View Security Server + RDP

Can the Security Server 'proxy' RDP connections, or does it handle only PCoIP?

You can use RDP and PCoIP via the View Security Server. I'm moving this thread to the View Manager forum for better visibility.

Tags: VMware

Similar Questions

  • View Security Server network traffic

    Can someone clarify some confusion that I have with the View Security Server? I have looked at different diagrams of network ports and protocols, and I want to understand how network connectivity from outside to an internal network via a Security Server is managed.

    I know that a connection is initiated externally to the Security Server, and it is then passed to a Connection Server that authenticates the user and then allocates a desktop. At this point, the external client connects directly to the View desktop.

    However, I see some diagrams where the above happens, but the connection from the external client to the View desktop is managed by the Security Server.

    In the environment, running network traces, I see the first instance, with View desktops trying to communicate through the firewall to the external client. Currently, they are blocked by the firewall and connections are not established.

    How do other people see what is happening?

    You are right that the View Client connects to the View Security Server to authenticate, and this authentication traffic is passed to the View Connection Server, which manages the actual authentication (for Active Directory and possibly RSA SecurID, RADIUS, etc.). If this authentication is successful, then the desktop protocol traffic is allowed through the Security Server. Any desktop protocol traffic that is not on behalf of an authenticated user is blocked. As the Security Server is usually deployed in a DMZ, it provides protection for virtual desktops and RDS hosts to make sure they are not exposed directly to the Internet.

    It is possible to configure the View Security Server so that it does not act as the gateway for this desktop protocol traffic, but when it is used to provide remote access from the Internet, it is recommended that the desktop protocols go through the Security Server in order to obtain this protection.

    The desktop protocols include PCoIP, Blast, redirect RDP, ROR, USB, remote printing, etc.

    There is a description of remote access to View environments here, which covers traffic flows: https://communities.vmware.com/docs/DOC-14974

    If you have set things up to route desktop protocols via the Security Server, you may still see the first attempts from the virtual desktop to send PCoIP UDP packets directly to the client, but you don't need to be concerned about those. As soon as the PCoIP server component on the virtual desktop sees incoming UDP packets from the Security Server, it sends the reply UDP datagrams to the Security Server and everything will work as expected.

    I hope this helps.

    Mark

  • Using RDP via the Security Server and PCoIP internally

    Sorry about the long title, but I'm having a few configuration issues.  I created a pool of virtual machines for users to use on the local network and from an external location.  The "Protocol of remote display" is set to PCoIP and 'Allow the user to choose the Protocol' is set to Yes, as shown in the screenshot below:

    protocol.jpg

    When using View on the local network, all is fine.  PCoIP is used and everything is nice and fast.  If I ask a user to connect externally using the Security Server, I have to ask the user to change the default protocol from PCoIP to RDP, as it is the only protocol supported.  Asking users to configure things themselves has led to many calls to the helpdesk!

    Can anyone offer any advice on how to have a pool set up for RDP and PCoIP depending on?

    Thank you

    Stuart

    This topic was discussed recently, about a month ago, and unfortunately not.

    As the Security Server for this version only supports RDP, I believe (if PCoIP is defined as the default) the user will be automatically switched between RDP and PCoIP when connected via the Security Server.

  • View Security Server and direct connection

    I have a Security Server for my connections from the Internet. It works very well, except when I activate "direct connection to the desktop". I found the following statement on this:

    If you bypass the secure connection, the client must establish a direct RDP connection to the desktop virtual machine (port 3389).

    Does that mean I have to open 3389 (RDP) to the Internet if I want to use direct connections?

    If I disable direct connections to get my Security Server to work, I have to turn them off on my Connection Server. As I understand it, this means that if I reboot my Connection Server, all clients are disconnected. Is there a way I can disable "Direct connections" for the Security Server, while allowing access from the LAN?

    TIA.

    It has been a long time since I had to deal with this problem, so I hope I am conveying it correctly.   Because you don't want to open 3389 to the Internet, you must use indirect connections on the broker for users connecting through the Security Server.   This means that all connections made from outside the LAN will be handled by the Security Server.   If you need to restart the Security Server, these connections will be dropped.   If you need to restart the broker that serves the Security Server, it should not drop the connections; the external web page would become unavailable, unless you also have internal clients using this broker, as their connections would be proxied by the broker and would be dropped.

    The simple solution is to have a dedicated connection broker for the Security Server that is configured in indirect mode, and then have one or two connection brokers for internal users that are configured in direct connection mode.   As I said, it has been a long time since I had to deal with this, so please forgive me if I have missed anything.


  • Is an extra license required for View Security Server?

    Hi, we have a VMware Academic View 4 Premier bundle. Does this cover the configuration of a View Security Server, or is an additional license needed?

    Thank you

    Robert

    No additional license is required for View Security Server. It is included in the general View license.

    Mark

  • View 4.5 Security Server problems since installing SSL certificate

    I'm having some very strange problems with my View Connection Server 4.5 (front and back) running. I hope someone could shed some light on the problem, because I have tried everything I know to make this work properly.

    Before installing a new self-signed certificate on the external connection server, I was running the default VMware certificate. Everything worked very well in this configuration. I installed a new self-signed certificate and now I'm having intermittent problems connecting to the server:

    1. When connecting from a Windows machine I CAN reach the site URL over HTTP to download the View Client. Once I run the View Client I get the following error: failed to connect to the View server. Network error.

    2. I tried to connect via the IP address of the server, and ensured that the external URL is correct (everything worked fine before the installation of the SSL certificate).

    3. Completely removed the Security Server and reinstalled it, restarted the services, etc. Still cannot connect from some machines. Connecting from a Wyse-compatible iPad still works, never a problem.

    4. If I connect to the company VPN on the machine that does not work, then launch the View Client and connect, everything works as it should. When I disconnect the VPN and try to connect again, I can connect just fine! So I need to connect to the VPN first in order to connect... it's really weird. I checked DNS etc. and everything is identical to the setup with the default certificate. I made sure that the machines that have problems trust the certificate, and I also followed the Cisco ASA firewall logs; I do not see anything different happening between the periods when it works and when it does not.

    Has anyone ever experienced something along these lines, or can think of anything I can try?

    Thank you!

    I came across this same thing.  The conflict is between the View Client and your new self-signed SSL certificate.  More precisely, the thing causing the problem is the version of the wininet.dll file provided with IE8.  The wininet.dll file provided with IE8 causes some kind of conflict with the View Client 4.5 (if using an SSL certificate other than the server-generated one) and will not allow the View Client 4.5 software to connect to your Security Server.  I reported this to VMware (2 weeks ago) so they should be aware of the problem.

    If you remove your new SSL certificate and return to the one created by the View server, then everything works perfectly again.  If you are using an XP machine with IE6 or IE7, or remove IE8, it also works very well.  I tried taking the wininet.dll file from an XP SP3 IE6 machine and restoring this file after installing IE8, and everything seemed to work OK, but it is probably not the best solution.

    The bottom line is that until VMware resolves the conflict with their View Client, you may not use any SSL certificate (other than the server's own) if you are going to connect with Windows machines running IE8 or newer.

  • View Security Server with smart card auth

    Guys, I'm at a bit of a standstill with my Horizon 6 deployment and I am hoping to get assistance.  I have a Connection Server running on the 10.0.244.x network, which works very well with smart card authentication.  I have a Security Server in the DMZ, which connects to the Connection Server on the allowed ports, and that seems fine.  However, I cannot connect to the Security Server (which is on the 172.14.x.x network, just for reference) via the smart card.  I just get the error "smart card authentication is required."  I'm forcing smart card authentication, so the error is not wrong, but I can't understand what prevents the Security Server from passing the smart card credentials to the Connection Server.  I have cut and pasted excerpts from the logs below, which I hope will help:

    Security Server:

    2016 01-26 T 14: 17:23.180 - 06:00 DEBUG (0 B 20-1340) < pool-1-wire-13 > [PooledProcessor] SSL handshake exception for /10.0.211.180:4708, error was: a received fatal alert: certificate_unknown

    2016 01-26 T 14: 17:24.258 - 06:00 DEBUG (0 B 20 - 16 4) < HandshakeCompletedNotify-wire > [PooledProcessor] using the Protocol Secure TLSv1.2 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 on encryption

    2016 01-26 T 14: 17:24.321 - 06:00 DEBUG (0 B 20 - 0A7C) < Thread-34 > [SimpleAJPService] (ajp:broker:Request37) request for /10.0.211.180: POST/broker/xml

    2016 01-26 T 14: 17:24.368 - 06:00 DEBUG (0 B 20 - 0D9C) < AJP-18 > [SimpleAJPService] (ajp:broker:Request37) response 200 OK [close]


    When I had this problem, I had not set up the locked.properties file on the Security Server.  I also made the mistake of not showing file extensions in Windows Explorer, so while it looked like locked.properties, it was actually locked.properties.txt.

  • Problem with USB auto connect with clients that connect through the Security server...

    Running VMware View 5.0.1 with 2 Connection Servers and a Security Server. When clients connect directly to the Connection Server, the USB connection works very well... users can use their USB drives and other devices with their VM. The problem occurs when they attempt to use their USB devices when brokered through the Security Server.

    I know that port 32111 (TCP) must be open between the Security Server and the Connection Server, but even after doing so it still does not work... clients just get the scrolling "initializing" message in the desktop's USB menu.

    Our current setup is:

    External IP address -> DMZ (Security Server) -> Connection Server

    We entrust our firewall configuration to our ISP (we are not overloaded with technical people here, it's just me, so little things like this help my workload). They are certainly not incompetent (or at least were not in the past). I had to open port 32111 from the external IP to the DMZ, then from the DMZ to our Connection Server that is used for external connections. Everything about VMware View works perfectly for the clients that connect this way, except USB devices.

    One thing I wonder is whether our having a dedicated VLAN configuration for View clients affects this at all. I'm trying to keep track of which ports are open on our firewall for my records, but I do not see where I explicitly opened ports from the internal side of the Security Server to our internal network. Does port 32111 need to be opened directly from the internal side of the Security Server to the VMware View clients?

    The firewall guys tell me that they have checked over and over that port 32111 is open throughout. They also said that they tried to telnet to port 32111 on our Security Server and got nothing back (they should have gotten garbage at least, according to them).

    Any idea of the next steps to take? It is obviously a blocked port, I just have no idea why at this stage.

    I know that port 32111 (TCP) must be open between the Security Server and the Connection Server, but even after doing so it still does not work

    This is not what is needed. The agent is listening on port 32111; you must open the firewall to allow connections from the Security Server to the desktop on port 32111 (the same way you must allow RDP and PCoIP).

    Mike

  • NAT device between Security Server and Connection Manager - View 4.6

    Hi all

    I'm trying to deploy a View 4.6 environment, with a View Security Server in the DMZ.

    The DMZ is an entirely NAT'ed and isolated network (single firewall, 3-leg configuration; GB-2000 is the model of the firewall).


    At this point, just trying to get RDP to work with this configuration.

    The firewall configuration is as follows:

    - Security Server IP - 10.1.1.49/24

    - Alias created for the View Connection Server - 10.1.1.100 (NAT IP)

    - NAT tunnel (with ports 8009 and 4001) created between the View Connection Server alias and the Connection Server's real IP 10.2.2.229

    - Alias created for the View desktop - 10.1.1.101 (NAT IP)

    - NAT tunnel (with port 3389) created between the View desktop alias and the View desktop's real IP 10.2.2.239

    I can RDP directly from the Security Server to the View desktop (via the 'alias' IP 10.1.1.101) correctly.

    I can connect successfully from the internal network (via the desktop's real IP 10.2.2.239).

    When I try to connect via the Security Server (from the outside) I get the initial connection to the Connection Manager, and I choose the pool to connect to. However, I'm unable to start a desktop session. The error I get is "the desktop is currently not available".

    In the event logs on the Connection Manager server I see that the real IP (10.2.2.239) is used to connect to the View desktop, which will not work in this scenario (the 10.1.1.101 alias should be used).

    Has anyone deployed a View Security Server in this scenario?

    Thanks in advance!

    Not sure if it works or not, but there is a GPO that changes the rules to connect using the DNS name.  Does the DNS name return the correct value, the one you need to connect to?

  • How can I be informed when entering and leaving a site with a secure server

    I can't find where to set the option for this. I could on Firefox 3.6.
    Firefox 3.6 gives me a pop-up that says I'm entering or leaving a site with a secure server. It's under SETTINGS in the Warning Messages on the Security tab in the Options window. When you push the SETTINGS button, a number of checkboxes allow for different settings. I can't find it in Firefox 8.

    The settings for the 5 Warning Messages have been removed from the Security section in Firefox 4 and newer versions. These settings should be accessible through about:config now. So you're looking for the first and the third in the list below, "Old settings in Firefox 3.6 on the Security panel".

    See: http://kb.mozillazine.org/About:config

    1. Type about:config in the URL bar and press the Enter key.
    2. If you see a warning, accept it (promise to be careful).
    3. Filter = security.warn_
    4. Double-click the pref in the lower panel of the about:config display to toggle it to true or false according to the descriptions below (scroll down to security.warn to see these particular preferences).

    Old settings in Firefox 3.6 on the Security panel

    Display a warning dialog when:

    • I'm about to view an encrypted page
      • Pref: security.warn_entering_secure
    • I'm about to view a page that uses low-grade encryption
      • Pref: security.warn_entering_weak
    • I leave an encrypted page for one that is not encrypted
      • Pref: security.warn_leaving_secure
    • I submit information that is not encrypted
      • Pref: security.warn_submit_insecure
    • I'm about to view an encrypted page that contains unencrypted information
      • Pref: security.warn_viewing_mixed


    Not related to your question, but...

    You may need to update some plug-ins. Check your plug-ins and update if necessary:

  • One of my View Security Servers shows as "unknown" in the View Administrator dashboard

    Hello

    One of my View Security Servers (Horizon View 5.2) shows as UNKNOWN in the View Administrator dashboard.

    I tried rebooting the said server and restarting the services; still no luck.

    The said server is accessible via RDP and the services are running.

    Can someone help me on this?

    This problem has been resolved by disabling Windows NLB in the network adapter settings.

    We used Windows NLB long back for the security servers; recently we removed Windows NLB from the View security servers and placed them behind F5 load balancing.

    Not sure why, but for some reason the Windows Network Load Balancing service became active. I disabled it and the problem was solved.

  • After the upgrade to 6, the security server does not change its listening port

    Came across a weird situation where, after upgrading a security server to 6.1.0-2509221, it does not change the listening SSL port. During the upgrade, it was not on the standard SSL port.

    It was initially configured to listen on 444 before the upgrade. After the upgrade, I tried to go back to 443 and `netstat -ban` shows that it is listening on port 444.

    I double-checked the config.properties file and there is no entry for serverPort, and the configuration shows 443 in View Administrator.

    - Re-applying the configuration via the web page: no change, still listening on 444.

    - Restarting the security server service: no change, still listening on 444.

    - Restarting the server: no change, still listening on 444.

    - Statically setting serverPort = 443 in config.properties: still listening on 444.

    All ports are verified open, 443 and 444, so I think I could have hit a bug. Does anyone else have security servers that listen on non-standard SSL ports?

    A complete reinstallation of the security server is planned, changing the listening port to 443, but I shouldn't have to do that.

    You checked config.properties, but did you check in locked.properties for the port setting, to see if it was moved there before or during the upgrade? locked.properties overrides all the configuration settings.
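The override described in that reply, as an added example (not VMware's code and not part of the thread): a small resolver that reports which file supplies `serverPort` and which keys in config.properties are shadowed by locked.properties. The file contents are constructed, and the parser handles only the simple `key=value` / `key:value` form.

```python
def parse_properties(text):
    """Parse simple Java-style .properties text (key=value or key:value) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut < 0:
            props[line] = ""                    # bare key with no value
        else:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def effective(key, config_text, locked_text):
    """Return (value, source); a key in locked.properties wins over config.properties."""
    for source, text in (("locked.properties", locked_text),
                         ("config.properties", config_text)):
        props = parse_properties(text)
        if key in props:
            return props[key], source
    return None, "not set in either file"


def shadowed(config_text, locked_text):
    """Keys set in both files with different values: the config.properties edit has no effect."""
    config, locked = parse_properties(config_text), parse_properties(locked_text)
    return {k: (config[k], locked[k])
            for k in config.keys() & locked.keys() if config[k] != locked[k]}


# Constructed file contents reproducing the situation in the thread.
CONFIG = "# edited by hand after the upgrade\nserverPort = 443\n"
LOCKED = "serverPort=444\n"

if __name__ == "__main__":
    print(effective("serverPort", CONFIG, LOCKED))   # which file decides the port
    print(shadowed(CONFIG, LOCKED))                  # edits that are being ignored
```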

  • Security server certificates and naming

    Hello

    I am creating a security server to test some of the features of Horizon. My question is about the certificates. I want to keep it as secure as possible. If the name of the security server is different from the external URL, will this cause issues with the certificate? So my server would be, say, S132985SV1 and my external URL is access.amazingcompany.com. Would View be OK with a different external certificate name (the name on the certificate would be the URL, which would be different from the name of the physical server)? Or will I have to name the security server the same as my external URL 'access.amazingcompany.com' for the certificate to work properly?

    Thank you

    It is a very common configuration.

    The idea here is that the external name is the one on the certificate. This way the View Client can validate it as trusted.

    In this case, you create a regular certificate issued for the external name and add the security server's short name and full DNS name to the same certificate's SAN (Subject Alternative Name).

    In short, a certificate with the external name as the common name, with the security server's names added to the certificate's SAN fields.

    For more details, please see:

    https://pubs.VMware.com/horizon-view-60/topic/com.VMware.ICbase/PDF/horizon-view-60-scenarios-SSL-certificates.PDF

    See you soon,

    JesusM
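A way to check such a certificate's name coverage before deploying it, as an added example that is not part of the thread: it takes a dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and applies the RFC 2818 / RFC 6125 rule that the common name is consulted only when the certificate has no DNS SAN entries. That the client in use follows this rule is an assumption, both certificates are constructed, and `s132985sv1.corp.example` is a made-up internal FQDN.

```python
def dns_sans(cert):
    """DNS entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values from the subject (a tuple of RDNs, each a tuple of pairs)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def covers(cert, host):
    """True if a client applying the SAN-first rule would accept `host`."""
    sans = dns_sans(cert)
    candidates = sans if sans else common_names(cert)   # CN is a fallback only
    return any(name_matches(p, host) for p in candidates)


def uncovered(cert, hosts):
    """Names clients will use that the certificate does not cover."""
    return [h for h in hosts if not covers(cert, h)]


# Names from the thread plus one constructed internal FQDN.
NAMES = ["access.amazingcompany.com", "S132985SV1", "s132985sv1.corp.example"]

# Constructed: external name only in the CN, server names in the SAN.
EXTERNAL_IN_CN_ONLY = {
    "subject": ((("commonName", "access.amazingcompany.com"),),),
    "subjectAltName": (("DNS", "S132985SV1"), ("DNS", "s132985sv1.corp.example")),
}
# Constructed: external name repeated in the SAN next to the server names.
EXTERNAL_IN_SAN = {
    "subject": ((("commonName", "access.amazingcompany.com"),),),
    "subjectAltName": (("DNS", "access.amazingcompany.com"), ("DNS", "S132985SV1"),
                       ("DNS", "s132985sv1.corp.example")),
}

if __name__ == "__main__":
    print(uncovered(EXTERNAL_IN_CN_ONLY, NAMES))
    print(uncovered(EXTERNAL_IN_SAN, NAMES))
```

Under that rule, a certificate that gains SAN entries for the server names stops covering the external name unless the external name is listed in the SAN as well.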

  • View Connection Server to Security Server connections (5.2)

    So, I wonder if it is in any way possible to not expose a desktop subnet to the DMZ when deploying a security server? I seem to remember there was a way to have the security server tunnel all traffic through the connection server, but for the life of me, I can't seem to figure it out.

    Even in your previous PoC you would always have had to allow some ports (PCoIP, RDP if you use it, and the framework channel) from the security server to the virtual desktops. This has always been the case.

    The role of the Security Server is to protect desktops from exposure to the Internet. It inspects the protocols coming from the Internet (for example PCoIP) so that it can check whether the traffic is on behalf of an authenticated user and ensure that, if it is valid, it is forwarded to a desktop that the user is authorized to access. It is important to configure your internal firewall so that desktop protocols (PCoIP etc.) can come only from security servers. That gives you the required assurance. If packets such as PCoIP UDP packets arrive in your DMZ that are not on behalf of an authenticated user, then they are dropped in the DMZ without ever being passed into your data center. You know that all protocol traffic to the virtual desktops has been validated by the Security Server.

    The Security Server must also communicate with the Connection Server, which is why you should also allow JMS, AJP13, and IPsec through. Again, these should be allowed only between the security servers and the connection servers.

    You can always route the PCoIP packets through a proxy in your data center, but the required security inspection happens before that, on the Security Server, so that they can be dropped in the DMZ if necessary.

    Mark
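The firewall requirement in that reply, as an added example that is not part of the thread: an audit over a constructed list of allow rules on the DMZ-to-internal firewall, flagging any rule that lets desktop protocols or the JMS/AJP13 channels in from a source other than a security server. The addresses and rule names are made up, the port numbers are the usual defaults and are an assumption about the deployment, and IPsec is left out for brevity.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the thread).
SECURITY_SERVERS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
CONNECTION_SERVERS = [ipaddress.ip_network("10.10.0.20/32")]
DESKTOPS = [ipaddress.ip_network("10.20.0.0/16")]

# Default ports assumed: PCoIP 4172 TCP/UDP, RDP 3389 TCP, JMS 4001 TCP, AJP13 8009 TCP.
DESKTOP_PROTOCOLS = {("tcp", 4172), ("udp", 4172), ("tcp", 3389)}
BROKER_PROTOCOLS = {("tcp", 4001), ("tcp", 8009)}

# Constructed allow rules: (name, source, destination, proto, port).
RULES = [
    ("ss1-pcoip-udp", "192.0.2.10/32", "10.20.0.0/16", "udp", 4172),
    ("ss2-rdp", "192.0.2.11/32", "10.20.0.0/16", "tcp", 3389),
    ("dmz-wide-pcoip", "192.0.2.0/24", "10.20.0.0/16", "tcp", 4172),
    ("ss1-jms", "192.0.2.10/32", "10.10.0.20/32", "tcp", 4001),
    ("dmz-ajp13", "192.0.2.0/24", "10.10.0.20/32", "tcp", 8009),
    ("dmz-web", "192.0.2.0/24", "10.30.0.5/32", "tcp", 443),
]


def only_from(source, allowed):
    """True when every address in `source` falls inside one allowed network."""
    return any(source.subnet_of(net) for net in allowed)


def touches(destination, protected):
    """True when the rule's destination overlaps a protected network."""
    return any(destination.overlaps(net) for net in protected)


def audit(rules):
    """Return (rule name, reason) for allow rules that bypass the security servers."""
    findings = []
    for name, src, dst, proto, port in rules:
        source, destination = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if only_from(source, SECURITY_SERVERS):
            continue                      # traffic the security server has validated
        if (proto, port) in DESKTOP_PROTOCOLS and touches(destination, DESKTOPS):
            findings.append((name, "desktop protocol allowed from a non-security-server source"))
        elif (proto, port) in BROKER_PROTOCOLS and touches(destination, CONNECTION_SERVERS):
            findings.append((name, "JMS/AJP13 allowed from a non-security-server source"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```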

  • View 5.2 Security Server installation issue

    I have been trying to get my security server up and running for 2 days now and keep running into a brick wall.  I always get the following error:

    Error 28083.  Failed installation of IPsec. Please see the C:\users\...\...\vminst.log file for more details.  The log shows "error: could not get a satisfactory response from the connection to the server after the installation of IPsec"

    In an effort to solve the problem, I opened the Windows Firewall on the security server and the connection server to allow all incoming connections.

    I checked that all the back-end firewall configurations are correct and functioning as required.

    I went through http://communities.vmware.com/thread/405121?start=15&tstart=0 and made the changes recommended in this thread.

    When I completely remove all GPOs from the connection server, I can successfully create the pairing between the security server and the connection server.

    Most people seem to say that the GPO settings are the place to start and to walk through them.  Well, I have several GPOs that are applied in order to be STIG compliant.

    What I'm looking for is: can someone please point me in the right direction as to which settings might affect IPsec communication between the 2 boxes?

    Thanks for the help.

    After calling and opening a ticket with VMware, it seems that I was able to successfully install the security server.  After they looked through the several GPO settings that had been applied, I changed the setting below and was able to install correctly after running gpupdate /force on my connection server.

    Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    My setting was Enabled.  I changed it to Disabled and it seemed to solve the problem.
