PCoIP Tunneling for secure gateway

Connection Server - 5.3.0 - 1427931

Security Server - 5.3.0 - 1427931

We are running a trial of VMware Horizon View Premier, and I am having problems with PCoIP tunneling. According to our technical sales representative, the Security Server always tunnels, and the Connection Server can be made to tunnel if you turn it on ('Use PCoIP Secure Gateway for PCoIP connections to desktop' under Connection Server > Edit). However, our experience contradicts this. With the default PCoIP configuration, both internal (Connection Server) and external (Security Server) connections try to connect directly to the desktop VM over PCoIP. However, if I enable 'PCoIP Secure Gateway' on the Connection Server, then both the Security Server and the Connection Server begin tunneling PCoIP traffic.

The goal is to tunnel everything from the outside, with connections from the inside going directly to the guest VMs, but the only way I can see to do this is to stand up additional Connection (replica) servers. I have read the documentation (Installation / Administration guides), googled and watched training videos like mad, but no one seems to be able to explain it.

Your help is very appreciated.

OK, you need another broker.

Linjo

Tags: VMware

Similar Questions

  • Best practices to configure NLB for Secure Gateway and Web Access

    Hi team,

    I'm installing vWorkspace and looking for guidance on best practices for NLB with Web Access and Secure Gateway. My hosted environment is Hyper-V 2012 R2.

    My first question is whether NLB must be configured first and then the role set up, or vice versa.

    Do we have any best-practice document for configuring NLB with a 2-node Web Access server?

    Hello

    This video series was created for 7.5 and 2008 R2 but should still be valid for what you are doing today:

    https://support.software.Dell.com/vWorkspace/KB/87780

    Thank you, Andrew.

  • Problems with PCoIP Secure Gateway

    I am using View 4.6 and am faced with this configuration.  Under "View Configuration", "Servers", then "View Connection Servers" it shows my Connection Server.  The PCoIP column says no Secure Gateway is installed, which is true.  See screenshot.

    (screenshot: View-Admin1.jpg)

    The problem arises in the Connection Server settings.

    When I select my Connection Server, fill in the external URL for 'HTTP(S) Secure Tunnel' and uncheck 'Use secure tunnel connection to desktop', I can continue to use the Connection Server internally.

    When I check that box and also check 'Use PCoIP Secure Gateway for PCoIP connections to desktop', this works remotely, but not internally.  Also, the PCoIP External URL is grayed out.

    To sum up, I can get this to work for either internal or external use, but not both at the same time.

    You can make this work with just a single Connection Server for both external and internal access, but it will mean that internal PCoIP is unnecessarily sent through the gateway on a Connection Server or Security Server.

    It is best to dedicate Connection Servers to internal and external access, so that internal PCoIP goes directly between the client and the virtual desktop.

    There is a detailed description of this here: http://communities.vmware.com/docs/DOC-14974, which includes a video detailing a View deployment configuration for internal and external access.


  • Why can't I change the PCoIP External URL for my Security Server?

    I'm creating a new VMware View environment and have just added a Security Server. I can't change the address I had temporarily put there when configuring the server. Currently the option is grayed out. The option to prepare for upgrade or reinstall is also grayed out.

    Check the settings on the View Connection Server associated with this Security Server. PCoIP Secure Gateway may be deselected.

  • PCoIP connectivity through Security Server (2k8r2) w/ broker for back-end connections (2k3)

    I'm having a few problems getting PCoIP to work via a front-end Security Server on 2008 R2 and a back-end connection broker on 2003 R2. Has anyone gotten this working? When I try to connect over PCoIP externally, I get a black screen on the virtual machine, and then the connection fails with 'The connection to the remote computer ended'.

    I have configured my firewall for the additional ports and I'm stuck... has anyone gotten this working with a 2k8r2 front end and 2003 R2 back end?

    Thank you!

    Make sure you check the box 'Use PCoIP Secure Gateway for PCoIP connections to desktop' on the Edit Connection Server screen. I missed this for a few minutes, and it had me confused.

  • Work around the internal Secure Gateway and use the same Web Access URL externally and internally

    1 Quest broker role
    1 Secure Gateway with the Web Access role
    1 Terminal Server

    I configured the default gateway with the security rule parameter 'vWorkspace Secure Gateway'.
    I created a custom rule with the value 172.16.1.177 (it's my internal Windows 7 client).
    When I navigate to the internal URL (FQDN of the Secure Gateway server) I bypass it (tsdebug shows no SSLGateway).

    But now I want to use one URL, so that internal and external users type the same URL.
    Now when I navigate to the external URL from the internal machine with the IP above, I always go through the Secure Gateway; I see an SSLGateway.

    Hi Erik,

    I think this has been fixed in our latest version 8.5 - documents.software.dell.com/DOC252107

    Please download and upgrade your farm and let us know if you still see this problem.

    If you do, it may be best to log a service request so that we can see exactly what is happening.

    Thanks, Sam

  • Secure Gateway

    Hello

    We have a mixture of zero clients and software clients, and I'm having a problem where the internal software clients seem to be tunnelling through the PCoIP Secure Gateway on the Connection Servers for internal connections, rather than connecting directly to the desktop. This works until we do maintenance on our Connection Servers, as the software clients get disconnected when we reboot a Connection Server.

    In the example below, the top one is a software client, the bottom one is a zero client.

    (screenshot: Sessions.png)

    Our internal Connection Servers do not have 'Use PCoIP Secure Gateway' checked, as shown below.

    (screenshot: Connection Server.png)

    Does anyone have an idea why this happens? Can we change the behavior so that software clients don't tunnel through the Connection Servers, or is this the expected behavior?

    We run View 5.1, Win 7 VMs with View Agent 5.1.

    Thank you

    The answer is in the screenshot you posted - nothing is going through the PCoIP Secure Gateway, but software clients always establish an HTTP(S) Secure Tunnel connection to the Connection Server. This is used for the channel framework (used for USB transport for software clients) and MMR, among other things. If you want truly direct connections then this should also be disabled. Please see the Administration Guide for more details on this setting.

    Mike

  • VMware View 4.6 PCoIP tunneling problem. UDP does not get tunneled


    Hello

    I have the 'classic' black screen question.
    So, when I try to connect to a virtual desktop, I am authenticated fine, I can select a desktop pool, but once the desktop is launching,
    I just get a black screen and after a while it times out.

    I read the manuals, the document http://communities.VMware.com/docs/doc-14974 written by Mark Benson; watched the video; checked and re-checked the 3 magic steps;
    read Paul Slager's blog http://paulslager.com/?p=1300 and still I'm stuck. I read (some of) the logs from the View Connection Server, View Security Server, View Client and View Agent.
    None of the logs I read gave me any significant errors that would have solved this for me. Admittedly, in the 'full' logs (trace state) there's a lot that wasn't exactly clear to me.

    I have simplified our debugging environment to be as follows:

    View Connection Server,
    running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Connection Server 4.6.0-366101.
    The checkboxes for both 'HTTPS Secure Tunnel: Use secure tunnel connection to desktop' and 'PCoIP Secure Gateway: Use PCoIP Secure Gateway for PCoIP connections to desktop' have been checked.

    View Security Server,
    running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Security Server 4.6.0-366101.
    It has been paired with the Connection Server, and both 'HTTPS Secure Tunnel: External URL' and 'PCoIP Secure Gateway: PCoIP External URL' have been set to a virtual IP address on the external firewall DMZ, with a destination NAT to the real IP address of the Security Server.

    The View Clients are pointed at the virtual IP address of the View Security Server.

    Since it is not a production environment, I installed a bunch of Wireshark instances to see the traffic;
    I ran captures on the View Connection Server, View Security Server, View Client and the connected virtual desktop
    at the same time, and have verified that TCP PCoIP traffic on port 4172 is passing between my security server host <-> client and
    security server <-> virtual desktop just fine. TCP traffic seems to be in the tunnel. But what bothers me is that Wireshark on the virtual desktop reveals that the virtual desktop is trying
    to send UDP port 4172 traffic directly back to my View Client host IP. Because this is not allowed by the firewall, the virtual desktop probably does not work...

    But all the scenarios describe that the Security Server alone can handle all PCoIP traffic with the View Agent (as shown in the architecture documentation in Figure 5-6), so that no direct connection between the View Client and the View Agent is necessary... I can't make it work. But it is possible, right?

    Any ideas what I could do wrong?

    Help really appreciated.

    It works in the way that you described in your original post. There is no requirement for the virtual desktop to send UDP responses to the client. They will be sent to the Security Server, which will in turn forward them to the client.

    Something must be configured incorrectly.

    Check the UDP traffic in your Wireshark traces very carefully. From the client, you should see TCP 4172 to the VIP of your SS. You should then see UDP 4172 to the same VIP. You should see the UDP response data from the SS to the client. The destination UDP port for this response data must be the source port used for the UDP request. The source port for the response data must be 4172.

    Then check your SS Wireshark trace. You should see the same client traffic, and you should see a similar PCoIP conversation between the SS and the virtual desktop. From the virtual desktop, the SS looks like a client. PCoIP UDP must be sent to the SS when it is properly configured.

    Client - TCP 4172 -> SS - TCP 4172 -> Virtual Desktop

    Client - UDP 4172 -> SS - UDP 4172 -> Virtual Desktop

    Client <- UDP 4172 -- SS <- UDP 4172 -- Virtual Desktop (the 4172 here is the src port; the dst UDP port will be the source port of the UDP request packets above)

    If you have verified that you can connect to the same virtual desktop with PCoIP, then this problem will not be anything to do with the virtual desktop or View Agent etc.

    Check your View settings, network, firewall and NAT.

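As an added example, not from this thread or from VMware, the following Go program applies the port rules given in the answer above to a summary of capture flows of the kind one reads off Wireshark's conversation list. The host labels, port numbers and both sample captures are constructed for the example. It reports every deviation from the tunnelled pattern, including the symptom from the question: the desktop sending its UDP 4172 traffic straight at the client instead of to the Security Server.

```go
package main

import "fmt"

// Flow is one packet direction as read off a Wireshark conversation list.
// Hosts are role labels, not real addresses (constructed example data).
type Flow struct {
	Proto            string // "TCP" or "UDP"
	Src, Dst         string
	SrcPort, DstPort int
}

const (
	PCoIPPort = 4172
	Client    = "client"
	SS        = "security-server" // Security Server acting as PCoIP Secure Gateway
	Desktop   = "virtual-desktop"
)

// CheckPCoIPTunnel verifies the tunnelled pattern described in the answer:
//
//	Client -TCP 4172-> SS -TCP 4172-> Desktop
//	Client -UDP 4172-> SS -UDP 4172-> Desktop
//	Client <-UDP 4172-- SS <-UDP 4172-- Desktop  (src 4172, dst = requester's source port)
//
// Flows must be in capture order so a reply can be matched to its request.
// Traffic that is not PCoIP (the HTTPS tunnel on 443, for example) is ignored.
// It returns one string per deviation; an empty result means the capture
// matches the gateway-tunnelled exchange.
func CheckPCoIPTunnel(flows []Flow) []string {
	var findings []string
	seen := map[string]bool{}
	clientUDPSrc, ssUDPSrc := 0, 0

	for _, f := range flows {
		key := f.Proto + ":" + f.Src + "->" + f.Dst
		switch {
		case f.Src == Client && f.Dst == SS && f.DstPort == PCoIPPort:
			seen[key] = true
			if f.Proto == "UDP" {
				clientUDPSrc = f.SrcPort // the reply must come back to this port
			}
		case f.Src == SS && f.Dst == Desktop && f.DstPort == PCoIPPort:
			seen[key] = true
			if f.Proto == "UDP" {
				ssUDPSrc = f.SrcPort // to the desktop, the SS is the client
			}
		case f.Proto == "UDP" && f.Src == SS && f.Dst == Client:
			seen[key] = true
			findings = append(findings, checkReply(f, clientUDPSrc)...)
		case f.Proto == "UDP" && f.Src == Desktop && f.Dst == SS:
			seen[key] = true
			findings = append(findings, checkReply(f, ssUDPSrc)...)
		case f.Src == Desktop && f.Dst == Client:
			// The symptom from the question: the desktop answers the client
			// directly, so the Secure Gateway is not carrying this session.
			findings = append(findings, fmt.Sprintf(
				"%s %s:%d -> %s:%d goes directly from the desktop to the client; the Secure Gateway is not tunnelling this session",
				f.Proto, f.Src, f.SrcPort, f.Dst, f.DstPort))
		}
	}

	// Every leg of the tunnelled exchange has to be present.
	for _, leg := range []string{
		"TCP:" + Client + "->" + SS, "UDP:" + Client + "->" + SS,
		"TCP:" + SS + "->" + Desktop, "UDP:" + SS + "->" + Desktop,
		"UDP:" + SS + "->" + Client, "UDP:" + Desktop + "->" + SS,
	} {
		if !seen[leg] {
			findings = append(findings, "missing leg: "+leg)
		}
	}
	return findings
}

// checkReply applies the two port rules to a UDP reply leg: source port 4172,
// destination port equal to the source port of the matching request.
func checkReply(f Flow, expectDst int) []string {
	var out []string
	if f.SrcPort != PCoIPPort {
		out = append(out, fmt.Sprintf("UDP %s -> %s reply has src port %d, expected %d", f.Src, f.Dst, f.SrcPort, PCoIPPort))
	}
	if expectDst != 0 && f.DstPort != expectDst {
		out = append(out, fmt.Sprintf("UDP %s -> %s reply has dst port %d, expected the request's src port %d", f.Src, f.Dst, f.DstPort, expectDst))
	}
	return out
}

// TunnelledCapture is a constructed trace that matches the expected pattern.
func TunnelledCapture() []Flow {
	return []Flow{
		{"TCP", Client, SS, 51000, PCoIPPort}, {"TCP", SS, Desktop, 49152, PCoIPPort},
		{"UDP", Client, SS, 51001, PCoIPPort}, {"UDP", SS, Desktop, 49153, PCoIPPort},
		{"UDP", Desktop, SS, PCoIPPort, 49153}, {"UDP", SS, Client, PCoIPPort, 51001},
	}
}

// BypassCapture is a constructed trace of the question's symptom: TCP is
// tunnelled, but the desktop sends its UDP straight at the client.
func BypassCapture() []Flow {
	return []Flow{
		{"TCP", Client, SS, 51000, PCoIPPort}, {"TCP", SS, Desktop, 49152, PCoIPPort},
		{"UDP", Client, SS, 51001, PCoIPPort}, {"UDP", SS, Desktop, 49153, PCoIPPort},
		{"UDP", Desktop, Client, PCoIPPort, 51001},
	}
}

func main() {
	for _, finding := range CheckPCoIPTunnel(BypassCapture()) {
		fmt.Println(finding)
	}
}
```

Run against the bypass trace it prints the direct desktop-to-client leg and the two legs that never appear (SS to client, desktop to SS), which is exactly what the poster's capture on the virtual desktop shows.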

  • Secure gateway has rejected the connection

    Having a problem with the VPN sending this back to the end users.  Have changed the cert map and other things, but still this message.  Here's a copy of the CLI errors and configuration.

    The exact error is:

    The secure gateway has rejected the connection attempt.  A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.  The following message was received from the secure gateway: No assigned address

    tunnel-group SRHVPN type remote-access
    tunnel-group SRHVPN general-attributes
     address-pool (outside) SRHVPN
     address-pool SRHVPN
     default-group-policy GroupPolicy_SRHVPN
     dhcp-server 10.10.10.253
    tunnel-group SRHVPN webvpn-attributes
     authentication certificate
     group-alias SRHVPN enable
    tunnel-group-map enable rules
    tunnel-group-map default-group SRHVPN
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 3
     anyconnect profiles SRHVPN_client_profile disk0:/SRHVPN_client_profile.xml
    webvpn_file_encoding.c:webvpn_get_file_encoding_db_first [68]
     anyconnect enable
     tunnel-group-list enable
     tunnel-group-preference group-url
     certificate-group-map CERT-map 10 SRHVPN
     application-type citrix-receiver default-tunnel-group SRHVPN
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     default-domain value SR.VPN.donot.TS
    group-policy GroupPolicy_SRHVPN internal
    group-policy GroupPolicy_SRHVPN attributes
     wins-server value 10.10.10.253
     dns-server value 10.10.10.252
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     default-domain value SR.VPN.donot.TS
     address-pools value SRHVPN

    You have a DHCP server configured on the tunnel-group. That would take precedence for address assignment. The order of address assignment is AAA, DHCP and then local.

    tunnel-group SRHVPN general-attributes
     address-pool (outside) SRHVPN
     address-pool SRHVPN
     default-group-policy GroupPolicy_SRHVPN
     dhcp-server 10.10.10.253

    I recommend you remove this configuration if you do not use a DHCP server.

    Also, when assignment is done by DHCP, the ASA may disable local VPN address assignment. The default is a hidden command, so you need to look at 'show run all' to see it. Like this:

    ASA# sh run all | in vpn-addr
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local reuse-delay 0

    If you use only the local pool to assign IP addresses, the above would be the configuration you need. If you need DHCP or AAA IP address assignment, activate that method by adding the corresponding command.
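An added example, not from this thread or from Cisco: this Go helper reads 'show running-config all' text and reports, for one tunnel-group, which address sources the ASA will try in the order given in the answer above (AAA, DHCP, local pool), and warns when a dhcp-server line sits in front of a local pool. The two embedded configurations are constructed: one in the shape of the question's snippet with the hidden toggles written out as 'sh run all' prints them, the other after the recommended change. The parser only understands the commands the thread discusses.

```go
package main

import (
	"fmt"
	"strings"
)

// AddrAssignReport lists the address sources the ASA will try for one
// tunnel-group in the precedence order the answer gives: AAA, DHCP, local pool.
type AddrAssignReport struct {
	Order    []string
	Warnings []string
}

// AnalyzeAddrAssign reads "show running-config all" text for one tunnel-group.
// Constructed helper for this example: it only understands the commands the
// thread discusses (vpn-addr-assign, dhcp-server, address-pool, address-pools value).
func AnalyzeAddrAssign(runAll, tunnelGroup string) AddrAssignReport {
	// "sh run all" prints the three toggles explicitly; an absent line is
	// treated as enabled, matching the ASA default the answer refers to.
	enabled := map[string]bool{"aaa": true, "dhcp": true, "local": true}
	hasDHCP, hasPool, inGroup := false, false, false
	header := "tunnel-group " + tunnelGroup + " general-attributes"

	for _, raw := range strings.Split(runAll, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if !strings.HasPrefix(raw, " ") { // an unindented line starts a new block
			inGroup = line == header
		}
		switch {
		case len(f) >= 3 && f[0] == "no" && f[1] == "vpn-addr-assign":
			enabled[f[2]] = false
		case len(f) >= 2 && f[0] == "vpn-addr-assign":
			enabled[f[1]] = true
		case inGroup && f[0] == "dhcp-server":
			hasDHCP = true
		case inGroup && f[0] == "address-pool":
			hasPool = true
		case len(f) >= 3 && f[0] == "address-pools" && f[1] == "value": // pool set on a group-policy
			hasPool = true
		}
	}

	var r AddrAssignReport
	if enabled["aaa"] {
		r.Order = append(r.Order, "AAA") // only applies if the AAA server returns an address
	}
	if enabled["dhcp"] && hasDHCP {
		r.Order = append(r.Order, "DHCP")
	}
	if enabled["local"] && hasPool {
		r.Order = append(r.Order, "local pool")
	}
	if enabled["dhcp"] && hasDHCP && hasPool {
		r.Warnings = append(r.Warnings, "dhcp-server on "+tunnelGroup+
			" is consulted before the local pool; remove it unless a DHCP server is really in use")
	}
	if len(r.Order) == 0 {
		r.Warnings = append(r.Warnings, "no enabled address source for "+tunnelGroup)
	}
	return r
}

// AsPosted is a constructed running-config in the shape of the question's
// snippet, with the hidden vpn-addr-assign defaults shown as "sh run all" prints them.
const AsPosted = `vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
tunnel-group SRHVPN webvpn-attributes
 authentication certificate
`

// LocalPoolOnly is the same configuration after following the advice above:
// dhcp-server removed and only local assignment left enabled.
const LocalPoolOnly = `no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
tunnel-group SRHVPN webvpn-attributes
 authentication certificate
`

func main() {
	for name, cfg := range map[string]string{"as posted": AsPosted, "local pool only": LocalPoolOnly} {
		r := AnalyzeAddrAssign(cfg, "SRHVPN")
		fmt.Printf("%s: order=%v warnings=%v\n", name, r.Order, r.Warnings)
	}
}
```

For the posted shape the report is AAA, DHCP, local pool with one warning about the dhcp-server line; after the change it is the local pool alone with no warnings.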

  • How to get PCoIP working for LAN and Internet clients?

    A bit confused, and I may be missing something simple.

    We have a simple configuration: one View Connection Server and 80 LAN-based clients... everything has been fine for many years and we are on version 5.3.4.

    We have added a certificate to our View Connection Server, punched a few holes through the firewall and got connections working over the internet.

    To get that to work with PCoIP, I of course had to check the PCoIP Secure Gateway option and specify the PCoIP External URL with the correct external IP address of our View Connection Server.

    This works perfectly over the internet.

    But it causes the internal LAN clients to fail on PCoIP, because they get the external IP address and have problems with it... If I uncheck 'Use PCoIP Secure Gateway for PCoIP connections to desktop', then the LAN clients connect over PCoIP just fine.

    Our firewall is managed and hosted by a third party.

    How is it possible to make the internet clients and the LAN clients work at the same time?  How can LAN clients work when the 'Use PCoIP Secure Gateway' option is checked and the PCoIP External URL is the external IP address of the View Connection Server?  Is it a firewall issue, or am I missing something simple?

    In most environments, there will be separate Connection Servers for internal and external connections.  One will be paired with a Security Server for external connections, and the other will be internal only.  This will also allow you to use Connection Server tags to restrict what is accessible from the internet.

  • Secure Gateway problem

    I have a problem connecting through the Secure Gateway.

    The following error occurs when accessing the environment through the Secure Gateway:

    - The environment runs 2 Secure Gateway servers (load balanced using a Fortigate)

    - The Secure Gateway servers are configured to run Connection Broker and RDP proxying using the same IP address

    - It is configured to use an SSL wildcard certificate

    I cannot successfully use pntsc (from the outside) and retrieve the desktop settings (through the Secure Gateway).

    The client is configured as below (the same FQDN is used, which matches the wildcard cert).

    The proxy for the Connection Broker and the proxy for RDP traffic use the same IP and port, which is accessible from the outside, since I can successfully connect to the broker through the Secure Gateway. What could be the problem with the RDP proxy part? Specific parameters for the Fortigate?

    The Desktop Services bridge log shows the following at the time of the error:

    10:56:19 - 2924:2772 - security [972] context OK
    10:56:19 - 2924:2772 - SSL handshake ok [972]
    10:56:19 - 2924:2772 - [972] given Extra after the SSL handshake
    10:56:19 - 2924:2772 - [972] reading data, 569 bytes
    10:56:19 - 2924:2772 - client full ticket, broker auth required = true
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket timeout = 300, connect the window = 15
    10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: CTicketCache::handleConnectMsg returned 3
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket not found in the cache, with broker ticket validation...
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: successfully validated the ticket
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: after validating, call the addTicketAfterValidateIf returned 4
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket added, connection was not possessed or current thread added to the owners, after validation
    10:56:19 - 2924:2772 - CProxyThread::ConnectToServer [816]: disable the nagle algorithm
    10:56:19 - 2924:2772 - * Handle to Thread [972 816] 00000478, Id 00000ad4
    10:56:19 - 2924:2772 - Start [972 816]: 9:56:19.112 08/01/2014
    10:56:19 - 2924:2772 - [972 816] NL, XXXX, XXX, XXX XX XXXX, XXXX, XXXX, Wildcard SSL, *. [email protected], of 10.3.72.32:3389
    10:56:29 - 2924:2772 - Server [972 816] Recv 0
    10:56:29 - 2924:2772 - [972] CTicketCache::handleProxyEnd returned 10
    10:56:29 - 2924:2772 - [972 816] proxy's client 0 bytes, 0 bytes Server
    10:56:29 - 2924:2772 - Server SSL channel cleaning [972]
    10:56:29 - 2924:2772 - [972] 37 bytes of handshake data sent
    10:56:29 - 2924:2772 - [972] 0000 15 03 01 00 20 4 b 5 a: 96 c2 e0 a6 e5 1 7 a 1 d 89... K.Z.... z...
    10:56:29 - 2924:2772 - [972] finished cleaning.
    10:56:29 - 2924:2772 - end of thread [972 816].

    Any clues?

    For people with the same problem: we managed to make it work using the Source IP Hash option on the Fortigate.

    Thanks Andrew for the fast support!

  • VPN could not establish a connection to the security gateway

    My VPN connection worked, but now, after several hours, I cannot connect.

    My LAN works. (Windows Server 2003)

    The app:

    Cisco Systems VPN Client

    The error message:

    Opening TCP to 209.189.224.138, port 10000...

    Communicating with the gateway to 209.189.224.138...

    Cannot establish a connection to the security gateway.

    What could be the problem?

    Thank you

    Greg

    Hi Greg,

    In the tunnel properties -> Transport mode, select 'IPsec over UDP' and try to connect... I think that right now you are connecting via TCP 10000.

    Regards

    REDA

  • AnyConnect 3.1 - the certificate on the secure gateway is not valid

    Hi guys,

    I have a problem with AnyConnect 3.1.01065.

    When I try to connect I get 'The certificate on the secure gateway is invalid. A VPN connection will not be established.'

    The certificate is a self-signed cert.

    AnyConnect 2.5 works without problems.

    ASA image: 8.4(2).

    [27.11.2012 15:58:27] Ready to connect.
    [27.11.2012 16:01:49] Contacting IP_WAN.
    [27.11.2012 16:01:52] Please enter your username and password.
    [27.11.2012 16:02:01] User credentials entered.
    [27.11.2012 16:02:02] Establishing VPN session...
    [27.11.2012 16:02:03] Checking for profile updates...
    [27.11.2012 16:02:03] Checking for product updates...
    [27.11.2012 16:02:03] Checking for customization updates...
    [27.11.2012 16:02:03] Performing any required updates...
    [27.11.2012 16:02:08] Establishing VPN session...
    [27.11.2012 16:02:08] Establishing VPN - Initiating connection...
    [27.11.2012 16:02:09] Disconnect in progress, please wait...
    [27.11.2012 16:02:13] Connection attempt has failed.

    Anyone had this problem before?

    Thank you very much.

    Hello Cristian,

    Please see this:

    Bug details for CSCua89091:
    The local certificate authority must support the EKU and other necessary attributes

    Symptom:
    The local CA on the ASA currently does not support attributes like the EKU. This enhancement request is to add support for this.
    Workaround:
    Configure the cert in the client profile

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

    And the following:

    DOC: AnyConnect requires specific Extended Key Usage attributes in certs

    Symptom:
    When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to 'Server Authentication', then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have 'Client Authentication', otherwise the ASA will reject it...
    Conditions:
    Using an ID certificate on the ASA with an EKU other than 'Server Authentication'
    Using an ID certificate on the client with an EKU other than 'Client Authentication'

    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

    So at this point, you need to set up the appropriate certificate or use an earlier version of the AnyConnect client.

    HTH.

    Please rate all useful posts
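The EKU requirement quoted in the answer above can be reproduced with Go's standard library. This is an added example, not Cisco's code and not taken from the bug notes. It generates two constructed self-signed identity certificates (the hostname is a placeholder), one carrying Server Authentication and one carrying only Client Authentication, then verifies each one with the purpose a client requires of a gateway certificate; the second fails in the same way the bug note describes the AnyConnect client rejecting the ASA certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ekuNames maps the EKUs this example cares about to the names the bug notes use.
var ekuNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "Server Authentication",
	x509.ExtKeyUsageClientAuth: "Client Authentication",
}

// SelfSignedIdentityCert builds a constructed self-signed ID certificate with
// the given Extended Key Usage values, standing in for the ASA's (or a
// client's) identity cert. The name is a placeholder, not a real host.
func SelfSignedIdentityCert(cn string, ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ListEKU returns the human-readable EKU names present on the certificate.
func ListEKU(cert *x509.Certificate) []string {
	var out []string
	for _, eku := range cert.ExtKeyUsage {
		if name, ok := ekuNames[eku]; ok {
			out = append(out, name)
		} else {
			out = append(out, fmt.Sprintf("EKU(%d)", eku))
		}
	}
	return out
}

// checkUsage does what each side of the handshake does with the peer's
// certificate: trust it (here the self-signed cert itself, as in the
// question) and require the named purpose. When the EKU list lacks that
// purpose, Go's verifier returns an "incompatible key usage" error.
func checkUsage(cert *x509.Certificate, required x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{required}})
	return err
}

// GatewayCertAcceptable is the client-side check: the gateway's ID cert must carry Server Authentication.
func GatewayCertAcceptable(cert *x509.Certificate) error { return checkUsage(cert, x509.ExtKeyUsageServerAuth) }

// ClientCertAcceptable is the ASA-side check: the client's ID cert must carry Client Authentication.
func ClientCertAcceptable(cert *x509.Certificate) error { return checkUsage(cert, x509.ExtKeyUsageClientAuth) }

// GoodGatewayCert carries Server Authentication, as the bug note requires.
func GoodGatewayCert() (*x509.Certificate, error) {
	return SelfSignedIdentityCert("asa.example.invalid", x509.ExtKeyUsageServerAuth)
}

// BadGatewayCert carries only Client Authentication: the misconfiguration the bug note describes.
func BadGatewayCert() (*x509.Certificate, error) {
	return SelfSignedIdentityCert("asa.example.invalid",  x509.ExtKeyUsageClientAuth)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){GoodGatewayCert, BadGatewayCert} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("EKU %v -> gateway check: %v\n", ListEKU(cert), GatewayCertAcceptable(cert))
	}
}
```

The same checkUsage call with Client Authentication is what the ASA side of the note corresponds to, so the clientAuth-only certificate that fails as a gateway identity passes as a client identity.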

  • AnyConnect 4.1 - cannot get the secure gateway configuration

    So I have AnyConnect working on one ASA; however, on another ASA located in another country, I get the following error:

    'Unable to get the secure gateway configuration.'

    I get a prompt for the username and password and it seems to authenticate just fine; however, at the 'checking for profile updates' step I get this error.

    I was comparing my two setups and they look identical.

    Working ASA model: 5512, version 9.1(4)

    Not working ASA: 5510, version 9.1(4)

    Client version: 4.1.02011

    Any ideas?

    Thank you

    Hello, Kevin.

    As far as I know, if there is no client profile configured on the ASA, the AnyConnect client software will use the default client profile, which is placed on the local computer (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) when the AnyConnect software is installed.

  • vSphere 5, vCSA, View Manager and Secure Gateway

    Hello everyone

    I need some advice...

    A new vSphere 5 infrastructure situation:

    3 HP ProLiant servers, each connected via iSCSI to external storage
    VMware vSphere Essentials Plus Kit 5 (used for the server VMs) as the main virtualization infrastructure
    VMware View 5 Premier add-on for virtualizing the desktop machines
    approx. 20 server VMs
    approx. 10 desktop VMs
    My questions:
    For vCenter, I thought of using the vCenter Server Appliance (vCSA), which can be used for up to 5 hosts and 50 VMs,
    but for View Manager, to manage the desktop machines, what should I use?
    Is there also a View Manager appliance?
    Or do I need to install it on a separate Windows 2008 Server?
    Does it need to be a member of the Windows domain?
    And for the VMware Secure Gateway?
    Is there an appliance, or must it be installed on a separate Windows 2008 Server?
    When using the vCSA, do you need to have a domain controller on the network?
    Thanks for your replies guys

    No.... vCenter and View Manager use 'ADAM', which is AD in user mode, and it is not compatible with an AD domain controller.

    You need at least 3 Windows servers (1 AD DC + DNS + DHCP, 1 vCenter + Composer, 1 View Manager)
