VMware Horizon Community
itn_dh
Contributor
Contributor
‎03-22-2015 12:27 PM

Why are there so many PCoIP firewall rules - one for each VM (Security Server to VM)?

Following some documentation I found, it seems to me that I have to setup FW rules between the Security Server and each :smileyalert: VM. If I have a lot of VM's, that seems overkill to me.

See https://pubs.vmware.com/horizon-61-view/topic/com.vmware.ICbase/PDF/view-61-architecture-planning.pd...  Table 5-2, 5-3, or

VMware View PCoIP Remote Access in View 4.6 - YouTube    time 16:17 onwards.


And if I'd go directly, without Security and Connection Server, the setup is again, per VM.

See https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/view-agent-601-direct-connection...

Page 13, Section Using Network Address Translation and Port Mapping to page 16. Table 2-2 explains nicely.

(this document just explains it much better than any documentation I found with Security Server involved)


Do I really have to add that bunch of rules to the FW for each VM??


Dan

Reply
0 Kudos
3 Replies
markbenson
VMware Employee
VMware Employee
‎03-23-2015 06:37 AM

itn_dh wrote:

..


Do I really have to add that bunch of rules to the FW for each VM??


Dan

Hi Dan,

No. It's true that PCoIP needs to go between Security Server and each VM, but it is more usual to do that with a single PCoIP rule for each Security Server (at the inner firewall). Add a rule that allows PCoIP (TCP 4172 and UDP 4172) from a source IP address of each Security Server.

You can be sure that Security Server will only connect to virtual desktops that the authenticated user is entitled to which is why you can simplify the rules you need to add.

Mark

Reply
0 Kudos
itn_dh
Contributor
Contributor
‎03-23-2015 10:09 AM

Thanks Mark,

I think I was not on the point with my question.

You are right. I can add one or just a few firewall rules on the inside firewall to manage all possible numbers of VM's.

Perhaps what I was referring to was less the firewall rules and more the NAT rules.

I might not quite understand the way a security server acts together with the VM's, though. Just in the documentation I found so far, there was always a reference on security server connects to the VM's with the need to also adapt the NAT rules.

Perhaps someone could point me to an example which shows exactly what firewall rules AND NAT rules are needed on the outside firewall and the inside firewall?

Thanks

Dan

Reply
0 Kudos
markbenson
VMware Employee
VMware Employee
‎03-24-2015 07:24 AM

OK. Yes, I answered the question about firewall rules. BTW: similarly on the outside Internet facing firewall, just add rules to allow 443 (TCP), 4172 (TCP and UDP) and 8443 (TCP) to get to each Security Server.

You can use NAT between the Internet and your Security Servers. This is quite normal. There is a worked example showing this configuration here Security Server PCoIP Remote Access (the video at the bottom).

Hope this helps. Feel free to ask more questions as you get into it.

Mark

Reply
0 Kudos