PCoIP Remote Workstation Card Security Overview

PCoIP Remote Workstation Cards are easy to manage devices that offer a rich user experience and allow for ultra-secure data transfer. They are available in a variety of form factors from a number of trusted OEMs. With embedded hardware support for PCoIP from the TERA chipset by Teradici, PCoIP Remote Workstation Cards are a natural choice wherever security and performance are critical. The security section of this manual contains configuration options that affect the security of the PCoIP Remote Workstation Card.

Data Control

When control and lockdown of sensitive data are a primary objective, PCoIP Remote Workstation Cards enable an environment where no application data ever leaves the host PC. The host PC sends only encrypted PCoIP data to the PCoIP client where no sensitive application data is ever processed or stored. In a PCoIP session the data is separated into management channel and media (display data, USB data, and audio network traffic) stream, both encrypted.

Encryption

PCoIP Remote Workstation Cards support the following encryption types.

TLS Security Mode for session negotiation security.

  • Maximum Compatibility: TLS 1.1 or higher with RSA keys

  • Suite B: TLS 1.2 with Suite B-compliant 192-bit elliptic curve encryption

PCoIP Data Encryption Ciphers for session security:

  • AES-256-GCM

To establish a PCoIP session the PCoIP Remote Workstation Card exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP clients. These encryption methods are discussed in Security Cipher Suites.

802.1x Network Authentication

PCoIP Remote Workstation Cards support 802.1x network device authentication using EAP-TLS certificates. With 802.1x network authentication, all network end devices must be authenticated before they are granted access to the network. This is a typical method of device authentication for high security environments, providing an additional layer of security beyond username and password credentials.

See Configuring 802.1x Network Device Authentication in the "How To" section for instructions on how to configure PCoIP Remote Workstation Cards for this type of authentication.

Management Security Level

The PCoIP Remote Workstation Card is set to the most flexible management state by default settings. The lowest security setting enables the host be manually discovered by an endpoint management tool and verified by its certificate fingerprint. To further secure PCoIP Remote Workstation Card management, two additional security level options are available—Medium Security Environment and High Security Environment. See About PCoIP Remote Workstation Card Management Security Levels for further information.