Here is the sequence of events involved in establishing a PCoIP session in a typical brokered scenario. In this example, the PCoIP client is outside the firewall, so the PCoIP Security Gateway is enabled to secure the connection and to proxy authorized traffic.
1. A user provides a server name and address to their PCoIP client, which passes the data to the PCoIP Connection Manager (this can be relayed through a load balancer, as shown here).
2. The Connection Manager communicates with the Connection Broker to authenticate the user and to obtain the list of desktops the user is entitled to use.
3. The Connection Broker passes the list of desktops back to the PCoIP Client.
4. The user selects a desktop from the client UI, and their choice is passed back to the PCoIP Connection Manager.
5. The PCoIP Connection Manager prepares the PCoIP Security Gateway and the requested desktop's PCoIP Agent.
6. The PCoIP Agent acquires a session license from a licensing service (either the PCoIP Cloud Licensing Service or a local PCoIP License Server).
7. The PCoIP session is established. The PCoIP Client now communicates directly with the selected desktop using the PCoIP Protocol.
Note: PCoIP Security Gateway in LAN systems
The PCoIP Security Gateway secures PCoIP communications through the firewall. In systems where PCoIP clients are on the WAN, PCoIP traffic is relayed through the PCoIP Security Gateway. When the entire PCoIP system is on your company LAN, the PCoIP Security Gateway is unnecessary and the PCoIP Client and PCoIP agent communicate directly.
You can use load balancers in front of multiple connection managers and security gateways to distribute system load to optimize performance. The load balancer must support the following:
- Sticky sessions by the jsessionid
During session establishment, the PCoIP Connection Manager retrieves the PCoIP Security Gateway's public IP address and passes it to the client. After the session is established, the client uses the provided IP address to communicate directly with the PCoIP Security Gateway.
Important: The PCoIP Security Gateway's public IP address must be set during installation
If the public IP address is configured to point to the load balancer instead of the PCoIP Security Gateway, the load balancer may direct the client to a PCoIP Security Gateway on the wrong server. If this happens, the client will not be able to establish a session.
The IP address is set using the --external-pcoip-ip flag during installation.
Public IP Address
The machine with the PCoIP Connection Manager and Security Gateway on it must have a public IP address if it is directly accessed from WAN.
To see how load balancers fit into firewall configurations, refer to Configuring Firewalls.
If there is a firewall on the PCoIP Connection Manager server, ensure that the ports for PCoIP traffic are open so that users can access their desktops. The table that follows lists the default port numbers.
Firewall recommendations for establishing a PCoIP session

| Source | Source port | Destination | Destination port | Traffic |
|---|---|---|---|---|
| PCoIP Client | * | PCoIP Connection Manager | TCP: 443 | PCoIP broker protocol (HTTPS) |
| PCoIP Connection Manager | * | Connection broker | TCP: 443 | PCoIP broker protocol (HTTPS) |
| PCoIP Connection Manager | * | PCoIP Agent | TCP: 60443 | PCoIP agent protocol |
| PCoIP Client | * | PCoIP Security Gateway | UDP: 4172 | PCoIP user data |
| PCoIP Client | * | PCoIP Security Gateway | TCP: 4172 | PCoIP control information |
| PCoIP Security Gateway | * | PCoIP Agent | TCP: 4172 | PCoIP control information |
| PCoIP Security Gateway | UDP: 55000 | PCoIP Agent | UDP: 4172 | PCoIP user data |
When deploying a desktop with a PCoIP agent, only port 4172 needs to be open.
Ensure these ports are open for inbound connections:

| Port | Purpose |
|---|---|
| 443 TCP | Used by clients to connect to the PCoIP Connection Manager |
| 4172 TCP/UDP | Used by authorized clients to connect to the PCoIP Security Gateway |
Instructions for opening these ports are included in the installation procedures.
Note that RHEL 8 and Rocky Linux 8 permit all outbound traffic by default.
Important: Other required services may need open outbound ports
If the PCoIP Connection Manager is on a network behind a firewall that blocks outbound connections, ensure that the outbound ports required by other operating system services are open. Teradici recommends that DHCP, DNS, and NTP are active for PCoIP Connection Manager operation.
Configuring Docker Network
The Docker network environment for the PCoIP Connection Manager and the PCoIP Security Gateway is defined in /opt/teradici/pcoipcm_data/docker-compose.yaml under the key networks. By default, it is assigned to:

```yaml
cmdeployment:
  ipam:
    config:
      - subnet: 10.101.0.0/24
```
If your company network CIDR overlaps 10.101.0.0/24, change the default network range in /opt/teradici/pcoipcm_data/docker-compose.yaml to resolve the conflict. Addresses from any of the following CIDR classes can be used:

- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255

For example:

```yaml
cmdeployment:
  ipam:
    config:
      - subnet: 172.16.0.0/24
```
After editing docker-compose.yaml, run the following command to apply your changes:

```shell
sudo pcoip-cmsg-setup configure --compose-file /opt/teradici/pcoipcm_data/docker-compose.yaml
```
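As an added example (not Teradici's code), the script below reads the networks fragment of docker-compose.yaml, extracts the subnet, and reports whether it overlaps your company CIDRs or falls outside the private ranges listed above; suggest_subnet then picks the first free /24 to use as the replacement. It assumes the file uses the `- subnet:` form shown above and relies only on the Python standard library.

```python
import ipaddress
import re

# Private ranges the page lists as acceptable for the Docker network.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # Class A
    ipaddress.ip_network("172.16.0.0/12"),   # Class B
    ipaddress.ip_network("192.168.0.0/16"),  # Class C
]

# Constructed sample of the networks section with the default subnet.
SAMPLE_COMPOSE = """\
networks:
  cmdeployment:
    ipam:
      config:
        - subnet: 10.101.0.0/24
"""

# Matches the '- subnet: <cidr>' lines; a regex avoids needing a YAML library.
_SUBNET_RE = re.compile(r"^\s*-\s*subnet:\s*(\S+)\s*$", re.MULTILINE)


def extract_subnets(compose_text):
    """Return every subnet value found in the compose text, in file order."""
    return _SUBNET_RE.findall(compose_text)


def check_subnet(subnet, company_cidrs):
    """Return a list of problems with the Docker subnet; empty means it is usable."""
    net = ipaddress.ip_network(subnet, strict=False)
    problems = []
    if not any(net.subnet_of(rng) for rng in PRIVATE_RANGES):
        problems.append(f"{net} is not inside a private (RFC 1918) range")
    for cidr in company_cidrs:
        company = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(company):
            problems.append(f"{net} overlaps company network {company}")
    return problems


def suggest_subnet(company_cidrs, prefixlen=24):
    """Return the first private /prefixlen that overlaps none of the company CIDRs."""
    company = [ipaddress.ip_network(c, strict=False) for c in company_cidrs]
    for rng in PRIVATE_RANGES:
        for candidate in rng.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(c) for c in company):
                return str(candidate)
    return None  # every private range is taken; widen prefixlen or free space


if __name__ == "__main__":
    company = ["10.101.0.0/16"]  # constructed: a LAN that clashes with the default
    for found in extract_subnets(SAMPLE_COMPOSE):
        for problem in check_subnet(found, company):
            print("conflict:", problem)
    print("use instead:", suggest_subnet(company))
```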