Subscribe RSS Feed | Follow on Twitter

Archive for the ‘4.6’ tag

Firewall settings for a VMware View environment

with 3 comments

When you have to configure your firewall policies for a VMware View environment it’s sometimes a little bit hard to find a simple overview of all the necessary ports and firewall settings.

To help you doing your job, I provide you here a comprehensive overview of all important communication flows of such an implementation.

This documents is a consolidated aggregation of the information you can find in the following documents:

Perimeter Firewall Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Security Server Optional
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 443 HTTPS Communication between View Client and View Security Server. Authentication etc. Mandatory
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<EXTERNALCLIENT> <CLIENTPORT> Both <SECURITYSERVER> UDP 4172 PCoIP PCoIP Data Transmission Mandatory

DMZ Firewall Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9427 Multi Media Redirection, RDP-Connections only Optional

Connection Server Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<CONNECTIONSERVER> <CLIENTPORT> Outbound <ACTIVEDIRECTORYSERVER> TCP 389 LDAP Active Directory Authentication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <ACTIVEDIRECTORYSERVER> UDP 389 LDAP Active Directory Authentication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 389 LDAP ADAM Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 636 LDAPS AD LDS Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 1515 Microsoft Endpoint Mapper Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <VCENTERSERVER> TCP 18443 SOAP View Composer Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <VCENTERSERVER> TCP 443 HTTPS vCenter Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <VIEWAGENT> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <RSASERVER> UDP 5500 RSA Secure ID Authentication Optional
<INTERNALCLIENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Connection Server HTTPS prefered
<INTERNALCLIENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 443 SSL Communication between View Client and View Connection Server. Authentication etc.
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory

Transfer Server Rules

Source IP Source Port Direction

Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<INTERNALCLIENT> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<TRANSFERSERVER> <CLIENTPORT> Outbound <VSPHEREHOST> TCP 902 Used if SSL/HTTPS is not used on the Connection Server Mandatory

View Agent Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<INTERNALCLIENT> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9472 Multi Media Redirection, RDP-Connections only Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 42966 HP RGS HP Remote Graphics Server Optional
<VIEWAGENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory

View Client Rules (internal / without using Security Server)

Source IP
Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<INTERNALCLIENT> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9472 Multi Media Redirection, RDP-Connections only Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 42966 HP RGS HP Remote Graphics Server Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 80 HTTP HTTPS Prefred
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 443 HTTPS

View Client Rules (external / using Security Server)

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<EXTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 80 HTTP HTTPS Prefred
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 443 HTTPS
<INTERNALCLIENT> <CLIENTPORT> Both <CONNECTIONSERVER> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory

HTTP and HTTPS-Traffic can be proxied on the application layer.

Every other protocol should only be proxied using a transparent TCP-/UDP-Proxy.

Written by Kim Nis Matzen

April 24th, 2011 at 1:52 am

Just noticed. The View Client in the Windows Startmenu

without comments

Maybe you’ve already seen it but I just noticed now. If you open the Windows Startmenu and you click on the little arrow on the right side of the View Client option, you can easily access the last used servers and desktops. I really like that!

image

Written by Christoph Harding

March 9th, 2011 at 12:20 am

Posted in View Client

Tagged with ,