Discovery Process Overview
Before endpoints can be managed by the PCoIP Management Console, they must first be discovered. Once discovered, the PCoIP Management Console will label the device as either a local or remote endpoint.
During the discovery process, the PCoIP Management Console determines whether a device is local or remote by comparing the IP address of the communicating endpoint with the IP address that the endpoint reports it is configured with. If the two addresses are the same, the PCoIP Management Console labels the endpoint as a local endpoint. If the two IP addresses are different, such as in networks utilizing NAT devices, the PCoIP Management Console labels the endpoint as a remote endpoint. The PCoIP Management Console also labels an endpoint as local if the endpoint reports an IP address that falls within the configured Local IP Address Ranges field found on the SETTINGS > REMOTE > REMOTE CONFIGURATION page. Endpoints identified as remote endpoints require a reverse proxy and additional configuration, which is further described in Remote Endpoint Management (Enterprise).
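The local/remote decision described above, as an added Python illustration (not Teradici code): the "start-end" and CIDR forms accepted for the Local IP Address Ranges entries are assumptions made for this example.

```python
import ipaddress

def classify_endpoint(peer_ip, reported_ip, local_ranges=()):
    """Label an endpoint "local" or "remote" following the rule described above.

    peer_ip:      source address the Management Console sees on the connection
    reported_ip:  address the endpoint reports it is configured with
    local_ranges: entries of the Local IP Address Ranges setting; "start-end"
                  and CIDR forms are both accepted here (the format is an assumption)
    """
    peer = ipaddress.ip_address(peer_ip)
    reported = ipaddress.ip_address(reported_ip)
    if peer == reported:
        return "local"            # no address translation between console and endpoint
    for entry in local_ranges:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if start <= reported <= end:
                return "local"    # reported address lies in a configured local range
        elif reported in ipaddress.ip_network(entry, strict=False):
            return "local"
    return "remote"               # e.g. NAT in the path: needs the reverse proxy setup

# Constructed sample: the console sees a public NAT address while the endpoint
# reports a private one.
if __name__ == "__main__":
    print(classify_endpoint("203.0.113.10", "192.168.1.20"))                      # remote
    print(classify_endpoint("203.0.113.10", "192.168.1.20", ["192.168.1.0/24"]))  # local
```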
This topic provides an overview of the main steps of the PCoIP endpoint discovery process.
Important: Replace the default self-signed certificate with your own before configuring a discovery method and adding endpoints
Teradici strongly recommends that you replace the PCoIP Management Console self-signed certificate with your own PCoIP Management Console certificates before configuring a discovery method and before adding endpoints to the PCoIP Management Console. See Managing PCoIP Management Console Certificates for details.
The following diagram illustrates how endpoints discover a PCoIP Management Console.
Note: PCoIP Management Console serves as both Endpoint Bootstrap Manager and Endpoint Manager
The PCoIP Management Console serves as both the Endpoint Bootstrap Manager and the Endpoint Manager. It is possible that other endpoint managers of the PCoIP Management Console may separate these roles.
Figure: PCoIP endpoint discovery process.
Endpoint Discovery Process
The steps outlined in the preceding illustration are explained next.
Note: Endpoint Bootstrap Manager and Endpoint Manager information
The Endpoint Bootstrap Manager/Endpoint Manager information with which an endpoint must be provisioned before it can be discovered depends on the endpoint’s discovery method and security level. You can configure both these options from the endpoint’s AWI Configuration > Management page. Please see Tera2 PCoIP Zero Client Firmware Administrators’ Guide for details. See also Configuring an Endpoint Manager Manually from an Endpoint for instructions on how to manually configure an Endpoint Manager from its AWI Management page.
Stage 1: Provisioning Endpoints
There are three ways in which you can provision endpoints with Endpoint Bootstrap Manager or Endpoint Manager information for automatic and manual discovery: DHCP vendor-specific options, DNS service and text records, and a Uniform Resource Identifier (URI).
The first stage provisions endpoints with the information they need either to connect to the Endpoint Bootstrap Manager for bootstrapping, or to connect directly to the Endpoint Manager. Depending on the endpoint’s configured discovery method, you can manually enter the information or it can be provisioned automatically.
For automatic discovery, endpoints are populated with the IP address or FQDN of the PCoIP Management Console to which they should connect via DHCP vendor-specific options or DNS service and text records. Optionally, endpoints can also be configured with the PCoIP Management Console certificate’s fingerprint (that is, its digital signature) by the DHCP or DNS server. If the PCoIP Management Console certificate fingerprint is provided in the DHCP or DNS record, the endpoint (in low security mode) will verify the PCoIP Management Console certificate solely by matching the fingerprint. This is intended for use cases where the PCoIP Management Console trusted root CA certificate (the PCoIP Management Console chain certificate) is not uploaded to the endpoint, or where the PCoIP Management Console certificate does not meet the verification requirement. If a fingerprint is not provisioned, an endpoint without a trusted PCoIP Management Console certificate will fail to connect. Automatic discovery is used for low and medium security environments.
For manual discovery, you manually configure each endpoint with the uniform resource identifier (URI) of the Endpoint Bootstrap Manager (for low and medium security environments), or with the URI of the actual Endpoint Manager (for high security environments).
Endpoint Certificate Requirements
Depending on an endpoint’s configured security level, you may also need to provision endpoints with a PCoIP Management Console certificate.
Endpoints configured for medium or high security must have a trusted certificate in their certificate store before they can connect to a PCoIP Management Console. For some endpoints, certificates may be pre-loaded by the vendor as a factory default. Otherwise, you can manually upload certificates using an endpoint’s AWI.
Endpoints that are configured for low security do not need a PCoIP Management Console certificate in their trusted certificate stores if either of the following is true:
They are using DHCP discovery or DNS discovery and the DHCP or DNS server has provisioned them with the PCoIP Management Console certificate’s fingerprint.
They are discovered using the PCoIP Management Console’s manual discovery method. See Discovering Endpoints Manually from PCoIP Management Console.
The following table summarizes the certificate requirement for endpoints based on their discovery method and configured security level.
Certificate Requirements for Endpoints
| Discovery Method | Low Security | Medium Security | High Security |
|---|---|---|---|
| DHCP/DNS discovery without Endpoint Bootstrap Manager fingerprint provisioned | Certificate required | Certificate required | N/A |
| DHCP/DNS discovery with Endpoint Bootstrap Manager fingerprint provisioned | Certificate not required | Certificate required | N/A |
| Discovery initiated by an endpoint configured for a high security environment | N/A | N/A | Certificate required |
| Manual discovery initiated by the PCoIP Management Console | Certificate not required | N/A | N/A |
Information about endpoint security levels is summarized next.
Low security: Endpoints can be discovered manually from the PCoIP Management Console (see Discovering Endpoints Manually from PCoIP Management Console). Endpoints can also use DHCP or DNS auto discovery; if the Endpoint Bootstrap Manager fingerprint is also provisioned by the DHCP or DNS server, endpoints do not require a certificate.
Medium security: Endpoints cannot be discovered manually from the PCoIP Management Console. Endpoints will not use the certificate fingerprint retrieved from the DHCP or DNS server to trust the PCoIP Management Console; a PCoIP Management Console certificate or its issuer public key certificate must be pre-loaded in the endpoint.
High security: Endpoints cannot be discovered manually from the PCoIP Management Console and cannot use DHCP or DNS auto discovery. The Endpoint Manager’s address must be manually entered into the endpoint, and a PCoIP Management Console public key certificate or its issuer public key certificate must be pre-loaded in the endpoint.
Stage 2: Entering the Bootstrap Phase
Endpoints that have been provisioned with Endpoint Bootstrap Manager information enter a bootstrap phase where they evaluate the Endpoint Bootstrap Manager’s certificate fingerprint to determine whether the Endpoint Bootstrap Manager can be trusted. If the certificate fingerprint match succeeds, the endpoints proceed to the next step.
Note: High security endpoints configured with Endpoint Manager information bypass the bootstrap process
Endpoints in high security environments that are already configured with Endpoint Manager connection information bypass the Endpoint Bootstrap Manager bootstrap process and attempt to connect to the Endpoint Manager right away.
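The certificate-requirement table and security-level rules above, together with the Stage 2 fingerprint check, as an added Python model (not Teradici code) of the endpoint-side decision to trust the manager it is talking to. The SHA-256 fingerprint, the discovery-method names and the use of a fingerprint set in place of real chain validation are assumptions made for this example.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """Hex fingerprint of a DER-encoded certificate (SHA-256 is an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()

def may_trust_manager(security, discovery, manager_cert_der,
                      trusted_store=frozenset(), provisioned_fingerprint=None):
    """Endpoint-side trust decision for the manager presenting manager_cert_der.

    security:  "low", "medium" or "high"
    discovery: "dhcp_dns"         auto discovery via DHCP options / DNS records
               "console_manual"   discovery initiated from the Management Console
               "endpoint_manual"  manager URI entered on the endpoint itself
    trusted_store: fingerprints of certificates pre-loaded on the endpoint; a real
                   endpoint validates the chain, set membership is a stand-in here.
    provisioned_fingerprint: fingerprint delivered by the DHCP/DNS server, if any.
    Returns (trusted: bool, reason: str).
    """
    fp = fingerprint(manager_cert_der)
    in_store = fp in trusted_store
    if discovery == "console_manual":
        # Table row 4: only low-security endpoints, and no certificate needed.
        if security != "low":
            return False, "console-initiated discovery is only allowed at low security"
        return True, "low security, console-initiated discovery: no certificate required"
    if discovery == "dhcp_dns":
        if security == "high":
            return False, "high security endpoints cannot use DHCP/DNS discovery"
        if security == "low" and provisioned_fingerprint is not None:
            # Table row 2: low security trusts the manager on a fingerprint match alone.
            if fp == provisioned_fingerprint:
                return True, "low security: fingerprint from DHCP/DNS matched"
            return False, "low security: fingerprint from DHCP/DNS did not match"
        # Table row 1, and medium security (which ignores any provisioned
        # fingerprint): a pre-loaded trusted certificate is required.
        if in_store:
            return True, f"{security} security: certificate found in trust store"
        return False, f"{security} security: certificate not trusted, no usable fingerprint"
    if discovery == "endpoint_manual":
        # Table row 3 (high security). No fingerprint is provisioned on this path,
        # so a trusted certificate is required; applied to every level here.
        if in_store:
            return True, "manually configured manager: certificate found in trust store"
        return False, "manually configured manager: certificate not trusted"
    return False, f"unknown discovery method {discovery!r}"
```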
Stage 3: Receiving Endpoint Manager Information
Next, the Endpoint Bootstrap Manager provides the IP address and certificate fingerprint of the Endpoint Manager to which the endpoint should connect. The endpoint then disconnects from the Endpoint Bootstrap Manager and attempts to establish a connection with the Endpoint Manager.
Stage 4: Entering the Managed Phase
If Endpoint Manager certificate verification succeeds and the endpoint is able to establish a successful connection with the Endpoint Manager, the Endpoint Manager connection information is saved to the endpoint’s permanent storage, and the endpoint enters the managed phase.
Configuring a Discovery Method
Note: Confirm your endpoint's discovery method
Review the administrators' guide for your endpoint to confirm the discovery method it supports.
The following topics contain information about how to configure an endpoint discovery method:
Configuring Endpoints using Auto Discovery: Explains how to configure your DHCP server to provision endpoints with Endpoint Bootstrap Manager information.
Configuring DNS SRV Record Discovery: Explains how to configure your DNS server to provision endpoints with Endpoint Bootstrap Manager information.
Configuring an Endpoint Manager Manually from an Endpoint: Explains how to manually configure an Endpoint Manager for an endpoint in a high security environment.
Discovering Endpoints Manually from PCoIP Management Console: Explains how to manually initiate discovery from the PCoIP Management Console. Endpoints must be configured for low security if you use this method.