Secure Gateway
Hello
We have a mixture of zero clients and software clients, and I'm having a problem where the internal software clients seem to be tunnelling through the connection servers' PCoIP Secure Gateway for internal connections, rather than connecting directly to the desktop. This works until we do maintenance on our connection servers, as the software clients disconnect when we reboot a connection server.
In the example below, the top one is a software client, the bottom one is a zero client.
Our internal connection servers do not have "Use PCoIP Secure Gateway" checked, as shown below.
Does anyone have an idea why this happens? Can we change the behaviour so that software clients don't tunnel through the connection servers, or is this the expected behaviour?
We run View 5.1, Windows 7 VMs with View Agent 5.1, and Connection Server 5.1.
Thank you
The answer is in the screenshot you posted: nothing goes through the PCoIP Secure Gateway, but software clients always establish an HTTP(S) Secure Tunnel connection to the connection server. This is used for the channel framework (which carries USB redirection for software clients) and MMR, among other things. If you want truly direct connections then this should also be disabled. Please see the administration guide for more details on this setting.
Mike
Tags: VMware
Similar Questions
-
Best practices to configure NLB for Secure Gateway and Web access
Hi team,
I'm setting up vWorkspace and looking for guidance on best practices for NLB with Web Access and Secure Gateway. My hosted environment is Hyper-V 2012 R2.
My first question is whether NLB must be configured first and then the roles set up, or vice versa.
Do we have any best-practice document for configuring NLB with a 2-node Web Access server?
Hello
This video series was created for 7.5 and 2008 R2 but should still be valid for what you are doing today:
https://support.software.Dell.com/vWorkspace/KB/87780
Thank you, Andrew.
-
Working around the internal Secure Gateway with the same URL for external and internal Web Access
1 Quest broker role
1 Secure Gateway with the Web Access roles
1 terminal server
I configured the default gateway with the security rule parameter "vWorkspace Secure Gateway".
I created a custom rule with the value 172.16.1.177 (it's my internal Windows 7 client).
When I browse to the internal URL (FQDN of the Secure Gateway server), it is bypassed (tsdebug shows no SSL gateway). But now I want to use one URL for internal and external, so that everyone types the same URL.
Now when I browse to the external URL from the internal machine with the IP above, I always go through the Secure Gateway; I see an SSLGateway.
Hi Erik,
I think this has been fixed in our latest version 8.5 - documents.software.dell.com/DOC252107
Please download and upgrade your farm and let us know if you still see this problem.
If you do, it may be best to log a service request so that we can see exactly what is happening.
Thanks, Sam
-
I have a problem connecting through Secure Gateway.
The following error occurs when accessing the environment using Secure Gateway:
- The environment has 2 Secure Gateway servers (load balanced using a Fortigate)
- The Secure Gateway servers are configured to proxy Connection Broker and RDP using the same IP address
- It's configured to use a wildcard SSL certificate
I cannot use pntsc successfully (from outside) and retrieve the desktop settings (via Secure Gateway).
The client is configured as below (the same FQDN is used, which matches the wildcard cert).
The proxy for Connection Broker and the proxy for RDP traffic use the same IP and port, which is accessible from outside, because I can connect to the broker successfully through the Secure Gateway. What could be the problem with the RDP proxy part? Specific parameters for the Fortigate?
The Secure Gateway log shows the following at the time of the error:
10:56:19 - 2924:2772 - [972] security context OK
10:56:19 - 2924:2772 - [972] SSL handshake ok
10:56:19 - 2924:2772 - [972] extra data after the SSL handshake
10:56:19 - 2924:2772 - [972] reading data, 569 bytes
10:56:19 - 2924:2772 - [972] client full ticket, broker auth required = true
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: ticket timeout = 300, connect window = 15
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: CTicketCache::handleConnectMsg returned 3
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: ticket not found in the cache, validating ticket with broker...
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: successfully validated the ticket
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: after validating, call to addTicketAfterValidateIf returned 4
10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: ticket added, connection was not owned or current thread added to the owners, after validation
10:56:19 - 2924:2772 - [816] CProxyThread::ConnectToServer: disabling the Nagle algorithm
10:56:19 - 2924:2772 - [972 816] Thread Handle 00000478, Id 00000ad4
10:56:19 - 2924:2772 - [972 816] Start: 9:56:19.112 08/01/2014
10:56:19 - 2924:2772 - [972 816] NL, XXXX, XXX, XXX XX XXXX, XXXX, XXXX, Wildcard SSL, *.[email protected], to 10.3.72.32:3389
10:56:29 - 2924:2772 - [972 816] Server Recv 0
10:56:29 - 2924:2772 - [972] CTicketCache::handleProxyEnd returned 10
10:56:29 - 2924:2772 - [972 816] proxied client 0 bytes, server 0 bytes
10:56:29 - 2924:2772 - [972] cleaning up server SSL channel
10:56:29 - 2924:2772 - [972] 37 bytes of handshake data sent
10:56:29 - 2924:2772 - [972] 0000 15 03 01 00 20 4b 5a 96 c2 e0 a6 e5 17 a1 d8 9... K.Z.... z...
10:56:29 - 2924:2772 - [972] finished cleaning up.
10:56:29 - 2924:2772 - [972 816] end of thread.
Any clues?
For people with the same problem: we managed to make it work using the Source IP Hash option on the Fortigate.
Thanks Andrew for the fast support!
-
VPN could not establish a connection to the security gateway
My VPN connection worked, but now, after several hours, I cannot connect.
My LAN works. (Windows Server 2003)
The app:
Cisco Systems VPN Client
The error message:
Opening TCP to 209.189.224.138, port 10000...
Communicating with the gateway to 209.189.224.138...
Cannot establish a connection to the security gateway.
What could be the problem?
Thank you
Greg
Hi Greg,
In the tunnel properties -> Transport mode, select IPsec over UDP and try to connect... I think that right now you are connecting via TCP 10000.
Regards,
REDA
-
AnyConnect 3.1 - the certificate on the secure gateway is not valid
Hi guys,.
I have a problem with the Anyconnect 3.1.01065.
When I try to connect I get "The certificate on the secure gateway is not valid. A VPN connection cannot be established."
The certificate is a self-signed cert.
AnyConnect 2.5 works without problems.
ASA image: 8.4(2).
[27.11.2012 15:58:27] Ready to connect.
[27.11.2012 16:01:49] Contacting IP_WAN.
[27.11.2012 16:01:52] Please enter your username and password.
[27.11.2012 16:02:01] User credentials entered.
[27.11.2012 16:02:02] Establishing VPN session...
[27.11.2012 16:02:03] Checking for profile updates...
[27.11.2012 16:02:03] Checking for product updates...
[27.11.2012 16:02:03] Checking for customization updates...
[27.11.2012 16:02:03] Performing any required updates...
[27.11.2012 16:02:08] Establishing VPN session...
[27.11.2012 16:02:08] Establishing VPN - Initiating connection...
[27.11.2012 16:02:09] Disconnect in progress, please wait...
[27.11.2012 16:02:13] Connection attempt has failed.
Anyone had this problem before?
Thank you very much.
Hello Cristian,
Please see this:
Bug details CSCua89091
Local CA must support EKU and other needed attributes
Symptom:
The local CA on the ASA currently does not support attributes like the EKU. This enhancement request is to add support for this.
Workaround:
Configure the cert in the client profile
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091
And the following:
DOC: AnyConnect requires specific Extended Key Usage attributes in certs
Symptom:
When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to "Server Authentication", then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have "Client Authentication", otherwise the ASA will reject it...
Conditions:
Using an ID certificate on the ASA with an EKU other than "Server Authentication"
Using an ID certificate on the client that has an EKU other than "Client Authentication"
Workaround:
Generate a new ID certificate with the correct Extended Key Usage
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
So at this point you need to set up a matching certificate or use an earlier version of the AnyConnect client.
HTH.
Please rate all useful posts
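The EKU rule quoted in the answer above (serverAuth on the ASA identity certificate, clientAuth on the client identity certificate) is easy to check before a certificate is installed. The example below is added here and is not Cisco's code or part of the bug notes: it uses the `cryptography` library to generate throwaway self-signed certificates with and without the right EKU, and the same check_* functions work on any certificate loaded from PEM. The host name vpn.example.net is hypothetical. Treating a certificate with no EKU extension at all as a failure is this example's own conservative choice; the bug notes only describe the wrong-EKU case.

```python
"""Check the Extended Key Usage AnyConnect expects on the ASA identity
certificate (serverAuth) and on a client identity certificate (clientAuth).

Added example, not Cisco's code or the bug text's. Certificates are generated
here only so the check can run offline; load_pem() runs it on a real one.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH  # 1.3.6.1.5.5.7.3.1, "TLS Web Server Authentication"
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH  # 1.3.6.1.5.5.7.3.2, "TLS Web Client Authentication"


def make_self_signed(common_name, ekus=None):
    """Build a throwaway self-signed certificate; `ekus` is a list of EKU OIDs or None (no EKU)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def eku_oids(cert):
    """Return the certificate's EKU OIDs as dotted strings, or None if there is no EKU extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return None
    return [oid.dotted_string for oid in ext.value]


def _check(cert, required, role):
    """Shared rule: the EKU extension must be present and must include `required`.

    A missing EKU is reported as a failure; that is this example's conservative
    choice (assumption), the bug notes only cover a present-but-wrong EKU.
    """
    oids = eku_oids(cert)
    if oids is None:
        return False, f"{role} certificate has no Extended Key Usage extension"
    if required.dotted_string not in oids:
        return False, f"{role} certificate EKU {oids} lacks {required.dotted_string}"
    return True, f"{role} certificate EKU is acceptable"


def check_gateway_cert(cert):
    """The ASA (secure gateway) identity certificate must carry serverAuth."""
    return _check(cert, SERVER_AUTH, "gateway")


def check_client_cert(cert):
    """A client identity certificate used for certificate authentication must carry clientAuth."""
    return _check(cert, CLIENT_AUTH, "client")


def load_pem(path):
    """Load a PEM certificate from disk so the same checks run on a real ASA or client cert."""
    with open(path, "rb") as fh:
        return x509.load_pem_x509_certificate(fh.read())


if __name__ == "__main__":
    good = make_self_signed("vpn.example.net", [SERVER_AUTH])  # hypothetical host name
    wrong = make_self_signed("vpn.example.net", [CLIENT_AUTH])  # the wrong-EKU case from the bug
    print(check_gateway_cert(good))
    print(check_gateway_cert(wrong))
```

To test a certificate you already have, replace the generated ones with `load_pem("asa-id.pem")`; a certificate carrying both serverAuth and clientAuth passes both checks, which is what you want if one certificate serves both roles.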
-
Secure Gateway has refused the connection
Having a problem with the VPN returning this to end users. Have changed the cert map and other things but still get this message. Here's a copy of the CLI errors and configuration.
The exact error is:
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address
tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
tunnel-group SRHVPN webvpn-attributes
 authentication certificate
 group-alias SRHVPN enable
tunnel-group-map enable rules
tunnel-group-map default-group SRHVPN
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 3
 anyconnect profiles SRHVPN_client_profile disk0:/SRHVPN_client_profile.xml
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first [68]
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
 certificate-group-map CERT 10 SRHVPN
 application-type citrix-receiver default-tunnel-group SRHVPN
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value SR.VPN.donot.TS
group-policy GroupPolicy_SRHVPN internal
group-policy GroupPolicy_SRHVPN attributes
 wins-server value 10.10.10.253
 dns-server value 10.10.10.252
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value SR.VPN.donot.TS
 address-pools value SRHVPN
You have a DHCP server configured on the tunnel-group. That takes precedence for address assignment. The order of address assignment is AAA, then DHCP, then local.
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
I recommend you remove this configuration if you do not use a DHCP server.
Also, when DHCP assignment is in use, the ASA may disable local VPN address assignment. The setting is a hidden default, so you need "show run all" to see it. Like this:
ASA# sh run all | in vpn-addr
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
If you only use the local pool to assign IP addresses, the above is the configuration you need. If you need DHCP or AAA IP address assignment, enable it by adding the corresponding command.
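The precedence the answer above describes (AAA, then DHCP, then the local pool) and the hidden vpn-addr-assign switches are the kind of thing worth checking mechanically when a tunnel-group returns "no assigned address". The script below is an added example, not Cisco tooling and not from the thread: it parses an ASA configuration in the syntax shown above, works out which address sources are enabled, and flags a tunnel-group whose dhcp-server line will be tried before its address-pool, or whose configured source has been switched off. The embedded configuration is constructed to mirror the posted one; the default that all three sources are enabled unless a "no vpn-addr-assign" line appears is taken from the reply.

```python
"""Lint the address-assignment part of an ASA remote-access configuration.

Added example, not Cisco's code. It models the precedence described in the
thread (AAA, then DHCP, then local pool) plus the 'vpn-addr-assign' switches
that only 'show run all' reveals. Input is plain config text.
"""
import re

ASSIGN_ORDER = ("aaa", "dhcp", "local")  # the ASA tries sources in this order

# Constructed sample in the posted configuration's syntax (not the poster's full config).
POSTED_STYLE_CONFIG = """\
tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
tunnel-group SRHVPN webvpn-attributes
 authentication certificate
 group-alias SRHVPN enable
"""

# The corrected version the reply recommends: no dhcp-server, local pool only.
FIXED_CONFIG = POSTED_STYLE_CONFIG.replace(" dhcp-server 10.10.10.253\n", "") + (
    "no vpn-addr-assign aaa\n"
    "no vpn-addr-assign dhcp\n"
    "vpn-addr-assign local reuse-delay 0\n"
)


def assignment_sources(config_text):
    """Return the enabled address sources in precedence order.

    All three are enabled by default; a 'no vpn-addr-assign <src>' line disables one.
    """
    enabled = {src: True for src in ASSIGN_ORDER}
    for line in config_text.splitlines():
        m = re.match(r"\s*(no\s+)?vpn-addr-assign\s+(aaa|dhcp|local)\b", line)
        if m:
            enabled[m.group(2)] = m.group(1) is None
    return [src for src in ASSIGN_ORDER if enabled[src]]


def tunnel_group_blocks(config_text):
    """Map each tunnel-group name to the lines under its general-attributes block."""
    blocks = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"tunnel-group\s+(\S+)\s+general-attributes\s*$", line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())  # indented line belongs to the open block
        elif line.strip():
            current = None  # any other top-level command closes the block
    return blocks


def lint_tunnel_group(config_text, name):
    """Return (enabled sources, findings) explaining where a client address will come from."""
    attrs = tunnel_group_blocks(config_text).get(name, [])
    has_pool = any(a.startswith("address-pool") for a in attrs)
    dhcp_servers = [a.split()[1] for a in attrs if a.startswith("dhcp-server")]
    sources = assignment_sources(config_text)
    findings = []
    if "aaa" in sources:
        findings.append("AAA is tried first: an address returned by the AAA server "
                        "(e.g. RADIUS Framed-IP-Address) overrides DHCP and the local pool")
    if dhcp_servers and "dhcp" in sources:
        findings.append(f"DHCP ({', '.join(dhcp_servers)}) is tried before the local pool; "
                        "if that server does not answer, clients get 'no assigned address'")
    if dhcp_servers and "dhcp" not in sources:
        findings.append("dhcp-server is configured but 'no vpn-addr-assign dhcp' disables it")
    if has_pool and "local" not in sources:
        findings.append("address-pool is configured but 'no vpn-addr-assign local' disables it")
    usable = ("aaa" in sources
              or (dhcp_servers and "dhcp" in sources)
              or (has_pool and "local" in sources))
    if not usable:
        findings.append("no usable address source: every client will get 'no assigned address'")
    return sources, findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_STYLE_CONFIG), ("fixed", FIXED_CONFIG)):
        sources, findings = lint_tunnel_group(cfg, "SRHVPN")
        print(label, "sources:", sources)
        for f in findings:
            print("  -", f)
```

Feed it the output of "show run all" rather than "show run", otherwise the vpn-addr-assign lines are missing and the script assumes the defaults.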
-
AnyConnect 4.1 - cannot get the secure gateway configuration
So I have AnyConnect working on one ASA; however, on another ASA located in another country I get the following error:
"Unable to get the secure gateway configuration."
I get a prompt for the username and password and it seems to authenticate fine; however, at the 'checking for profile updates' step I get this error.
I have been comparing my two setups and they look identical.
Working ASA model: 5512 ver 9.1(4)
Not working ASA: 5510 ver 9.1(4)
Client version: 4.1.02011
Any ideas?
Thank you
Hello Kevin,
As far as I know, if there is no client profile configured on the ASA, the AnyConnect client software will use the default client profile, which is placed on the local computer (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) when the AnyConnect software is installed.
-
PCoIP tunnelling for Secure Gateway
Connection Server - 5.3.0-1427931
Security Server - 5.3.0-1427931
We are running a trial of VMware Horizon View, and I have problems with PCoIP tunnelling. According to our technical sales rep, the Security Server always tunnels, and the Connection Server can tunnel if you turn it on ('Use PCoIP Secure Gateway for PCoIP connections to desktop' under Connection Server > Edit). However, our experience contradicts that. With the default configuration, both internal (Connection Server) and external (Security Server) PCoIP connections try to connect directly to the guest VM/desktop over PCoIP. However, if I enable 'PCoIP Secure Gateway' on the Connection Server, then both the Security Server and the Connection Server begin to tunnel PCoIP traffic.
The goal is to tunnel everything from outside, with connections going directly to the VM guests from inside, but the only way I can see to do this is to stand up additional Connection (replica) servers. I have read the documentation (Installation/Administration guides), googled and watched training videos like mad, but no one seems to be able to explain it.
Your help is very appreciated.
OK, you need another broker.
Linjo
-
vSphere 5, vCSA, View Manager and Secure Gateway
Hello world
I need some advice...
A new vSphere 5 infrastructure:
3 HP ProLiant servers, each connected via iSCSI to external storage
VMware vSphere Essentials Plus Kit 5 (used for the server VMs, the main virtualization infrastructure)
VMware View 5 Premier add-on for virtualizing desktop machines
approx. 20 server VMs
approx. 10 desktop VMs
My questions:
For vCenter, I thought of using the vCenter Server Appliance (vCSA), which can be used for up to 5 hosts and 50 VMs, but for the View Manager that manages the desktop machines, what should I use?
Is there also a View Manager appliance?
Or do I need to install it on a separate Windows 2008 server?
Does it need to be a member of the Windows domain?
And for the VMware Secure Gateway?
Is there an appliance, or must it be installed on a separate Windows 2008 server?
When using the vCSA, do you need to have a domain controller on the network?
Thanks for your reply guys
No... vCenter and View Manager use 'ADAM', which is AD in user mode and is not compatible with an AD domain controller.
You need at least 3 Windows servers (1 AD DC + DNS + DHCP, 1 vCenter + Composer, 1 View Manager)
-
Problems with PCoIP secure Gateway
I am using View 4.6 and am faced with this configuration. Under "View Configuration", "Servers", then "View Connection Servers" it shows my connection server. In the PCoIP column it says no secure gateway is installed, which is true. See screenshot.
The problem arises in the settings of the connection server.
When I select my connection server, fill in the external URL for 'HTTP(S) Secure Tunnel' and uncheck 'Use Secure Tunnel connection to desktop', I can continue to use the internal connection server.
When I check the box and also check "Use PCoIP Secure Gateway for PCoIP connections to desktop", it works remotely but not internally. Also, the external URL for PCoIP is greyed out.
To sum up, I can get this to work for either internal or external use, but not both at the same time.
You can make this work with just a single Connection Server for both external and internal access, but it will mean that internal PCoIP is unnecessarily gatewayed through a Connection Server or Security Server.
It is best to dedicate Connection Servers to internal and to external access, so that internal PCoIP goes directly between the client and the virtual desktop.
There is a detailed description of this at http://communities.vmware.com/docs/DOC-14974, which includes a video detailing a View deployment configuration for internal and external access.
Select this option.
-
VMWare Security Gateway - Multi domain?
Hi all
I use NAT for a client and I need to publish my Security Gateway with another URL. Is this feasible?
And how do I do it? Can I add an additional line to the locked.properties file?
Thank you very much
David
Do you mean the external URL? If yes, then no!
Kind regards
Christoph
Don't forget to assign points if this answer was helpful for you.
Blog:
http://Communities.VMware.com/blogs/Dommermuth | http://www.thatsmyview.NET/
-
AnyConnect and connections to the secure gateway are not allowed
Hello
I'm trying to understand a problem I'm having with AnyConnect 2.5. After I connect to the SSL VPN portal and download and install the client, I get this message. Once the client installs I also have no network connectivity at all. Once I uninstall the client, Internet access and network connectivity are restored. It's obviously a config issue, but I cannot work out where I'm going wrong. I'm also unable to change the connection field, as it's locked down.
This happens because in your profile config file you set Always-On VPN connectivity. AC 2.5 and ASA 8.3 introduced the ability to enforce Always-On connectivity to provide more control and security on endpoints. This can be corrected by editing your profile or by an exception through DAP or an ASA group policy. I posted a link to the doc below. Please see the sections on Trusted Network Detection and Always-On VPN.
I hope this helps. Let me know if you have any other questions.
Thank you
Christopher
-
Teradici security gateway? !!
Has anyone heard anything about when it is coming?
Can't find it, but it's released in View 4.6 - which must mean I get the 10 points for a correct answer!
Here is a walkthrough: http://paulslager.com/?p=1300
Regards, Monberg
-
Hi, we recently changed one of our View connection servers by deselecting the PCoIP Secure Gateway setting and then using this server for internal connections to our virtual machines. For the most part we use zero clients and have no problem connecting from them to our desktops, but when trying to connect using the View software client from a desktop inside the network, we receive the error below.
As you can see above, our server has a proper cert. I found the following KB that seems to address my symptoms precisely. However, the KB seems to assume that we want the connection to use the secure gateway, which we don't. See below for the values in the ADAM database. As you can see, they are currently empty.
Considering that everything works fine with my zero clients, I'm reluctant to mess around with this setting to fix a few software clients. Can anyone suggest another option, or give any indication why this could happen?
Hi, in case this ever helps anyone else, I have solved this. I realised that we still had the box checked for HTTPS Secure Tunnel. After unchecking it, the View software client no longer throws errors and connects properly.