Upgrading the Connector on Ubuntu
When updating an installed Connector you must download the latest version of the Connector installer. For information on how to download the Connector installer, see Installing the Connector. All parameters persist from installation using pre-defined configurations and do not need to be updated unless new configurations are required. For more information on this please see the Persistent Parameters section below.
Once you have downloaded the latest installer, run the update command:
cd /usr/sbin
sudo cloud-access-connector update
Internal IP Address
As part of the update command the Connector will send its internal IP address to Anyware Manager. Previously, this only occured during installation.
Latest Installer Version
Ensure that you are using the latest installer prior to installing or upgrading the Connector. If you are not using the latest installer, you may see one of the following errors or warnings:
- The installer is out of date. Please obtain the latest version and try again. See Downloading the Connector for instructions.
- The installer is out of date. Please download the latest version from teradici.bintray.com/cloud-access-connector/cloud-access-connector-0.1.1.tar.gz and try again.
- A newer version is available. Please go to Downloading the Connector to obtain the latest.
For information on troubleshooting Connector installer issues related to this distribution change, see Installer Issues.
Persistent Parameters¶
Parameters can persist from installation through an update using the pre-defined configurations. As part of the update command, the Connector will search and read from the existing configuration and use the pre-existing information as part of the update.
If you wish to update any parameters with new information as part of the update, you can add these parameters when you are running the update command, for example, if you wanted to update the domain controller you would run the following command:
cd /usr/sbin
sudo cloud-access-connector update --domain-controller mydomain.com
If you do not add domain controllers during the update, any domain controllers that have been previously saved in the configuration will be used. If there are no domain controllers saved, the system will do an auto-discovery to find which domain controllers could be used.
Expired User Credentials
Be aware that you have a --sa-user or --sa-password that are expired and you do not add the new credentials to the update, then the update will fail. Please ensure these credentials are valid when performing an update of the Connector.
Installation Flags and Options¶
The following flags can be used to provide values at the command line. If they are omitted from the command and are required, you will be prompted for them:
| Flag | Type | Description |
|---|---|---|
| Anyware Manager | ||
--manager-url |
String | Required for Anyware Manager, Specifies the Anyware Manager URL that the Connector connects to. If this is not specified it will point to https://cas.teradici.com by default, which is the URL for Anyware Manager as a Service. |
--manager-ca-cert |
String | Enables users to supply a CA certificate for Anyware Manager to enable the Connector to connect to a Anyware Manager instance using self-signed certificates. |
--manager-insecure |
String | Is required when the Connector is connecting to a Anyware Manager instance that is using self-signed certificates. If Anyware Manager is using trusted TLS certificates signed by a public CA, then users will not need to use the this command. |
--ldaps-ca-cert |
String | Enables users to supply a CA certificate for the connection to Active Directory over LDAPS. |
‑‑self-signed |
String | Installs the Connector with self-signed certificates. This mode is not secure and is intended for testing. The --insecure flag is still supported. |
| Connector | ||
--token (-t) |
String | Required. The token generated for Anyware Manager. |
‑‑accept‑policies |
— | Automatically accept the EULA and Privacy Policy. |
--force-install |
String | Replaces any existing Connector installation. |
--debug |
String | This flag can be run if you initial install of the Connector fails. It provides a detailed output of the Connector installation. This is useful for self-troubleshooting or to provide to the HP support team when logging a support ticket. |
--local-license-server-url |
String | Sets the URL for PCoIP License Server to be used for PCoIP Sessions. If this is not provided, ensure that the Cloud License Server is registered on the PCoIP Agent. Example: --local-license-server-url http://10.10.10.10:7070/request. For more information on the PCoIP License Server, see PCoIP License Server. |
--add-pool-group |
String | Specifies one or more Active Directory groups, by entering the distinguished name (DN), to be assigned to pools for remote workstation management (eg, --pool-group 'CN=GroupPool1,CN=Users,DC=sample,DC=com' --pool-group 'CN=GroupPool2,CN=Users,DC=sample,DC=com'). By providing all the existing pools groups in the Connector settings would get replaced by the user specified ones. When running this command you need to run it with adconfig. Example: sudo ./cloud-access-connector adconfig --add-pool-group. |
--setup-docker-image |
String | Specifies the docker image to be used from the setup container. This is intended to be used for debugging purposes and is not recommended to be used without guidance from HP support. Usage without guidance could result in failed installations. |
--docker-registry |
String | This is an optional flag that enables users to specify the docker image registry that they want to use when installing or updating a Connector. If an option is not specified, the default registry docker.cloudsmith.io/teradici/cloud-access-connector will be used. This is intended to be used for debugging purposes and is not recommended to be used without guidance from HP support. Usage without guidance from us could result in failed installations. |
--prune-image |
Boolean | Removes all unused docker images on this machine to reclaim more disk space. Warning: This command will remove all unused images under Connector and other services, if any. This is equivalent to the docker image prune command. |
| Firewall | ||
--https-proxy |
String | Specify the URL for a HTTPS proxy (overrides related proxy settings in environment variables) |
--connector-network-cidr |
String | This is the CIDR to use for the Connector's docker network. The default docker network subnet is 10.101.0.0/16. |
--internal-client-cidr |
String | The CIDR for PCoIP Clients that connect to remote workstations directly. It is possible to specify multiple --internal-client-cidr networks. |
--external-client-cidr |
String | The CIDR for PCoIP Clients that connect to remote workstations through the Security Gateway. If external CIDRs settings are set, internal settings must be explicitly set. It is possible to specify multiple --external-client-cidr networks. |
| PCoIP Software Client | ||
--retrieve-agent-state |
Boolean | Enables the broker to retrieve the agent state for unmanaged and managed remote workstations. The default value for this flag is false. The available states are In Session, Ready, Starting, Stopping, Stopped and Unknown. The value of this flag can either be true or false. |
--show-agent-state |
Boolean | Controls if the agent state is displayed as part of the remote workstation name in the PCoIP Client. The default value for this flag is true. Setting the value of this flag to true and the --retrieve-agent-state flag to false will result in no agent state displaying. |
--external-pcoip-ip |
String | Sets the public IP for PCoIP Client to PCoIP Agent connection. This is the public IP that the Connector is listening to on port 4172. The installer will reach out to cas.teradici.com and first try to automatically resolve the external IP; if this fails, or is not able to resolve the correct IP, this flag is required. In the case that the Connector machine doesn't have an internet connection, for example in a dark site environment, or the ingress and egress internet traffic are running through different public IPs, this flag is required. For more information on external network access, see Enabling External Network Access. |
| Domain | ||
‑‑domain |
String | The AD domain that remote workstations will join. |
‑‑sa‑user |
String | The Active Directory service account username. |
‑‑sa‑password |
String | The Active Directory service account password. |
--domain-controller |
String | Specifies one or more domain controllers to use with the Connector. |
--users-filter |
String | The filter to search for users within Active Directory. Specify multiple filters with multiple options. Default user filter: (&(objectCategory=person)(objectClass=user)). |
--computers-filter |
String | The filter to search for computers within Active Directory. Specify multiple filters with multiple options. Default computer filter: (&(primaryGroupID=515)(objectCategory=computer)). |
‑‑users-dn |
StringArray | The base DN to search for users within AD. Specify multiple DNs with multiple options. Newly provided base DN(s) will automatically replace previous base DN(s). This field is looking for user's within the user-defined DN and SGs. |
--computers-dn |
StringArray | The base DN to search for computers within AD. Specify multiple DNs with multiple options. Newly provided base DN(s) will automatically replace previous base DN(s). |
--sync-interval |
uint8 | The interval (in minutes) for how often to sync AD users and computers with the AWM Service. |
| MFA | ||
‑‑enable‑mfa |
String | Installs with multi-factor authentication enabled. |
‑‑radius‑server |
String | The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. |
‑‑radius‑port |
String | The RADIUS server port. If not specified, the default port (1812) is used. If --radius-server is specifed then this flag is optional. |
‑‑radius‑secret |
String | The shared secret used for configuring RADIUS authentication. If --radius-server is specifed then this flag is required. |
| Certificates | ||
‑‑ssl‑key |
String | The full path and filename of the SSL key to use. The --self-signed flag overrides this flag. |
‑‑ssl‑cert |
String | The full path and filename of the SSL certificate (in PEM format) to use. The --self-signed flag overrides this flag. |
| Federated Authentication | ||
--enable-oauth |
Boolean | Enables Oauth authentication. (Default=False) |
--id-provider-url |
String | Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.okta.com. This flag is required if --enable-oauth is true. |
--oauth-client-id |
String | Gets the Client ID from the Identity Provider. This flag is required if --enable-oauth is true. |
--fa-url |
String | The Federated Auth Broker URL. for example https://cac-vm-fqdn:port |
--oauth-flow-code |
String | Specify the oauth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"). "OAUTH_FLOW_CODE_WITH_PKCE" is the only supported oauth flow for now |
--enable-entitlements-by-upn |
Boolean | Enables/Disables searching entitlements by UPN. This flag is not required for the Anyware Connector. It is supported for the Connector on Ubuntu for versions 164 or below. |
Connector Upgrade and Diagnose Issues
Several previous versions of Connector installers are no longer compatible with our latest infrastucture upgrades. When you run the update or diagnose commands with these older versions you may receive errors such as "Error response from daemon: GET https://docker.cloudsmith.io/......: unauthorized" for example. If this occurs you need to download the latest version of the Connector installer from here.
Enabling MFA While Updating¶
You can enable MFA to the Connector with the --enable-mfa flag when performing an update:
sudo ./cloud-access-connector update --enable-mfa
- RADIUS server IP address or FQDN.
- RADIUS shared secret for configuring RADIUS authentication.
If you do not provide the locations of your RADIUS server and RADIUS shared secret, you will be prompted to do so.
Removing MFA While Updating¶
You can disable MFA from the Connector with the --disable-mfa flag when performing an update:
sudo ./cloud-access-connector update --disable-mfa
Updating SSL Certificates¶
Before updating SSL certificates, ensure that you aware of the requirments for creating and updating certificates, see Assigning a Certificate to the Connector. You can update your Connectors SSL certificate and key by running the following command and specifying your SSL certificate and SSL key information:
sudo ./cloud-access-connector update --ssl-cert path/to/cert --ssl-key path/to/key
Certificate format
The SSL certificate must be a PEM file. A CRT formatted file will not work with the update command above.
This command will enable you update your SSL certificate information without having to re-install the Connector. This command also enables you to change your self-signed certificate to a signed certificate.
Domain Controller Certificates
If all DC certificates have expired, the Anyware Connector will stop working. An error indicator will display on the Connectors page when a Anyware Connector has a DC with expired certificates. A warning indicator that details the current state of the DC certs will display on the same page when a Anyware Connector has a certificate that less than a week away from expiring.