VMware Horizon Community
andydrum
Contributor

security server and 3389 port to guests in lan

Hi all!

I'm evaluating new VMware View release (3.0.1).

The problem (dilemma?!?!) is simple: do I really have to open the tcp/3389 port from the DMZ to ALL my guests?

As a system administrator and 'half-firewall' guy I can't believe that! Furthermore I'm pretty sure that in the past this was not necessary: I can remember a "tunnel" behaviour of the VDI 2.x security server.

While attending VMworld Europe 2009 I also asked this question to a VMware guy and he told me (he swore!) that the tunnel function is still possible.

Here is what I would like to do:

PC@wan --(https)--> SSERVER@dmz --(https)--> BROKER@lan --(rdp)--> GUEST@lan

How do you feel about that? Are you comfortable with these settings? Hundreds of RDP connections from the DMZ to the LAN?

Thanks for your answers.

best regards

Andrea.

mittim12
Immortal

I don't think this is any different than in the past. When using the non-direct mode the user connects up to the security server, is authenticated by the connection broker via the security server, and is then connected to the remote desktop via the security server. I am probably not the most security-focused individual, but this isn't entirely different from how my Citrix Secure Gateway works. The only quirk is I have a lot more remote desktops than I do Citrix servers.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

andydrum
Contributor

Hi mittim12, thanks for your answer.

Regardless of XenApp and its Secure Gateway, I would like to understand how VDI should work and whether I'm making some mistakes in my configuration.

Do you confirm this is the standard behaviour?

Authentication: PC@wan --(https)--> SSERVER@dmz --(https)--> BROKER@lan

Data stream: PC@wan --(https)--> SSERVER@dmz --(rdp)--> GUEST@lan

Is it possible to have this behaviour?

Auth + data stream: PC@wan --(https)--> SSERVER@dmz --(https)--> BROKER@lan --(rdp)--> GUEST@lan

thanks and best regards

Andrea

mittim12
Immortal

From my understanding that is the standard behavior, and I do not know of any way to accomplish what you are looking for. If you had an existing VPN solution you could always take the security server out of the picture and utilize VPN and View together.


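As an added example (not from this thread, VMware, or any of its posters), here is a small Python audit of the flows mittim12 describes: it derives the zone-crossing firewall rules the standard non-direct mode needs and, for the DMZ-to-LAN RDP rule, reports the tightest destination scope (the desktop pool prefix) so the rule does not have to cover the whole LAN. The zone ranges, host addresses and the 100-desktop pool are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed topology for the thread's non-direct mode; every address here
# is an assumption, not a value from the thread.
ZONES = {
    "wan": ip_network("0.0.0.0/0"),  # catch-all, matched last
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.10.0.0/16"),
}
HOSTS = {"client": "203.0.113.7", "sserver": "192.0.2.10", "broker": "10.10.1.5"}
HOSTS.update({f"guest{i}": f"10.10.20.{i}" for i in range(1, 101)})  # desktop pool

def zone_of(ip):
    """Most specific zone containing ip (wan only when nothing else matches)."""
    return max((z for z, n in ZONES.items() if ip_address(ip) in n), key=lambda z: ZONES[z].prefixlen)

def standard_mode_flows():
    """Non-direct mode as mittim12 describes it: HTTPS client->security server,
    HTTPS security server->broker, then RDP security server->every desktop."""
    flows = [("client", "sserver", 443), ("sserver", "broker", 443)]
    flows += [("sserver", g, 3389) for g in HOSTS if g.startswith("guest")]
    return flows

def required_rules(flows):
    """Group zone-crossing flows: (src_zone, dst_zone, port) -> set of dst /32s."""
    rules = defaultdict(set)
    for src, dst, port in flows:
        s, d = zone_of(HOSTS[src]), zone_of(HOSTS[dst])
        if s != d:  # traffic inside one zone never crosses the perimeter firewall
            rules[(s, d, port)].add(ip_network(HOSTS[dst]))
    return rules

def covering_prefix(nets):
    """Smallest single prefix that contains every destination network."""
    cover = min(nets)
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

def audit(rules, max_hosts=1):
    """Flag rules with more than max_hosts destinations and report the tightest
    ways to write them: exact collapsed prefixes, or one covering pool prefix."""
    findings = {}
    for key, dsts in rules.items():
        if len(dsts) > max_hosts:
            findings[key] = {"hosts": len(dsts), "cover": str(covering_prefix(dsts)),
                             "exact": [str(n) for n in collapse_addresses(dsts)]}
    return findings
```

Calling `audit(required_rules(standard_mode_flows()))` flags only the DMZ-to-LAN tcp/3389 rule, with the pool prefix to scope it to rather than the whole LAN.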