Installing the Connector on RHEL/Rocky Linux
You can configure the firewall, setup the system, download and install the Anyware connector on RHEL/Rocky Linux. If you are currently using Connector on Ubuntu, it is important to read and understand the differences Connector on RHEL/Rocky Linux introduced, To find out the side by side comparison, see Difference between Anyware Connector on Ubuntu and RHEL/Rocky Linux.
The following sections outlines how to download and install the Connector on Rocky Linux and RHEL. There are five main steps involved in this process:
- Adding the Connector repository
- Configuring the SELinux components
- Installing the RPM
- Generating the Connector Token
- Connecting to a Remote Workstation with a PCoIP Client
Prerequisite Steps¶
For instructions and documentation on the Connector prerequisite steps when installing on RHEL/Rocky Linux, see Connector System Requirements. It is important to read and address all the prerequisites outlined.
Before you begin
If you are currently using the Anyware Connector on Ubuntu, it is important to read and understand what the differences are between the Connector on Ubuntu and Connector on RHEL/Rocky Linux so you can prepare the installation correctly to minimize errors during installation.
For more information, see Difference between Anyware Connector on Ubuntu and RHEL/Rocky Linux.
1. Adding the Connector Repository¶
The virtual machine you are adding the repo to must have access to the internet. If it doesn't, you will be unable to download and install the required files.
Checking Existing Repositories for Anyware Connector¶
If the Anyware Connector was installed previously on your virtual machine, there could be existing repos related to it on your system. Run the command below to check all existing repos related to Anyware Connector (Skip this step if Anyware Connector was never installed on your virtual machine).
dnf repolist teradici-anyware-manager*
Check the current Anyware Connector repo to make sure it is the desired repo that you want to use for installation. If there are unwanted repositories on your VM, see Repository Management to remove them.
Adding a Repository¶
To access the scripts and configure the RHEL and Rocky Linux repository, select the Downloads and scripts option here and select the Anyware Connector (RHEL/Rocky Linux) option. Click Downloads and scripts and copy the script to add the Connector repo.
Once you have copied the curl command you need to run it to download the repository.
2. Configuring SELinux Policies¶
The following SELinux policies enable persistent storage and container logging on the Connector. If SELinux policies are not found, data stored in the Connector will be lost when the virtual machine is shut down.
Once configured, and the installation has verified SELinux, all Connector related data will persist when the target machine hosting the Connector is re-booted. To check if selinux
is already installed on your system, run the following command:
sudo dnf list installed | grep anyware-manager-selinux
The output from this command notifies if selinux
is already running on your system. If it is not, then you need to run the following commands to install the SELinux policies:
-
Run the following command to install the SELinux policies and set the basic framework for persistent database and Vault:
sudo dnf install -y selinux-policy-base container-selinux
-
Run the following command to install a specific version of SELinux that has been tested for K3s:
sudo dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el8.noarch.rpm
-
Run the following command to install SELinux from the Anyware Manager repo:
sudo dnf install -y anyware-manager-selinux
3. Installing the Connector RPM¶
Once you have installed and configured the SELinx policies you must install the Connector RPM and configuration files.
Run the following command to install the Connector RPM, the sample configuration files will be generated once the install is done:
sudo dnf install -y anyware-connector
4. Generating a Connector Token¶
You must generate a Connector token using the Admin Console. The steps outlined below must be performed on the target virtual machine.
You need to create or have created a deployment prior to obtaining a token. For information on how to log into the Admin Console, see Admin Console Connection. The following section outlines how to obtain a Connector token using the Admin Console:
- Click Connectors from the console sidebar.
- Click the add connector button (+ sign located beside Connectors heading) to display the connector creation panel.
- Enter the following information:
- Select the deployment you want to add the Connector to. If you do not have an existing deployment you need to create one.
- Enter the name of the Connector.
- Follow the step by step instructions outlined below.
- Click GENERATE.
- Copy the Connector token by click the copy icon.
You can now use this Connector token when prompted during installation.
5. Configuring the Connector-Example Commands¶
The following section provides example configuration commands for configuring the Connector with Anyware Manager and Anyware Manager as a Service. These example commands use flags, but the same parameters can be configured using the configuration files also.
Configuring the Connector for Anyware Manager¶
Once you have installed the Connector RPM, and have generated a Connector token from the Anyware Manager installed in your enterprise network, run the following commands to configure the Connector to work with the Anyware Manager in your enterprise network. The first line for these commands maps the Connector token to a variable in the shell, the ' ' for the string values are not required if there are no special chars in the string.
Minimum Configuration Sample Command for Quick Start¶
The following command with dummy values configures a Connector with minimum flags to work with the Anyware Manager in your enterprise network. Communications with external integrations such as PCoIP clients, Active Directory server, etc are not secure without certificate validation are not secure without certificate validation, this should only be used for testing purpose.
export token=<token from Anyware Manager Admin Console>
/usr/local/bin/anyware-connector configure \
--manager-url 'https://ipv4.Anyware.Manager.Installable' \
--token $token \
--domain 'testlab.internal' \
--accept-policies \
--enable-ad-sync=false \
--ldaps-insecure \
You can use the minimum command for testing or base installation excluding additional configurations. When editing a workstation, you should manually add workstations from the Admin Console and add a user assignment by the user's UPN as the domain users or computers are synced.
The ability to manually add a user assignment by the user's UPN is supported only in Anyware Manager as a Service combined with Anyware Connector RHEL/Rocky Linux 23.06 or later or Ubuntu Connector version 164 or later.
Typical Configuration Sample Command¶
export token=<token from Anyware Manager admin console>
sudo /usr/local/bin/anyware-connector configure \
--manager-url 'https://ipv4.Anyware.Manager.Installable' \
--token $token \
--domain 'testlab.internal' \
--sa-user 'sampleuser' \
--sa-password 'Passwordstring' \
--ldaps-ca-cert '/home/rocky/DC-Cert.pem' \
--computers-dn 'CN=Computers,DC=testlab,DC=internal' \
--users-dn 'CN=Users,DC=testlab,DC=internal' \
--external-pcoip-ip 'public.ipv4.sg.ip' \
--self-signed \
--accept-policies \
--manager-insecure \
--debug
- When you are installing the Connector for Anyware Manager you need to ensure that you enable and specify the
--manager-url
flag. This flag specifies the Anyware Manager URL that the Connector connects to. If it is not specified, it points to https://cas.teradici.com by default. - The
--external-pcoip-ip
flag is highly recommended to explicitly set the public IP that PCoIP Clients connects to during PCoIP sessions. This is the public IP that the Connector is listening to on port 4172. The installer reaches out to cas.teradici.com and try to automatically resolve the external IP; if this fails, or is not able to resolve the correct IP, this flag is required. In the case that the Connector machine does not have an internet connection, for example in a dark site environment, or the ingress and egress internet traffic are running through different public IPs, this flag is required. - The
--manager-insecure
flag is only required when the Connector is connecting to a Anyware Manager that is using self-signed certificates. If Anyware Manager is using trusted TLS certificates signed by a public CA, then this flag isn't required. - The
--manager-ca-cert
flag can be used to provide the PEM formatted public certificate for the root CA used to sign the Anyware Manager certificate. This flag is required when Anyware Manager is using a custom certificate that is not signed by a public CA. - If this is the first Connector installed in the deployment, use
--computers-dn
and/or--users-dn
flags to sync AD objects to Anyware Manager. The additional Connector in the same deployment is able to pull the DN(s) configuration from Anyware Manager without providing these flags. If these flags are not provided the AD sync will sync all objects from the AD to the Anyware Manager. - If
--self-signed
flag is not used, you should use--tls-key
and--tls-cert
flags to provide the full path and filename of the TLS key and PEM formatted TLS certificate to use. - If
--ldaps-ca-cert
flag is not used, you should use either--ldaps-insecure
to skip certificate validation, or--enable-ldap-plaintext
for test purposes.
Ensure that you use the options and flags that best suit your system architecture and requirements. If required values are not provided on the command line, you are prompted for them. For additional flags and options, see Installation Flags and Options.
Additional Configurations for the Anyware Connector¶
Updating the Connector
When updating configurations for Anyware Connector using "Configure" command, it restarts to apply the updated configurations and all the active sessions going through the connector are disconnected. This require users to log in again and reconnect.
Multi-Factor Authentication¶
When you enable MFA for the Connector for RHEL/Rocky Linux, all PCoIP Clients authenticated through the Connector are prompted to enter MFA credentials. Previously, only the external PCoIP Clients were prompted for MFA information.
Multi-Factor Authentication for the Connector
When installing the Connector you can enable multi-factor authentication (MFA) by running the ‑‑enable‑mfa
flag. MFA is disabled by default. If you want MFA to only apply to external connections, you should have separate Connectors. One Connector should be for external connections, where MFA is enabled, and one for internal or direct connections, where MFA is disabled. For steps on how to install the Connector with MFA bypassed for internal connections, see Installing the Connector for Internal Connections. For steps on how to install the external Connector, see Installing the Connector for External Connections.
Ensure that you use the options and flags that best suit your system architecture and requirements. If required values are not provided on the command line, you will be prompted for them. For additional flags and options, see Installation Flags and Options.
Installing the Connector for Internal Connections¶
The following steps outline how to install the Connector for internal connections to bypass MFA:
- Prepare a virtual machine in your private network that meets the system requirements with the following sub-steps:
- Skip the step for preparing the system for external access.
- Skip the step for setting up MFA.
- Install the Connector with the following sub-steps:
- If you don't have external users, then you could disable security gateway by passing
--enable-security-gateway=false
, otherwise it's set to true enabled by default. - Do not set the Public IP using the
--external-pcoip-ip
flag. The Connector will instead return the virtual machines IP address. - No MFA flag is required as MFA is disabled by default.
- If you don't have external users, then you could disable security gateway by passing
- Once you have installed the Connector connect to a remote workstation with a PCoIP Software Client with the following sub-step:
- In the Host Address or Code field enter the private IP of the internal Connector you just installed and log-in.
Installing the Connector for External Connections¶
The following steps outline how to install the Connector for external connections:
- Prepare a virtual machine in your private network that meets the system requirements with the following sub-steps:
- Skip the step for preparing the system for internal access.
- Install the Connector with the following sub-steps:
- Set the Public IP using the
--external-pcoip-ip
flag.
- Set the Public IP using the
- Once you have installed the Connector, connect to a remote workstation with a PCoIP Software Client with the following sub-step:
- In the Host Address or Code field enter the IP address or DNS name of the external Connector you just installed and log-in.
Updating CIDR for Connector Cluster¶
The default CIDR for Connector Cluster are as follows:
- 10.42.0.0/16 cluster CIDR
- 10.43.0.0/16 Service CIDR
- 10.43.0.10 Cluster DNS
If the default CIDRs conflict with your internal network, use the following flags to update the cluster with different CIDR.
To update, run the following command:
sudo anyware-connector configure --cluster-cidr <IP Address> --service-cidr <IP Address> --cluster-dns <IP Address>
Example Command with dummy values:
sudo anyware-connector configure --cluster-cidr 192.168.10.0/24 --service-cidr 172.16.0.0/16 --cluster-dns 172.16.0.10
Installation Flags and Options¶
For detailed information on the installation flags and the configuration file parameters that you can pass during installation, see the table outlined below:
Groups of flags
The flags are here categorized by their configuration groups:
States for Boolean Flags
The state of all the Boolean Flags is interpreted as follows: "--boolean-flag" means "true". "--boolean-flag=true" means "true". "--boolean-flag=false" means "false". "--boolean-flag anytext" uses default as "true".
Anyware Manager
Configuration File Parameter | Flag | Description |
---|---|---|
caCertPath | --manager-ca-cert |
Enables users to supply a CA certificate for Anyware Manager to enable the Connector to trust the certificate in order to connect to the Anyware Manager instance. |
insecure | --manager-insecure |
This flag is required when the Connector is connecting to a Anyware Manager instance that is using self-signed certificates, and you want to turn off the verification of the certificate. |
url | --manager-url |
This flag is required for Anyware Manager, Specifies the Anyware Manager URL that the Connector connects to. If this is not specified it points to https://cas.teradici.com by default, which is the URL for Anyware Manager as a Service. |
--pull-connector-config |
Boolean | This flag gets the Connector configuration from the Anyware Manager. |
--push-connector-config |
Boolean | This flag saves the Connector configuration into the Anyware Manager. |
PCoIP Software Client Flags
Configuration File Parameter | Flag | Description |
---|---|---|
showAgentState | --show-agent-state |
This flag controls if the agent state is displayed as part of the remote workstation name in the PCoIP Client. The default value for this flag is true. Setting the value of this flag to true and the --retrieve-agent-state flag to false results in no agent state displaying. A boolean parameter. |
retrieveAgentState | --retrieve-agent-state |
Enables the broker to retrieve the agent state for unmanaged and managed remote workstations. The default value for this flag is false. The available states are In Session, Ready, Starting, Stopping, Stopped and Unknown. The value of this flag can either be true or false. A boolean parameter. |
ip | --external-pcoip-ip |
Sets the public IP for PCoIP Client to PCoIP Agent connection. This is the public IP that the Connector is listening to on port 4172. The installer reaches out to cas.teradici.com and try to automatically resolve the external IP; if this fails, the --external-pcoip-ip flag is required. In the case that the Connector machine doesn't have an internet connection, for example in a dark site environment, or the ingress and egress internet traffic are running through different public IPs, this flag is required. For more information on external network access, see Enabling External Network Access. A string parameter. |
Connector
Configuration File Parameter | Flag | Description |
---|---|---|
acceptPolicies | --accept-policies |
Automatically accept the EULA and Privacy Policy. |
token | --token(-t) |
Required. The token generated from Anyware Manager for Connector to create a service account to connect to Anyware Manager. |
licenseServerUrl | --local-license-server-url |
Lets the URL for PCoIP License Server to be used for PCoIP Sessions. If this is not provided, ensure that the Cloud License Server is registered on the PCoIP Agent. Example: --local-license-server-url http://10.10.10.10:7070/request. For more information on the PCoIP License Server, see PCoIP License Server. A string parameter. |
enableSecurityGateway | --enable-security-gateway |
By default the security gateway for external traffic is set to true. For internal traffic disable this feature using the --enable-security-gateway=false flag. |
Connector/Diagnosis
Configuration File Parameter | Flag | Description |
---|---|---|
anywareConnectorDiagnose | --diagnose |
This flag executes the diagnostic checks for Anyware Connector. |
anywareConnectorHealth | --health |
This flag generates reports for Anyware Connector's health status. |
maintenanceModeOn | --diagnose --maintenance-mode on |
This mode sets the Connector in maintenance mode and no new sessions are accepted. |
maintenanceModeOff | --diagnose --maintenance-mode off |
This flag turns off the Connector maintenance mode and new sessions are accepted. |
Connector/certificates
Configuration File Parameter | Flag | Description |
---|---|---|
selfSigned | --self-signed |
This mode is not secure and intended for testing only. PCoIP client will receive a untrusted warning when connecting to the Connector. The previous --insure flag is still supported |
keyPath | --tls-key |
The full path and filename of the TLS key to use. The --self-signed flag overrides this flag.A string parameter. |
certPath | --tls-cert |
The full path and filename of the TLS certificate (in PEM format) to use. The --self-signed flag overrides this flag.A string parameter. |
trustCustomerLicenseCert | --trust-customer-license-cert |
Trusted customer license certificate path. |
trustCustomerLicenseKey | --trust-customer-license-key |
Trusted customer license key path. |
Connector/multifactorAuthentication
Configuration File Parameter | Flag | Description |
---|---|---|
enable | --enable-mfa |
This flag can be used if you wish to enable multi-factor authentication. Multi-factor authentication will be enabled for all connections, both internal and external. Internal users will be required to enter the multi-factor authentication code for the Connector when connecting to the PCoIP Client. It is recommended to install separate Connectors for internal vs external connections. A boolean parameter. |
port | --radius-port |
This is the RADIUS server port. If not specified, the default port (1812) is used. If --radius-server is specified, then this flag is optional. A string parameter. |
server | --radius-server |
The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. A string parameter. |
sharedSecret | --radius-secret |
The shared secret used for configuring RADIUS authentication. If --radius-server is specified then this flag is required. A string parameter. |
deployment/domain/DomainName
Configuration File Parameter | Flag | Description |
---|---|---|
name | --domain |
The AD domain that the remote workstations will join. A string parameter. |
deployment/domain/domainControllers
Configuration File Parameter | Flag | Description |
---|---|---|
domainControllers | --domain-controller |
This flag specifies one or more domain controllers to use with the Connector. To specify multiple domain controllers use the following format: --domain-controller dc1.domain.com , --domain-controller dc2.domain.com , --domain-controller dc3.domain.com . A string parameter. |
deployment/domain/serviceAccount
Configuration File Parameter | Flag | Description |
---|---|---|
userName | --sa-user |
The AD service account username. A string parameter. |
password | --sa-password |
The AD service account password. A string parameter. |
deployment/domain/adSynch
Configuration File Parameter | Flag | Description |
---|---|---|
computerDns | --computers-dn |
The base DN to search for computers within AD for AD sync. Can specify multiple DNs with multiple options. See the differences between the Connectors at the top of this page for details. Newly provided base DN(s) will automatically replace previous base DN(s). |
computerFilters | --computers-filter |
The filter to search for computers within Active Directory. Specify multiple filters with multiple options. Default computer filter: (&(primaryGroupID=515)(objectCategory=computer)). A string parameter. |
usersDns | --users-dn |
The base DN to search for users within AD. Specify multiple DNs with multiple options. Newly provided base DN(s) will automatically replace previous base DN(s). The base DN to search for computers within the AD for AD sync. You can specify multiple DNs with multiple options. See the table above on the differences between the Connectors for more information. Newly provided base DN(s) automatically replaces previous base DN(s). A string array parameter. |
usersFilters | --users-filter |
The filter to search for users within Active Directory. Specify multiple filters with multiple options. Default user filter: (&(objectCategory=person)(objectClass=user)). A string parameter. |
interval | --sync-interval |
The interval (in minutes) for how often to sync AD users and computers with the Anyware Service. A uint8 parameter. |
adSync | --enable-ad-sync |
Enable Active Directory synchronisation. A boolean value (Default=True). |
deployment/domain
Configuration File Parameter | Flag | Description |
---|---|---|
caCertPath | --ldaps-ca-cert |
To supply a CA certificate for the connection to AD over LDAPS. A string parameter. |
insecure | --ldaps-insecure |
Skip certificate validation when connecting to the Active Directory using LDAPS. This option should only be used when connecting to the Active Directory deployed with self signed certificates. This will be ignore if a CA cert is provided. |
enableLdapMode | --enable-plaintext-ldap |
Connections to Active Directory will be made using plaintext LDAP instead of encrypted LDAPS. This is meant only for testing, do NOT use it in production. |
poolGroups | --pool-group |
Specifies one or more Active Directory groups, by entering the distinguished name (DN), to be assigned to pools for remote workstation management (eg, --pool-group 'CN=GroupPool1,CN=Users,DC=sample,DC=com' --pool-group 'CN=GroupPool2,CN=Users,DC=sample,DC=com'). A string parameter. |
N/A | --preferred-name |
This is an optional flag to determine if the hostname or machine name should be displayed to identify the remote workstations, the default is set to display machine name. |
Federated Authentication
Configuration File Parameter | Flag | Description |
---|---|---|
--enable-oauth |
Boolean | Enables Oauth authentication. (Default=False) |
--id-provider-url |
String | Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.okta.com . This flag is required if --enable-oauth is true . |
--oauth-client-id |
String | Gets the Client ID from the Identity Provider. This flag is required if --enable-oauth is true . |
--fa-url |
String | The Federated Auth Broker URL. for example https://cac-vm-fqdn:port |
--oauth-flow-code |
String | Specify the oauth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"). "OAUTH_FLOW_CODE_WITH_PKCE" is the only supported oauth flow for now |
--enable-entitlements-by-upn |
Boolean | Enables/Disables searching entitlements by UPN. This flag is required to be true, if --enable-oauth is true . |
Federated Authentication With Single Sign-On
Configuration File Parameter | Flag | Description |
---|---|---|
--sso-signing-csr-ca |
String | Path to copy intermediate CA Certificate. |
--sso-signing-csr-key |
String | Path to the intermediate key. |
--sso-signing-crl |
String | Path to a certificate revocation list. |
--sso-enrollment-url |
String | Gets the URL to the Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-domain |
String | Domain of the user to access Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-username |
String | Username for accessing Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-password |
String | Password for the username to access Active Directory Certification Authority Web Enrollment Service. |
--sso-enrollment-certificate-template-name |
String | Name of the certificate template that Active Directory Certificate Services (AD CS) uses to sig CSR. |
These configuration parameters are only applicable for the Connector on RHEL/Rocky Linux.
Troubleshooting the Connector
If you encounter issues when attempting to install the Connector, please see the Troubleshooting section for information on how to potentially diagnose the specific issue. You can also view the following KB article here which provides a list of troubleshooting steps for common issues related to installing the Connector. For information on installer errors related to a change in the distribution system, see Installer Issues.
6. Connecting to a Remote Workstation with a PCoIP Client¶
After successfully installing a Connector, you can initiate a session to connect to a remote workstation with a PCoIP Software Client. We enable customers to use multi-factor authentication for these PCoIP Client sessions. The following steps outline how to connect to a remote workstation using the PCoIP Software Client:
- Double-click the PCoIP Client desktop icon or program file PCoIPClient to launch the application.
- In the Host Address or Code field, enter one of the following:
- For direct connections, provide the address of the host machine.
- For managed connections, provide the address of the connection manager.
- Click NEXT.
- Select your domain and enter the credentials for the remote workstation. If you have enabled MFA then you will be prompted for the 2nd factor passcode. The method of how this passcode is communicated depends on the provider you used. It is usually either a One Time Password or push notification.
- Click LOGIN.
- If your login is successful you should be able to select the remote workstation and connect to it. Please note that if you have a single remote workstation, that remote workstation is automatically selected and the connection is initiated immeadiately. In this case you will not be presented with a remote workstation selection screen.
For more information about the PCoIP Software Client, please see the following PCoIP Software Client guides: