3 Replies Latest reply on Mar 24, 2015 7:24 AM by markbenson

    Why are there so many PCoIP firewall rules - one for each VM (Security Server to VM)?

    itn_dh Lurker

      Following some documentation I found, it seems to me that I have to set up FW rules between the Security Server and each VM. If I have a lot of VMs, that seems overkill to me.

      See https://pubs.vmware.com/horizon-61-view/topic/com.vmware.ICbase/PDF/view-61-architecture-planning.pdf     Table 5-2, 5-3, or

      VMware View PCoIP Remote Access in View 4.6 - YouTube    time 16:17 onwards.


      And if I went directly, without Security Server and Connection Server, the setup is again per VM.

      See https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/view-agent-601-direct-connection-plugin-administrati…

      Page 13, section "Using Network Address Translation and Port Mapping", through page 16. Table 2-2 explains it nicely.

      (This document just explains it much better than any documentation I found with Security Server involved.)


      Do I really have to add that bunch of rules to the FW for each VM??

      Dan

        • 1. Re: Why are there so many PCoIP firewall rules - one for each VM (Security Server to VM)?
          markbenson Master
          VMware Employees

          itn_dh wrote:

          ..

          Do I really have to add that bunch of rules to the FW for each VM??

          Dan

          Hi Dan,

           

          No. It's true that PCoIP needs to go between Security Server and each VM, but it is more usual to do that with a single PCoIP rule for each Security Server (at the inner firewall). Add a rule that allows PCoIP (TCP 4172 and UDP 4172) from a source IP address of each Security Server.

          You can be sure that Security Server will only connect to virtual desktops that the authenticated user is entitled to, which is why you can simplify the rules you need to add.

          Mark

          • 2. Re: Why are there so many PCoIP firewall rules - one for each VM (Security Server to VM)?
            itn_dh Lurker

            Thanks Mark,

            I think I was not on the point with my question.

            You are right. I can add one or just a few firewall rules on the inside firewall to manage any number of VMs.

            Perhaps what I was referring to was less the firewall rules and more the NAT rules.

            I might not quite understand the way a Security Server acts together with the VMs, though. In the documentation I found so far, there was always a reference to the Security Server connecting to the VMs, with the need to also adapt the NAT rules.

            Perhaps someone could point me to an example which shows exactly what firewall rules AND NAT rules are needed on the outside firewall and the inside firewall?

            Thanks

            Dan

            • 3. Re: Why are there so many PCoIP firewall rules - one for each VM (Security Server to VM)?
              markbenson Master
              VMware Employees

              OK. Yes, I answered the question about firewall rules. BTW: similarly on the outside, Internet-facing firewall, just add rules to allow 443 (TCP), 4172 (TCP and UDP) and 8443 (TCP) to get to each Security Server.

              You can use NAT between the Internet and your Security Servers. This is quite normal. There is a worked example showing this configuration here: Security Server PCoIP Remote Access (the video at the bottom).

              Hope this helps. Feel free to ask more questions as you get into it.

              Mark
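The two rule sets Mark describes (inner firewall: PCoIP per Security Server rather than per VM; outer firewall: 443, 4172 and 8443 to each Security Server, with NAT in front), written out as an added example for a Linux iptables firewall. This is not from the thread or from VMware; the addresses and subnet are constructed placeholders, only the ports come from the replies above.

```shell
# Added example (not VMware's or the thread's own configuration): generate the
# inner and outer rule sets as iptables commands. All addresses are constructed.

# Constructed: "public_ip:dmz_ip" pairs, one per Security Server
SECURITY_SERVERS="198.51.100.5:203.0.113.10 198.51.100.6:203.0.113.11"
DESKTOP_NET="10.20.0.0/16"   # constructed: subnet holding all virtual desktops

# Inner firewall (DMZ -> desktop network): one PCoIP rule per Security Server
# that covers every VM in the subnet, instead of one rule per VM.
inner_rules() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for pair in $SECURITY_SERVERS; do
    dmz_ip=${pair#*:}
    for proto in tcp udp; do
      echo "iptables -A FORWARD -p $proto -s $dmz_ip -d $DESKTOP_NET --dport 4172 -j ACCEPT"
    done
  done
  # Anything else headed for the desktops from the DMZ is dropped.
  echo "iptables -A FORWARD -d $DESKTOP_NET -j DROP"
}

# Outer firewall (Internet -> DMZ): TCP 443, TCP/UDP 4172 and TCP 8443 to each
# Security Server, with NAT from its public address to its DMZ address.
outer_rules() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for pair in $SECURITY_SERVERS; do
    public_ip=${pair%%:*}
    dmz_ip=${pair#*:}
    echo "iptables -t nat -A PREROUTING -d $public_ip -j DNAT --to-destination $dmz_ip"
    echo "iptables -A FORWARD -p tcp -d $dmz_ip -m multiport --dports 443,4172,8443 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -d $dmz_ip --dport 4172 -j ACCEPT"
    echo "iptables -A FORWARD -d $dmz_ip -j DROP"
  done
}

# Print rather than apply, so the generated rules can be reviewed first.
echo "# inner firewall"; inner_rules
echo "# outer firewall"; outer_rules
```

Adding a VM only means it lands in DESKTOP_NET; the inner rule count stays at two per Security Server.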