4 Replies Latest reply on Jan 12, 2015 5:52 AM by markbenson

    View Security Server Network Traffic Flow

    Zaim33 Enthusiast

      Can anyone clarify some confusion I'm having with the View Security Server. I've looked at various network diagrams of ports and protocols and I'd like to understand how connectivity is handled from an external network to an internal network via a Security server.

       

      My understanding is that a connection is initiated externally to the Security server and this is then forwarded to a Connection server that then authenticates the user and allocates a desktop. At this point the external client connects directly to the View desktop.

       

      However I see some diagrams where the above happens but the connection from external client to View desktop is handled through the Security server.

       

      In the environment we're running from network traces I see the first instance and View desktops trying to communicate through the firewall to the external client. Currently these are blocked by the firewall and connections are not established.

       

      How do other people see this happening?

        • 1. Re: View Security Server Network Traffic Flow
          roneng Enthusiast

          Hello

          All external connections are handled by the security gateway.

          There are no direct connections from virtual desktops to the clients.

          The "security servers" are really just proxy servers.

          hope that helps

          • 2. Re: View Security Server Network Traffic Flow
            markbenson Master
            VMware Employees

            You're correct that the View Client connects to the View Security Server to authenticate and this authentication traffic is forwarded to View Connection Server which handles the actual authentication (to Active Directory and optionally RSA SecurID or RADIUS etc.). If this authentication is successful, then desktop protocol traffic is permitted through Security Server. Any desktop protocol traffic that is not on behalf of an authenticated user is blocked. As Security Server is normally deployed in a DMZ, then Security Server is providing protection for the virtual desktops and RDS hosts to ensure that they are not exposed directly to the Internet.

             

            It is possible to configure View Security Server so that it doesn't act as the gateway for this desktop protocol traffic, but when used to provide remote access from the Internet, it is recommended that the desktop protocols do go via Security Server in order to gain this protection.

             

            The desktop protocols include PCoIP, Blast, RDP, MMR, USB redirect, remote printing etc.

             

            There's a description of remote access to View environments here https://communities.vmware.com/docs/DOC-14974 which covers traffic flows.

             

            If you've set things up to route desktop protocols via Security Server, you may still see initial attempts from the virtual desktop to try to send PCoIP UDP packets directly to the client, but don't worry about those as they won't succeed. As soon as the PCoIP server component on the virtual desktop sees incoming UDP packets from Security Server, it will send reply UDP datagrams back to the Security Server and everything will work as expected.

             

            Hope this helps.

             

            Mark

             

             

            • 3. Re: View Security Server Network Traffic Flow
              Zaim33 Enthusiast

              Thanks Mark that's really clear. I wonder why I'm seeing desktops trying to connect directly with the client after authentication has occurred by the Security server. I'll check the external URL's detailed on the Security server and it's paired Connection server.

              • 4. Re: View Security Server Network Traffic Flow
                markbenson Master
                VMware Employees

                Let us know if that is anything other than the PCoIP UDP packets I mentioned. In any case they should fail to reach the client and so you shouldn't worry about those.

                 

                Mark