by Hasan Mahmood

In VMware View 4.5 and earlier, PCoIP connections were restricted to internal connections or connections through VPN, as a direct connection was required between the Client and the View Desktops. Starting with VMware View 4.6, we have the ability to use PCoIP connections from outside the firewall. This version allows us to connect to the View Desktops on port 4172 through the server that is running the PCoIP Secure Gateway. Who says we don’t listen to our customers!

The PCoIP Secure Gateway can be run on the Security Server or the Connection Broker. You can have multiple PCoIP Secure Gateways running. Any Security Server or Connection Broker that will run the PCoIP Security Server is required to run Windows 2008 R2 64-bit. With a properly configured PCoIP Secure Gateway, PCoIP traffic is passed through the gateway between the View Client and the View Desktop, so a single IP address/port can be opened in the firewall to allow PCoIP communications.

The PCoIP Secure Gateway must run on the server that the clients connect to: for external users this is the Security Server, and for internal users it is the Connection Server. Internal users are not required to use a gateway server for PCoIP; however, one may be required if no direct connection is possible between the clients and the View Desktops. Also note that use of the PCoIP Secure Gateway is configured from a Connection Server and applies to a Connection Server and Security Server pair. Where there is only one Connection Server and Security Server, all users, both external and internal, will need to use the PCoIP Secure Gateway, and the gateway must run on both the Connection Server and the Security Server.

When configuring a PCoIP Secure Gateway, keep in mind that the gateway uses port 4172 for the remote console connection, while USB traffic is diverted through port 443 for VMware View Clients. Thin Clients use port 4172 for all communication. The PCoIP Secure Gateway configuration requires two parameters: External URL and PCoIP External URL. On the Security Server, the External URL is a URL that is resolvable from the locations the clients are connecting from. It is the firewall IP that is forwarded to the Security Server.

The PCoIP External URL must be provided as an IP address. This can be the same firewall IP used for the External URL. Ports 443 (TCP) and 4172 (TCP and UDP) must be open for connections from the outside.

When configuring PCoIP on a Connection Server, the External URL and PCoIP External URL refer to the DNS name of the Connection Server. The requirement that the PCoIP External URL be specified as an IP address also applies.

When using the Security Server as the PCoIP Secure Gateway in a DMZ, the firewall must be configured so that the Security Server can connect to all the View Desktops on ports 4172 and 32111. There are other firewall rules you need to follow as well. Consult the View Architectures Planning for complete details.
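The port requirements above can be checked against an exported firewall rule list before go-live. The following Python is an added example, not code from VMware or from the original post; the zone names (outside, security_server, desktops), the tuple rule format, the sample rules and the host:port form of the PCoIP External URL are assumptions made for illustration.

```python
import ipaddress

# Flows the article requires, as (source zone, destination zone, port, protocol).
# The article names no protocol for Security Server -> desktops, so protocol is
# None there and any protocol on that port satisfies the requirement.
REQUIRED = [
    ("outside", "security_server", 443, "tcp"),
    ("outside", "security_server", 4172, "tcp"),
    ("outside", "security_server", 4172, "udp"),
    ("security_server", "desktops", 4172, None),
    ("security_server", "desktops", 32111, None),
]

def check_pcoip_external_url(value):
    """Return problems found in a PCoIP External URL (assumed form: ip[:port])."""
    host, _, port = value.partition(":")
    problems = []
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        problems.append(f"host {host!r} is not an IP address")
    if port and port != "4172":
        problems.append(f"port {port} is not the PCoIP port 4172")
    return problems

def missing_flows(rules):
    """Return the required flows that no allow rule covers."""
    missing = []
    for src, dst, port, proto in REQUIRED:
        if proto is None:
            covered = any(r[:3] == (src, dst, port) for r in rules)
        else:
            covered = (src, dst, port, proto) in rules
        if not covered:
            missing.append((src, dst, port, proto))
    return missing

def unexpected_outside_rules(rules):
    """Return allow rules from outside that go beyond the gateway's 443/4172."""
    return [r for r in rules if r[0] == "outside" and r not in REQUIRED]

# Constructed sample allow rules, not taken from any real firewall.
SAMPLE_RULES = [
    ("outside", "security_server", 443, "tcp"),
    ("outside", "security_server", 4172, "tcp"),
    ("security_server", "desktops", 4172, "tcp"),
    ("security_server", "desktops", 4172, "udp"),
    ("outside", "desktops", 3389, "tcp"),
]
```

On the sample rules, `missing_flows` reports the absent 4172/UDP rule and the absent 32111 rule, and `unexpected_outside_rules` reports the direct outside-to-desktop rule that the gateway is meant to make unnecessary.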

VMware KB articles Configuring PCoIP Secure Gateway in VMware View 4.6, Troubleshooting PCoIP Secure Gateway (PSG) issues and VMware View Administration are useful in configuring and troubleshooting PCoIP Secure Gateway.