Certificate/protocol problems on PCoIP gateway port 4172

I just received my quarterly security scans back, and while I thought I had my Security Server set up correctly, apparently I still have problems with the protocol/cert on the PCoIP port.

The analysis shows the PCoIP gateway on 4172 answering SSLv3 and not presenting a valid certificate. I have double- and triple-checked the registry settings and the locked.properties file to be sure I'm not serving SSLv3 and that I present a valid certificate, and all of these settings seem to be correct. Checking ports 443 or 8443 shows the protocols/cert working properly, but the same analysis on 4172 shows that it responds to SSLv3 and issues the self-signed (default) PCoIP certificate.

Here is what my locked.properties file in C:\Program VMware View\Server\sslgateway\conf looks like:


secureProtocols.1 = TLSv1.2
secureProtocols.2 = TLSv1.1
secureProtocols.3 = TLSv1
preferredSecureProtocol = TLSv1.2
enabledCipherSuite.1 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2 = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.3 = TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4 = TLS_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5 = TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledCipherSuite.6 = SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.7 = SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.8 = SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.9 = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

And here are the registry settings that the PCoIP gateway should use for the cert (the SSLCertPSGNI key is correctly set to the public FQDN of the Security Server):

The friendly name of the cert in the Windows certificate store is vdm, and there is a private key associated with the cert. As I said, it only falls back to the default on 4172; 443 and 8443 work as expected. Any idea where to start looking for why the PCoIP gateway isn't following these settings on 4172?

Thank you

Geoff
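As an added example (not from this thread and not VMware's code), here is a small Python audit of a locked.properties file in the form shown above. It parses the numbered secureProtocols/enabledCipherSuite keys, flags SSLv2/SSLv3 and the RC4/3DES/MD5 suites a scanner would report, lists the TLS versions that are deprecated today, and reports gaps in the numbering, since a mis-typed line (for example a key and value swapped) silently drops that entry. The sample file is a constructed copy of the one in the post; the weakness markers are my own list, not VMware's.

```python
"""Audit a View Security Server locked.properties for legacy TLS settings.

Added example, not VMware's code. Parses the Java-properties style file
shown in the post and reports what a TLS scanner would flag.
"""
import re
from typing import Dict, List, Tuple

# Constructed copy of the locked.properties shown in the post.
SAMPLE_LOCKED_PROPERTIES = """\
secureProtocols.1 = TLSv1.2
secureProtocols.2 = TLSv1.1
secureProtocols.3 = TLSv1
preferredSecureProtocol = TLSv1.2
enabledCipherSuite.1 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2 = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.3 = TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4 = TLS_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5 = TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledCipherSuite.6 = SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.7 = SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.8 = SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.9 = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}          # what the post's scanner looks for
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
# Substrings that mark a JSSE suite name as legacy. The "SSL_" prefix alone is
# only JSSE naming, so it is deliberately not on this list.
WEAK_SUITE_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "anon")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' or 'key: value'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def numbered(props: Dict[str, str], prefix: str) -> Tuple[List[str], List[int]]:
    """Values of prefix.1, prefix.2, ... in order, plus any missing indices."""
    items = []
    for key, value in props.items():
        m = re.fullmatch(re.escape(prefix) + r"\.(\d+)", key)
        if m:
            items.append((int(m.group(1)), value))
    items.sort()
    present = {i for i, _ in items}
    gaps = [i for i in range(1, max(present, default=0) + 1) if i not in present]
    return [v for _, v in items], gaps


def audit(text: str) -> Dict[str, list]:
    """Return the protocol/suite lists and everything worth flagging."""
    props = parse_properties(text)
    protocols, proto_gaps = numbered(props, "secureProtocols")
    suites, suite_gaps = numbered(props, "enabledCipherSuite")
    return {
        "protocols": protocols,
        "suites": suites,
        "weak_protocols": [p for p in protocols if p in WEAK_PROTOCOLS],
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "weak_suites": [s for s in suites
                        if any(marker in s for marker in WEAK_SUITE_MARKERS)],
        "protocol_gaps": proto_gaps,
        "suite_gaps": suite_gaps,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOCKED_PROPERTIES).items():
        print(f"{key:22s} {value}")
```

Run against the post's file this reports no SSLv3, so the file itself is not what the scanner is seeing; it does, however, list the RC4 and 3DES suites, which a current scan would flag on 443 and 8443 as well.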

Just got off the phone with support. TL;DR version: it works.

More explanation, in case you need to justify it to the auditors:

Apparently most scanning services (in this case, Qualys) fail to do one very important thing when they probe port 4172: send an SNI. Without this crucial bit of info the Security Server returns the default (self-signed) cert, not the one you want. To see this in action, openssl is your friend:

c:\OpenSSL-Win32\bin>openssl s_client -connect "vcs.XXXXXXX.com:4172" -showcerts
Loading 'screen' into random state - done
CONNECTED(000001CC)
depth=1 O = PCoIP Root, CN = PCoIP Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=PCoIP Device/CN=1.1.1.1
   i:/O=PCoIP Root/CN=PCoIP Root CA
...

Now try the same connection while sending an SNI (the -servername argument):

c:\OpenSSL-Win32\bin>openssl s_client -servername vcs.XXXXXXXX.com -connect "vcs.XXXXXXX.com:4172" -showcerts
Loading 'screen' into random state - done
CONNECTED(000001CC)
...
Certificate chain
 0 s:/C=US/ST=Texas/L=Houston/O=XXXXXXXX/CN=*.XXXXXXX.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

The PCoIP Gateway sends the right cert when you connect with the View client or with a browser, but if another program (such as openssl) connects without sending an SNI, you will get the default cert (or nothing at all if you disable the legacy cert with the reg key).

Hope this helps others who have to explain why 4172 appears vulnerable according to audit reports.

Geoff
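The with/without-SNI comparison above is easy to turn into a repeatable check, so that the next audit cycle can be answered with evidence instead of a phone call. The following is an added example, not from the thread and not VMware's or Qualys's code: it drives openssl s_client exactly the way the post does (once with -servername, once without), parses the "Certificate chain" section of each run, and classifies the result. The two embedded sample outputs are constructed from the post's runs with placeholder names (O=Example, *.example.com); the host and port passed on the command line are the operator's own, and an openssl binary on PATH is assumed.

```python
"""Show what a scanner sees on a PCoIP gateway port with and without SNI.

Added example, not part of the original thread. Wraps `openssl s_client`
(assumed to be on PATH) and parses its "Certificate chain" output.
"""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Constructed sample outputs modelled on the post's two openssl runs.
# Names are placeholders, not real certificates.
SAMPLE_NO_SNI = """CONNECTED(000001CC)
depth=1 O = PCoIP Root, CN = PCoIP Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=PCoIP Device/CN=1.1.1.1
   i:/O=PCoIP Root/CN=PCoIP Root CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate
"""

SAMPLE_WITH_SNI = """CONNECTED(000001CC)
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Houston/O=Example/CN=*.example.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
"""

# Matches " 0 s:<subject>" and "   i:<issuer>" lines; works for both the old
# "/O=.../CN=..." and the newer "O = ..., CN = ..." openssl formats.
CHAIN_LINE = re.compile(r"^\s*(\d+)?\s*([si]):(.*)$")


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain: List[Tuple[str, str]] = []
    in_chain = False
    subject: Optional[str] = None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line.strip() == "---":
            break  # end of the chain section
        if not in_chain:
            continue
        m = CHAIN_LINE.match(line)
        if not m:
            continue  # PEM body lines and anything else
        kind, name = m.group(2), m.group(3).strip()
        if kind == "s":
            subject = name
        elif kind == "i" and subject is not None:
            chain.append((subject, name))
            subject = None
    return chain


def is_default_pcoip_cert(chain: List[Tuple[str, str]]) -> bool:
    """True when the leaf is the gateway's built-in self-signed PCoIP cert."""
    if not chain:
        return False
    subject, issuer = chain[0]
    return "PCoIP" in subject or "PCoIP" in issuer


def assess(no_sni_output: str, sni_output: str) -> str:
    """Classify the pair of runs the way the post explains them."""
    without, with_sni = parse_chain(no_sni_output), parse_chain(sni_output)
    if not with_sni:
        return "no-cert"                      # nothing even with SNI
    if is_default_pcoip_cert(with_sni):
        return "default-cert-always"          # configured cert never served
    if not without or is_default_pcoip_cert(without):
        return "configured-cert-requires-sni"  # the behaviour the post describes
    return "configured-cert-always"


def run_s_client(host: str, port: int, servername: Optional[str] = None,
                 timeout: int = 15) -> str:
    """Run openssl s_client once; stdin is closed so it exits after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"]
    if servername:
        cmd += ["-servername", servername]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4172
    verdict = assess(run_s_client(host, port), run_s_client(host, port, host))
    print(f"{host}:{port} -> {verdict}")
```

Usage: `python pcoip_sni_check.py vcs.example.com 4172`. A verdict of "configured-cert-requires-sni" is the situation in the post (the gateway is fine, the scanner simply did not send SNI); "default-cert-always" means the gateway really is serving the built-in cert and the cert binding needs attention.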

Tags: VMware
