Installing for Offline Environments
If the PCoIP Connection Manager and PCoIP Security Gateway machine does not have a connection to the public internet, you must create a temporary internet-connected machine to download a pre-created offline installation bundle and then transfer the bundle to the production machine.
For information on bundle dependencies, see System Requirements.
Before You Begin
Before you proceed with installation, note the following:
- If your connection broker is configured to identify resources by host name, then DNS must be available and configured as follows:
  - Host names must be resolvable from the PCoIP Connection Manager server.
  - Host names must be resolvable from the PCoIP broker.
Downloading Offline Installation Bundle
You'll need a temporary machine with internet access.
- On the temporary machine, open a browser and go to the PCoIP Connection Manager and PCoIP Security Gateway download page, and download the installation bundle.
- Transfer the installation bundle to the production machine using any acceptable method, such as a USB flash drive or SCP.
Note: Create Offline Bundle
If you prefer to create your own offline bundle for specific reasons, you can follow the bundle creation procedure. However, we recommend using the pre-created offline installation bundle.
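The bundle crosses to the production machine on removable media or over SCP and is then extracted and run with sudo, so it is worth confirming that it arrived unmodified and unpacks only where expected. The following is an added example, not part of the product documentation: `bundle_sha256` and `verify_bundle` are hypothetical helper names, the hash is one you record yourself on the temporary machine (the page does not mention a published checksum), and the top-level directory name is taken from the extraction step on this page.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of pcoip-cmsg-setup.

# bundle_sha256 FILE
# Print the SHA-256 of the bundle. Run this on the temporary machine and carry
# the value to the production machine separately from the bundle itself.
bundle_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_bundle FILE EXPECTED_SHA256 [TOP_DIR]
# Returns 0 only if the hash matches and every archive member stays inside
# TOP_DIR (default: teradici-pcoip-cmsg-bundle). Nothing is extracted.
verify_bundle() {
    bundle=$1 expected=$2 top=${3:-teradici-pcoip-cmsg-bundle}
    actual=$(bundle_sha256 "$bundle")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $bundle: got '$actual'" >&2
        return 1
    fi
    # List members first so a corrupt archive is reported as an error.
    members=$(tar tzf "$bundle") || return 2
    printf '%s\n' "$members" | while IFS= read -r member; do
        member=${member#./}          # tolerate a leading ./ prefix
        case $member in
            /*|../*|*/../*|*/..) echo "unsafe path: $member" >&2; exit 1 ;;
            "$top"|"$top"/*) ;;      # inside the expected directory
            *) echo "unexpected member: $member" >&2; exit 1 ;;
        esac
    done || return 1
    return 0
}
```

Run `bundle_sha256` on the temporary machine, then call `verify_bundle pcoip-cmsg-setup_darksite-<version>.el8.tar.gz <recorded hash>` on the production machine before extracting the bundle.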
Installing PCoIP Connection Manager and the PCoIP Security Gateway
To install the PCoIP Connection Manager and the PCoIP Security Gateway:
- SSH into the production machine.
- Navigate to the directory where you placed the installer bundle.
- Extract the bundle and move into the newly created teradici-pcoip-cmsg-bundle directory:
  - RHEL 8

    ```text
    tar xzvf pcoip-cmsg-setup_darksite-<version>.el8.tar.gz
    ```

    ```text
    cd teradici-pcoip-cmsg-bundle
    ```
  - RHEL 9

    ```text
    tar xzvf pcoip-cmsg-setup_darksite-<version>.el9.tar.gz
    ```

    ```text
    cd teradici-pcoip-cmsg-bundle
    ```
- Run the pcoip-cmsg-setup-offline.sh script to complete the installation:
  - To install dependencies and follow the setup prompts to set up PCoIP Connection Manager and the PCoIP Security Gateway, run the following command and skip the next step:

    ```text
    sudo ./pcoip-cmsg-setup-offline.sh
    ```
  - To install dependencies and run pcoip-cmsg-setup later to set up PCoIP Connection Manager and the PCoIP Security Gateway:

    ```text
    sudo ./pcoip-cmsg-setup-offline.sh -d
    ```
- Move back up one directory level and then install the PCoIP Connection Manager and PCoIP Security Gateway:

  ```text
  cd ..
  sudo pcoip-cmsg-setup install --darksite-bundle-path teradici-pcoip-cmsg-bundle <installation_flags>
  ```
Important: Required installation flags
There are a number of options and settings available. You can invoke the `install` command with the `--help` flag to list them:

```text
pcoip-cmsg-setup install --help
```

They are also listed in the next section.
The `install` command will prompt you for required parameters that have not been supplied via flags.
Installation Flags and Options
The following flags can be used to provide values at the command line. Flags that are required are identified in the description.
Boolean values should be provided as either `true` or `false`, lowercased, as in this example:

```text
--example-flag=true
```
Flag | Type | Description |
---|---|---|
--accept-policies | Boolean | Automatically accepts the EULA and Privacy Policy. Required. |
--broker-url | String | The URL of the PCoIP Broker, specified either as a https:// Required. |
--ca-cert | String | The full path and filename of the custom Certificate Authority's public certificate to be used in the PCoIP Connection Manager and PCoIP Security Gateway. Required if --self-signed is not used. |
--compose-file | String | Specify the full path to a local docker-compose file. |
--darksite-bundle-path | string | The path of the darksite install bundle to be used for darksite installation. |
--docker-password | String | Password to log in to the private registry. |
--docker-registry | String | Specifies the HP source for Anyware Connector images to be installed from. Debugging only: This is intended to be used for debugging purposes and should not be used without guidance from HP support. Using this flag incorrectly can result in failed installations. |
--docker-username | String | Username to log in to the private registry. |
--enable-collaboration | Boolean | Allow multiple PCoIP clients to collaborate on a PCoIP agent. (Default=true) |
--enable-ipv6 | Boolean | Enables IPv6 connections (Default=false). To enable IPv6 use --enable-ipv6=true. To disable IPv6 use --enable-ipv6=false, or omit this flag. |
--external-pcoip-ip | StringArray | Sets the public IP address of the Security Gateway. If --enable-ipv6 is true, this option may be used twice (once for IPv4 and once for IPv6). Required if PCoIP Security Gateway is enabled. |
--enable-security-gateway | Boolean | Enable and use the PCoIP Security Gateway (Default=true). |
--help | | Lists all available flags. |
--host-address | stringArray | Sets the host FQDN/IP address. The option may be used twice (once for the IP address and once for the FQDN). |
--ignore-disk-req | Boolean | Ignore the check for the minimum disk space requirement. |
--license-server-url | String | The address of the locally installed PCoIP License Server. Example: https://<license-server-address>:<port> |
--self-signed | Boolean | Automatically generate self-signed SSL cert and key for testing purposes. If specified, --ssl-key and --ssl-cert options are ignored. |
--ssl-cert | String | The full path and filename of the SSL certificate to be used in the PCoIP Connection Manager and PCoIP Security Gateway. Required if --self-signed is not used. |
--ssl-key | String | The full path and filename of the SSL key to be used in the PCoIP Connection Manager and PCoIP Security Gateway. Required if --self-signed is not used. |
--docker-network-cidr | | Sets the CIDR for the Connection Manager's docker network for services. If the default docker network IP range conflicts with the intranet, use this option to resolve the conflict. |
--debug | String | Sets the log verbosity higher to help with debugging installation issues. |
--enable-connection-manager | Boolean | Enable and use the PCoIP Connection Manager (Default=true). |
--external-sg-ip | StringArray | Sets public IP addresses of external Security Gateways to enable gateway failover if a Security Gateway becomes unavailable. IP addresses should be provided in the format --external-sg-ip=ipAddr1 --external-sg-ip=ipAddr2... |
--jwt-verifying-cert | String | The full path and filename of the certificate that the Security Gateway should use to validate the JWT token. |
--jwt-signing-key | String | The full path and filename of the key to sign a JWT. It is used by the Connection Manager for signing the JWT token. |
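When --self-signed is not used, the files passed to --ssl-cert, --ssl-key and --ca-cert can be checked before the installer runs, which catches a private key readable by other users, a key that does not belong to the certificate, and an expired certificate. This is an added example, not part of the product documentation: `check_tls_inputs` is a hypothetical helper, and it assumes GNU `stat` and the `openssl` command-line tool are available on the RHEL host.

```shell
#!/bin/sh
# Added example: check_tls_inputs is a hypothetical helper, not a product command.

# check_tls_inputs CERT KEY CA
# CERT, KEY and CA are the files intended for --ssl-cert, --ssl-key, --ca-cert.
# Returns 0 if all checks pass, 1 on a failed check, 2 if a file is unusable.
check_tls_inputs() {
    cert=$1 key=$2 ca=$3
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # The private key must not be accessible to group or others.
    mode=$(stat -c '%a' "$key") || return 2
    case $mode in
        *00) ;;
        *) echo "key mode $mode is too open; use chmod 600" >&2; return 1 ;;
    esac
    # The certificate and the key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    # The server certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 1; }
    # The CA file must at least parse as an X.509 certificate.
    openssl x509 -in "$ca" -noout 2>/dev/null ||
        { echo "CA file is not a PEM certificate" >&2; return 2; }
    return 0
}
```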
Federated Authentication Flags
Flag | Type | Description |
---|---|---|
--enable-oauth | Boolean | Enables OAuth authentication. (Default=false) |
--id-provider-url | String | Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.id.provider.com. This flag is required if --enable-oauth is true. |
--oauth-client-id | String | Gets the Client ID from the Identity Provider. This flag is also required if --enable-oauth is "true". |
Federated Authentication Single Sign-On Flags
Flag | Type | Description |
---|---|---|
--fa-url | String | Overrides the Federated Auth Broker URL provided to the PCoIP Agent. This flag can be used if auto-detection is not correctly determining the connector address. For example: https://cac-vm-fqdn:port |
--enable-sso | Boolean | Enables SSO. (Default=False) |
--sso-signing-csr-ca | String | Path to copy intermediate CA Certificate. |
--sso-signing-csr-key | String | Path to the intermediate key. |
--sso-signing-crl | String | Path to a certificate revocation list. |
--sso-enrollment-url | String | Gets the URL to the Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-domain | String | Domain of the user to access Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-username | String | Username for accessing Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-password | String | Password for the username to access Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-certificate-template-name | String | Name of the certificate template that Active Directory Certification Authority Web Enrollment Service uses to sign CSR. |
Enabling or Disabling the PCoIP Security Gateway
By default, the PCoIP Security Gateway is enabled when the bundle is installed. This configuration is highly recommended for deployments where users will connect over the WAN. If your users are behind a firewall and do not access their desktops from the WAN, you may not need the PCoIP Security Gateway.
If you are sure that you do not need the PCoIP Security Gateway, reinstall the bundle using the `--enable-security-gateway=false` flag.
To reenable the PCoIP Security Gateway, reinstall the bundle using the default options.
Creating the Installation Bundle
First, you'll download the package and dependencies to a temporary internet-connected machine and create an installation bundle.
To create the offline installation bundle:
- Install Docker onto the temporary machine.
- On the temporary machine, open a browser and go to the PCoIP Connection Manager and PCoIP Security Gateway download page.
- Click Downloads and scripts. If you see a login button instead, click it to log into the site and then proceed.
- Accept the End User License Agreement, then click Set Up Repository. The window will expand and show the setup scripts for each supported operating system. Copy the command for your system to the clipboard.
- Open a console window and paste in the command you copied in the previous step. You may need to press Enter to execute it.
  The command fetches a configuration script from our servers and runs it locally, setting up and configuring the repository on the local machine.
- Install pcoip-cmsg-setup:

  ```text
  sudo dnf install pcoip-cmsg-setup
  ```
- Find and note the rpm name for the setup package. We will use this name when creating the offline bundle next.

  ```text
  sudo dnf info pcoip-cmsg-setup
  ```

  The rpm name will be similar to this: `pcoip-cmsg-setup-<version>-<release>`.
- Create the offline install bundle:

  ```text
  sudo pcoip-cmsg-setup create-darksite-bundle --pcoip-cmsg-rpm-path <rpm name>
  ```

  ...where `<rpm name>` is the name you noted in the previous step. The process will create a tarball called teradici-pcoip-cmsg-bundle.tar.gz.
Once this process has completed successfully, you can dispose of the temporary machine.