Security Cipher Suites¶
The Tera2 PCoIP Zero Client exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP hosts. The various communication phases are described here, together with the set of cipher algorithms available to each phase. The topics include:
- Encrypting Browser Connections
- Encrypting Endpoint Discovery
- Encrypting Endpoint Manager Administration
- Encrypting Pre-Session Communications with VMware Horizon Environments
- Encrypting Pre-Session Communications with PCoIP Connection Managers
- Encrypting PCoIP Session Negotiation with PCoIP Hosts
- In-Session Encryption
Encrypting Browser Connections¶
You can manage Tera2 PCoIP Zero Clients using a browser connection to the AWI. These secure connections require browsers that support Transport Layer Security (TLS) 1.1 or TLS 1.2. Browsers configured to use SSLv3 or TLS 1.0 are not supported.
The following cipher suites are used to secure a browser connection to the AWI:
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Recommended Web Browsers
Recommended web browsers are Firefox, Chrome, Internet Explorer 11, and Edge.
Encrypting Endpoint Discovery¶
Tera2 PCoIP Zero Clients that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests.
When an endpoint discovery request from an endpoint manager is received by the Tera2 PCoIP Zero Client, communications between the endpoint manager and the Tera2 PCoIP Zero Client are established securely using one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Minimum SSL Version
There is a minimum requirement of TLS 1.1.
Encrypting Endpoint Manager Administration¶
Once an endpoint manager discovers a Tera2 PCoIP Zero Client, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and Tera2 PCoIP Zero Clients are secured using one of the following cipher suites:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Minimum SSL Version
There is a minimum requirement of TLS 1.1.
Encrypting Pre-Session Communications with VMware Horizon Environments¶
Before a PCoIP session is negotiated with a PCoIP host in a VMware Horizon environment, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the Tera2 PCoIP Zero Client communicates with a Horizon Connection Server over port 443 using one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
System Configuration Requirements
These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.
Encrypting Pre-Session Communications with PCoIP Connection Managers¶
Before a PCoIP session is negotiated with a PCoIP host using a PCoIP Connection Manager, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the Tera2 PCoIP Zero Client communicates with a PCoIP Connection Manager over port 443 using one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
System Configuration Requirements
These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.
Encrypting PCoIP Session Negotiation with PCoIP Hosts¶
After user authentication and resource selection, PCoIP sessions are negotiated between the Tera2 PCoIP Zero Client and the PCoIP host. These negotiations take place before the PCoIP session is established and are secured with the Max Compatibility or Suite B cipher suites below. The Max Compatibility security level uses these cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Minimum SSL Version
These Max Compatibility security level cipher suites have a minimum requirement of TLS 1.1.
The following Suite B security level cipher suite has a minimum requirement of TLS 1.2, and applies only to Remote Workstation Card connections:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
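The suite lists above are what an administrator verifies against when checking the AWI, a Horizon Connection Server, or a Remote Workstation Card connection. The following added example (not Teradici code; the per-phase lists are transcribed from this page, while the phase keys, the risk rules and the IANA-to-OpenSSL name translation are this example's own assumptions) parses each suite name, flags the properties worth knowing about when a given suite is the one actually negotiated (static RSA key exchange, CBC mode, 3DES), and maps the names to the OpenSSL form that `ssl.SSLSocket.cipher()` and `openssl s_client` report, so a live result can be checked against the list and the minimum version for that phase.

```python
"""Classify the per-phase TLS cipher suites listed on this page and map them
to OpenSSL names so what an endpoint negotiates can be checked against the
expected set. Added example, not Teradici code: suite lists are from the
page; phase keys, risk rules and the name translation are assumptions."""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

# Cipher suites per communication phase, as listed on the page (three of the
# phases shown; the others follow the same pattern).
PHASES = {
    "awi_browser": [
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "horizon_presession": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
    # Suite B level, Remote Workstation Card connections only.
    "suite_b_rwc": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
}
# Minimum protocol version per phase, as stated on the page.
MIN_VERSION = {"awi_browser": "TLSv1.1", "horizon_presession": "TLSv1.1",
               "suite_b_rwc": "TLSv1.2"}
VERSION_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# IANA naming: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5)$")


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # "RSA", "DHE_RSA", "ECDHE_RSA", "ECDHE_ECDSA"
    encryption: str    # "AES_256_GCM", "AES_128_CBC", "3DES_EDE_CBC"
    mac: str           # "SHA", "SHA256", "SHA384"


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return Suite(name, m["kx"], m["enc"], m["mac"])


def findings(suite: Suite) -> list[str]:
    """Properties to flag when this suite is the one actually negotiated."""
    out = []
    if not suite.key_exchange.startswith(("ECDHE", "DHE")):
        out.append("no forward secrecy (static RSA key exchange)")
    if suite.encryption.endswith("CBC"):
        out.append("CBC mode with HMAC rather than AEAD")
    if suite.encryption.startswith("3DES"):
        out.append("3DES: 64-bit block size")
    return out


def openssl_name(suite: Suite) -> str:
    """Assumed IANA-to-OpenSSL translation, covering only the cipher families
    that appear on this page (OpenSSL omits static RSA and the CBC marker)."""
    parts = []
    if suite.key_exchange != "RSA":
        parts.append(suite.key_exchange.replace("_", "-"))
    aes = re.fullmatch(r"AES_(\d+)_(GCM|CBC)", suite.encryption)
    if aes:
        parts.append(f"AES{aes[1]}" + ("-GCM" if aes[2] == "GCM" else ""))
    elif suite.encryption == "3DES_EDE_CBC":
        parts.append("DES-CBC3")
    else:
        raise ValueError(f"no OpenSSL mapping for {suite.encryption}")
    parts.append(suite.mac)
    return "-".join(parts)


def expected_openssl_names(phase: str) -> set[str]:
    return {openssl_name(parse_suite(n)) for n in PHASES[phase]}


def check_negotiated(phase: str, version: str, cipher: str) -> tuple[bool, str]:
    """Validate what ssl.SSLSocket.version() and .cipher()[0] returned."""
    if VERSION_RANK.get(version, -1) < VERSION_RANK[MIN_VERSION[phase]]:
        return False, f"{version} is below the {MIN_VERSION[phase]} minimum for {phase}"
    if cipher not in expected_openssl_names(phase):
        return False, f"{cipher} is not among the suites listed for {phase}"
    return True, "ok"


def probe(host: str, port: int, phase: str) -> tuple[bool, str]:
    """Connect to a live endpoint and validate the negotiated parameters.
    Certificate verification stays at the default (enabled); recent Python
    defaults to a TLS 1.2 minimum, so a TLS 1.1-only endpoint fails to connect."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_negotiated(phase, tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    for phase, names in PHASES.items():
        print(f"== {phase} (minimum {MIN_VERSION[phase]})")
        for n in names:
            s = parse_suite(n)
            print(f"  {n:42} {openssl_name(s):30} {'; '.join(findings(s)) or 'PFS + AEAD'}")
    # Cipher string for `openssl s_client -cipher ...` or SSLContext.set_ciphers()
    print(":".join(sorted(expected_openssl_names("horizon_presession"))))
```

Running the script prints each phase's suites with their OpenSSL names and flags, and a colon-separated cipher string that can be passed to `openssl s_client -cipher` to confirm an endpoint accepts only the listed suites; `probe("connection-server.example", 443, "horizon_presession")` (hostname is a placeholder) applies the same check to a live connection. A TLS 1.3 negotiation is reported as not listed, which is correct for this page, since none of its lists contain TLS 1.3 suites.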
In-Session Encryption¶
Once a PCoIP session has been negotiated and the connection established, Tera2 PCoIP Zero Clients encrypt the session data using the AES-256-GCM encryption algorithm. This algorithm secures all PCoIP communications during an active PCoIP session.