Administering the PCoIP Security Gateway

This section describes how to start, stop, and configure the PCoIP Security Gateway.

Starting or Stopping the PCoIP Security Gateway

To start, stop, or restart the PCoIP Security Gateway:

service security_gateway start|stop|restart

PCoIP Security Gateway Configuration Settings

The configuration file for the PCoIP Security Gateway is located at /etc/SecurityGateway.conf. To apply changes, restart the PCoIP Security Gateway first, then restart the PCoIP Connection Manager.

| Parameter | Default | Description |
|---|---|---|
| ExternalRoutableIP | | The externally routable IP address of the PCoIP Security Gateway. This is typically set to the static IP address assigned to the PCoIP Connection Manager. Do not set this to a loopback address. |
| LogLevel | 2 | The minimum severity level of messages written to the log. Acceptable values in increasing order of severity are: 0 (TRACE), 1 (DEBUG), 2 (INFO), 3 (WARN), 4 (ERROR). Only messages that are at or above the configured LogLevel severity are logged. For information on log files, see PCoIP Connection Manager and Security Gateway Log Files. |
| LogPath | $TMPDIR or /tmp | Location of PCoIP Security Gateway log files. |
| MaxConnections | 5000 | Maximum number of connections. ulimit -n on Linux needs to be set to slightly more than double this number. |
| SSLCertPath | /opt/Teradici/certs | Location of certificate files used by the PCoIP Security Gateway. |
| SSLCertType | 0 | 0 = Use an external certificate. If not configured, then generate and use a self-signed certificate. 1 = Use an external certificate. 2 = Generate and use a self-signed certificate. |
| SSLLinuxExtCA | CMCertificateCA.pem | SSLLinuxExtCert certificate chain file name. |
| SSLLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with PCoIP clients. |
| SSLLinuxExtCertPhrase | | Passphrase of the private key specified by SSLLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the passphrase to be specified here in plain text. |
| SSLLinuxExtPriv | CMCertificateKey.pem | File name of the SSLLinuxExtCert certificate private key (in base64-encoded PEM format). |
| SSLCipherBlackList | | Lists the TLS cipher suites to be removed from the default list of cipher suites used for establishing a TLS connection to the PCoIP client, the PCoIP server, and the connection manager. The cipher suites are specified by their RFC names and are separated by a colon. See PCoIP Connection Manager Supported TLS Cipher Suites. For example, specifying the "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_128_CBC_SHA" string as the black list removes the specified two cipher suites. |
| TCPControlLinuxExtCA | CMCertificateCA.pem | TCPControlLinuxExtCert certificate chain file name. |
| TCPControlLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with the PCoIP Connection Manager. |
| TCPControlLinuxExtCertPhrase | | Passphrase of the private key specified by TCPControlLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the passphrase to be specified here in plain text. |
| TCPControlLinuxExtPriv | CMCertificateKey.pem | File name of the TCPControlLinuxExtCert certificate private key (in base64-encoded PEM format). |

Note: Security gateway secures connections to control channel

If the TCPControlLinuxExtCA, TCPControlLinuxExtCert, and TCPControlLinuxExtPriv settings are all configured, then the security gateway secures connections to its control channel with TLS. If one or more of these settings are not specified, then the security gateway accepts plain text connections to its control channel. The connection manager uses TLS by default when establishing a connection to the security gateway control channel. For more information, see PCoIP Connection Manager Configuration Settings.
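The conditions the settings descriptions and the note above warn about can be checked before a restart. The following audit script is an added example, not Teradici code. It assumes a `Name = Value` line syntax with `#` comments (the page does not show the file format), treats a setting absent from the file as not specified, and takes the `ulimit -n` value as an argument; `parse_conf` and `audit` are hypothetical names.

```python
import ipaddress

# Constructed sample; the "Name = Value" syntax and "#" comments are assumptions,
# because the page does not show the format of /etc/SecurityGateway.conf.
SAMPLE_CONF = """\
ExternalRoutableIP = 127.0.0.1
MaxConnections = 5000
SSLLinuxExtCertPhrase = example-passphrase
TCPControlLinuxExtCA = CMCertificateCA.pem
TCPControlLinuxExtCert = CMCertificate.pem
"""

CONTROL_TLS_KEYS = ("TCPControlLinuxExtCA", "TCPControlLinuxExtCert", "TCPControlLinuxExtPriv")
PHRASE_KEYS = ("SSLLinuxExtCertPhrase", "TCPControlLinuxExtCertPhrase")

def parse_conf(text):
    """Return {name: value} for every non-comment line that contains '='."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings

def audit(settings, nofile_limit):
    """Return one finding per risky condition named in the settings table."""
    findings = []
    ip = settings.get("ExternalRoutableIP", "")
    try:
        if ipaddress.ip_address(ip).is_loopback:
            findings.append("ExternalRoutableIP is a loopback address")
    except ValueError:
        findings.append("ExternalRoutableIP is missing or not an IP address")
    missing = [k for k in CONTROL_TLS_KEYS if not settings.get(k)]
    if missing:  # any one unset means the control channel is not secured with TLS
        findings.append("control channel accepts plain text; unset: " + ", ".join(missing))
    for key in PHRASE_KEYS:
        if settings.get(key):
            findings.append(key + " stores a private key passphrase in plain text")
    max_conn = int(settings.get("MaxConnections", 5000))
    if nofile_limit <= 2 * max_conn:
        findings.append(f"ulimit -n {nofile_limit} is not above 2 x MaxConnections ({2 * max_conn})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF), nofile_limit=8192):
        print("FINDING:", finding)
```
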

© 2017 Teradici Corporation. All rights reserved. TER1502010/B