Before deploying the PCoIP Connection Manager and PCoIP Security Gateway, ensure you understand the PCoIP session establishment process and how load balancers and firewalls fit in.
Here's the sequence of events involved in establishing a PCoIP session in a typical brokered scenario. In this example, the PCoIP client is outside the firewall, so the PCoIP Security Gateway is enabled to secure the connection and to proxy authorized traffic.

1. A user provides a server name and address to their PCoIP client, which passes the data to the PCoIP Connection Manager (this can be relayed through a load balancer, as in this example).
2. The Connection Manager communicates with the Connection Broker to authenticate the user and to obtain the list of desktops the user is entitled to use.
3. The Connection Broker passes the list of desktops back to the PCoIP Client.
4. The user selects a desktop from the client UI, and their choice is passed back to the PCoIP Connection Manager.
5. The PCoIP Connection Manager prepares the PCoIP Security Gateway and the requested desktop's PCoIP Agent.
6. The PCoIP Agent acquires a session license from a licensing service (either the PCoIP Cloud Licensing Service or a local PCoIP License Server).
7. The PCoIP session is established. The PCoIP Client now communicates directly with the selected desktop using the PCoIP Protocol.
Note: PCoIP Security Gateway in LAN systems
The PCoIP Security Gateway secures PCoIP communications through the firewall. In systems where PCoIP clients are on the WAN, PCoIP traffic is relayed through the PCoIP Security Gateway. When the entire PCoIP system is on your company LAN, the PCoIP Security Gateway is unnecessary and the PCoIP Client and PCoIP agent communicate directly.
You can use load balancers in front of multiple connection managers and security gateways to distribute system load to optimize performance. The load balancer must support the following:
- Sticky sessions by the jsessionid
During session establishment, the PCoIP Connection Manager retrieves the ExternalRoutableIP configuration value from its paired PCoIP Security Gateway and passes it to the client. After the session is established, the client uses that IP address to communicate directly with the PCoIP Security Gateway.
ExternalRoutableIP must point to the PCoIP Security Gateway
If the ExternalRoutableIP setting points to the load balancer instead of the PCoIP Security Gateway, the load balancer may direct the client to a PCoIP Security Gateway on the wrong server. If this happens, the client will not be able to establish a session.
Public IP Address
The machine with the PCoIP Connection Manager and Security Gateway on it must have a public IP address.
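The two requirements above (ExternalRoutableIP must name the Security Gateway itself, not the load balancer, and the host must have a public address) can be checked before a deployment goes live. The following pre-flight check is an added example, not code from Teradici or from the PCoIP product; it assumes a `Key = value` configuration line format (only the `ExternalRoutableIP` key name comes from this page), a constructed configuration fragment, and constructed gateway and load-balancer addresses from the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Constructed sample of a Security Gateway configuration fragment. The
# "Key = value" line format is an assumption for this example; only the
# ExternalRoutableIP key name comes from the documentation.
SAMPLE_SG_CONFIG = """
# PCoIP Security Gateway settings (constructed sample)
ExternalRoutableIP = 203.0.113.10
"""

# Address ranges that can never be the client-facing address of a gateway
# that must have a public IP: RFC 1918 private space, loopback, link-local.
NON_PUBLIC_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_config(text):
    """Parse 'Key = value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_external_routable_ip(config_text, gateway_addresses, load_balancer_addresses):
    """Return (ok, reason) for the ExternalRoutableIP value in config_text.

    gateway_addresses: addresses bound on this Security Gateway host.
    load_balancer_addresses: addresses clients use to reach the load balancer.
    """
    value = parse_config(config_text).get("ExternalRoutableIP")
    if value is None:
        return False, "ExternalRoutableIP is not set"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False, f"ExternalRoutableIP {value!r} is not a valid IP address"

    lb = {ipaddress.ip_address(a) for a in load_balancer_addresses}
    local = {ipaddress.ip_address(a) for a in gateway_addresses}
    if ip in lb:
        # The load balancer may forward the client to a gateway other than the
        # one prepared for its session, and the session will not establish.
        return False, f"{ip} is the load balancer, not this Security Gateway"
    if ip not in local:
        return False, f"{ip} is not an address of this Security Gateway host"
    if any(ip in net for net in NON_PUBLIC_RANGES):
        return False, f"{ip} is not a public address; clients outside the firewall cannot reach it"
    return True, f"{ip} is this Security Gateway's public address"


if __name__ == "__main__":
    ok, reason = check_external_routable_ip(
        SAMPLE_SG_CONFIG,
        gateway_addresses=["203.0.113.10", "10.0.0.5"],
        load_balancer_addresses=["203.0.113.1"],
    )
    print("OK" if ok else "MISCONFIGURED", "-", reason)
```

Run it with the gateway host's own interface addresses and the load balancer's client-facing address; a value that matches the load balancer is reported as the misconfiguration described above, and an RFC 1918 address is rejected even when it is bound on the host, since WAN clients cannot reach it.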
To see how load balancers fit into firewall configurations, refer to Configuring Firewalls.
If there is a firewall on the PCoIP Connection Manager server, ensure the ports for PCoIP traffic are open so that users can access their desktops. The table that follows lists the default port numbers.
Firewall recommendations for establishing a PCoIP Session
| Source | Source port | Destination | Destination port | Purpose |
|---|---|---|---|---|
| PCoIP Client | * | PCoIP Connection Manager | TCP: 443 | PCoIP broker protocol (HTTPS) |
| PCoIP Connection Manager | * | Connection broker | TCP: 443 | PCoIP broker protocol (HTTPS) |
| PCoIP Connection Manager | * | PCoIP Agent | TCP: 60443 | PCoIP agent protocol |
| PCoIP Client | * | PCoIP Security Gateway | UDP: 4172 | PCoIP user data |
| PCoIP Client | * | PCoIP Security Gateway | TCP: 4172 | PCoIP control information |
| PCoIP Security Gateway | * | PCoIP Agent | TCP: 4172 | PCoIP control information |
| PCoIP Security Gateway | UDP: 55000 | PCoIP Agent | UDP: 4172 | PCoIP user data |

(* = any source port)
When deploying a desktop with a PCoIP agent, only port 4172 needs to be open.
Ensure these ports are open for inbound connections:
| Port | Purpose |
|---|---|
| 443 TCP | Used by clients to connect to the PCoIP Connection Manager |
| 4172 TCP/UDP | Used by authorized clients to connect to the PCoIP Security Gateway |
By default, only SSH service is permitted in RHEL/CentOS 7. Use these commands to open the required ports for incoming traffic:
```shell
# Accept inbound HTTPS to the Connection Manager and PCoIP control/data to the Security Gateway.
# -I INPUT 1 inserts each rule at the top of the chain, ahead of the default REJECT rule.
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 4172 -j ACCEPT
sudo iptables -I INPUT 1 -p udp --dport 4172 -j ACCEPT
# Persist the rules across reboots (provided by the iptables-services package).
sudo service iptables save
```
If you also limit outbound connections, ensure that the following ports are open for outbound connections:
| Port | Purpose |
|---|---|
| 443 TCP | Used by the PCoIP Connection Manager to connect to third-party brokers |
| 60443 TCP | Used by the PCoIP Connection Manager to launch sessions on PCoIP agents |
| 4172 TCP/UDP | Used by the PCoIP Security Gateway to relay PCoIP session traffic from clients to PCoIP agents |
RHEL/CentOS 7 permits all outbound traffic by default.
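A quick way to confirm that a host's firewall actually admits the three inbound ports listed above is to audit the `iptables-save` output rather than trusting that the commands were run. The script below is an added example, not part of the PCoIP documentation or product; the iptables dump it parses is constructed (an administrator opened 443/tcp and 4172/udp but forgot 4172/tcp). It evaluates only rules that match on protocol and port, in chain order, and skips rules narrowed by interface, source or connection state, so it reports the first port-level verdict each required port would receive and the chain policy if no rule matches.

```python
import shlex

# Ports the documentation lists as required for inbound connections on the
# PCoIP Connection Manager / Security Gateway host.
REQUIRED_INBOUND = {
    ("tcp", 443): "clients -> PCoIP Connection Manager (HTTPS)",
    ("tcp", 4172): "clients -> PCoIP Security Gateway (control)",
    ("udp", 4172): "clients -> PCoIP Security Gateway (user data)",
}

# Constructed iptables-save output for a RHEL/CentOS 7 style host where an
# admin opened 443/tcp and 4172/udp but forgot 4172/tcp.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 4172 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that narrow a rule to an interface, peer or connection state. Such
# rules are skipped: this audit only models rules that match on protocol/port.
NARROWING_OPTIONS = {"-i", "--in-interface", "-s", "--source", "--state", "--ctstate"}


def _port_set(spec):
    """Expand '443', '4172:4173' or '443,4172' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def _parse_rule(tokens):
    """Return (proto, ports, target, port_only) for an '-A INPUT ...' rule."""
    proto, ports, target, port_only = None, None, None, True
    for i, tok in enumerate(tokens[2:], start=2):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-p", "--protocol"):
            proto = nxt.lower()
        elif tok in ("--dport", "--dports", "--destination-port", "--destination-ports"):
            ports = _port_set(nxt)
        elif tok in ("-j", "--jump"):
            target = nxt
        elif tok in NARROWING_OPTIONS:
            port_only = False
    return proto, ports, target, port_only


def input_policy(dump):
    """Default verdict of the INPUT chain, from the ':INPUT ACCEPT [0:0]' line."""
    for line in dump.splitlines():
        if line.startswith(":INPUT"):
            return line.split()[1]
    return "ACCEPT"


def first_verdict(dump, proto, port):
    """Verdict of the first port-level INPUT rule matching (proto, port), else the chain policy."""
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        r_proto, r_ports, target, port_only = _parse_rule(tokens)
        if not port_only:
            continue
        if r_proto not in (None, proto):
            continue
        if r_ports is not None and port not in r_ports:
            continue
        return target
    return input_policy(dump)


def audit_inbound(dump):
    """Map each required (proto, port) to the verdict the INPUT chain gives it."""
    return {key: first_verdict(dump, *key) for key in REQUIRED_INBOUND}


def missing_inbound(dump):
    """Required (proto, port) pairs that are not ACCEPTed, in table order."""
    return [key for key, verdict in audit_inbound(dump).items() if verdict != "ACCEPT"]


if __name__ == "__main__":
    for key, verdict in audit_inbound(SAMPLE_DUMP).items():
        print(f"{key[0]}/{key[1]:<5} {verdict:<7} {REQUIRED_INBOUND[key]}")
```

Feed it the real output of `sudo iptables-save` on the Connection Manager host. Because verdicts are taken in chain order, the audit also catches the ordering mistake the documentation's commands avoid: a rule appended after the catch-all REJECT (with `-A` instead of `-I INPUT 1`) is still reported as blocked.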
Important: Other required services may need open outbound ports
If the PCoIP Connection Manager is on a network behind a firewall that blocks outbound connections, ensure that the ports required by other operating system services are also open. Teradici recommends that DHCP, DNS, and NTP are active for PCoIP Connection Manager operation.