Security & server capacity RAM connection

Similar Questions

• See Security Server and direct connection

  I have a security server for my connections from the Internet. It works very well, accept when I activate "direct connection on the desktop. I found the following statement on this:

  If you bypass the secure connection, the client must establish a direct communication of RDP to the virtual machine desktop RDP (port 3389).

  That means I have to open 3389 (RDP) to the Internet if I want to use direct connections?

  If I disable the direct connections to get my security server doesn't work, I have to turn off on my login server. It is I understand that this means that if I reboot my connection to the server, all disconnected mode clients. Is there a way I can disable "Direct connections" to the Security Server, allowing access from the LAN?

  TIA.

  For a long time I had to face the problem then I hope I'm he transmit correctly.   Because you don't want to open 3389 to the internet, you must use indirect connections to the broker for users of security server connections.   This means that all connections made outside the LAN will be handled by the Security server.   If you need to restart the Security server that these connections were removed.   If you need to restart the broker to connect to security services server should not drop all connections, the external web page would become unavailable unless you also have internal customers using this broker for connections to how it would be mandated by the broker for connections and would be deleted.

  Simple solution is to have a dedicated connection, broker for the Security server that is configured in indirect mode and then have one or two brokers connection for internal users who are configured in direct connection mode.   As I have said for a long time I had to deal with this so please forgive me if I have nothing hidden.

  If you have found this device or any other useful post please consider the use of buttons useful/correct to award points

• Security server to slow Server Broker on the initial connection

  I'll open a ticket support as well but thought I would ask here.

  My network team assures me that all configurations are as they should be, and I tend to believe them.

  The problem is that after so many hours, if anyone has used the Security Server, the initial connection to a desktop computer may take up to 10 minutes.  There is an initial delay before the user is prompted credentials, then another delay before they are invited to choose their virtual machine.  Once they are connected, everything works fine.  Are they disconnect and reconnect immediately to the whole process takes 10 seconds.

  Our tracks seem to indicate that the Security Server tries to reuse an old connection through the firewall on the servers of broker.  He waits for this timeout and then establishes a new connection to how the process is accelerating.

  Can anyone provide any idea for this?

  I have experienced this same problem and opened a ticket, 1116381631, in case you want to reference it. The reasoning of that problem directly from VMware

  ' Nervous newspapers and e show the cause of the problem. " The fundamental issue is that common AJP connections that are used by the Security server to communicate with the broker for connections are closed on the network (not by the server security VDM or broker) If you are planning a period of time. »

  They had a fix available for VDM 2.1 and allegedly solved the problem in 3.01. I am currently on 3.01 and I have not seen the problem for some time. I hope this helps.

  If you have found this device or any other useful post please consider the use of buttons useful/correct to award points

• javaw.exe missing on view Security Server - view 6.2.1

  Hello

  I'm trying to associate a view Security Server with a connection to the server (point 6.2.1).  Both servers run Windows 2012 r2 and ran into a new error (for me anyway).

  I have install the matching password, and when I go to install the Security Server component, I get an error of coupling .  I can access the server from the server security with https connection and think that other DMZ Firewall rules are configured correctly.

  Looking through the papers, I find a mistake on not being javaw.exe is not a recognized command.  I drill down to the path of the log entry and find that javaw.exe is not where it seems expected.  It seems to be a dynamic path created by the installation process

  serverInstUtil : 18/12/15 10:15:11 lancement « « C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\unpack\program files\VMware View\Server\jre\bin\javaw.exe »-Dcom.vmware.vdi.orchestratorj.nativelib=ws_java_nativeNODEP-Djava.net.preferIPv4Stack=true-Djava.library.path="C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\unpack\program files\VMware View\Server\bin » -cp « C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\unpack\program files\VMware View\Server\sslgateway\lib\ * » ; «C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\unpack\program files\VMware View\Server\lib\ * «;» check the 8009 "C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\cache" com.vmware.vdi.tunnelpairing.XmlAjpClientNew 10.97.1.129 ".

  serverInstUtil: 18/12/15 10:15:11 Matching of Java SS returned cheque ' ' C:\Users\ADMINA~1\AppData\Local\Temp\{E9740BB3-641F-492D-8B76-802FA34C778F}~setup\unpack\program files\VMware View\Server\jre\bin\javaw.exe "' is not recognized as an internal or external command ".

  serverInstUtil: 18/12/15 10:15:11 ERROR: an unexpected error occurred while determining if advanced Security Server matching is supported

  I used this binary installer to install the server of connection corresponding without problem I've noticed so far.  I just downloaded the 6.2.1 installers yesterday (17/12/15) and the files are dated 08/12/15.   I have not found any related to the release notes for this version, or in the installation guide.

  I can certainly install java runtime and copy the files in place (although I do not know what version).

  Any suggestions or ideas?

  File this one, by virtue of be sure to double check...

  I have disabled UAC, re-directed the installer - the same error.

  I saw the event log and has detected an error (event ID 11335) MSIInstaller

  Product: VMware Horizon 6 connection Server - Error 1335. The file ' Replic ~ 1.cab ' required for this installation is damaged and cannot be used. This may indicate a network error, an error reading from the CD-ROM, or a problem with this package.

  It turns out that it was the MSI. When I have re-uploaded the file, it works beautifully.   I had just used this file 10 minutes before.  Will show measure twice... really does matter

  Save this here for others to avoid my mistake ;-)

• View Security Server installation issue 5.2

  I try to get my security server upward and running for 2 days now and continues to run into a brick wall.  I always get the following error:

  Error 28083.  Failed installation of IPsec. Please see the C:\users\...\...\vminst.log file for more details.  The journal reveals 'error: could not get a satisfactory response from the connection to the server after the installation of IPsec "

  In an effort to solve the problem, I welcomed the Windows Firewall on the Security Server and the connection to the server to allow all incoming connections.

  I checked that all the Back-End firewall configurations are correct and functioning as required.

  I scrolls http://communities.vmware.com/thread/405121?start=15 & tstart = 0 and made the changes recommended in this thread.

  When I remove completely all GPOS from the connection to the server, then I can successfully create the pairing between the server security and the connection to the server.

  Most of the people looks like it's a start for GPO setting to walk through them.  Well, I have several GPO that is applied in order to be compliant STIG.

  What I'm looking for is, can someone please point me in the right direction as to what the parameters might affect IPsec communication between the 2 boxes?

  Thanks for the help.

  After calling and by opening a ticket with VMware, it seems that I was able to successfully install the Security server.  After they looked through different GPO settings several that have been applied, I changed the setting below and has been able to correctly install after you run gpupdate/force on my login server.

  Options Configuration/policies/Windows Settings / Security Settings / Local Policies/Security / Cryptography system system cryptography: Use FIPS compatible algorithms for encryption, hashing, and signing

  My setting has been activated.  I changed it to disabled and it seemed to solve the current problem.

• RADIUS only on the Security Server?

  We have activated 2-factor by Ray and his excellent work. However now must also use 2-factor on internal connections on computers VDI. Is there a way to make the RADIUS only apply on the Security Server? We only want users outside to connect with Ray...

  I'm not totally it. You say you only want authentication RADIUS to be applied on the connections to the Security server used by remote users and internal users to authenticate with just AD?

  If so, the answer is Yes. Just have 2 servers connection, one for internal users and one for remote users (with a security server). A connection to the server is a standard instance and the other is a replica.

  Simply configure RADIUS server remote access connection.

  If I misunderstood the question, please let me know more information. Thank you.

  Mark

• VMware View Security Server DMZ

  Hello!

  We are currently developing a small installation of VMware View in our office as a CEP and I have a question about the server security and the need for the ports against customers.

  Our facility:

  (Active Directory and RADIUS) 2-factor authentication

  Front End FW

  Security on the DMZ server

  Backend FW

  Connection to the server

  The question I have is:

  4172TCP/UDP port 3389 be open from the Security server to customers?

  Is there no way of this tunnel since the Security server through the connection to the server on the inside?

  Thank you

  Kenth

  Hej Kenta.

  You are right, there is currently no way to tunnel on the dry-server and the connection broker using PCoIP, you can only create a tunnel through one.

  So that means you need to open TCP/UDP 4172 between dry-server and desktop computers-view.

  Joel

• Set up the RSA only for security server and not internally?

  Greetings,

  In the view Configuration > servers > Edit View connection servers > authentication, you can enable the RSA. However, I would like to use RSA for people who connect through the Security Server and not those who log internally.

  Does this mean that my only option is to add another view connection server and point the Security Server on this connection to the server on which I have activate the RSA?

  If so is not necessarily a problem, but it would mean, I have 3 servers of connection and server 1 safety for an environment of view rather small.

  Ideally, I was balancing these aswell which would mean 4 servers connection and 2 security servers. It is perhaps a little exaggerated, heh.

  Anyone know of an alternative solution?

  Thanks in advance!

  The way you describe it is the way to do it. The Security server is always associated with a connection to the server, so no way around it.

• View 4.6 and security server

  The Security Server and the connection must be in different local networks?

  I installed a DEMO, both for the same cause of LAN, there is no real DMZ there.

  Servers are 2008 r2 64-bit, I opened the 4172 ports and 443 to j.4 server,

  When clients connect to the connection to the server or the security gateway, they can connect to the virtual desktop, but trying to connect on the internet, there is a problem, the client can connect to the Security Server and enter the credentials, but trying to connect to the office virtual has a white screen and after a few seconds will appear an error message 'the connection to the remote computer has done '.

  Is this the same local network, which is the problem here? or something else that i'm missing?

  Another thing, the FW performed the NAT to the Security Server, in the fields of configuration to the Security Server, I put the public ip address.

  Thank you

  They can be on the same local network.

  You get the symptoms you see if you have not done all 3 installation steps correctly.

  Most people on this forum who suffer from what you see remedy through each of the 3 steps of Setup again very carefully.

  http://communities.VMware.com/docs/doc-14974

  Let us know who it was.

  Mark

• Requirements VMware View 5.1 Security Server RAM

  Hi all

  I understand that the view connection Server 5.1 needed at least 10 GB of RAM for the deployment of desktop 50 + and I also received this tip of the engineer to Support VMware to use at least 10 GB of RAM when installing the CS for the first time, then we later, the performance problem.

  Now, my question is how on the Security Server?

  Based on the VM docs, they all (CS, transfer, SS) must have the same hardware configuration, but I don't know about the Security Server why would he needs 10 GB of RAM. The CS needs a grand RAM size due to the Virtual Machine Java 2 GB but is SS has a JVM too?

  According to your experience, will be a 4 GB enough RAM for SS?

  Thanks for the comments!

  Server security uses the JVM too.

  At least 10 GB is recommended for the connection to the server (including the lines connect to the server and security server). See table 1-1 on page 8 here http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-installation.pdf

  Mark

• Cannot "connect as current user" via the Security Server

  Hello community,

  I had a problem using the "connect as current user" option against a network outside of the enterprise security server. Connection by manually keying in the name of user and password works very well from the outside the company network For internal connections using a connection to the server instead of security server, everything works as expected without having to manually type the name of user and password.

  Single domain

  Customer of the horizon is 3.5.2 and joined to a domain

  2 Security Server 6.2.1 x

  2 Server 6.2.1 connection x

  On one of the servers of connection I got the following error message when you try to connect through the horizon customer using the option "connection as the current user:

  2015 12-28 T 20: 21:15.207 + 01:00 INFO (B 0, 08 - 0E34) < ajp-nio-8009-exec-7 > [PAEContext] (SESSION: a774_ * _b2fb) Idle Timer executor by using 1 thread (s)

  2015 12-28 T 20: 21:15.625 + 01:00 ERROR (0744-0AEC) < MessageFrameWorkDispatch > [ws_winauth] [GSSApiProcessServerContext]: negotiate failed. Error 0 x 0000000080090300 (not enough memory is available to complete this form) {SESSION: a774_ * _b2fb}

  2015 12-28 T 20: 21:15.626 + 01:00 (B 0, 08-04 B 8) WARN < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) failed connection GSSAPI: not enough memory is available to complete this application

  2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) cannot close the context 7 36 d-*-00D 3 with the error: unable to locate the context requested

  2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiAuthFilter] (SESSION: a774_ * _b2fb) authenticate GSSAPI performance problem - GSSAPI_ERROR: GSSAPI failed: not enough memory is available to complete this application

  The connection to the server has 12 GB of memory in total and 9.5 GB of memory free/available.

  In the windows event log, the following error message appears:

  BROKER_USER_AUTHFAILED_GENERAL

  Failed to authenticate the user < UNAUTHENTICATED >

  Attributes:

  Node = hostnameofconnectionsserver.mydomain.com

  Gravity = AUDIT_FAIL

  Time = Mon 28 Dec 19:51:16 THIS 2015

  Module = broker

  UserDisplayName = < UNAUTHENTICATED >

  Source = com. VMware.VDI.Broker.filters.GssapiAuthFilter

  Recognized = true

  Just tried from a machine arrived in the area via the Security server. Cannot open a session as the current user. We also enabled on the external connections of MFA, but I don't think that should make a difference.

• Horizon view connection and security server matching

  Hello friends,

  I need some clarification on security and the matching server connection. If I understand well earlier in login server and security versions matching is one-to-one.

  Is this same behavior on the Horizon 6 as well? I can read that we can connect several Security Server single instance to connect to the server. But the reverse is possible yet? What are the combinations is achievable or supported?

  Documentation centre for Horizon 6 version 6.1

  still one by one,

  If you need high availability just add another server of connection and pair it with another security server

• Not able to connect with the Security Server

  Hello

  IM setting up a demo with view 6 environment, and when I try to connect locally on the servers of connection it works fine, but when I try to connect to the Security server fails with the image below.

  

  The Security server has 2 network cards, now in the DMZ and in production. I guess I should also be able to connect directly to the ip production, but the same error.

  We have disabled the firewall between dmz and prod for troubleshooting, but same problem.

  The image below is the Security Server, the addresses here are the ip 'internet', I guess it's true?

  

  The image below is the connection to server 1, the addresses here are internal, and is the FULL domain name, if it was "internet ip" instead?

  

  If I try on the spot to connect to the ip address of prod on security with internet server explorer, im able to connect, but when I select the office that it will fail "cannot display this page", then shows the 'internet' ip in the address field.

  I guess there is just something simple I've missed... hope you understand my question

  Thanks for the support.

  If you do not already have a look at this description of the display configuration, it covers remote access via security servers as well. Setting up remote access with a view PCoIP 4.6 and newer https://communities.VMware.com/docs/doc-14974

  I guess the fact that you can connect through the servers of connection that the URL you configured in the view administrator for servers in connection is a production local IP address/address?

  External security URL server is also an IP/address of DMZ / external can be solved?

• View the connections of the server to connect to the Security Server 5.2

  So, I wonder if it is anyway possible to not expose a subnet of office to the DMZ during the deployment of a security server?  I think remember me, there was a way to have the tunnel of security server all traffic through the connection to the server, but for the life of me, I can't seem to understand.

  Even in your previous PoC you should always have allowed some ports (PCoIP, RDP if use you it and the frame channel) from the server security for virtual offices. This has always been the case.

  The role of the Security Server is to protect exposure of desktop to the Internet. It provides a monitoring of protocols of the Internet (for example PCoIP) so make it succeed to check if the traffic is in the name of an authenticated user, and to ensure that if it is valid, it is transmitted over an office whose user is authorized to access. It is important to configure your internal firewall so that Office (PCoIP etc.) protocols can come only security servers. Then you give the required insurance. If such packets only packets UDP PCoIP arrive in your DMZ that are not on behalf of an authenticated user and then they are ignored in the DMZ without ever be passed in your data center. You know that all protocols for virtual desktops have been validated by the Security server.

  The Security server should also communicate with the login server and that's why you should also allow JMS, AJP13, and IPsec through. These should be only to the servers again only from servers to security and connection.

  You can always route the PCoIP packages through a proxy in your data center, but the security required inspection happens before that the Security Server so that eventually they can be thrown into the demilitarized zone.

  Mark

• After unchecking PCoIP gateway secure on the internal connection server, a certificate customers get software View error

  Hi, we recently changed one of our servers in connection view by deselecting the secure gateway PCoIP setting and then using this server for internal connections of our virtual machine. For the most part, we use zero clients and have no problem connecting on their part to our desktop computers, but when trying to connect by using the client software to view from an office inside the network, we receive the below error.

  

  As you can see above, our server has a proper cert. I found the following KB that seems to treat my symptoms precisely. However, the KB seems to assume that we want the connection to use the bridge safe, that we do. See below for the values in the ADAM database. As you can see, they are currently empty.

  

  Considering that everything works well my zero clients, I'm reluctant to mess around with this setting to correct a few clients software. Can anyone suggest another option, or give any indication why this could happen?

  Hi, in the case where this never helps anyone else, I have solved this. I realized that we still had the box for secure HTTPS Tunnel. After unchecking the software view client is more than survey errors and connects properly.