About Tera2 PCoIP Zero Client Security Level Settings

The Discovery Mode setting described in this article is found on the Management page and configures how endpoint managers are discovered by the Tera2 PCoIP Zero Client.

Discovery in this context does not refer to discovery of the Tera2 PCoIP Zero Client by endpoint managers. For instructions on having an endpoint manager discover your Tera2 PCoIP Zero Client, see Endpoint Manager Discovery Methods.

There are three available security level settings in the Tera2 PCoIP Zero Client: low, medium, and high. These settings determine whether theTera2 PCoIP Zero Client can be discovered by an endpoint manager, how an endpoint manager can be discovered by the Tera2 PCoIP Zero Client, and also dictate whether a certificate must be installed in the Tera2 PCoIP Zero Client for discovery to succeed.

The security level is configured on the Management page of the OSD or AWI (see Configuring Security Level). Detailed instructions for allowing discovery under most scenarios, including security level settings, are described in Endpoint Manager Discovery Methods.

The general implications of each security mode are summarized in the following table and described in detail next.

Tera2 PCoIP Zero Client behavior in low, medium, or high security modes and using automatic or manual discovery modes

Low
Security
Low
Security
Medium
Security
Medium
Security
High
Security
Automatic Manual Automatic Manual Manual
Can be discovered by endpoint managers x x x x
Can automatically discover endpoint managers using DNS x x x
Can trust endpoint managers using DNS x x x x
Can manually connect to endpoint managers x x
Can trust endpoint managers using an installed certificate

Low Security Mode

In low security mode, both automatic and manual discovery methods are available. Certificates are not required in automatic manager discovery mode if the DNS server is configured to provision the Tera2 PCoIP Zero Client with the URI of the endpoint manager's bootstrap server and its certificate fingerprint.

In automatic discovery mode:

  • The client can use DNS to automatically discover endpoint managers.
  • The client is discoverable by endpoint managers.
  • The client can use DNS to trust the endpoint manager. DNS must be configured to provision your client with the URI and certificate fingerprint of the endpoint manager’s bootstrap server.

    DNS server configuration information

    For details about how to configure your DNS server for automatic discovery, see the PCoIP® Management Console 3.1 Administrators’ Guide.

In manual discovery mode:

  • The client must be manually configured with the endpoint manager’s bootstrap server URI.
  • The client is not discoverable by endpoint managers.
  • The client must have an installed certificate to trust the endpoint manager.

    Certificates are installed by an endpoint manager

    If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed by the endpoint manager. See Staging Clients Using an Endpoint Manager.

Medium Security Mode

In medium security mode, the Tera2 PCoIP Zero Client cannot be discovered by endpoint managers. The Tera2 PCoIP Zero Client can discover endpoint managers automatically or manually. Certificates are required in medium security mode.

In automatic discovery mode:

  • The client can use DNS to automatically discover endpoint managers.
  • The client is not discoverable by endpoint managers.
  • The client must have an installed certificate to trust the endpoint manager.

    Certificates are installed by an endpoint manager

    If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See Staging Clients Using an Endpoint Manager.

In manual discovery mode:

  • The client is not discoverable by endpoint managers.
  • The client must be manually configured with the endpoint manager’s bootstrap server URI.
  • The client must have an installed certificate to trust the endpoint manager.

    Certificates are installed by an endpoint manager

    If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See Staging Clients Using an Endpoint Manager.

High Security Mode

In high security mode, the discovery bootstrap phase is disabled. All settings must be manually configured, and certificates are required:

  • The client is not discoverable by endpoint managers.
  • The client must be manually configured with the endpoint managers’ internal (and, optionally, external) URI.
  • The client must have an installed certificate to trust the endpoint manager.

    Certificates are installed by an endpoint manager

    If a certificate for the endpoint manager has not previously been installed by an endpoint manager in the client’s certificate store, one must be installed. See See Staging Clients Using an Endpoint Manager.

Additional Security Tip

Teradici recommends disabling the AWI interface to reduce the attack surface on the Zero Client. Teradici recommends exclusively using the PCoIP Management Console to configure the Zero Client.