System Planning
Before deploying the PCoIP Connection Manager and PCoIP Security Gateway, ensure you understand the PCoIP session establishment process and how load balancers and firewalls fit in.
Session Establishment
Here's the sequence of events involved in establishing a PCoIP session in a typical brokered scenario. In this example, the PCoIP client is outside the firewall, so the PCoIP Security Gateway is enabled to secure the connection and to proxy authorized traffic.
1. A user provides a server name and address to their PCoIP client, which passes the data to the PCoIP Connection Manager (optionally relayed through a load balancer).
2. The Connection Manager communicates with the Connection Broker to authenticate the user and to obtain the list of desktops the user is entitled to use.
3. The Connection Broker passes the list of desktops back to the PCoIP Client.
4. The user selects a desktop from the client UI, and their choice is passed back to the PCoIP Connection Manager.
5. The PCoIP Connection Manager prepares the PCoIP Security Gateway and the requested desktop's PCoIP Agent.
6. The PCoIP Agent acquires a session license from a licensing service (either the PCoIP Cloud Licensing Service or a local PCoIP License Server).
7. The PCoIP session is established. The PCoIP Client now communicates directly with the selected desktop using the PCoIP Protocol.
Note: PCoIP Security Gateway in LAN systems
The PCoIP Security Gateway secures PCoIP communications through the firewall. In systems where PCoIP clients are on the WAN, PCoIP traffic is relayed through the PCoIP Security Gateway. When the entire PCoIP system is on your company LAN, the PCoIP Security Gateway is unnecessary and the PCoIP Client and PCoIP agent communicate directly.
Load Balancing
You can use load balancers in front of multiple connection managers and security gateways to distribute system load to optimize performance. The load balancer must support the following:
- HTTPS
- Sticky sessions by the jsessionid
During session establishment, the PCoIP Connection Manager retrieves the public IP addresses of the PCoIP Security Gateways and passes them to the client. After the session is established, the client uses a provided IP address to communicate directly with a PCoIP Security Gateway.
Important: The PCoIP Security Gateway's public IP address must be set during installation
When a PCoIP Security Gateway is installed using the --enable-security-gateway flag, its public IP address is set using the --external-pcoip-ip flag during installation.
If the public IP address is configured to point to the load balancer instead of the PCoIP Security Gateway, the load balancer may direct the client to a PCoIP Security Gateway on the wrong server. If this happens, the client will not be able to establish a session.
Public IP Address
Any machine hosting a PCoIP Connection Manager and/or a PCoIP Security Gateway must have a public IP address if it is accessed directly from the WAN.
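The two planning notes above (the external address handed to clients must be the gateway's own, not the load balancer's, and a WAN-facing gateway needs a public address) are the kind of thing worth checking before clients ever connect. The following is an added example and not code from the PCoIP Connection Manager or Security Gateway installer: it takes a constructed inventory of gateways with the value each was given for --external-pcoip-ip (the `SecurityGateway` class, host names and addresses are all assumptions for the illustration) and reports the misconfigurations the notes describe, plus two gateways advertising the same address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SecurityGateway:
    """One PCoIP Security Gateway host (names and addresses are constructed)."""
    host: str               # server name, used for reporting only
    external_pcoip_ip: str  # the value passed to --external-pcoip-ip at install time


def check_gateway_addresses(gateways, load_balancer_ip, wan_facing=True):
    """Return a list of problems with the addresses clients would be handed.

    Checks, following the planning notes:
      * --external-pcoip-ip must not be the load balancer's address, or the
        load balancer may send the client to a gateway on the wrong server;
      * a gateway reached directly from the WAN needs a public address;
      * two gateways must not advertise the same external address.
    """
    problems = []
    lb = ipaddress.ip_address(load_balancer_ip)
    seen = {}  # external IP -> host that first advertised it
    for gw in gateways:
        ip = ipaddress.ip_address(gw.external_pcoip_ip)
        if ip == lb:
            problems.append(
                f"{gw.host}: --external-pcoip-ip {ip} is the load balancer "
                "address; the client may be sent to the wrong gateway")
        if wan_facing and not ip.is_global:
            problems.append(
                f"{gw.host}: {ip} is not a public address but the gateway "
                "is reached directly from the WAN")
        if ip in seen:
            problems.append(
                f"{gw.host}: external IP {ip} is also advertised by {seen[ip]}")
        else:
            seen[ip] = gw.host
    return problems


if __name__ == "__main__":
    # Constructed sample: sg-b was mistakenly given the load balancer's address.
    sample = [
        SecurityGateway("sg-a", "192.168.10.11"),
        SecurityGateway("sg-b", "192.168.10.5"),
    ]
    for line in check_gateway_addresses(sample, "192.168.10.5", wan_facing=False):
        print(line)
```

Run it against the real values recorded at installation time; an empty list means none of the three conditions was found. `wan_facing=False` skips the public-address check for an all-LAN deployment, where the gateway is not needed anyway.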
To see how load balancers fit into firewall configurations, refer to Configuring Firewalls.
Configuring Firewalls
If there is a firewall on the PCoIP Connection Manager server, ensure the ports used by PCoIP traffic are open so that users can reach their desktops. The following table lists the default port numbers.
Firewall recommendations for establishing a PCoIP Session
Source | Port | Destination | Port | Description |
---|---|---|---|---|
PCoIP Client | * | PCoIP Connection Manager | TCP: 443 | PCoIP broker protocol (HTTPS) |
PCoIP Connection Manager | * | Connection broker | TCP: 443 | PCoIP broker protocol (HTTPS) |
PCoIP Connection Manager | * | PCoIP Agent | TCP: 60443 | PCoIP agent protocol |
PCoIP Client | * | PCoIP Security Gateway | UDP: 4172 | PCoIP user data |
PCoIP Client | * | PCoIP Security Gateway | TCP: 4172 | PCoIP control information |
PCoIP Security Gateway | * | PCoIP Agent | TCP: 4172 | PCoIP control information |
PCoIP Security Gateway | UDP: 55000 | PCoIP Agent | UDP: 4172 | PCoIP user data. When deploying a desktop with a PCoIP agent, only port 4172 needs to be open. |
Inbound Connections
Ensure these ports are open for inbound connections:
Port | Purpose |
---|---|
443 TCP | Used by clients to connect to the PCoIP Connection Manager |
4172 TCP/UDP | Used by authorized clients to connect to the PCoIP Security Gateway |
Instructions for opening these ports are included in the installation procedures.
Note that RHEL 8 and Rocky Linux 8 permit all outbound traffic by default.
Important: Other required services may need open outbound ports
If the PCoIP Connection Manager is on a network behind a firewall that blocks outbound connections, ensure that the required ports for other required operating system services are open. We recommend that DHCP, DNS, and NTP are active for PCoIP Connection Manager operation.
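The port tables above are easy to check against a running host. The following is an added example, not part of the installation procedures this page refers to: it assumes the host runs firewalld (the default on RHEL 8 and Rocky Linux 8) and compares the output of `firewall-cmd --list-ports` with the inbound ports each role needs according to the tables. The role names and the sample `--list-ports` output are constructed for the illustration; the port numbers come from the tables.

```python
import re

# Inbound ports each PCoIP role must accept, taken from the firewall tables on
# this page, in the "<port>/<protocol>" form that firewalld prints.
REQUIRED_INBOUND = {
    # clients -> Connection Manager (PCoIP broker protocol over HTTPS)
    "connection-manager": {"443/tcp"},
    # clients -> Security Gateway (control information and user data)
    "security-gateway": {"4172/tcp", "4172/udp"},
    # Connection Manager -> Agent (60443) and Security Gateway -> Agent (4172)
    "agent": {"60443/tcp", "4172/tcp", "4172/udp"},
}


def parse_list_ports(output):
    """Parse 'firewall-cmd --list-ports' output: space-separated port/proto tokens."""
    return set(re.findall(r"\b(\d{1,5}/(?:tcp|udp))\b", output))


def required_inbound_ports(roles):
    """Union of the inbound ports needed by every role running on one host."""
    needed = set()
    for role in roles:
        needed |= REQUIRED_INBOUND[role]
    return needed


def missing_inbound_ports(roles, list_ports_output):
    """Required ports that the current firewalld configuration does not open."""
    return sorted(required_inbound_ports(roles) - parse_list_ports(list_ports_output))


def firewalld_commands(ports):
    """firewalld commands that would open the given ports persistently."""
    cmds = [f"firewall-cmd --permanent --add-port={p}" for p in sorted(ports)]
    if cmds:
        cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    # Constructed sample: a host running both the Connection Manager and the
    # Security Gateway, where only the TCP ports were opened.
    sample_output = "443/tcp 4172/tcp"
    missing = missing_inbound_ports(["connection-manager", "security-gateway"], sample_output)
    print("missing:", missing)
    for cmd in firewalld_commands(missing):
        print(cmd)
```

The script only reports; it prints the commands rather than running them, so the output can be reviewed before anything is changed. Ports opened by a firewalld service definition rather than `--add-port` will not appear in `--list-ports`, so a missing entry there is a prompt to check, not proof that the port is closed.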
Configuring Docker Network
The default Docker network for the PCoIP Connection Manager and the PCoIP Security Gateway is 10.101.0.0/24.
If your company network CIDR overlaps 10.101.0.0/24, use the --docker-network-cidr option to provide a new network CIDR for Docker during installation or updating. Addresses from any of the following CIDR classes can be used:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
For example: pcoip-cmsg-setup install --docker-network-cidr 172.16.0.0/24
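Checking for the overlap by hand is error-prone once the company network is more than one range, and a collision means containers and company hosts can end up with unreachable addresses. The following is an added example, not the installer's own logic: it uses Python's standard `ipaddress` module to detect whether any company CIDR overlaps the default 10.101.0.0/24, to verify that a replacement lies inside one of the three ranges listed above, and to propose the first free /24 (the choice of a /24 and of the first free candidate are assumptions of this example; the company networks are constructed).

```python
import ipaddress

# Default Docker network used by the Connection Manager and Security Gateway.
DEFAULT_DOCKER_CIDR = ipaddress.ip_network("10.101.0.0/24")

# The three ranges this page lists as usable for --docker-network-cidr.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def overlaps_company_network(company_cidrs, docker_cidr=DEFAULT_DOCKER_CIDR):
    """Return the company CIDRs (as given) that collide with the Docker network."""
    docker = ipaddress.ip_network(docker_cidr, strict=False)
    return [c for c in company_cidrs
            if ipaddress.ip_network(c, strict=False).overlaps(docker)]


def is_allowed_docker_cidr(cidr):
    """True if the CIDR lies entirely inside one of the listed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in ALLOWED_RANGES)


def pick_docker_cidr(company_cidrs, prefixlen=24):
    """First /prefixlen block in the allowed ranges that overlaps no company network.

    Walks the ranges in the order the page lists them; returns None if every
    candidate collides (only possible if the company uses all three ranges).
    """
    company = [ipaddress.ip_network(c, strict=False) for c in company_cidrs]
    for allowed in ALLOWED_RANGES:
        for candidate in allowed.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(c) for c in company):
                return candidate
    return None


def install_command(docker_cidr):
    """The install command line from this page with the chosen CIDR filled in."""
    return f"pcoip-cmsg-setup install --docker-network-cidr {docker_cidr}"


if __name__ == "__main__":
    # Constructed sample: the company already uses all of 10.0.0.0/8.
    company = ["10.0.0.0/8", "192.168.0.0/16"]
    clashes = overlaps_company_network(company)
    if clashes:
        print("default Docker network collides with:", clashes)
        chosen = pick_docker_cidr(company)
        print(install_command(chosen))
    else:
        print("default Docker network is fine")
```

With the constructed sample the proposal is 172.16.0.0/24, the same value the page uses in its example. Feed the function your real address plan (including VPN and cloud ranges, which are the ones usually forgotten) rather than only the local subnet.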