PCoIP Protocol

Anyone who has tried to run graphics-intensive applications over an application-sharing protocol like RDP knows how badly these technologies fail. The PCoIP protocol, together with dedicated hardware, means that even heavy-duty workstations can be operated remotely.

Powerful workstations for demanding graphics tasks are usually expensive and produce a lot of heat and fan noise. These devices also often process sensitive data that must not be lost or allowed to fall into the hands of competitors. Moreover, the same data might need to be accessed by multiple users at different locations, such as for a joint venture in which several companies are developing a product.

Thus, maximum data security (through centralized data storage and the ability to assign restrictive permissions), as well as spatial and geographic independence (through distributed use of central resources and better workplace ergonomics), favor the use of remote rather than static workstations.

For these reasons, it makes sense to set up the workstations in the data center, where they are under the control of the IT department and can be integrated more easily with the existing data center infrastructure (e.g., access control, centralized backup, UPS, air conditioning). Furthermore, this arrangement prevents physical access to the hardware, so a data thief cannot simply clone or remove the hard disk holding the project data.

The PCoIP (PC over IP) technology was developed by the Canadian company Teradici specifically to display graphical output over IP networks (see the “Advantages of PCoIP” box). PCoIP transmits audio and USB signals, as well. Most administrators are probably already familiar with PCoIP from VMware’s VDI solution, VMware Horizon View; VMware licensed PCoIP from Teradici and integrated it into their own product.

PCoIP uses a client-server model and requires additional hardware on the side where the data is processed (the host). This hardware is responsible for rendering the display information, compressing it, and encrypting it.

At the remote workplace (client), you then use a thin client (in Teradici-speak, a “zero client”) to access the workstation in the data center. To restrict users to the required programs and data, PCoIP can explicitly allow or prohibit USB devices that are passed through from the zero client to the workstation.

Workstation with Host Card

With a host card, you can turn a powerful Windows or Linux PC (and, probably from Q3 2013, Macintosh computers) into a remote workstation in an instant. Teradici offers the adapter as a pure host card for the PCIe bus; alternative models have integrated graphics processors. Teradici sources the hardware from various manufacturers, such as EVGA or Leadtek. The classic host cards, the TERA2220 and TERA2240, differ in imaging performance and in the number of displays they can drive. The simplest model (the TERA2220, Figure 1) has two Mini DisplayPorts and an imaging performance of up to 130 megapixels per second (Mpps).

Figure 1: TERA2220 host card with two Mini DisplayPorts and an RJ45 Ethernet port.

The TERA2240 can accommodate a total of four displays (also Mini DisplayPorts) and achieve an imaging performance of up to 250Mpps. For a good overview of the functionality and performance of currently available host cards, visit the Teradici website. The TERA1202, which is still listed with two DVI ports, has now been discontinued. Nearly every major hardware vendor (IBM/Lenovo, HP, Dell, Fujitsu, etc.) offers PCoIP host workstations with integrated cards and zero clients as OEM products.

The plugin cards have the standard PCI Express form factor and need only a free full-height, half-length (FHHL) PCIe slot for the TERA2240 or a low-profile slot for the TERA2220, plus one or two matching video cards. For high resolutions, such as 2560x1600, the Teradici card requires DisplayPort input; dual-link DVI is not supported. The supported workstation operating systems are Windows and Linux. In principle, no driver installation is required, because the operating system recognizes the card as a USB controller and an audio codec. Teradici does offer a host software package, but installing it is not mandatory.

Installing the card is a breeze: You only need to open the computer case and seat the card in a slot. An optional power cable is supplied with the card; if you connect it between the header on the card and the computer's power button, the workstation can later be powered on and off from the remote terminal. After installing the card, connect the DisplayPort output(s) of the graphics card(s) to the DMS-59 port on the host card with the supplied Y-cable to pass on the video signal. Finally, connect the Ethernet port on the host card to the LAN. In the default configuration, the host card obtains an IP address via DHCP; from then on, both the host card's web configuration interface and the workstation itself (via PCoIP) are reachable over the network. Keep in mind that the configuration interface is open to anyone on the LAN until you set a password on it (see below).

Starting up a Zero Client

Teradici zero clients — which the documentation somewhat confusingly also calls Desktop Portals — are based on commercial thin client hardware and come from vendors like HP, Wyse, Fujitsu, and Dell (Figure 2).

Figure 2: EVGA 126-IP-PD06-KR PCoIP zero client.

Zero clients, such as the EVGA 126-IP-PD06-KR and the Leadtek TERA2140 and TERA2321, are the perfect counterpart to host cards. Because a zero client has no operating system of its own, only firmware, no software can be installed on it; you therefore don't need a virus scanner or operating system updates, which by itself improves security. The firmware still has to be kept current, though, because it is the code that handles the network traffic and the device's web interface.

Zero clients are therefore just as easy to maintain as thin clients in terminal server environments. Like thin clients, zero clients are fanless and therefore completely silent. Depending on the model, the units have two to four DVI-D, DVI-I, or DisplayPort connectors for monitors. A keyboard, a mouse, and other USB devices, such as external hard drives or flash memory, can be connected to the USB ports. Audio jacks for speakers and a microphone or a headset and a Gigabit Ethernet port are also available.

Simply Connect

Under the hood, the zero client runs Teradici firmware containing the PCoIP client, which decompresses the display, USB, and audio data coming from the workstation with the plugin card. To start, you just connect the zero client to a monitor, mouse, keyboard, and network. After you switch it on, the client first shows a simple welcome screen. Clicking Connect makes the zero client search the network via broadcast for systems with a host card. Recognized machines are then listed with their IP and MAC addresses. To connect, simply click the desired system in the list; the login screen of the workstation operating system appears immediately, and you log in with the credentials of the workstation.

Security Aspects

As already mentioned, the advantage of remote workstations is not only that they can be used independent of location; they also contribute significantly to privacy and security. Apart from the obvious protection against physical tampering and the fact that only encrypted data travels between the zero client and the host card, zero clients offer several ways of restricting access to the workstation. You can password-protect the menus and configuration of the zero client itself, and you can restrict whether, and which, USB devices may be used on the zero client and thus on the workstation. Both controls are only as strong as the password on the device's configuration interface, so set it before handing the client to a user.

Configuring the Host Card and Zero Client

Both the host cards and the zero clients have a built-in web server that provides a configuration interface (Figure 3).

Figure 3: The PCoIP host card (left) and zero client (right) are managed via an easy-to-use, web-based interface that lets you adjust extensive settings.

To access the configuration interface, you need to know the IP address of each device: The host card's IP address is displayed during discovery on the zero client's screen, and the zero client's own IP address is found under Options | Configuration | Network on the login screen. Alternatively, run a network scanner to find the PCoIP devices on the network. With Nmap, a ping scan (-sP; renamed -sn in newer Nmap versions, with -sP kept as an alias) does this quickly (Listing 1). The grep in Listing 1 relies on the devices' default hostnames being resolvable via reverse DNS, which is the case when your DHCP server registers client names in DNS.

Listing 1: IP Address Discovery with Nmap

$ nmap -sP 192.168.0.0/24 | grep pcoip
Nmap scan report for pcoip-portal-008064862335(192.168.0.190)
Nmap scan report for pcoip-host-0030040d26fc(192.168.0.195)

In this case, a host card (pcoip-host) and a zero client (pcoip-portal) were detected; the 12 hex digits at the end of each name are the device's MAC address. To access a device's settings, enter its IP address in your web browser. You then have access to all configuration parameters and can, for example, change network settings, adjust bandwidth usage, or set a password that protects the configuration interface and the configuration itself. Furthermore, you can read extensive diagnostic information, upload new firmware to the device, or apply restrictions (e.g., on usable USB devices).
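The following shell script is an added example and is not part of the article or of Teradici's software. It turns the output of the Nmap ping scan from Listing 1 into a small inventory of PCoIP devices, using only the default hostname scheme visible there (pcoip-host-<mac> and pcoip-portal-<mac>). Because those names come from reverse DNS, i.e., from whatever the DHCP/DNS server registered, the script also compares the MAC embedded in the name with the "MAC Address:" line that Nmap prints from ARP when run as root on the local segment, and flags devices whose real MAC does not match their name. The sample scan output at the bottom is constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example, not from the article: build a PCoIP device inventory from the
# Nmap ping scan in Listing 1. It relies only on the default device hostnames
# seen there: pcoip-host-<mac> for host cards and pcoip-portal-<mac> for zero
# clients, where <mac> is the device's MAC address without separators.
# The names come from reverse DNS, so when Nmap is run as root on the local
# segment the script also checks them against the "MAC Address:" line Nmap
# prints from ARP and flags devices whose real MAC does not match their name.

# pcoip_inventory: read Nmap normal output on stdin, print one line per device:
#   <host|portal> <ip> <mac-from-name> <mac-ok|unverified|MAC-MISMATCH <seen>>
pcoip_inventory() {
    awk '
    function flush() {
        if (kind != "") {
            status = "unverified"
            if (seen != "") status = (seen == mac) ? "mac-ok" : ("MAC-MISMATCH " seen)
            print kind, ip, mac, status
        }
        kind = ""; seen = ""
    }
    /^Nmap scan report for / {
        flush()
        name = $5
        sub(/\(.*/, "", name)          # older Nmap prints name(ip) without a space
        if (name !~ /^pcoip-(host|portal)-[0-9A-Fa-f]+$/) next
        split(name, part, "-")
        raw = tolower(part[3])
        if (length(raw) != 12) next    # not a MAC-derived default name
        kind = part[2]
        mac = ""
        for (i = 1; i <= 12; i += 2)
            mac = mac (i > 1 ? ":" : "") substr(raw, i, 2)
        ip = $0; sub(/.*\(/, "", ip); sub(/\).*/, "", ip)
    }
    /^MAC Address: / && kind != "" { seen = tolower($3) }
    END { flush() }
    '
}

# Constructed sample in the format Nmap prints when run as root; not a real
# capture. The third entry is a machine (VirtualBox OUI 08:00:27) that calls
# itself a host card but does not carry the MAC its name claims.
SAMPLE='Nmap scan report for pcoip-portal-008064862335(192.168.0.190)
MAC Address: 00:80:64:86:23:35 (Unknown)
Nmap scan report for pcoip-host-0030040d26fc(192.168.0.195)
MAC Address: 00:30:04:0D:26:FC (Unknown)
Nmap scan report for pcoip-host-0030040dffff(192.168.0.77)
MAC Address: 08:00:27:11:22:33 (Unknown)
Nmap scan report for 192.168.0.1'

# Live use (needs nmap, root for the ARP lines, and names resolvable via DNS):
#   nmap -sn 192.168.0.0/24 | pcoip_inventory
printf '%s\n' "$SAMPLE" | pcoip_inventory
```

A device reported as MAC-MISMATCH is not necessarily malicious (a stale DNS entry produces the same result), but it is exactly the case you want to look at before trusting the web interface behind that address. Devices scanned across a router show up as "unverified", because Nmap cannot see their MAC addresses there.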

In the download section of its website, Teradici provides a knowledge base with firmware updates and optional software. For access to the knowledge base, free registration is required, for which you must enter some personal data.

Fundamentally, although you do not need to install additional software on a computer with a Teradici host card, the optional, free host software provides some convenient functions (Figure 4).

Figure 4: The optional host software adds a number of convenience functions on the remote workstation, such as changing the Wake-on-LAN settings for the network card and locking the host after the zero client logs out.

For example, the host software gives you access to the Wake-on-LAN parameters of the host card's built-in network interface. Furthermore, remote sessions can then be stopped with a mouse click, a function otherwise reserved for the power button on the zero client. Because the host software communicates directly with the host card, it also provides convenient access to detailed host statistics.

Automatically Locked

Automatic locking of the host PC after terminating a remote workstation session is another software function, and if you want to deploy PCoIP sessions with the help of a third-party connection broker, such as VMware Horizon View, the host software is mandatory. For more information about the features supported by Teradici Connection Broker, see the box titled “Third-Party Connection Broker.”

Only Source Code for Linux

Teradici provides host software for Windows, Linux, and Mac OS X 10.5. However, the Linux version is unfortunately only available as a source tarball; prebuilt packages for Linux distributions do not currently exist. That said, the downloaded ZIP file contains comprehensive documentation describing how to build RPM packages for CentOS, SUSE Linux Enterprise, and Fedora from the source. Installers are included for Windows (32/64-bit) and Mac OS X. You download the software from the Teradici knowledge base and install it on the host operating system.

For the software to communicate with the host card, you still have to enable the host driver function on the card: Connect to the host card's IP address in your browser, log in, and go to Configuration | Host Driver Function. Activating it requires a reset of the host card, which you can also trigger from the web interface.

On Windows, the host software places an icon in the system tray. Right-clicking the icon lets you terminate a PCoIP session, start the host software, or view statistics. Properties takes you to further features, such as Lock host PC upon session termination, or lets you enable Wake-on-LAN.

Centralized Management

The Teradici Management Console (TMC) is a powerful and free tool for centralized management. Thankfully, the product is delivered as a VMware virtual appliance, so no installation of the Management Console is required (Figure 5).

Figure 5: The console for centralized management of the Teradici host card and zero client is available free of charge as a VMware virtual appliance. With a one-liner on the command line, you can also easily start it in VirtualBox.

Alternative with VirtualBox

If you do not have a VMware ESX server, Workstation, or Player, you can run the VM on VirtualBox. To begin, download the ZIP file and extract it to a directory on your hard drive. Then, change to that directory and run the following command in the shell:

vboxmanage clonehd --format vdi PCoIP_MC_rel-1.9.0-rc_pcoipmc_1_9@3334.vmdk \
   PCoIP_MC_rel-1.9.0-rc_pcoipmc_1_9@3334.vdi

to convert the disk image from VMware (VMDK) to VirtualBox (VDI) format. (VirtualBox 5 and later call this subcommand clonemedium; clonehd is still accepted as an alias.)

In VirtualBox, create a new virtual machine and select the newly created VDI file via Use existing hard disk.

VirtualBox then registers the VM in the VirtualBox Manager. If you change the VM's network setting from NAT to Bridged Adapter, the VM obtains an IP address on your LAN via DHCP.
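As an added example (not part of the article and not Teradici's or Oracle's code), the GUI steps above can be scripted with VBoxManage so that the import is repeatable. The script assumes VirtualBox is installed, the appliance ZIP has been extracted into the current directory, and that BRIDGE_IF names the host interface that sits on the same LAN as the PCoIP devices; the VM name PCoIP-MC, the memory size, and the choice of a SATA controller are assumptions for the example. With DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the article: the VirtualBox GUI steps as a
# VBoxManage script. Assumptions: VirtualBox is installed, the appliance ZIP
# is extracted into the current directory, BRIDGE_IF is the host interface on
# the LAN with the PCoIP devices. Set DRY_RUN=1 to print instead of execute.

VM_NAME="${VM_NAME:-PCoIP-MC}"
BRIDGE_IF="${BRIDGE_IF:-eth0}"
VMDK="${VMDK:-PCoIP_MC_rel-1.9.0-rc_pcoipmc_1_9@3334.vmdk}"
VDI="${VMDK%.vmdk}.vdi"

# run: execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mc_import: convert the disk, register a VM around it, bridge its NIC, start it.
mc_import() {
    # 1. VMDK -> VDI, as in the article. (Newer VirtualBox can also attach the
    #    .vmdk directly; the converted copy leaves the download untouched.)
    run VBoxManage clonehd --format vdi "$VMDK" "$VDI"

    # 2. Register an empty VM. The appliance is Ubuntu 8.04, a 32-bit guest;
    #    1024 MB is an assumed size, not a Teradici requirement.
    run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu --register
    run VBoxManage modifyvm "$VM_NAME" --memory 1024 --nic1 bridged --bridgeadapter1 "$BRIDGE_IF"

    # 3. Attach the converted disk. (Assumption: the guest finds its root disk
    #    on AHCI; if it does not boot, recreate the controller with '--add ide'.)
    run VBoxManage storagectl "$VM_NAME" --name "SATA" --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl "SATA" --port 0 --device 0 --type hdd --medium "$VDI"

    # 4. Start without a GUI window. Use '--type gui' instead if you want the
    #    console's text menu (hostname, time zone) on a VirtualBox window.
    run VBoxManage startvm "$VM_NAME" --type headless
}

# Run as:  sh mc_import.sh import      (or DRY_RUN=1 sh mc_import.sh import)
if [ "${1:-}" = "import" ]; then
    mc_import
fi
```

After the VM is up, it requests an address via DHCP on the bridged interface, and the address shows up in the console's text menu just as with the GUI procedure; from there the rest of the setup is the same as described next.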

The address then appears in the Management Console's simple text-based menu, where you can also change other parameters, such as the hostname or the time zone. The PCoIP Management Console is based on Ubuntu 8.04 LTS and is otherwise operated entirely through the web browser; you open it by entering its IP address in your browser. Because Ubuntu 8.04 reached the end of its support life in 2013, the appliance belongs on a restricted management network and should be kept at the latest version Teradici provides. In the Manage Devices section, all Teradici PCoIP devices on the network are detected and listed automatically (Figure 6).

Figure 6: Simple but functional: The PCoIP Management Console automatically searches the network for host cards and zero clients and offers a variety of management functions for administrators.

You can now use the Groups, Profiles, Power and Update settings to group the devices and store them with profiles, automatically power devices on and off, or distribute updates.

Additionally, Teradici notes that various network and vulnerability scanners (e.g., Retina Network Security Scanner and McAfee Foundstone) regularly report false positives against the Management Console. Teradici provides detailed background information and tips on dealing with these findings in a separate document.

Client Software

One weak point in the Teradici remote workstation concept is the lack of the planned PCoIP software client, which is currently in alpha and is to be distributed free of charge to customers and partners in September 2013. Windows and Mac versions are under development, with Linux users left out on the client side for the time being; the reverse direction (access from a Windows or Mac software client to a workstation with a host card running Linux) is possible. For 2014, a software client for tablets (probably Android) is also planned. Teradici kindly provided a preliminary version of the Windows client for this article.

Slow Watch

In a way similar to VMware View, you can access remote workstations with a Teradici host card using the client software (Figure 7).

Figure 7: With the Teradici PCoIP software client, users can connect to the remote workstation without a zero client. The client, expected to be on the market by September 2013, communicates directly with the host card in an encrypted session.

However, this direct-connect functionality will probably be more interesting for users who work with a remote workstation only occasionally rather than permanently (e.g., a development partner who needs access to the workstation via a VPN connection). This is supported by the fact that the software client cannot keep up with zero clients in terms of performance: Teradici speaks of a “significant performance overhead,” so the client software is mainly intended for viewing and less for interactive CAD work.

Only the mouse and keyboard are supported as USB devices; other USB devices, such as mass storage, cannot be used with the software client. The connection between the client software and the host card is encrypted by default using SSL/TLS (AES 256-bit).

Conclusions

The use of remote workstations with zero clients, or in combination with connection brokers and software clients, in data center operations is of particular interest to companies that want to deploy graphically rich applications such as CAD/CAM regardless of location. From the point of view of data leakage prevention (e.g., against industrial espionage), it is also advisable to eliminate direct hardware access for users. This setup is easy on your nerves as well, because noise and heat are dealt with in the data center rather than at the workplace.


The Author

Thomas Zeller is an IT consultant and has been involved with IT security and open source for 15 years. He is the author and co-author of OpenVPN Compact and Mind Mapping with Freemind. In real life, he is the managing director of a medium-sized IT system integrator, where he is also responsible for the IT security division.
