Configuring the PCoIP Security Gateway

Configuration settings for the PCoIP Security Gateway are stored in /etc/SecurityGateway.conf as key/value pairs separated by an equals sign. One setting is described per line.

To configure a setting, open /etc/SecurityGateway.conf with a text editor and add or change the appropriate lines. For example, to set the PCoIP Security Gateway's external IP address, you would add this line:

    ExternalRoutableIP = ip-address-reachable-by-clients

Restart the PCoIP Security Gateway to apply your changes.

Configuration file formats and values are not validated

Configuration file formats and values are not validated. Incorrect configurations can result in components that do not work properly. Ensure you make backups before making changes.

Important: The Security Gateway must be enabled by the Connection Manager

To use the PCoIP Security Gateway, enable it in /etc/ConnectionManager.conf:

    SecurityGatewayEnabled = true

In /etc/SecurityGateway.conf, you must set the IP address clients will use to reach the PCoIP Security Gateway:

    ExternalRoutableIP = ip-address-reachable-by-clients

PCoIP Security Gateway Configuration Settings

The configuration file for the PCoIP Security Gateway is located at /etc/SecurityGateway.conf. To apply changes, restart the PCoIP Security Gateway first, then restart the PCoIP Connection Manager.

| Parameter | Default | Description |
| --- | --- | --- |
| ExternalRoutableIP | | The externally routable IP address of the PCoIP Security Gateway. This is typically set to the static IP address assigned to the PCoIP Connection Manager. Do not set this to a loopback address. |
| LogLevel | 2 | The minimum severity level of messages written to the log. Acceptable values in increasing order of severity are: 0 (TRACE), 1 (DEBUG), 2 (INFO), 3 (WARN), 4 (ERROR). Only messages that are at or above the configured LogLevel severity are logged. For information on log files, see PCoIP Connection Manager and Security Gateway Log Files. |
| LogPath | $TMPDIR or /tmp | Location of PCoIP Security Gateway log files. |
| MaxConnections | 5000 | Maximum number of connections. ulimit -n on Linux needs to be set to slightly more than double this number. |
| SSLCertPath | /opt/Teradici/certs | Location of certificate files used by the PCoIP Security Gateway. |
| SSLCertType | 0 | 0 = Use an external certificate. If not configured, then generate and use a self-signed certificate. 1 = Use an external certificate. 2 = Generate and use a self-signed certificate. |
| SSLLinuxExtCA | CMCertificateCA.pem | SSLLinuxExtCert certificate chain file name. |
| SSLLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with PCoIP clients. |
| SSLLinuxExtCertPhrase | | Passphrase of the private key specified by SSLLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the passphrase to be specified here in plain text. |
| SSLLinuxExtPriv | CMCertificateKey.pem | File name of the SSLLinuxExtCert certificate private key (in base64-encoded PEM format). |
| SSLCipherBlackList | | Lists the TLS cipher suites to be removed from the default list of cipher suites used for establishing a TLS connection to the PCoIP client, the PCoIP server, and the connection manager. The cipher suites are specified by their RFC names and are separated by a colon. See PCoIP Connection Manager Supported TLS Cipher Suites. For example, specifying the "TLS_RSA_WITH_AES_256_CBC_SHA: TLS_RSA_WITH_AES_128_CBC_SHA" string as the black list removes the specified two cipher suites. |
| TCPControlLinuxExtCA | CMCertificateCA.pem | TCPControlLinuxExtCert certificate chain file name. |
| TCPControlLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with the PCoIP Connection Manager. |
| TCPControlLinuxExtCertPhrase | | Passphrase of the private key specified by TCPControlLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the passphrase to be specified here in plain text. |
| TCPControlLinuxExtPriv | CMCertificateKey.pem | File name of the TCPControlLinuxExtCert certificate private key (in base64-encoded PEM format). |

Security gateway secures connections to control channel

If the TCPControlLinuxExtCA, TCPControlLinuxExtCert, and TCPControlLinuxExtPriv settings are all configured, then the security gateway secures connections to its control channel with TLS. If one or more of these settings is not specified, then the security gateway accepts plain text connections to its control channel. The connection manager uses TLS by default when establishing a connection to the security gateway control channel. For more information, see PCoIP Connection Manager Configuration Settings.
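
Because the configuration file is not validated, a pre-restart check can catch the conditions called out in the settings table and in the control channel note above. The following is an added example, not Teradici code. It assumes that "configured" means the key is present in the file with a non-empty value and that lines starting with `#` are comments; the function names and the sample file contents are constructed for illustration.

```python
import ipaddress

CONTROL_TLS_KEYS = ("TCPControlLinuxExtCA", "TCPControlLinuxExtCert", "TCPControlLinuxExtPriv")
PASSPHRASE_KEYS = ("SSLLinuxExtCertPhrase", "TCPControlLinuxExtCertPhrase")

def parse_conf(text):
    """Parse 'key = value' lines, one setting per line, into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: blank lines and '#' comment lines are ignored.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return findings for the conditions the settings documentation warns about."""
    findings = []
    ip = settings.get("ExternalRoutableIP", "")
    try:
        if ipaddress.ip_address(ip).is_loopback:
            findings.append("ExternalRoutableIP is a loopback address")
    except ValueError:
        findings.append("ExternalRoutableIP is missing or not an IP address")
    # All three settings are needed for the control channel to use TLS.
    missing = [k for k in CONTROL_TLS_KEYS if not settings.get(k)]
    if missing:
        findings.append("control channel accepts plain text; unset: " + ", ".join(missing))
    for key in PASSPHRASE_KEYS:
        if settings.get(key):
            findings.append(key + " stores a private-key passphrase in plain text")
    level = settings.get("LogLevel", "2")
    if level not in {"0", "1", "2", "3", "4"}:
        findings.append("LogLevel must be 0-4, got " + repr(level))
    return findings

# Constructed sample input, not a real deployment's file.
SAMPLE = """\
ExternalRoutableIP = 127.0.0.1
LogLevel = 7
TCPControlLinuxExtCert = CMCertificate.pem
TCPControlLinuxExtPriv = CMCertificateKey.pem
SSLLinuxExtCertPhrase = example-passphrase
"""

if __name__ == "__main__":
    print("\n".join("WARN: " + f for f in audit(parse_conf(SAMPLE))))
```

To check a live system, pass the contents of /etc/SecurityGateway.conf to `parse_conf` instead of `SAMPLE`.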