More than just 443 to the world?

lefcakis · ‎03-24-2011

I was under the impression that the 4.6 version of View was the addition of the PCOIP gateway...

With that, why do I need to have more than just 443 open to the world? Seems like I need to have 4172 open as well. Doesn't that defeat the purpose? If I need to open more ports, why bother with a Security server?

Even some of the documentation (page 63 of the planning guide) says HTTPS traffic (which is port 443)

Any ideas?

thanks

bharris9 · ‎03-24-2011

The PCoIP Secure Gateway requires port 4172 to use the PCoIP protocol if you were only requiring RDP then 443 would be sufficient. This is an excellent resource for understanding Remote Access and PCoIP:

http://communities.vmware.com/docs/DOC-14974

Thanks

lefcakis · ‎03-24-2011

I understand that but then you need RDP open to the world and that is worse.

It was supposed to be 443 traffic only.

markbenson · ‎03-24-2011

There was a typo in the architecture and planning guide which we have now fixed and will be updated shortly. One of the protocol flows was marked HTTPS instead of PCoIP. It is correct in the document referenced above.

TCP 443 only, would require you to run PCoIP (UDP based) over a TCP connection and that is not the best user experience. The better way is to allow 4172 but only to the Security Server(s). That way you get the best of both worlds. a) you ensure that only traffic on behalf of authenticated users enters the green zone and only to desktops authorized for that user, and b) the best possible user experience. You don't need to expose 4172 to the world from the virtual desktops. That's the purpose of the Security Server.

Sorry for the confusion.

Mark.

vgracanin · ‎03-24-2011

I found this nice article from BrianMadden concerning the security standpoint of opening 4172 to the world.

http://www.brianmadden.com/blogs/brianmadden/archive/2011/03/08/vmware-releases-view-4-6-pcoip-gatew...

All

More than just 443 to the world?