VMware View 4.6 PCoIP Software Gateway (PSG)

VMware View 4.6 has just been released and, as everyone expected, this release introduces support for secure external remote access over PCoIP without requiring an SSL VPN. This feature is also known as the View Secure Gateway Server. VMware's Mark Benson, in his blog article, does a very good job of explaining why tunnelling PCoIP traffic through the Security Server over SSL was never a viable solution: VMware did not want to interfere with the performance characteristics of the protocol.

I previously discussed the issue of running PCoIP over a VPN in my article PCoIP over SSL VPN: UDP or TCP?. Long story short: TCP manages acknowledgement, retransmission and timeout. If a segment is lost along the way, the receiver's acknowledgements stop advancing and the sender retransmits it, making multiple delivery attempts. With TCP there is either no missing data or, after repeated timeouts, the connection is dropped. With UDP, once a datagram is sent there is no way to know whether it reached its destination; it may simply be lost. There is no concept of acknowledgement, retransmission or timeout at the transport layer. PCoIP does, however, exchange occasional acknowledgements over TCP port 4172 to confirm that the endpoint is still alive.

In a VERY simplistic way, the picture below demonstrates the two layers (TCP/SSL underneath, UDP/PCoIP on top) stacked up.

[Figure: UDP PCoIP datagrams stacked on top of a TCP SSL tunnel]

Prior to View 4.6, had VMware decided to reuse the existing Security Server SSL tunnel, PCoIP packets would have ended up being acknowledged at the underlying SSL/TCP layer. That acknowledgement defeats the purpose and nature of UDP transmission, which is better datagram flow and the ability to tolerate packet loss. Common network applications that use UDP include the Domain Name System (DNS) and streaming media applications such as IPTV and Voice over IP (VoIP).
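To make the point of the last two paragraphs concrete, here is a small simulation, added to this post and not VMware code, of what happens to a stream of PCoIP-style datagrams when one of them is lost: once over plain UDP, and once inside a TCP/SSL tunnel. The TCP model is deliberately simplified (in-order delivery, a single loss recovered by retransmission timeout, no fast retransmit), and the timings (10 ms send interval, 40 ms one-way latency, 200 ms RTO, datagram 10 lost) are constructed, not measured.

```python
"""Added example: toy simulation of head-of-line blocking when UDP datagrams are
carried inside a TCP/SSL tunnel. Not VMware code; all timings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed scenario: 100 datagrams sent every 10 ms, 40 ms one-way latency,
# datagram #10 lost once, TCP retransmission timeout (RTO) of 200 ms.
SEND_INTERVAL_MS = 10.0
ONE_WAY_MS = 40.0
RTO_MS = 200.0
DATAGRAMS = 100
LOST = {10}


@dataclass
class Delivery:
    seq: int
    delivered_at: Optional[float]  # None: never delivered (dropped)


def send_times(n: int = DATAGRAMS, interval: float = SEND_INTERVAL_MS) -> List[float]:
    return [i * interval for i in range(n)]


def deliver_over_udp(sent: List[float], lost: Set[int], one_way: float) -> List[Delivery]:
    """Plain UDP: a lost datagram is simply gone; every other datagram arrives
    one-way latency after it was sent, regardless of earlier losses."""
    return [Delivery(seq, None if seq in lost else t + one_way) for seq, t in enumerate(sent)]


def deliver_over_tcp_tunnel(sent: List[float], lost: Set[int],
                            one_way: float, rto: float) -> List[Delivery]:
    """Same datagrams inside a TCP stream (simplified: RTO-driven retransmission,
    no fast retransmit). TCP delivers in order, so a lost segment is retransmitted
    after `rto` and every later segment waits in the receive buffer until the gap
    is filled: head-of-line blocking."""
    out: List[Delivery] = []
    release = 0.0  # earliest time the receiver can hand up the next in-order segment
    for seq, t in enumerate(sent):
        arrival = t + rto + one_way if seq in lost else t + one_way
        release = max(release, arrival)
        out.append(Delivery(seq, release))
    return out


def stalled(deliveries: List[Delivery], sent: List[float], one_way: float) -> List[int]:
    """Datagrams that arrived later than a lossless one-way trip would allow."""
    return [d.seq for d in deliveries
            if d.delivered_at is not None and d.delivered_at > sent[d.seq] + one_way]


def compare() -> Dict[str, object]:
    sent = send_times()
    udp = deliver_over_udp(sent, LOST, ONE_WAY_MS)
    tcp = deliver_over_tcp_tunnel(sent, LOST, ONE_WAY_MS, RTO_MS)
    return {
        "udp_dropped": [d.seq for d in udp if d.delivered_at is None],
        "udp_stalled": stalled(udp, sent, ONE_WAY_MS),
        "tcp_dropped": [d.seq for d in tcp if d.delivered_at is None],
        "tcp_stalled": stalled(tcp, sent, ONE_WAY_MS),
        "tcp_worst_extra_delay_ms": max(d.delivered_at - (sent[d.seq] + ONE_WAY_MS)
                                        for d in tcp if d.delivered_at is not None),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these constructed numbers, UDP loses exactly one datagram and every other one is on time; the TCP tunnel loses nothing but holds back twenty datagrams (10 through 29) for up to 200 ms while it waits for the retransmission. For a display protocol, a late frame is worth less than a skipped one, which is the whole reason the gateway passes PCoIP as UDP instead of wrapping it in SSL.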

It is still possible, and nothing prevents it, to use an SSL VPN over TCP 443. However, verify that your VPN solution can create UDP tunnels, which will give PCoIP better performance than a TCP-based VPN.

VMware View 4.6 supports PCoIP tunnelling on Security Servers and Connection Servers; it is also possible to proxy PCoIP through Connection Servers. The architecture is rather simple, however in order to use the PSG (PCoIP Software Gateway) existing Security Servers must be upgraded to Windows Server 2008 R2. If a Connection Server must also work as a PCoIP proxy, it too must be upgraded to Windows Server 2008 R2. Each PCoIP Gateway supports a validated maximum of 2,000 simultaneous connections (an earlier version of this post said 1,000).

It is possible to pair a Security Server running on a Windows Server 2008 R2 host with a Connection Server instance running on Windows Server 2003 or 2003 R2 without affecting PCoIP Gateway functionality.

The PCoIP Secure Gateway handles not only PCoIP display traffic but also authentication. USB redirection and Multimedia Redirection (MMR) acceleration can be enabled on the View Secure Gateway component so that their data is forwarded through a TCP port. USB redirection uses TCP port 32111 alongside PCoIP.

Firewalls and routers need to be configured to accept/forward TCP 80, TCP 443 and TCP/UDP 4172 to the PCoIP Gateway. Make sure you allow TCP 4172 inbound, and UDP 4172 in both directions.

[Figure: network ports used by the PCoIP Gateway]
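The mistake I see most often with this port list is opening 4172 as TCP only, or as UDP inbound only, which leaves the HTTPS login path working while the PCoIP data path is blocked. The following script, added here and not part of VMware's tooling, encodes the port matrix above and reports which required rules are missing from a rule set. The `Rule` type and both rule sets are constructed for illustration; feed it whatever representation you export from your own firewall.

```python
"""Added example: check a firewall rule set against the ports the PCoIP Gateway
needs. Not VMware code; the Rule type and rule sets below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True, order=True)
class Rule:
    proto: str       # "tcp" or "udp"
    port: int
    direction: str   # "in" or "out", relative to the Security Server's external side
    action: str = "allow"


def required_rules(usb_redirection: bool = True) -> Set[Rule]:
    """Ports from the post: TCP 80/443 and TCP 4172 inbound, UDP 4172 in both
    directions, plus TCP 32111 inbound when USB redirection is enabled."""
    req = {
        Rule("tcp", 80, "in"),
        Rule("tcp", 443, "in"),
        Rule("tcp", 4172, "in"),
        Rule("udp", 4172, "in"),
        Rule("udp", 4172, "out"),
    }
    if usb_redirection:
        req.add(Rule("tcp", 32111, "in"))
    return req


def missing_rules(configured: Iterable[Rule], usb_redirection: bool = True) -> List[Rule]:
    """Required rules that have no matching allow rule in the configured set.
    Protocol and direction are normalised to lower case before comparison."""
    allowed = {Rule(r.proto.lower(), r.port, r.direction.lower())
               for r in configured if r.action.lower() == "allow"}
    return sorted(required_rules(usb_redirection) - allowed)


# Constructed "before": 4172 was opened as TCP in both directions and UDP was
# forgotten entirely, so users can log in over 443 but no PCoIP session starts.
WEAK_RULES = [
    Rule("tcp", 80, "in"), Rule("tcp", 443, "in"),
    Rule("tcp", 4172, "in"), Rule("tcp", 4172, "out"),
    Rule("tcp", 32111, "in"),
]

# Constructed "after": the rule set the post describes.
FIXED_RULES = WEAK_RULES + [Rule("udp", 4172, "in"), Rule("udp", 4172, "out")]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        gaps = missing_rules(rules)
        print(f"{name}: {'OK' if not gaps else 'missing ' + str(gaps)}")
```

The check is deliberately about the external (client-facing) side of the Security Server only; the rules between the gateway and the desktop VMs in the internal network are a separate matrix and are not covered by this list.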

During installation you must specify the external PCoIP URL in addition to the external address for SSL connectivity. This address must be an IP address, not a DNS name. The installation wizard also configures Windows Firewall automatically with the required rules.

[Screenshots: Security Server installation wizard]

The configuration of Security Servers in View 4.6 View Administrator is still very similar to previous releases, with the exception of an additional PCoIP External URL field. This must be the same IP:port that was configured during installation of the Security Server.

[Screenshot: Security Server settings with the PCoIP External URL field]

The next step is to configure the Connection Brokers to “Use PCoIP Secure Gateway for PCoIP connections to desktop”. Administrators need to enable this option on each Connection Broker that accepts proxied PCoIP connections.

[Screenshot: Connection Server settings, “Use PCoIP Secure Gateway for PCoIP connections to desktop”]

If PCoIP proxying at the Connection Broker level is not required, and the server is therefore not upgraded to Windows Server 2008 R2, the error message below is displayed. The message is not necessarily a problem: it only indicates that the Connection Server itself will not tunnel PCoIP connections, while a Security Server running Windows Server 2008 R2 and View 4.6 will still proxy PCoIP normally.

[Screenshot: error message shown when the Connection Server cannot act as a PCoIP gateway]

Now you only need to point your VMware View Client to the external IP address or fully qualified domain name, authenticate, and select PCoIP as the protocol.

Note: The pictures above may be different in GA release of VMware View 4.6.

11 comments


  1. Great post! Looking forward to PCoIP via Security Server.

    Jas

    • Philbert on 02/26/2011 at 8:11 am

    I’m having a hard time finding anything in the documentation saying anything about the ability to route PCoIP traffic from the internet through the Security server, through the Connection server to the Virtual desktop. Your blog post seems to indicate that is possible.

    I operate in a real locked down, multi-customer environment. Network is not gonna like opening PCoIP from the DMZ to the internal LAN.

  2. @Philbert – To the best of my knowledge, that’s not possible. PCoIP traffic is “tunnelled” (NAT’d) by the Security Gateway and from there must pass unhindered directly to the View desktop VMs. Yes, this means opening up some (very specific) TCP and UDP ports from the Gateway to the VMs.
    If this causes problems for you in your environment, let your VMware rep know – they should be able to help work with you to understand any concerns your security teams may have and how to alleviate them.
    (Disclaimer: I work for VMware)

  3. We never recommend placing Windows boxes into the DMZ, it’s not a secure design. I can definitely see how this makes an attempt to address a long-standing void, but this is a baby step.
    Disclaimer – I work at Citrix.

    • Philbert on 02/28/2011 at 5:15 am

    @Mark Vinokur
    You know, I’m really sick of the back and forth between VMware and Citrix. It’s a constant nattering and so immature. Do you think your customers are impressed?

  4. @Philbert – say you invented a battery operated battery charger, and tried to market it, I would say – more power to you, but in my review of your device I’d at least ask the potential customer to think before buying.

    I guess I’m looking for others (other technology) to leap-frog, not try to keep up with Citrix. I have to agree with @rspruijt on Twitter, it was a good read.

    • Philbert on 03/01/2011 at 7:37 am

    @Mark Vinokur
    However, your critique of my battery operated battery charger would mean a whole lot more if you didn’t work for Energizer. You have a vested interest and have a biased opinion.

    The point I’m trying to make is: I’m not interested in listening to the vendors squabble like little children.

  5. Nice article Andre, and it’s about time this issue was addressed. But it’s more complicated than it needs to be. I hope future releases will be more refined.

    @Mark Vinokur, your comment was petty and incorrect. People like me have been deploying CSGs (Citrix Secure Gateways) into DMZs for years. If you lock them down and secure them correctly, there is nothing wrong with placing Windows servers in the DMZ.

    Cheers,
    Jeremy.

  6. @Jeremy Saunders
    I don’t have the inside track, however I think there are many new features in the pipeline for PCoIP Gateway and VMware View itself, including integration with the vShield line of products. Again, I have no inside track.

    • Jim French on 09/02/2011 at 11:30 am

    UDP provides no reliable delivery so it is incumbent on the application to provide it. TCP does have its limitations with having to acknowledge the packets and your mileage with various TCP stacks will vary. That said, WAN accelerators improve and normalize the behavior of TCP to fill the pipe and mitigate acknowledgement latency. PCoIP over SSL over optimized TCP would fare better.

    • Mando on 02/01/2014 at 9:40 pm

    If your security gateway is not in the DMZ, is there any special configuration for this?


  1. […] Andre Leibovici – myvirtualcloud.net […]

  2. […] than any competing product.  Make sure you have a View 4.6 environment and have followed Andre’s directions to make it work with PCoIP through a […]

  3. […] (up to 20Mb/s) than AES-128 bit. However, Salsa20-256 bit cannot be used with PSG (read more on VMware View 4.6 PCoIP Software Gateway). The PCoIP Secure Gateway does not allow Salsa20-256 to be negotiated because the encryption […]
