About Tera2 PCoIP Zero Client Security Level Settings
The Discovery Mode setting described in this article is found on the Management page and configures how endpoint managers are discovered by the Tera2 PCoIP Zero Client.
Discovery in this context does not refer to discovery of the Tera2 PCoIP Zero Client by endpoint managers. For instructions on having an endpoint manager discover your Tera2 PCoIP Zero Client, see Endpoint Manager Discovery Methods.
There are three available security level settings in the Tera2 PCoIP Zero Client: low, medium, and high. These settings determine whether the Tera2 PCoIP Zero Client can be discovered by an endpoint manager and how an endpoint manager can be discovered by the Tera2 PCoIP Zero Client. They also dictate whether a certificate must be installed in the Tera2 PCoIP Zero Client for discovery to succeed.
The security level is configured on the Management page of the OSD or AWI (see Configuring Security Level). Detailed instructions for allowing discovery under most scenarios, including security level settings, are described in Endpoint Manager Discovery Methods.
The general implications of each security mode are summarized in the following table and described in detail next.
Tera2 PCoIP Zero Client behavior in low, medium, or high security modes and using automatic or manual discovery modes
| | Low Security: Automatic | Low Security: Manual | Medium Security: Automatic | Medium Security: Manual | High Security: Manual |
|---|---|---|---|---|---|
| Can be discovered by endpoint managers | | | | | |
| Can automatically discover endpoint managers using DNS | | | | | |
| Can trust endpoint managers using DNS | | | | | |
| Can manually connect to endpoint managers | | | | | |
| Can trust endpoint managers using an installed certificate | | | | | |
Low Security Mode
In low security mode, both automatic and manual discovery methods are available. Certificates are not required in automatic manager discovery mode if the DNS server is configured to provision the Tera2 PCoIP Zero Client with the URI of the endpoint manager's bootstrap server and its certificate fingerprint.
In automatic discovery mode:
- The client can use DNS to automatically discover endpoint managers.
- The client is discoverable by endpoint managers.
- The client can use DNS to trust the endpoint manager. DNS must be configured to provision your client with the URI and certificate fingerprint of the endpoint manager’s bootstrap server.
DNS server configuration information
For details about how to configure your DNS server for automatic discovery, see the PCoIP® Management Console 3.1 Administrators’ Guide.
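In automatic discovery at low security, trust rests on the fingerprint that DNS publishes, so it is worth checking that the published value matches the certificate the bootstrap server actually presents. The following is an added example, not Teradici's code: it assumes the TXT record has the form `pcoip-bootstrap-cert=<fingerprint>` with a SHA-256 fingerprint, and the two byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac
import re

# Assumed TXT key name; confirm it against the Management Console guide.
TXT_KEY = "pcoip-bootstrap-cert"


def normalize_fingerprint(text: str) -> str:
    """Return a SHA-256 fingerprint as 64 lowercase hex characters."""
    hex_only = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("not a SHA-256 fingerprint")
    return hex_only


def fingerprint_from_txt(txt_value: str) -> str:
    """Extract the fingerprint from a 'key=value' TXT record string."""
    key, sep, value = txt_value.strip().strip('"').partition("=")
    if not sep or key.strip().lower() != TXT_KEY:
        raise ValueError("TXT record does not carry a bootstrap fingerprint")
    return normalize_fingerprint(value)


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def dns_pin_matches(txt_value: str, der_bytes: bytes) -> bool:
    """True only if DNS publishes the fingerprint of this exact certificate."""
    published = fingerprint_from_txt(txt_value)
    return hmac.compare_digest(published, cert_fingerprint(der_bytes))


def colon_form(hex_fp: str) -> str:
    """Format 64 hex characters as colon-separated upper-case byte pairs."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, 64, 2)).upper()


# Constructed stand-ins for two DER-encoded certificates (not real certificates).
EXPECTED_CERT = b"constructed DER bytes: endpoint manager certificate"
OTHER_CERT = b"constructed DER bytes: some other certificate"
SAMPLE_TXT = f'"{TXT_KEY}={colon_form(cert_fingerprint(EXPECTED_CERT))}"'

if __name__ == "__main__":
    print(dns_pin_matches(SAMPLE_TXT, EXPECTED_CERT))  # certificate DNS points at
    print(dns_pin_matches(SAMPLE_TXT, OTHER_CERT))     # any other certificate
```

A mismatch or a malformed record means the client would be told to trust a certificate other than the one you deployed, which is the case the certificate-based modes described below avoid.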
In manual discovery mode:
- The client must be manually configured with the endpoint manager’s bootstrap server URI.
- The client is not discoverable by endpoint managers.
- The client must have an installed certificate to trust the endpoint manager.
Certificates are installed by an endpoint manager
If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed by the endpoint manager. See Staging Clients Using an Endpoint Manager.
Medium Security Mode
In medium security mode, the Tera2 PCoIP Zero Client cannot be discovered by endpoint managers. The Tera2 PCoIP Zero Client can discover endpoint managers automatically or manually. Certificates are required in medium security mode.
In automatic discovery mode:
- The client can use DNS to automatically discover endpoint managers.
- The client is not discoverable by endpoint managers.
- The client must have an installed certificate to trust the endpoint manager.
Certificates are installed by an endpoint manager
If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See Staging Clients Using an Endpoint Manager.
In manual discovery mode:
- The client is not discoverable by endpoint managers.
- The client must be manually configured with the endpoint manager’s bootstrap server URI.
- The client must have an installed certificate to trust the endpoint manager.
Certificates are installed by an endpoint manager
If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See Staging Clients Using an Endpoint Manager.
High Security Mode
In high security mode, the discovery bootstrap phase is disabled. All settings must be manually configured, and certificates are required:
- The client is not discoverable by endpoint managers.
- The client must be manually configured with the endpoint managers’ internal (and, optionally, external) URI.
- The client must have an installed certificate to trust the endpoint manager.
Certificates are installed by an endpoint manager
If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See Staging Clients Using an Endpoint Manager.
Additional Security Tip
We recommend disabling the AWI interface to reduce the attack surface on the Zero Client. We recommend exclusively using the PCoIP Management Console to configure the Zero Client.