PCoIP Dst NAT for VMWare View

miahac · Wed Jul 06, 2011 9:13 pm

I am having problems getting PCoIP through a client NAT.

VMWare view is a thin client/rdp service for running Virtual Desktops. When using thin clients you connect with PCoIP protocol ( I do not know anything about the PCoIP standard except that it is better than RDP because it lets you map local devices very well.

The thin client connects to a "Security Server" which proxies the connection to the virtual machine (it may re-invite which may be the real problem, ill get to that later) This works fine inside our lan. I followed the steps from vmware to open up/forward the correct ports to the security server.
http://communities.vmware.com/docs/DOC-14974

For Example: I have a VMWare View Security Server set up inside of a masquerade.
Additionally, but not mentioned in the instructional, is that https:443:tcp also needs forwarded also for the initial connection.

Security Server 192.168.0.57
VIEW SERVER 192.168.0.56, 192.168.0.55
Here are the relevant firewall rules

/ip firewall nat
add action=masquerade chain=srcnat comment="Office Lan" disabled=no src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="HTTPS To VMView" disabled=no dst-address=xx.xx.xx.194 dst-port=443 protocol=tcp to-addresses=192.168.0.57 to-ports=443
add action=dst-nat chain=dstnat comment="JMS To VMView" disabled=no dst-address=xx.xx.xx.194 dst-port=4001 protocol=tcp to-addresses=192.168.0.57 to-ports=4001
add action=dst-nat chain=dstnat comment="JMSIR To VMView" disabled=no dst-address=xx.xx.xx.194 dst-port=4100 protocol=tcp to-addresses=192.168.0.57 to-ports=4100
add action=dst-nat chain=dstnat comment="AJP13 To VMView" disabled=no dst-address=xx.xx.xx.194 dst-port=8009 protocol=tcp to-addresses=192.168.0.57 to-ports=8009
add action=dst-nat chain=dstnat comment="4172 To VMView" disabled=no dst-address=xx.xx.xx.194 dst-port=4172 protocol=tcp to-addresses=192.168.0.57 to-ports=4172
add action=dst-nat chain=dstnat comment="UDP 4172" disabled=no dst-address=xx.xx.xx.194 dst-port=4172 protocol=udp to-addresses=192.168.0.57 to-ports=4172

/ip firewall filter
add action=accept chain=forward comment="Outbound VMView" disabled=no src-address=192.168.0.57

When I connect from outside it gets past the https authentication stage, it then once the actuall session is set up I get a blank screen. There is no packet count on the ports 4172.

My theory is that the security server is re-inviting the connection to the Virtual Desktop server rather than proxying, which would cause a problem.

Anybody have any experience/ideas?

petrn · Wed Jul 06, 2011 10:58 pm

Additionally, but not mentioned in the instructional, is that https:443:tcp also needs forwarded also for the initial connection.

I have no experience with View, but i would run this:
1. torch/sniffer on inside/outside interfaces
2. sniff communication between devices without firewall/nat

this might help:

/ip firewall nat
add action=masquerade chain=srcnat comment="Office Lan" disabled=no src-address=192.168.0.0/24 out-interface=<iface>

Just to be sure: is this dst-address=xx.xx.xx.194 same IP as masquerade?

miahac · Thu Aug 18, 2011 4:56 am

Just to be sure: is this dst-address=xx.xx.xx.194 same IP as masquerade?

It is the public ip we are using for VIEW. We are not specifying any public ip in masquerade

sploit · Mon Sep 29, 2014 6:37 pm

I have the exact same issue :/

Did you get any further?

ne0031 · Tue Mar 01, 2016 3:38 pm

Anyone solve this? I have the same issue as the original poster.

PCoIP Dst NAT for VMWare View

PCoIP Dst NAT for VMWare View

Re: PCoIP Dst NAT for VMWare View

Re: PCoIP Dst NAT for VMWare View

Re: PCoIP Dst NAT for VMWare View

Re: PCoIP Dst NAT for VMWare View

Who is online