Configuring the PCoIP Security Gateway
Configuration settings for the PCoIP Security Gateway are stored in /etc/SecurityGateway.conf as key/value pairs separated by an equals sign. One setting is described per line.
To configure a setting, open /etc/SecurityGateway.conf with a text editor and add or change the appropriate lines. For example, to set the PCoIP Security Gateway's external IP address, you would add this line:
ExternalRoutableIP = ip-address-reachable-by-clients
Restart the PCoIP Security Gateway to apply your changes.
Configuration file formats and values are not validated
Configuration file formats and values are not validated. Incorrect configurations can result in components that do not work properly. Ensure you make backups before making changes.
Important: The Security Gateway must be enabled by the Connection Manager
To use the PCoIP Security Gateway, it must be enabled in /etc/ConnectionManager.conf:
SecurityGatewayEnabled = true
In /etc/SecurityGateway.conf, you must set the IP address clients will use to reach the PCoIP Security Gateway:
ExternalRoutableIP = ip-address-reachable-by-clients
PCoIP Security Gateway Configuration Settings
The configuration file for the PCoIP Security Gateway is located at /etc/SecurityGateway.conf. To apply changes, restart the PCoIP Security Gateway first, then restart the PCoIP Connection Manager.
PCoIP Security Gateway Configuration Settings
Parameter | Default | Description |
---|---|---|
ExternalRoutableIP | | The externally routable IP address of the PCoIP Security Gateway. This is typically set to the static IP address assigned to the PCoIP Connection Manager. Do not set this to a loopback address. |
LogLevel | 2 | The minimum severity level of messages written to the log. Acceptable values in increasing order of severity are: 0 (TRACE), 1 (DEBUG), 2 (INFO), 3 (WARN), 4 (ERROR). Only messages that are at or above the configured LogLevel severity are logged. For information on log files, see PCoIP Connection Manager and Security Gateway Log Files. |
LogPath | $TMPDIR or /tmp | Location of PCoIP Security Gateway log files. |
MaxConnections | 5000 | Maximum number of connections. ulimit -n on Linux needs to be set to slightly more than double this number. |
SSLCertPath | /opt/Teradici/certs | Location of certificate files used by the PCoIP Security Gateway. |
SSLCertType | 0 | 0 = Use an external certificate. If not configured, then generate and use a self-signed certificate. 1 = Use an external certificate. 2 = Generate and use a self-signed certificate. |
SSLLinuxExtCA | CMCertificateCA.pem | SSLLinuxExtCert certificate chain file name. |
SSLLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with PCoIP clients. |
SSLLinuxExtCertPhrase | | Passphrase of the private key specified by SSLLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the pass phrase to be specified here in plain text. |
SSLLinuxExtPriv | CMCertificateKey.pem | File name of the SSLLinuxExtCert certificate private key (in base64-encoded PEM format). |
SSLCipherBlackList | | Lists the TLS cipher suites to be removed from the default list of cipher suites used for establishing a TLS connection to the PCoIP client, the PCoIP server, and the connection manager. The cipher suites are specified by their RFC names and are separated by a colon. See PCoIP Connection Manager Supported TLS Cipher Suites. For example, specifying the "TLS_RSA_WITH_AES_256_CBC_SHA: TLS_RSA_WITH_AES_128_CBC_SHA" string as the black list removes the specified two cipher suites. |
TCPControlLinuxExtCA | CMCertificateCA.pem | TCPControlLinuxExtCert certificate chain file name. |
TCPControlLinuxExtCert | CMCertificate.pem | File name of the public certificate (in base64-encoded PEM format) used to secure communication with the PCoIP Connection Manager. |
TCPControlLinuxExtCertPhrase | | Passphrase of the private key specified by TCPControlLinuxExtPriv. We strongly advise against encrypting the private key since doing so requires the passphrase to be specified here in plain text. |
TCPControlLinuxExtPriv | CMCertificateKey.pem | File name of the TCPControlLinuxExtCert certificate private key (in base64-encoded PEM format). |
Security gateway secures connections to control channel
If the TCPControlLinuxExtCA, TCPControlLinuxExtCert, and TCPControlLinuxExtPriv settings are all configured, then the security gateway secures connections to its control channel with TLS. If one or more of these settings are not specified, then the security gateway accepts plain text connections to its control channel. The connection manager uses TLS by default when establishing a connection to the security gateway control channel. For more information, see PCoIP Connection Manager Configuration Settings.
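Because the file is not validated when it is loaded, a check run before restarting the gateway can flag the risky settings described above: a loopback ExternalRoutableIP, a control channel that falls back to plain text, a stored private-key passphrase, and a file-descriptor limit too low for MaxConnections. This is an added example, not Teradici's code; `parse_conf`, `audit` and the sample contents are hypothetical, and it assumes that `#` starts a comment line and that a setting counts as configured only when it appears in the file with a non-empty value.

```python
import ipaddress
import resource

# All three must be set for the control channel to use TLS (per the note above).
CONTROL_TLS_KEYS = ("TCPControlLinuxExtCA", "TCPControlLinuxExtCert", "TCPControlLinuxExtPriv")
PASSPHRASE_KEYS = ("SSLLinuxExtCertPhrase", "TCPControlLinuxExtCertPhrase")

def parse_conf(text):
    """Parse 'key = value' lines; treating '#' as a comment marker is an assumption."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(settings, nofile_limit):
    """Return findings for the security-relevant settings documented on this page."""
    findings = []
    try:
        if ipaddress.ip_address(settings.get("ExternalRoutableIP", "")).is_loopback:
            findings.append("ExternalRoutableIP is a loopback address")
    except ValueError:
        findings.append("ExternalRoutableIP is missing or not an IP address")
    missing = [k for k in CONTROL_TLS_KEYS if not settings.get(k)]
    if missing:
        findings.append("control channel accepts plain text; unset: " + ", ".join(missing))
    for key in PASSPHRASE_KEYS:
        if settings.get(key):
            findings.append(key + " stores a private-key passphrase in plain text")
    max_conn = settings.get("MaxConnections", "5000")  # documented default
    if not max_conn.isdigit():
        findings.append("MaxConnections is not a number: " + repr(max_conn))
    elif nofile_limit <= 2 * int(max_conn):
        findings.append("ulimit -n %d is not above double MaxConnections (%s)" % (nofile_limit, max_conn))
    return findings

# Constructed sample file contents, not taken from a real deployment.
SAMPLE = """
ExternalRoutableIP = 127.0.0.1
TCPControlLinuxExtCert = CMCertificate.pem
TCPControlLinuxExtPriv = CMCertificateKey.pem
SSLLinuxExtCertPhrase = constructed-example
"""

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE), resource.getrlimit(resource.RLIMIT_NOFILE)[0]):
        print("WARN:", finding)
```

To check a live system, pass the contents of /etc/SecurityGateway.conf to `parse_conf` and run the script as the account that starts the gateway, so the `ulimit -n` value it reads is the one the service gets.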