As expected, I'm getting some pushback from my Network Administrators regarding opening up port 4172 for the PCoIP Secure Gateway. I have a meeting with them tomorrow and I'm looking for some good points and information to give to them to calm their fears. Does anyone have some good information to pass on? Did anyone else have to justify this to their Network team? How did it go for you? Thanks!
As the other poster said, PCoIP is already under AES-128 encryption so it shouldn't be a big deal. Check out this blog post by Mark Benson for additional information.
As a network admin they shouldn't have too much to worry about... First, they should only open up this port to the one IP address where your security server is sitting, and you should not be asking for this to be open to all desktops. Second, the port is used on the security server, so it's not just sitting open for anyone to use, as it has to pass in/out of the VMware service on the security server.
Also, remember for this to work you have to open both TCP and UDP, however TCP can be in only if they push back.
The PCoIP traffic is also already encrypted at AES-128 bit, I believe.
I've got the port open but am having some issues connecting to my desktops. We're still testing.
It's already HTTPS encrypted. Even if the server is compromised, it's just the security server with no data on it.
Also, make sure that the internet facing firewall only allows PCoIP to Security Servers. Similarly if you have a DMZ make sure that on the inner firewall the PCoIP protocol is only allowed from Security Servers. This way, you have the following assurances:
1. The only PCoIP traffic that can enter your internal network is traffic on behalf of View authenticated users.
2. The only resources (virtual desktops) that those authenticated users can access are those that are explicitly authorized through View (they can't access other resources).
As others have said, PCoIP (both sides of the Security Server) is always AES-128 encrypted.
More details are here - http://communities.vmware.com/docs/DOC-14974
Mark.
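One way to check a rule set against the two firewall constraints in the post above, as an added example that is not part of the thread. The rule tuple format, the addresses (documentation and private ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

PCOIP_PORT = 4172
# Assumed Security Server address (constructed, not from the thread).
SECURITY_SERVERS = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample rules: (firewall, action, proto, src, dst, port).
# port=None means "any port", which also covers 4172.
RULES = [
    ("outer", "allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 4172),
    ("outer", "allow", "udp", "0.0.0.0/0", "192.0.2.0/24", 4172),
    ("inner", "allow", "tcp", "192.0.2.10/32", "10.20.0.0/16", 4172),
    ("inner", "allow", "udp", "192.0.2.0/24", "10.20.0.0/16", 4172),
    ("inner", "allow", "tcp", "10.30.0.0/16", "10.20.0.0/16", None),
    ("inner", "deny", "udp", "0.0.0.0/0", "10.20.0.0/16", 4172),
]


def limited_to_security_servers(cidr):
    """True if every address in cidr belongs to a Security Server."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(server) for server in SECURITY_SERVERS)


def audit(rules):
    """Return (rule index, firewall, reason) for each over-broad PCoIP rule."""
    findings = []
    for index, (firewall, action, proto, src, dst, port) in enumerate(rules):
        if action != "allow" or port not in (None, PCOIP_PORT):
            continue
        if firewall == "outer":
            # Internet-facing firewall: PCoIP may only reach Security Servers.
            if not limited_to_security_servers(dst):
                findings.append((index, firewall, f"{proto} destination {dst} too broad"))
        else:
            # Inner firewall: PCoIP may only come from Security Servers.
            if not limited_to_security_servers(src):
                findings.append((index, firewall, f"{proto} source {src} too broad"))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```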
Thanks for the information everyone, it's much appreciated! Mark's blog post looks like it has everything I need.
Just a follow-up post, my network admins ok'd the port opening. However, they were concerned with the encryption only being 128 bit when our VPN options are 256 bit. The only saving grace was that we are using RSA SecurID as an additional level of authentication. Thanks again!
Does he believe someone can crack 128 bit encryption, but not 256 bit?
I know that it's a ridiculous thought, but that's where he was concerned. They can be very bull-headed.