
System Planning

Before deploying the PCoIP Connection Manager and PCoIP Security Gateway, ensure you understand the PCoIP session establishment process and how load balancers and firewalls fit in.

Session Establishment

Here's the sequence of events involved in establishing a PCoIP session in a typical brokered scenario. In this example, the PCoIP client is outside the firewall, so the PCoIP Security Gateway is enabled to secure the connection and to proxy authorized traffic.

[Figure: PCoIP session establishment sequence]

  1. A user provides a server name and address to their PCoIP client, which passes the data to the PCoIP Connection Manager (this can be relayed through a load balancer, as shown here).

  2. The Connection Manager communicates with the Connection Broker to authenticate the user and to obtain the list of desktops the user is entitled to use.

  3. The Connection Broker passes the list of desktops back to the PCoIP Client.

  4. The user selects a desktop from the client UI, and their choice is passed back to the PCoIP Connection Manager.

  5. The PCoIP Connection Manager prepares the PCoIP Security Gateway and the requested desktop's PCoIP Agent.

  6. The PCoIP Agent acquires a session license from a licensing service (either the PCoIP Cloud Licensing Service or a local PCoIP License Server).

  7. The PCoIP session is established. The PCoIP Client now communicates directly with the selected desktop using the PCoIP Protocol.

    Note: PCoIP Security Gateway in LAN systems

    The PCoIP Security Gateway secures PCoIP communications through the firewall. In systems where PCoIP clients are on the WAN, PCoIP traffic is relayed through the PCoIP Security Gateway. When the entire PCoIP system is on your company LAN, the PCoIP Security Gateway is unnecessary and the PCoIP Client and PCoIP agent communicate directly.

Load Balancing

You can use load balancers in front of multiple connection managers and security gateways to distribute system load and optimize performance. The load balancer must support the following:

  • HTTPS
  • Sticky sessions by the jsessionid

During session establishment, the PCoIP Connection Manager retrieves the PCoIP Security Gateway's public IP address and passes it to the client. After the session is established, the client uses the provided IP address to communicate directly with the PCoIP Security Gateway.

Important: The PCoIP Security Gateway's public IP address must be set during installation

If the public IP address is configured to point to the load balancer instead of the PCoIP Security Gateway, the load balancer may direct the client to a PCoIP Security Gateway on the wrong server. If this happens, the client will not be able to establish a session.

The IP address is set using the --external-pcoip-ip flag during installation.

Public IP Address

The machine with the PCoIP Connection Manager and Security Gateway on it must have a public IP address if it is directly accessed from WAN.

To see how load balancers fit into firewall configurations, refer to Configuring Firewalls.

Configuring Firewalls

If there is a firewall on the PCoIP Connection Manager server, ensure the ports for PCoIP traffic are open so that users can access their desktops. The following illustration shows the default port numbers.

[Figure: default PCoIP port numbers]

Firewall recommendations for establishing a PCoIP Session

Source                    Port        Destination               Port        Description
PCoIP Client              *           PCoIP Connection Manager  TCP: 443    PCoIP broker protocol (HTTPS)
PCoIP Connection Manager  *           Connection broker         TCP: 443    PCoIP broker protocol (HTTPS)
PCoIP Connection Manager  *           PCoIP Agent               TCP: 60443  PCoIP agent protocol
PCoIP Client              *           PCoIP Security Gateway    UDP: 4172   PCoIP user data
PCoIP Client              *           PCoIP Security Gateway    TCP: 4172   PCoIP control information
PCoIP Security Gateway    *           PCoIP Agent               TCP: 4172   PCoIP control information
PCoIP Security Gateway    UDP: 55000  PCoIP Agent               UDP: 4172   PCoIP user data
When deploying a desktop with a PCoIP agent, only port 4172 needs to be open.

Inbound Connections

Ensure these ports are open for inbound connections:

Port          Purpose
443 TCP       Used by clients to connect to the PCoIP Connection Manager
4172 TCP/UDP  Used by authorized clients to connect to the PCoIP Security Gateway

Instructions for opening these ports are included in the installation procedures.
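As an added example (not Teradici's code), the following Python script derives the inbound ports each host role must accept from the firewall table above and audits a RHEL 8 / Rocky Linux 8 host's firewalld configuration against that set. The `firewall-cmd` output in the sample run is constructed.

```python
"""Derive per-role inbound ports from the PCoIP firewall recommendations table
and audit a firewalld host against them. Added example, not Teradici code."""
import subprocess

# (source, destination, destination port) rows copied from the page's table.
FLOWS = [
    ("PCoIP Client", "PCoIP Connection Manager", "443/tcp"),
    ("PCoIP Connection Manager", "Connection Broker", "443/tcp"),
    ("PCoIP Connection Manager", "PCoIP Agent", "60443/tcp"),
    ("PCoIP Client", "PCoIP Security Gateway", "4172/udp"),
    ("PCoIP Client", "PCoIP Security Gateway", "4172/tcp"),
    ("PCoIP Security Gateway", "PCoIP Agent", "4172/tcp"),
    ("PCoIP Security Gateway", "PCoIP Agent", "4172/udp"),
]

def inbound_ports(*roles):
    """Ports a host running the given role(s) must accept, e.g. a combined
    Connection Manager + Security Gateway server."""
    return {port for _, dst, port in FLOWS if dst in roles}

def parse_list_ports(output):
    """Parse `firewall-cmd --list-ports` output such as '443/tcp 4172/udp'."""
    return {tok.lower() for tok in output.split() if "/" in tok}

def audit(open_ports, required):
    """Report required ports that are closed and open ports the role does not need."""
    return {"missing": sorted(required - open_ports),
            "unexpected": sorted(open_ports - required)}

def firewall_cmd_fixes(missing):
    """firewalld commands that open the missing ports permanently."""
    cmds = ["sudo firewall-cmd --permanent --add-port=%s" % p for p in sorted(missing)]
    return cmds + ["sudo firewall-cmd --reload"] if cmds else []

def live_audit(*roles):
    """Audit this host; needs firewalld. Ports granted through firewalld services
    (e.g. the 'https' service) are not shown by --list-ports, so also check
    --list-services before closing anything reported as unexpected."""
    out = subprocess.run(["firewall-cmd", "--list-ports"],
                         capture_output=True, text=True, check=True).stdout
    return audit(parse_list_ports(out), inbound_ports(*roles))

if __name__ == "__main__":
    # Constructed sample output: UDP 4172 was never opened and 8080/tcp is stray.
    sample = "443/tcp 4172/tcp 8080/tcp\n"
    report = audit(parse_list_ports(sample),
                   inbound_ports("PCoIP Connection Manager", "PCoIP Security Gateway"))
    print(report)
    print("\n".join(firewall_cmd_fixes(report["missing"])))
```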

Note that RHEL 8 and Rocky Linux 8 permit all outbound traffic by default.

Important: Other required services may need open outbound ports

If the PCoIP Connection Manager is on a network behind a firewall that blocks outbound connections, ensure that the outbound ports needed by other required operating system services are open. Teradici recommends that DHCP, DNS, and NTP are active for PCoIP Connection Manager operation.

Configuring Docker Network

The Docker network for the PCoIP Connection Manager and the PCoIP Security Gateway is defined in /opt/teradici/pcoipcm_data/docker-compose.yaml under the key networks. By default, it is assigned the subnet 10.101.0.0/24.

  cmdeployment:
    ipam:
      config:
      - subnet: 10.101.0.0/24

If your company network CIDR overlaps 10.101.0.0/24, change the default network range in /opt/teradici/pcoipcm_data/docker-compose.yaml to resolve the conflict. Addresses from any of the following private address ranges can be used:

Class A: 10.0.0.0 to 10.255.255.255.
Class B: 172.16.0.0 to 172.31.255.255.
Class C: 192.168.0.0 to 192.168.255.255.

For example:

  cmdeployment:
    ipam:
      config:
      - subnet: 172.16.0.0/24

After editing docker-compose.yaml, run the following command to apply your changes:

sudo pcoip-cmsg-setup configure --compose-file /opt/teradici/pcoipcm_data/docker-compose.yaml
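As an added example (not part of the Teradici installer), the following Python script checks whether the default Docker subnet overlaps your company CIDRs and, if it does, picks a free /24 from the private ranges listed above and renders the matching networks fragment for docker-compose.yaml. The company CIDRs in the sample run are constructed.

```python
"""Detect a collision between the PCoIP Connection Manager Docker subnet and the
company network, and propose a non-overlapping replacement. Added example."""
import ipaddress

DEFAULT_DOCKER_SUBNET = "10.101.0.0/24"   # default in docker-compose.yaml

# Private ranges the page lists as permitted replacements.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 to 192.168.255.255
]

def overlapping(docker_subnet, company_cidrs):
    """Return the company CIDRs that overlap the Docker subnet."""
    docker = ipaddress.ip_network(docker_subnet)
    return [c for c in company_cidrs if docker.overlaps(ipaddress.ip_network(c))]

def pick_free_subnet(company_cidrs, prefixlen=24):
    """First subnet of the given length inside the private ranges that overlaps
    no company CIDR, or None if every range is taken."""
    taken = [ipaddress.ip_network(c) for c in company_cidrs]
    for rng in PRIVATE_RANGES:
        for cand in rng.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                return str(cand)
    return None

def compose_networks_fragment(subnet):
    """The networks fragment of docker-compose.yaml with the chosen subnet."""
    return ("networks:\n"
            "  cmdeployment:\n"
            "    ipam:\n"
            "      config:\n"
            "      - subnet: %s\n" % subnet)

if __name__ == "__main__":
    # Constructed company network: the LAN already uses 10.101.0.0/16.
    company = ["10.101.0.0/16", "192.168.0.0/16"]
    clash = overlapping(DEFAULT_DOCKER_SUBNET, company)
    if clash:
        new = pick_free_subnet(company)
        print("overlaps", clash, "-> use", new)
        print(compose_networks_fragment(new))
        print("sudo pcoip-cmsg-setup configure --compose-file "
              "/opt/teradici/pcoipcm_data/docker-compose.yaml")
```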