Installing the View Agent on an unmanaged desktop source

You need this when you install the View Agent on a physical box or on an unmanaged desktop source: when you do not control the VM infrastructure, when the VDI lives in the cloud, or when you have no vCenter (or no vCenter license) managing the ESXi hosts. One could argue that if you are licensed for VDI you are licensed for every component needed to run VDI, but that does not help when the pieces cannot see each other.

For my particular use case, my View Connection Server is not going to be able to talk to the backend vSphere management infrastructure because it sits on a completely separate network. In other words, the virtual machine network and the vSphere management network are physically separated and do not talk to each other. Each ESXi host has one NIC on the virtual machine network to expose the Win7 VMware View VMs. There would be zero attack footprint from the virtual machine network to the vSphere management network. The only way to attack the vSphere infrastructure from that side is through some kind of VMware Tools to hypervisor vulnerability exposed on the VM itself that can reach the underlying hypervisor. I don't know of such a vulnerability, but that does not mean there is none, and it does not guarantee the future; the possibility of such an attack exists. I don't know what kind of sandboxing technique VMware uses to protect their VMware Tools. The other attack is pretty obvious: if you are already in the vSphere network itself, duh!

Enough blah blah. The command below starts the GUI install and prompts you to supply the View Connection Server IP or FQDN; the VDM_VC_MANAGED_AGENT=0 property tells the installer that no vCenter manages this machine, so the agent registers it with the Connection Server as an unmanaged desktop source.

VMware-viewagent-x86_64-5.3.x-xxxxxx.exe /v"VDM_VC_MANAGED_AGENT=0"
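If you are rolling the agent out to more than a handful of physical boxes you will not want to click through the GUI and type the Connection Server name each time. The script below is an added example, not part of the original post: it runs the same installer silently, passing the Connection Server and a registration account as MSI properties instead of waiting for the prompt. The installer path, Connection Server FQDN and registration account are placeholders; the /s, /v, /qn, VDM_VC_MANAGED_AGENT, VDM_SERVER_NAME, VDM_SERVER_USERNAME and VDM_SERVER_PASSWORD switches are the installer's documented silent-install switches.

```powershell
# Added example (not from the original post): unattended View Agent install on an
# unmanaged desktop source (a physical box, or a VM the Connection Server cannot
# manage through vCenter). Installer path, Connection Server FQDN and registration
# account below are placeholders.

$Installer  = 'C:\Temp\VMware-viewagent-x86_64-5.3.x-xxxxxx.exe'  # placeholder build
$ViewServer = 'view-cs1.corp.example'                               # placeholder Connection Server FQDN
$RegUser    = 'corp\view-register'                                  # placeholder: account allowed to register desktops
$LogPath    = 'C:\Temp\viewagent-install.log'                       # keep free of spaces: it sits inside the /v quotes

# Prompt for the registration password instead of hard-coding it in the script.
$secure = Read-Host -Prompt "Password for $RegUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# MSI properties go inside the /v"..." string. VDM_VC_MANAGED_AGENT=0 is the same
# property as in the interactive command above; the VDM_SERVER_* properties supply
# what the GUI would otherwise prompt for.
$msiProps = "/qn VDM_VC_MANAGED_AGENT=0 VDM_SERVER_NAME=$ViewServer " +
            "VDM_SERVER_USERNAME=$RegUser VDM_SERVER_PASSWORD=$plain /l*v $LogPath"
$argList  = "/s /v`"$msiProps`""

$proc  = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
$plain = $null   # drop the plaintext copy as soon as the installer has it

switch ($proc.ExitCode) {
    0    { Write-Host "View Agent installed and registered with $ViewServer." }
    3010 { Write-Host "Installed; a reboot is required before the desktop is usable." }
    default {
        Write-Warning "Installer exited with code $($proc.ExitCode); see $LogPath"
        exit $proc.ExitCode
    }
}
```

Two caveats a practitioner should keep in mind: while the installer runs, the password is visible in the process command line of any local administrator, and it may be written into the verbose MSI log, so use a dedicated registration account with no other rights, and delete or lock down the log afterwards. After a successful run the machine should show up among the registered desktop sources in View Administrator; if it does not, the log is where the registration error will be.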

Win7 + McAfee HIPS (IPS on) + VMware View Agent = Windows Update error

These three in combination, for whatever reason, cripple Windows Update. This issue is still unsolved for me because McAfee produces no log that can point to the signature causing it. As a workaround, I disable IPS every Patch Tuesday to get the updates. Here are the symptoms.

1.  Win7 + McAfee HIPS (IPS on) + VMware View Agent = Windows Update not working

2.  WinXP + McAfee HIPS (IPS on) + VMware View Agent = Windows Update works (weird)

3.  Win7 + McAfee HIPS (IPS on) = Windows Update works

4.  Win7 + VMware View Agent = Windows Update works

5.  Win7 + McAfee HIPS (IPS on) + VMware View Agent = when IPS is disabled and then re-enabled, the VM crashes and restarts.

The hard part is not having a clear log that points to the root cause. Another issue is whether to call McAfee or the VMware View team. This is going to require more time to be diagnosed properly in the near future.

VMware View Single Sign-On Timeout -1

Note: Please do not confuse VMware View SSO with vCenter SSO; they are not the same.

VMware View single sign-on (SSO) is enabled by default, which is excellent. The bad thing is that the default timeout is infinite (-1), which is very insecure. Having no timeout by default means a bad guy could walk up behind you while you are on a bathroom break, back out to the Desktop Library, choose a different VM you are entitled to, and SSO will let him in without prompting for credentials.

The fix has been documented since the 4.6 release.

Multiple sites show you how to do this with the Windows built-in tool ADSI Edit, but I can see why a few folks still get lost following those instructions. If you follow these instructions, I can guarantee success.

1. Open ADSI Edit on one of the clustered View Connection Servers. Tip: c:\windows\system32\adsiedit.msc

Choose Connect to, and as the naming context type “cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int” (no spaces), connecting to “localhost”.

[Screenshot: adsiedit 1]

2.  Right-click the “Common” folder, open its properties, and change the value of “pae-SSOCredentialCacheTimeout” from “-1” to the timeout you want, in minutes (mine is 5 minutes). Hit Apply.

[Screenshot: adsiedit 2]

This change replicates to all the View Connection Server replicas. I hope you take the time to close this neglected security hole. I wish VMware had chosen a more secure default value or exposed this setting in the web interface, but no big deal.
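The same attribute can be audited and set from PowerShell, which is handy if you want to check every Connection Server you own rather than clicking through ADSI Edit. The script below is an added example and not part of the original post; it binds to the same View LDAP object the steps above edit (the View LDAP instance listens locally on port 389) and writes pae-SSOCredentialCacheTimeout only when the current value is the insecure -1 or is longer than the value you chose. Run it on a Connection Server as a View administrator; the 5-minute value is just the one used in the post.

```powershell
# Added example (not from the original post): set the View SSO credential cache
# timeout by writing the same LDAP attribute the ADSI Edit steps above change.
# Run in an elevated PowerShell on a View Connection Server, as a View administrator.

$TimeoutMinutes = 5      # your chosen timeout; -1 is the insecure "never expire" default

# Same object and attribute the ADSI Edit procedure edits.
$path = 'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$attr = 'pae-SSOCredentialCacheTimeout'

$common = New-Object System.DirectoryServices.DirectoryEntry($path)

# Read first: fail loudly if the View LDAP is unreachable or the attribute is missing.
$before = $common.Properties[$attr].Value
if ($null -eq $before) {
    throw "Could not read $attr at $path. Is this a View Connection Server, and are you a View administrator?"
}
Write-Host "Current $attr = $before (minutes; -1 means never expire)"

if ([int]$before -eq -1 -or [int]$before -gt $TimeoutMinutes) {
    # Write the value back with the same .NET type we read, so the LDAP provider
    # marshals it exactly as ADSI Edit would when you type the number in.
    if ($before -is [string]) { $newValue = [string]$TimeoutMinutes } else { $newValue = [int]$TimeoutMinutes }
    $common.Properties[$attr].Value = $newValue
    $common.CommitChanges()

    # Re-read through a fresh bind to verify the write actually landed.
    $check = (New-Object System.DirectoryServices.DirectoryEntry($path)).Properties[$attr].Value
    if ([int]$check -ne $TimeoutMinutes) {
        throw "Write did not stick: $attr is still $check"
    }
    Write-Host "Set $attr to $check minutes; the change replicates to the other Connection Servers in the cluster."
} else {
    Write-Host "Leaving $attr at $before; it is already at or below $TimeoutMinutes minutes."
}
```

Because the View LDAP replicates between Connection Servers, you only need to write once, but it is worth running the read-only part on each replica afterwards to confirm the new value has arrived everywhere before you consider the hole closed.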

View 5.1.2 Directory Traversal


I thought this was going to be a relaxed Friday at the office before CHRISTmas, but I guess not. After reading the patch referenced in the VMware advisory, I realized how urgent it is. This matters most if you have a View Security Server exposed to the outside network. Without the patch you are asking for trouble, so if you cannot patch right away for whatever reason, shut the Security Server down or block users from reaching it until you can. If you have users on it, applying the patch immediately is that important: do not wait for a nightly maintenance window, or for a boss who is off for CHRISTmas to grant permission. This is an emergency patch.

You must also patch the View Connection Server (VCS). This one is less risky than the Security Server (still risky), since the VCS is typically exposed only internally, which holds if your View infrastructure is designed with best practice in mind. What do I mean? Some View admins expose a full-blown VCS to the Internet for outside mobile users, which is not best practice. If that is your case you are at high risk, and I hope you have your resume up to date and ready to go; if not, shut down the exposed VCS first before you draft the latest one =). Kidding aside, fix the architecture: a non-domain-joined View Security Server in the DMZ, paired with a domain-joined VCS inside, and apply the 5.1.2 patch.

The agent patch for the VM guest carries no urgency, so there is no need to apply it to each and every VM guest right away. At least I did not see any urgency for it in the advisory.

I wish you all a blessed CHRISTmas!!


Imagine this: you are an hour early for your morning flight, so you pull out your trusty iPad. While sipping a hot grande with your left hand, your right hand is harvesting your FarmVille tomatoes. You might as well clean up your NMCI webmail before it hits its limit. Then you remember that you need to respond to a colleague on SIPRNET DCO about the new F-22 fighter jet lessons-learned brief. You fire up VMware View, connect to an NSA-approved SIPRNET View Security Gateway, connect to your Win7 virtual machine and post a quick response. After quickly checking your email, you put away the iPad as the intercom calls final boarding.

How close are we to making this a reality? In all honesty I thought this would never happen until I realized it on Friday (17AUG2012). Part of my daily routine is to catch up on the latest tech news and read through the several tech blogs I religiously follow. I happened to end up on Teradici's release of the Tera2 chipset for their zero clients. I am not new to Teradici's zero clients, for I designed and engineered our VDI infrastructure at work around this product, so I monitor their website closely for press releases. As I read through the middle of the page, “Suite B ciphers” caught my eye, and this is where the idea started.

Suite B ciphers are the NSA-approved, publicly specified algorithms built around AES (128-bit keys for SECRET, 256-bit keys for TOP SECRET) that allow two nodes to pass SECRET up to TOP SECRET information. Suite B was announced in 2005, but I am just now hearing about it. After digging a little more I realized that General Dynamics, Aruba wireless and others have devices that take advantage of Suite B ciphers and have already gone through NIAP approval, while some still await approval.

In the past the NSA only allowed Suite A (Type 1) cryptography to guard SECRET to TOP SECRET information. These ciphers and crypto devices are very secure because the handling of every NSA-approved device and key is carefully tracked by the NSA under a strict COMSEC monitoring program. The personnel handling this equipment go through a strict background check before they are entrusted with it. This is done so that neither the device nor the key falls into enemy hands. It has proven so secure that we have operated under this program ever since, and Suite A (Type 1) is still the most widely adopted mechanism for securing classified information in the federal government.

The problem: this is an expensive process. It is extensive, from development of the device through certification and approval to manufacturing and distribution. By the time you get the device installed, configured and ready to use, the technology is already three or four years old. Check the references below for more information regarding the problem.

Let me state the problem through VDI's pair of glasses. Currently, on a typical DoD user's desk there are two separate workstations. One is an unclassified NIPRNET workstation, a Dell or HP box that runs on its own switches, servers and routers. The user also has a second workstation for SECRET SIPRNET, again a Dell or HP box on its own separate switches, servers and routers. These two systems never cross streams. If the user also has a TOP SECRET desktop, that requires a third separate setup. For simplicity, let's discuss SIPRNET and forget about the TOP SECRET network for now. Essentially, SIPRNET is one big VPN for the Department of Defense. Each SIPRNET node goes through an NSA-approved Type 1 encryptor, which needs to talk to another NSA-approved Type 1 encryptor. One has to go through DISA for all the paperwork to get authorization for a SIPRNET connection. Without going into more detail, that is SIPRNET in a nutshell.

The solution: I propose one PCoIP zero client on the user's desk, taking advantage of NSA Suite B ciphers, utilizing VDI, specifically VMware View. The user just needs to connect to an NSA-approved SIPRNET View Security Gateway to access his or her SECRET Win7 VM. The whole path, zero client to View Security Server to Win7 VM, needs to undergo NIAP approval. The PCoIP protocol already uses FIPS-approved AES-128, so NIAP approval should not be that hard. There are lots of moving parts to make this happen.

– Diagrams 1 and 2 show the user starting from the zero client, authenticating with smart card PKI and encrypting the session with Suite B ciphers.
– The encrypted traffic travels across the unclassified NIPRNET network. It passes through the ASA FW/IPS rules and terminates on the GREEN/RED View Security Server.
– Note that the View Security Server has one NIC facing the unclassified NIPRNET and a second NIC touching the classified SIPRNET.
– The View Security Server checks with its paired View Connection Server for authorization of the PKI credentials and looks up the assigned desktop pool. The Security Server and the Connection Server are separated by a second RED ASA that limits the Security Server's ports and protocols to the bare essentials.
– Once the credentials check out, the View Security Server proxies the connection to the Win7 VM and sends the pixels to the zero client through the encrypted channel. The Security Server and the Win7 VM are also separated by a RED ASA that limits the Security Server to TCP/UDP 4172.

Here are the moving parts:
The client – This sits on the user's desk. There are three types I am going to describe.

  1. Zero client – The zero client would be the easiest client to pass NIAP approval, since it has no hard drive on which classified information could accidentally be stored. I will concentrate on a solution using the zero client. With the latest firmware 4 and support for the SIPR token for PKI authentication, this is the perfect client for the problem. Samsung and LG make an integrated monitor, and ClearCube is releasing a portable zero client, a laptop form factor with a CAC reader built into the unit. The Tera2 that will be officially announced for release this month at VMworld 2012 will support the NSA Suite B ciphers, but I do not know whether it has gone through NIAP approval.
  2. Thin client/iPad – In reality the iPad scenario in the introduction might take two to three more years to get certified compared to its zero client brother. Software thin clients could be a problem and are difficult to control. First, the host machine needs to be secured against any malicious Trojan or keystroke-logging/pixel-capturing software. Second, the software client needs to go through a rigorous certification process to make sure it does not store any classified information in memory or on the device. The iPad needs a token reader to be able to read the SIPRNET token for PKI authentication. Laptop thin clients on Windows XP/7, Mac or Linux using PKI authentication should be no problem.
  3. Read-only thin client – This one warrants a separate category and takes a little explaining. My colleague and I built a bootable-CD Linux client based on a stripped-down Lubuntu for repurposing perfectly good laptops (or desktops). Manufacturers like IGEL, Wyse, DevonIT, HP and others use the same technique to accomplish the same thing. Our company's use case is the transport of classified information. In the past we had to make sure we shipped Windows XP laptops as UNCLASSIFIED; once one is plugged into SIPRNET it is classified from then on, so we have to DoD-wipe the drive for shipment back after every event, and each event lasts a couple of weeks. Inherent to this bad model, the laptops always fall behind on security patches, antivirus and so on. DoD has the HBSS suite, which is mandated for the Department of the Navy, but the installer is classified so I cannot install it on the laptop. HBSS is a McAfee ePO suite with AV, HIPS and a whole bunch of plugins. Once we Ghost the laptop with an outdated image (two weeks is considered outdated) the cat-and-mouse cycle starts again. As you can see, the laptop/Ghosting model is not the way to go. A read-only OS with the VMware View open client is the way to go. A portable zero client would be even better, but ClearCube's product is not on the market until early 2013.

USB redirection – USB redirection needs to be turned off to prohibit removable media. Luckily, this is easy to enforce at the firewall: USB redirection rides on TCP 32111, separate from PCoIP on 4172. Kudos to VMware and Teradici for separating them. Block it at the firewall rather than relying on the client or agent setting alone, so that a configuration change on either end cannot quietly bring it back. Losing USB redirection is a downside, but a small price to pay for higher security. It will affect isochronous webcams for DCO; audio can still go through the mini 1/8-inch jack.
VMware View Security Server – This falls heavily on VMware's shoulders. This Security Server needs to be very secure because it has one NIC on the unclassified side and a second NIC on the SIPRNET side. The current Security Server, installed on Windows, will not fly, due to the attack footprint of the underlying OS. VMware needs to create a purpose-built hardware appliance for this, preferably with firmware-style upgrades. It needs a built-in firewall and an IPS function to actively block common port scans and HTTP attacks; it does not need a full-blown IPS signature set since only a few ports are open. The unclassified NIC needs to allow just TCP 443 and TCP/UDP 4172, and that is all. Any management of the device has to be done from the SIPRNET side, or better yet from a third, management-only NIC. This Security Server should probably have some pixel-recording capability for auditing, plus login/logoff timestamps, or that can be offloaded through other means. The protocol riding on TCP/UDP 4172 already uses approved TLS DCM encryption and is FIPS approved; it just needs the extra NIAP certification to be approved for SECRET. The success of this vision rests on this View Security Server because it is the gateway from unclassified to the classified SIPRNET VM. In the DoD world this is labeled a “Cross Domain Solution”.
SIPRNET token – PKI authentication is a must and should not be optional. Two-factor authentication is paramount for the overall security of the system. VMware View and the PCoIP zero client support PKI authentication.
Win7 VM – The VM needs to be DoD STIG compliant, including HBSS enforcement. These VMs should be surrounded by a perimeter firewall and IPS for additional security. I would treat them as untrusted VMs, separating them from the servers and from the rest of SIPRNET.
Web proxy – Web browsing must go through a web proxy for tracking and accountability.
Cisco ASA FW/IPS – This is my preference, but whatever device is used needs to be NIAP approved. The firewall function for the View Security Server can be offloaded to the ASA for performance. This can also speed up certification of the Security Server, since it then does not need to certify its own FW/IPS functionality.
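Whatever firewall ends up in front of the Security Server, the exposure it is supposed to leave on the unclassified side is small enough to verify mechanically: TCP 443 and TCP/UDP 4172 reachable, TCP 32111 (USB redirection) and everything else not. The script below is an added example, not part of the original post; it probes a Security Server from a host on the unclassified side and fails if the observed exposure differs from the design described above. The hostname is a placeholder, the extra “must be closed” port (3389) is an assumption of what else is worth checking, and UDP 4172 is not covered because a plain connect cannot tell an open UDP port from a filtered one.

```powershell
# Added example (not from the original post): confirm that the unclassified-facing
# side of a View Security Server exposes only what the design above allows.
# Run from a host on the UNCLASSIFIED side, i.e. where the ASA rules actually apply.

$SecurityServer = 'view-ss.example.mil'   # placeholder; replace with your Security Server

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # no SYN/ACK within the timeout: filtered or closed
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Intended exposure of the unclassified NIC, per the design above.
# $true = must answer, $false = must be blocked.
$Expected = @{
    443   = $true    # HTTPS: authentication and tunnel setup
    4172  = $true    # PCoIP (TCP side only; UDP 4172 cannot be checked with a plain connect)
    32111 = $false   # USB redirection: must be blocked at the firewall
    3389  = $false   # assumption: no RDP to the Security Server from outside
}

$Failures = 0
foreach ($port in ($Expected.Keys | Sort-Object)) {
    $open  = Test-TcpPort -ComputerName $SecurityServer -Port $port
    $state = if ($open) { 'OPEN' } else { 'closed/filtered' }
    if ($open -eq $Expected[$port]) {
        Write-Host ("OK    TCP {0,-5} {1}" -f $port, $state)
    } else {
        $want = if ($Expected[$port]) { 'open' } else { 'blocked' }
        Write-Host ("FAIL  TCP {0,-5} {1} (expected {2})" -f $port, $state, $want)
        $Failures++
    }
}

if ($Failures -gt 0) {
    Write-Warning "$Failures port(s) deviate from the intended exposure on $SecurityServer"
    exit 1
}
```

A FAIL on 32111 means USB redirection is reachable regardless of what the client policy says; a FAIL on 443 or 4172 usually means the ASA rule is too tight and users will not be able to connect at all. Run it again after every firewall change, from the same vantage point, so the result is comparable.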

Use cases: there are lots of use cases for this technology; these are just a few.

  • NMCI, ONE-NET and the entire DoD can use this to minimize the footprint on the user's desk and in the switching fabric: one zero client to connect to the NIPRNET VMware View suite, the SIPRNET VMware View suite (and maybe a TOP SECRET VMware View suite).
  • It can also serve as a hot disaster recovery site for the whole DoD; call it SIPRNET in the cloud. It would need to be redundant, one suite on the west coast and another on the east coast.
  • Another use case is travelling government officials being able to connect from local wireless, hotel, airport or 4G networks and reach their SIPRNET VDI.
  • Troops in the field would not need to carry sensitive Suite A (Type 1) encryption equipment to access classified information, and there would be no need for Data At Rest (DAR) encryption, since the classified data stays in the data center where it is easily safeguarded.

Closing remarks: I understand you could probably engineer this to work today by putting a Suite B device in front of each client device. However, what I envision is simplicity for the end user without compromising security. Giving every user a Suite B device adds to the total cost of ownership. Product providers like General Dynamics would love us for requiring this added “tax”, since it would mean more business for them. Why do it if it is not necessary, when Teradici's new Tera2 is already NSA Suite B compliant? We just need to make sure the pieces are NIAP approved end to end.
The use cases for this architecture are phenomenal. But it can only happen if NSA, VMware and Teradici decide to make it happen. The stars are aligning; just a few minor tweaks and we are there. I can see this being accomplished within the next year, and no more than two years. This idea is only possible because of NSA's support for Suite B ciphers; without Suite B we would not be exploring this possibility.
Would VMware make the Security Server appliance? Why not: they would be way ahead of Citrix or any other competition. They would appeal even more to government for this feature alone. They would be “THE” choice above every other VDI solution.
Would Teradici help? Teradici has a vested interest in their own flagship product. You bet they would do anything within their power to make this a success. Who knows, they might even build the Security Server appliance themselves, utilizing their PCoIP server offload card. Teradici could do this without VMware and/or VDI; Teradici's hardware-to-hardware Tera2 solution already uses Suite B ciphers. But in reality, VDI would be the way to do it, instead of a bunch of traditional desktops hosted in the data center.
Would NSA do it? Ultimately this question is the potential show stopper. The only reason they would stop it from being implemented is that it would potentially put SIPRNET in the palm of everyone's hand, including our adversaries'. However, they can control and limit the user population, for example to selected politicians, special forces or high-ranking government officials, and then the risk becomes acceptable. In the end NSA has the ultimate authority to allow this to happen.
This will be a very exciting thing to watch over the next couple of years, and it will be interesting to see who makes the first move.


VMware View and PCoIP future prediction

We all need to learn something from Red Hat and the SPICE protocol. They have a lot of work in front of them before they can catch up with the two giants.

I like that the SPICE protocol is OS agnostic. If VMware and Teradici can learn from this architecture and accomplish the same thing with their PCoIP protocol, I can see this being big for both companies. It would be nice to have a second NIC (or teamed NICs) managed by the hypervisor just for the PCoIP protocol alone, not mixed with the management interface (that would be catastrophic).

The benefit of doing this in the hypervisor instead of running it as a service in the guest is huge. The biggest one is what I already stated above, and that alone should be sufficient reason to do it. Here is a short list:

- OS agnostic. It does not care what OS you are running: Windows XP, Linux, Mac OS X, or even Windows 15, whatever.

- No extra service running in the VM, which means nothing else to install on the VM, and no extra security hole or listening port on the VM's IP stack.

- Security patches for the PCoIP protocol would be applied on the hypervisor. On ESXi that means a firmware-style update. (I like firmware updates.)

- Possibly one IP for the whole PCoIP interface. Your firewall admins are going to kiss you for this.

- You can watch the machine boot just like a traditional PC. (I know everyone gets as excited as I do watching a beautiful machine boot.)

It only took me a few minutes to jot down those reasons, so I am sure I missed others, but the beef of it is there.

This can also apply to Citrix and the HDX protocol. But the problem with Citrix is the Xen hypervisor: not a lot of people in the industry trust the Xen hypervisor for their important services. You can argue with me on that, but VMware is the industry standard when it comes to virtualization; they have been doing this gig for a while and they are the best at what they do, and that is why they are number one. Sure, HDX can run on VMware, but you have to have complete control of the hypervisor to make this architectural change easily (key word “easily”). Most IT shops trust the VMware hypervisor with their precious data, so VMware is better positioned to accomplish this if they want to.

That's it; now we'll see how the future rolls. I really have a good feeling about this...