Configuration Guide
You can configure the Remote Workstation Card Agent for Windows, and optimize the PCoIP broker protocol for security, licensing and control panel behavior by adjusting the Windows GPO settings found in the admx template files.
GPO template files are automatically imported by the Remote Workstation Card Agent for Windows installer, except on domain controllers. You must manually import the files into the domain controller's Group Policy Editor.
To import the template on a domain controller:
- Copy the admx file from C:\Program Files\Teradici\PCoIP Agent\configuration\policyDefinitions\PCoIP.admx to C:\Windows\PolicyDefinitions
- Copy the adml file from C:\Program Files\Teradici\PCoIP Agent\configuration\policyDefinitions\en-US\PCoIP.adml to C:\Windows\PolicyDefinitions\en-US
Modifying PCoIP GPO Variables
The PCoIP broker protocol settings can be configured using this procedure. The configurable settings are described in the following section.
To modify a PCoIP session variable:
1. Open the Local Group Policy Editor on the agent machine:
   - Press Windows + R to open the Run dialog.
   - Type gpedit.msc and press Enter.
2. In the left pane, navigate to Administrative Templates and then to PCoIP Session Variables. The variables you can configure appear in the right pane.
3. Double-click the GPO you want to configure to open the variable's configuration window, then:
   - Select Enabled to enable the PCoIP setting.
   - Configure any parameters that are available for the setting.
   - Click OK to close the GPO's configuration window.
4. Repeat step 3 until all policies have been set.
5. Close the Local Group Policy Editor.
Note: Changes require a new PCoIP connection
Changes take effect on the next PCoIP connection to the desktop.
Only the settings documented here apply to the Remote Workstation Card Agent for Windows
The Remote Workstation Card Agent for Windows man pages document additional configuration settings, beyond those described here. These additional settings apply to virtual machine instances and have no effect on Remote Workstation Card systems. Only the settings described here apply to the Remote Workstation Card.
Configurable Settings
The following settings can be configured on the Remote Workstation Card Agent for Windows. Initially, all settings are not configured.
Enable Disclaimer Authentication
Directive | Options | Default |
---|---|---|
Enable disclaimer auth | Enabled (on), Disabled (off), Not configured | Not configured |
This setting takes effect when you start the next session. When this setting is enabled, users connecting via direct connect are presented with a disclaimer prior to password-based authentication. If the disclaimer is rejected, the user will not be able to connect.
Disclaimer files must be placed in %PROGRAMDATA%\Teradici\PCoIPAgent\disclaimers. Files must be named according to the locale, e.g. en_US.txt for en_US, ko_KR.txt for ko_KR, etc. If a file matching the negotiated locale is not present, en_US will be used as a fallback. If disclaimer text cannot be found, a blank disclaimer will be presented.
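The lookup order described above can be checked before the policy is enabled, so that no locale silently ends up with a blank disclaimer. This is an added example, not vendor code; the function name, the locale list and the treatment of an empty file as blank are assumptions made for the check.

```powershell
# Added example: mirror the documented lookup order for disclaimer files.
# Resolve-DisclaimerFile is a hypothetical helper name, not part of the agent.
function Resolve-DisclaimerFile {
    param(
        [Parameter(Mandatory)] [string] $Locale,   # negotiated locale, e.g. ko_KR
        [string] $Directory = (Join-Path $env:PROGRAMDATA 'Teradici\PCoIPAgent\disclaimers')
    )
    # Documented order: file for the negotiated locale first, then en_US.
    $candidates = @("$Locale.txt", 'en_US.txt') | Select-Object -Unique
    foreach ($name in $candidates) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $text = Get-Content -LiteralPath $path -Raw
            [pscustomobject]@{
                Locale   = $Locale
                File     = $path
                Fallback = ($name -ne "$Locale.txt")
                # Assumption of this check: an empty file is reported as blank.
                Blank    = [string]::IsNullOrWhiteSpace($text)
            }
            return
        }
    }
    # Neither file exists: per the page, a blank disclaimer is presented.
    [pscustomobject]@{ Locale = $Locale; File = $null; Fallback = $true; Blank = $true }
}

# Constructed sample list of locales your users are expected to negotiate.
'en_US', 'ko_KR', 'de_DE' |
    ForEach-Object { Resolve-DisclaimerFile -Locale $_ } |
    Format-Table -AutoSize
```

Any row with Blank set to True means users of that locale would accept an empty disclaimer.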
Enable the PCoIP control panel
Directive | Options | Default |
---|---|---|
Control panel | Enabled (on), Disabled (off), Not configured | Not configured |
This setting takes effect when the system is restarted. This policy enables or disables the PCoIP control panel. When enabled, the PCoIP control panel will be running, and when disabled the control panel will not be running. When not configured, the control panel runs by default.
License server URL
Directive | Options | Default |
---|---|---|
License server path | string (up to 511 characters) | Not configured |
This setting takes effect when you start the next session. This policy sets the license server path. Enter the license server path in https://address:port/request or http://address:port/request format.
PCoIP Security Certificate Settings
Directive | Options | Default |
---|---|---|
SSL cert type | From certificate storage; Generate a unique self-signed certificate; From certificate storage if possible, otherwise generate | Not configured |
Cert store name | string (up to 255 characters) | MY |
SSL cert min key length | 1024 bits; 2048 bits; 3072 bits; 4096 bits | Not configured |
This setting takes effect when you start the next session. This policy dictates the handling of certificates.
A certificate is used to secure PCoIP related communications. The way PCoIP components choose a certificate is based on the certificate type, the name of the Certificate Store (referred to as "certificate storage") and the key length. Without a certificate being generated or selected, a PCoIP Session cannot be established.
Depending on the value chosen for the option 'How the PCoIP agent chooses the certificate...' and the availability of appropriate certificates, PCoIP components may acquire a CA signed certificate from the Windows Certificate Store or generate an in-memory self-signed certificate.
Name the Windows Certificate Store where the CA signed certificate is stored. The default is the "MY" store (shown as "Personal" in Management Console). Set the friendly name of the CA signed certificate to be PCoIP, in the Windows Certificate Store.
CA certificate(s) must be stored in the "Trusted Root Certification Authorities" store (sometimes referred to as "ROOT").
Select a minimum key length (in bits) for choosing a CA signed certificate from the Windows Certificate Store. Longer length certificates will require more computing resources and may reduce performance, but will increase security. Shorter length certificates will provide better performance at the cost of lower security.
Note: Please refer to HP documentation for instructions on creating and deploying certificates.
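The selection criteria above (store name, friendly name PCoIP, minimum key length, CA in the trusted root store) can be audited on the agent machine before the policy is applied. This is an added example, not vendor code; it assumes the store is in the LocalMachine scope and that the certificate uses an RSA key, and the function name and default values are illustrative.

```powershell
# Added example: audit certificates the agent could select from the Windows store.
# Assumptions: LocalMachine scope and RSA keys; the defaults below are sample values.
function Test-PCoIPCertificate {
    param(
        [string] $StoreName  = 'MY',   # "Cert store name" policy value
        [int]    $MinKeyBits = 2048    # "SSL cert min key length" policy value
    )
    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.FriendlyName -eq 'PCoIP' })
    if (-not $found) {
        Write-Warning "No certificate with friendly name 'PCoIP' in LocalMachine\$StoreName"
        return
    }
    foreach ($cert in $found) {
        $rsa  = $rsaExt::GetRSAPublicKey($cert)          # $null for non-RSA keys
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }
        # Build the chain to confirm the issuing CA is in a trusted root store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'    # trust path only, no network
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            KeyBits       = $bits
            MeetsMinimum  = ($bits -ge $MinKeyBits)
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = ($cert.NotAfter -lt (Get-Date))
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted  = $trusted
            ChainStatus   = ($chain.ChainStatus.Status -join ', ')
        }
    }
}

Test-PCoIPCertificate -StoreName 'MY' -MinKeyBits 2048 | Format-List
```

A warning, or a row where MeetsMinimum, HasPrivateKey or ChainTrusted is False, means no usable CA signed certificate was found; with the "if possible, otherwise generate" option the agent would then generate a self-signed certificate.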
PCoIP Security Settings
Directive | Options | Default |
---|---|---|
TLS security mode | Maximum Compatibility | Not configured |
TLS cipher blacklist | string (up to 1023 characters) | Not configured |
Data encryption ciphers | AES-256-GCM, AES-128-GCM (default, AES-256-GCM preferred); AES-256-GCM only; AES-128-GCM only | Not configured |
This setting takes effect when you start the next session. Controls the cryptographic cipher suites and encryption ciphers used by PCoIP endpoints.
The endpoints negotiate the actual cryptographic cipher suites and encryption ciphers based on the settings configured here. Newer versions of TLS and stronger cipher suites will be preferred during negotiation between endpoints.
If this setting is not configured or disabled, the TLS Security Mode will be set to Maximum Compatibility, and the PCoIP Data Encryption Ciphers will be set to AES-256-GCM, AES-128-GCM.
TLS Security Mode
Maximum Compatibility offers TLS 1.1, 1.2 and a range of cipher suites including those that support Perfect Forward Security (PFS) and SHA-1. Supported cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_AES_256_GCM_SHA384
Blacklisted Cipher Suites
Provides the ability to block specific cipher suites from being offered during negotiation. Must be entered as a semicolon-separated list of cipher suites.
PCoIP Data Encryption Ciphers
Encryption ciphers used for PCoIP UDP data encryption. "AES-256-GCM, AES-128-GCM" is the default setting. AES-256-GCM will get negotiated if the client supports it, otherwise, AES-128-GCM will get negotiated.
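A blacklist value can be checked for format and effect before it is entered in the TLS cipher blacklist field. This is an added example, not vendor code; the supported list is copied from this page, and the function name and the sample value (which contains a deliberate typo) are constructed.

```powershell
# Added example: sanity-check a "TLS cipher blacklist" value before it goes into the GPO.
# Supported suites as listed on this page for Maximum Compatibility.
$Supported = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_AES_256_GCM_SHA384'
)

# Test-CipherBlacklist is a hypothetical helper name.
function Test-CipherBlacklist {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Value)

    # Split on semicolons, trim whitespace, drop empty entries.
    $entries   = @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $unknown   = @($entries   | Where-Object { $_ -notin $Supported })
    $remaining = @($Supported | Where-Object { $_ -notin $entries })

    $problems = @()
    if ($Value.Length -gt 1023) {
        $problems += "value is $($Value.Length) characters; the field holds up to 1023"
    }
    if ($Value -match ',') {
        $problems += 'contains a comma; entries must be separated by semicolons'
    }
    if ($unknown) {
        $problems += "not in the list on this page (possible typo): $($unknown -join ', ')"
    }
    if (-not $remaining) {
        $problems += 'every suite listed on this page is blocked'
    }
    [pscustomobject]@{
        Blocked   = $entries
        Remaining = $remaining
        Problems  = $problems
        Valid     = ($problems.Count -eq 0)
    }
}

# Constructed sample: the second entry is misspelled (SH384), so it blocks nothing.
$sample = 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_GCM_SH384'
Test-CipherBlacklist -Value $sample | Format-List
```

A misspelled suite name is the failure worth catching here, because the suite the administrator meant to block stays available for negotiation.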
PCoIP event log verbosity
Directive | Range | Increment | Default |
---|---|---|---|
Event filter mode | 0 – 3 | 1 | 2 |
This setting takes effect immediately. This policy enables the configuration of the PCoIP event log verbosity ranging from 0 (least verbose) to 3 (most verbose).
When this policy is Disabled or Not Configured, the default event log verbosity setting is 2. When this policy is Configured, the setting controls the verbosity level as described above.
PCoIP log retention
Directive | Range | Increment | Default |
---|---|---|---|
Max log retention days | 7 – 100 | 1 | 30 |
This setting takes effect immediately. This policy sets the retention period (in days) for PCoIP logs that have been archived. PCoIP log files are periodically archived to %PROGRAMDATA%\Teradici\logs\ROTATE. When this policy is Disabled or Not Configured, archived logs that have not been modified in 30 days are removed. When this policy is Configured, the setting controls the retention period as described above.
When configuring a retention period, PowerShell 4.0 or newer is required. If an older PowerShell version is installed, the default retention period will be used regardless of the configured setting.
Proxy Access to a remote License Server
Directive | Options | Range | Increment | Default |
---|---|---|---|---|
License proxy server | string (up to 511 characters) | | | Not configured |
License proxy port | | 0 – 65535 | 1 | Not configured |
This setting takes effect when you start the next session. If a proxy is required to access a local License Server or the Cloud License Server, enter those parameters here. These parameters are loaded only during agent startup.