About PCoIP Remote Workstation Card Management Security Levels

There are three available management security level settings in the PCoIP Remote Workstation Card: low, medium, and high. These settings determine whether the PCoIP Remote Workstation Card can be discovered by an endpoint manager, how an endpoint manager can be discovered by the PCoIP Remote Workstation Card, and also dictate whether a certificate must be installed in the PCoIP Remote Workstation Card for discovery to succeed.

The management security level is configured on the Management page of the AWI (see Configuring the Management State). Detailed instructions for allowing discovery under most scenarios, including security level settings, are described in Configuring Endpoint Management Discovery Methods.

The general implications of each security mode are summarized in the following table and described in detail next.

Discovery Mode definition

The Discovery Mode setting on the Management page, described here, configures how endpoint managers are discovered by the PCoIP Remote Workstation Card.

Discovery in this context does not refer to discovery of the PCoIP Remote Workstation Card by endpoint managers. For instructions on having an endpoint manager discover your PCoIP Remote Workstation Card, see Configuring Endpoint Management Discovery Methods.

The following table shows the Remote Workstation Card behavior in the three management security modes.

No High Security Automatic Discovery

In high security mode, there is no automatic discovery of the management tool by the Remote Workstation Card.

Behaviour                           Low
Automatic
Low
Manual
Medium
Automatic
Medium
Manual
High
Manual
Can be discovered by endpoint managers x x x
Can automatically discover endpoint managers using DNS x x x
Can trust endpoint managers using DNS or DHCP x x x x
Can manually connect to endpoint managers x x
Can trust endpoint managers using an installed certificate

Low Security Mode

In low security mode, both automatic and manual discovery methods are available. Certificates are not required in automatic manager discovery mode if the DNS server is configured to provision the PCoIP Remote Workstation Card with the URI of the endpoint manager's bootstrap server and its certificate fingerprint.

In automatic discovery mode the PCoIP Remote Workstation Card:

  • can use DNS or DHCP to automatically discover endpoint managers.

  • is discoverable by endpoint managers.

  • can use DNS to trust the endpoint manager. DNS must be configured to provision your endpoint with the URI and certificate fingerprint of the endpoint manager’s bootstrap server.

    DNS server configuration information

    For details about how to configure your DNS server for automatic discovery, see the PCoIP® Management Console Administrators’ Guide.

In manual discovery mode:

  • the endpoint must be manually configured with the endpoint manager’s bootstrap server URI.

  • the endpoint is discoverable by endpoint managers.

  • the endpoint does NOT require an installed certificate to trust the endpoint manager.

    Certificates installed on the endpoint

    If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the endpoints certificate store, one must be installed by the endpoint manager or AWI. See Using an Endpoint Manager.

Medium Security Mode

In medium security mode, the PCoIP Remote Workstation Card cannot be discovered by endpoint managers. The PCoIP Remote Workstation Card can discover endpoint managers automatically or manually. Certificates are required in medium security mode.

Certificates installed on the endpoint

If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the endpoints certificate store, one must be installed by the endpoint manager or AWI. See Using an Endpoint Manager.

In automatic discovery mode the PCoIP Remote Workstation Card:

  • can use DNS or DHCP to automatically discover endpoint managers.

  • is not discoverable by endpoint managers.

  • must have an installed certificate to trust the endpoint manager.

In manual discovery mode the PCoIP Remote Workstation Card:

  • is not discoverable by endpoint managers.

  • must be manually configured with the endpoint manager’s bootstrap server URI.

  • must have an installed certificate to trust the endpoint manager.

High Security Mode

In high security mode, the discovery bootstrap phase is disabled.

All settings must be manually configured, and certificates are required.

  • cannot use DNS or DHCP automatic discovery.

Certificates installed on the endpoint

If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the endpoints certificate store, one must be installed by the endpoint manager or AWI. See Using an Endpoint Manager.

In manual discovery mode the PCoIP Remote Workstation Card.

  • is not discoverable by endpoint managers.

  • must be manually configured with the endpoint managers’ internal (and, optionally, external) URI.

  • must have an installed certificate to trust the endpoint manager.