Posts tagged pcoip
Introducing the EVGA PD02
May 28th
Earlier this year, EVGA released a new VMware-Certified Zero Client dubbed the PD02. It uses the same chipset as the products it competes with, notably the Wyse P20, Dell FX100, and others; this means it is functionally identical to them.
The form factor is different, as it comes in a small cube as opposed to the traditional blocky design. However, the biggest difference is the pricing: $299. The other units are at least 25% more expensive, with the Wyse P20 listing on CDW for as much as $419.99. When purchasing hundreds of these units, that amount can really add up. For a 600-seat deployment, that’s a whopping $72,000 saved.
The unit has an aluminum casing on the sides which acts as a heat sink. While this may do a great job at accomplishing its goal of cooling the unit, it also does a great job at making it uncomfortable to touch. A non-scientific heat gun reading listed the unit as around 110 degrees (F). It’s not unbearable, but it is certainly unpleasant to hold after it has been on for a while.
The unit can be managed via the Teradici PCoIP Management Console just like all other units that use the Teradici chipset. It can also use the firmware directly from Teradici like the others. Like the FX100, it does not come with a keyboard or mouse; it is worth noting that the Wyse P20 comes with PS/2 versions of both.
It will be interesting to see how other manufacturers respond to this unit, but hopefully this will drive down the pricing for zero clients. I am a huge proponent of zero clients over thin clients or re-purposed desktops as the experience among the three is night-and-day with the zero client coming out far ahead of the others. Lowering the cost of these units will increase their deployment numbers and be better for View-based VDI deployments.
Comprehensive List of VMware View Firewall Rules
May 14th
Getting firewall rules right for View can be one of the more tedious parts of a deployment, and when they are wrong you can run into lots of odd issues. The majority of installation problems seem to arise from firewall rules not being exactly as needed. The following is a list of all of the firewall rules that need to be created, gathered from various sources by a VMware employee and the author of That’s My View (http://www.thatsmyview.net); all credit for the below should go to his original article.
Also, be sure to follow the great Setting up PCoIP Remote Access with View 4.6 guide if you run into further PCoIP issues after ensuring the firewall rules are configured as below.
Perimeter Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Security Server | Optional |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Security Server. Authentication etc. | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Both | <SECURITYSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
DMZ Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB Redirection | | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | Multimedia Redirection | RDP connections only | Optional |
Connection Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | TCP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | UDP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 389 | LDAP | ADAM | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 636 | LDAPS | AD LDS | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 1515 | Microsoft Endpoint Mapper | | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 18443 | SOAP | View Composer Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 443 | HTTPS | vCenter Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <RSASERVER> | UDP | 5500 | RSA SecurID Authentication | | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Connection Server | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 443 | SSL | Communication between View Client and View Connection Server. Authentication etc. | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
Transfer Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <TRANSFERSERVER> | <CLIENTPORT> | Outbound | <VSPHEREHOST> | TCP | 902 | | Used if SSL/HTTPS is not used on the Connection Server | Mandatory |
View Agent Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | Multimedia Redirection | RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB Redirection | | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <VIEWAGENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
View Client Rules (internal / without using Security Server)
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | Multimedia Redirection | RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB Redirection | | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | HTTPS preferred | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | | |
View Client Rules (external / using Security Server)
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | HTTPS preferred | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | | |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
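The tables above are easiest to keep honest when treated as data. As an added example (not from the original article or from VMware), here is a small Python audit that encodes the perimeter and DMZ rows and checks a firewall's allow list against them, reporting both mandatory flows that are missing and permitted flows View does not need; the allow-list tuple format is an assumption made for this example.

```python
# Added example, not part of the original post: the perimeter and DMZ rules
# from the tables above as data, plus an audit of a firewall's allow list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    port: int
    mandatory: bool
    note: str

    def flow(self):
        return (self.src, self.dst, self.proto, self.port)


# Perimeter and DMZ rows from the tables above. 4172 appears twice per hop
# because connection setup is TCP and the desktop stream itself is UDP.
VIEW_RULES = [
    Rule("EXTERNALCLIENT", "SECURITYSERVER", "TCP", 80, False, "HTTP, only without SSL"),
    Rule("EXTERNALCLIENT", "SECURITYSERVER", "TCP", 443, True, "HTTPS authentication"),
    Rule("EXTERNALCLIENT", "SECURITYSERVER", "TCP", 4172, True, "PCoIP connection establishment"),
    Rule("EXTERNALCLIENT", "SECURITYSERVER", "UDP", 4172, True, "PCoIP data transmission"),
    Rule("SECURITYSERVER", "CONNECTIONSERVER", "TCP", 8009, True, "AJP13"),
    Rule("SECURITYSERVER", "CONNECTIONSERVER", "TCP", 4001, True, "JMS"),
    Rule("SECURITYSERVER", "VIEWAGENT", "TCP", 4172, True, "PCoIP connection establishment"),
    Rule("SECURITYSERVER", "VIEWAGENT", "UDP", 4172, True, "PCoIP data transmission"),
    Rule("SECURITYSERVER", "VIEWAGENT", "TCP", 3389, False, "RDP fallback"),
]


def audit(allowed):
    """allowed: set of (src, dst, proto, port) flows the firewall permits.
    Returns (mandatory rules missing, permitted flows View does not need)."""
    known = {r.flow() for r in VIEW_RULES}
    missing = [r for r in VIEW_RULES if r.mandatory and r.flow() not in allowed]
    extra = sorted(f for f in allowed if f not in known)
    return missing, extra


# Constructed allow list: TCP 4172 is open but the UDP half was forgotten,
# and an RDP hole from the security server to the connection server crept in.
SAMPLE_ALLOWED = {
    ("EXTERNALCLIENT", "SECURITYSERVER", "TCP", 443),
    ("EXTERNALCLIENT", "SECURITYSERVER", "TCP", 4172),
    ("SECURITYSERVER", "CONNECTIONSERVER", "TCP", 8009),
    ("SECURITYSERVER", "CONNECTIONSERVER", "TCP", 4001),
    ("SECURITYSERVER", "CONNECTIONSERVER", "TCP", 3389),
    ("SECURITYSERVER", "VIEWAGENT", "TCP", 4172),
    ("SECURITYSERVER", "VIEWAGENT", "UDP", 4172),
}
```

Running `audit(SAMPLE_ALLOWED)` flags the forgotten UDP 4172 rule (the classic "authenticates fine, then no desktop" symptom) and the unneeded RDP flow.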
PCoIP Gateway Self-Signed SSL Cert
Apr 28th
As part of our periodical PCI Compliance scans, our corporate vulnerability scanner recently picked up the View 4.6 PCoIP Gateway as having a few issues. These issues were as follows:
- SSL Server Supports Weak Encryption Vulnerability (port 4172/tcp over SSL)
- SSL Certificate – Subject Common Name Does Not Match Server FQDN
- SSL Certificate – Signature Verification Failed Vulnerability
We found this odd since we had an SSL certificate installed on the Security Server, and going to the site externally showed it using a proper cert. We opened a ticket with VMware who explained that this was due to port 4172 not using the SSL certificate that is used for HTTPS, and subsequently opened a ticket with Teradici.
To try to get this fixed, we reached out to our local VMware reps for assistance. They were incredibly helpful and went out of their way with conference calls, performing research on our behalf, and even writing up the following explanation of why the aforementioned results are actually false positives. It’s also an interesting read, regardless:
One of the roles of the View Security Server is to ensure that only traffic on behalf of authenticated users is allowed to reach the internal network and only to those desktops that the user is authorized to access. Authentication and authorisation are performed over an HTTPS (TCP 443) connection to View Security Server.
When a PCoIP virtual desktop is selected by the user at the View Client, View Connection Server (via Security Server) returns an IP address, a port number and a one-time token to the client to enable the PCoIP connection to the Security Server. This channel is protected using an SSL server certificate that can be replaced by a CA signed certificate. The client will connect to the supplied IP address/port number and will proceed only if the far end is a PCoIP server or View Security Server. The TCP 4172 listener on View Security Server 4.6, in its turn, will negotiate only with a PCoIP client executing in the context of an authenticated and authorized user. Once an SSL channel is established, the client provides the one-time token to the Security Server, which then associates the client with the authenticated user through the token. Over this assured channel, an IPSec security association is performed in a process analogous to an IKE Phase 2 negotiation.
All PCoIP traffic between the View Client and View Desktop, through View Security Server, is then AES-128 encrypted with GCM authentication. UDP packets arriving at the View Security Server (or the View Desktop) with an invalid IPSec SPI or that cannot be authenticated with the key associated with the SPI will be discarded. The client similarly discards traffic that is not from the server.
The PCoIP (4172) channel cannot be used to gateway PCoIP traffic without the user first authenticating and having entitlements to access virtual desktops. We are aware that some security scanners will report a PCI violation relating to the use of self-signed certificates on this PCoIP channel because they cannot know that this channel can’t be used without the initial authentication.
Some vulnerability scanners have not been updated to compensate for View using multiple ports and authentication mechanisms in tunnel creation and as such report false positives against the View Security Server.
The previous information has been critical in getting approval to re-enable our PCoIP Gateway, which is a lot more pleasant to use than RDP… especially on the iPad.
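To make the reps' argument concrete, here is an added Python sketch (a simplified model written for this page, not VMware's or Teradici's code) of the three gates described above: a one-time token issued only after HTTPS authentication and only for an entitled desktop, redeemed exactly once on the TCP 4172 channel, after which UDP datagrams are accepted only if they carry a known SPI and a tag that verifies under that session's key. HMAC-SHA256 stands in for AES-128-GCM, and every class, method and sample name is an assumption.

```python
# Added example, not part of the original post or of Teradici/VMware code:
# a simplified model of the gatekeeping described above. The HTTPS step
# hands out a one-time token bound to an entitled user, the TCP 4172 step
# redeems it exactly once, and the UDP stream is accepted only when its SPI
# is known and its tag verifies. HMAC-SHA256 stands in for AES-128-GCM.
import hashlib
import hmac
import os
import secrets


class SecurityServerModel:
    def __init__(self, entitlements):
        self.entitlements = entitlements   # user -> set of desktop names
        self.tokens = {}                   # one-time token -> (user, desktop)
        self.sessions = {}                 # SPI -> per-session key

    def issue_token(self, user, desktop):
        """Step 1, after HTTPS authentication: a token only for entitled desktops."""
        if desktop not in self.entitlements.get(user, set()):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (user, desktop)
        return token

    def redeem_token(self, token):
        """Step 2, over the TCP 4172 channel: a token is usable exactly once."""
        if self.tokens.pop(token, None) is None:
            return None                    # unknown or already used: no session
        spi = int.from_bytes(os.urandom(4), "big")
        self.sessions[spi] = os.urandom(16)
        return spi, self.sessions[spi]

    def accept_udp(self, spi, payload, tag):
        """Step 3: drop datagrams with an unknown SPI or a tag that fails."""
        key = self.sessions.get(spi)
        if key is None:
            return False
        return hmac.compare_digest(seal(key, payload), tag)


def seal(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def scanner_probe(server):
    """What an unauthenticated scanner on 4172 gets: no valid token, no session."""
    return server.redeem_token(secrets.token_hex(16))
```

The scanner case is the point of the write-up: whatever it thinks of the certificate on 4172, it never gets past the token step, so nothing can be gatewayed through that listener without the preceding HTTPS authentication.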
PCoIP VRAM Fix
Aug 30th
One of the biggest annoyances I’ve run into when deploying VMware View is the finickiness of PCoIP. The problem is that if the video settings within your VM are not just right, then you will run into issues like:
- You cannot re-size the screen
- Resizing only works down instead of up.
- Resizing responds very slowly or fails after several resize attempts.
- You cannot switch between full-screen and windowed.
Obviously, these are rather deal-breaker bugs. To say the least, VMware’s response and fix to the issue are disappointing. Their “fix” involves jumping through a lot of hoops that make the process way more tedious than it should be. The KB article for this fix is 1018158.
It doesn’t appear that the vSphere client fully saves changes to the Video Settings to the .vmx file, but fortunately ermac318 over at VM Junkie has created a PowerCLI function to fix this issue. You can grab the script from his site or from a local mirror here. To run it, do the following:
```powershell
# Connect to vCenter (substitute your own vCenter hostname)
Connect-VIServer -server vCenterServer.tld
# Dot-source the script so its Set-VRamSize function is loaded into this session
. .\set-vramsize.ps1
# Select the VM whose video settings need fixing
$vm = Get-VM -name VirtualMachineToModify
# Write the corrected VRAM settings to that VM's .vmx
Set-VRamSize($vm)
```
This should modify the .vmx file for the VM. You can confirm by downloading the .vmx file through vCenter and seeing if the file contains the expected modifications.
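To make that confirmation step concrete, here is an added Python helper (not from the original post or from the VM Junkie script) that parses a .vmx downloaded before and after the script has run and reports which svga.* settings changed. The two sample files are constructed, and the key names in them are assumptions rather than a statement of what the script writes.

```python
# Added example, not from the original post or from the VM Junkie script:
# parse two copies of a .vmx (downloaded before and after running the
# script) and report which svga.* settings changed. Both inputs below are
# constructed; the key names are assumed, not taken from the script.
import re

# A .vmx is a flat list of   key = "value"   lines; anything else is ignored.
VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the .vmx as a dict; lines that are not key = "value" are skipped."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def svga_changes(before_text, after_text):
    """svga.* keys whose value was added, removed or changed: key -> (old, new)."""
    before, after = parse_vmx(before_text), parse_vmx(after_text)
    keys = {k for k in set(before) | set(after) if k.startswith("svga.")}
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


# Constructed sample: the "after" copy carries an explicit VRAM size.
VMX_BEFORE = '''.encoding = "UTF-8"
displayName = "View-Win7-01"
svga.present = "TRUE"
svga.autodetect = "TRUE"
'''
VMX_AFTER = '''.encoding = "UTF-8"
displayName = "View-Win7-01"
svga.present = "TRUE"
svga.autodetect = "FALSE"
svga.vramSize = "134217728"
'''
```

An empty result from `svga_changes` means the download you are looking at does not carry the script's modifications, which is exactly the case the post warns about.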