Live Chat Software by Kayako
Knowledgebase: RDP on Unbuntu
PC over IP
Posted by Thang Le Toan on 05 August 2018 10:33 AM

Light Meals

Article from ADMIN 16/2013
By Thomas Zeller
Anyone who has tried to to run graphics-intensive applications using an application-sharing protocol like RDP knows how miserably these technologies fail. But the PCoIP protocol and special hardware means that even heavy-duty workstations can operate remotely.

Powerful workstations for demanding graphics tasks are usually expensive and produce a lot of heat and fan noise. These devices also often process sensitive data that must not be lost or allowed to fall into the hands of competitors. Moreover, the same data might need to be accessed by multiple users at different locations, such as for a joint venture in which several companies are developing a product.

Thus, maximum data security, (through centralized data storage and the ability to assign restrictive permissions) as well as spatial and geographic independence (through the distributed use of central resources and workplace ergonomics) favor the use of remote, instead of static, workstations.

For these reasons, it makes sense to set up workstations at the data center, where they are under the control of the IT department and can be more easily integrated with the existing data center infrastructure (e.g., access control, centralized backup processes, UPS, air conditioning). Furthermore, this arrangement prevents physical access to the hardware, removing the ability of data thieves simply to clone or remove the hard disk with the project data.

The PCoIP (PC over IP) technology was developed by the Canadian company Teradici [1] specifically to display graphical output over IP networks (see the "Advantages of PCoIP" box). PCoIP transmits audio and USB signals, as well. Most administrators are probably already familiar with PCoIP from VMware's VDI solution, VMware Horizon View [2]; VMware licensed PCoIP from Teradici and integrated it into their own product.

Advantages of PCoIP

In contrast to the widespread terminal server protocols, PCoIP is much faster and achieves virtually lossless representation of graphically demanding applications. These advantages are achieved in the following way:

  • The fast UDP protocol is used to transport display information over the network (but see the "Remote Workstations and Firewalls" box).
  • Graphics are not rendered on the client side but on the host (host rendering). Only encrypted and compressed pixel information is transmitted between the remote client and the host.
  • A codec that exactly matches the graphics type is used for compression on the desktop (e.g., icons, videos, text, graphics, etc.).
  • The PCoIP Protocol automatically adjusts the image quality of the graphics output to match the prevailing network bandwidth. If little bandwidth is available, the system gradually reduces image quality so the user can continue to work smoothly. Similarly, image quality is increased again when more bandwidth becomes available.

Remote Workstations and Firewalls

PCoIP uses the UDP protocol to transport display output across the network, which unfortunately does not work well with firewalls. Because remote access to a workstation at the data center is either over the LAN or via a VPN connection, this is not typically a problem. However, when internal firewalls enter the game (e.g., between the client LAN and server backbone) or VPN packets are filtered, you need to enable various ports (5001, 5002, 4172 TCP/UDP), in addition to management ports through which, for example, the firmware on the host card can be updated. The ports that need to be allowed depend on the firmware or software release used on the host and client side.

PCoIP uses the client-server model and requires additional hardware, on which data is processed (the host).This hardware is responsible for rendering the display information, compression, and encryption.

At a remote workstation (client), you can then use a thin client (in Teradici-speak, "zero client") to access the workstation at the data center [3]. To allow authorized users to work with the required programs and data, PCoIP can allow or prohibit looped USB devices explicitly.

Workstation with Host Card

With a host card, you can turn a powerful Windows or Linux PC (and probably Macintosh computers from 2013Q3) into a remote workstation in an instant. Teradici offers this adapter as a pure host card for the PCIe bus; alternative models have integrated graphics processors. Teradici sources the hardware from various manufacturers, such as EVGA [4] or Leadtek [5] [6]. The classical host cards, TERA2220 [5] and TERA2240 [6], differ in terms of imaging performance and the possible number of connected displays. The simplest model (TERA2220, Figure 1) provides support for two Mini DisplayPorts and imaging performance of up to 130 megapixels per second (Mpps). The TERA2240 can accommodate a total of four displays (also Mini DisplayPorts) and achieve an imaging performance of up to 250Mpps. For a good overview of the functionality and performance of currently available host cards, visit the Teradici website. The TERA1202, which is still listed with two DVI ports, has now been discontinued. Nearly every major hardware vendor (IBM/Lenovo, HP, Dell, Fujitsu, etc.) offers PCoIP host workstations with integrated cards and zero clients as OEM products.

Figure 1: TERA2220 host card with two Mini DisplayPorts and an RJ45 Ethernet port.

The plugin cards with the standard PCI Express form factor need only a free full-height, half-length (FHHL) PCIe slot for the TERA2240 or a low-profile slot for the TERA2220 and one or two video cards to match. For high resolutions, such as 2560x1600, the Teradici requires a DisplayPort – dual-link DVI is not supported. The supported workstation operating systems are Windows and Linux. In principle, no driver installation is required because the card is recognized by the operating system as a USB controller and audio codec. Although Teradici offers a host software install, this is not mandatory.

Installing the card is a breeze because you only need to remove the computer housing and slip the card into a slot. Optionally, the card comes with a power cable. If you connect this cable to the cable connector on the card and the power button in the computer, the workstation can later also be powered on and off via the remote terminal. After installing the card, you then connect the DisplayPort output(s) on the graphics card(s) using the Y-connector provided to the DMS-59 port on the host card to pass on the graphic signals. Finally, the Ethernet port on the host card is connected to the LAN. In the default configuration, the host card automatically obtains an IP address via DHCP; afterward, both the configuration interface of the host card and the workstation are then accessible via PCoIP.

Starting up a Zero Client

Teradici zero clients – which the documentation somewhat confusingly also calls Desktop Portals – are based on commercial thin client hardware and come from vendors like HP, Wyse, Fujitsu, and Dell (Figure 2). Zero clients [7]-[9] provide the perfect counterpart to host cards. Because a zero client does not have its own operating system, just firmware, no software can be installed on the device, so you don't need to install a virus scanner or update the operating system, ensuring more security on its own.

Figure 2: EVGA 126-IP-PD06-KR PCoIP zero client.

Zero clients are therefore just as easy to maintain as thin client systems in terminal server environments. Like thin clients, zero clients are fanless and therefore completely silent. Depending on the model, the units are equipped with two to four DVI-D or DVI-I or DisplayPorts for connecting monitors. A keyboard and mouse and other USB devices that operate as external hard drives or flash memory can be connected to the USB ports. Also available are audio jacks for speakers and a microphone or a headset and a Gigabit Ethernet port.

Simply Connect

Under the hood, the zero client has the Teradici firmware containing the PCoIP client, which decompresses the display, USB, and audio signals from the workstation with the plugin card. To start, you just connect the zero client to a monitor, mouse, keyboard, and network. After you turn it on, the client first displays a simple welcome screen. Clicking Connect tells the zero client to search the network via broadcast for systems with a host card. Recognized machines are then displayed in a list with their respective IP and MAC address for the connection. To connect, simply click on the desired system in the list; the login screen of the workstation operating system displays immediately, and you can log in with the credentials of the workstation.

Security Aspects

As already mentioned, the advantage of using remote workstations is not just that they can be operated independent of location – they also make a significant contribution to greater privacy and security. Apart from the obvious protection against physical manipulation and the fact that only encrypted information is shared between the zero client workstation and the host card, the zero clients also offer several ways of restricting access to the workstation. Of course, you also can password-protect the menus and configuration of the zero client itself, as well as restrict whether and which USB devices can be used on the zero client and thus on the workstation.

Configuring the Host Card and Zero Client

Both the host cards and the zero clients have a built-in web server that provides a configuration interface (Figure 3). To access the configuration interface, you must know the IP address of each device: The IP address of the workstation host card is displayed during the discovery process on the zero client's screen, and the IP address of the zero client is found with Options | Configuration | Network on the login screen. Alternatively, you can run a network scanner to determine the IP addresses of the PCoIP devices on the network. With Nmap, you can do this quickly and easily with the ping scan method (-sP; Listing 1).

Figure 3: The PCoIP host card (left) and zero client (right) are managed via an easy-to-use, web-based interface that lets you adjust extensive settings.

Listing 1

IP Address Discovery with Nmap

$ nmap -sP 192.168.0.0/24 | grep pcoip
Nmap scan report for pcoip-portal-008064862335(192.168.0.190)
Nmap scan report for pcoip-host-0030040d26fc(192.168.0.195)

In this case, a host card (pcoip-host) and a zero client (pcoip-portal) were detected. To access the settings of the systems, you enter the IP address in your web browser. You then have access to all configuration parameters and can, for example, change network settings, adjust bandwidth usage, or set a password to protect the configuration interface and configuration. Furthermore, you can read extensive diagnostic information, transfer new firmware to the device, or apply restrictions (e.g., on usable USB devices).

In the download section of its website, Teradici provides a knowledge base with firmware updates and optional software. For access to the knowledge base, free registration is required, for which you must enter some personal data.

Fundamentally, although you do not need to install additional software on a computer with an integrated Teradici host card, the optional and free host software provides some convenient functions (Figure 4).

Figure 4: The optional host software adds a number of convenience functions on the remote workstation, such as changing the Wake-on-LAN settings for the network card and locking the host after the zero client logs out.

For example, the host software gives you access to the Wake-on-LAN parameters of the built-in host network card. Furthermore, remote sessions can then be simply stopped with a click of the mouse, although this function is normally reserved for the power button on the zero client. Because the host software communicates directly with the host card, the software also provides convenient access to detailed host statistics.

Automatically Locked

Automatic locking of the host PC after terminating a remote workstation session is another software function, and if you want to deploy PCoIP sessions with the help of a third-party connection broker, such as VMware Horizon View, the host software is mandatory. For more information about the features supported by Teradici Connection Broker, see the box titled "Third-Party Connection Broker."

Third-Party Connection Broker

Clients in larger VDI environments no longer connect directly with virtual machines or remote workstations. Instead, a connection broker handles this job. It takes over the management of the VMs, allocates remote user access to the appropriate resources, and takes care of the load distribution. The Teradici host cards currently support connection brokers by VMware, Ericom [10], and LeoStream [11].

In the medium term, broker support will be extended to other products, and Teradici will "possibly" even release its own mini-broker. So far, this is not official, so one can only speculate.

If VMware Horizon View is used as a connection broker, you can use the VMware View software client on the client side. In conjunction with the VMware View Security Server, this even works over the Internet.

Only Source Code for Linux

Teradici provides host software for Windows, Linux, and Mac OS X 10.5. However, the Linux version is unfortunately only a source tarball: Complete packages for Linux distributions do not exist currently. That said, the ZIP file with the download contains comprehensive documentation that describes how to create RPM packages for CentOS, SUSE Enterprise Linux, and Fedora from the source. Installers are included for Windows (32/64 bit) and Mac OS. You need to download the software from the download section of the Teradici knowledge base and install it on the host operating system.

For communication between the software and the host card to work, you then still have to enable the host driver function for the card. To do this, connect to the IP address of the host card in your browser, log in, and find Configuration | Host Driver Function . To activate this, you need to reset the host card, which you can also do using the web interface.

On Windows, the host software dumps an icon into the system tray. Right-clicking the icon lets you terminate a PCoIP session, start the host software, or view statistics. Open Properties takes you to more features, such as Lock host PC upon session termination , or lets you enable Wake-on-LAN .

Centralized Management

The Teradici Management Console (TMC) is a powerful and free tool for centralized management. Thankfully, the product is delivered as a VMware virtual appliance, so setting up the Management Console is not required (Figure 5).

Figure 5: The console for centralized management of the Teradici host card and zero client is available free of charge as a VMware virtual appliance. With a one-liner on the command line, you can also easily start it in VirtualBox.

Alternative with VirtualBox

If you do not have a VMware ESX server, Workstation, or Player, you can run the VM on VirtualBox. To begin, download the ZIP file and extract it to a directory on your hard drive. Then, change to that directory and run the following command in the shell:

vboxmanage clonehd --format vdi PCoIP_MC_rel-1.9.0-rc_pcoipmc_1_9@3334.vmdk PCoIP_MC_rel-1.9.0-rc_pcoipmc_1_9@3334.vdi

to convert the file from VMware to VirtualBox format.

In VirtualBox, you can create a new virtual machine and select the newly created VDI file by pressing Use existing hard disk .

VirtualBox will now automatically create the VM in the VirtualBox Manager. If you change the network settings of the VM from NAT to Network Bridge , the VM is automatically assigned an appropriate IP address for your LAN.

The address then appears in the Management Console, where you can also change other parameters, such as the hostname or the time zone, in a simple text-based menu. The PCoIP Management Console is based on Ubuntu 8.04 LTS and is operated entirely through the web browser; therefore, you can just open the Management Console by entering the IP address in your web browser. In the Manage Devices section, all Teradici PCoIP devices on the network are detected and listed automatically (Figure 6).

Figure 6: Simple but functional: The PCoIP Management Console automatically searches the network for host cards and zero clients and offers a variety of management functions for administrators.

You can now use the Groups , Profiles , Power and Update settings to group the devices and store them with profiles, automatically power devices on and off, or distribute updates.

Additionally, Teradici advises that various network and vulnerability scanners (e.g., Retina Network Security Scanner and McAfee Foundstone) regularly return false positives if you use the Management Console. Teradici provides detailed background information and tips on dealing with these messages in a separate document.

Client Software

One weak point in the Teradici remote workstation concept is the lack of the planned software PCoIP client, which is currently in the alpha stage and will be distributed free of charge to customers and partners in September 2013. A Windows and a Mac version are under development – with Linux users being left out on the client side for the time being; however, the reverse direction (i.e., access to a Win/Mac client on workstations with a host card running under Linux) is possible. For 2014, a software client for tablets (probably Android) is also planned. Teradici kindly provided a preliminary version of the client for Windows for this article.

Slow Watch

In a way similar to VMware View, you can access remote workstations with a Teradici host card using the client software (Figure 7). However, this direct connect functionality will probably be more interesting to users who do not work permanently, but only occasionally, with a remote workstation (e.g., a development partner who needs access to the workstation via a VPN connection). This approach is supported by the fact that the software client cannot keep up with the zero clients in terms of performance. Teradici speaks of a "significant performance overhead," so the client software is mainly for viewing purposes and less for interactive CAD work.

Figure 7: With the Teradici PCoIP software client, users can connect to the remote workstation without a zero client. The client, expected to be on the market by September 2013, communicates directly with the host card in an encrypted session.

Only the mouse and keyboard are supported as USB devices. Other USB devices, such as mass storage, cannot be used in conjunction with the software client. The connection between the client software and workstation host card is encrypted by default using SSL/TLS (AES 256-bit).

Conclusions

The use of remote workstations with zero clients – or in combination with connection brokers and software clients – in data center operations is of particular interest to companies that want to deploy graphically rich applications such as CAD/CAM, regardless of location or need. From the point of view of "Data Leakage Prevention" (e.g., industrial espionage), it is also advisable to discontinue direct hardware access for users. This setup is also easy on your nerves, because noise and heat are handled not at the workplace but in the data center.

The Author

Thomas Zeller is an IT consultant and has been involved with IT security and open source for 15 years. He is the author and co-author of OpenVPN Compact and Mind Mapping with Freemind . In real life, he is the managing director of a medium-sized IT system integrator, where he is also responsible for the IT security division.

(0 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
CAPTCHA Verification 
 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).

Help Desk Software by Kayako