Configuring the NICE DCV Connection Gateway - NICE DCV Connection Gateway

Configuring the NICE DCV Connection Gateway

This section describes how to configure the NICE DCV Connection Gateway. It introduces the configuration file used by the Connection Gateway and describes the basic configuration required to run the Connection Gateway service. For more information about all the available configuration options, see the Configuration File Reference section.

The NICE DCV Connection Gateway configuration file is located at /etc/dcv-connection-gateway/dcv-connection-gateway.conf. The file uses the TOML format and is organized in sections which control different aspects of the Connection Gateway.

You can edit the configuration file using your preferred text editor.

A basic configuration file will have the following content.

    [gateway]
    web-listen-endpoints = ["0.0.0.0:8443", "[::]:8445"]
    quic-listen-endpoints = ["0.0.0.0:8443"]

    [resolver]
    url = "https://localhost:8081"

    [web-resources]
    url = "https://localhost:8080"

Configuring the Connection Gateway Listener

The [gateway] section controls how the NICE DCV Connection Gateway accepts incoming connections from the clients.

    [gateway]
    web-listen-endpoints = ["0.0.0.0:8443", "[::]:8445"]
    quic-listen-endpoints = ["0.0.0.0:8443"]
    ...

This section includes two parameters, web-listen-endpoints and quic-listen-endpoints, which define the list of TCP and UDP endpoints (respectively) that the Connection Gateway service will bind to and listen on. In the above example, the Connection Gateway is configured to listen for incoming TCP connections on all available IPv4 addresses on TCP port 8443, and on all available IPv6 addresses on port 8445. The Connection Gateway is also configured to listen for incoming UDP connections on all available IPv4 addresses on UDP port 8443. The web-listen-endpoints parameter must be set and non-empty. If the quic-listen-endpoints parameter is not set or is empty, QUIC support is disabled.

This section also allows you to configure the certificates that NICE DCV Connection Gateway presents to the clients:

    [gateway]
    cert-file = "/path/to/cert.pem"
    cert-key-file = "/path/to/key.pem"
    ...

cert-file and cert-key-file respectively specify the path of the X.509 public certificate in PEM format and the path of the file containing the private SSL key in PKCS#8 representation. If these parameters are not specified, the Connection Gateway will generate and use a self-signed certificate.

Configuring the Session Resolver

The [resolver] section controls how the NICE DCV Connection Gateway interacts with a Session Resolver responsible for mapping Session IDs to a destination host running the NICE DCV server.

    ...
    [resolver]
    url = "https://localhost:8081"
    ...

This section includes a mandatory url parameter which specifies the HTTP end-point of the resolver. See Implementing a Session Resolver for more information about the implementation of this end-point.

Depending on where your session resolver end-point is located and how it authenticates connections, you may need to specify additional configuration parameters. In particular, if the end-point has a certificate signed by a private Certification Authority, you may provide the corresponding ca-file with the path of the X.509 CA certificate in PEM format:

    ...
    [resolver]
    ca-file = "/path/to/resolver_ca.pem"
    ...

Or, if it fits your security requirements, you can accept untrusted certificates:

    ...
    [resolver]
    tls-strict = false
    ...

If the session resolver HTTP end-point is configured to require mutual TLS authentication, you will also need to specify the certificate and key that the Connection Gateway uses to prove its identity to the resolver. These files can be the same as the ones specified in the [gateway] section.

    ...
    [resolver]
    cert-file = "/path/to/cert.pem"
    cert-key-file = "/path/to/key.pem"
    ...

Configuring the DCV target servers

The [dcv] section lets you specify options used by the NICE DCV Connection Gateway to connect to the NICE DCV server hosts.

If you are using the NICE DCV server with the automatically generated self-signed certificates, you can use the tls-strict setting to allow the Connection Gateway to connect:

    ...
    [dcv]
    tls-strict = false
    ...

Similarly to the [resolver] section, you can also use the ca-file setting if your fleet of DCV servers uses certificates signed by a private Certificate Authority.

Configuring Web Resources

The [web-resources] section controls how the NICE DCV Connection Gateway forwards HTTP requests to an external Web Server. In particular, the Web Server is used to host the files of a DCV Web Client, so that when a browser connects to the Connection Gateway it can retrieve the HTML, CSS and JavaScript files of the DCV Web Client.

    ...
    [web-resources]
    url = "https://localhost:8080"
    ...

This section is optional and can be omitted if you are not interested in using the DCV Web Client or if client machines retrieve the DCV Web Client from a separate server. If the url parameter is specified, it points to the HTTP end-point of a Web Server which can serve static files, in particular the HTML, CSS and JavaScript files of the DCV Web Client.

Similarly to the [resolver] section, you can also use the ca-file or the tls-strict settings to be able to connect to a Web Server that has a certificate signed by a private Certificate Authority or a self-signed certificate.

    ...
    [web-resources]
    ca-file = "/path/to/resolver_ca.pem"
    ...