Endpoint Discovery Overview

Before endpoints can be managed by the MC, they must first be discovered. This topic provides an overview of the main steps of the PCoIP endpoint discovery process.

Important: It is strongly recommended that you replace the MC's self-signed certificate with your own MC certificates before configuring a discovery method and before adding endpoints to the MC. See Managing MC Certificates for details.

The following diagram illustrates how endpoints discover an MC.

Note: The MC serves as both the Endpoint Bootstrap Manager (EBM) and the Endpoint Manager (EM). It is possible that other endpoint managers or future releases of the MC may separate these roles.

Figure 4-1: PCoIP Endpoint Discovery Process

Endpoint Discovery Process

The steps outlined in the above illustration are explained below.

Note: The EBM/EM information with which an endpoint must be provisioned before it can be discovered depends on the endpoint's discovery method and security level. You can configure both these options from the endpoint's AWI Configuration > Management page. Please see "PCoIP® Zero Client Configuration Help" (TER1504003) for details. See also Configuring an EM Manually from an Endpoint for instructions on how to manually configure an EM from its AWI Management page.

Step 1: Provisioning Endpoints with EBM/EM Information

The first step is to provision endpoints with the information they need either to connect to the EBM for bootstrapping or to connect directly to the EM. Depending on the endpoint's configured discovery method, this information can be provisioned automatically or it can be manually entered by an administrator.

Discovery Method

For automatic discovery, endpoints are populated, via DHCP vendor-specific options or DNS service and text records, with the IP address or FQDN of the EBM to which they should connect. Optionally, the DHCP or DNS server can also configure endpoints with the EBM certificate's fingerprint (i.e., its digital signature). If the MC certificate fingerprint is provided in the DHCP or DNS record, the endpoint will verify the MC's certificate only by matching the fingerprint. This is intended for use cases where the MC's trusted root CA certificate (the MC chain certificate) is not uploaded to the endpoint or where the MC's certificate does not meet the verification requirement. If a fingerprint is not provisioned, an endpoint without a trusted MC certificate will fail to connect. Automatic discovery is used for low and medium security environments.

For manual discovery, an administrator manually configures each endpoint with the uniform resource identifier (URI) of the EBM (for low and medium security environments) or with the URI of the actual EM (for high security environments).

Security Level

Depending on an endpoint's configured security level, administrators may also need to provision endpoints with an EBM/EM certificate.

Endpoints configured for medium or high security must have a trusted certificate in their certificate store before they can connect to an EBM or EM. For some endpoints, certificates may be pre-loaded by the vendor as a factory default. Otherwise, administrators can manually upload certificates using an endpoint's AWI.

Endpoints that are configured for low security do not need an MC certificate in their trusted certificate stores if either of the following is true:

The following table summarizes the certificate requirement for endpoints based on their discovery method and configured security level.

Table 4-1: Certificate Requirements for Endpoints

| Discovery Method | Low Security | Medium Security | High Security |
|---|---|---|---|
| DHCP/DNS discovery without EBM fingerprint provisioned | certificate required | certificate required | N/A |
| DHCP/DNS discovery with EBM fingerprint provisioned | certificate not required | certificate required | N/A |
| Discovery initiated by an endpoint configured for a high security environment | N/A | N/A | certificate required |
| Manual discovery initiated by the MC | certificate not required | N/A | N/A |

Information about endpoint security levels is summarized below:

Step 2: Entering the Bootstrap Phase

Endpoints that have been provisioned with EBM information enter a bootstrap phase where they evaluate the EBM's certificate fingerprint to determine whether the EBM can be trusted. If the certificate fingerprint match succeeds, the endpoints proceed to the next step.

Note: Endpoints in high security environments that are already configured with EM connection information bypass the EBM bootstrap process and attempt to connect to the EM right away.

Step 3: Receiving EM Information

Next, the EBM provides the IP address and certificate fingerprint of the EM to which the endpoint should connect. The endpoint then disconnects from the EBM and attempts to establish a connection with the EM.

Step 4: Entering the Managed Phase

If EM certificate verification succeeds and the endpoint is able to establish a successful connection with the EM, the EM connection information is saved to the endpoint's permanent storage, and the endpoint enters the managed phase.
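
An added example, not from the original documentation or the MC product: a Python model of the endpoint's trust decisions in Steps 2 to 4 for DHCP/DNS discovery, following the first two rows of Table 4-1. It assumes SHA-256 fingerprints over the DER-encoded certificate and that the EM is checked against the fingerprint received in Step 3; the function names and the byte strings standing in for certificates are constructed.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex (assumed algorithm)."""
    return hashlib.sha256(der).hexdigest()

def fp_matches(provisioned: str, der: bytes) -> bool:
    """Compare a provisioned fingerprint with the presented certificate.

    Accepts 'AA:BB:...' or plain hex; anything malformed fails closed.
    """
    want = provisioned.replace(":", "").replace(" ", "").lower()
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        return False
    return hmac.compare_digest(want, fingerprint(der))

def ebm_trusted(security: str, provisioned_fp, ebm_der: bytes, in_store: bool) -> bool:
    """Bootstrap-phase decision for DHCP/DNS discovery (Table 4-1, rows 1 and 2)."""
    if security == "low" and provisioned_fp is not None:
        return fp_matches(provisioned_fp, ebm_der)  # fingerprint match only
    if security in ("low", "medium"):
        return in_store  # a trusted certificate in the store is required
    return False  # high security: automatic discovery is N/A

def discover(security, provisioned_fp, ebm_der, in_store, em_fp, em_der) -> str:
    """Walk Steps 2 to 4 and return the phase the endpoint ends in."""
    if not ebm_trusted(security, provisioned_fp, ebm_der, in_store):
        return "bootstrap-failed"
    if not fp_matches(em_fp, em_der):  # Step 3 fingerprint checked in Step 4 (assumed)
        return "em-rejected"
    return "managed"

# Constructed stand-ins for DER certificates; real input would be the bytes
# of the certificate each server presents in its TLS handshake.
EBM_CERT = b"constructed-ebm-certificate"
EM_CERT = b"constructed-em-certificate"
ROGUE_CERT = b"constructed-rogue-certificate"

if __name__ == "__main__":
    pinned = fingerprint(EBM_CERT)
    em_fp = fingerprint(EM_CERT)
    print(discover("low", pinned, EBM_CERT, False, em_fp, EM_CERT))
    print(discover("low", pinned, ROGUE_CERT, False, em_fp, EM_CERT))
    print(discover("medium", pinned, EBM_CERT, False, em_fp, EM_CERT))
```

In the low-security fingerprint path the only trust anchor is the DHCP or DNS record that supplied the fingerprint, so the decision is only as reliable as that record.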

Configuring a Discovery Method

See the following topics for information about how to configure an endpoint discovery method: