Skip to content

HyWorks and HySecure
Configuration

PCoIP HySecure Gateway Configuration

This section covers the PCoIP configurations done in the HySecure Gateway.

Delivering PCoIP-based VDI Graphics/Non-Graphics with HySecure

To deliver PCoIP-based VDI Graphics/Non-Graphics with HySecure, a Turbo configuration on the Gateway and the following applications, and the access control list are required:

Turbo Configuration in HySecure Management Console

Follow the steps below:

  1. Login to the HySecure Management Console using the Security Officer Account.
  2. Navigate to Settings > Service Config > Turbo Tunnel.
  3. Click Add and enter the required details. Click Submit. !!!Note
    • In this configuration, Enable ACL and Enable ACL Logs are enabled by default.
    • To allow all ports for any IP address or Network Subnet, Uncheck both the Enable ACL and Enable ACL Logs options in the Turbo Interface Configuration.

Refer to the Turbo configuration as shown in the image:
4. Configure Turbo IP Pool for endpoints. Navigate to Policies > IP Address Pools > Add to Create IP Address Pool.

Note

Ensure that a sufficient IP Address Pool is available for all the HySecure Users.

Application Creation in HySecure Management Console

To access VDI with PCoIP using Accops Workspace, the client Application needs to be assigned to End Users.

Note

  • Requires VDI Network Address and the ports: TCP 443, TCP 4172, UDP 4172, and TCP 60443.
  • Also requires HyWorks Controller (Primary/Secondary) and TCP 38866 port.

Follow the steps to create an application in the HySecure gateway:

  1. Login to the HySecure Management console using the Security Officer Account credentials.

  2. Navigate to Apps > Apps > Add to create a new application.

  3. Add the applications to the App Group:

    1. Application 1: Application for VDIs Network Range for port 4172 enter the field values:
      • Application Type: Network
      • Tunnel Type: Turbo Tunnel (L3 VPN)
      • Network Address: Network Subnet of the VDIs
      • Port: 4172
      • Protocol: UDP
      • Traffic Routing: Allow
      • Enable Desktop Shortcut: Uncheck
      • Hidden Application: Uncheck
      • Show Real IP Address of Server: Uncheck
      • Enable Compression: Uncheck
    2. Application 2: HyWorks Controller enter the field values:
      • Application Type: HyWorks - Controller (Primary) and (Secondary) If it is present.
      • Tunnel Type: App Tunnel
      • Network Address: IP Address of the HyWorks Controllers
      • Port: 38866
      • Protocol: TCP
      • Traffic Routing: Allow
      • Access Site Group: LocalSiteGroup
      • Enable Desktop Shortcut: Uncheck
      • Hidden Application: Uncheck

Note

  • Create additional Applications for ports: TCP 443, TCP 4172, UDP 4172, and TCP 60443.
  • If the ACL box is unchecked, the VDI Network can be published with port 4172 with Any Protocol. This will allow all port access (1-65535) from the End User System for the Published Network Subnet or Published IP address.

Create Application Group

Create a new Application Group and add all the applications created in the previous to the new Group.

Create ACL Policy for VDI Access

  1. Login to the HySecure Management console using the Security Officer Account credentials.

  2. Navigate to Policies > ACL.

  3. Click Add to create a new ACL Policy.

Enter the following details:

  • Access Control Type: Application Access
  • Access Control Name: Specify a name for the policy (e.g., VDI Access Policy).
  • Select HySecure Domain: Choose the appropriate HySecure domain where the policy will be applied.
  • Select Authorization Server: Specify the authorization server for authentication and authorization.
  • Select Assignment Type: Choose whether the assignment is for users or groups based on the requirements.
  • Select Application Group: Select the application group created earlier for VDI access (e.g., the App Group containing VDIs Network Range).

Firewall Rule: Port Forwarding on Port 443 (TCP/UDP)

A firewall rule must be configured to allow port forwarding on port 443 for TCP and UDP protocols, ensuring secure data transmission over HTTPS and other services.

The internal server is the Accops HySecure Gateway Virtual IP address.

Following are the steps to configure the firewall rule:

  1. Identify the Network Interface.

    • WAN Interface: An external interface connected to the internet.
    • LAN Interface: An internal interface connected to the local network.

  2. Determine the Internal IP Address.

    • Identify the Accops HySecure Gateway Virtual IP address's internal IP address. For example, 192.168.1.100.

  3. Access the Firewall Configuration.

    • Log in to your firewall's management interface. This can be done via a web browser by entering the firewall's IP address.

  4. Navigate to Port Forwarding/Firewall Rules.

    • Go to the section to configure port forwarding or firewall rules. Depending on your firewall's interface, this section might be labeled NAT, or Port Forwarding, or Firewall Rules.

  5. Enter the following details to add a new Port Forwarding rule:

    • Description: Enter a description for the rule (e.g., Forward HTTPS traffic to Accops HySecure Gateway).
    • Source Interface: Select the WAN interface.
    • Source Address: Usually left as Any to allow traffic from any external address.
    • Destination Interface: Select the LAN interface.
    • Destination Address: Specify the WAN IP address of the firewall.
    • Destination Port: Enter 443 (HTTPS).
    • Translated IP Address: Enter the internal IP address of the Accops HySecure Gateway (192.168.1.100).
    • Translated Port: Enter 443 (or leave blank if the port number remains the same).
    • Protocol: Select TCP/UDP.

  6. Configure firewall rules. Ensure that a corresponding firewall rule exists to allow traffic on port 443 from the WAN to the LAN for both TCP and UDP. Enter the following details:

    • Action: Allow
    • Source Interface: WAN
    • Source Address: Any
    • Destination Address: Internal IP address of the Accops HySecure Gateway (192.168.1.100)
    • Destination Port: 443
    • Protocol: TCP/UDP

  7. Click Save and apply the configuration.

    • Save the new rule and apply the changes. This step might require a firewall reboot or configuration reload.

  8. Verify the configuration.

    • Test the configuration by accessing the service using the WAN IP address or domain name over HTTPS (port 443). Ensure that the traffic is properly forwarded to the Accops HySecure Gateway.

Sample configuration (Using a Generic Firewall Interface)

  1. Port Forwarding Rule:

    • Description: Forward HTTPS traffic to Accops HySecure Gateway
    • Source Interface: WAN
    • Source Address: Any
    • Destination Interface: LAN
    • Destination Address: Firewall WAN IP
    • Destination Port: 443
    • Translated IP Address: 192.168.1.100
    • Translated Port: 443
    • Protocol: TCP/UDP

  2. Firewall Rule:

    • Action: Allow
    • Source Interface: WAN
    • Source Address: Any
    • Destination Address: 192.168.1.100
    • Destination Port: 443
    • Protocol: TCP/UDP

Following the above steps, an admin can successfully configure a firewall rule for port forwarding on port 443, allowing TCP and UDP traffic to be securely and efficiently transmitted to Accops.

HyWorks Configurations for Desktop Delivery

For specifying the use of the PCoIP protocol to connect to the desktops, the following changes must be made in the HyWorks Controller connection profile:

  1. Log into the HyWorks Controller Management Console.
  2. Go to Policies > Connection Profiles.
  3. Click Add/Edit a connection profile.

  4. Navigate to the Access Settings tab:

    1. For Windows Endpoints:

      • Set the Windows Client Session Launcher Option as PC-over-IP Protocol (PCoIP). img

    2. For Linux Endpoints, navigate to the Additional Settings tab:

      • Set the following entry for RDP10 (Linux): accUsePCOIP:i:1 img

  5. Save the connection profile.

  6. Assign the connection profiles to appropriate users/groups/OUs/desktop pools.

    • To use PCoIP, connect VMs with GPUs and update the connection profiles of the VDI Pool. For Example: A screenshot of a computer Description automatically generated

PCoIP can now be used while accessing desktops from the respective clients.

Verifying: PCoIP Protocol and License usage

  1. Launch the Accops Workspace Client and connect to the HySecure Gateway.
  2. Enter login credentials and launch the assigned VDI.

  3. Accops HyPCoIP Client will display on the top left corner of the VDI.

  4. To verify the assigned license, Run PowerShell with admin and execute the command as shown in the figure. img

PCoIP Protocol Licensing

Licenses must be obtained separately to use the PCoIP Protocol.

Here are brief instructions for obtaining and configuring licenses for PCoIP.

Teradici offers two main types of licenses based on deployment models:

  1. Offline Server License

    1. Usage: This type is suitable for environments without consistent internet access or requiring on-premises license management.
    2. Features:
      1. Allows license activation and management without requiring an internet connection.
      2. Licenses are stored and managed locally on a license server within the organization’s network.
    3. Deployment: Ideal for highly secure environments where internet connectivity is restricted or unavailable.
    4. Activation: Typically involves downloading the license file from an online portal and importing it into the local license server.

  2. Cloud License

    1. Usage: Designed for environments with reliable internet connectivity and those leveraging cloud services.
    2. Features:
      1. Enables license management via a cloud-based portal.
      2. Offers flexibility and scalability for dynamic environments.
      3. Simplifies license management with centralized cloud control.
    3. Deployment: Suitable for organizations using cloud infrastructures or those with multiple geographically dispersed locations.
    4. Activation: An internet connection is required to communicate with the cloud license server for activation and validation.

Note

Customers can directly purchase the cloud license from HP or via Accops. Send an email at license@accops.com, and our team will contact you.

Known Limitations

Only personal desktop or single-session deliveries can be done using the PCoIP protocol. The delivery mode is not used for Multiuser Shared hosted desktops or virtual applications.