VMWare Security Gateway - Multi domain?

Hi all

I use NAT for a client and I need to publish my Security Gateway under another URL. Is this feasible?

And how to do it? Can I add an additional line in the locked.properties file?

Thank you very much

David

Do you mean the external URL? If yes, then no!

Kind regards

Christoph

Don't forget to assign points if this answer was helpful for you.

Blog:

http://Communities.VMware.com/blogs/Dommermuth | http://www.thatsmyview.NET/


Similar Questions

  • vSphere 5, vCSA, View Manager and Secure Gateway

    Hello everyone,

    I need some advice...

    A new vSphere 5 infrastructure situation:

    3 HP ProLiant servers, each connected via iSCSI to external storage
    VMware vSphere Essentials Plus Kit 5 (used for the server VMs) as the main virtualization infrastructure
    VMware View 5 as a first add-on for virtualizing desktop machines
    approx. 20 server VMs
    approx. 10 desktop VMs

    My questions:
    For vCenter I thought of using the vCenter Server Appliance (vCSA), which can be used for up to 5 hosts and 50 VMs,
    but for the View Manager that manages the office machines, what should I use?
    Is there also a View Manager appliance?
    Or do I need to install it on a separate Windows 2008 Server?
    Does it need to be a member of the Windows domain?
    And for the VMware Secure Gateway?
    Is there an appliance, or must it be installed on a separate Windows 2008 Server?
    When using the vCSA, must you have a domain controller on the network?
    Thanks for your reply, guys

    No... vCenter and View Manager use 'ADAM', which is AD in user mode and is not compatible with an AD domain controller.

    You need at least 3 Windows servers (1 DC with AD + DNS + DHCP, 1 vCenter + music, 1 View Manager)

  • Secure gateway problem

    I have a problem connecting through the Secure Gateway.

    The following error occurs when accessing the environment's content using the Secure Gateway:

    - The environment has 2 Secure Gateway servers (load balanced using a Fortigate)
    - The Secure Gateway servers are configured to run the Connection Broker and RDP proxy using the same IP address
    - It is configured to use an SSL wildcard certificate

    I cannot successfully use pntsc (from the outside) and retrieve the desktop settings (on the Secure Gateway).

    The client is configured as below (the same FQDN is used that matches the wildcard cert).

    The proxy for the Connection Broker and the proxy for the RDP traffic use the same IP and port, which is accessible from the outside, because I can successfully connect to the broker through the Secure Gateway. What could be the problem with the RDP proxy part? Specific parameters for the Fortigate?

    The desktop services bridge shows this at the time of the error:

    10:56:19 - 2924:2772 - security [972] context OK
    10:56:19 - 2924:2772 - SSL handshake ok [972]
    10:56:19 - 2924:2772 - [972] given Extra after the SSL handshake
    10:56:19 - 2924:2772 - [972] reading data, 569 bytes
    10:56:19 - 2924:2772 - client full ticket, broker auth required = true
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket timeout = 300, connect the window = 15
    10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: CTicketCache::handleConnectMsg returned 3
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket not found in the cache, with broker ticket validation...
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: successfully validated the ticket
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: after validating, call the addTicketAfterValidateIf returned 4
    10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket added, connection was not possessed or current thread added to the owners, after validation
    10:56:19 - 2924:2772 - CProxyThread::ConnectToServer [816]: disable the nagle algorithm
    10:56:19 - 2924:2772 - * Handle to Thread [972 816] 00000478, Id 00000ad4
    10:56:19 - 2924:2772 - Start [972 816]: 9:56:19.112 08/01/2014
    10:56:19 - 2924:2772 - [972 816] NL, XXXX, XXX, XXX XX XXXX, XXXX, XXXX, Wildcard SSL, *. [email protected], of 10.3.72.32:3389
    10:56:29 - 2924:2772 - Server [972 816] Recv 0
    10:56:29 - 2924:2772 - [972] CTicketCache::handleProxyEnd returned 10
    10:56:29 - 2924:2772 - [972 816] proxy's client 0 bytes, 0 bytes Server
    10:56:29 - 2924:2772 - Server SSL channel cleaning [972]
    10:56:29 - 2924:2772 - [972] 37 bytes of handshake data sent
    10:56:29 - 2924:2772 - [972] 0000 15 03 01 00 20 4 b 5 a: 96 c2 e0 a6 e5 1 7 a 1 d 89... K.Z.... z...
    10:56:29 - 2924:2772 - [972] finished cleaning.
    10:56:29 - 2924:2772 - end of thread [972 816].

    Any clues?

    For people with the same problem: we managed to make it work using the Source IP Hash option in the Fortigate.

    Thanks Andrew for the fast support!
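    Reading a proxy log like the one above by hand is error-prone when a load-balanced pair produces one of these per failed session. The following Python script is an added example, not part of the original thread and not code from the gateway product: it groups the log lines by proxy thread id, records whether the ticket came from the local cache or had to be validated by the broker, sums the bytes each leg carried, and flags sessions whose server leg never returned data. It assumes only the line layout visible above (`HH:MM:SS - pid:tid - message` with `[thread]` or `[thread server]` tags); the sample lines embedded in it are copied from the post.

```python
import re

# Sample input: lines copied from the Secure Gateway log quoted in the post above.
SAMPLE_LOG = """\
10:56:19 - 2924:2772 - SSL handshake ok [972]
10:56:19 - 2924:2772 - client full ticket, broker auth required = true
10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket not found in the cache, with broker ticket validation...
10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: successfully validated the ticket
10:56:19 - 2924:2772 - CProxyThread::ConnectToServer [816]: disable the nagle algorithm
10:56:19 - 2924:2772 - Start [972 816]: 9:56:19.112 08/01/2014
10:56:29 - 2924:2772 - Server [972 816] Recv 0
10:56:29 - 2924:2772 - [972 816] proxy's client 0 bytes, 0 bytes Server
10:56:29 - 2924:2772 - end of thread [972 816].
"""

# Line layout assumed from the post: "HH:MM:SS - pid:tid - message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) - \d+:\d+ - (.*)$")
# "[972]" tags the proxy thread, "[972 816]" the proxy thread plus its server leg
TAG_RE = re.compile(r"\[(\d+)(?: (\d+))?\]")
BYTES_RE = re.compile(r"client (\d+) bytes, (\d+) bytes Server")
RECV_RE = re.compile(r"Server \[\d+ \d+\] Recv (\d+)")


def _seconds(hhmmss):
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _new_session():
    return {"first": None, "last": None, "server_leg": None,
            "ticket_cache_miss": False, "validated": False,
            "server_recv": None, "client_bytes": None, "server_bytes": None}


def triage(log_text):
    """Group proxy log lines by proxy thread id and assess each session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        tag = TAG_RE.search(msg)
        if not tag:
            continue  # e.g. the "client full ticket" line carries no thread tag
        sid, server_leg = tag.groups()
        s = sessions.setdefault(sid, _new_session())
        if s["first"] is None:
            s["first"] = _seconds(ts)
        s["last"] = _seconds(ts)
        if server_leg:
            s["server_leg"] = server_leg
        if "ticket not found in the cache" in msg:
            s["ticket_cache_miss"] = True   # validated by the broker, not locally
        if "successfully validated the ticket" in msg:
            s["validated"] = True
        recv = RECV_RE.search(msg)
        if recv:
            s["server_recv"] = int(recv.group(1))
        counts = BYTES_RE.search(msg)
        if counts:
            s["client_bytes"], s["server_bytes"] = (int(x) for x in counts.groups())

    findings = []
    for sid, s in sorted(sessions.items()):
        # "[816]" on the ConnectToServer line is a server leg, not a proxy session
        if not s["validated"] and s["client_bytes"] is None:
            continue
        if (s["validated"] and s["server_recv"] == 0
                and s["server_bytes"] == 0 and s["client_bytes"] == 0):
            verdict = "dead-backend-leg"   # ticket was fine, RDP leg carried nothing
        elif s["validated"]:
            verdict = "ok"
        else:
            verdict = "not-validated"
        findings.append({"session": sid, "server_leg": s["server_leg"],
                         "duration_s": s["last"] - s["first"],
                         "ticket_cache_miss": s["ticket_cache_miss"],
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run stand-alone it reports one finding for proxy thread 972: the ticket was not in this gateway's cache and had to be validated via the broker, the session then sat for ten seconds with zero bytes in either direction. Seen across many sessions on only one of two load-balanced gateways, that pattern is consistent with the fix the poster reported, source-IP persistence on the Fortigate so that a client's broker and RDP legs reach the same gateway.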

  • PCoIP Tunneling for secure gateway

    Connection Server - 5.3.0-1427931

    Security Server - 5.3.0-1427931

    We are running a trial of VMware Horizon View, and I have problems with PCoIP tunneling. According to our technical sales representative, the Security Server always tunnels, and the Connection Server can tunnel if you turn it on ('Use PCoIP Secure Gateway for PCoIP connections to desktop' under Connection Server > Edit). However, our experience contradicts this. With the default configuration, external (via the Security Server) and internal (via the Connection Server) PCoIP connections both try to connect via PCoIP directly to the guest VM/desktop. However, if I enable 'PCoIP Secure Gateway' on the Connection Server, then both the Security Server and the Connection Server begin to tunnel PCoIP traffic.

    The goal is to tunnel everything from the outside, with connections from inside going directly to the guest VMs, but the only way I can see to do this is to stand up additional (replica) Connection Servers. I have read the documentation (Installation/Administration guides), googled and watched training videos like mad, but no one seems to be able to explain it.

    Your help is very much appreciated.

    OK, you need another broker.

    Linjo

  • Best practices to configure NLB for Secure Gateway and Web access

    Hi team,

    I'm setting up vWorkspace and looking for guidance on best practices for NLB with Web Access and Secure Gateway. My hosting environment is Hyper-V 2012 R2.

    My first question is whether NLB must be configured first and then the role set up, or vice versa.

    Do we have any best-practice document for configuring NLB with a 2-node Web Access server?

    Hello

    This video series was created for 7.5 and 2008 R2 but should still be valid for what you are doing today:

    https://support.software.Dell.com/vWorkspace/KB/87780

    Thank you, Andrew.

  • work around the internal security gateway and the same url for web access external and internal

    1 Quest broker role
    1 Secure Gateway with the Web Access role
    1 Terminal Server

    I configured the default gateway with the security rule parameter "vworkspace security gateway".
    I created a custom rule with the value 172.16.1.177 (it's my internal Windows 7 client).
    When I navigate to the internal URL (the Secure Gateway server's FQDN) I bypass it (tsdebug shows no sslgateway).

    But now I want to use 1 URL for internal and external, typing the same URL.
    Now when I navigate to the external URL from the internal machine with the above IP I always go through the Security Gateway; I see an SSLGateway.

    Hi Erik,

    I think that this has been fixed in our latest version 8.5 - documents.software.dell.com/DOC252107

    Please download and upgrade your farm and let us know if you still see this problem.

    If you do, it may be best to log a service request so that we can see exactly what is happening.

    Thanks, Sam

  • VPN could not establish a connection to the security gateway

    My VPN connection worked, but now after several hours I cannot connect.

    My LAN works. (Windows Server 2003)

    The app:

    Cisco Systems VPN Client

    The error message:

    Opening TCP to 209.189.224.138, port 10000...

    Communicating with the gateway to 209.189.224.138...

    Cannot establish a connection to the security gateway.

    What could be the problem?

    Thank you

    Greg

    Hi Greg,

    In the properties of the tunnel -> transport mode, click IPsec over UDP and try to connect... I think that, right now, you connect via TCP 10000.

    Regards

    REDA

  • AnyConnect 3.1 - the certificate on the secure gateway is not valid

    Hi guys,

    I have a problem with AnyConnect 3.1.01065.

    When I try to connect I get "The certificate on the secure gateway is not valid. A VPN connection can be established."

    The certificate is a self-signed cert.

    AnyConnect 2.5 works without problems.

    ASA image: 8.4(2).

    [27.11.2012 15:58:27] Ready to connect.

    [27.11.2012 16:01:49] Contact IP_WAN.

    [27.11.2012 16:01:52] Please enter your username and password.

    [27.11.2012 16:02:01] User credentials entered.

    [27.11.2012 16:02:02] Establish the VPN session...

    [27.11.2012 16:02:03] Checking for updates to profile...

    [27.11.2012 16:02:03] Checking for updates...

    [27.11.2012 16:02:03] Checking for updates of customization...

    [27.11.2012 16:02:03] Execution of required updates...

    [27.11.2012 16:02:08] Establish the VPN session...

    [27.11.2012 16:02:08] Setting up VPN - initiate the connection...

    [27.11.2012 16:02:09] Disconnection in progress, please wait...

    [27.11.2012 16:02:13] Connection attempt failed.

    Has anyone had this problem before?

    Thank you very much.

    Hello Cristian,

    Please see this:

    Bug details CSCua89091
    The local certificate authority must support the EKU and other necessary attributes

    Symptom:
    The local CA on the ASA server currently does not support attributes like the EKU. This enhancement request is to add support for this. Workaround:
    Configure the cert in the client profile

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

    And the following:

    DOC: AnyConnect requires specific Extended Key Usage attributes in the cert

    Symptom:
    When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to "Server Authentication", then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have "Client Authentication", otherwise the ASA will reject it. Conditions:
    Use an ID certificate on the ASA with an EKU other than "Server Authentication"
    Use an ID certificate on the client that has an EKU other than "Client Authentication".

    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

    So at this point, you need to set up the corresponding certificate or use an earlier version of the AnyConnect client.

    HTH.

    Please rate all useful posts

  • Secure Gateway has refused the connection

    Having a problem with VPN sending this back to the end users. Have changed the cert map and other things but still get this message. Here's a copy of the CLI errors and configuration.

    The exact error is:

    The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address

    tunnel-group SRHVPN type remote-access
    tunnel-group SRHVPN general-attributes
     address-pool (outside) SRHVPN
     address-pool SRHVPN
     default-group-policy GroupPolicy_SRHVPN
     dhcp-server 10.10.10.253
    tunnel-group SRHVPN webvpn-attributes
     authentication certificate
     group-alias SRHVPN enable
    tunnel-group-map enable rules
    tunnel-group-map default-group SRHVPN
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 3
     anyconnect profiles SRHVPN_client_profile disk0:/SRHVPN_client_profile.xml
     webvpn_file_encoding.c:webvpn_get_file_encoding_db_first [68]
     anyconnect enable
     tunnel-group-list enable
     tunnel-group-preference group-url
     certificate-group-map CERT-MAP 10 SRHVPN
     type of tunnel-group SRHVPN default citrix receiver application
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     default-domain value SR.VPN.donot.TS
    group-policy GroupPolicy_SRHVPN internal
    group-policy GroupPolicy_SRHVPN attributes
     wins-server value 10.10.10.253
     dns-server value 10.10.10.252
     VPN - connections 3
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     default-domain value SR.VPN.donot.TS
     address-pools value SRHVPN

    You have a DHCP server configured on the tunnel-group. That would take preference for address assignment. The order of address assignment is AAA, DHCP and then local.

    tunnel-group SRHVPN general-attributes
     address-pool (outside) SRHVPN
     address-pool SRHVPN
     default-group-policy GroupPolicy_SRHVPN
     dhcp-server 10.10.10.253

    I recommend you remove this configuration if you do not use a DHCP server.

    Also, when assigning by DHCP, the ASA may disable local VPN address assignment. The default is a hidden command, so you need "show run all" to see it. Like this:

    ASA# sh run all | in vpn-addr
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local reuse-delay 0

    If you only use the local pool to assign IP addresses, the above would be the configuration you need. If you need DHCP or AAA IP address assignment, activate the parameter by adding the command.

  • Host multi-domain phone Cisco C2960-mode does not go to the field of voice

    Hello world

    I'm working on deploying dot1x across our company. I'm stuck on configuring Cisco phones to go into the correct VLAN when the multi-domain host-mode option is used. I tried on two C2960 switches with two different images. No matter what I do, the phone goes into domain DATA and is unable to connect to the network, most likely because it is in the wrong VLAN. ISE shows the port as authenticated and MAB works very well. When I set up stream host-mode, the phone gets the correct VLAN and can get onto the network.

    Here is what I use:

    • C2960S-48-i/s-L with C2960S-UNIVERSALK9-M or if C2960 with c2960-lanlitek9 - tar.150 - 2.SE7
    • Phone Cisco 7960 and 7962
    • ISE 1.3.0.876

    Here is the current port configuration:

    interface GigabitEthernet1/0/1
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 703
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

    Here is the output of show authentication sessions interface Gig1/0/1:

    MAC Address: 0013.1a58.xxxx
    IP Address: Unknown
    User-Name: 00-13-1A-xx-xx-xx
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: in
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: 5400s (local), Remaining: 5384s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: 0AF301450000000C001F3391
    Acct Session ID: 0x00000010
    Handle: 0x0400000D

    Thanks for your help.

    Looks like you're missing the device class = attribute in your voice authz profile.

  • AnyConnect 4.1 - cannot get the secure gateway configuration

    So I have AnyConnect working on one ASA; however, on another ASA located in another country, I get the following error:

    "Unable to get the secure gateway configuration."

    I get a prompt for the username and password and it seems to authenticate fine; however, at the 'checking for profile updates' step I get this error.

    I was comparing my two setups and they look identical.

    Working ASA model: 5512 ver 9.1(4)

    Non-working ASA: 5510 ver 9.1(4)

    Client version: 4.1.02011

    Any ideas?

    Thank you

    Hello, Kevin.

    As far as I know, if there is no client profile configured on the ASA, the AnyConnect client software will use the default client profile, which is placed on the local computer (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) when installing the AnyConnect software.

  • MAB authentication fails on the port of multi-domain: dead result of authentication "server."

    Hi all

    First of all, I have little experience with configuring Cisco switches (about half a year now), but I have read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and ran into something strange. Currently, only MAB is required by my employer.

    Switch = 3560G-48, IOS version 12.2(55)SE1

    RADIUS = FreeRADIUS (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235 a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    RADIUS response (for the full reply see the attached RADIUS-response.txt):

    Sending Access-Accept of id 98 to 10.1.1.207 port 1645
        Cisco-AVPair = "Tunnel-Type=VLAN"
        Cisco-AVPair = "Tunnel-Medium-Type=802"
        Cisco-AVPair = "Tunnel-Private-Group-ID=7"
        Cisco-AVPair = "Tunnel-Preference

    So that is an Access-Accept with a data VLAN assignment.

    Debug on the switch:

    001776: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
    001777: *Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
    001779: *Mar 1 09:27:35.606: mab : initial state mab_initialize has enter
    001780: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Sent create new context event to EAP for 0x2200000F (MACAddress)
    001781: *Mar 1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: *Mar 1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
    001783: *Mar 1 09:27:35.606: mab : during state mab_initialize, got event 1(mabContinue)
    001784: *Mar 1 09:27:35.606: @@@ mab : mab_initialize -> mab_authorizing
    001785: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
    001786: *Mar 1 09:27:35.614: mab-ev(Gi0/29): Received an Access-Reject for 0x2200000F (MACAddress)
    001787: *Mar 1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: *Mar 1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
    001789: *Mar 1 09:27:35.622: mab : during state mab_authorizing, got event 5(mabResult)
    001790: *Mar 1 09:27:35.622: @@@ mab : mab_authorizing -> mab_terminate
    001791: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Deleted credentials profile of 0x2200000F (dot1x_mac_auth_MACAddress)
    001792: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMGR for MACAddress
    001793: *Mar 1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: *Mar 1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: *Mar 1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, yet the switch treats it as an Access-Reject and considers RADIUS dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, dynamic VLAN assignment can be achieved using the IETF RADIUS attributes according to this link:
    http://Tools.Cisco.com/Squish/d1791

    or using the cisco-av-pair according to this link:
    http://Tools.Cisco.com/Squish/8Bd61

    As for FreeRADIUS using the cisco-av-pairs: can you please activate the following debugs on the switch and reproduce the problem with a client authentication attempt:
    debug radius
    debug authentication all
    debug authentication feature all

    Following the client authentication event, also provide the following switch output:
    show authentication sessions interface

    I have come across problems concerning the case of the cisco-av-pair. For example, VLAN assignment works using the case-sensitive lowercase "tunnel-private-group-id(#81)=vlanid" instead of "tunnel-private-group-ID(#81)=vlanid".

    When testing with "tunnel-private-group-ID(#81)=vlanid", I get the error:

    RADIUS/DECODE: parse unknown cisco vsa "tunnel-private-group-ID" - FAIL

    So per the 2nd link, with the changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the debug/show output above, which will shed light on the problem.

    Thank you
    Alex
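    Both this thread and the C2960 voice-domain thread above come down to what the authenticator actually finds in the Access-Accept. The following Python module is an added example, not part of either thread and not FreeRADIUS or Cisco code: it encodes and decodes the IETF tunnel attributes Alex's first link relies on (Tunnel-Type 64, Tunnel-Medium-Type 65 and Tunnel-Private-Group-ID 81 with the RFC 2868 tag octet, using the RFC 3580 values VLAN=13 and IEEE-802=6) and the Cisco Vendor-Specific attribute (vendor 9, sub-type 1, cisco-av-pair). The av-pair `device-traffic-class=voice` is the one Cisco documents for placing a device in the voice domain; the decoder's parsing of cisco-av-pair text is exact-match only, mirroring the case sensitivity Alex reports rather than any documented switch behaviour.

```python
import struct

# RADIUS attribute numbers (RFC 2865, RFC 2868) and the RFC 3580 VLAN values
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor sub-type of cisco-av-pair inside the Cisco VSA


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype, tag, number):
    # RFC 2868 tagged integer: Tag(1) + 3-byte big-endian value
    return _attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_str(atype, tag, text):
    # RFC 2868 tagged string: Tag(1) + text
    return _attr(atype, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute (vendor 9)."""
    payload = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload
    return _attr(VENDOR_SPECIFIC, vsa)


def build_vlan_accept(vlan_id, voice=False, tag=1):
    """Attribute bytes for an Access-Accept that assigns a VLAN (and optionally the voice domain)."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    if voice:
        attrs += cisco_avpair("device-traffic-class=voice")
    return attrs


def parse_attrs(buf):
    """Split raw attribute bytes into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        out.append((atype, buf[i + 2:i + alen]))
        i += alen
    return out


def _untag(value):
    """RFC 2868: a first octet above 0x1F is data, not a tag."""
    return (value[0], value[1:]) if value[0] <= 0x1F else (None, value)


def describe_accept(buf):
    """What an 802.1X/MAB authenticator would act on in these Access-Accept attributes."""
    info = {"vlan": None, "tunnel_type": None, "medium": None,
            "voice": False, "avpairs": []}
    for atype, value in parse_attrs(buf):
        if atype == TUNNEL_TYPE:
            info["tunnel_type"] = int.from_bytes(_untag(value)[1], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            info["medium"] = int.from_bytes(_untag(value)[1], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            info["vlan"] = _untag(value)[1].decode()
        elif atype == VENDOR_SPECIFIC and int.from_bytes(value[:4], "big") == CISCO_VENDOR_ID:
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad VSA length")
                if vtype == CISCO_AVPAIR:
                    pair = value[j + 2:j + vlen].decode()
                    info["avpairs"].append(pair)
                    if pair == "device-traffic-class=voice":   # exact match only
                        info["voice"] = True
                j += vlen
    return info


if __name__ == "__main__":
    accept = build_vlan_accept(7, voice=True)
    print(accept.hex())
    print(describe_accept(accept))
```

    Run stand-alone it prints the hex of the attribute bytes for VLAN 7 plus the voice-domain av-pair, and the decoded view (`vlan` "7", `tunnel_type` 13, `medium` 6, `voice` True). Comparing that decoded view with a packet capture of your own RADIUS server's reply is a quick way to confirm that the attributes are really sent as tagged IETF attributes rather than as text inside a cisco-av-pair, which is the distinction the two links in the reply above are about.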

  • VMware Security Advisory VMSA-2016-0001 on "shared folders".

    So, I just received this notice from VMware in my inbox, and I don't understand how this is related to ESXi. I am aware of shared folders when you are working with Fusion and Workstation VMs, I've done that, but since when is that a feature in ESXi? If it is there, it has escaped me all these years of working with the core infrastructure products...

    Can someone please shed some light on how this advisory affects VMs running on ESXi and how to use this shared functionality with virtual machines running on ESXi.

    I do not see in the specific bulletin that you would need to have the full version of VMware Tools installed in the virtual machine, but still, I have not heard of this with ESXi and vCenter... and I cannot find instructions on how to configure it with virtual machines running on ESXi.

    Bulletin details are below:

    - ------------------------------------------------------------------------

    VMware Security Advisory

    Advisory ID: VMSA-2016-0001
    Synopsis: VMware ESXi, Workstation, Player and Fusion updates address important guest privilege escalation vulnerability
    Issue date: 2016-01-07
    Updated on: 2016-01-07 (initial advisory)
    CVE number: CVE-2015-6933

    1. Summary

    VMware ESXi, Fusion, Player and Workstation updates address an important guest privilege escalation vulnerability.

    2. Relevant releases

    VMware ESXi 6.0 without patch ESXi600-201512102-SG
    VMware ESXi 5.5 without patch ESXi550-201512102-SG
    VMware ESXi 5.1 without patch ESXi510-201510102-SG
    VMware ESXi 5.0 without patch ESXi500-201510102-SG
    VMware Workstation prior to 11.1.2
    VMware Player prior to 7.1.2
    VMware Fusion prior to 7.1.2

    3. Problem description

    a. Important Windows-based guest privilege escalation in VMware Tools

    A kernel memory corruption vulnerability is present in the VMware Tools "Shared Folders" (HGFS) feature running on Microsoft Windows. Successful exploitation of this issue could lead to an escalation of privilege in the guest operating system.

    VMware would like to thank Dmitry Janushkevich of the Secunia Research team for reporting this issue to us.

    Note: This vulnerability does not allow for privilege escalation from the guest to the host operating system. Host memory cannot be manipulated from the guest operating system by exploiting this vulnerability.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6933 to this issue.

    Workarounds

    Removing the "Shared Folders" (HGFS) feature from already installed VMware Tools removes the possibility of exploitation.

    Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

    VMware        Product   Running   Replace with/
    Product       Version   on        Apply Patch *
    ===========   =======   =======   =================
    ESXi          6.0       ESXi      ESXi600-201512102-SG *
    ESXi          5.5       ESXi      ESXi550-201512102-SG *
    ESXi          5.1       ESXi      ESXi510-201510102-SG *
    ESXi          5.0       ESXi      ESXi500-201510102-SG *
    Workstation   12.x.x    any       not affected
    Workstation   11.x.x    any       11.1.2
    Player        8.x.x     any       not affected
    Player        7.x.x     any       7.1.2
    Fusion        8.x.x     OSX       not affected
    Fusion        7.x.x     OSX       7.1.2

    Hello

    This seems to be a problem with VMware Tools, which contains the HGFS driver. Even if it does not work on ESXi, if the virtual machine is migrated to a non-ESXi system and HGFS is enabled then HGFS would have the problem. The other controls ESXi has do not affect the fact that HGFS has a problem. It's one of the reasons the Hardening Guide says to turn it off in any case.

    Best regards
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009-2015

    Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Server Virtualization Deployment', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC - vSphere Upgrade Saga - Virtualization Security Round Table Podcast
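    The moderator's point is that the HGFS server is something the Hardening Guide tells you to switch off at the VM level regardless of this advisory. The following Python script is an added example, not part of the thread and not VMware tooling: it parses `.vmx` key/value lines, reports guest-isolation settings that are absent or not set as expected, and rewrites the text with the expected values. The HGFS key `isolation.tools.hgfsServerSet.disable` is the Hardening Guide setting for the Shared Folders server; the copy/paste keys are neighbouring isolation settings included as an assumption about what such an audit would also check. The sample `.vmx` fragment is constructed for the example.

```python
import re

# Constructed sample .vmx fragment (not from the page); only the isolation.* keys matter here.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "win7-hgfs-test"
isolation.tools.hgfsServerSet.disable = "FALSE"
isolation.tools.copy.disable = "TRUE"
'''

# Expected values. The hgfsServerSet key is the Hardening Guide switch for the
# Shared Folders (HGFS) server; the copy/paste keys are assumed extra checks.
EXPECTED = {
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
}

# A .vmx line is   key = "value"   ; anything else (comments, blanks) is ignored
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_vmx(text, expected=EXPECTED):
    """Return (key, current, expected) for every setting that is absent or not as expected."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in expected.items():
        have = cfg.get(key)
        if have is None:
            findings.append((key, "missing", want))
        elif have.upper() != want:          # vmx booleans are written TRUE/FALSE
            findings.append((key, have, want))
    return findings


def harden(text, expected=EXPECTED):
    """Rewrite the .vmx text so that every expected key carries its expected value."""
    kept = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if not (m and m.group(1) in expected):
            kept.append(line)               # keep all unrelated settings untouched
    kept.extend(f'{key} = "{value}"' for key, value in expected.items())
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, have, want in audit_vmx(SAMPLE_VMX):
        print(f"{key}: is {have}, expected {want}")
    print(harden(SAMPLE_VMX))
```

    Run stand-alone it reports the HGFS server left enabled and the paste setting missing, then prints the rewritten fragment. On a real host the same checks can be run over every `.vmx` on a datastore; on ESXi the rewritten file takes effect only after the VM is reloaded, which is a constraint of the platform rather than of this script.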

  • Secure Gateway

    Hello

    We have a mixture of zero clients and software clients, and I'm having a problem where the internal software clients seem to be tunnelling through the PCoIP Secure Gateway servers for internal connections, rather than connecting directly to the desktop. This works until we do maintenance on our Connection Servers, as software clients get disconnected when we reboot a Connection Server.

    In the example below, the top one is a software client, the bottom is a zero client.

    Sessions.png

    Our internal Connection Servers do not have "Use PCoIP Secure Gateway" checked, as shown below.

    Connection Server.png

    Does anyone have an idea why this happens? Can we change the behavior so that software clients don't tunnel through the Connection Servers, or is this the expected behavior?

    We run View 5.1, Win 7 VMs with View Agent 5.1.

    Thank you

    The answer is in the screenshot you posted - nothing goes through the PCoIP Secure Gateway, but software clients always establish an HTTP(S) Secure Tunnel connection to the Connection Server. This is used for the channel framework (used for USB transport for software clients) and MMR, among other things. If you want real direct connections then this should also be disabled. Please see the Administration Guide for more details on this setting.

    Mike

  • Problems with PCoIP secure Gateway

    I am using View 4.6 and faced with this configuration. Under "View Configuration", "Servers", then "View Connection Server" it shows my Connection Server. The PCoIP column says no secure gateway is installed, which is true. See screenshot

    View-Admin1.jpg

    The problem arises in the settings of the Connection Servers.

    When I select my Connection Server and fill in the external URL for 'Secure HTTP(S) Tunnel' and uncheck 'Use secure tunnel connection to desktop', I can continue to use the internal Connection Server.

    When I check the box and also check "Use PCoIP Secure Gateway for PCoIP connections to desktop", this will work remotely, but not internally. Also the PCoIP external URL is grayed out.

    To sum up, I can get this to work for internal or external use, but not both at the same time.

    You can make this work with just a single Connection Server for both external and internal access, but it will mean that internal PCoIP is unnecessarily sent via the gateway through a Connection Server or Security Server.

    It is best to dedicate Connection Servers to internal and external use so that internal PCoIP goes direct between the client and the virtual desktop.

    There is a detailed description of this here, http://communities.vmware.com/docs/DOC-14974, which includes a video detailing a deployment configuration of View for internal and external access.

