PCoIP Connection Manager for Amazon WorkSpaces

PCoIP Connection Manager for Amazon WorkSpaces Version 1.0 Administrators' TER1408002-1.0

Contents

- Who Should Read This
- What's New
- Introduction
- Before You Begin
- Additional Documentation
- Network Considerations
- Deploying the PCoIP Connection Manager for Amazon WorkSpaces
- Deploying the Appliance
- Configuring the Appliance
- Verifying Connectivity
- Installing Your Own Certificates
- Installing a Load Balancer for High Availability
- Connecting to Amazon WorkSpaces Desktops
- Setting a Security Mode
- Configuring the Session Connection Type
- Connecting to Your Amazon WorkSpaces Desktop
- Disconnecting the PCoIP Session
- Troubleshooting
- Troubleshooting PCoIP Connection Manager Diagnostic Results
- PCoIP Connection Manager Log Files
- Troubleshooting Zero Client Connection Errors
- PCoIP Zero Client Log Files
- Amazon WorkSpaces Components
- Virtual Private Cloud (VPC)
- Security Groups
- Directories
- Cloud Directory
- WorkSpaces Connect (Active Directory)
- Troubleshooting
- Elastic Load Balancer
- Intellectual Property Rights

Who Should Read This

This document is intended for IT administrators who are responsible for deploying the PCoIP Connection Manager for Amazon WorkSpaces and setting up zero clients to connect to Amazon WorkSpaces desktops.

Note: Understanding terms and conventions in Teradici guides
For information on the industry-specific terms, abbreviations, text conventions, and graphic symbols used in this guide, see Using Teradici Product and Component s and the Teradici Glossary.

What's New

This release is a maintenance update that includes package updates, security improvements, and bug fixes. Teradici recommends using this release over previous versions. Zero clients on firmware higher than 5.5.1 will require the PCoIP Connection Manager for Amazon WorkSpaces 1.0 or higher to connect to Amazon WorkSpaces.

Caution: Using Zero Clients with PCoIP Connection Manager for Amazon WorkSpaces
Zero clients on firmware 5.0.0 or higher will not be able to connect to Amazon WorkSpaces on version 1.0.1 or earlier of the PCoIP Connection Manager for Amazon WorkSpaces. Zero clients on firmware higher than 5.5.1 may experience issues trying to connect to Amazon WorkSpaces on version 1.0.6 or earlier of the PCoIP Connection Manager for Amazon WorkSpaces.

Introduction

Amazon WorkSpaces is a fully managed cloud-based desktop service that enables end users to access their documents, applications, and resources. PCoIP Zero Clients together with Amazon WorkSpaces provide a secure, easy to manage solution for delivering users a rich desktop experience.

The PCoIP Connection Manager for Amazon WorkSpaces is a software appliance delivered as an Amazon Machine Instance (AMI). It authenticates PCoIP Zero Clients with Amazon WorkSpaces and initiates the connection to Amazon WorkSpaces desktops.

This guide explains how to launch, configure, and troubleshoot the PCoIP Connection Manager to enable zero client connectivity to Amazon WorkSpaces.

Before You Begin

Important: Before proceeding with the instructions in this guide, ensure that your system is already set up as follows:

- Amazon WorkSpaces is running and configured with full connectivity to your corporate network. See Network Considerations for more information.
- End users have Tera2 PCoIP Zero Clients (TERA2321 or TERA2140) with firmware 4.8.0 or later installed (5+ recommended).

Additional Documentation

For more information, refer to the following documentation:

- The latest release details, available through the PCoIP Connection Manager for Amazon WorkSpaces option on the Product menu drop-down list.
- Search the support site for a summary of known issues by logging in to the Teradici Support Center.
- For instructions on how to install firmware in zero clients, see the PCoIP Zero Client Administrators
- For information about how to set up Amazon WorkSpaces, contact AWS support or consult AWS's extensive online documentation.

Network Considerations

This section outlines some basic requirements for enabling zero client connectivity to Amazon WorkSpaces.

The following illustration shows the components that comprise a typical PCoIP Connection Manager for Amazon WorkSpaces deployment along with the ports that must be open in order for the devices to communicate with each other. These port rules apply whether the devices are located within your Virtual Private Cloud (VPC) or outside it. For connectivity to succeed, traffic using these ports must be able to traverse the network.

[Figure: Security group ports used in PCoIP Connection Manager for Amazon WorkSpaces]

Note: Understanding request and response messages
The arrows in the preceding figure show the direction in which request messages are sent. Response messages, sent in the opposite direction, are not shown. You do not need to explicitly open ports for the response messages because they are automatically opened by the outgoing request messages.

The following table shows the PCoIP Connection Manager's security group port rules for a quick and secure deployment. In this example, all outbound traffic is permitted.

PCoIP Connection Manager Security Group Settings: No Outbound Rules

| Allow | Protocol | Port # | TCP/UDP | Source Address |
| Inbound | SSH | 22 | TCP | From the IT admin subnets |
| Inbound | HTTPS | 443 | TCP | From the zero client subnets |

Note (SSH row): Port needs to be open
This port needs to be open for deployment and administration only. It is not required to be open for normal operation.

If you wish to restrict outbound traffic as well as the inbound traffic, configure your security group or firewall port rules as shown in the example below.

Note: Amazon WorkSpaces security group rules
For more information about Amazon WorkSpaces security group rules, refer to the online topic Security Groups for Your VPC.

The following table shows the PCoIP Connection Manager's security group port rules with inbound and outbound traffic rules.

PCoIP Connection Manager Security Group Settings: Inbound and Outbound Rules

| Allow | Protocol | Port # | TCP/UDP | Source/Destination Address |
| Inbound | SSH | 22 | TCP | From the IT admin subnets |
| Inbound | HTTPS | 443 | TCP | From the zero client subnets |
| Outbound | Kerberos | 88 | TCP | To your Active Directory address |
| Outbound | HTTPS | 443 | TCP | To all destinations (Allows traffic from the PCoIP Connection Manager for Amazon WorkSpaces appliance to set up the Amazon WorkSpaces session and perform registration.) |
| Outbound | PCoIP | 4172 | TCP/UDP | To all destinations (Allows traffic for setting up the Amazon WorkSpaces session.) |
| Outbound | DNS | 53 | UDP | To the DNS IP addresses |
| Outbound | NTP | 123 | UDP | To all destinations (The PCoIP Connection Manager is configured to use Ubuntu's NTP server at ntp.ubuntu.com.) |
| Outbound | HTTP | 80 | TCP | To all destinations |
| Outbound & Inbound | DHCP | 67/68 | UDP | Between the DHCP server and the Connection Manager |
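The two tables above, expressed as an audit over the `IpPermissions` and `IpPermissionsEgress` lists that `aws ec2 describe-security-groups` returns. This is an added example, not part of the Teradici guide. The sample rules and the admin and zero client CIDR ranges are constructed; the DHCP row is left out, outbound destinations are not checked, and rules that reference other security groups are not evaluated.

```python
import ipaddress

# Inbound rules from the guide's tables: (protocol, port) -> who may connect.
ALLOWED_INBOUND = {("tcp", 22): "admin", ("tcp", 443): "client"}
# Outbound ports from the "Inbound and Outbound Rules" table (DHCP omitted).
REQUIRED_OUTBOUND = [("tcp", 88), ("tcp", 443), ("tcp", 4172), ("udp", 4172),
                     ("udp", 53), ("udp", 123), ("tcp", 80)]


def _within(cidr, allowed):
    """True if cidr lies entirely inside one of the allowed IPv4 networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def audit_inbound(perms, admin_cidrs, client_cidrs):
    """Return (rule, source, reason) for each inbound rule the tables do not allow."""
    scopes = {"admin": admin_cidrs, "client": client_cidrs}
    findings = []
    for perm in perms:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        rule = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        # Only single-port rules can match a table row; ranges are too broad.
        role = ALLOWED_INBOUND.get((proto, lo)) if lo == hi else None
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if role is None:
                findings.append((rule, cidr, "port not in the guide's inbound table"))
            elif not _within(cidr, scopes[role]):
                findings.append((rule, cidr, f"source is outside the {role} subnets"))
        for rng in perm.get("Ipv6Ranges", []):
            findings.append((rule, rng["CidrIpv6"], "IPv6 source, not covered by the tables"))
    return findings


def _covers(perm, proto, port):
    """True if one egress entry permits proto/port ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == proto
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", -1))


def missing_outbound(egress_perms):
    """Return the table's outbound (protocol, port) pairs that no egress rule permits."""
    return [(proto, port) for proto, port in REQUIRED_OUTBOUND
            if not any(_covers(p, proto, port) for p in egress_perms)]


# Constructed sample data in the describe-security-groups shape.
ADMIN_CIDRS = ["10.10.0.0/16"]      # assumed IT admin subnets
CLIENT_CIDRS = ["10.20.0.0/16"]     # assumed zero client subnets
SAMPLE_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # SSH reachable from anywhere
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},     # matches the table
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.10.5.0/24"}]},     # port the table does not list
]
SAMPLE_OUTBOUND = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 88, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 4172, "ToPort": 4172, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.10.0.2/32"}]},
]

if __name__ == "__main__":
    for rule, source, reason in audit_inbound(SAMPLE_INBOUND, ADMIN_CIDRS, CLIENT_CIDRS):
        print(f"INBOUND  {rule} from {source}: {reason}")
    for proto, port in missing_outbound(SAMPLE_OUTBOUND):
        print(f"OUTBOUND {proto}/{port} is not permitted; the matching diagnostic will fail")
```

A missing outbound entry lines up with the diagnostics later in the guide: blocked UDP 123 shows up as NTP FAILED, and blocked port 4172 as Connection FAILED.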

Deploying the PCoIP Connection Manager for Amazon WorkSpaces

This section provides instructions for creating and configuring the PCoIP Connection Manager for Amazon WorkSpaces appliance. Deploying the PCoIP Connection Manager involves the following steps:

1. Deploying the Appliance
2. Configuring the Appliance
3. Installing Your Own Certificates

Deploying the Appliance

To get the PCoIP Connection Manager for Amazon WorkSpaces:

1. Sign into your AWS account, and from the AWS Marketplace website, enter Teradici PCoIP Connection Manager for Amazon WorkSpaces into the search box and then click.

2. Click on the PCoIP Connection Manager appliance name to display its page. When you finish reading the details, click Continue to proceed.

3. In the Region section, select the region where you will deploy the PCoIP Connection Manager. In this example, the selected region is the same region where the Amazon WorkSpaces are deployed.

4. In the EC2 Instance Type section, select the desired instance type. Teradici will support this appliance on m3.medium and larger instance types. However, it can be configured for t2.micro, t2.small, and t2.medium. If you run into performance issues, try upgrading your instance type to at least m3.medium. Larger instance types can process the connection attempts more quickly. For example, a c3.large will process the connections approximately 2.5 times faster than an m3.medium, and a c3.xlarge is approximately twice as fast as a c3.large. Deciding on the appropriate instance type will therefore depend on your tolerance for waiting, connection rejection, and acceptable instance costs. (For instance pricing, see the AWS website.)

   Info: Connection manager for Amazon WorkSpaces can handle up to 100 simultaneous login attempts
   The PCoIP Connection Manager for Amazon WorkSpaces is capable of processing up to 100 simultaneous end user login attempts to Amazon WorkSpaces. If you expect more than 100 login attempts at the same time or within a short period of time, consider using multiple PCoIP Connection Managers and/or a larger EC2 instance type for your appliance(s) to decrease login processing time. Note that once the connection is established, the PCoIP traffic is between the zero client and the WorkSpace desktop, not the PCoIP Connection Manager. This means that a single PCoIP Connection Manager can be used for thousands of users.

5. In the VPC Settings section, select the Virtual Private Cloud (VPC) and subnet that you wish to deploy the appliance into. In this example, the appliance is deployed into the same VPC and subnet as the Amazon WorkSpaces.

   Note: Using VPC simplifies setup procedure
   Using this VPC will simplify your setup procedure; otherwise, you may need to open connectivity to your appliance. Wherever you decide to deploy your appliance, ensure that traffic can be routed to this location and that your directory can be resolved. For details, see Network Considerations.

6. In the Security Group section, create a security group with the appropriate ports opened to enable the right type of connections into the PCoIP Connection Manager appliance (as a general rule, the appliance should not be accessible from the public Internet). For more information about ports, see the table PCoIP Connection Manager Security Group Settings: No Outbound Rules. The security group must enable SSH (TCP port 22) connections into the appliance from wherever the IT department manages it. It must also enable HTTPS (TCP port 443) connections from the network ranges where the zero clients are deployed.

   Related Information: Security group ports
   For more information on security group ports, see Network Considerations.

7. A key pair is required before you can make SSH connections into the appliance. Amazon stores the public key, but you are responsible for storing the private key in a secure place. If needed, you can obtain a key pair using these steps:
   a. Click the Visit the Amazon EC2 Console link in the Key Pair section.
   b. Create the key pair and save the file.
   c. Return to the PCoIP Connection Manager's Marketplace page and refresh the browser.
   If you already have a key pair, select it from the drop-down list.

8. When you are finished, click Launch with 1-click.

9. After your subscription completes, select the appliance from the Instances page on your EC2 console. View the appliance's details.

   Tip: Note the PCoIP Connection Manager's IP address
   Make a note of the PCoIP Connection Manager's IP address. You may need to connect to this address or configure a DNS name to connect to it.

Note: Status Checks column indicates your instance is running
The Status Checks column states 2/2 checks passed, indicating that your instance is up, running, and has passed all internal checks to ensure it is operating correctly. However, your PCoIP Connection Manager will not be operational until you have completed the configuration.

Configuring the Appliance

To complete the PCoIP Connection Manager for Amazon WorkSpaces configuration, you need to connect to the appliance with SSH. You can use your preferred SSH client to do this (for example, SSH from a Linux terminal or PuTTY from Windows). In order to connect, you need to provide the client with the appliance's assigned IP address, the 'administrator' user name, and the key pair file.

Note: Convert the downloaded .pem key pair file to .ppk format
If you use PuTTY, you will need to convert the downloaded .pem key pair file to .ppk format. You can use PuTTYgen to do this.

Before you connect to the appliance, note the following keyboard shortcuts to use for navigation:

- Press the arrow keys to change the selection or to move the cursor within a field
- Select Tab to move the cursor to the next field
- Press the space bar to select or unselect a radio button or check box, or to press a button
- Press Page Up and Page Down to scroll up/down a long page
- Press Ctrl+N to move to the next screen
- Press Ctrl+B to move back to the previous screen

Note: Gather your information during the configuration process
During the configuration process, you will need to provide the addresses of the DNS servers for your directory, the registration code that was emailed to you when you created your Amazon WorkSpaces, and one or more authentication domains for your Cloud Directory or on-premises Active Directory.

To configure the PCoIP Connection Manager for Amazon WorkSpaces:

Press Ctrl+N to proceed to the next screen after each step.

1. Initial Configuration Wizard: Using your SSH client, log in to the appliance as administrator.

2. Configure network settings: Enter a host name for the PCoIP Connection Manager appliance, then tab to the Extra DNS servers field and enter the addresses of the DNS servers for your directory.

3. Configure connection broker: Enter the registration code that was emailed to you when you created your Amazon WorkSpaces. In the Directory domains field, enter the domain name(s) for your directory. This step configures connectivity to the Amazon WorkSpaces and user accounts.

4. Initial configuration complete: By default, the Run diagnostics after applying changes check box is selected to perform diagnostic tests to verify connectivity after you finish configuring the appliance. If you do not wish to run the tests now, press the space bar to deselect this option before selecting Finish.

   Note: Run diagnostics later
   You can run diagnostics later from the PCoIP Connection Manager's main console screen. For details, see Verifying Connectivity.

5. Once your configuration is applied, the initial configuration is complete.

Verifying Connectivity

The PCoIP Connection Manager can run a series of diagnostic tests to ensure the appliance has been configured correctly and to identify networking and connectivity issues. The following checks are performed during the test:

- Connectivity with the DNS server(s)
- Connectivity with the NTP server(s)
- Connectivity to the Internet
- Validation that the DNS server(s) can resolve the Amazon WorkSpaces domain name(s)
- Connectivity with the Amazon WorkSpaces directories (Cloud Directory or on-premises Active Directories)
- Connectivity with the Amazon WorkSpaces servers
- Optionally, validation that Amazon WorkSpaces credentials are valid for the specified directory
- Optionally, validation that Amazon WorkSpaces can be provisioned using the provided credentials

You can run the diagnostics when you finish the initial configuration or from the PCoIP > Diagnostics menu in the PCoIP Connection Manager's console, as shown next.

[Figure: PCoIP Diagnostics menu]

After starting the diagnostics, you can optionally enter your Amazon WorkSpaces user name and password. If you provide your Amazon WorkSpaces credentials, a full set of diagnostic tests will be performed. If you do not provide credentials, the Amazon WorkSpaces connectivity tests will be excluded. To begin the tests, select Start.

[Figure: Entering your Amazon WorkSpaces user name and password]

The diagnostic test results are updated on the screen in real time.

[Figure: Diagnostic test results]

When completed, each test will display one of the following results:

- PASSED: Test passed.
- FAILED: Test failed.
- WARNING: One or more subtests failed. See the results under Details.
- SKIPPED: The test was skipped because a prerequisite test case failed or you did not provide WorkSpaces credentials.

Select Details (see bottom right of the above screen) for more information about the tests. Some sample diagnostic results are shown next.

[Figure: Sample diagnostic results]

If diagnostics indicates a problem with your connectivity, see Troubleshooting for some possible causes and solutions. Press Escape to return to the diagnostics screen. To exit diagnostics and return to the main PCoIP Connection Manager console screen, select Exit.

Installing Your Own Certificates

Upon completing configuration, an appliance will operate correctly and a PCoIP Zero Client will be able to start a session after acknowledging a security warning. However, Teradici strongly recommends installing your organization's own certificates that have been properly signed by a well-known certificate authority.

For proper operation with zero clients, installed server certificates must meet the following requirements:

- Expiry Time: The certificate must have a correct Validity Time. The Not Before and Not After requirements must be satisfied.
- Key Usage: If an Enhanced Key Usage (EKU) extension has been provided, it must include Server Authentication usage.
- RSA Key Length: The length of the RSA key must satisfy the minimum key length requirement. The minimum RSA public key length is a configurable parameter with a default value of 1024 bits.
- Host Name Matches the Certificate Subject: The PCoIP Connection Manager host name must match the Subject Name (SN) or one of the Subject Alternative Names (SAN) of the certificate.
- Certificate Issued by a Trusted Root: The certificate Issuer must be trusted by the client. Typically, the client trusts the issuer/root by finding its certificate in the client's certificate store. If the certificate presented by the PCoIP Connection Manager is self-signed, then the self-signed certificate itself must be trusted by the client, that is, it must exist in the client's certificate store.

The server certificates must be PEM-encoded and must not be protected by a passphrase. They must be named as follows:

- SSLCertificate.pem: The server certificate
- SSLCertificateKey.pem: The server private key
- SSLCACertificate.pem: Concatenation of all certificates comprising the Certificate Authority (CA) chain of trust. For example, this file could contain a certificate trust chain with your server certificate, intermediate CA certificate, and root CA certificate, as shown below:

    -----BEGIN CERTIFICATE-----
    (your server certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (your intermediate certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (your root certificate)
    -----END CERTIFICATE-----

The certificate that the zero client will trust depends on which certificate is installed in the device. For example, if the server certificate is installed, the zero client will trust only that server. If the intermediate or root certificate is installed, it will trust any certificate signed by that intermediate or root, respectively.

For instructions on how to install a certificate in a zero client, see PCoIP Zero Client Administrators

Note: CA chain of trust must consist of at least one certificate
If your certificate does not have a CA chain of trust (such as if you are using a self-signed certificate), make a copy of the server certificate (SSLCertificate.pem) and name it SSLCACertificate.pem.

Note: Use UNIX line endings for certificate files
The lines in the certificate files must be delimited by line-feed characters (UNIX line endings) and not by carriage-return/line-feed pairs (Windows line endings).

To install the certificates, use scp or WinSCP to copy them to the location on the PCoIP Connection Manager appliance as in the following example (where <ssh-private-key-file> is the file name of your SSH private key file and <ip-address> is the IP address of the appliance):

    scp -i <ssh-private-key-file> SSLCertificate.pem SSLCertificateKey.pem SSLCACertificate.pem administrator@<ip-address>:/home/administrator/.cert

Caution: Make sure certificates are in the correct PEM format
The PCoIP Connection Manager will automatically move the certificates to the proper location and restart the PCoIP Connection Manager service. Connections to PCoIP clients that are in the process of establishing sessions will be dropped. If the certificates are not in the correct PEM format (.pem), the PCoIP Connection Manager service will not restart properly, and PCoIP clients will not be able to establish sessions.
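Because a malformed file stops the service from restarting, the format rules above can be checked before running scp. The following pre-flight check is an added example, not part of the Teradici guide: it covers file names, PEM framing, line endings, passphrase protection and the non-empty CA chain. The sample PEM blocks are constructed placeholders, and validity dates, EKU, key length and host name matching are not checked because they need an X.509 parser.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
REQUIRED = ("SSLCertificate.pem", "SSLCertificateKey.pem", "SSLCACertificate.pem")


def check_file(name, data):
    """Return (file name, problem) tuples for one of the three PEM files."""
    problems = []
    if b"\r" in data:
        problems.append((name, "Windows (CRLF) line endings"))
    text = data.decode("ascii", errors="replace").replace("\r\n", "\n")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return problems + [(name, "no PEM block found")]
    for label, body in blocks:
        # PKCS#8 encrypted keys use their own label; legacy keys carry a header.
        if label == "ENCRYPTED PRIVATE KEY" or re.search(r"^Proc-Type:.*ENCRYPTED", body, re.M):
            problems.append((name, "private key is passphrase-protected"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append((name, f"{label}: body is not valid base64"))
            continue
        if not der.startswith(b"\x30"):      # certificates and keys are DER SEQUENCEs
            problems.append((name, f"{label}: decoded data is not a DER SEQUENCE"))
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    if name == "SSLCertificate.pem" and labels != ["CERTIFICATE"]:
        problems.append((name, "expected exactly one CERTIFICATE block"))
    if name == "SSLCertificateKey.pem" and not (len(labels) == 1 and labels[0].endswith("PRIVATE KEY")):
        problems.append((name, "expected exactly one private key block"))
    if name == "SSLCACertificate.pem" and (certs == 0 or certs != len(labels)):
        problems.append((name, "CA chain must contain only CERTIFICATE blocks, at least one"))
    return problems


def preflight(files):
    """files maps file name -> bytes; returns every problem found, in REQUIRED order."""
    problems = []
    for name in REQUIRED:
        if name not in files:
            problems.append((name, "file missing"))
        else:
            problems.extend(check_file(name, files[name]))
    return problems


def _pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed placeholder PEM block (not a real certificate or key)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()


# Constructed sample sets: one well-formed, one with three distinct defects.
GOOD = {"SSLCertificate.pem": _pem("CERTIFICATE"),
        "SSLCertificateKey.pem": _pem("PRIVATE KEY"),
        "SSLCACertificate.pem": _pem("CERTIFICATE") * 2}
BAD = {"SSLCertificate.pem": _pem("CERTIFICATE").replace(b"\n", b"\r\n"),
       "SSLCertificateKey.pem": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                 b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
                                 b"AAAA\n-----END RSA PRIVATE KEY-----\n")}

if __name__ == "__main__":
    import pathlib
    import sys
    folder = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    found = {n: (folder / n).read_bytes() for n in REQUIRED if (folder / n).is_file()}
    for name, problem in preflight(found):
        print(f"{name}: {problem}")
```

Run it with the directory holding the three files as its argument; no output means the format checks passed.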

Installing a Load Balancer for High Availability

For instructions on how to configure Amazon WorkSpaces's Elastic Load Balancer in front of the PCoIP Connection Manager for Amazon WorkSpaces, see How to configure an Elastic Load Balancer with the PCoIP Connection Manager for Amazon WorkSpaces (1322).

Connecting to Amazon WorkSpaces Desktops

To establish a PCoIP session between a zero client and an Amazon WorkSpaces desktop, you must use a Tera2 PCoIP Zero Client with firmware 4.8.0 (or later) installed. The following instructions assume you have some familiarity with the zero client's built-in On Screen Display (OSD). If you require more information, see PCoIP Zero Client Administrators.

If you have not installed your own certificates, ensure that your zero client's security mode is not set to Never connect to untrusted servers before you connect.

Setting a Security Mode

To set a security mode option using the Tera2 PCoIP Zero Client's OSD:

1. From the OSD, select Options > User Settings > Certificate.
2. Select the desired security option.
3. Click OK.

Configuring the Session Connection Type

For the Tera2 PCoIP Zero Client, you must first configure the zero client with the Uniform Resource Identifier (URI) of the PCoIP Connection Manager for Amazon WorkSpaces appliance before you can connect to it. The example below shows how to configure the PCoIP Connection Manager connection session type.

Note: Using Auto Detect to connect to Amazon WorkSpaces
If desired, you can also use the Auto Detect connection session type to connect to your PCoIP Connection Manager for Amazon WorkSpaces.

To configure the session connection type for the Tera2 PCoIP Zero Client:

1. From the OSD, select Options > Configuration > Session.
2. Click Unlock, enter your OSD password (if required), and click OK.
3. In the Connection Type field, select PCoIP Connection Manager from the drop-down list, enter the URI (https://<ip address>) of the PCoIP Connection Manager for Amazon WorkSpaces appliance in the Server URI field, and click OK.

Connecting to Your Amazon WorkSpaces Desktop

After configuring the appliance's URI, it will appear in the Server field on your OSD connect screen.

To connect to your Amazon WorkSpaces desktop:

1. Click Connect.
2. Enter your Amazon WorkSpaces user name and password at the next screen, and click Login. Your Amazon WorkSpaces domain will automatically appear in the Domain field.

Disconnecting the PCoIP Session

To disconnect your PCoIP session, select Start > Log off from your Amazon WorkSpaces desktop. You can also use the Ctrl+Alt+F12 key sequence to disconnect.

Troubleshooting

This section provides information about how to troubleshoot the PCoIP Connection Manager based on test results from the appliance's built-in diagnostics tool. See Verifying Connectivity. It also provides information about zero client error messages.

Troubleshooting PCoIP Connection Manager Diagnostic Results

The following table lists results for the appliance's diagnostic test cases, along with possible causes and solutions.

Note: Checking current status of service availability
You can see the current status of service availability in your area for Amazon WorkSpaces and other AWS services by going to the AWS Service Health Dashboard at http://status.aws.amazon.com/.

Troubleshooting PCoIP Connection Manager Diagnostic Results Diagnostic Test Result DNS FAILED Possible Cause Outgoing UDP on port 53 is blocked. Possible Resolution Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall. No Internet connectivity. Ensure that the VPC on which the PCoIP Connection Manager is deployed has a route to the Internet. None of the configured DNS servers are responding. The PCoIP Connection Manager address cannot be resolved. NTP server address cannot be resolved. Directory domain name cannot be resolved. Ensure DNS server addresses have been entered correctly. Ensure the DNS server can resolve Internet addresses. Ensure DNS server addresses have been entered correctly. Ensure the DNS server has an entry for the specified Amazon WorkSpaces domain name. Note: Additional DNS servers In case of the Amazon cloud directories, you need to specify additional DNS servers that can resolve the domain name. See the configuration step where you enter additional DNS servers. DNS WARNING Broker FAILED At least one DNS server did not respond. Outgoing TCP on port 443 is blocked. Amazon WorkSpaces server is not responding. Ensure that all the specified DNS server addresses are valid. Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall. Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code. Check the AWS Service Health Dashboard for the current status of service availability in your area. TER1408002 32

Diagnostic Test Result: NTP FAILED

Possible Cause: Outgoing UDP on port 123 is blocked.
Possible Resolution: Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall.

Possible Cause: None of the NTP servers responded.
Possible Resolution: Ensure Internet connectivity. Ensure DNS server can resolve the NTP server name.

Diagnostic Test Result: NTP WARNING

Possible Cause: At least one NTP server did not respond.
Possible Resolution: Ensure DNS server can resolve the NTP server name.

Diagnostic Test Result: Active Directory FAILED

Possible Cause: Active Directory port (TCP 88) is blocked.
Possible Resolution: Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall.

Possible Cause: Active Directory is not listening to requests from PCoIP Connection Manager's subnet.
Possible Resolution: Ensure Active Directory is listening to requests from the subnet in which the PCoIP Connection Manager is deployed.

Possible Cause: Active Directory server is down.
Possible Resolution: Ensure Active Directory server is operational.

Diagnostic Test Result: Negotiation FAILED

Possible Cause: Failed to receive a response (or a successful response) from the Amazon WorkSpaces server.
Possible Resolution: Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code. Ensure outbound and inbound TCP on port 443 is not blocked. Check the security group of the PCoIP Connection Manager, the VPC, and the VPN firewall. Check the AWS Service Health Dashboard for the current status of service availability in your area.

Diagnostic Test Result: Authentication FAILED

Possible Cause: Authentication failed due to wrong user credentials.
Possible Resolution: Ensure valid Amazon WorkSpaces credentials are entered for the specified directory. Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code.

Possible Cause: Failed to receive a response (or a successful response) from the Amazon WorkSpaces server.
Possible Resolution: Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code. Ensure that Kerberos port 88 is configured correctly on the PCoIP Connection Manager security group, the VPC access lists, and the VPN firewall. Check the AWS Service Health Dashboard for the current status of service availability in your area.

Diagnostic Test Result: Resource List FAILED

Possible Cause: User is not entitled to any resources. Failed to receive a response (or a successful response) from the Amazon WorkSpaces server.
Possible Resolution: Ensure the specified user has a WorkSpace on the specified directory. Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code. Ensure valid Amazon WorkSpaces credentials are entered for the specified directory. Check the AWS Service Health Dashboard for the current status of service availability in your area.

Diagnostic Test Result: Connection FAILED

Possible Cause: Outgoing TCP on port 4172 is blocked.
Possible Resolution: Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall.

Possible Cause: Amazon Session Provisioner is not responding.
Possible Resolution: Ensure the Amazon WorkSpaces software client for PC or Mac can establish a session using the same registration code. Try establishing a session several times to ensure all Session Provisioners are responding. Check the AWS Service Health Dashboard for the current status of service availability in your area.

PCoIP Connection Manager Log Files

The PCoIP Connection Manager logs are text files containing important information for troubleshooting the appliance.
You can configure the logging level from the Logs > Log level menu on the PCoIP Connection Manager main console screen. For debugging purposes, the recommended log level is TRACE, shown in the next example.

Configuring the logging level on the PCoIP Connection Manager main console screen

Caution: DEBUG and TRACE should not be left on
DEBUG and TRACE level logging may impact the performance of the PCoIP Connection Manager, and is not recommended to be left on for production use.

If you need to open a trouble ticket in the Teradici Support Center, it is important to retrieve the latest log file and attach it to your ticket.

To transfer a log file from the PCoIP Connection Manager to a Windows machine:

1. Use WinSCP on your Windows machine to log in to the PCoIP Connection Manager with the following credentials:
   Host name: Enter the host name or IP address of the PCoIP Connection Manager.
   User name: Enter administrator.
   Private key file: Go to the Advanced > SSH > Authentication screen on the WinSCP Login page, and specify your key pair file (.ppk format) in the Authentication parameters section.

   Note: Convert the .pem key pair file to .ppk format
   If your key pair file is in .pem format, you can use PuTTYgen to convert it to .ppk format.

2. In the WinSCP right-hand pane, navigate to the following directory: /var/log/teradici/connectionmanager
3. Locate the latest PCoIP Connection Manager log file. The name of the latest log file starts with pcoip-conmgr, and has a .log extension. The .log.gz files are archived log files.
4. Drag and drop the PCoIP Connection Manager log file from the right-hand pane to the desired Windows directory in the left-hand pane.
5. To view the file from your Windows machine, open the file using a text editor that supports the UNIX end-of-line format (for example, WordPad or Notepad++).

Troubleshooting Zero Client Connection Errors

The following table lists errors a user may receive when connecting a zero client to Amazon WorkSpaces, along with possible causes and solutions.

Troubleshooting Zero Client Connection Errors

Zero Client Error: PCoIP Connection Manager communication error
Possible Cause: Zero client cannot communicate with the PCoIP Connection Manager.
Possible Resolution: Check the security group of the PCoIP Connection Manager and the VPC. Check the VPN firewall.

Zero Client Error: Unable to connect (0x1002). Please contact your IT administrator.
Possible Cause: Zero client cannot communicate with Amazon WorkSpaces.
Possible Resolution: Amazon WorkSpaces may be restarting or off. Ensure zero client has connectivity to Internet/Amazon WorkSpaces on UDP port 4172. Check the AWS Service Health Dashboard for the current status of service availability in your area.

Zero Client Error: Failed to connect. The server provided a certificate that is invalid.
Possible Cause: The certificate checking mode on the zero client is set to Never connect to untrusted servers, and a problem exists with the certificate. See Setting a Security Mode on page 27.
Possible Resolution: Ensure the certificate subject or subject alternative name matches the PCoIP Connection Manager address or host name. See Installing Your Own Certificates on page 23. Ensure the certificate chain of trust is rooted in the zero client's local certificate store. If desired, change the zero client's certificate checking mode to Warn before connecting to untrusted servers. See Setting a Security Mode on page 27.

Zero Client Error: Cannot verify the identity of the server you have contacted.
Possible Cause: The certificate checking mode on the zero client is set to Warn before connecting to untrusted servers and a problem exists with the certificate.
Possible Resolution: Ensure the certificate subject or subject alternative name matches the PCoIP Connection Manager address or host name. See Installing Your Own Certificates on page 23. Ensure the certificate chain of trust is rooted in the zero client's local certificate store.

PCoIP Zero Client Log Files

Zero client log files can be viewed from the Event Log page in the client's Administrative Web Interface (AWI).

To access the log files:

1. From a browser, enter the IP address of the zero client. You can find this address in the IP Address field on the OSD's Option > Configuration > Network page.
2. From the AWI Log In page, enter the administrative password (if required) and then click Log In.

3. Select the Diagnostics > Event Log menu.
4. In the Event Log page, click View to display the log in a new window.
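The diagnostic results table in this section traces most FAILED results to a blocked outbound port and points to the security group first. The following added example (not part of the Teradici guide) audits the egress rules in output shaped like that of aws ec2 describe-security-groups against those ports; the group ID and rules are constructed sample data, and the function names are hypothetical.

```python
import json

# Outbound protocol/port behind each diagnostic test, per the diagnostic results table.
REQUIRED_EGRESS = {
    "DNS": ("udp", 53),
    "Broker": ("tcp", 443),
    "NTP": ("udp", 123),
    "Active Directory": ("tcp", 88),
    "Connection": ("tcp", 4172),
}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-constructed-example",
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
    {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 5000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}
  ]}]}
""")

def rule_matches(rule, proto, port):
    """True if an egress rule covers proto/port; IpProtocol "-1" means all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == proto
            and rule["FromPort"] <= port <= rule["ToPort"])

def audit_egress(described):
    """Per group, map each diagnostic test to the destinations its port may reach."""
    report = {}
    for group in described["SecurityGroups"]:
        report[group["GroupId"]] = {}
        for test, (proto, port) in REQUIRED_EGRESS.items():
            dests = set()
            for rule in group.get("IpPermissionsEgress", []):
                if rule_matches(rule, proto, port):
                    dests.update(r["CidrIp"] for r in rule.get("IpRanges", []))
                    dests.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
                    dests.update(g["GroupId"] for g in rule.get("UserIdGroupPairs", []))
            report[group["GroupId"]][test] = sorted(dests)
    return report

def blocked_tests(report, group_id):
    """Tests whose port has no egress rule at all in this security group."""
    return [test for test, dests in report[group_id].items() if not dests]
```

An empty destination list means the security group alone accounts for the FAILED result; a narrow list (DNS to a single resolver in the sample) still has to include the servers configured on the appliance. The VPC and the VPN firewall named in the table need their own check.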

Amazon WorkSpaces Components

In order to operate, Amazon WorkSpaces requires the following components:

- Virtual Private Cloud
- Security groups
- Directories (Cloud Directory or Active Directory with connectivity to the VPC, usually via a VPN)

To find out more about Amazon WorkSpaces, see the information provided by Amazon at http://aws.amazon.com/workspaces.

Virtual Private Cloud (VPC)

A VPC is the network in Amazon's cloud where you can deploy resources. It is in many ways similar to an office network. You can see your VPC information by selecting VPC from the AWS console or from the Services drop-down list. For more information, see:
http://docs.aws.amazon.com/amazonvpc/latest/gettingstarted/ExerciseOverview.html
http://docs.aws.amazon.com/amazonvpc/latest/user/VPC_Introduction.html

Security Groups

Security groups are similar in many ways to firewalls in that they control the traffic that is allowed to enter or leave an instance or a group of instances. For more information, see:
http://docs.aws.amazon.com/awsec2/latest/user/using-networksecurity.html
http://docs.aws.amazon.com/amazonvpc/latest/user/vpc_SecurityGroups.html

Directories

Two types of directories are available: Cloud Directory or WorkSpaces Connect (On-Premises Active Directory). Because Amazon directories are compatible with Active Directory, you can apply Group Policy settings to Amazon WorkSpaces. For more information, see:
http://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html

Cloud Directory

If you wish to use a Cloud Directory, follow the Quick Setup steps when creating your Amazon WorkSpaces. For more information, see:
http://docs.aws.amazon.com/workspaces/latest/adminguide/prep_cloud.html
http://docs.aws.amazon.com/workspaces/latest/adminguide/cloud_directory.html

WorkSpaces Connect (Active Directory)

If you use an on-premises Active Directory, you must ensure that anything in your Virtual Private Cloud can communicate with WorkSpaces Connect. For more information, see:
http://docs.aws.amazon.com/workspaces/latest/adminguide/prep_connect.html
http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_directory.html

For instructions on how to create a VPN to your on-premises equipment, see:
http://docs.aws.amazon.com/amazonvpc/latest/user/vpc_vpn.html
http://docs.aws.amazon.com/amazonvpc/latest/networkadmin/welcome.html

Troubleshooting

Every network configuration will be different. Incorporating AWS into your own network will have its own unique issues and challenges. For troubleshooting information, see:
http://docs.aws.amazon.com/workspaces/latest/adminguide/admin_troubleshooting.html

Elastic Load Balancer

AWS's Elastic Load Balancer (ELB) is a service that enables you to run multiple EC2 instances and automatically distribute traffic across them. For more information, see:
http://docs.aws.amazon.com/elasticloadbalancing/latest/developer/SvcIntro.html

Intellectual Property Rights

Teradici Corporation
#301-4601 Canada Way, Burnaby, BC V5G 4X7 Canada
phone +1.604.451.5800 fax +1.604.451.5818
www.teradici.com

The information contained in this documentation represents the current view of Teradici Corporation as of the date of publication. Because Teradici must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Teradici, and Teradici cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. TERADICI MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Teradici Corporation.

Teradici may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Teradici, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Visit http://www.teradici.com/about-teradici/pat.php for more information.

© 2000-2018 Teradici Corporation. All rights reserved.

Teradici, PC-over-IP, and PCoIP are trademarks of Teradici Corporation and may be registered in the United States and/or other countries. Any other trademarks or registered trademarks mentioned in this release are the intellectual property of their respective owners.