Subscribe RSS Feed | Follow on Twitter

Archive for the ‘Security Server’ tag

Firewall settings for a VMware View environment

with 3 comments

When you have to configure your firewall policies for a VMware View environment it’s sometimes a little bit hard to find a simple overview of all the necessary ports and firewall settings.

To help you doing your job, I provide you here a comprehensive overview of all important communication flows of such an implementation.

This documents is a consolidated aggregation of the information you can find in the following documents:

Perimeter Firewall Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Security Server Optional
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 443 HTTPS Communication between View Client and View Security Server. Authentication etc. Mandatory
<EXTERNALCLIENT> <CLIENTPORT> Inbound <SECURITYSERVER> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<EXTERNALCLIENT> <CLIENTPORT> Both <SECURITYSERVER> UDP 4172 PCoIP PCoIP Data Transmission Mandatory

DMZ Firewall Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<SECURITYSERVER> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9427 Multi Media Redirection, RDP-Connections only Optional

Connection Server Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<CONNECTIONSERVER> <CLIENTPORT> Outbound <ACTIVEDIRECTORYSERVER> TCP 389 LDAP Active Directory Authentication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <ACTIVEDIRECTORYSERVER> UDP 389 LDAP Active Directory Authentication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 389 LDAP ADAM Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 636 LDAPS AD LDS Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 1515 Microsoft Endpoint Mapper Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <VCENTERSERVER> TCP 18443 SOAP View Composer Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <VCENTERSERVER> TCP 443 HTTPS vCenter Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Both <VIEWAGENT> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Outbound <RSASERVER> UDP 5500 RSA Secure ID Authentication Optional
<INTERNALCLIENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Connection Server HTTPS prefered
<INTERNALCLIENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 443 SSL Communication between View Client and View Connection Server. Authentication etc.
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory

Transfer Server Rules

Source IP Source Port Direction

Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<INTERNALCLIENT> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 80 HTTP Used if SSL/HTTPS is not used on the Transfer Server HTTPS prefered
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 443 HTTPS Communication with Transfer Server for the Offline Usage of VDIs
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<SECURITYSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4001 JMS Java Messanging Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 4100 JMSIR Inter-Server Communication Mandatory
<CONNECTIONSERVER> <CLIENTPORT> Inbound <TRANSFERSERVER> TCP 8009 AJP13 AJP-Data Traffic Mandatory
<TRANSFERSERVER> <CLIENTPORT> Outbound <VSPHEREHOST> TCP 902 Used if SSL/HTTPS is not used on the Connection Server Mandatory

View Agent Rules

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<INTERNALCLIENT> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9472 Multi Media Redirection, RDP-Connections only Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 42966 HP RGS HP Remote Graphics Server Optional
<VIEWAGENT> <CLIENTPORT> Outbound <CONNECTIONSERVER> TCP 4001 JMS Java Messanging Mandatory

View Client Rules (internal / without using Security Server)

Source IP
Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 3389 RDP Remote Desktop Protocol Optional
<INTERNALCLIENT> <CLIENTPORT> Both <VIEWAGENT> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 9472 Multi Media Redirection, RDP-Connections only Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 32111 USB-Redirection Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <VIEWAGENT> TCP 42966 HP RGS HP Remote Graphics Server Optional
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 80 HTTP HTTPS Prefred
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 443 HTTPS

View Client Rules (external / using Security Server)

Source IP Source Port Direction Destination IP Transport Protocol Dest. Port Application Protocol Comment Type
<EXTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 80 HTTP HTTPS Prefred
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 443 HTTPS
<INTERNALCLIENT> <CLIENTPORT> Both <CONNECTIONSERVER> UDP 4172 PCoIP PCoIP Data Transmission Mandatory
<INTERNALCLIENT> <CLIENTPORT> Inbound <CONNECTIONSERVER> TCP 4172 PCoIP PCoIP Connection Establishment Mandatory

HTTP and HTTPS-Traffic can be proxied on the application layer.

Every other protocol should only be proxied using a transparent TCP-/UDP-Proxy.

Written by Kim Nis Matzen

April 24th, 2011 at 1:52 am

PCoIP Gateway configured for home lab usage

with 2 comments

One of my colleagues from the US, Chris Colotti published a nice article on his blog which describes how he connected his wife’s iPad with his View 4.6 Security Server running in the home lab. The interesting part in his article is not the fact that you can connect to your home lab via the iPad, no it’s how to setup the PCoIP aware Security Server in View 4.6 that it works with your DynDNS connection.

Update (16.03.2011) – Gabe does have a nice article on how to use dynamic IP addresses for PCoIP.

Link: Chris Colotti’s blog

Written by Christoph Harding

March 16th, 2011 at 12:37 am

VMware View 4.6 Remote Access Video

with 2 comments

Mark Benson, a View architect from VMware’s CTO office has published a new video about the new VMware Security Server version which supports PCoIP. A great video.

VMware View 4.6 PCoIP Remote Access from Mark Benson on Vimeo.

Written by Christoph Harding

February 25th, 2011 at 4:00 pm

Posted in Uncategorized

Tagged with ,

VMware View Security Server to support PCoIP soon

with 2 comments

Mark Benson, a View architect in the VMware End User Computing CTO office published a new article about the VMware View Security Server. In this article Mark explains in detail how the new component works. He says that the new Security Server will be part of the forthcoming View release.

Read the rest of this entry »

Written by Christoph Harding

December 14th, 2010 at 5:53 pm

Posted in PCoIP,View Manager

Tagged with