VMware View 4.6 has just been released and, as everyone expected, this release introduces support for external secure remote access with PCoIP without requiring an SSL VPN. This feature is also known as View Secure Gateway Server. VMware’s Mark Benson, in his blog article, does a very good job of explaining why tunnelling PCoIP traffic through the Security Server using SSL was never a viable solution: VMware did not want to interfere with the advanced performance characteristics of the protocol.
I previously discussed this issue with PCoIP over VPN in my article PCoIP over SSL VPN: UDP or TCP?. Long story short – TCP manages message acknowledgment, retransmission and timeout. Multiple attempts are made to deliver a message, and if a segment is lost along the way the receiving side will re-request the lost part. In TCP there is either no missing data or, after repeated timeouts, the connection is dropped. In UDP, when a message is sent it cannot be known whether it will reach its destination; it could get lost along the way. There is no concept of acknowledgment, retransmission or timeout. PCoIP, however, does occasional acknowledgements via TCP port 4172 to make sure the end-point is still alive.
In a VERY simplistic way, the picture below demonstrates the two layers (TCP SSL and UDP PCoIP) stacked up.
Prior to View 4.6, had VMware decided to utilise the existing Security Server SSL tunnel, PCoIP packets would have ended up being acknowledged at the underlying SSL/TCP layer. This acknowledgement would defeat the purpose and nature of UDP transmission, which is better datagram flow and the ability to tolerate packet loss. Common network applications that use UDP include the Domain Name System (DNS), streaming media applications such as IPTV, and Voice over IP (VoIP).
It is still possible, and nothing prevents it, to use an SSL VPN over TCP 443. However, verify that your VPN solution is capable of creating UDP tunnels, which give PCoIP better performance than a TCP-based VPN.
VMware View 4.6 supports PCoIP tunnelling on Security Servers and Connection Servers. It is also possible to proxy PCoIP through Connection Servers. The architecture is rather simple; however, in order to utilise the PSG (PCoIP Software Gateway) it is required to upgrade existing Security Servers to Windows 2008 R2. If the Connection Server must work as a PCoIP proxy, it is required to upgrade it to Windows 2008 R2 as well. Each PCoIP Gateway will support a validated maximum of 1,000 (correction: 2,000) simultaneous connections.
It is possible to pair a security server that runs on a Windows 2008 R2 host with a Connection Server instance that runs on Windows Server 2003 or 2003 R2 without affecting PCoIP Gateway functionality.
The PCoIP Secure Gateway handles not only PCoIP display traffic but also authentication. USB redirection and Multimedia Redirection (MMR) acceleration features can be enabled at the View Secure Gateway component in order to forward that data through a TCP port. USB redirection uses TCP port 32111 alongside PCoIP.
Firewalls and routers will need to be configured to accept/forward TCP 80, TCP 443 and TCP/UDP 4172 for the PCoIP Gateway. Make sure you configure TCP 4172 inbound and UDP 4172 in both directions.
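To check a perimeter firewall against the port list above, here is a small audit script I have added for this article (it is not part of VMware View or any VMware tool). It assumes the firewall exports its forwarding rules in iptables `-S` style, that the gateway’s external address is the constructed 203.0.113.10, and that reply traffic is allowed by explicit `--sport` rules rather than a stateful ESTABLISHED rule.

```python
"""Audit an iptables-style FORWARD rule dump for the ports a View 4.6 PCoIP
Secure Gateway needs: TCP 80, TCP 443, TCP 4172 inbound, UDP 4172 in both
directions, and TCP 32111 when USB redirection is forwarded through the gateway.
Added example for this article; the dump below is constructed sample data."""
from __future__ import annotations
import re

# (protocol, port, direction): "in" = client -> gateway, "out" = gateway -> client
REQUIRED = {
    ("tcp", 80, "in"), ("tcp", 443, "in"), ("tcp", 4172, "in"),
    ("udp", 4172, "in"), ("udp", 4172, "out"), ("tcp", 32111, "in"),
}

RULE_RE = re.compile(
    r"-A FORWARD .*?-p (?P<proto>tcp|udp) .*?--(?P<which>dport|sport) (?P<port>\d+) .*?-j ACCEPT"
)


def parse_rules(dump: str) -> set[tuple[str, int, str]]:
    """Map each ACCEPT rule to (proto, port, direction).
    A --dport match is traffic towards the gateway ("in"); a --sport match is the
    gateway's replies ("out"). The reply rule matters for UDP 4172 because, unlike
    TCP, there is no connection state to ride back on."""
    found = set()
    for line in dump.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        direction = "in" if m.group("which") == "dport" else "out"
        found.add((m.group("proto"), int(m.group("port")), direction))
    return found


def missing_rules(dump: str) -> list[tuple[str, int, str]]:
    """Return the required (proto, port, direction) tuples absent from the dump."""
    return sorted(REQUIRED - parse_rules(dump))


# Constructed sample: HTTP, HTTPS and TCP 4172 are forwarded, UDP 4172 is only
# allowed inbound, and USB redirection (TCP 32111) was never added.
SAMPLE_DUMP = """\
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 4172 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p udp -m udp --dport 4172 -j ACCEPT
-A FORWARD -j DROP
"""

if __name__ == "__main__":
    for proto, port, direction in missing_rules(SAMPLE_DUMP):
        print(f"missing: {proto.upper()} {port} ({direction}bound)")
```

Run against a real `iptables -S FORWARD` export, the script lists exactly which of the article's ports the firewall still blocks; for the sample it reports TCP 32111 inbound and UDP 4172 outbound.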
During the installation you must specify the external PCoIP URL, in addition to the external address for SSL connectivity. This address must be an IP address, not a DNS name. The installation wizard will also configure Windows Firewall automatically with the required configuration.
The configuration of Security Servers in the View 4.6 Connection Manager is still pretty similar to previous releases, with the exception of an additional PCoIP External URL field. This must be the same IP:Port configured during the installation of the Security Server.
The next step is to configure the Connection Brokers to “Use PCoIP Secure Gateway for PCoIP connections to desktop”. Administrators will need to enable the option for each Connection Broker accepting proxied PCoIP connections.
If PCoIP proxy connections at the Connection Broker level are not required, and the server is therefore not upgraded to Windows 2008 R2, the error message below will be displayed. The error message is not necessarily an issue; it only indicates that the Connection Server will not tunnel PCoIP connections. The Security Server running Windows 2008 R2 and View 4.6 will still proxy PCoIP as normal.
Now, you only need to point your VMware View Client to the external IP address or Fully Qualified Domain Name, authenticate, and select PCoIP for the protocol to be used.
Note: The pictures above may be different in GA release of VMware View 4.6.