Archive for the ‘security’ Category

TechPreview NeoAccel SSL VPN integrated with VMware View

May 13th, 2010 Andre Leibovici No comments

Time to share! I have been working with NeoAccel engineers on a solution to allow access to VMware View remote sessions over the internet.

Then you say – Everyone does that today!

– Yes, that is true, but no single VDI product on the market covers all possible scenarios today.

The solution allows users without administrative privileges to deploy the VPN client and VMware View client. Users have a seamless, integrated, secure and fully contained experience when connecting to the virtual desktops from any Windows-enabled endpoint device. For users on managed endpoints or with local administrative rights to the workstation/notebook, the VPN and View client installations are transparent and the session is automatically established through Single Sign-On. Take a look at the video below.

How does it work?

NeoAccel VPN is a virtual appliance based on next-generation encryption technology that combines performance (faster than most clear traffic), ease of use and ubiquity (leveraging browser-based SSL). In addition to encryption and tunnelling, it provides each endpoint with end-to-end security comprising data leakage prevention, endpoint compliance, authentication, audit and logging, data cleanup, and WAN optimization.

NeoAccel is comparable to the solutions provided by Cisco, F5 and Juniper and mentioned in the Solution Briefs VMware released covering SSL VPN & PCoIP.

What has been automated…

  • Installation and execution of NeoAccel VPN client in both scenarios (with Admin/without Admin privileges)? YES
  • Verification if VMware View client is already installed and execute the application? YES
  • Installation of View Client in silent mode if user has Admin rights and execute application? YES
  • Download and automated execution of a ThinApp version of the VMware View client for users without Admin rights? YES
  • Single Sign-On for all scenarios (Full View Client / ThinApp)? YES
  • Execution of PCoIP over UDP tunnelling in both scenarios (Full View Client / ThinApp)? YES

Tech Preview video of the solution
I’m sorry but the audio/video are not that great because this was recorded over a WEBEX session.

NeoAccel SSL VPN with VMware View from Andre Leibovici on Vimeo.

 

Who is NeoAccel?

NeoAccel was founded and is managed by Michel Susai. Michel is an innovator of pioneering technologies that optimize the performance of Internet applications. In 1997, he founded NetScaler, Inc whose unique technology significantly improved web-content delivery for large-scale corporations. NetScaler was acquired by Citrix Systems in 2005 in a $300 million transaction.

Who is currently using NeoAccel today?

Several large corporations use NeoAccel products, but most impressive is that NeoAccel is the solution OEM’d into some IBM, Net Pilot and Allied Telesis security products.

If you are interested or would like more details visit their website http://neoaccel.com.
I’m sure they would be keen to help you!

Categories: news, security, vdi, virtualization

F5 Networks releases deployment guide for VMware View 4

April 7th, 2010 Andre Leibovici No comments

F5 Networks released a deployment and procedures guide for VMware View. This document provides guidance and configuration procedures for deploying the BIG-IP Local Traffic Manager (LTM) v10 with VMware View.

Probably one of the most interesting features provided by the F5 BIG-IP appliance is the ability to create UDP tunneling with DTLS (Datagram TLS) and TCP fallback. DTLS aims to improve the PCoIP UDP end-user experience over high-latency networks such as the internet.

The video below demonstrates the capabilities of the DTLS datagram:

Deploying the BIG-IP LTM system with VMware View is tested and validated with BIG-IP LTM v10.0 and 10.1 and View v4.

The deployment guide can be found here.


VMware ESX 4.0 Cross-Site Scripting Vulnerability

December 17th, 2009 Andre Leibovici No comments

A security advisory released today by leading Australian information security consultancy StratSec warns of a security weakness in a third party component used by many software companies including VMware, potentially allowing the theft of user credentials.

The vendor of the third party component – WebWorks – worked with VMware and stratsec for approximately six months to develop the necessary patches to minimise the security risk to their clients.

During the course of our research at stratsec (www.stratsec.net) we have identified several cross-site scripting (XSS) vulnerabilities in the latest version of the VMware Infrastructure Web Access system used in several VMware products. After subsequent discussion with VMware, the issue was identified to be present in a third party component utilised by VMware, namely WebWorks Help.

Interestingly, VMware was notified on 13/07/2009 and is only now releasing a bug fix.

In general cross-site scripting vulnerabilities allow the theft of credentials associated with the domain on which the XSS bug exists.

In this particular case an exploit would grant an attacker access to the VMware Infrastructure Web Access interface which can be used to access the console interface to any virtual machines which the user has access to, change networking modes for virtual network devices, create virtual machines, etc.

Congratulations to StratSec, an Australian-owned security advisory company.

Affected Products:

  • VMware vCenter 4.0
  • VMware Server 2.0.2
  • VMware ESX 4.0
  • VMware Lab Manager (all)
  • VMware Stage Manager (all)

VMware Security Advisories (VMSA-2009-0017) – http://www.vmware.com/security/advisories/VMSA-2009-0017.html

http://www.stratsec.net/files/SS-09-001-Stratsec-VMWare%20WebWorks%20XSS%20Advisory%20v1.0.pdf

Categories: security

PCI DSS, Network Ports and your VMware Environment

August 11th, 2009 Andre Leibovici No comments

Recently I have been involved with the deployment of PCI DSS at TeleTech for the APAC region. It’s good to say that TeleTech has been officially declared PCI compliant; however, VMware is still on track to get their products certified. This puts up a barrier for organizations with high virtualisation levels, but I am not here to discuss the PCI requirements and their validity. Dwayne Melancon has already started this discussion for us: Security, Compliance and Best Practices » Blog Archive » The need for a new perspective.

During our work with PCI we were forced to distribute firewalls in front of and behind (or in transparent mode) different servers and applications, with no exception for ESX/ESXi and vSphere hosts. Services like the Service Console and VMkernel had to be placed in dedicated VLANs – there it goes “Best Practices” – but unused TCP ports also had to be locked down.

I found a very good blog entry at latoga labs containing a list of all network ports used by VMware products. This came in very handy and I would like to share it with you.

VMware Network Port List | latoga labs

Have Fun and Break a Leg

Categories: security, virtualization