I have a security question for View experts.
How can I get IP addresses of the physical View clients that connect to the VMs?
We need to use source IP addresses for application access control.
Also, we want to log these IP for eventual forensic purposes.
Any ideas how to do this?
Take a look at http://blogs.vmware.com/thinapp/2010/09/looking-up-view-client-machine-info-and-using-it-in-a-thinap... to see if this is what you are looking for.
I checked the link and it seems the data is read from the user registry hive.
Therefore, the user can easily alter this information and it is inappropriate for logs or access control.
Is there any more reliable source?
I am very surprised that View Manager does not have a simple log with the IP addresses of clients.
This looks as a basic feature for me that must be present in the products like this.
I use a powershell login script to find the ip address for printing purposes. Essentially I find the connection using the pcoip port and go backwards. Maybe you can do something with that.
This would be an interesting idea.
I found several mentions of the client IP addresses in the debug logs of View Manager and View Client.
However now I need to find a way to recover these data in real time without impacting peformance of the server.
I would prefer to collect this information from the server as it is more secure.
As View Manager is based on Tomcat, I am wondering if it is possible to create a custom logger in Tomcat for this purpose?
Thank you for the suggestion.
I tried it but unfortunately in my case the client switches to UDP (for performance reasons?) so there is no "connection" established.
The IP of the Client is also noted in the volatile environment of the View Agent at the time a client connects\user logs in. This is located in the registry at "HKCU\Volatile environment\ViewClient_Broker_Remote_IP_Address". Currently I am using BGInfo pulling from this location so that we can have our users provide us the Client machines IP address and machine name. With this same thing in mind you could run a logon\logoff script to send this info to something as simple as a text file or even a SQL database. Also, this area provides much more info as well making it a good resource and easy access to a lot of informaiton.
Thanks for the suggestion.
Basically we started by looking at this registry key.
I think it can be helpful for generic purposes like printer mapping.
However it is risky to use this key for security purposes like security logging and forensic use.
The reason is that the key is under complete user control.
So the user can easily update the registry key containing the terminal IP address and then replay the login scripts.
This will effectively spoof his location in the security logs.
That is why we are looking for a solution that is rather based on the broker server.