Archive for the ‘Security Server’ tag
Firewall settings for a VMware View environment
When you have to configure your firewall policies for a VMware View environment it’s sometimes a little bit hard to find a simple overview of all the necessary ports and firewall settings.
To help you doing your job, I provide you here a comprehensive overview of all important communication flows of such an implementation.
This documents is a consolidated aggregation of the information you can find in the following documents:
- VMware View Architecture Planning Guide (View 4.6)
- KB1012382 – TCP and UDP Ports required to access vCenter Server, ESX hosts and other network components
Perimeter Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Security Server | Optional |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Security Server. Authentication etc. | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Both | <SECURITYSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
DMZ Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS prefered |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB-Redirection | Optional | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | Multi Media Redirection, RDP-Connections only | Optional |
Connection Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | TCP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | UDP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 389 | LDAP | ADAM | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 636 | LDAPS | AD LDS | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 1515 | Microsoft Endpoint Mapper | Mandatory | |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS prefered |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 18443 | SOAP | View Composer Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 443 | HTTPS | vCenter Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <RSASERVER> | UDP | 5500 | RSA Secure ID Authentication | Optional | |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Connection Server | HTTPS prefered |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 443 | SSL | Communication between View Client and View Connection Server. Authentication etc. | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
Transfer Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS prefered |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS prefered |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP-Data Traffic | Mandatory |
| <TRANSFERSERVER> | <CLIENTPORT> | Outbound | <VSPHEREHOST> | TCP | 902 | Used if SSL/HTTPS is not used on the Connection Server | Mandatory |
View Agent Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | Multi Media Redirection, RDP-Connections only | Optional | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB-Redirection | Optional | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <VIEWAGENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messanging | Mandatory |
View Client Rules (internal / without using Security Server)
| Source IP |
Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | Multi Media Redirection, RDP-Connections only | Optional | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB-Redirection | Optional | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | HTTPS Prefred | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS |
View Client Rules (external / using Security Server)
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | HTTPS Prefred | |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | ||
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
HTTP and HTTPS-Traffic can be proxied on the application layer.
Every other protocol should only be proxied using a transparent TCP-/UDP-Proxy.
PCoIP Gateway configured for home lab usage
One of my colleagues from the US, Chris Colotti published a nice article on his blog which describes how he connected his wife’s iPad with his View 4.6 Security Server running in the home lab. The interesting part in his article is not the fact that you can connect to your home lab via the iPad, no it’s how to setup the PCoIP aware Security Server in View 4.6 that it works with your DynDNS connection.
Update (16.03.2011) – Gabe does have a nice article on how to use dynamic IP addresses for PCoIP.
Link: Chris Colotti’s blog
VMware View 4.6 Remote Access Video
Mark Benson, a View architect from VMware’s CTO office has published a new video about the new VMware Security Server version which supports PCoIP. A great video.
VMware View 4.6 PCoIP Remote Access from Mark Benson on Vimeo.
VMware View Security Server to support PCoIP soon
Mark Benson, a View architect in the VMware End User Computing CTO office published a new article about the VMware View Security Server. In this article Mark explains in detail how the new component works. He says that the new Security Server will be part of the forthcoming View release.
