Security Cipher Suites

The Tera2 PCoIP Zero Client exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP hosts. Each communication phase is described below, together with the set of cipher suites available to that phase and the minimum protocol version it requires.

Encrypting Browser Connections

You can manage Tera2 PCoIP Zero Clients using a browser connection to the AWI. These secure connections require a Transport Layer Security (TLS) 1.1 or TLS 1.2 compliant browser. Browsers configured to use only SSLv3 or TLS 1.0 are not supported.

The following cipher suites are used to secure a browser connection to the AWI:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Recommended Web Browsers

Recommended web browsers are Firefox, Chrome, Internet Explorer 11, and Edge.

Encrypting Endpoint Discovery

Tera2 PCoIP Zero Clients that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests.

When an endpoint discovery request from an endpoint manager is received by the Tera2 PCoIP Zero Client, communications between the endpoint manager and the Tera2 PCoIP Zero Client are established securely using one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Minimum SSL Version

There is a minimum requirement of TLS 1.1.

Encrypting Endpoint Manager Administration

Once an endpoint manager discovers a Tera2 PCoIP Zero Client, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and Tera2 PCoIP Zero Clients are secured using one of the following cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Minimum SSL Version

There is a minimum requirement of TLS 1.1.

Encrypting Pre-Session Communications with VMware Horizon Environments

Before a PCoIP session is negotiated with a PCoIP host in a VMware Horizon environment, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the Tera2 PCoIP Zero Client communicates with a Horizon Connection Server over port 443 using one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

System Configuration Requirements

These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.

Encrypting Pre-Session Communications with PCoIP Connection Managers

Before a PCoIP session is negotiated with a PCoIP host using a PCoIP Connection Manager, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the Tera2 PCoIP Zero Client communicates with a PCoIP Connection Manager over port 443 using one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

System Configuration Requirements

These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.

Encrypting PCoIP Session Negotiation with PCoIP Hosts

After user authentication and resource selection, PCoIP sessions are negotiated between the Tera2 PCoIP Zero Client and the PCoIP host. These negotiations take place before the PCoIP session is established, and are secured using one of the following Max Compatibility cipher suites, or the Suite B cipher suite listed further below:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Minimum SSL Version

These Max Compatibility security level cipher suites have a minimum requirement of TLS 1.1.

The following Suite B security level cipher suite has a minimum requirement of TLS 1.2, and applies only to Remote Workstation Card connections:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
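The lists above are easier to act on when each name is broken into its key exchange, authentication, cipher and MAC, because that is what tells an operator which entries give forward secrecy, which are AEAD, and which are legacy (3DES, CBC). The script below is an added example written for this page; it is not part of the Tera2 firmware, the AWI, or any Teradici tool. It parses IANA suite names, converts them to the OpenSSL spelling that `openssl s_client -cipher` and Python's `ssl` module expect, ranks a list strongest first, and can probe a live endpoint to see which protocol version and suite the peer actually negotiates. The `HORIZON_PRESESSION` constant is copied from the Horizon Connection Server list on this page; the `host`, `port` and `cafile` arguments to `negotiated()` are placeholders the operator supplies.

```python
"""Audit the IANA cipher-suite names listed on this page (added example)."""
import socket
import ssl
from dataclasses import dataclass, field


@dataclass
class Suite:
    name: str
    kx: str       # key exchange: RSA, DHE, ECDHE
    auth: str     # peer authentication: RSA, ECDSA
    cipher: str   # AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC, ...
    mac: str      # SHA, SHA256, SHA384 (the PRF hash for GCM suites)
    flags: list[str] = field(default_factory=list)

    @property
    def forward_secrecy(self) -> bool:
        return self.kx in ("DHE", "ECDHE")

    @property
    def aead(self) -> bool:
        return self.cipher.endswith("_GCM")

    @property
    def suite_b(self) -> bool:  # RFC 6460 TLS profile: ECDHE + ECDSA + AES-GCM
        return self.kx == "ECDHE" and self.auth == "ECDSA" and self.aead


def parse_suite(name: str) -> Suite:
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into its components."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.x IANA suite name: {name}")
    kx_part, cipher_part = name[4:].split("_WITH_", 1)
    kx, *rest = kx_part.split("_")
    auth = rest[0] if rest else kx   # TLS_RSA_WITH_*: RSA key transport also authenticates
    *cipher_tokens, mac = cipher_part.split("_")
    s = Suite(name, kx, auth, "_".join(cipher_tokens), mac)
    if not s.forward_secrecy:
        s.flags.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if "3DES" in s.cipher:
        s.flags.append("3DES: 64-bit block cipher (Sweet32), retire")
    elif not s.aead:
        s.flags.append("CBC: MAC-then-encrypt, padding-oracle class risk (Lucky 13)")
    return s


def openssl_name(name: str) -> str:
    """IANA -> OpenSSL spelling, e.g. TLS_RSA_WITH_AES_128_CBC_SHA -> AES128-SHA."""
    s = parse_suite(name)
    parts = [] if s.kx == "RSA" else [s.kx, s.auth]   # OpenSSL omits the RSA/RSA prefix
    if s.cipher.startswith("AES_"):
        _, bits, mode = s.cipher.split("_")
        parts.append(f"AES{bits}")
        if mode == "GCM":
            parts.append("GCM")                        # CBC is implicit in OpenSSL names
    elif s.cipher == "3DES_EDE_CBC":
        parts.append("DES-CBC3")
    else:
        raise ValueError(f"no OpenSSL mapping for {s.cipher}")
    return "-".join(parts + [s.mac])


def audit(suites: list[str]) -> list[Suite]:
    """Parsed suites strongest first: forward secrecy, then AEAD, then key size."""
    def key(s: Suite) -> tuple[int, int, int]:
        bits = 256 if "256" in s.cipher else 128 if "128" in s.cipher else 112
        return (int(s.forward_secrecy), int(s.aead), bits)
    return sorted((parse_suite(n) for n in suites), key=key, reverse=True)


def negotiated(host: str, port: int, suites: list[str], cafile: str = "",
               min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> tuple[str, str]:
    """Offer only `suites` to host:port; return the (protocol, OpenSSL cipher) chosen.
    cafile is the endpoint's exported certificate (zero-client AWIs are commonly
    self-signed); an empty cafile disables verification, acceptable for a cipher
    probe but never for an administrative session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(":".join(openssl_name(s) for s in suites))
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.version(), tls.cipher()[0]


# Horizon Connection Server pre-session list copied from this page (the one with 3DES).
HORIZON_PRESESSION = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for s in audit(HORIZON_PRESESSION):
        print(f"{openssl_name(s.name):32} {'; '.join(s.flags) or 'ok'}")
```

Run as a script, the block prints the Horizon list strongest first with the review flags; `negotiated("cs.example.test", 443, HORIZON_PRESESSION[-1:])` would reveal whether a Connection Server still accepts the 3DES entry when that is all the client offers. Two caveats: TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so while the zero client accepts TLS 1.1 the peers it talks to should be configured to negotiate TLS 1.2 and prefer the ECDHE GCM suites, which are the only entries on these lists that combine forward secrecy with authenticated encryption; and OpenSSL 3 at its default security level typically refuses to negotiate TLS 1.0/1.1 at all, so probing those versions needs `@SECLEVEL=0` appended to the cipher string in addition to lowering `min_version`.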

In-Session Encryption

Once a PCoIP session has been negotiated and the connection established, Tera2 PCoIP Zero Clients encrypt the session data with the AES-256-GCM algorithm, an authenticated-encryption mode that provides both confidentiality and integrity for all PCoIP communications during an active PCoIP session.