Transition from existing CACv2 on Ubuntu to Anyware Connector RHEL/ROCKY

Rate this Article

October 21, 2024

Last modified: 10/23/2024, 4:32 pm

Knowledge Base Article Tutorial

Anyware connector runs on RHEL/Rocky so there is no in-place upgrade or migration in that sense but there are a couple of steps that could make the transition to Anyware Connector smooth and straightforward:

How to minimize downtime on transition

RHEL/Rocky Linux Connector (Anyware Connector) can co-exist with the Ubuntu Connector in the same deployment of the Anyware Manager, it is highly recommended that you allow the new RHEL/Rocky Linux Connector (Anyware Connector) to run for some time to make it's working properly before retiring the old Connector to minimize the downtime

What's the difference in Connectors?

Feature	Ubuntu Connector (CACv2)	Anyware Connector
OS	Ubuntu 18.04	RHEL/ROCKY 8,9
Packaging	Tar file	RPM package
Deployment	Docker Swarm	Kubernetes
Configuration method	Command line flags, and in command prompt for missing flags	Configuration files and/or command line flags. Command return error, if required flags/parameters, are missing.
Required Configuration Flags	--token --domain --sa-user --sa-password --accept-policies --self-signed (or --ssl-key and –ssl-cert)	--token --domain --sa-user --sa-password --accept-policies --self-signed (or --tls-key and --tls-cert must be provided) --manager-insecure (required using self-signed cert) --ldaps-ca-cert ( or –ldap-insecure) --computers-dn (for the 1st Connector of the deployment) --users-dn (for the 1st Connector of the deployment)
MFA Configuration	MFA is bypassed for connection requests from internal PCoIP Clients Internal and external clients had different MFA configurations	When you enable MFA for the Connector for RHEL/Rocky Linux, all PCoIP Clients authenticated through the Connector are prompted to enter MFA credentials. Previously, only the external PCoIP Clients were prompted for MFA information.
Federated User Authentication/SSO	Available	Available
AD Service Accounts	The Active Directory service account username and password is required	The Active Directory service account is optional.
AD LDAPS Certificate	If --ldaps-ca-cert is not provided during installation, the AD CA certificate is automatically collected by the Connector by connecting to each DC on the LDAPS port, and the certificate is saved to the Connectors CA certificate store automatically.	The Active Directory CA certificate must be provided to the installer by entering the information with the --ldaps-ca-cert parameter or by editing the configuration file. Skip the certificate validation when connecting to the Active Directory using the following flag --ldaps-insecure. For testing purposes the Active Directory connection can use LDAP in the plaintext form with the --enable-ldap-plaintext flag
Connector tls key and cert flag	--ssl-key and --ssl-cert	--tls-key and --tls-cert
Installation Commands	Download the installer from teradici.com and extract the package, then run the install and configuration command with the required flags: sudo /usr/sbin/cloud-access-connector install <flags>. The installer will then prompt for mandatory flags if you do not provide them in the command.	For Online Env: · Add the Connector repository. · Configure SELinux · Install the Connector RPM with the following command: sudo dnf install -y cas-connector. For Darkside Env: · Download and Transfer the Installation Files · Extract the file and run install script Next steps are same for online and dark side env Generate the Connector Token Configure the Connector with flags or configuration files using the following command: sudo /usr/local/bin/cas-connector configure <flags or path to config file>. The configure command will fail with a missing parameter error if the mandatory flags or parameters are missing
Update Configuration	sudo /usr/sbin/cloud-access-connector update <flags to be updated>	sudo /usr/local/bin/cas-connector configure <flags or path to config file>.
Upgrading Connector	sudo /usr/sbin cloud-access-connector update <flags to be updated if any are required>	sudo dnf update cas-connector and sudo /usr/local/bin/cas-connector upgrade
Diagnose Commands	You can diagnose remote workstation connectivity, and Active Directory connectivity by running the diagnose command: Cloud Access Connector Connectivity Issues - Teradici CAS Manager	The connectivity diagnosis command is not supported. Users can check the health of the Connector by running the sudo /usr/local/bin/cas-connector diagnose --health and can create a support bundle by running the sudo /usr/local/bin/cas-connector diagnose --support-bundle command. Use flag --diagnose --maintenance-mode on This mode sets the Connector in maintenance mode and no new sessions are accepted. --diagnose --maintenance-mode off This flag turns off the Connector maintenance mode and new sessions are accepted
Internal/External Session Detection	Typically, CAC will work without any special configuration, but in some cases you may need to explicitly set the --internal-client-cidr and --external-client-cidr so that sessions get treated correctly (eg, NATing external connections from a Firewall).	If you don't have external users, then you could disable the security gateway by passing --enable-security-gateway=false, otherwise, it's set to true enabled by default. Set the Public IP using the --external-pcoip-ip flag There are three flags to use for the Connector's network. They are; --cluster-cidr to set cluster CIDR,default is 10.42.0.0/16, --servcie-cidr to set service CIDR, default is 10.43.0.0/16. and --cluster-dns to set cluster dns ip address, default is 10.43.0.10, it has to be part of of the service-cidr
		Other helpful flags: --debug* In this release, Anyware Connector is configured to support either external or internal PCoIP connections, two separate Connectors are required to support both connections respectively.

Before Installing Anyware Connector

Preparing the Connector Server on RHEL/Rocky Linux

This guide outlines the minimum system requirements and network configurations for installing the Anyware Connector on Rocky Linux and RHEL.

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/prerequisite/awc_connector_server/

Minimum System Requirements:

Operating System: Rocky Linux 8,9 or RHEL 8,9
RAM: Minimum 8 GB
CPU: 4 vCPUs
Storage: 60 GB VM storage
Additional Requirements:
- If using LVM and /var is mounted on a separate volume, the volume must have at least 30 GB of free space to ensure successful installation and optimal performance of the CAS Manager.

Network Requirements:

To set up the Anyware Connector, ensure the following network and environmental conditions are met:

Internet Access: Required for online installation (for Darksite offline installations, refer to the https://anyware.hp.com/find/product/hp-anyware/2024.07/anyware-connector-rhelrocky-linux
FQDN Resolution: The server must be able to resolve the AD domain FQDN.
Active Directory (AD): You must have an AD user account within the designated Connector domain admin group to access the Admin Console.
Ports Configuration/Firewall Configuration: The virtual machine must have the following ports enabled:
- TCP 443
- TCP/UDP 4172
- TCP 60443
- TCP 636
- If using a local license server, open TCP 7070.

SSH Access: Console access to the virtual machine via SSH is required.
Superuser Privileges: You need sudo privileges on the server.
Network Configuration: The server's networking settings (including the IP address) must remain static while the Connector is operational.

Ports and Component Connections

Component	Allow	Port/Protocol	Source/Destination Component	Descriptions
Connector	Inbound	443 TCP	From PCoIP Clients and administrative web browsers.	For users to negotiate connections to their remote workstations. For accessing the Management Interface for (legacy) management of Anyware Manager.
Connector	Outbound	443 TCP	To CAM Service, PCoIP Cloud License Server and to SumoLogic.	To sync AD information to the CAM service and call Anyware Manager APIs related to negotiating PCoIP sessions. To verify the license activation code during the Connector installation. For log aggregation for support purposes.
Connector	Outbound	60443 TCP	To remote workstations.	Prepares PCoIP Agents for a new user session.
Connector	Inbound	4172 TCP/UDP	From PCoIP Clients.	For PCoIP Sessions with users that are outside of the corporate network.
Connector	Outbound	4172 TCP/UDP	To remote workstations.	For PCoIP Sessions with users that are outside of the corporate network.
Connector	Outbound	636 TCP	To Domain Controllers.	To authenticate users, and query user and computer information.
Connector	Outbound	1812 UDP (This port is configurable)	To RADIUS Server. (Optional)	For authentication against RADIUS Server.
Connector	Outbound	53 TCP/UDP	To DNS.	Domain name resolution.
PCoIP License Server	Inbound	7070 TCP (This port is configurable)	From remote workstations.	For license activation and verification from PCoIP Agent if the PCoIP License Server is used instead of the Cloud License Server.

Firewall Configuration for Anyware Connector

Ensure that the firewall within the virtual network of the VM is properly configured for the CAS Connector to operate.

Check Firewall Status:
You can confirm the firewall status by running the following command: sudo systemctl status firewalld

If firewalld is active, follow the steps below.
If firewalld is inactive and your organization doesn't require a firewall for the CAS Connector VM, skip this step and proceed to the remaining steps.

View Firewall Configuration:
To check the existing firewall configuration, run:
sudo firewall-cmd --list-allConfigure the Firewall:
Execute the following commands to configure the firewall properly:

sudo firewall-cmd --permanent --add-port=6443/tcp (for the virtual network flannel)
sudo firewall-cmd --permanent --add-port=4172/tcp (PCoIP SG TCP port)
sudo firewall-cmd --permanent --add-port=4172/udp (PCoIP SG UDP port)
sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 (subnet for the pods)
sudo firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 (subnet for the services)
sudo firewall-cmd --reload (to apply changes)

Configuring and Verifying DNS Resolution for the Connector Server

To install and configure Anyware Manager or Connector on RHEL or Rocky Linux, ensure there’s a solid connection between the machine and the Active Directory Domain Controller.

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/prerequisite/awc_dnsname_config/

Verification Steps:

SSH into the machine and verify DNS resolution and network connectivity by running:
ping <domain FQDN> and ping <remote workstation FQDN>

DNS Troubleshooting: If the ping doesn't work, follow these steps using the example IP of 10.162.0.42 for the domain example-domain.com:

Disable Auto-configuration of DNS:
Prevent DNS settings from being overwritten on reboot:
- nmcli device modify eth0 ipv4.ignore-auto-dns yes
- nmcli connection modify eth0 ipv4.ignore-auto-dns yes
Edit Network Configuration Scripts:
Add the DNS server IP addresses and optionally a DNS suffix:
- Open the file: sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
- Add/edit the following lines:
  DNS1=10.162.0.42
  DNS2=<Secondary DNS IP if available>
  DOMAIN=example-domain.com
  PEERDNS=no
Restart Network Manager:
Restart the network manager to apply the changes:
sudo systemctl restart NetworkManager
Verify DNS Settings:
Check that the desired DNS servers and search suffixes are correct:
cat /etc/resolv.conf
If necessary, add the following:
search example-domain.com
nameserver 10.162.0.42
Test DNS:
Test DNS resolution by pinging the domain FQDN and the IP address of the Domain Controller.

Configuring Active Directory (AD) Service Account Permissions

To successfully install the Connector, ensure the following Active Directory Service Account permissions and configurations:

The server must be able to resolve the AD domain.
Supported Domain Controller Servers for the Connector:
- Windows 2016 Server with secure LDAP (LDAPS) enabled.
- Windows 2012 R2 Server with secure LDAP (LDAPS) enabled.
- Windows 2019 Server with secure LDAP (LDAPS) enabled.

Disable Swap

The connector is built on K3s, and it's strongly recommended to disable swap on a Linux system to avoid memory issues in a production environment. It is recommended to disable swap on a Linux system to avoid memory issue.

You can do the following to disable the swap:

If this is a new install and you want to disable swap permanently on the Connector server:

o Edit the /etc/fstab file and add '#' in front of any line that contains the word 'swap'.

If you have an existing Connector and is running into a memory issue, run the following command to disable the swap immediately. (This is not retained after a system reboot):

o sudo swapoff -a

If Swap is required for any reason, it should be greater or equal to the size of the RAM. There is no guarantee that it works, so it is strongly recommended to disable it.

Preparing the Required Connector configuration information

Write down and save the data that are required for installing and configuring Connector later on, it may take time to get them from your IT department. Here is the list of required and commonly used flags.

What	Description	R/O	Flags
Token	Generate the token from the Anyware Manager, details below	Required	--token
Domain	The domain where the Connector and Remote Workstations are at, e.g. myexample.com	Required	--domian
AD service account	Active Directory Service Accounts - Teradici CAS Manager	Required	--sa-user --sa-password
Policies	Have read and accepted EULA	Required	--accept-policies
Cert for ldaps Connection to AD	Either one of the mentioned flag is required. If --ldaps-ca-cert flag is not used, you should use either --ldaps-insecure to skip certificate validation, or --enable-ldap-plaintext for test purposes	Required	--ldaps-ca-cert --ldap-insecure
Cert for TLS connection to CAS Manager	Not required if --manager-insecure flag is used Required, if Anyware Manager is using self-signed cert, and –manager-insecure is not used to skip the validation. Required, if Anyware Manager is using private CA signed cert that is not known to Connector Must in PEM format and including a single cert	Required	--manager-ca-cert --manager-insecure
tls-key and tls-cert for Connector	Not required if installing Connector for testing and --self-signed flag is used Required for production use to establish secure connection from PCoIP client to Connector Must in PEM format and including a single cert	Required	--tls-key, tls-cert --self-signed
The base DN to search for computers and users within AD	Not Required if one or more Connectors were installed and had AD synced in the same deployment Required if this is the first Connector in the deployment.	Optional	--computers-dn --users-dn
Domain Controller	Not required if DNS auto resolve from the --domain works as desired	Optional	--domain-controller
Security Gateway	For external connection, By default, the security gateway for external traffic is set to true.For internal traffic disable this feature using the --enable-security-gateway=false flag		--enable-security-gateway

Notes:

LDAPS Certificate: If --ldaps-ca-cert is not used, you can skip the certificate validation with --ldaps-insecure, or use --enable-ldap-plaintext for testing purposes.
TLS Connection: Ensure certificates for CAS Manager are in PEM format, containing a single cert. These are crucial for production environments.
Security Gateway: The security gateway for external traffic is enabled by default. To disable it for internal traffic, use the flag --enable-security-gateway=false.

Self Signed Certificate:

Follow these steps to install the self-signed certificate.
Guide: How to create and install a self-signed certificate on a Windows 2016 Active Directory (Do not make any changes in the script)

Use the following command to check if the certificate is installed:

openssl s_client -connect http://dc1.domain.com:636

Installing Anyware Connector

Internet-Connected Environment Setup:

Adding the Connector Repository:
Download the repository link from the website or check if the repository is already added by running this command:
sudo dnf repolist teradici-anyware-manager*
Configuring SELinux Components:
To check if SELinux is installed, run:
sudo dnf list installed | grep anyware-manager-selinux
If SELinux is not installed, follow these steps:
- Install the SELinux policies:
  sudo dnf install -y selinux-policy-base container-selinux
- Install a specific version of SELinux for K3s:
  sudo dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el8.noarch.rpm
- Install SELinux from the Anyware Manager repository:
  sudo dnf install -y anyware-manager-selinux
Installing the Connector RPM:
Install the Connector RPM and generate sample configuration files by running this command:
sudo dnf install -y anyware-connector

Darksite (Offline) Environment Setup:

Download and Transfer the Files:
Download the Darkside tar.gz file using a direct download or a script. Transfer the file to the target darksite machine.
Extract the Installation File:
After transferring the file, extract it by running:
sudo tar xzvf anyware-connector-offline_Linux.tar.gz
This creates a new folder that contains two files:
- anyware-connector-offline-deps.tar.gz
- install.sh (the installation script)
Install Anyware Connector Offline:
To install the Connector offline, navigate to the folder and run:
cd /PATH_OF_EXTRACTED_INSTALLATION_FILES
Then run:
sudo ./install.sh

Generating a Connector Token

To generate a Connector token, follow these steps:

In the console sidebar, click Connectors.
Click the Add Connector button (the "+" sign next to Connectors heading).
Enter the required information:
- Select or create the deployment you want to add the Connector to.
- Enter the name of the Connector.
Click Generate.
Copy the Connector token using the copy icon.

Configuring the Anyware Connector for Anyware Manager

After installing the Connector RPM and generating a Connector token, configure the Connector to work with the Anyware Manager by running the following commands:

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/awc_connector_install/

Quick Start Configuration:

Set the token environment variable using:
export token=<token from Anyware Manager Admin Console>
Run the configuration command:

/usr/local/bin/anyware-connector configure \

--manager-url 'https://ipv4.Anyware.Manager.Installable' \

--token $token \

--domain 'testlab.internal' \

--sa-user 'sampleuser' \

--sa-password 'passwordstring' \

--accept-policies \

--self-signed \

--ldaps-insecure \

--manager-insecure

Typical Configuration:

Set the token environment variable using:
export token=<token from Anyware Manager Admin Console>
Run the configuration command:

sudo /usr/local/bin/anyware-connector configure \

--manager-url 'https://ipv4.Anyware.Manager.Installable' \

--token $token \

--domain 'testlab.internal' \

--sa-user 'sampleuser' \

--sa-password 'Passwordstring' \

--ldaps-ca-cert '/home/rocky/DC-Cert.pem' \

--computers-dn 'CN=Computers,DC=testlab,DC=internal' \

--users-dn 'CN=Users,DC=testlab,DC=internal' \

--external-pcoip-ip 'public.ipv4.sg.ip' \

--self-signed \

--accept-policies \

--manager-insecure

MFA & FedOauth+SSO) Setup

HP Anyware Manager as a Service SAML Multi Admin setup - Instructions for setting up HP Anyware Manager as a service with SAML Multi Admin can be found here: SAML Multi Admin setup
MFA Setup with DUO - DUO MFA Integration in AWS
MFA setup with OKTA - OKTA MFA Integration in AWS
Federated OAuth Setup - For configuring Federated OAuth, please refer to: Federated OAuth Setup
SSO Setup - Instructions for Single Sign-On (SSO) setup are available at the following links: SSO Setup and Preparing SSO

Connector multifactorAuthentication flags

Configuration File Parameter	Flag	Description
enable	--enable-mfa	This flag can be used if you wish to enable multi-factor authentication. Multi-factor authentication will be enabled for all connections, both internal and external. Internal users will be required to enter the multi-factor authentication code for the Connector when connecting to the PCoIP Client. It is recommended to install separate Connectors for internal vs external connections. A boolean parameter.
port	--radius-port	This is the RADIUS server port. If not specified, the default port (1812) is used. If --radius-server is specified, then this flag is optional. A string parameter.
server	--radius-server	The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. A string parameter.
sharedSecret	--radius-secret	The shared secret used for configuring RADIUS authentication. If --radius-server is specified then this flag is required. A string parameter.

Federated Authentication

Configuration File Parameter	Flag	Description
--enable-oauth	Boolean	Enables Oauth authentication. (Default=False)
--id-provider-url	String	Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.okta.com. This flag is required if --enable-oauth is true.
--oauth-client-id	String	Gets the Client ID from the Identity Provider. This flag is required if --enable-oauth is true.
--fa-url	String	The Federated Auth Broker URL. for example https://cac-vm-fqdn:port
--oauth-flow-code	String	Specify the oauth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"). "OAUTH_FLOW_CODE_WITH_PKCE" is the only supported oauth flow for now
--enable-entitlements-by-upn	Boolean	Enables/Disables searching entitlements by UPN. This flag is required to be true, if --enable-oauth is true.

Federated Authentication With Single Sign-On

Configuration File Parameter	Flag	Description
Configuration File Parameter	Flag	Description
--sso-signing-csr-ca	String	Path to copy intermediate CA Certificate.
--sso-signing-csr-key	String	Path to the intermediate key.
--sso-signing-crl	String	Path to a certificate revocation list.
--sso-enrollment-url	String	Gets the URL to the Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-domain	String	Domain of the user to access Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-username	String	Username for accessing Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-password	String	Password for the username to access Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-certificate-template-name	String	Name of the certificate template that Active Directory Certificate Services (AD CS) uses to sig CSR.