CAS Manager 22.04
CAS Manager is a Teradici management plane that lets users configure, manage and monitor the brokering of remote workstations. It enables highly scalable and cost-effective Cloud Access Software deployments by managing cloud compute costs and brokering PCoIP connections to remote workstations. See Cloud Access Software for supported hosts.
CAS Manager is offered in two variants: as a Teradici-managed service, and as an installable instance deployed and managed by users in their own on-premises or cloud environments.
This document covers the installable instance variant of CAS Manager.
For information on CAS Manager as a Service, see CAS Manager as a Service.
Where Do I Begin?
CAS Manager is a collection of microservices, and each microservice operates from its own docker container. These container images are deployed on a local lightweight Kubernetes (k3s) cluster, on a virtual machine. This cluster is set up on the virtual machine as part of the installation.
Before you begin installing CAS Manager, it is important to understand which other components CAS Manager requires to enable end-to-end brokering:
- CAS Manager
- Hashicorp Vault/Azure Key Vault
- Cloud Access Connector
- Teradici PCoIP Registration Key
- Teradici PCoIP Client
- Teradici PCoIP Agent
MongoDB is the local data store that hosts all CAS Manager information, configurations and settings.
Hashicorp Vault is the secret storage where CAS Manager can store and encrypt all the secrets and keys.
Azure Key Vault is the cloud service from Microsoft that enables the secure storage of, and access to, secrets.
Cloud Access Connector is an access hub that facilitates PCoIP connections to remote desktops and workstations by providing user authentication, entitlement and security gateway services. Later in this document it will be referred to as the "Connector". It is installed on a separate VM that resides in your environment. Based on your requirements, you may need more than a single Connector. Please ensure you have read all the installation guidelines and prerequisites in the Connector section.
Where Do I Install CAS Manager?
The following architectural diagrams show where CAS Manager can be installed in different infrastructures: the public cloud, on-premises, or a hybrid deployment.
Please pay close attention to the number of Connectors required based on your setup, and the ports you may need to configure to allow PCoIP traffic (pre-session and in-session). These ports are outlined in the Ports and Connections table.
Public Cloud Deployment
The following diagram illustrates a public cloud deployment with CAS Manager.
The following diagram illustrates a hybrid deployment where CAS Manager is deployed in the Public Cloud.
The following diagram illustrates an on-premises deployment with CAS Manager.
Ports and Connections
CAS Manager requires certain ports to be open to enable connections to the other components, such as the Connector, MongoDB and Vault. For a detailed breakdown of the ports and connection descriptions for the Connector, see Firewall and Load Balancing Considerations.
The following table outlines the required ports and connections for CAS Manager:
|Component|Direction|Port|Source/Destination|Description|
|---|---|---|---|---|
|CAS Manager|Inbound|443/TCP|From administrative web browsers, HTTP request clients and Connector.|To enable access to CAS Manager.|
|CAS Manager|Outbound|443/TCP|To the public license server.|Validates the CAS registration code.|
|CAS Manager|Outbound|8200/TCP|To external Vault.|Stores CAS Manager secrets.|
|CAS Manager|Outbound|27017/TCP|To external MongoDB.|Stores CAS Manager data.|
|CAS Manager|Outbound|636/TCP|To Domain Controller.|Authenticates users to CAS Manager.|
|CAS Manager|Outbound|53/UDP|To DNS.|Domain name resolution.|
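The table above can be used as an allow-list when reviewing the firewall rules of the CAS Manager host. The following is an added example, not part of the original documentation or of Teradici's tooling: the rule format, the `audit` function, the sample rules and the choice to flag any-address peers on the Vault, MongoDB and Domain Controller ports are all assumptions of this sketch.

```python
import ipaddress

# Required flows, copied from the Ports and Connections table above.
REQUIRED = {
    ("inbound", "tcp", 443): "admin browsers, HTTP clients, Connector",
    ("outbound", "tcp", 443): "public license server",
    ("outbound", "tcp", 8200): "external Vault",
    ("outbound", "tcp", 27017): "external MongoDB",
    ("outbound", "tcp", 636): "Domain Controller",
    ("outbound", "udp", 53): "DNS",
}
# Assumption of this example: these peers are hosts you operate, so a rule
# for them should name a specific network rather than any address.
PRIVATE_PEER_PORTS = {8200, 27017, 636}


def audit(rules):
    """Return (missing, findings); a rule has direction, proto, ports=(low, high), peer=CIDR."""
    missing, findings = [], []
    for (direction, proto, port), purpose in REQUIRED.items():
        if not any(r["direction"] == direction and r["proto"] == proto
                   and r["ports"][0] <= port <= r["ports"][1] for r in rules):
            missing.append(f"{direction} {port}/{proto} ({purpose})")
    for r in rules:
        low, high = r["ports"]
        needed = {p for (d, pr, p) in REQUIRED
                  if d == r["direction"] and pr == r["proto"] and low <= p <= high}
        label = f"{r['direction']} {low}-{high}/{r['proto']} {r['peer']}"
        if high - low + 1 > len(needed):
            findings.append(f"{label}: opens ports the table does not list")
        any_peer = ipaddress.ip_network(r["peer"]).prefixlen == 0
        if any_peer and r["direction"] == "outbound" and needed & PRIVATE_PEER_PORTS:
            findings.append(f"{label}: peer should be a specific network")
    return missing, findings


# Constructed sample rule set (not from the original page).
SAMPLE_RULES = [
    {"direction": "inbound", "proto": "tcp", "ports": (443, 443), "peer": "0.0.0.0/0"},
    {"direction": "outbound", "proto": "tcp", "ports": (443, 443), "peer": "0.0.0.0/0"},
    {"direction": "outbound", "proto": "tcp", "ports": (8200, 8200), "peer": "0.0.0.0/0"},
    {"direction": "outbound", "proto": "tcp", "ports": (27000, 27999), "peer": "10.0.2.0/24"},
    {"direction": "outbound", "proto": "udp", "ports": (53, 53), "peer": "10.0.0.2/32"},
]

if __name__ == "__main__":
    missing, findings = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("findings:", findings)
```

On the sample rules it reports the missing LDAPS flow to the Domain Controller, the Vault rule open to any address, and the MongoDB rule that opens a 1000-port range for a single required port.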
What Deployment Topology Can I Use?
CAS Manager is flexible and can be deployed on a single host or across multiple hosts, depending on your organization's network environment and operational requirements. The possible deployment topologies are outlined below. Connectors are not included in these diagrams; they are deployed separately on additional hosts.
Single Host Deployment
In this deployment configuration, CAS Manager, MongoDB and the Vault server all run on a single host, which can be a virtual machine on any cloud or on-premises. Use it for getting started with CAS Manager, for initial prototyping, or for smaller scale production deployments. If you use this configuration in a production environment, you must ensure there is a backup and restore process in place. This is necessary to minimize the loss of data and to minimize downtime.
For information on installing CAS Manager as part of a single host deployment, see Installing CAS Manager - Default Configuration.
Two/Three Host Deployment
In this deployment configuration, CAS Manager, MongoDB and the Vault server run on separate hosts. Hosting the database and secret storage on a separate machine reduces the risk of data loss if the CAS Manager server fails. This configuration enables high availability and scalability for CAS Manager by deploying multiple instances of CAS Manager. This configuration has the following limitations:
- With only one instance of MongoDB and Vault deployed, high-availability is not available to the data persistence layer, and a backup and restore process must be in place for the server hosting MongoDB and Vault to minimize data loss.
- You can configure this deployment on virtual machines hosted on-premises or on any cloud.
- This configuration requires a certain level of technical knowledge around MongoDB and Vault to properly deploy and operate these external components. For detailed deployment instructions on installing and configuring MongoDB and Vault in a single virtual machine to be used by CAS Manager, see the following KB article.
For information on installing CAS Manager as part of a two/three host deployment, see Installing CAS Manager - External Configuration.
Five or more Hosts Deployment
This deployment configuration provides high availability for both CAS Manager and the MongoDB and Vault servers, which are on separate hosts. In this configuration, two or more CAS Manager instances provide high availability using a load balancer. The hosts that contain the MongoDB and Vault servers provide basic high availability for data persistence, with a failure tolerance of 1. This configuration requires the following working knowledge:
- This is a complex environment and requires you to have working knowledge of installing, configuring and operating the MongoDB and Vault server services in a high-availability setup. Visit MongoDB and Hashicorp Vault official documentation sites for detailed instructions on how to carry out these steps.
For information on installing CAS Manager as part of a five or more host deployment, see Installing CAS Manager - External Configuration.
How Do I Install CAS Manager?
You need to set up and install a dedicated virtual machine to host CAS Manager. This virtual machine needs to meet certain system requirements, which are outlined in the sections below. If you are using an external MongoDB and secret storage, you need to prepare these components before installing CAS Manager, and then configure them afterwards. The available configurations are outlined below.
Once you have installed CAS Manager using either of the configurations below, you need to install the Connector. This should take roughly 1 hour to complete.
Using a Default Database and Secret Storage
This is the default installation of CAS Manager where an instance of MongoDB and Vault is deployed as part of the installation. Installation of these components is seamlessly built into the CAS Manager installer. This configuration does not scale beyond a single CAS Manager instance and does not support high availability. For more information on this configuration, see Installing CAS Manager - Default Configuration.
Installing CAS Manager with the default database and secret storage should take roughly 45 minutes to complete. It should take a further 1 hour to install the Connector.
Using an External Database and Secret Storage
With CAS Manager you can prepare and install your own instances of MongoDB and Vault, or you can use an Azure Key Vault service, on a different virtual machine, by following the guidelines in the installation section. This enables you to upgrade or re-install CAS Manager, and makes a high-availability service available. For more information on this configuration, see Installing CAS Manager - External Database and Secret Storage Configuration.
Installing CAS Manager with an external database and secret storage should take roughly 2 hours to complete. It should take a further 1 hour to install the Connector.