Teradici All Access Architecture Guide

TER1608004 All Access Architecture Guide

Contents

Who Should Read This Guide?
Welcome to Teradici All Access
Desktop Access
Cloud Access
Cloud Access Plus
Workstation Access
Why Choose a Teradici All Access Plan?
What is PCoIP Technology?
Key Benefits of PCoIP Technology
Who Uses PCoIP Technology?
A Closer Look at PCoIP Components
PCoIP Standard and Graphics Agent
PCoIP Zero Client
Features Supported by PCoIP Technology
Optimal Display Resolution
Flexible Display Topology
Audio Input and Output
Printing
Copy and Paste
USB Devices
A Closer Look at Deployment Infrastructure Components
PCoIP-Compatible Connection Broker
PCoIP Connection Manager
PCoIP Security Gateway
License Server
PCoIP Management Console
Teradici All Access Deployment Architecture
Public Cloud Architecture
On-Premises Datacenter Architecture
Security Architecture
Security Architecture for Public Cloud
Security Architecture for On-Premises Datacenter
Deployment Infrastructure
Planning Your All Access Deployment
Workload Considerations
Scaling Your Components
Customized and Extended Teradici All Access Solution Architecture
Frequently Asked Questions


Who Should Read This Guide?

This guide provides information for administrators who are looking to implement, install, and develop All Access plans. This guide introduces you to Teradici All Access plans and enables you to determine which solution best suits your needs. This guide provides you with information you can use to better understand:

• The components of a Teradici All Access plan.

• How to architect Teradici All Access plans for public cloud infrastructure and on-premises datacenters.

• How to scale a Teradici All Access solution.

• System requirements for a variety of deployment sizes and scenarios.

• Options that enable you to extend and customize your specific solution using Cloud Access Platform.

Note: Understanding terms and conventions in Teradici guides

For information on the industry-specific terms, abbreviations, text conventions, and graphic symbols used in this guide, see Using Teradici Product and Component Guides and the Teradici Glossary.


Welcome to Teradici All Access

Teradici All Access enables enterprises and solution providers to migrate and host desktops, workloads and both graphics-intensive and mainstream applications on the public cloud or on-premises datacenter. The All Access plans are built on industry-leading PCoIP technology, to securely deliver a rich user experience across all network conditions to a variety of endpoint devices.

Teradici All Access Solution Architecture

Teradici All Access plans are designed for various use cases and user types, from task workers to knowledge workers, artists, and designers; and fit the requirements of industries including media and entertainment, AEC (Architecture, Engineering, and Construction), healthcare, oil and gas, and design and manufacturing. Teradici offers the following All Access plans:

• Desktop Access

• Cloud Access

• Cloud Access Plus

• Workstation Access


All Access Plans Compared

Features of Teradici All Access Solutions, by plan (Desktop Access, Cloud Access, Cloud Access Plus, Workstation Access):

Management Console Enterprise license

PCoIP Zero Client updates

24/7 Support

Exclusive Resources (webinars, knowledge base, training videos, downloads, tools)

Access from zero client

Access from software clients (Windows, macOS, iOS, Android, Chrome OS endpoint support)

Windows host OS

Linux host OS

Concurrent user license

3 Cloud Access Software licenses (valid for 1 year)

Cloud Access Software Standard license

Cloud Access Software Graphics license (with GPU support)

Remote Workstation Card updates

Desktop Access

This plan is aimed at PCoIP Zero Client and PCoIP Management Console users. It is ideal for VMware Horizon or Workspaces zero client users. The Desktop Access plan enables you to centrally manage your PCoIP Zero Clients with PCoIP Management Console Enterprise. The Desktop Access plan provides the following features:

• Premium Support: 24 x 7 support from Teradici, the inventors of PCoIP technology.

• PCoIP Management Console Enterprise: Manage up to 20,000 endpoints from a single console, and get features like auto-config, scheduling, certificates and more.

• PCoIP Zero Client firmware upgrades: Access to the latest security and feature updates for your PCoIP Zero Clients.

• Exclusive resources: Access to exclusive training webinars, with topics such as health checks, deployment optimization, migration to the cloud, and more.

• Cloud Access Software: Future proof your PCoIP infrastructure and explore your cloud options with three Cloud Access Software evaluation licenses.

For more information on Desktop Access, see Desktop Access.

Cloud Access

The Teradici Cloud Access plan enables businesses to host non-GPU workloads and applications in on-premises data centers or in a public cloud, and securely access them from any PCoIP endpoint. It includes the following features:

• Cloud Access Software: Host Linux and Windows applications and workloads on-premises or from the public cloud with Teradici PCoIP Cloud Access Software.

• PCoIP Management Console Enterprise: Manage up to 20,000 endpoints from a single console, and get features like auto-config, scheduling, certificates and more.

• PCoIP Zero Client firmware upgrades: Access to the latest security and feature updates for your PCoIP Zero Clients.

• Exclusive resources: Access to exclusive training webinars, with topics such as health checks, migration, and optimization.

• Premium support: 24 x 7 support from Teradici, the inventors of PCoIP technology.

For more information on Cloud Access, see Cloud Access.

Cloud Access Plus

Cloud Access Plus is ideal for enterprises, managed service providers or ISVs moving graphic-intensive applications to the cloud in oil & gas, automotive, M&E, AEC and many more industries. Cloud Access Software eliminates the large data transfers required between physical workstations, providing quick access and responsive 3D visualization, while improving security and reducing costs. The plan consists of the following features:

• Cloud Access Software - Graphics Edition: Host graphics-intensive applications and workloads on-premises or from the public cloud.

• Premium support: 24 x 7 support from Teradici, the inventors of PCoIP technology.

• PCoIP Management Console Enterprise: Manage up to 20,000 endpoints from a single console, and get features like auto-config, scheduling, certificates and more.

• PCoIP Zero Client firmware upgrades: Access to the latest security and feature updates for your PCoIP Zero Clients.

• Exclusive resources: Access to exclusive training webinars, with topics such as health checks, migration, and optimization.

For more information on Cloud Access Plus, see Cloud Access Plus.

Workstation Access

This plan is aimed at graphics users who require a PCoIP Remote Workstation Card for demanding on-premises applications. This plan consists of features such as:

• Cloud Access Software: Future proof your PCoIP infrastructure and explore your cloud options with three Cloud Access Software licenses.

• Premium support: 24 x 7 support from Teradici, the inventors of PCoIP technology.

• PCoIP Management Console Enterprise: Manage up to 20,000 endpoints from a single console, and get features like auto-config, scheduling, certificates and more.

• PCoIP Zero Client firmware upgrades: Access to the latest security and feature updates for your PCoIP Zero Clients.

• PCoIP Remote Workstation Card firmware upgrades: Access to the latest security and feature updates for your PCoIP Remote Workstation Cards.

• Exclusive resources: Access to exclusive training webinars, with topics such as health checks, migration, and optimization.

For further information on Workstation Access, see Workstation Access.

Note: Further information on All Access solutions

For more information on the Teradici All Access solutions, see Teradici All Access.


Why Choose a Teradici All Access Plan?

Teradici All Access plans offer a complete set of remoting solutions for knowledge workers and power users, enabling lower IT costs and administrative time while giving your team the flexibility to work any way they need to. Teradici offers a varied set of solutions that will fit your company and infrastructure needs. Benefits of the All Access subscription plans include:

• A higher level of performance and better security at a lower cost, and the ability to switch your operations from CAPEX to more predictable OPEX models.

• The ability to provision new devices, report on inventory, review metrics, configure settings, and update firmware with PCoIP Management Console.

• All Access plans use the industry-leading PCoIP protocol with over 10 million endpoints deployed today across a broad spectrum of industries, including Fortune 500 and small-medium businesses and enterprises alike.

• Teradici All Access supports Windows, Linux, and hybrid deployments; it is naturally compatible with cross-platform configurations.

• With Teradici All Access, you can lift and shift legacy applications, workloads, and desktops without having to re-write software for cloud compatibility.

• Teradici All Access supports flexible multi-monitor display topologies and high resolutions including ultra-high definition (UHD) and 4K industry standards.

• Enable workforce mobility by supporting Windows, OS X, iOS, Android, Chrome OS, and PCoIP Zero Client endpoints.

• Insurance against cloud vendor lock-in because it can be rapidly deployed on any on-premises datacenter, hybrid, or public cloud.

• The ability to collaborate on the cloud.

• Freedom to move applications and workloads into any host environment, such as on-premises data center and public cloud.

• Teradici All Access secures your intellectual property in the host environment - data is only transferred as secure pixels via our PCoIP technology.


What is PCoIP Technology?

PCoIP is a display protocol that encodes a complete desktop or workload, which is then displayed through a PCoIP client device over a standard IP network. PCoIP technology uses advanced display compression to provide end users with cloud-based virtual computers such as GPU-enabled virtual workstations or standard virtual desktops as a progressive alternative to a local deployment model. It also supports many of the services available to physical machines, including keyboard, mouse, USB, multiple monitors, printers, audio devices, as well as custom options.

The core technology comprises the PCoIP protocol which compresses, encrypts, and transmits only pixels to a broad range of software clients, mobile clients, and stateless PCoIP Zero Clients, providing a highly secure data exchange. The image is rendered on the host to provide the framework in which the host can transmit only the pixels across the network without being concerned about the applications or responses from the client. In best case scenarios, zero clients are used to receive the pixels and decode them, essentially eliminating display latency.

The PCoIP protocol is configured to enable the display representation rendered by the virtual workstation to be exactly reproduced at the endpoint. This is referred to as lossless reproduction. This is critical, particularly in instances such as medical diagnostics, geospatial analysis, and media production, where the image itself contains important visual information.

PCoIP protocol uses the User Datagram Protocol (UDP) which is much better suited for streaming media and real time display situations.

Key Benefits of PCoIP Technology

The following features and benefits are key aspects of PCoIP technology:

• Host Rendering: Pixel-level processing means any application performs to its optimum capability.

• Image Decomposition and Optimized Multi-codec: Highest image quality with efficient build-to-lossless and optimized bandwidth.

• Dynamic Network Adaptation: Automatically delivers the best possible user experience under changing network conditions.

• Pixel Transmission: Only pixels are transmitted. This ensures that data stays secure and never leaves the cloud.

• Platform Agnostic: Enables you to deploy on-premises or using public, private or hybrid cloud infrastructure.

Architecturally, a basic configuration includes only a few components including a client and a host such as a virtual workstation or desktop comprising a PCoIP agent, as shown next.


A basic PCoIP configuration showing the client and host components

Who Uses PCoIP Technology?

Teradici PCoIP technology is used in a wide range of industries, including government, education, financial services, healthcare, oil and gas, automotive, media and entertainment, architecture, engineering and construction, manufacturing, and design. For information on specific industry applications, check out the case studies featured on the Teradici website.


A Closer Look at PCoIP Components

The products included in All Access plans include the following components:

• PCoIP Standard Agents and PCoIP Graphics Agents, which are components of Cloud Access Software

• PCoIP Software Clients for macOS or Windows

• PCoIP Mobile Clients for iOS, macOS, Android, and Chrome OS

• PCoIP Zero Client

• PCoIP Remote Workstation Card

PCoIP Standard and Graphics Agent

PCoIP Hosts

The virtual workstation or desktop is configured with Teradici Cloud Access Software - specifically a component referred to as PCoIP Standard or Graphics agent - that will securely encode the desktop and efficiently stream pixels-only to the PCoIP client. Additionally, PCoIP Remote Workstation Card may be installed in a physical workstation to provide remote access.

The following table details the available host options:

Available Host Options

PCoIP Graphics Agent
Description: A PCoIP Graphics Agent, provided with Cloud Access Software Graphics Edition as part of the Cloud Access Plus plan, leverages a discrete graphics processor and associated 3D APIs, including OpenGL and DirectX. The PCoIP Graphics Agent is optimized for the latest NVIDIA GRID and AMD compatible GPUs.
OS: Windows and Linux
Further Information: See the Teradici PCoIP® Graphics Agent 2.11 for Windows Administrators' Guide or the Teradici PCoIP® Graphics Agent 2.11 for Linux Administrators' Guide

PCoIP Standard Agent
Description: A PCoIP Standard Agent, which is included in the Cloud Access plan, provides each user with a dedicated remote desktop. A PCoIP Standard Agent is optimized for VDI, DaaS, and cloud deployments. A PCoIP Standard Agent does not support GPU-accelerated 3D graphics.
OS: Windows and Linux
Further Information: See the Teradici PCoIP® Standard Agent 2.11 for Windows Administrators' Guide and the Teradici PCoIP® Standard Agent 2.11 for Linux Administrators' Guide

PCoIP Remote Workstation Card
Description: A PCoIP Remote Workstation Card, which is included in the Workstation Access plan, provides remote access to physical workstations, often over high bandwidth LANs. It is ideal for on-premises solutions which demand high frame rates.
OS: Windows and Linux
Further Information: See the PCoIP Zero Client Administrators’ Guide

PCoIP Zero Client

The PCoIP client is a standalone hardware device or software application that enables the user to connect to the virtual workstation. The PCoIP client decodes a stream of PCoIP data from the cloud-based virtual workstation and presents the results to the user. The client is offered in different forms, including zero clients, iOS and Android mobile clients, and software clients compatible with Windows, OS X and Chrome OS operating systems. For more information on these products, visit Teradici Product Finder.


Features Supported by PCoIP Technology

PCoIP technology supports a wide range of client features, operating systems, and virtualized resources. This includes a variety of security, operating system, video, audio, printing, and USB features, as shown next.

Desktop features available in PCoIP clients

Note: PCoIP agents and PCoIP clients both impact functionality

The functionality of any PCoIP system is determined by the overlapping capabilities of the PCoIP client and PCoIP agent components involved.

Optimal Display Resolution

Resolution refers to the common display resolution supported by both your client endpoint and host machine. PCoIP technology supports up to 3840×2160 display resolution. The working resolution is negotiated at session start-up. The PCoIP agent will select and provide the optimal resolution based on the hardware capabilities of the client monitors and agent hardware.


Flexible Display Topology

The term topology refers to your display arrangement. PCoIP technology supports up to four monitors in various topologies and/or mixed monitor arrangements.

Audio Input and Output

Audio output is supported by all Teradici platforms. Stereo output is supported by default. Audio input is also available on Windows hosts and most clients.

Printing

Local, network, and cloud printers are supported in various ways:

• Windows and Linux hosts can print to any printer on the host’s local area network.

• Windows hosts connected via PCoIP Windows and OS X Clients can print to remote USB-connected and network-connected printers configured at the client.

• If your host desktop has access to the Internet, cloud-based printing is supported through cloud-printing services such as Google Cloud Print and HP Mobile Printing.

Copy and Paste

It is possible to copy from the client machine to the remote host machine using copy and paste, and vice-versa. Copy and paste is supported for both Windows and Linux agents.

USB Devices

Universal Serial Bus (USB) is used to connect a computer to devices such as printers, scanners, and external hard drives.

• USB is a cross-platform technology that is supported by most major operating systems.

• It is designed to connect local devices to a local PC over short distances.


Caution: Linux hosts do not support USB devices

Linux hosts do not support redirecting USB devices between host and client, and so do not support local USB devices like flash drives or printers. Only locally terminated human interface devices such as keyboards and mice are supported. Teradici PCoIP Graphics Agent for Windows and Teradici PCoIP Standard Agent for Windows support USB devices.

Different USB devices use different low-level USB transfer types. In some instances, device compatibility is dependent on the USB transfer types required for certain devices:

• Headsets: Devices such as headsets and others which use the USB Control Transfer type are generally compatible with PCoIP technology. Headsets require a controlled transfer. These transfers support configuration, command, and status operations between the software on the host and the device.

• Mouse and Keyboard: Devices such as your mouse and keyboard which use the USB Interrupt Transfer type are also generally compatible and require guaranteed quick responses. These devices require an interrupt transfer.

• Thumb drives, Printers and Scanners: These devices use the USB Bulk Transfer type and are generally compatible, but data transfer rates may be dependent on network latency and bandwidth availability. They require bulk transfers, which are large-volume, sporadic transfers with no guarantees on bandwidth or latency.

• Webcam: A Webcam device uses the USB Isochronous Transfer type bounded by strict timing considerations. Webcams are therefore not compatible with PCoIP technology. They require an isochronous transfer which requires a guaranteed data rate but not as fast as interrupt transfers.

Info: Isochronous USB devices supported through technology partners

USB devices with time-sensitive information, such as webcams, are not generally supported. However, Teradici's technology partners provide additional solutions to expand peripheral support such as webcams with Cloud Access Software. For more information and installation, see Peripherals on the list of Teradici Technology Partners.

Given the complexity and diversity of USB devices and their drivers in the market, Teradici does not maintain a supported list of USB devices. Instead, Teradici provides the following general guidelines:


• USB devices using all data transfer types except isochronous (used by, for example, USB webcams) are supported by PCoIP software and hardware endpoints.

• If, after testing, a device is found to be improperly redirected, then support for these devices can be added by developing a custom driver. Teradici provides the Teradici Virtual Channel Software Development Kit (SDK) for developing custom drivers through the Technology Partner Program on Teradici Cloud Access Platform.


A Closer Look at Deployment Infrastructure Components

The following sections deal with Cloud Access Software deployments - as part of the Cloud Access and Cloud Access Plus plans. Whether you are deploying on a public cloud or on-premises datacenter, scaling your deployment to serve a large number of end users will ultimately increase your network demand, connection traffic, and load balancing needs. To meet this increased demand, Teradici recommends adding a PCoIP-compatible connection broker. This includes the load balancing components outlined in the following image.

Resource: PCoIP-compatible connection brokers

For a list of available PCoIP-compatible brokers, see Commercial Third-Party Brokers.

A large-scale PCoIP configuration showing the PCoIP-compatible connection broker, and load balancers.


For more information about the scaling components used in this architecture, see the following section.

Large deployment additional components and requirements

❶ PCoIP-Compatible Connection Broker: PCoIP-compatible connection brokers can be obtained from a third-party vendor. For a list of third-party vendors and available PCoIP-compatible connection brokers, see Commercial Third-Party Brokers.

❷ PCoIP® Connection Broker Protocol Specification: The connection broker typically has an extension on the host machine that it uses to spin the host up and down as needed. See PCoIP-compatible connection broker documentation.

PCoIP-Compatible Connection Broker

A PCoIP-compatible connection broker is a resource manager that authenticates users and dynamically assigns authorized host desktops to PCoIP clients based on the identity of the user. A connection broker can also allocate a pool of virtual workstations to a group of PCoIP clients. A PCoIP-compatible connection broker can be obtained from a third-party vendor. For a list of third-party vendors and available PCoIP-compatible connection brokers, see Commercial Third-Party Brokers on Teradici's support site.

PCoIP Connection Manager

The PCoIP Connection Manager coordinates establishing a PCoIP session between the client and agent. It provides setup details to the PCoIP Security Gateway and works with the connection broker to authenticate the PCoIP client user. The PCoIP Connection Manager coordinates the establishment of remote desktop connections by creating a PCoIP session between the PCoIP client and PCoIP agent. The PCoIP Connection Manager works with a connection broker to authenticate the user and query for available desktops and applications. The PCoIP Connection Manager is deployed together with a PCoIP Security Gateway (discussed next) on a dedicated server or a public cloud instance accessible only by administrators. In large-scale desktop deployments, multiple connection managers can be deployed together to accommodate a large number of simultaneous connection requests and ensure high availability.

Resource: PCoIP Connection Manager

For information on installing and configuring your PCoIP Connection Manager, see the Teradici PCoIP® Connection Manager 1.8 and PCoIP® Security Gateway 1.14 Administrators’ Guide.

PCoIP Security Gateway

The PCoIP Security Gateway provides secure connectivity between zero clients and other client endpoints over PCoIP.

The PCoIP Security Gateway isn’t explicitly required in all scenarios. For instance, a security gateway isn’t required when accessing remote desktops across a local area network (LAN) or when a virtual private network is available between the client and the agent. Teradici recommends using the PCoIP Security Gateway to enable users on a wide area network (WAN) to securely access their remote desktops from the Internet without the need to set up a VPN connection.

Figure: PCoIP Connection Manager and PCoIP Security Gateway. Callouts: Security is managed by the PCoIP Security Gateway. No firewall is required. If a firewall is present, it must allow the same ports access.

Resource: PCoIP Connection Manager and Security Gateway

For information on installing and configuring your PCoIP Security Gateway, see the Teradici PCoIP® Connection Manager 1.8 and PCoIP® Security Gateway 1.14 Administrators’ Guide.

License Server

Teradici recommends adopting cloud licensing for most deployments. Using this approach, PCoIP Agents in your domain are validated against cloud licensing services maintained by Teradici, so you don't have to configure or maintain your own licensing infrastructure. Cloud licensing services are a suitable solution for PCoIP Agents that have continual access to the internet. When the PCoIP Agents do not have access to the internet, the Teradici License Server must be deployed in your environment.


Resource: PCoIP License Server

For information on the PCoIP License Server, see Teradici PCoIP® License Server 2.0 Administrators' Guide.

PCoIP Management Console

The PCoIP Management Console is only applicable for PCoIP Zero Clients. Teradici PCoIP Management Console allows IT administrators to quickly provision new devices, review metrics, configure settings, update firmware, and view event logs. Based on Teradici PCoIP Management Protocol, the PCoIP Management Console delivers a secure and reliable way to configure and manage the endpoints in your PCoIP deployment, as displayed in the image above. Teradici Management Console provides IT administrators with a browser-based console. From the PCoIP Management Console you can perform the following tasks:

• Display the status, health, and activity of your PCoIP deployment

• Discover endpoints in a variety of ways and automatically name and configure them

• Organize endpoints into multi-level groups

• Schedule firmware and configuration updates to endpoints based on the profiles

• Reset endpoints to factory defaults and control their power settings

• Use custom certificates to secure your PCoIP system

Resource: PCoIP Management Console

If you have PCoIP Zero Clients in your deployment, or for information on the PCoIP Management Console, see PCoIP® Management Console 3.0 Administrators’ Guide.


Teradici All Access Deployment Architecture

The Teradici All Access solutions can be deployed to any public cloud or on-premises datacenter. In this section you will be shown the various architecture options and infrastructure components pertaining to the Cloud Access and Cloud Access Plus plans.

Public Cloud Architecture

In this section you will be shown the steps that can be taken to go from an initial trial to production deployment using a public cloud. In cloud deployments, the host is provided by a cloud-based service such as or Microsoft Azure. Small systems with fewer than 5-10 users can be deployed as indicated in the following diagram. Larger systems may require additional scaling components, as shown in A Closer Look at Deployment Infrastructure Components on page 18. The next illustration and table show how these components connect, and list the various client and agent specifications.

A simple PCoIP cloud deployment with a PCoIP client and PCoIP agent.


Important: Further information on deployment infrastructure

For an in-depth view of a large-scale PCoIP deployment and the components involved, see A Closer Look at Deployment Infrastructure Components on page 18.

This architecture does not require an additional firewall or a VPN (the cloud provider will have their own firewall).

Cloud deployment components and requirements

❶ Teradici PCoIP® Software Client 3.4 for Windows Administrators' Guide and Teradici PCoIP® Software Client 3.4 for Mac Administrators' Guide
Operating System: Windows, OS X, Chrome OS
Mobile Clients: iOS, Android
Note: Other PCoIP-compatible clients are available through OEM partners, resellers, and developers, such as a Teradici PCoIP Zero Client or a PCoIP-optimized thin client.

❷ Teradici PCoIP® Graphics Agent 2.11 for Windows Administrators' Guide
Operating System: Windows 10 (64-bit), Windows 7 (64-bit), Windows Server 2016, Windows Server 2008 R2 (single user only)
Public Cloud: Amazon Web Services, Microsoft Azure

Teradici PCoIP® Graphics Agent 2.11 for Linux Administrators' Guide
Operating System: Ubuntu 16.04 LTS, RHEL 7.2 or later
Public Cloud: Amazon Web Services, Microsoft Azure

Teradici PCoIP® Standard Agent 2.11 for Windows Administrators' Guide
Operating System: Windows 10 (64-bit), Windows 7 (64-bit), Windows Server 2016, Windows Server 2008 R2 (single user only)
Public Cloud: Amazon Web Services, Microsoft Azure

Teradici PCoIP® Standard Agent 2.11 for Linux Administrators' Guide
Operating System: Ubuntu 16.04 LTS, RHEL 7.2 or later
Public Cloud: Amazon Web Services, Microsoft Azure


On-Premises Datacenter Architecture

In this section you will be shown the steps that can be taken to go from an initial trial to production deployment using on-premises infrastructure. In on-premises deployments, the desktop is a host, managed by a hypervisor and located in an on-premises facility. Small systems with fewer than 50-100 users can be deployed as indicated in the following diagram. Larger systems may require additional scaling components, as shown in A Closer Look at Deployment Infrastructure Components on page 18. The next illustration and table show how these components connect, and list the various client and host machine specifications.

Note: GPU compatibility

For more information on GPU compatibility with the PCoIP Graphics Agent, see Teradici PCoIP® Graphics Agent 2.11 for Windows Administrators' Guide and Teradici PCoIP® Graphics Agent 2.11 for Linux Administrators' Guide.

A simple PCoIP datacenter deployment with a PCoIP client using a VPN and PCoIP agent


Important: Further information on deployment infrastructure

For an in-depth view of a large-scale PCoIP deployment and the components involved, see A Closer Look at Deployment Infrastructure Components on page 18.

On-premises datacenter deployment components and requirements

❶ Teradici PCoIP® Software Client 3.4 for Windows Administrators' Guide and Teradici PCoIP® Software Client 3.4 for Mac Administrators' Guide
Operating System: Windows, OS X, Chrome OS
Mobile Client: iOS, Android
Note: Other PCoIP-compatible clients are available through OEM partners, resellers, and developers, such as a Teradici PCoIP Zero Client or a PCoIP-optimized thin client.

❷ Teradici PCoIP® Graphics Agent 2.11 for Windows Administrators' Guide
Operating System: Windows 10 (64-bit), Windows 7 (64-bit), Windows Server 2016, Windows Server 2008 R2 (single user only)
On-Premises Datacenter: ESXi 6.0+, Bare Metal

Teradici PCoIP® Graphics Agent 2.11 for Linux Administrators' Guide
Operating System: Ubuntu 16.04 LTS, RHEL 7.2 or later
On-Premises Datacenter: ESXi 6.0+

Teradici PCoIP® Standard Agent 2.11 for Windows Administrators' Guide
Operating System: Windows 10 (64-bit), Windows 7 (64-bit), Windows Server 2016, Windows Server 2008 R2 (single user only)
On-Premises Datacenter: ESXi 6.0+

Teradici PCoIP® Standard Agent 2.11 for Linux Administrators' Guide
Operating System: Ubuntu 16.04 LTS, RHEL 7.2 or later
On-Premises Datacenter: ESXi 6.0+

Security Architecture

Teradici PCoIP technology is inherently secure in terms of both public cloud and on-premises datacenter deployments, as shown in the following sections.


[Figure: A PCoIP connection through a PCoIP Security Gateway. Labels: LAN, WAN, PCoIP Connection Manager, PCoIP Security Gateway, PCoIP-compatible Connection Broker, 3rd Party. Callout: Traffic is forwarded by the security gateway in a PCoIP-compatible brokering solution.]

If you want to enable access over a WAN without using a VPN, Teradici recommends using a PCoIP-compatible connection broker to enable WAN users to securely access their remote desktops. PCoIP-compatible connection brokers include security gateways which secure PCoIP sessions.

Security Architecture for Public Cloud

Teradici PCoIP technology is inherently secure. The PCoIP session between client endpoints and virtual workstations is encrypted. Certificates are used on both the client and agent sides to ensure a trusted, end-to-end Transport Layer Security (TLS) connection for TCP streams. The PCoIP UDP protocol is encrypted with industry-standard AES encryption suites.

Public cloud providers protect your systems with a firewall, which must be navigated by a PCoIP session. This security architecture is valid in an instance where no broker or security gateway is being used. The protocol uses ports UDP:4172, TCP:4172, and TCP:443 (port 60443 may be used in place of port 443), which must be open and flow through the firewall.

[Figure: A PCoIP connection through a firewall. Callout: Allow these ports through firewall: UDP: 4172, TCP: 4172, TCP: 443.]
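The port list above can be checked against a host's inbound firewall rules before a session is attempted. The following is an added example, not Teradici code: the Rule shape, the sample rules and the function names are constructed for illustration, and it assumes the host is meant to expose nothing other than PCoIP.

```python
from dataclasses import dataclass

# Ports this guide lists for a direct PCoIP session (no broker or gateway).
# Each group is satisfied by any one member: TCP 60443 may replace TCP 443.
REQUIRED_GROUPS = [
    {("udp", 4172)},
    {("tcp", 4172)},
    {("tcp", 443), ("tcp", 60443)},
]
ALLOWED = set().union(*REQUIRED_GROUPS)


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (hypothetical shape, not a vendor schema)."""
    proto: str       # "tcp", "udp" or "all"
    from_port: int
    to_port: int


def covers(rule, proto, port):
    """True if the rule admits the given protocol and port."""
    return rule.proto in (proto, "all") and rule.from_port <= port <= rule.to_port


def audit(rules):
    """Return (missing, excess) for a list of inbound allow rules.

    missing: port groups from the guide that no rule opens.
    excess:  rules that open anything beyond the guide's port list.
    """
    missing = [sorted(group) for group in REQUIRED_GROUPS
               if not any(covers(r, p, n) for r in rules for p, n in group)]
    excess = []
    for r in rules:
        width = r.to_port - r.from_port + 1
        needed = sum(1 for p, n in ALLOWED if covers(r, p, n))
        # "all" also admits non-TCP/UDP protocols, so it is always too broad.
        if r.proto == "all" or width > needed:
            excess.append(r)
    return missing, excess


# Constructed sample: a trial host where RDP was left open and UDP was forgotten.
SAMPLE_RULES = [
    Rule("tcp", 4172, 4172),
    Rule("tcp", 60443, 60443),
    Rule("tcp", 3389, 3389),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("excess:", excess)
```

To audit a real deployment, export the inbound rules from your cloud provider and map each one to a Rule before calling audit.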


Your cloud-based host must also expose a public IP address. Teradici recommends using a fixed public IP address if possible. Refer to your cloud provider's documentation for specific instructions about obtaining fixed public IP addresses.

Security Architecture for On-Premises Datacenter

Teradici PCoIP technology is inherently secure. The PCoIP session between client endpoints and host machines is encrypted. Certificates are used on both the client and agent sides to ensure a trusted, end-to-end Transport Layer Security (TLS) connection for TCP streams. All UDP traffic associated with the PCoIP protocol is encrypted with industry-standard AES encryption suites.

In small-scale deployments, a PCoIP-compatible broker may not be needed. In such cases you can enable WAN access. For larger deployments that require a PCoIP-compatible broker, see A Closer Look at Deployment Infrastructure Components on page 18.

[Figure labels: LAN, WAN, Firewall, PCoIP. Callout: A VPN appliance can be deployed on the WAN side of the firewall.]

A PCoIP connection running through a VPN

Caution: TLS-based VPNs can degrade the user experience
The use of TLS-based VPNs is not recommended because of the impact the TCP tunnelling can have on the user experience. DTLS or IPSec VPNs can tunnel PCoIP traffic without degrading the user experience.


Deployment Infrastructure

The following image and table detail the components involved in an All Access deployment:

A large-scale PCoIP configuration showing the PCoIP-compatible connection broker and load balancers

Deployment Infrastructure Components

Component | Further Information
1 Connection Manager and Security Gateway | Teradici PCoIP® Connection Manager 1.8 and PCoIP® Security Gateway 1.14 Administrators' Guide
2 Management Console | PCoIP® Management Console 3.0 Administrators' Guide
3 License Server | Teradici PCoIP® License Server 2.0 Administrators' Guide
4 Broker | PCoIP® Connection Broker Protocol Specification


Planning Your All Access Deployment

When planning your All Access deployment, you need to take into account your workload needs and the component infrastructure required to support them. The following sections introduce this planning in terms of scaling and workload considerations. For more information, see (missing or bad snippet).

Workload Considerations

PCoIP technology provides a range of capabilities suitable for a variety of user types, including:

l Task Workers: Task workers typically use applications involving simple screen data and text entry, such as call centers or companies that deliver online certification tests. The Desktop Access and/or Cloud Access solutions would suit the needs of task workers.

l Knowledge Workers: Knowledge workers use enterprise-level productivity suites and interactive CD-quality audio communication tools, consume high-definition video, and may have some lightweight 3D applications. The Desktop Access and/or Cloud Access solutions would suit the needs of knowledge workers.

l Artists/Designers: Artists and designers perform creative tasks that need high-quality, graphic-intensive 3D rendering for high-definition imaging, video, and animation work. The Cloud Access Plus and/or Workstation Access solution would suit the needs of artists and designers.

l Scientists/Engineers: Scientists and engineers use computer farms and High Performance Computing (HPC) platforms to extract high-resolution visual information and animations from complex data sets. The Cloud Access Plus and/or Workstation Access solution would suit the needs of scientists and engineers.

Deploying virtual workstations that will exceed user expectations requires detailed workload planning to ensure that the client and host hardware are adequately sized for CPU usage, memory usage, storage needs, and network traffic. You can use these worker profiles as guidelines when planning your workload requirements in specific user scenarios. Teradici recommends assessing your own environment using real-world testing with actual applications. Use your results together with the worker definitions Teradici provides below to build your own workload profiles, keeping in mind that more or less bandwidth may be needed to satisfy your user performance expectations and requirements. Note that user perceptions are individualistic and vary based on your workload demands, the operating systems involved, and the specific applications in use. Systems that need fully lossless quality can enable build-to-lossless compression at the expense of increased bandwidth usage, though still far lower than traditional compression. For more information on planning your deployment, see (missing or bad snippet).

Scaling Your Components

As the number of users that your platform supports increases, you may need to adjust your connection manager and security gateway capabilities to accommodate the simultaneous logins and requests to establish PCoIP sessions in terms of brokering, security, and licensing. Teradici provides a system sizing tool that recommends the number of connection managers and security gateways based on the number of remote desktops you are planning to deploy as well as other key considerations, including:

l User bandwidth profiles

l Network distribution

l Connection rates

l Design constraints

The System Sizing Tool is available as a free download from the Teradici Global Support Services web site.


Customized and Extended Teradici All Access Solution Architecture

Teradici All Access can be extended and customized with the Cloud Access Platform solution. Cloud Access Platform is an extension of All Access and provides the flexibility to build customized cloud solutions. The Platform building blocks and standard APIs and SDKs enable customized workflows, endpoint interfaces and client-host interactions, specialized peripheral support, and integration with management infrastructure. With easy-to-integrate components, you can create solutions with maximum flexibility in terms of cloud platforms, brokers, hypervisors, and management tools. You can learn more at Cloud Access Platform.


Frequently Asked Questions

The following are answers to common questions asked when contemplating how to integrate the All Access Software components when building PCoIP-compatible deployments:

Q: What client devices are compatible with the Teradici Cloud Access and Cloud Access Plus plans?
A: The desktop can be accessed remotely from any device including secure PCoIP Zero Clients, PCoIP Software Client for Mac, Windows or Chrome OS, and Mobile Clients including iOS and Android.

Q: What localization options are available?
A: The Cloud Access Software is available in most commonly used languages, including support for multi-language keyboards.

Q: What peripheral devices are supported with PCoIP Technology?
A: Most peripherals are available. USB bulk devices are supported, including human interface devices, network printers, and Bluetooth keyboards. For more information, see Features Supported by PCoIP Technology on page 14.

Q: Are there guidelines available to help tune the PCoIP protocol for our network?
A: Yes. See the (missing or bad snippet) for more information.

Q: Will the PCoIP streams work well behind NATs or firewalls?
A: Yes, the PCoIP protocol has built-in protocols designed specifically around security and high performance. Only a few well-controlled ports need to be opened up (as detailed in the Teradici PCoIP® Connection Manager 1.8 and PCoIP® Security Gateway 1.14 Administrators' Guide). The protocol itself will ensure that all data is encrypted and that only pixels are transmitted to the client.

Q: Can the PCoIP solution be deployed in bandwidth-constrained environments?
A: Yes. Teradici All Access automatically adapts to its bandwidth environment in order to optimize the user experience. Administrators may also configure the PCoIP endpoints to manually handle custom scenarios. For information on the bandwidth Teradici recommends for various workloads, refer to (missing or bad snippet).


Q: Can we build high-availability solutions?
A: Yes. To design a highly resilient solution, we recommend adding a PCoIP-compatible connection broker as outlined in A Closer Look at Deployment Infrastructure Components on page 18.

Q: Is a PCoIP-compatible broker required for all PCoIP deployments?
A: A broker is not required for small PCoIP deployments. It is highly recommended for large deployments where you want to design for high availability and have more control over the user authentication process. A PCoIP-compatible broker is also required if you would like to spin the PCoIP host up or down in real time.

Q: Where can we obtain a PCoIP-compatible broker?
A: A full list of commercial brokers is in Technology Partners on Teradici's support site.


Q: What GPUs are recommended for use with Teradici PCoIP Cloud Access?
A: The best possible performance will be realized with NVIDIA GRID-compatible GPUs. All supported and recommended graphics cards are described in detail in the Teradici PCoIP® Graphics Agent 2.11 for Windows Administrators' Guide and the Teradici PCoIP® Graphics Agent 2.11 for Linux Administrators' Guide, along with information about capabilities and limitations.

Q: Can I get started with a trial public cloud deployment?
A: Yes. You can go to the Teradici website to learn more about a trial deployment. A simple trial deployment can be rapidly prototyped using a single PCoIP client installed on a laptop or PC endpoint connected directly to a PCoIP agent installed on a virtual workstation, configured on your public cloud of choice.

Q: Can I extend my trial public cloud deployment with a formal PoC (Proof-of-Concept)?
A: If you want to extend your trial public cloud deployment into a formal proof of concept, contact a Teradici solution architect.

Q: Can I get started with a trial on-premises datacenter deployment?
A: Yes. PCoIP systems can be easily prototyped or evaluated by downloading the Teradici trial software from the Teradici website. A simple trial deployment can be rapidly prototyped using a single PCoIP client installed on a laptop or PC endpoint connected directly to a PCoIP agent installed on the virtual workstation.

Q: Can I extend my trial on-premises datacenter deployment with a formal PoC?
A: If you want to extend your trial on-premises datacenter deployment into a formal proof of concept, contact a Teradici solution architect.


Teradici Corporation #301-4601 Canada Way, , BC V5G 4X8 Canada phone +1.604.451.5800 fax +1.604.451.5818 www.teradici.com The information contained in this documentation represents the current view of Teradici Corporation as of the date of publication. Because Teradici must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Teradici, and Teradici cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. TERADICI MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Teradici Corporation. Teradici may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Teradici, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Visit Notice of Intellectual Property Rights for more information. © 2004-2018 Teradici Corporation. All rights reserved. Teradici, PC-over-IP, and PCoIP are trademarks of Teradici Corporation and may be registered in the United States and/or other countries. Any other trademarks or registered trademarks mentioned in this release are the intellectual property of their respective owners.
