Network Security Configuration¶
The Cloud Access Manager subnets each have their own security requirements and recommendations. Some are implemented by the Cloud Access Manager deployment scripts and some can be implemented as part of a corporate network security policy.
Cloud Access Connector Subnet¶
This subnet needs to allow for inbound access for public IP’s generated in the subnet. This is where the PCoIP security gateways will be deployed and they have a public IP each. This subnet also needs to be able to communicate with the domain controllers as well as remote workstations, and the Cloud Access Manager service hosted by Teradici.
Port 4172 Requirements
Port 4172 requirements are only for connectors which have external connectivity. For internal-only connectors the PCoIP traffic never flows through the connector.
Public IP inbound Port numbers:
Network Security Group
This network security group is deployed by the Cloud Access Manager deployment script as sgNSG\<number> in the connection service resource group.
Outbound access to the remote workstation subnet:
- TCP/4172 - For the PCoIP Session Signaling protocol
- UDP/4172 - For the PCoIP protocol
- TCP/60443 - For the PCoIP agent and broker protocols
Outbound access to the domain controller:
- TCP/636 - For LDAPS communication with the domain controller
- UDP/53 - For DNS queries
- TCP/53 - For DNS queries
Outbound access to the internet:
- TCP/443 - for downloading required binaries and packages and communicating with the Cloud Access Manager service
Cloud Access Manager Application Gateway Subnet¶
The subnet which contains the Cloud Access Manager application gateways must meet the following requirements:
- Application gateways must be able to listen on public IP addresses on port TCP/443.
- The application gateway must be able to initiate communication with machines in the connection service subnet.
- TCP/8444 between the security gateway scale set and the connection server.
Outbound access to the connection service subnet:
- TCP/8080 - for broker protocol and management interface http requests
Inbound access from the application gateway subnet:
Cloud Access Manager Remote Workstation Subnet¶
This subnet needs to be routable from the Cloud Access Connector subnet, plus needs any other desired internal access such as to domain controllers, file shares, and internal application servers. Network interfaces in this subnet do not need to create public IP's for Cloud Access Manager.
Outbound access to public IP's:
- TCP/443 - for downloading required binaries and packages, and communicating with Teradici's license server and Cloud Access Manager service