Updating and Reconfiguring the Cloud Access Connector¶
When updating an installed Cloud Access Connector you must download the latest version of the Cloud Access Connector installer. For information on how to download the Cloud Access Connector installer, see here. Once you have downloaded the latest installer run the following command:
cd /usr/sbin
sudo ./cloud-access-connector update
Please note that older installs and updates may still be in the legacy directory at ~/v2connector.
Teradici Distribution System
Teradici is moving to a new distribution system. The URLs to download the Cloud Access Connector installation files are changing. Any automation, scripts or instructions downloading the installer from https://teradici.bintray.com/ should be updated to use the instructions outlined here. The download URL at https://teradici.bintray.com/ is deprecated and will be removed entirely in the near future. You need to ensure that you have a customer account created on help.teradici.com to access the download information.
Latest Installer Version
Ensure that you are using the latest installer prior to installing or upgrading the Cloud Access Connector. See Installing a Cloud Access Connector. If you are not using the latest installer, you may see one of the following errors:
- The installer is out of date. Please obtain the latest version and try again. See https://teradici.com/downloadcac for instructions.
- The installer is out of date. Please download the latest version from https://teradici.bintray.com/cloud-access-connector/cloud-access-connector-0.1.1.tar.gz and try again.
Update options
For a complete list of command flags and options, invoke update with -h to view the help file:
sudo ./cloud-access-connector update -h
The following table outlines the available update options that you can run when reconfiguring the Cloud Access Connector:
| Flag | Type | Description |
|---|---|---|
‑‑enable-mfa |
String | Enable MFA/2FA. |
‑‑radius-server |
String | The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. |
--radius-port |
String | The RADIUS server port. If not specified, the default port (1812) is used. If --radius-server is specifed then this flag is optional. |
‑‑radius‑secret |
String | The shared secret used for configuring RADIUS authentication. If --radius-server is specifed then this flag is required. |
‑‑disable-mfa |
String | Disable MFA/2FA (all RADIUS options are ignored if specified. |
‑‑domain-group |
String | The DN for the AD domain group that manages users and remote workstations in the Management Interface. |
‑‑users-dn |
StringArray | The base DN to search for users within AD. Specify multiple DNs with multiple options. Newly provided base DN(s) will automatically replace previous base DN(s). This field is looking for user's within the user-defined DN and SGs. |
--computers-dn |
StringArray | The base DN to search for computers within AD. Specify multiple DNs with multiple options. Newly provided base DN(s) will automatically replace previous base DN(s). |
--sync-interval |
uint8 | The interval (in minutes) for how often to sync AD users and computers with the CAM Service. |
--self-signed |
String | Automatically generate self-signed SSL cert and key for testing purposes. If specified, --ssl-key and --ssl-cert options are ignored. |
--ssl-key |
String | The full path and filename of the SSL key to use with the CA connector gateway. |
--ssl-cert |
String | The full path and filename of the SSL certificate to use with the CA connector gateway. |
--show-agent-state |
Boolean | Show/hide PCoIP agent state (showing requires retrieve-agent-state to be true). |
--retrieve-agent-state |
Boolean | Enable/disable retrieving PCoIP agent state. |
--domain-controller |
StringArray | Specify a domain controller FQDN to use. May be specified multiple times for more than one DC. |
--external-pcoip-ip |
String | Sets the IPv4 address for the Cloud Access Connector for external connections. If this value is not set it will be determined automatically. An empty string will clear the setting, (i.e. --external-pcoip-ip ''). |
--connector-network-cidr |
String | This is the CIDR to use for the Cloud Access Connector's docker network. The default docker network subnet is 10.101.0.0/16. |
--local-license-server-url |
String | Sets the URL for PCoIP License Server to be used for PCoIP Sessions. If this is not provided, ensure that the Cloud License Server is registered on the PCoIP Agent. Example: --local-license-server-url http://10.10.10.10:7070/request. For more information on the PCoIP License Server, see here. |
--users-filter |
String | The filter to search for users within Active Directory. Specify multiple filters with multiple options. Default user filter: (&(objectCategory=person)(objectClass=user)). |
--computers-filter |
String | The filter to search for computers within Active Directory. Specify multiple filters with multiple options. Default computer filter: (&(primaryGroupID=515)(objectCategory=computer)). |
--add-pool-group |
String | Specifies one or more Active Directory groups, by entering the distinguished name (DN), to be assigned to pools for remote workstation management (eg, --pool-group 'CN=GroupPool1,CN=Users,DC=sample,DC=com' --pool-group 'CN=GroupPool2,CN=Users,DC=sample,DC=com'). By providing all the existing pools groups in the Cloud Access Connector settings would get replaced by the user specified ones. When running this command you need to run it with adconfig. Example: sudo ./cloud-access-connector adconfig --add-pool-group. |
--internal-client-cidr |
String | The CIDR for PCoIP Clients that connect to remote workstations directly. |
--external-client-cidr |
String | The CIDR for PCoIP Clients that connect to remote workstations through the Security Gateway. If external CIDRs settings are set, internal settings must be explicitly set. |
--setup-docker-image |
String | Specifies the docker image to be used from the setup container. This is intended to be used for debugging purposes and is not recommended to be used without guidance from Teradici support. Usage without guidance could result in failed installations. |
--docker-registry |
String | This is an optional flag that enables users to specify the docker image registry that they want to use when installing or updating a Cloud Access Connector. If an option is not specified, the default registry docker.cloudsmith.io/teradici/cloud-access-connector will be used. This is intended to be used for debugging purposes and is not recommended to be used without guidance from Teradici support. Usage without guidance from Teradici could result in failed installations. |
Cloud Access Connector Upgrade and Diagnose Issues
Several previous versions of Cloud Access Connector installers are no longer compatible with our latest infrastucture upgrades. When you run the update or diagnose commands with these older versions you may receive errors such as "Error response from daemon: GET https://docker.cloudsmith.io/......: unauthorized" for example. If this occurs you need to download the latest version of the Cloud Access Connector installer from here.
Enabling MFA While Updating¶
You can enable MFA to the Cloud Access Connector with the --enable-mfa flag when performing an update. You need to have the following information:
- RADIUS server IP address or FQDN.
- RADIUS shared secret for configuring RADIUS authentication.
sudo ./cloud-access-connector update --enable-mfa
If you do not provide the locations of your RADIUS server and RADIUS shared secret, you will be prompted to do so.
Removing MFA While Updating¶
You can disable MFA from the Cloud Access Connector with the --disable-mfa flag when performing an update.
sudo ./cloud-access-connector update --disable-mfa
Updating SSL Certificates¶
Before updating SSL certificates, ensure that you aware of the requirments for creating and updating certificates, see Assigning a Certificate to the Cloud Access Connector. You can update your Cloud Access Connectors SSL certificate and key by running the following command and specifying your SSL certificate and SSL key information:
sudo ./cloud-access-connector update --ssl-cert path/to/cert --ssl-key path/to/key
Certificate format
The SSL certificate must be a PEM file. A CRT formatted file will not work with the update command above.
This command will enable you update your SSL certificate information without having to re-install the Cloud Access Connector. This command also enables you to change your self-signed certificate to a signed certificate.
Domain Controller Certificates
If all DC certificates have expired, the Cloud Access Connector will stop working. An error indicator will display on the Connectors page when a Cloud Access Connector has a DC with expired certificates.
A warning indicator that details the current state of the DC certs will display on the same page when a Cloud Access Connector has a certificate that less than a week away from expiring.