Security Cipher Suites

Security cipher suites are sets of security algorithms or methods that help secure a network connection. The PCoIP Remote Workstation Card exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP hosts. The various communication phases are described here together with the set of cipher suites available to each phase.

Encrypting Browser Connections

You can manage PCoIP Remote Workstation Cards using a browser connection to the AWI. These secure connections require browsers that are compliant with Transport Layer Security (TLS) 1.2.

The following cipher suites (listed in order of preference) are used to secure a browser connection to the AWI:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

Recommended web browsers

Recommended web browsers are Firefox, Chrome, and Edge.

Encrypting Endpoint Discovery

PCoIP Remote Workstation Cards that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests.

When the PCoIP Remote Workstation Card receives an endpoint discovery request from an endpoint manager, communications between the endpoint manager and the PCoIP Remote Workstation Card are established securely using one of the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Minimum SSL version

The minimum required protocol version is TLS 1.1.

Encrypting Endpoint Manager Administration

Once an endpoint manager discovers a PCoIP Remote Workstation Card, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and PCoIP Remote Workstation Cards use one of the following cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Minimum SSL version

The minimum required protocol version is TLS 1.2.

Encrypting PCoIP Session Negotiation with PCoIP Clients

After user authentication and resource selection, PCoIP sessions are negotiated between the PCoIP client and the PCoIP Remote Workstation Card. These negotiations take place before the PCoIP session is established, and are secured using either Maximum Compatibility or Suite B cipher suites.

Maximum Compatibility cipher suites allow secure negotiation under a variety of cipher suites, offering flexibility for your network security requirements. The available negotiation cipher suites are:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

Minimum SSL version

The Maximum Compatibility security level cipher suites have a minimum required protocol version of TLS 1.1.

The Suite B security level cipher suite has a minimum required protocol version of TLS 1.2, and applies only to Remote Workstation Card connections. It offers the greatest security for negotiating session connections with a PCoIP client. The available Suite B cipher suite is:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
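
Each suite name in the lists above encodes its key exchange, cipher mode and hash, so the phases can be compared mechanically. The following Python is an added example, not part of the original documentation; the phase labels and function names are this example's own, and the forward-secrecy and TLS 1.2-only classifications follow the standard TLS suite definitions rather than anything stated on this page.

```python
import re

# Suite lists copied from this page; the phase labels are this example's own names.
RSA_ONLY = """TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA""".split()
PHASES = {
    "awi_browser": RSA_ONLY,
    "endpoint_discovery": """TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256""".split(),
    "endpoint_manager_admin": """TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384""".split(),
    "session_negotiation_max_compat": RSA_ONLY,
    "session_negotiation_suite_b": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
}

SUITE_RE = re.compile(r"^TLS_(?P<kx>(?:EC)?DHE_(?:RSA|ECDSA)|RSA)_WITH_AES_(?:128|256)"
                      r"_(?P<mode>CBC|GCM)_(?P<hash>SHA(?:256|384)?)$")

def parse_suite(name):
    """Split an IANA suite name into the properties a reviewer cares about."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    return {
        "name": name,
        "forward_secrecy": m["kx"] != "RSA",   # DHE/ECDHE use ephemeral keys
        "aead": m["mode"] == "GCM",            # GCM is authenticated encryption
        # GCM and SHA-256/384 suites exist only in TLS 1.2; *_CBC_SHA predates it.
        "tls12_only": m["mode"] == "GCM" or m["hash"] != "SHA",
    }

def audit(phases=PHASES):
    """Per phase: forward-secret count, AEAD count, suites usable below TLS 1.2."""
    report = {}
    for phase, suites in phases.items():
        parsed = [parse_suite(s) for s in suites]
        report[phase] = {
            "total": len(parsed),
            "forward_secret": sum(p["forward_secrecy"] for p in parsed),
            "aead": sum(p["aead"] for p in parsed),
            "pre_tls12": [p["name"] for p in parsed if not p["tls12_only"]],
        }
    return report

if __name__ == "__main__":
    print(audit())
```

Run against the lists above, the report shows that only the endpoint manager administration and Suite B lists consist entirely of forward-secret suites. In the phases whose minimum is TLS 1.1, a TLS 1.1 handshake can select only the two `_CBC_SHA` suites.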

In-Session Encryption

Once a PCoIP session has been negotiated and the connection established, the AES-256-GCM session encryption algorithm is used. This algorithm will secure all PCoIP communications during an active PCoIP session.