VMware Horizon Community
BearHuntr
Contributor

Help me convince my network admin to open port 4172 for PCoIP.

As expected, I'm getting some pushback from my Network Administrators regarding opening up port 4172 for the PCoIP Secure Gateway.  I have a meeting with them tomorrow and I'm looking for some good points and information to give to them to calm their fears.  Does anyone have some good information to pass on?  Did anyone else have to justify this to their Network team?  How did it go for you?  Thanks!


Accepted Solutions
mittim12
Immortal

As the other poster said, PCoIP is already under AES-128 encryption, so it shouldn't be a big deal. Check out this blog post by Mark Benson for additional information.

http://communities.vmware.com/community/cto/desktop/blog/2010/12/13/secure-remote-access-with-view-a...

9 Replies
Camek
Enthusiast

As a network admin they shouldn't have too much to worry about... First, they should only open up this port to the one IP address where your security server is sitting, and you should not be asking this to be open to all desktops. Second, the port is used on the security server, so it's not just sitting open for anyone to use, as it has to pass in/out of the VMware service on the security server.

Also, remember that for this to work you have to open both TCP and UDP; however, TCP can be in only if they push back.

GaryMclean
Enthusiast

The PCoIP traffic is also already encrypted at AES 128-bit, I believe.

I've got the port open but am having some issues connecting to my desktops. We're still testing.

idle-jam
Immortal

It's already HTTPS encrypted. Even if the server is being compromised, it's just the security server with no data on it.

markbenson
VMware Employee

Also, make sure that the internet-facing firewall only allows PCoIP to Security Servers. Similarly, if you have a DMZ, make sure that on the inner firewall the PCoIP protocol is only allowed from Security Servers. This way, you have the following assurances:

1. The only PCoIP traffic that can enter your internal network is traffic on behalf of View authenticated users.

2. The only resources (virtual desktops) that those authenticated users can access are those that are explicitly authorized through View (they can't access other resources).

As others have said, PCoIP (both sides of the Security Server) is always AES-128 encrypted.

More details are here - http://communities.vmware.com/docs/DOC-14974

Mark.
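
The two firewall conditions in the post above can be checked mechanically against an exported rule list. This is an added example, not part of the thread and not VMware tooling; the rule format, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress

PCOIP_PORT = 4172
# Constructed addresses: two Security Servers in a DMZ (assumption, not from the thread).
SECURITY_SERVERS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]

def covers_only_security_servers(cidr):
    """True if every address in cidr belongs to a single Security Server entry."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(server) for server in SECURITY_SERVERS)

def audit_pcoip_rules(firewall, rules):
    """Return (rule index, reason) for allow rules that break the placement advice.

    firewall is "outer" (internet-facing) or "inner" (DMZ to internal network).
    Each rule is a dict with action, proto, src, dst and port (an int or "any").
    """
    if firewall not in ("outer", "inner"):
        raise ValueError("firewall must be 'outer' or 'inner'")
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "allow" or rule["port"] not in (PCOIP_PORT, "any"):
            continue  # only allow rules that can carry PCoIP matter here
        if firewall == "outer" and not covers_only_security_servers(rule["dst"]):
            findings.append((index, f"PCoIP allowed to non-Security-Server destination {rule['dst']}"))
        if firewall == "inner" and not covers_only_security_servers(rule["src"]):
            findings.append((index, f"PCoIP allowed from non-Security-Server source {rule['src']}"))
    return findings

def make_rule(action, proto, src, dst, port):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

# Constructed rule exports; 10.20.0.0/16 stands in for the virtual desktop network.
OUTER_RULES = [
    make_rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 4172),
    make_rule("allow", "udp", "0.0.0.0/0", "192.0.2.10/32", 4172),
    make_rule("allow", "udp", "0.0.0.0/0", "10.20.0.0/16", 4172),    # straight to desktops
]
INNER_RULES = [
    make_rule("allow", "tcp", "192.0.2.10/32", "10.20.0.0/16", 4172),
    make_rule("allow", "udp", "192.0.2.0/24", "10.20.0.0/16", 4172),  # whole DMZ as source
    make_rule("allow", "tcp", "192.0.2.0/24", "10.20.0.5/32", 443),   # not PCoIP, ignored
]

if __name__ == "__main__":
    for name, rules in (("outer", OUTER_RULES), ("inner", INNER_RULES)):
        for index, reason in audit_pcoip_rules(name, rules):
            print(f"{name} rule {index}: {reason}")
```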

BearHuntr
Contributor

Thanks for the information everyone, it's much appreciated!  Mark's blog post looks like it has everything I need.

BearHuntr
Contributor

Just a follow-up post: my network admins OK'd the port opening.  However, they were concerned with the encryption only being 128-bit when our VPN options are 256-bit.  The only saving grace was that we are using RSA SecurID as an additional level of authentication.  Thanks again!

jftuga
Enthusiast

Does he believe someone can crack 128-bit encryption, but not 256-bit?

BearHuntr
Contributor

I know that it's a ridiculous thought, but that's where he was concerned.  They can be very bull-headed.
