VMware Horizon Community
Zaim33
Enthusiast
Enthusiast
Jump to solution

View Security Server Network Traffic Flow

Can anyone clarify some confusion I'm having with the View Security Server. I've looked at various network diagrams of ports and protocols and I'd like to understand how connectivity is handled from an external network to an internal network via a Security server.

My understanding is that a connection is initiated externally to the Security server and this is then forwarded to a Connection server that then authenticates the user and allocates a desktop. At this point the external client connects directly to the View desktop.

However I see some diagrams where the above happens but the connection from external client to View desktop is handled through the Security server.

In the environment we're running from network traces I see the first instance and View desktops trying to communicate through the firewall to the external client. Currently these are blocked by the firewall and connections are not established.

How do other people see this happening?

If you find this information useful, please award points for "correct" or "helpful".
Tags (2)
1 Solution

Accepted Solutions
markbenson
VMware Employee
VMware Employee
Jump to solution

You're correct that the View Client connects to the View Security Server to authenticate and this authentication traffic is forwarded to View Connection Server which handles the actual authentication (to Active Directory and optionally RSA SecurID or RADIUS etc.). If this authentication is successful, then desktop protocol traffic is permitted through Security Server. Any desktop protocol traffic that is not on behalf of an authenticated user is blocked. As Security Server is normally deployed in a DMZ, then Security Server is providing protection for the virtual desktops and RDS hosts to ensure that they are not exposed directly to the Internet.

It is possible to configure View Security Server so that it doesn't act as the gateway for this desktop protocol traffic, but when used to provide remote access from the Internet, it is recommended that the desktop protocols do go via Security Server in order to gain this protection.

The desktop protocols include PCoIP, Blast, RDP, MMR, USB redirect, remote printing etc.

There's a description of remote access to View environments here https://communities.vmware.com/docs/DOC-14974 which covers traffic flows.

If you've set things up to route desktop protocols via Security Server, you may still see initial attempts from the virtual desktop to try to send PCoIP UDP packets directly to the client, but don't worry about those as they won't succeed. As soon as the PCoIP server component on the virtual desktop sees incoming UDP packets from Security Server, it will send reply UDP datagrams back to the Security Server and everything will work as expected.

Hope this helps.

Mark

View solution in original post

4 Replies
roneng
Enthusiast
Enthusiast
Jump to solution

Hello

All external connections are handled by the security gateway.

There are no direct connections from virtual desktops to the clients.

The "security servers" are really just proxy servers.

hope that helps

Reply
0 Kudos
markbenson
VMware Employee
VMware Employee
Jump to solution

You're correct that the View Client connects to the View Security Server to authenticate and this authentication traffic is forwarded to View Connection Server which handles the actual authentication (to Active Directory and optionally RSA SecurID or RADIUS etc.). If this authentication is successful, then desktop protocol traffic is permitted through Security Server. Any desktop protocol traffic that is not on behalf of an authenticated user is blocked. As Security Server is normally deployed in a DMZ, then Security Server is providing protection for the virtual desktops and RDS hosts to ensure that they are not exposed directly to the Internet.

It is possible to configure View Security Server so that it doesn't act as the gateway for this desktop protocol traffic, but when used to provide remote access from the Internet, it is recommended that the desktop protocols do go via Security Server in order to gain this protection.

The desktop protocols include PCoIP, Blast, RDP, MMR, USB redirect, remote printing etc.

There's a description of remote access to View environments here https://communities.vmware.com/docs/DOC-14974 which covers traffic flows.

If you've set things up to route desktop protocols via Security Server, you may still see initial attempts from the virtual desktop to try to send PCoIP UDP packets directly to the client, but don't worry about those as they won't succeed. As soon as the PCoIP server component on the virtual desktop sees incoming UDP packets from Security Server, it will send reply UDP datagrams back to the Security Server and everything will work as expected.

Hope this helps.

Mark

Zaim33
Enthusiast
Enthusiast
Jump to solution

Thanks Mark that's really clear. I wonder why I'm seeing desktops trying to connect directly with the client after authentication has occurred by the Security server. I'll check the external URL's detailed on the Security server and it's paired Connection server.

If you find this information useful, please award points for "correct" or "helpful".
Reply
0 Kudos
markbenson
VMware Employee
VMware Employee
Jump to solution

Let us know if that is anything other than the PCoIP UDP packets I mentioned. In any case they should fail to reach the client and so you shouldn't worry about those.

Mark

Reply
0 Kudos