Cloud Access Connector¶
Cloud Access Manager features a lightweight Cloud Access Connector component that gets deployed in the customer's subscription. The connector component authenticates end users with domain controllers and optionally, MFA services to enable secure connectivity between various Cloud Access Manager endpoints. The connector can be easily upgraded and multiple connectors can be deployed to:
- Change multi-factor authentication settings.
- Setup a gateway per region.
- Setup internal and external connections with different multi-factor authentication settings.
- Upgrade connector builds.
With Cloud Access Manager it is possible to have three connector configurations that can be used for different use cases:
- An external connector with MFA enabled.
- An external connector with MFA disabled.
- An internal connector with MFA disabled.
A Cloud Access Connector consists of the following components:
- An application gateway to route traffic.
- The connection server, which is a Server 2016 A2 V2 instance with the default OS disk and a 128 GByte HDD image.
- The connection server remote workstation hosts the PCoIP broker and the management interface.
- A scale set of security gateway VM's which are CentOS images with a VM size of A2 V2 and the default OS disk image which is a 30 GByte HDD image.
Connection Configuration Matrix
|Use Case Number||External/Public||MFA||Management Interface Location||PCoIP Broker Protocol Location||Security Gateway Enabled|
|3||No||No||Private IP||Private IP||No|
|2||Yes||No||Public IP||Public IP||Yes|
|1||Yes||Yes||Private IP at port 60443||Public IP||Yes|
The Teradici Difference
Teradici Cloud Access Manager enables you to have external and internal connectors running concurrently. For example, you can have an internal connector that has MFA disabled running at the same time as an external connector that has MFA enabled. You can have both internal and external connectors running concurrently, where internal clients are routed to the internal connector and external clients are routed to the external connector via DNS. In the case of Cloud Access Manager, it enables the PCoIP traffic to flow optimally and MFA policies can be independently controlled both internally and externally. For information on how to create and upgrade a Cloud Access Connector, see Creating and Upgrading a Cloud Access Connector.
External Cloud Access Connector (MFA Enabled)¶
This connector allows external access and has the MFA enabled. You can select to enable external network access and enable MFA when prompted when deploying Cloud Access Manager. For more information on Cloud Access Managers MFA architecture, see RADIUS Multi-Factor Authentication with Cloud Access Manager Deployments. With this connector the management interface can only be accessed internally through the private IP at port 60443.
External Cloud Access Connector (MFA Disabled)¶
This connector allows external access but does not have MFA enabled. You can select to enable external network access and disable MFA when prompted when deploying Cloud Access Manager. Both the PCoIP Broker Protocol and Cloud Access Manager management interface are available from the public IP. No port numbers need to be specified. PCoIP traffic will flow through the security gateway even if connecting internally. This configuration is suitable to lower security environments, such as test use cases. It is not recommended for use on higher level security production use cases.
Internal Cloud Access Connector¶
When deploying Cloud Access Manager it is possible to create an internal connector that only enables access to remote workstations from within the internal network. You can select to not enable external network access when prompted for your Cloud Access Manager deployment. This connection can be used when you are connecting to remote workstations, using PCoIP from within your local network. PCoIP traffic flows directly between the PCoIP client and remote workstation without passing through a security gateway. There is no Public IP with this connection type and no port numbers need to be specified to establish connections or go to the Cloud Access Manager management interface.
There must be a VPN bridge between your local network and the VNETs used by Cloud Access Manager in Azure.
A Cloud Access internal connector consists of components in the following states:
- The Application Gateway does not receive a public IP address.
- The Application Gateway listens on port 443 on the private IP.
- MFA is disabled.
- The PCoIP Security Gateway application is disabled. PCoIP traffic flows directly between the PCoIP client and the remote workstation.
- Security Gateway virtual machines are active in the PCoIP session establishment process, and do not receive public IP addresses.
Cloud Access Connectors Data Storage
Cloud Access Connectors do not store any customer or user data. These connectors can be created and destroyed easily.
Cloud Access Connector Resiliency
Cloud Access Manager provides a high level of resiliency in terms of service outages around region failures. Cloud Access Manager uses redundant and scalable services which are monitored 24/7 through the Cloud Access Status page. For more information on the high availability and resiliency around Cloud Access Manager and the Cloud Access Connector, speak to a Teradici sales representative.
Cloud Access Software 19.05 - PCoIP Agent file name and location update
Cloud Access Software 19.05 has changed the file names, locations and install paths of the PCoIP Agents.
The following knowledge base article details how to update previously installed Cloud Access Connectors for Azure with these new locations, see here.
If you do not run this update then you will be unable to deploy remote workstations to a Cloud Access Connector.