
PCoIP over SSL VPN: UDP or TCP?

Remote access to corporate virtual desktops is becoming standard, and organisations are leveraging their existing VPN infrastructure to give remote users a better computing experience.

PCoIP is a remote graphics protocol originally designed by our partner, Teradici, and available today in hardware implementations. VMware has been diligently working with Teradici to create a virtualized implementation of this robust, innovative protocol and deliver the premier remote desktop experience for VMware View.

As of today, the VMware View Security Server supports RDP connections only, so an existing SSL VPN solution has to be used to give remote users the PCoIP experience.

PCoIP is a server-centric protocol that uses UDP datagrams, not TCP. Here you will find some good information about how UDP works.

The issue is that most SSL VPNs tunnel everything over TCP.

TCP is a connection-oriented protocol, and a TCP-based SSL VPN typically runs on port 443 just like standard HTTPS traffic. Because the tunnel is reliable, every lost or corrupted segment is retransmitted, and all data queued behind it is held back until the retransmission arrives (head-of-line blocking). That is fine for file transfers but bad for real-time traffic such as VoIP, video and PCoIP, which would rather drop a stale frame than wait for it: inside a TCP tunnel the stream cannot drop anything, so loss turns into lag and jitter instead.

On the other hand we have got PCoIP that uses UDP.

A UDP-based SSL VPN provides lower latency and a better user experience, at the cost of reliability. IMHO that should not make much difference for PCoIP, a protocol designed to work under exactly those constraints, where datagrams may never arrive at the destination and the protocol copes on its own.
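To make the difference between the two tunnel types concrete, here is a small model (an added illustration, not code from the original post or from VMware/Teradici) that pushes the same real-time frame stream through a UDP-style tunnel and a TCP-style tunnel over a link that loses two frames. All numbers (25 fps, 50 ms one-way latency, 100 ms RTT, which frames are lost, a 15 ms jitter budget) are constructed assumptions chosen to make the effect visible; the TCP recovery time of one RTT is a simplification of retransmission behaviour.

```python
"""Toy model of a real-time UDP stream (PCoIP frames) carried across a lossy
link by (a) a UDP/DTLS tunnel and (b) a TCP tunnel.

Added illustration, not code from the original post or from VMware/Teradici.
All numbers (frame rate, latency, RTT, which frames are lost) are constructed
assumptions chosen to make the effect visible.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Delivery:
    seq: int
    sent_at: float                   # ms
    delivered_at: Optional[float]    # ms; None means the frame was dropped


def udp_tunnel(send_times, one_way_ms, lost):
    """Unreliable tunnel: a datagram arrives after one_way_ms or is lost.
    A lost frame affects only itself; the next frame is not held back."""
    return [Delivery(i, t, None if i in lost else t + one_way_ms)
            for i, t in enumerate(send_times)]


def tcp_tunnel(send_times, one_way_ms, rtt_ms, lost):
    """Reliable, in-order tunnel. A lost segment is retransmitted once the
    sender notices (modelled as one RTT after the original send, so the copy
    lands at t + rtt + one_way), and every later segment is held in the
    receive buffer until the earlier one has been delivered. That hold is
    head-of-line blocking, and it is what a TCP SSL VPN adds to PCoIP."""
    out, in_order_clock = [], 0.0
    for i, t in enumerate(send_times):
        arrival = t + one_way_ms
        if i in lost:
            arrival = t + rtt_ms + one_way_ms   # retransmitted copy
        in_order_clock = max(in_order_clock, arrival)
        out.append(Delivery(i, t, in_order_clock))
    return out


def summarize(deliveries, one_way_ms, budget_ms):
    """Count dropped frames, frames arriving later than the receiver's jitter
    budget (stale for a real-time stream) and the worst added delay."""
    delivered = [d for d in deliveries if d.delivered_at is not None]
    extra = [d.delivered_at - d.sent_at - one_way_ms for d in delivered]
    return {
        "dropped": len(deliveries) - len(delivered),
        "late": sum(1 for e in extra if e > budget_ms),
        "worst_extra_ms": max(extra, default=0.0),
    }


def compare(n_frames=100, interval_ms=40.0, one_way_ms=50.0, rtt_ms=100.0,
            lost=(10, 50), budget_ms=15.0):
    """Run both tunnels over the same frame schedule and loss pattern.
    Defaults: 25 fps, 50 ms one-way latency, 100 ms RTT, frames 10 and 50
    lost, 15 ms jitter budget (constructed values)."""
    send_times = [i * interval_ms for i in range(n_frames)]
    lost = set(lost)
    return {
        "udp": summarize(udp_tunnel(send_times, one_way_ms, lost),
                         one_way_ms, budget_ms),
        "tcp": summarize(tcp_tunnel(send_times, one_way_ms, rtt_ms, lost),
                         one_way_ms, budget_ms),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name}: {stats}")
```

With the default parameters the UDP tunnel drops the two lost frames and delivers every other frame on time, which is the situation PCoIP is built for. The TCP tunnel delivers all 100 frames, but each loss makes three consecutive frames late (100, 60 and 20 ms of added delay), including two that had already arrived and were only waiting for their predecessor. That is the "lag" the paragraph above refers to, and it grows with the RTT of the path.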

If your SSL VPN appliance already provides the capability to establish UDP-based tunnels (typically DTLS), you should use it.

The downside of a UDP-based SSL VPN is that it is much easier for an intermediary to detect and block: a network that only lets TCP/443 out, or forces everything through an HTTP proxy, will not pass it at all. In such cases, where connections are filtered and/or authenticated, falling back to TCP encapsulation will usually get you connected. This is common in hotels, public Internet hotspots and countries with restrictive Internet filtering, so keep TCP fallback available even if UDP is your default.

I recommend that you run your own tests to understand how PCoIP behaves over TCP and UDP SSL VPNs. A simple ping through each tunnel gives a first indication of the added latency, but the real difference only shows up when the link is lossy or congested: the TCP tunnel turns lost packets into latency spikes and jitter, while the UDP tunnel simply drops them. Measure round-trip latency and jitter under load, not on an idle link.

For reference, "UDP transparent tunnelling" is an IPsec feature rather than an SSL VPN one: it uses UDP ports 500 (IKE), 4500 (NAT-T) and 10000 (IPsec over UDP) between VPN clients and concentrators. An SSL VPN in UDP mode uses its own, vendor-specific UDP port for the DTLS channel, so check your appliance documentation when opening firewalls.

Vendors such as Juniper and Cisco have already started to publish documentation on the subject:

VMware View with Juniper SA Series SSL VPN
Cisco Solutions for a VMware View 4.0 Environment Design Guide

If you are looking for a free VPN solution, check OpenVPN, an open-source, community-based VPN that is also available as a virtual appliance running on your ESX environment. It supports both UDP and TCP transports, so you can test the two tunnel types against each other with the same server.

2 comments

  1. Cheap EV SSL

    The problem in tunnelling UDP in HTTP is that HTTP is built on TCP, which is a reliable protocol (it automatically handles retransmission).

    So there is a clash: you are layering an unreliable protocol (where reliability is handled by the application) on a reliable one (TCP), so you obviously can't do all the things that PCoIP does with UDP (ignoring missing packets without requesting them, interpolating them...) because there is a FORCED retransmission.

    The big advantage also of a web portal (like those used for ICA / RDP) is that it is ubiquitous (no added complexity, and HTTP is a well-established protocol) and it can also work through HTTP proxies (present in most enterprises).

    So I really want to see what VMware's next moves are from an implementation point of view, maybe:

    • losing some agility in PCoIP traffic handling by using TCP/HTTP when used through the web

    • providing some "gateway" applet downloadable from the web portal that tunnels in some way (but this will not work with proxies)

  2. Andre Leibovici

    @Cheap EV SSL
    F5 has an appliance (BIG-IP Edge Gateway) that implements DTLS (Datagram TLS) with TCP fallback.

    Here you can see a video demonstration of UDP tunnelling with and without DTLS:
    http://devcentral.f5.com/weblogs/dctv/archive/2008/11/07/pete-silva-demonstrates-datagram-tls-in-the-big-ip-secure-access.aspx

    That might be a possible solution for these shortfalls. I’m not sure what other options would be available.
