System Planning¶
Before deploying the Connection Manager and Security Gateway, ensure you understand the PCoIP session establishment process and how load balancers and firewalls fit in.
Session Establishment¶
Here's the sequence of events involved in establishing a PCoIP session in a typical brokered scenario. In this example, the Anyware client is outside the firewall, so the Security Gateway is enabled to secure the connection and to proxy authorized traffic.
1. A user provides a server name and address to their Anyware client, which passes the data to the Connection Manager (this request can be relayed through a load balancer).
2. The Connection Manager communicates with the Connection Broker to authenticate the user and to obtain the list of desktops the user is entitled to use.
3. The Connection Broker passes the list of desktops back to the Anyware Client.
4. The user selects a desktop from the client UI, and their choice is passed back to the Connection Manager.
5. The Connection Manager prepares the Security Gateway and the requested desktop's Anyware Agent.
6. The Anyware Agent acquires a session license from a licensing service (either the PCoIP Cloud Licensing Service or a local License Server).
7. The PCoIP session is established. The Anyware Client now communicates with the selected desktop using the PCoIP Protocol; in this example the traffic is relayed through the Security Gateway, whereas in a deployment without a Security Gateway the client and agent communicate directly.
Note: Security Gateway in LAN systems
The Security Gateway secures PCoIP communications through the firewall. When Anyware clients connect from the WAN, PCoIP traffic is relayed through the Security Gateway. When the entire PCoIP system is on your company LAN, the Security Gateway is unnecessary and the Anyware Client and Anyware Agent communicate directly.
Load Balancing¶
You can use load balancers in front of multiple connection managers and security gateways to distribute system load to optimize performance. The load balancer must support the following:
- HTTPS
- Sticky sessions (session affinity) keyed on the `jsessionid` cookie
During session establishment, the Connection Manager retrieves the public IP addresses of the Security Gateways and passes them to the client. After the session is established, the client uses the provided IP address to communicate directly with that Security Gateway, bypassing the load balancer.
Important: The Security Gateway's public IP address must be set during installation
When a Security Gateway is installed using the `--enable-security-gateway` flag, its public IP address is set using the `--external-pcoip-ip` flag during installation.
If `--external-pcoip-ip` is set to the load balancer's address instead of the Security Gateway's own public address, the load balancer may forward the client's PCoIP traffic to a Security Gateway on a different server than the one the Connection Manager prepared for the session. If this happens, the client cannot establish a session.
Public IP Address
Each machine that hosts a Connection Manager and/or a Security Gateway must have a public IP address if it is accessed directly from the WAN.
To see how load balancers fit into firewall configurations, refer to Configuring Firewalls.
Configuring Firewalls¶
If there is a firewall on the Connection Manager server, ensure the ports for PCoIP traffic are open so that users can reach their desktops. The table below lists the default port numbers.
Firewall recommendations for establishing a PCoIP Session
Source | Port | Destination | Port | Description |
---|---|---|---|---|
Anyware Client | * | Connection Manager | TCP: 443 | PCoIP broker protocol (HTTPS) |
Connection Manager | * | Connection broker | TCP: 443 | PCoIP broker protocol (HTTPS) |
Connection Manager | * | Anyware Agent | TCP: 60443 | Anyware agent protocol |
Anyware Client | * | Security Gateway | UDP: 4172 | PCoIP user data |
Anyware Client | * | Security Gateway | TCP: 4172 | PCoIP control information |
Security Gateway | * | Anyware Agent | TCP: 4172 | PCoIP control information |
Security Gateway | UDP: 55000 | Anyware Agent | UDP: 4172 | PCoIP user data. For PCoIP session traffic to a desktop running an Anyware Agent, only destination port 4172 needs to be open. |
Inbound Connections¶
Ensure these ports are open for inbound connections:
Port | Purpose |
---|---|
443 TCP | Used by clients to connect to the Connection Manager |
4172 TCP/UDP | Used by authorized clients to connect to the Security Gateway |
Instructions for opening these ports are included in the installation procedures.
Note that RHEL 8 and Rocky Linux 8 permit all outbound traffic by default.
Important: Other required services may need open outbound ports
If the Connection Manager is on a network behind a firewall that blocks outbound connections, also ensure that the ports used by the operating system services it depends on are open. We recommend that DHCP, DNS, and NTP be reachable for Connection Manager operation.
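The port table above is written per flow; a host's firewall is written per host. The following Python script is added here as an example and is not part of the Connection Manager or Security Gateway installer. It encodes the rows of the table and derives, for a host running any combination of the Connection Manager, Security Gateway and Anyware Agent roles, the inbound ports to open and the outbound destination ports to allow when egress is filtered, then emits the corresponding firewalld commands for RHEL 8 / Rocky Linux 8. The role names, function names and the use of firewalld's `public` zone are assumptions of the example.

```python
"""Derive per-host firewall rules from the documented PCoIP port table.

Added example, not part of the Connection Manager / Security Gateway
documentation or installer. It encodes the flows from the "Firewall
recommendations" table and derives, for a host that runs the Connection
Manager ("cm"), the Security Gateway ("sg"), a desktop with the Anyware
Agent ("agent"), or several of these, the inbound ports that must be open
and the outbound destination ports that must be allowed when egress is
filtered. The firewalld command lines are an assumption about how you
would apply the rules on RHEL 8 / Rocky Linux 8.
"""
import argparse
import shlex
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str       # role that opens the connection
    dst: str       # role that listens
    port: int      # destination port
    proto: str     # "tcp" or "udp"
    purpose: str


# One entry per row of the documented table. Source ports are ephemeral
# ("*") except Security Gateway -> Agent UDP, which uses source port 55000;
# that is not a listening port on the gateway, so it is not modelled here.
FLOWS: Tuple[Flow, ...] = (
    Flow("client", "cm", 443, "tcp", "PCoIP broker protocol (HTTPS)"),
    Flow("cm", "broker", 443, "tcp", "PCoIP broker protocol (HTTPS)"),
    Flow("cm", "agent", 60443, "tcp", "Anyware agent protocol"),
    Flow("client", "sg", 4172, "udp", "PCoIP user data"),
    Flow("client", "sg", 4172, "tcp", "PCoIP control information"),
    Flow("sg", "agent", 4172, "tcp", "PCoIP control information"),
    Flow("sg", "agent", 4172, "udp", "PCoIP user data"),
)

Port = Tuple[int, str]


def inbound_ports(roles: Iterable[str]) -> Set[Port]:
    """Ports a host must accept, given the roles running on it."""
    roles = set(roles)
    return {(f.port, f.proto) for f in FLOWS if f.dst in roles}


def outbound_ports(roles: Iterable[str]) -> Set[Port]:
    """Destination ports a host must be allowed to reach when egress is filtered.

    Flows between two roles on the same host stay local and need no egress
    rule, so they are excluded.
    """
    roles = set(roles)
    return {(f.port, f.proto) for f in FLOWS
            if f.src in roles and f.dst not in roles}


def firewalld_commands(roles: Iterable[str], zone: str = "public") -> List[str]:
    """firewall-cmd lines that open the inbound ports permanently, then reload."""
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-port={port}/{proto}"
            for port, proto in sorted(inbound_ports(roles))]
    cmds.append("firewall-cmd --reload")
    return cmds


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("--role", action="append", choices=["cm", "sg", "agent"],
                        required=True, help="role(s) hosted on this machine; repeatable")
    parser.add_argument("--zone", default="public", help="firewalld zone (assumed: public)")
    parser.add_argument("--apply", action="store_true",
                        help="run the firewall-cmd lines instead of printing them")
    args = parser.parse_args()

    print("# inbound (listening) ports:")
    for port, proto in sorted(inbound_ports(args.role)):
        print(f"#   {port}/{proto}")
    print("# outbound destination ports (only if egress is filtered):")
    for port, proto in sorted(outbound_ports(args.role)):
        print(f"#   {port}/{proto}")
    for cmd in firewalld_commands(args.role, args.zone):
        if args.apply:
            subprocess.run(shlex.split(cmd), check=True)
        else:
            print(cmd)


if __name__ == "__main__":
    main()
```

Run it as `python3 cmsg_fw.py --role cm --role sg` to print the commands for a combined Connection Manager and Security Gateway host, and add `--apply` to execute them as root. The outbound list only matters when egress is filtered, which is the case the Important note above describes; a default RHEL 8 or Rocky Linux 8 host already permits outbound traffic.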
Configuring Docker Network¶
The default Docker network for the Connection Manager and the Security Gateway is 10.101.0.0/24.

If your company network overlaps 10.101.0.0/24, use the `--docker-network-cidr` option to provide a different network CIDR for Docker during installation or update. An overlapping range would make the hosts in that part of your company network unreachable from the containers, so check for overlap before installing. Addresses from any of the following private (RFC 1918) ranges, traditionally called Class A, B and C, can be used:

- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255

For example:

```
pcoip-cmsg-setup install --docker-network-cidr 172.16.0.0/24
```
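Before passing `--docker-network-cidr`, check the candidate against the company's address plan rather than trusting that it looks unused. The script below is an added example and is not part of pcoip-cmsg-setup: it uses Python's `ipaddress` module to verify that the value is a proper network address inside one of the three private ranges, to list any company networks it overlaps, and to propose the first free /24 when it does. The company CIDRs in `main()` are constructed sample input, and the function names are the example's own.

```python
"""Pre-flight check for the --docker-network-cidr value.

Added example, not part of the pcoip-cmsg-setup installer. It checks that
a candidate Docker network is a valid network address, lies inside one of
the three private (RFC 1918) ranges the documentation lists, and does not
overlap any of your company networks; if it does, it suggests the first
free /24. The company CIDRs used in main() are constructed sample input.
"""
import argparse
import ipaddress
from typing import Iterable, List, Optional

DEFAULT_DOCKER_CIDR = "10.101.0.0/24"   # the installer's default

# Class A / B / C private ranges from the documentation (RFC 1918).
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def _networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False normalises a host-style entry such as "10.50.1.1/16" to "10.50.0.0/16"
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_private(cidr: str) -> bool:
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in PRIVATE_RANGES)


def overlapping(cidr: str, company_cidrs: Iterable[str]) -> List[str]:
    """Company networks that share at least one address with the candidate."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(c) for c in _networks(company_cidrs) if net.overlaps(c)]


def suggest_free_cidr(company_cidrs: Iterable[str], prefixlen: int = 24) -> Optional[str]:
    """First /prefixlen block of a private range that overlaps no company network."""
    company = _networks(company_cidrs)
    for rng in PRIVATE_RANGES:
        # skip a range entirely if a company network already covers all of it
        if any(rng.subnet_of(c) for c in company if c.version == 4):
            continue
        for candidate in rng.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(c) for c in company):
                return str(candidate)
    return None


def check_docker_cidr(cidr: str, company_cidrs: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the value is safe to use."""
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # e.g. "10.101.0.5/24": host bits set, or not a CIDR at all
        return [f"{cidr!r} is not a network address: {exc}"]
    problems = []
    if not is_private(cidr):
        problems.append(f"{cidr} is not inside a private (RFC 1918) range")
    for c in overlapping(cidr, company_cidrs):
        problems.append(f"{cidr} overlaps company network {c}")
    return problems


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("--docker-network-cidr", default=DEFAULT_DOCKER_CIDR)
    parser.add_argument("--company", action="append", metavar="CIDR",
                        help="a company network; repeat for each one")
    args = parser.parse_args()
    # constructed sample address plan, used only when --company is not given
    company = args.company or ["10.0.0.0/16", "10.101.0.0/24", "192.168.0.0/16"]

    problems = check_docker_cidr(args.docker_network_cidr, company)
    if not problems:
        print(f"{args.docker_network_cidr}: OK")
        return
    for problem in problems:
        print(problem)
    free = suggest_free_cidr(company)
    if free:
        print(f"suggested: pcoip-cmsg-setup install --docker-network-cidr {free}")


if __name__ == "__main__":
    main()
```

With the constructed sample plan, the installer default 10.101.0.0/24 is reported as overlapping and 10.1.0.0/24 is suggested; pass your own `--company` ranges to check a real deployment. The value must be a network address (host bits clear), which is why the check uses `strict=True` for the candidate but normalises the company entries.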