PCoIP traffic getting dropped because it's using SSL

L7 Applicator

Facebook is easy to identify by the Common Name field of the certificate (generally *.facebook.com). Many other popular SSL applications work the same way. From that, the firewall can determine that while it is SSL, it's actually Facebook.

Your VMWare View app is likely going to a server with a private IP address, or is a domain name that is unknown to the application database. That's why it's only SSL.

If you decrypt the traffic, the firewall can see beyond the key handshake, and can identify the traffic by its actual requests and responses. Until you decrypt it, the firewall only has access to the handshake itself.

L3 Networker

We run VMWare View (now Horizon) in our environment. Our experience is that the built-in vmware-view application did not work for us. It seems to expect that all the services will run on one server, which is a little bit unrealistic. I think Palo Alto should have split them down into their individual applications within View rather than trying to bundle them. For instance, you may not want to allow RDP or USB redirection, but by default they are included. When you start looking to block these it can get tricky and downright just not work because of “rules validation”.

In our case we have separate view hosting and security servers. For us to get it to work correctly we had to configure custom applications, application overrides, and a few rules for view. Note that View was the only application that we had to do this for.

 

Custom Apps:

[Image: view custom apps.jpg]

Application Override

[Image: application override.jpg]

Rules

[Image: view rules.jpg]

 

Remember that PCoIP streams on UDP/4172. The TCP/4172 side of PCoIP is used for control, which simply looks to be SSL traffic just on a custom port, which is probably why Palo Alto firewalls see it as SSL.

I'm not a fan of having to turn off layer 7 application inspection for these particular servers and ports, but this seemed to be the only option. If anyone else has done this in a more simplified manner, I would love to hear about it.

-Matt

L3 Networker

Nice, thanks for taking the time to write an informative answer. I didn't know the other features such as USB were over a different port, I thought it was all tunneled over SSL.

When I look at my traffic, I'm only seeing ports 80, 443, and 8443. It seems everything is tunneled over SSL. We are using a VMAP server though, which all clients must connect to first. Maybe that's the difference?

Thanks!

L3 Networker

Are you sure that your clients are configured for PCoIP? Make sure you check the Horizon Client and make sure PCoIP is checked in the options.

If you are using a security server (such as for public facing clients), SSL will be used for the connection protocol and to encapsulate RDP (TCP) traffic. PCoIP, from what I've experienced, is a completely different UDP stream that will need to be allowed.

That being said, I didn't set up our View environment, so I can't speak to whether it's set up in accordance with best practices or not.
