Secure tunnel
To get an understanding of the parameters inside View, I read the Administrator's guide. Under the View Connection Server settings there is "Tunnel secure HTTP(S)" and then a box for an external URL. Do both internet connections and LAN clients make use of this external address? The secure tunnel is checked in my setup and the external address is my connection server's full domain name, but I don't know if that is the default, or if someone in my department checked it.
-MN
The secure tunnel and "External URL" are used when you want to configure remote access to your View environment.
If your View clients and virtual desktops are on the same internal network, you don't need to use the secure tunnel or the PCoIP Secure Gateway, so the two options can be unchecked. Your View clients will then connect to a virtual desktop (via PCoIP or RDP) directly.
If you want to make your View environment accessible via the Internet, then you need these two options checked and you will need to configure and understand the use of the parameters "External URL" and "PCoIP External URL". The 3 steps for setting this up are described here http://communities.vmware.com/docs/DOC-14974 and there is also a video that explains this configuration in detail. It also has an example of how all these parameters are used in a remote access configuration.
I hope this helps.
Tags: VMware
Similar Questions
-
Hello
I installed a VPN tunnel between an ASA and a PIX. I want to implement security on the ASA or PIX so that specific remote endpoint IPs can access resources through the tunnel. Is it possible to block additional IP addresses?
Thank you
Amardeep
Please read this link; you can implement a VPN filter.
Thank you
Ajay
-
Hi all
I have configured VTI tunnel interfaces (ipv4 ipsec tunnel mode) and OSPF, which runs over them.
VTI encrypts all data traffic. But what about the OSPF traffic?
Is the OSPF traffic encrypted too, or do I need to configure OSPF authentication?
Thank you
The OSPF exchange is already encrypted inside the tunnel, so you don't have to use OSPF authentication. OSPF uses the tunnel IPs for communication, and traffic between these two addresses is possible only through the secure tunnel.
-
Hi Calyps0Craig,
Yes, I found a solution for this. In our case the issue was resolved by changing the NetScaler configuration.
In the past, we used SSL offloading and all protocols worked. It seems that with the new version of View, SSL offloading no longer works.
Changing the service and virtual server on ports 443 and 8443 from SSL to SSL_BRIDGE solved our problem.
Hope this helps you.
Best regards
Claudio
-
Hello
We have a mixture of zero clients and software clients, and I'm having a problem where the internal software clients seem to be tunnelling through the PCoIP Secure Gateway on the connection servers for internal connections, rather than connecting directly to the desktop. This works until we do maintenance on our connection servers, as the software clients are disconnected when we reboot a connection server.
In the example below, the top one is a software client, the bottom one is a zero client.
Our internal connection servers do not have "Use PCoIP Secure Gateway" checked, as shown below.
Does anyone have an idea why this happens? Can we change the behavior so that software clients don't tunnel through the connection servers, or is this the expected behavior?
We run View 5.1, Win 7 VMs with View Agent 5.1.
Thank you
The answer is in the screenshot you posted: nothing goes through the PCoIP Secure Gateway, but software clients always establish an HTTP(S) Secure Tunnel connection to the connection server. This is used for the channel framework (used for USB transport by software clients) and MMR, among other things. If you want true direct connections then this should also be disabled. Please see the administration guide for more details on this setting.
Mike
-
Problems with PCoIP Secure Gateway
I am using View 4.6 and am faced with this configuration. Under "View Configuration", "Servers", then "View Connection Server" it shows my connection server. The PCoIP column says no secure gateway is installed, which is true. See screenshot.
The problem arises in the connection server settings.
When I select my connection server, fill in the external URL for 'Tunnel secure HTTP(S)' and uncheck 'Use secure tunnel connection to desktop', I can continue to use the internal connection server.
When I check that box and also check "Use PCoIP Secure Gateway for PCoIP connections to desktop", it works remotely, but not internally. Also the PCoIP external URL is grayed out.
To sum up, I can get this to work for internal or for external use, but not both at the same time.
You can make this work with just a single connection server for both external and internal access, but it will mean that internal PCoIP is unnecessarily sent through the gateway on a connection server or security server.
It is best to dedicate connection servers to internal and to external access, so that internal PCoIP goes directly between the client and the virtual desktop.
There is a detailed description of this here http://communities.vmware.com/docs/DOC-14974, which includes a video detailing a View deployment configuration for internal and external access.
-
VMware View 4.6 PCoIP tunneling problem: UDP does not get tunneled
Hello, I have the "classic" black screen question.
When I try to connect to a virtual desktop, I am authenticated fine and I can select a desktop pool, but once the desktop is launching I just get a black screen and after a while it times out. I read the manuals and the document http://communities.VMware.com/docs/doc-14974 written by Mark Benson; watched the video; checked and re-checked the 3 magic steps;
read Paul Slager's blog http://paulslager.com/?p=1300 and I'm still stuck. I read (some of) the logs from the View Connection Server, View Security Server, View Client and View Agent.
None of the logs I read gave me any significant errors that would have solved this for me. Admittedly, in the 'full' logs (trace state) there's a lot that wasn't exactly clear to me. I have simplified our debugging environment to be as follows:
View Connection Server,
running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Connection Server 4.6.0-366101.
The checkboxes for both "HTTPS Secure Tunnel: Use secure tunnel connection to desktop" and "PCoIP Secure Gateway: Use PCoIP Secure Gateway for PCoIP connections to desktop" have been checked.
View Security Server,
running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Security Server 4.6.0-366101,
has been paired with the connection server and both "HTTPS Secure Tunnel: external URL" and "PCoIP Secure Gateway: PCoIP external URL" have been set to a virtual IP address in the firewall's external DMZ with a dst-NAT to the real IP address of the Security Server. The View clients are pointing to the virtual IP address of the View Security Server.
Since it is not a production environment, I installed Wireshark in a number of places to see the traffic;
I ran captures on the View Connection Server, View Security Server, View Client and the connected virtual desktop
at the same time and have verified that PCoIP TCP traffic on port 4172 is exchanged between my security server host <-> client and
security server <-> virtual desktop just fine. TCP traffic seems to be in the tunnel. But what bothers me is that Wireshark on the virtual desktop reveals that the virtual desktop is trying
to send port 4172 UDP traffic back directly to my View client host IP. Because this is not allowed by the firewall, the virtual desktop probably does not work... But all scenarios describe that the Security Server alone handles all PCoIP traffic with the View Agent (as shown in the Architecture documentation in Figure 5-6), so that no direct connection between the View Client and the View Agent is necessary... I can't get it to work. But it is possible, right?
Any ideas what I could be doing wrong?
Help really appreciated.
It works in the way that you described in your original post. There is no need for the virtual desktop to send UDP responses to the client. They will be sent to the Security Server, which will in turn forward them to the client.
Something must be configured incorrectly.
Check the UDP traffic in your Wireshark traces very carefully. From the client, you should see 4172 TCP to the VIP of your SS. You should then see 4172 UDP to the same VIP. You should see the UDP response data from the SS to the client. The destination UDP port for this response data must be the source port used for the UDP request. The source port for the response data must be 4172.
Then check your SS Wireshark trace. You should see the same client traffic and you should see a similar PCoIP conversation between the SS and the virtual desktop. To the virtual desktop, the SS looks like a client. PCoIP UDP must be sent to the SS when it is properly configured.
Client -- TCP 4172 --> SS -- TCP 4172 --> Virtual desktop
Client -- UDP 4172 --> SS -- UDP 4172 --> Virtual desktop
Client <-- UDP 4172 -- SS <-- UDP 4172 -- Virtual desktop (the 4172 here is the src port; the dst UDP port will be the source port of the UDP request packets above)
If you have verified that you can connect to the same virtual desktop with PCoIP then this problem will not be anything to do with the virtual desktop or View Agent etc.
Check your display settings, network, firewall and NAT.
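The trace checks in the answer above, turned into a small checker over flow records. This is an added example, not code from the thread or from VMware: the host names, ports and the two sample traces are constructed, and it flags the symptom from the question (the desktop sending PCoIP UDP straight to the client instead of back to the Security Server).

```go
package main

import "fmt"

// Flow is one packet direction pulled from a capture summary. The records
// below are constructed for this example; nothing here is Wireshark output.
type Flow struct {
	Proto            string // "TCP" or "UDP"
	Src, Dst         string
	SrcPort, DstPort int
}

// Hosts of the lab in the thread (constructed names, not real addresses).
const (
	client    = "view-client"
	ssVIP     = "security-server-vip"
	desktop   = "virtual-desktop"
	pcoipPort = 4172
)

// CheckGatewayPath applies the trace checks from the answer and returns one
// finding per deviation; an empty result means the gateway path looks right.
func CheckGatewayPath(flows []Flow) []string {
	var findings []string
	sawTCP, sawUDPReq, sawUDPResp, sawSSToDesktop := false, false, false, false
	reqSrcPort := 0 // source port of the client's UDP request, learned from the trace
	for _, f := range flows {
		toSS := f.Dst == ssVIP && f.DstPort == pcoipPort
		switch {
		case f.Proto == "TCP" && f.Src == client && toSS:
			sawTCP = true
		case f.Proto == "UDP" && f.Src == client && toSS:
			sawUDPReq, reqSrcPort = true, f.SrcPort
		case f.Proto == "UDP" && f.Src == ssVIP && f.Dst == client:
			sawUDPResp = true
			if f.SrcPort != pcoipPort {
				findings = append(findings, fmt.Sprintf("SS response src port %d, expected %d", f.SrcPort, pcoipPort))
			}
			if reqSrcPort != 0 && f.DstPort != reqSrcPort {
				findings = append(findings, fmt.Sprintf("SS response dst port %d, expected request src port %d", f.DstPort, reqSrcPort))
			}
		case f.Proto == "UDP" && f.Src == ssVIP && f.Dst == desktop && f.DstPort == pcoipPort:
			sawSSToDesktop = true
		case f.Proto == "UDP" && f.Src == desktop && f.Dst == client:
			// The symptom from the question: the agent bypasses the gateway.
			findings = append(findings, "desktop sends PCoIP UDP directly to the client: gateway bypassed")
		}
	}
	for _, c := range []struct{ ok bool; msg string }{
		{sawTCP, "no client->SS TCP 4172"},
		{sawUDPReq, "no client->SS UDP 4172"},
		{sawUDPResp, "no SS->client UDP response"},
		{sawSSToDesktop, "no SS->desktop UDP 4172 (desktop should see the SS as its client)"},
	} {
		if !c.ok {
			findings = append(findings, c.msg)
		}
	}
	return findings
}

// GoodTrace is the flow the answer expects; BrokenTrace is what the question describes.
func GoodTrace() []Flow {
	return []Flow{
		{"TCP", client, ssVIP, 50123, pcoipPort}, {"UDP", client, ssVIP, 50124, pcoipPort},
		{"UDP", ssVIP, desktop, 40001, pcoipPort}, {"UDP", desktop, ssVIP, pcoipPort, 40001},
		{"UDP", ssVIP, client, pcoipPort, 50124},
	}
}

func BrokenTrace() []Flow {
	return []Flow{
		{"TCP", client, ssVIP, 50123, pcoipPort}, {"UDP", client, ssVIP, 50124, pcoipPort},
		{"UDP", ssVIP, desktop, 40001, pcoipPort},
		{"UDP", desktop, client, pcoipPort, 50124}, // dropped by the firewall, never reaches the client
	}
}
```

Running `CheckGatewayPath(BrokenTrace())` reports the gateway bypass plus the missing SS-to-client response, which is exactly the pair of symptoms behind the black screen.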
-
Uninstalling programs... Should I or shouldn't I?
While trying to improve the performance of my PC, I pulled up the list of programs to see what I could uninstall. I noticed that there are programs that I do not recognize. They were as follows: Cisco LEAP module, Cisco PEAP module, Cisco EAP-FAST module. I don't know what they are for. Please help, before I do something irreversible.
Hello
Those are used for network authentication, so leave them installed.
LEAP (Lightweight Extensible Authentication Protocol) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows clients to re-authenticate frequently; on each successful authentication, clients acquire a new WEP key (with the hope that the WEP keys do not live long enough to be broken). LEAP can be configured to use TKIP instead of dynamic WEP.
http://en.Wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol
PEAP, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) in an encrypted and authenticated Transport Layer Security (TLS) tunnel. The goal was to correct deficiencies in EAP; EAP assumed a secure channel, such as that provided by physical security, so facilities for protecting the EAP conversation were not provided.
http://en.Wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposed by Cisco Systems as a replacement for LEAP.
http://en.Wikipedia.org/wiki/EAP-fast
I hope this helps.
Rob Brown - MS MVP - Windows Desktop Experience: Bike - Mark Twain said it right.
-
Issue with certificates for 802.1X authentication and X.509
Hello
Can someone please help me with the following question:
First off, I am a Windows Server/PKI/AD guy rather than a Cisco guy, even if I have a CCNA :)
I take care of the PKI for my company and will work with the Cisco team that is introducing Cisco's ISE; we will use X.509 certs on the supplicants (mainly Windows desktop/laptop computers).
What I want to know is something pretty basic, but I have not seen it written anywhere.
Question 1:
First of all, I guess the AAA (ISE) server is the entity that verifies the supplicant's X.509 certificate, rather than the AP (wireless access point or router, for example)? Is that correct?
Question 2:
As the supplicant's X.509 certificate is public (i.e. it is not secret and anyone can ask for it, which is normal), I guess the AAA server must encrypt a value (a random number, for example) with the supplicant's public key (from the X.509 cert), then send this value to the supplicant, which decrypts it with its private key (that no one else has, as usual). Then the supplicant encrypts the value with the AAA server's public key (which is held in the AAA server's announced X.509 cert) and sends it to the AAA server, and once the AAA server decrypts it (with its private key), if the value matches the value originally sent to the supplicant then the AAA server can continue with authentication etc.
Is the above assumption correct?
If the above is correct, does ISE always act like that, or can you lower the security and get the ISE server to just check whether it trusts the issuer of the supplicant's X.509 cert (CRL check OK) and not bother to send the encrypted packet as described above (this of course would not ensure that supplicant-1 is actually "supplicant-1")?
Thank you very much in advance
Ernie
Answers:
1 - Yes, ISE verifies the certificate presented by the end-user device (supplicant) against its trusted certificate authority store; you import the root and intermediate certificates into ISE where you use non-public CA servers (this is my case for EAP-TLS) or public ones such as Verisign, Entrust, etc. Unfortunately, ISE allows you only to have 1 cert for EAP use in the list (PEAP, EAP-TLS, etc.), which means that you cannot run EAP-TLS and PEAP on different SSIDs. The problem now is that Entrust, for example, uses an intermediate CA called Entrust L1K which is not included in the trust store of Apple and Win 7 devices. This causes a "certificate not trusted" warning on iPads, after which you need to trust this certificate, but for Win 7 devices the PEAP TLS tunnel setup will fail and the connection cannot be established unless you uncheck "VALIDATE SERVER" on Win 7 for this SSID profile.
2 - You can create a condition that validates the issuer cert, but the allowed protocol is EAP-TLS or PEAP, so the actual process for one of these protocols, based on my understanding, is as follows. For example, with PEAP, the TLS tunnel setup is the 1st step, so once the secure tunnel is configured the inner MSCHAPv2 + EAPOL exchange is performed and finally the data passes through the tunnel.
-
Is it possible to encrypt the data wirelessly between the hosts and the access point? We use TTLS and PEAP and thought that ALL data went through a secure tunnel, but it seems we are wrong and only the authentication process goes through the tunnel. Is there some way we can implement encryption? Thank you.
Implement WPA or WPA2; it will encrypt ALL data traffic between AP and client after authentication.
Master encryption keys are unique to each client, and change on every rekey, on roaming, and when the group composition changes (i.e., someone leaves/joins the AP).
Currently, the safest way is to implement WPA2-AES; WPA-TKIP is however still extremely secure (still not cracked, to the best of my knowledge) and has broader support for older clients.
-
PIX support for IPsec over UDP or TCP
Does the Cisco PIX 500 series firewall support IPsec over UDP or TCP so that the IPsec VPN secure tunnel can go through PAT and NAT? If so, how do I configure it? THX
Regards
Jeffrey
Hi Jeff,
The tentative date is around end of March 2003.
Kind regards
Arul
-
ASA (v9.1) Site-to-Site VPN with IKEv2 and MS CEP/NDES certificates
Hi all
I currently have a problem with a Site-to-Site VPN using IKEv2 and certificates as the authentication method.
Here is the configuration:
We have three locations with an any-to-any layer 2 connection. I configured each ASA (ASA5510, version 9.1) to establish one Site-to-Site VPN connection to each of the other two places. Setting this up with pre-shared keys, and with certificates that are signed manually by the MS CA administrator, works correctly.
But when we try to enroll these certificates through the CEP/NDES protocol it does not work.
Here are my steps:
1. configure the CA trustpoint to enroll with the certification authority
2. requesting the CA certificate through the SCEP protocol works fine
3. set up a trustpoint and a key pair for the S2S VPN connection
4. enrolling the identity certificate from the CA via the SCEP protocol with a one-time password works fine
5. set the created trustpoint as the S2S VPN IKEv2 authentication method.
Now I did the same for the other side of the VPN tunnel. But when I ping a host at a different location to bring up the VPN tunnel, the VPN session is not established. In the debugs I see that there are a few problems during authentication of the remote peer.
On the MS CA I see that the identity certificates for both ASAs are issued and not in revoked or pending state. The certificate is based on the "IPSec (Offline)" template.
When the CA admin issues me a certificate manually based on a copy of the "Domain Controller" template, the connection is successfully established.
So I would like to know which is the correct certificate template for IPsec peers to use with the CEP protocol and MS Enterprise CA (it's Microsoft Server 2008 R2 Enterprise)?
Has anyone done this before?
ASA requires that the local and remote certificates contain the EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP security tunnel termination). You can create a Microsoft CA template that adds it.
If you absolutely must go with the 'bad' cert, there is a command
ignore-ipsec-keyusage
but it is obsolete and not recommended.
Meanwhile at the IETF:
RFC 4809
3.1.6.3 Extended Key Usage
Extended Key Usage (EKU) indications are not required. The presence
or lack of an EKU MUST NOT cause an implementation to fail an IKE
connection.
-
Hello!
If a user located on the Internet uses the Horizon client via PCoIP to get his remote desktop, which URLs should I leave enabled and which can I disable?
Secure tunnel external URL, PCoIP external URL and Blast external URL.
The external URL is used for the secondary communications made between the client and the server. It is also used as a secure transport when you use RDP as the display protocol.
The PCoIP Secure Gateway is generally used when you have a security server deployed, or want to funnel all client traffic through a few IP addresses. With the PCoIP Secure Gateway enabled, all PCoIP traffic between the View Agent and the View client is channeled through the Security Server or the Connection Server. Without this setting enabled, clients and agents communicate directly with one another. The former is generally used in an environment with a firewall, while the latter is most commonly used for internal traffic only.
-
If I want both external (non-VPN) users and internal LAN users to access desktops from View, do I need to have a connection server dedicated to external users and another for internal users? Right now I have one Security Server/Connection Server pair and external connections work fine, but the internal connections do not. Do I have to bring up at least one replica connection server and change the HTTPS Secure Tunnel URL for internal users only?
Apparently, you don't need a connection server dedicated to internal users if you also have external users and a security server. I found this out during my troubleshooting. The security server's URL is configured in View Administrator with an external URL that can be resolved and reached externally, while the connection server's URL is configured in View Administrator with a URL that can be resolved and reached internally.
-
Restarting a View Connection Server: are connections disconnected?
I have one View Connection Server and one View Security Server. All connections are pointing at the View Security Server and both the HTTPS secure tunnel and the PCoIP secure gateway are checked on the View Connection Server settings page.
If I reboot the connection server, will this cut my active sessions? I do not think it should, as all connections are flowing through the Security Server, but I'm not sure.
Thank you
It should not affect users already logged in, but the web page will be down and unable to accept any new connections until the machine comes back up.