orczakm
Enthusiast
Enthusiast

PCoIP over SSL

hey volks,

We are using a VMware View 5.1 Environment with 5.1 ESXi hosts and Vsphere 5.1

For some security restrictions i have no chance to open the PCoIP port (4172) on our external Firewall. Because the goal is to be able to connect with a ipad into the view environment, and the view client for Ipad only support PCoIP the only chance is to tunnel the PCoIP connection over the SSL connection.

My question is, is it possible with only port 443 open to establish a PCoIP connection?

Actually we have the following network situation:

Internet => Cisco ASA => DMZ (Checkpoint firewall) => TMG         => LAN (View Connection Server)

ext. ip    => 192.168.x.x => 192.168.x.x                        => 192.168.x.x => 172.27.x.x

As above, between Internet and TMG, only port 443 is available, the TMG is forwarding the traffic to the connection server.

What i tried already was the option "PCoIP Secure Gateway" with both, the internal TMG IP, and the DMZ TMG IP, both with port 4172, as example for internal TMG : 172.27.154.99:4172, for DMZ TMG: 192.168.78.99:4172

I would appreciate if somebody could shed some light into this issue, thanks in advance,

Matthias

Die Welt ist binär - es gibt nur einsen und Nullen
0 Kudos
2 Replies
markbenson
VMware Employee
VMware Employee

You won't want to do it like that. PCoIP is primarily UDP based and the advantages of this would be mainly lost if you simply tunnel that through a TCP based SSL connection.

See http://cto.vmware.com/secure-remote-access-with-view-and-pcoip/ for more info on this.

We initially looked at various options around tunneling the PCoIP traffic through Security Server but we really didn’t want to interfere with the advanced performance characteristics of the protocol. The step improvement in having a UDP based remote display protocol would be somewhat eroded if we just tunneled that over an HTTPS connection which uses TCP as its underlying transport protocol. HTTPS encapsulation is good for RDP, but PCoIP is already secured by AES-128 encryption over the wire and so double encryption is unnecessary.

It is a bad idea to put most UDP based communications (including VoIP, PCoIP etc.) over a TCP based protocol such as SSL.

There are two options, both are fully supported.

1. Use a View Security Server in your DMZ. This ties in user authentication with secure PCoIP forwarding which ensures that the only PCoIP traffic that can enter the green zone of your data center is traffic on behalf of a strongly authenticated user. Other PCoIP traffic is discarded in your DMZ and can not make it to your datacenter green zone. This is what a lot of View customers do because it has very good performance and has the best user experience.

2. Use a VPN. This is also acceptable, but does require the user to first set up the VPN and authenticate separately. Also, as it's for a UDP based protocol, you'll want to ensure the VPN supports DTLS and this too requires you to open ports other than TCP 443. They do this for exactly the same reasons of not putting UDP traffic over TCP.

Refer to this document and the linked video if you want a deep-dive into the secure setup of PCoIP remote access. http://communities.vmware.com/docs/DOC-14974 It describes how to set it up so that it is secure and gives the best possible user experience.

Mark

orczakm
Enthusiast
Enthusiast

Hey Mark,

Thanks for your suggestions and clear words. Unfortunately this will be a deal breaker then for our external access scenario. There is no chance to get port 4172 open by the external Firewall based on BSI restrictions ... Smiley Sad

However, thanks for now...

Greetz,

Matthias

Die Welt ist binär - es gibt nur einsen und Nullen
0 Kudos