Transition from existing CACv2 on Ubuntu to Anyware Connector RHEL/ROCKY
Anyware Connector runs on RHEL/Rocky Linux, so there is no in-place upgrade or migration from the Ubuntu CACv2 Connector: a new Connector is installed and the old one is retired. The following steps make that transition smooth and straightforward:
How to minimize downtime on transition
The RHEL/Rocky Linux Connector (Anyware Connector) can co-exist with the Ubuntu Connector in the same Anyware Manager deployment. It is highly recommended that you let the new RHEL/Rocky Linux Connector run for some time and confirm it is working properly before retiring the old Connector, to minimize downtime.
What's the difference in Connectors?
Feature | Ubuntu Connector (CACv2) | Anyware Connector |
OS | Ubuntu 18.04 | RHEL/Rocky Linux 8, 9 |
Packaging | Tar file | RPM package |
Deployment | Docker Swarm | Kubernetes (K3s) |
Configuration method | Command line flags; the installer prompts for any required flag that is missing | Configuration file and/or command line flags; the command returns an error if a required flag or parameter is missing |
Required Configuration Flags | --token --domain --sa-user --sa-password --accept-policies --self-signed (or --ssl-key and --ssl-cert) | --token --domain --sa-user --sa-password --accept-policies --self-signed (or --tls-key and --tls-cert) --manager-insecure (or --manager-ca-cert when Anyware Manager uses a self-signed or private-CA certificate) --ldaps-ca-cert (or --ldaps-insecure) --computers-dn and --users-dn (for the first Connector of the deployment) |
MFA Configuration | MFA is bypassed for connection requests from internal PCoIP Clients; internal and external clients have different MFA configurations | When MFA is enabled on the Connector, every PCoIP Client authenticating through it is prompted for MFA credentials, not only external clients as before |
Federated User Authentication/SSO | Available | Available |
AD Service Accounts | The Active Directory service account username and password are required | The Active Directory service account is optional |
AD LDAPS Certificate | If --ldaps-ca-cert is not provided during installation, the Connector collects the AD CA certificate automatically by connecting to each DC on the LDAPS port and saves it to its CA certificate store | The AD CA certificate must be provided to the installer with --ldaps-ca-cert or in the configuration file. Certificate validation can be skipped with --ldaps-insecure (which leaves the LDAPS connection open to interception), and for testing only the AD connection can use plaintext LDAP with --enable-ldap-plaintext |
Connector TLS key and cert flags | --ssl-key and --ssl-cert | --tls-key and --tls-cert |
Installation Commands | Download the installer from teradici.com, extract the package and run the install-and-configure command with the required flags: sudo /usr/sbin/cloud-access-connector install <flags>. The installer prompts for any mandatory flag you did not provide | Online environment: add the Connector repository, configure SELinux and install the Connector RPM: sudo dnf install -y cas-connector. Darksite environment: download and transfer the installation files, extract them and run the install script. The remaining steps are the same for both: generate the Connector token, then configure the Connector with flags or a configuration file: sudo /usr/local/bin/cas-connector configure <flags or path to config file>. The configure command fails with a missing-parameter error if mandatory flags or parameters are absent |
Update Configuration | sudo /usr/sbin/cloud-access-connector update <flags to be updated> | sudo /usr/local/bin/cas-connector configure <flags or path to config file> |
Upgrading Connector | sudo /usr/sbin/cloud-access-connector update <flags to be updated, if any are required> | sudo dnf update cas-connector, then sudo /usr/local/bin/cas-connector upgrade |
Diagnose Commands | Diagnose remote workstation connectivity and Active Directory connectivity with the diagnose command (see Cloud Access Connector Connectivity Issues - Teradici CAS Manager) | The connectivity diagnosis command is not supported. Check the health of the Connector with sudo /usr/local/bin/cas-connector diagnose --health and create a support bundle with sudo /usr/local/bin/cas-connector diagnose --support-bundle. Maintenance mode: diagnose --maintenance-mode on puts the Connector into maintenance mode so that no new sessions are accepted; diagnose --maintenance-mode off leaves maintenance mode and new sessions are accepted again |
Internal/External Session Detection and Networking | Typically CAC works without special configuration, but in some cases you may need to set --internal-client-cidr and --external-client-cidr explicitly so that sessions are treated correctly (for example, external connections NATed by a firewall) | Set the public IP of the Connector with --external-pcoip-ip. Three flags configure the Connector's cluster network: --cluster-cidr sets the cluster (pod) CIDR, default 10.42.0.0/16; --service-cidr sets the service CIDR, default 10.43.0.0/16; --cluster-dns sets the cluster DNS IP address, default 10.43.0.10, which must lie inside the service CIDR. In this release an Anyware Connector is configured for either external or internal PCoIP connections; two separate Connectors are required to support both. Other helpful flags: --debug |
Note: the package and binary appear as cas-connector in this table; the installation and configuration steps later on this page use the anyware-connector name.
Before Installing Anyware Connector
Preparing the Connector Server on RHEL/Rocky Linux
This guide outlines the minimum system requirements and network configurations for installing the Anyware Connector on Rocky Linux and RHEL.
Minimum System Requirements:
- Operating System: Rocky Linux 8,9 or RHEL 8,9
- RAM: Minimum 8 GB
- CPU: 4 vCPUs
- Storage: 60 GB VM storage
- Additional Requirements:
- If using LVM and /var is mounted on a separate volume, that volume must have at least 30 GB of free space to ensure successful installation and optimal performance of the Connector.
Network Requirements:
To set up the Anyware Connector, ensure the following network and environmental conditions are met:
- Internet Access: Required for online installation (for darksite/offline installations, refer to https://anyware.hp.com/find/product/hp-anyware/2024.07/anyware-connector-rhelrocky-linux).
- FQDN Resolution: The server must be able to resolve the AD domain FQDN.
- Active Directory (AD): You must have an AD user account within the designated Connector domain admin group to access the Admin Console.
- Ports Configuration/Firewall Configuration: The virtual machine must have the following ports enabled:
- TCP 443
- TCP/UDP 4172
- TCP 60443
- TCP 636
- If using a local license server, open TCP 7070.
- SSH Access: Console access to the virtual machine via SSH is required.
- Superuser Privileges: You need sudo privileges on the server.
- Network Configuration: The server's networking settings (including the IP address) must remain static while the Connector is operational.
Ports and Component Connections
Component | Allow | Port/Protocol | Source/Destination Component | Descriptions |
Connector | Inbound | 443 TCP | From PCoIP Clients and administrative web browsers. | For users to negotiate connections to their remote workstations. For accessing the Management Interface for (legacy) management of Anyware Manager. |
Connector | Outbound | 443 TCP | To CAM Service, PCoIP Cloud License Server and to SumoLogic. | To sync AD information to the CAM service and call Anyware Manager APIs related to negotiating PCoIP sessions. To verify the license activation code during the Connector installation. For log aggregation for support purposes. |
Connector | Outbound | 60443 TCP | To remote workstations. | Prepares PCoIP Agents for a new user session. |
Connector | Inbound | 4172 TCP/UDP | From PCoIP Clients. | For PCoIP Sessions with users that are outside of the corporate network. |
Connector | Outbound | 4172 TCP/UDP | To remote workstations. | For PCoIP Sessions with users that are outside of the corporate network. |
Connector | Outbound | 636 TCP | To Domain Controllers. | To authenticate users, and query user and computer information. |
Connector | Outbound | 1812 UDP (This port is configurable) | To RADIUS Server. (Optional) | For authentication against RADIUS Server. |
Connector | Outbound | 53 TCP/UDP | To DNS. | Domain name resolution. |
PCoIP License Server | Inbound | 7070 TCP (This port is configurable) | From remote workstations. | For license activation and verification from PCoIP Agent if the PCoIP License Server is used instead of the Cloud License Server. |
Firewall Configuration for Anyware Connector
Ensure that the firewall within the virtual network of the VM is properly configured for the CAS Connector to operate.
Check Firewall Status:
You can confirm the firewall status by running the following command: sudo systemctl status firewalld
- If firewalld is active, follow the steps below.
- If firewalld is inactive and your organization doesn't require a firewall for the CAS Connector VM, skip this step and proceed to the remaining steps.
View Firewall Configuration:
To check the existing firewall configuration, run:
sudo firewall-cmd --list-all
Configure the Firewall:
Execute the following commands to configure the firewall properly:
- sudo firewall-cmd --permanent --add-port=6443/tcp (Kubernetes API port of the embedded K3s cluster)
- sudo firewall-cmd --permanent --add-port=4172/tcp (PCoIP Security Gateway TCP port)
- sudo firewall-cmd --permanent --add-port=4172/udp (PCoIP Security Gateway UDP port)
- sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 (subnet for the pods; change it if you set --cluster-cidr)
- sudo firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 (subnet for the services; change it if you set --service-cidr)
- sudo firewall-cmd --reload (to apply the changes)
TCP 443 from the Network Requirements above also has to be allowed in the same zone if it is not already, since PCoIP Clients and the Admin Console connect to it.
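The commands above are fire-and-forget; on a host that has been partly configured it is easier to diff the live firewalld state against what the Connector needs and apply only the gap. The script below is an added example, not part of the HP Anyware documentation: the required ports and trusted sources are the ones listed on this page (6443/tcp, 4172/tcp+udp, TCP 443 from the network requirements, and the default pod/service CIDRs), and the function names and the --apply switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Anyware documentation: compare the running firewalld
# configuration with what the Connector needs and print (or apply) the missing rules.
# Required set follows this page: 6443/tcp (K3s API), 4172/tcp+udp (PCoIP Security
# Gateway, external sessions), 443/tcp (clients/Admin Console), pod CIDR 10.42.0.0/16
# and service CIDR 10.43.0.0/16 as trusted sources. Adjust the CIDRs if you pass
# --cluster-cidr / --service-cidr to configure.
set -eu

REQUIRED_PORTS="443/tcp 6443/tcp 4172/tcp 4172/udp"
REQUIRED_TRUSTED_SOURCES="10.42.0.0/16 10.43.0.0/16"

# in_list ITEM "A B C" -> 0 if ITEM is one of the space-separated words
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# missing_firewall_rules LISTED_PORTS LISTED_TRUSTED_SOURCES
#   LISTED_PORTS:           output of `firewall-cmd --list-ports` (default zone)
#   LISTED_TRUSTED_SOURCES: output of `firewall-cmd --zone=trusted --list-sources`
# Prints one firewall-cmd command per missing rule; prints nothing when complete.
missing_firewall_rules() {
  listed_ports=$1; listed_sources=$2
  for p in $REQUIRED_PORTS; do
    in_list "$p" "$listed_ports" || echo "firewall-cmd --permanent --add-port=$p"
  done
  for s in $REQUIRED_TRUSTED_SOURCES; do
    in_list "$s" "$listed_sources" || echo "firewall-cmd --permanent --zone=trusted --add-source=$s"
  done
}

# apply_missing_rules: on the Connector host, read the live state and apply the gap.
apply_missing_rules() {
  if ! systemctl is-active --quiet firewalld; then
    echo "firewalld is not active; nothing to do" >&2
    return 0
  fi
  cmds=$(missing_firewall_rules "$(sudo firewall-cmd --list-ports)" \
                                "$(sudo firewall-cmd --zone=trusted --list-sources)")
  if [ -z "$cmds" ]; then
    echo "firewall already configured for the Connector"
    return 0
  fi
  echo "$cmds" | while IFS= read -r c; do sudo $c; done
  sudo firewall-cmd --reload
}

if [ $# -gt 0 ] && [ "$1" = "--apply" ]; then
  apply_missing_rules
fi
```

Run it with --apply on the Connector host after firewalld is confirmed active; without arguments it only defines the functions, so missing_firewall_rules can be fed the output of the two list commands from another machine to review the gap before touching the firewall.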
Configuring and Verifying DNS Resolution for the Connector Server
To install and configure Anyware Manager or Connector on RHEL or Rocky Linux, ensure there’s a solid connection between the machine and the Active Directory Domain Controller.
Verification Steps:
- SSH into the machine and verify DNS resolution and network connectivity by running:
ping <domain FQDN> and ping <remote workstation FQDN>
(ping only proves that the name resolves and ICMP gets through; if ICMP is filtered, test the Domain Controller's LDAPS port instead.)
DNS Troubleshooting: If the name does not resolve, follow these steps, using the example IP 10.162.0.42 for the domain example-domain.com:
- Disable Auto-configuration of DNS:
Prevent DNS settings from being overwritten on reboot:
- nmcli device modify eth0 ipv4.ignore-auto-dns yes
- nmcli connection modify eth0 ipv4.ignore-auto-dns yes
- Edit Network Configuration Scripts:
Add the DNS server IP addresses and optionally a DNS suffix:
- Open the file: sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
- Add/edit the following lines:
DNS1=10.162.0.42
DNS2=<Secondary DNS IP if available>
DOMAIN=example-domain.com
PEERDNS=no
- Restart NetworkManager:
Restart NetworkManager to apply the changes:
sudo systemctl restart NetworkManager
- Verify DNS Settings:
Check that the DNS servers and search suffixes are correct:
cat /etc/resolv.conf
If necessary, add the following (NetworkManager regenerates this file, so the ifcfg settings above are the persistent place for them):
search example-domain.com
nameserver 10.162.0.42
- Test DNS:
Test DNS resolution by pinging the domain FQDN and the IP address of the Domain Controller.
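A ping that succeeds says nothing about port 636, and a ping that fails may only mean ICMP is filtered. What the Connector actually needs is to find the Domain Controllers and reach them on LDAPS, so the check below locates the DCs through the AD SRV record and opens TCP 636 on each. This is an added example, not part of the HP Anyware documentation; it needs dig (bind-utils) and the bash /dev/tcp feature, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Anyware documentation: discover the domain's DCs via
# the _ldap._tcp.dc._msdcs SRV record and probe LDAPS (636) on each one, instead of
# relying on ping. Requires `dig` (bind-utils) and bash (for /dev/tcp).
set -eu

# dc_hosts_from_srv: stdin is the output of
#   dig +short SRV _ldap._tcp.dc._msdcs.<domain>      ("priority weight port target.")
# prints one DC host name per line, lowest priority first, higher weight first within a priority
dc_hosts_from_srv() {
  sort -k1,1n -k2,2nr | awk 'NF >= 4 { sub(/\.$/, "", $4); print $4 }'
}

# tcp_open HOST PORT [TIMEOUT_SECONDS] -> 0 if a TCP connection succeeds (no nc needed)
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_domain DOMAIN: resolve the domain, list its DCs and probe LDAPS on each
check_domain() {
  domain=$1; rc=0
  getent ahosts "$domain" >/dev/null || { echo "cannot resolve $domain" >&2; return 1; }
  dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | dc_hosts_from_srv)
  [ -n "$dcs" ] || {
    echo "no DC SRV records for $domain (check nameserver/search in /etc/resolv.conf)" >&2
    return 1
  }
  for dc in $dcs; do
    if tcp_open "$dc" 636; then
      echo "ok   $dc:636 (LDAPS)"
    else
      echo "FAIL $dc:636 (LDAPS)"; rc=1
    fi
  done
  return $rc
}

if [ $# -gt 0 ]; then check_domain "$1"; fi
```

Run it as ./check-dc.sh example-domain.com. A non-zero exit with "no DC SRV records" usually means the resolver is not the AD DNS server yet (the nmcli/ifcfg steps above), while a FAIL on a specific DC points at a firewall between the Connector and that DC.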
Configuring Active Directory (AD) Service Account Permissions
To successfully install the Connector, ensure the following Active Directory Service Account permissions and configurations:
- The server must be able to resolve the AD domain.
- Supported Domain Controller Servers for the Connector:
- Windows 2016 Server with secure LDAP (LDAPS) enabled.
- Windows 2012 R2 Server with secure LDAP (LDAPS) enabled.
- Windows 2019 Server with secure LDAP (LDAPS) enabled.
Disable Swap
The Connector is built on K3s, and it is strongly recommended to disable swap on the Linux host to avoid memory issues in a production environment.
You can do the following to disable swap:
- If this is a new install and you want to disable swap permanently on the Connector server:
o Edit the /etc/fstab file and add '#' in front of any line that contains the word 'swap', then reboot (or run sudo swapoff -a to apply it immediately).
- If you have an existing Connector that is running into memory issues, run the following command to disable swap immediately (this is not retained after a system reboot):
o sudo swapoff -a
If swap is required for any reason, it should be at least the size of the RAM. Even then there is no guarantee that the Connector works correctly, so disabling swap is strongly recommended.
Preparing the Required Connector configuration information
Write down and save the data required for installing and configuring the Connector; it may take time to obtain it from your IT department. Here is the list of required and commonly used flags.
What | Description | R/O | Flags |
Token | Generate the token from the Anyware Manager, details below | Required | --token |
Domain | The domain where the Connector and Remote Workstations are located, e.g. myexample.com | Required | --domain |
AD service account | Username and password of the Active Directory service account | Required | --sa-user --sa-password |
Policies | Have read and accepted the EULA | Required | --accept-policies |
Cert for LDAPS connection to AD | One of these flags is required. If --ldaps-ca-cert is not used, you must use either --ldaps-insecure to skip certificate validation, or --enable-ldap-plaintext for test purposes | Required | --ldaps-ca-cert --ldaps-insecure |
Cert for TLS connection to Anyware Manager | Not required if --manager-insecure is used. Required if Anyware Manager uses a self-signed cert and --manager-insecure is not used to skip validation, or if Anyware Manager uses a private-CA-signed cert that the Connector does not know. Must be in PEM format and contain a single cert | Required | --manager-ca-cert --manager-insecure |
tls-key and tls-cert for Connector | Not required when installing the Connector for testing with --self-signed. Required for production use to establish a secure connection from the PCoIP Client to the Connector. Must be in PEM format and contain a single cert | Required | --tls-key --tls-cert --self-signed |
The base DN to search for computers and users within AD | Not required if one or more Connectors were already installed and had AD synced in the same deployment. Required if this is the first Connector in the deployment | Optional | --computers-dn --users-dn |
Domain Controller | Not required if DNS auto-resolution from --domain works as desired | Optional | --domain-controller |
Security Gateway | For external connections the security gateway is enabled by default (true). For internal traffic, disable it with --enable-security-gateway=false | Optional | --enable-security-gateway |
Notes:
- LDAPS Certificate: If --ldaps-ca-cert is not used, you can skip the certificate validation with --ldaps-insecure, or use --enable-ldap-plaintext for testing purposes.
- TLS Connection: Ensure certificates for CAS Manager are in PEM format, containing a single cert. These are crucial for production environments.
- Security Gateway: The security gateway for external traffic is enabled by default. To disable it for internal traffic, use the flag --enable-security-gateway=false.
Self Signed Certificate:
- Follow these steps to install the self-signed certificate.
- Guide: How to create and install a self-signed certificate on a Windows 2016 Active Directory (Do not make any changes in the script)
Use the following command to check that the Domain Controller presents a certificate on the LDAPS port (the output shows the certificate chain and ends with a "Verify return code" line):
- openssl s_client -connect dc1.domain.com:636
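The s_client check above only shows that something answers on 636. For the Connector you also want the certificate saved in the single-certificate PEM form --ldaps-ca-cert expects, and proof that an LDAPS handshake verifies against it, so that --ldaps-insecure is never needed. The script below does both; it is an added example, not part of the HP Anyware documentation. dc1.domain.com is the placeholder host from the guide, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Anyware documentation: capture the certificate a
# domain controller presents on LDAPS (TCP 636), keep it as a single-certificate PEM
# file for --ldaps-ca-cert, and verify the handshake against it.
set -eu

# pem_cert_count FILE -> number of PEM certificate blocks in FILE
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# first_pem_cert: stdin is `openssl s_client` output; print only the first certificate block
first_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {if (p) exit}'
}

# check_single_pem_cert FILE -> 0 when FILE holds exactly one certificate
# (--ldaps-ca-cert, --manager-ca-cert and --tls-cert all require a single PEM cert)
check_single_pem_cert() {
  [ -r "$1" ] || { echo "$1: not readable" >&2; return 1; }
  n=$(pem_cert_count "$1")
  [ "$n" -eq 1 ] || { echo "$1: expected exactly one PEM certificate, found $n" >&2; return 1; }
}

# fetch_ldaps_cert DC_FQDN OUT_PEM: save the DC's LDAPS certificate and print who issued it.
# For a self-signed DC certificate (the guide's scenario) OUT_PEM is the file to pass as
# --ldaps-ca-cert. If subject and issuer differ, pass the issuing CA's certificate exported
# from AD CS instead; verify_ldaps below fails in that case, which is how you notice.
fetch_ldaps_cert() {
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | first_pem_cert > "$2"
  check_single_pem_cert "$2"
  openssl x509 -in "$2" -noout -subject -issuer -enddate
}

# verify_ldaps DC_FQDN CA_PEM -> 0 only if the LDAPS certificate verifies against CA_PEM
verify_ldaps() {
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" -verify_return_error \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

if [ $# -eq 2 ]; then   # usage: ./ldaps-cert.sh dc1.domain.com DC-Cert.pem
  fetch_ldaps_cert "$1" "$2"
  verify_ldaps "$1" "$2" && echo "LDAPS on $1 verifies against $2"
fi
```

Run it as ./ldaps-cert.sh dc1.domain.com DC-Cert.pem and pass the resulting file to --ldaps-ca-cert only after the final verification line appears; the same check_single_pem_cert test applies to the files you hand to --manager-ca-cert and --tls-cert.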
Installing Anyware Connector
Internet-Connected Environment Setup:
- Adding the Connector Repository:
Add the Connector repository as described on the download site, or check whether it is already added by running:
sudo dnf repolist teradici-anyware-manager*
- Configuring SELinux Components:
To check whether the Anyware Manager SELinux policy package is installed, run:
sudo dnf list installed | grep anyware-manager-selinux
If it is not installed, follow these steps:
- Install the SELinux policies:
sudo dnf install -y selinux-policy-base container-selinux
- Install the K3s SELinux policy package (the pinned version shown):
sudo dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el8.noarch.rpm
- Install the SELinux policy from the Anyware Manager repository:
sudo dnf install -y anyware-manager-selinux
- Installing the Connector RPM:
Install the Connector RPM and generate the sample configuration files by running:
sudo dnf install -y anyware-connector
Darksite (Offline) Environment Setup:
- Download and Transfer the Files:
Download the darksite tar.gz file using a direct download or a script, then transfer it to the target darksite machine.
- Extract the Installation File:
After transferring the file, extract it by running:
sudo tar xzvf anyware-connector-offline_Linux.tar.gz
This creates a new folder that contains two files:
- anyware-connector-offline-deps.tar.gz
- install.sh (the installation script)
- Install Anyware Connector Offline:
To install the Connector offline, navigate to the folder and run:
cd /PATH_OF_EXTRACTED_INSTALLATION_FILES
Then run:
sudo ./install.sh
Generating a Connector Token
To generate a Connector token, follow these steps:
- In the console sidebar, click Connectors.
- Click the Add Connector button (the "+" sign next to Connectors heading).
- Enter the required information:
- Select or create the deployment you want to add the Connector to.
- Enter the name of the Connector.
- Click Generate.
- Copy the Connector token using the copy icon.
Configuring the Anyware Connector for Anyware Manager
After installing the Connector RPM and generating a Connector token, configure the Connector to work with Anyware Manager by running the following commands. Both examples pass the service-account password on the command line, where it lands in the shell history and is visible in the process list while configure runs; for production, put the sensitive values in a configuration file with restricted permissions instead (configure accepts a path to a configuration file in place of flags).
Quick Start Configuration (testing only: --self-signed, --ldaps-insecure and --manager-insecure all skip certificate validation):
- Set the token environment variable using:
export token=<token from Anyware Manager Admin Console>
- Run the configuration command:
sudo /usr/local/bin/anyware-connector configure \
--manager-url 'https://ipv4.Anyware.Manager.Installable' \
--token $token \
--domain 'testlab.internal' \
--sa-user 'sampleuser' \
--sa-password 'passwordstring' \
--accept-policies \
--self-signed \
--ldaps-insecure \
--manager-insecure
Typical Configuration (validates the LDAPS certificate with --ldaps-ca-cert but still uses --self-signed and --manager-insecure; replace those with --tls-key/--tls-cert and --manager-ca-cert for production):
- Set the token environment variable using:
export token=<token from Anyware Manager Admin Console>
- Run the configuration command:
sudo /usr/local/bin/anyware-connector configure \
--manager-url 'https://ipv4.Anyware.Manager.Installable' \
--token $token \
--domain 'testlab.internal' \
--sa-user 'sampleuser' \
--sa-password 'Passwordstring' \
--ldaps-ca-cert '/home/rocky/DC-Cert.pem' \
--computers-dn 'CN=Computers,DC=testlab,DC=internal' \
--users-dn 'CN=Users,DC=testlab,DC=internal' \
--external-pcoip-ip 'public.ipv4.sg.ip' \
--self-signed \
--accept-policies \
--manager-insecure
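The configure command only reports a missing required flag; it does not tell you that --self-signed was left in, that --ldaps-insecure is still there, or that a hand-typed --cluster-dns falls outside --service-cidr. The script below is an added example, not part of the HP Anyware documentation: it enforces the flag rules from the tables above before calling configure, and reads the token and service-account password from 0600 files so they never enter the interactive shell's history. The environment-variable names, file paths and function names are this example's own conventions, not Connector flags.

```bash
#!/usr/bin/env bash
# Added example, not part of the Anyware documentation: pre-flight checks for
# `anyware-connector configure`. Rules enforced (from the flag table above):
#   TLS:   --self-signed (testing) or both --tls-key and --tls-cert (production)
#   LDAPS: --ldaps-ca-cert, or --ldaps-insecure (skips validation; test only)
#   --cluster-dns must lie inside --service-cidr (defaults 10.43.0.10 / 10.43.0.0/16)
#   --users-dn / --computers-dn must be well-formed DNs
# Intended values are passed as environment variables (SELF_SIGNED, TLS_KEY, TLS_CERT,
# LDAPS_CA_CERT, LDAPS_INSECURE, SERVICE_CIDR, CLUSTER_DNS, USERS_DN, COMPUTERS_DN).
set -eu

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/PREFIX IP -> 0 when IP is inside the network
cidr_contains() {
  net=${1%/*}; plen=${1#*/}
  mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# domain_to_base_dn testlab.internal -> DC=testlab,DC=internal
# (the domain's base DN; the examples above narrow it to CN=Users,... / CN=Computers,...)
domain_to_base_dn() {
  printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# is_valid_dn DN -> 0 for RDN=value components separated by commas, ending in DC= components
is_valid_dn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z]+=[^,]+,)*DC=[^,]+(,DC=[^,]+)*$'
}

# check_secret_file FILE -> 0 when the file is non-empty and not group/world readable
check_secret_file() {
  [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, BSD fallback
  case "$mode" in
    600|400) ;;
    *) echo "$1: mode $mode, expected 0600 or 0400" >&2; return 1 ;;
  esac
}

# preflight -> 0 when the intended flag combination is acceptable; every problem is reported
preflight() {
  rc=0
  if [ "${SELF_SIGNED:-0}" != 1 ] && { [ -z "${TLS_KEY:-}" ] || [ -z "${TLS_CERT:-}" ]; }; then
    echo "TLS: pass --self-signed (testing) or both --tls-key and --tls-cert (production)" >&2; rc=1
  fi
  if [ -z "${LDAPS_CA_CERT:-}" ] && [ "${LDAPS_INSECURE:-0}" != 1 ]; then
    echo "LDAPS: pass --ldaps-ca-cert (or --ldaps-insecure, which skips validation)" >&2; rc=1
  fi
  if ! cidr_contains "${SERVICE_CIDR:-10.43.0.0/16}" "${CLUSTER_DNS:-10.43.0.10}"; then
    echo "--cluster-dns must lie inside --service-cidr" >&2; rc=1
  fi
  for dn in "${USERS_DN:-}" "${COMPUTERS_DN:-}"; do
    [ -z "$dn" ] || is_valid_dn "$dn" || { echo "malformed DN: $dn" >&2; rc=1; }
  done
  return $rc
}

# run_configure [extra flags]: production-style invocation (explicit TLS key/cert and
# LDAPS CA). Secrets come from 0600 files so they never enter the shell history; they
# are still visible in the process list while configure runs, which only the
# configuration-file method avoids. Pass --manager-ca-cert FILE (or --manager-insecure
# for testing) and any optional flags such as --external-pcoip-ip as extra arguments.
run_configure() {
  token_file=${TOKEN_FILE:-/root/anyware/token}
  pw_file=${SA_PASSWORD_FILE:-/root/anyware/sa-password}
  check_secret_file "$token_file" && check_secret_file "$pw_file" && preflight || return 1
  sudo /usr/local/bin/anyware-connector configure \
    --manager-url "$MANAGER_URL" --token "$(cat "$token_file")" \
    --domain "$DOMAIN" --sa-user "$SA_USER" --sa-password "$(cat "$pw_file")" \
    --ldaps-ca-cert "$LDAPS_CA_CERT" --tls-key "$TLS_KEY" --tls-cert "$TLS_CERT" \
    --users-dn "$USERS_DN" --computers-dn "$COMPUTERS_DN" \
    --accept-policies "$@"
}

if [ $# -gt 0 ] && [ "$1" = "--run" ]; then shift; run_configure "$@"; fi
```

Without --run the script only defines the functions, so you can source it and call preflight with the intended environment to see every complaint at once; the cidr_contains check is the one that catches a --cluster-dns outside the service CIDR, which the configure command itself does not flag until the cluster fails to resolve names.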
MFA and Federated OAuth/SSO Setup
- HP Anyware Manager as a Service SAML Multi Admin setup - Instructions for setting up HP Anyware Manager as a service with SAML Multi Admin can be found here: SAML Multi Admin setup
- MFA Setup with DUO - DUO MFA Integration in AWS
- MFA setup with OKTA - OKTA MFA Integration in AWS
- Federated OAuth Setup - For configuring Federated OAuth, please refer to: Federated OAuth Setup
- SSO Setup - Instructions for Single Sign-On (SSO) setup are available at the following links: SSO Setup and Preparing SSO
Connector multi-factor authentication flags
Configuration File Parameter | Flag | Description |
enable | --enable-mfa | Enables multi-factor authentication. MFA is then enforced for all connections, both internal and external: internal users must also enter the MFA code when connecting with the PCoIP Client through this Connector. It is recommended to install separate Connectors for internal and external connections. A boolean parameter. |
port | --radius-port | This is the RADIUS server port. If not specified, the default port (1812) is used. If --radius-server is specified, then this flag is optional. A string parameter. |
server | --radius-server | The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. A string parameter. |
sharedSecret | --radius-secret | The shared secret used for configuring RADIUS authentication. If --radius-server is specified then this flag is required. A string parameter. |
Federated Authentication
Flag | Type | Description |
--enable-oauth | Boolean | Enables OAuth authentication (default: false) |
--id-provider-url | String | Sets the identity provider URL, for example --id-provider-url https://provider-1234567890.okta.com. Required if --enable-oauth is true |
--oauth-client-id | String | The client ID obtained from the identity provider. Required if --enable-oauth is true |
--fa-url | String | The Federated Auth Broker URL, for example https://cac-vm-fqdn:port |
--oauth-flow-code | String | The OAuth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"); "OAUTH_FLOW_CODE_WITH_PKCE" is the only supported flow for now |
--enable-entitlements-by-upn | Boolean | Enables/disables searching entitlements by UPN. Must be true if --enable-oauth is true |
Federated Authentication With Single Sign-On
Flag | Type | Description |
--sso-signing-csr-ca | String | Path to the intermediate CA certificate |
--sso-signing-csr-key | String | Path to the intermediate CA key |
--sso-signing-crl | String | Path to a certificate revocation list |
--sso-enrollment-url | String | URL of the Active Directory Certification Authority Web Enrollment Service |
--sso-enrollment-domain | String | Domain of the user used to access the Active Directory Certification Authority Web Enrollment Service |
--sso-enrollment-username | String | Username for accessing the Active Directory Certification Authority Web Enrollment Service |
--sso-enrollment-password | String | Password for the username used to access the Active Directory Certification Authority Web Enrollment Service |
--sso-enrollment-certificate-template-name | String | Name of the certificate template that Active Directory Certificate Services (AD CS) uses to sign the CSR |