VMware releases View 4.6. PCoIP Gateway is in. Profile virtualization is still out? Full analysis.

Last week VMware released View 4.6. It's a minor release with the main new feature being the "VMware View Security Server" which is a security proxy that lets users connect via PCoIP without needing a corporate VPN. But perhaps the bigger news is what's not there, specifically View 4.6 still doesn't include the profile virtualization VMware got when they bought RTO Software.

Let's take a look at what each of these means.

VMware View Security Server: A secure proxy for PCoIP that does not use SSL

One of the limitations with PCoIP in past versions of View was that users connecting from outside the firewall required a direct connection to their View desktops. Since pretty much no company on Earth allows this, outside users typically had to connect to a VPN first. While this in and of itself wasn't all that bad, the real problem was that most VPNs are made for TCP, and PCoIP is a UDP protocol. That means that there's a lot of overhead spent to wrap the UDP packets in TCP, not to mention that since TCP is reliable and UDP isn't, you're getting even more overhead from all the acknowledgements and retransmits of TCP that you don't need for PCoIP. (I wrote about the UDP versus TCP issue on SearchVirtualDesktop.com a few months ago.)

So now in View 4.6 you can install a View Connection Server in a "Security Server mode" which is basically a special mode where the Connection Server sits in the DMZ and acts as a PCoIP proxy server that lets users connect through it to their back-end View desktops. It does all the things a server in a DMZ should, namely, it doesn't allow anyone to get through that hasn't been authenticated, and it only allows them to access specific resources on the inside that they're allowed to access.

Now here's the surprising thing about this Security Server: It does NOT use SSL. Repeat: The VMware View Security Server is a proxy for UDP-based PCoIP. It is NOT an SSL gateway and it's not an SSL-VPN.

From a pure security standpoint this is fine, since like I said it only allows authenticated users through and the PCoIP protocol is already AES 128-bit encrypted. The main downside is that while SSL is allowed from anywhere, users' PCoIP connections to the View Security Server are via port 4172. (First via TCP, then the connection runs over UDP.) And some companies aren't going to allow that. That was actually a problem for me at TechTarget. I had to put in a helpdesk ticket to get them to open up 4172 at our office. I'll keep you posted as to how much of a problem that is elsewhere. So far it's fine for my 3G connection, but who knows whether this will be a problem in other offices and hotels?

Even though the Security Server doesn't encrypt the traffic stream with SSL, you do still have the option of installing an SSL certificate for initial FQDN authentication to prevent man-in-the-middle attacks, so that's cool.

So the bottom line with the View Security Server is a mix of good and bad news. Using UDP all the way to the endpoint is great because that's how PCoIP was designed, and since the Security Server is just a proxy and not adding extra encryption/decryption, it shouldn't slow things down or add any more size to the protocol. But despite all that, I'm still slightly worried about finding TCP/UDP 4172 open everywhere.
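The practical worry in this section is whether the client-side network lets TCP and UDP 4172 out at all. The following is an added example (not code from the post or from VMware) of the kind of pre-flight check a View admin or helpdesk can run from a client network before assuming the Security Server is reachable. It tests the TCP side of 4172 (where the connection starts), HTTPS on 443 (used for the initial connection), and sends a single UDP datagram to 4172. The hostname is a placeholder for your own Security Server's public FQDN. Note the UDP caveat the code spells out: a silent UDP port and a firewall silently dropping the datagram look identical from the client, so only the TCP result is conclusive.

```python
"""Client-side reachability check for a View Security Server (added example).

Assumptions: SECURITY_SERVER is a placeholder for your own Security Server's
public FQDN; 4172 is the PCoIP port and 443 the HTTPS port the post names.
"""
import socket

SECURITY_SERVER = "view-ss.example.com"   # placeholder, replace with your own FQDN
PCOIP_PORT = 4172
HTTPS_PORT = 443
TIMEOUT = 3.0


def check_tcp(host, port, timeout=TIMEOUT):
    """Classify a TCP connect attempt.

    'filtered' (no SYN-ACK, no RST, just silence) is the signature of a
    firewall dropping the port, which is the symptom described in the post.
    'refused' means the host was reached but nothing listens there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: a listener answered
    except ConnectionRefusedError:
        return "refused"           # RST received: reachable, nothing listening
    except socket.timeout:
        return "filtered"          # silence: typical of a firewall dropping it
    except socket.gaierror:
        return "unresolved"        # DNS lookup failed
    except OSError:
        return "unreachable"       # ICMP unreachable / no route


def probe_udp(host, port, timeout=TIMEOUT, payload=b"\x00"):
    """Send one datagram and wait briefly for any reply or ICMP error.

    'refused' means ICMP port-unreachable came back (path is open, nothing
    listens). 'no-response' is inconclusive: a live PCoIP listener ignoring
    our junk byte and a firewall dropping the datagram look the same here.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))   # connected UDP so ICMP errors are reported
            s.send(payload)
            s.recv(1024)
            return "answered"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no-response"
        except socket.gaierror:
            return "unresolved"


def report(host=SECURITY_SERVER):
    """Run the three checks a View client actually depends on."""
    return {
        "tcp_443": check_tcp(host, HTTPS_PORT),
        "tcp_4172": check_tcp(host, PCOIP_PORT),
        "udp_4172": probe_udp(host, PCOIP_PORT),
    }


def self_test():
    """Sanity-check the classifiers against loopback before trusting a verdict
    about a remote server: a listening TCP port must read 'open' and the same
    port, once closed, must read 'refused'."""
    results = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    results["tcp_listening"] = check_tcp("127.0.0.1", port)
    listener.close()
    results["tcp_closed"] = check_tcp("127.0.0.1", port)
    results["udp_closed"] = probe_udp("127.0.0.1", port, timeout=1.0)
    return results


if __name__ == "__main__":
    print("self-test:", self_test())
    for name, verdict in report().items():
        print(f"{name:9s} {verdict}")
```

A "filtered" verdict on tcp_4172 while tcp_443 reads "open" is exactly the office/hotel situation the post describes, and is what to show the helpdesk when asking for the port; a "no-response" on udp_4172 on its own proves nothing either way.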

Ok, now where the hell's Persona?

Seriously guys. It's been a year. (Here's my story from back then, and VMware Desktop CTO Scott Davis' blog post.) At this point I don't think anyone's buying the excuse that they're working on "integration," so can someone just come out and tell the truth? Where is RTO Virtual Profiles? Why is it not part of View 4.6? (Remember we saw the beta version way back in View 4.5, but then it disappeared at the last minute. The excuse VMware gave at the time was that it was not compatible with Windows 7, but given that RTO's Virtual Profiles product was compatible with Vista and VMware got RTO Software (and BriForum presenter) Kevin Goodman as part of the deal, I can't imagine that Windows 7 is the real reason.)

Regardless of the reason, VMware's starting to look pretty silly around this. They talk about how awesome profile virtualization is in their blogs and the RTO transition documentation, but then it's actually not available from them. (And in a masochistic twist, VMware's View reference architecture linked to from the View 4.6 announcement recommends using "profile management software like RTO Software or Liquidware Labs" (Pages 7 and 24). Except when VMware bought RTO Software, they immediately stopped selling RTO Virtual Profiles (VMware's RTO Acquisition FAQ, Page 3).) Soooo..... I guess they want us all to use Liquidware Labs Profile Unity now?

I asked VMware PR where Persona was and why it's not in View 4.6. All I got was this answer:

Profile management is a key component of VMware's strategy to modernize the enterprise desktop and will be offered in future releases of View. The release of View 4.6 focuses on PCoIP support for VMware View Security Server which provides a simple and secure way for users to access their VMware View desktops remotely, while taking advantage of a superior PCoIP experience. VMware View currently supports third-party persona management capabilities from several VMware partners. Customers can expect further innovation and integration of persona management as VMware continues to advance its model for end user computing within the enterprise.

That was some nice tap dancing that in no way answers the question that I asked.

But hey, you can sync your iPhone!

One of the cool little updates to View 4.6 is that you can now sync your iOS device (iPhone/iPod/iPad) with iTunes running in your View VM that's connected to the client via USB.

Bottom line

+1 for the PCoIP proxy. That's really cool.

-1 for still no profile virtualization and for a super lame non-answer on why.

So I guess they cancel out, and View 4.6 is.... fine. (In related news, I'll be installing View 4.6 this week for my second month of full-time VDI usage. I'll keep you posted!)

11 comments

UDP proxy with no SSL... I don't know about you, but most of the people I know will not easily allow a new port to be opened in their firewall to accept traffic or allow it to be sent out...

On the way out, there are more and more customers I know who refused SSL, as encrypted traffic could not be controlled by a stateful proxy...

Almost all - if not all - of the hotels and airports have only HTTP and HTTPS open... so the secure connection to View will not work.

It looks like VMware is losing (or has even already lost?) any connection to reality.

The proxy for PCoIP is interesting. I have been doing the Citrix consulting gig for more than a decade. Back in the late 90s, as you know, Citrix didn't have Secure Gateway or Access Gateway. We do now. Why? Because companies would NOT open port 1494 on their external firewall. Even though ICA had 128 bit encryption with SecureICA, it didn't matter. You either have 80 or 443 or you are out of luck.

@Daniel, The problem with SecureICA was still that you had to open direct connections to your individual MetaFrame servers. So if you didn't have a VPN, you still had to have all those public IPs AND you were breaking your security rules by allowing unauthenticated traffic into your trusted network. So the View Security Gateway does solve that.


Like I said I'm really curious.. I'm not worried about the company side.. I mean if they're doing View then they have buy-in, and we already allow mail and all sorts of other non-HTTP/SSL traffic into our DMZ.. But from the client side.. I wonder if that will be an issue? Honestly I thought that these days it wouldn't matter since these PCoIP connections would be client-initiated.. I thought everyone would allow it. And the fact that TechTarget didn't.. I was thinking that was sort of a relic. (Like our Search site designs and the fact we call IT "MIS")



@brian - True, you did have to open up direct connections, or NAT'd connections, or a whole slew of other things. I even saw some companies put a MetaFrame server in the DMZ and use it as a proxy to do double-hop ICA, essentially making it somewhat of a proxy. Even had others set up SOCKS proxies to overcome the many paths. Thank goodness those days are behind us.

But even to this day, when you start asking companies to open up additional ports on the external firewall, you will immediately see them shut the door on you. You mentioned email. That is pretty much a no brainer now. But how hard was it when that decision was first being made? It didn't happen overnight. It took a very long time and then slowly more companies opted to do it.

In the end, some people might open up a port here or there, but there must be a very good reason, and this is going to seriously slow down any deployment. And because not everyone will do it, what do you do for the majority who won't?

Good luck opening up external firewall ports. It takes years to make a single change globally in the enterprise. The client side is going to be a problem. UDP everywhere good luck with that and getting your friendly security person on board....



View 4.6 is a very small incremental release and if you recall they rarely add features to mid-year products. I am guessing after this was leveraged at VMworld for all of their hands-on labs the cat was out of the virtual bag and they had to release this product as soon as possible. Now whether companies will open up 4172 or not on their firewall is up for debate. Some will and others will fight it. Maybe when they realize they can simply funnel all PCoIP traffic through one tunnel and prioritize it properly instead of one large blob of SSL, or they realize that no additional software is required to make all of the View clients work. Or if a company is looking at a zero client solution and they want to secure the communication, point it at the SS and they are done. There are some key benefits of their model. SSL is also great technology, but it sits at layer 4 on the stack vs UDP at layer 2, why add the overhead? I have seen an iPad working over 3G through the SS and it was very impressive. I cannot wait for the iPad client to be released. All sources say it is soon. Brian, are you going to do a head to head on the iPad clients? As for hotel internet, my 3G/4G is always faster so why bother with hotel internet.

I always laugh when the virtual profile solution from either Citrix or VMware comes up. Everyone I know is using LWL or AppSense and I do not see many people changing that when both Citrix and VMware are offering or will offer only a basic service.

@winviewguru, man I was right with you all the way to the end when you wrote about the real world using LWL or AppSense and the vendor stuff just being basic.. To me it seems like LWL is the most "basic" stuff out there.. just a bunch of scripts. (Which I think they agree with.) Now they're good scripts to be sure, and I can see the use (especially given the price), but it seems that RTO Virtual Profiles was actually much more advanced than LWL.


Of course now that VMware Consulting uses LWL and it's in the reference architecture, maybe that's a done deal and they don't need RTO?



Sometimes the simplest implementation of technology is the most powerful. I agree the scripts are a simple approach but the functionality they provide via their offering is pretty solid. They have a nice DR play, data migration element, a good bit of location awareness, ThinApp mgmt (might be extending this more to other technology) and they work across virtual and physical with both XP and Win7. This helps solve a lot of problems for customers and it is at an awesome price point. I try and follow the KISS way of life when possible. Cheers

Still hope you do an iPad showdown.

If VMware ever releases a View client for the iPad, then I will definitely do a showdown. It would be cool to have the HDX, View, maybe Pocket Cloud and something like IRdesktop (oh, and my favorite, LogMeIn).. all running on iPad 1 and iPad 2, with different connection types.. Fun project!



I agree with Brian so much and I want to add a few more sticks to the fire. Currently I have about XX major VDI deals and they all are going to Citrix and the VMware reps have the audacity to ask why?


-No Profile Management! Storing the persona on disk does not cut it.


-Linked Clones do not scale and whoever tells you they do is simply lying or has not really deployed View at any scale!


-Desktop pools are confusing at large scale I mean really how confusing you can’t just have one 2000 desktop pool of linked clones…..


-No iPad Client – Oh, finally, today, and they are of course very happy, but let me really think about this? Does anyone reward the losing team of the Super Bowl? Does anyone really care who came in second? Maybe it is just that the people at VMware are like the same people who do not keep score in kids' games, but out here in the real world we do.


-Further they have the nerve to compare Web Interface to that lack of so called view portal.


-No light weight web client


VMware’s approach is to simply walk away from the game and shrug off failure with a “we're not going to compete” attitude. Citrix Profile management is not great but it exists, not like the Unicorn RTO, can I say “missing”. That just bolsters their argument that they are a total solution in the desktop space. They toss around words like elegant; what that is code speak for is “does not scale”. I mean seriously, are they attempting to compare Security Server with NetScaler or even the VPX gateway, please….


VMware does not get what it takes to win in this space and they never will, not with the current team they have in place. I have been in meetings and they are like a cat that has only eaten one brand of cat food; they simply do not know any better. They need to learn to sell what is on the truck and stop trying to sell futures because the track record has been bleak at best. RTO and PC over IP – have been sold with a failure to deliver out of the gate in every case.


This War started three years ago and Citrix was blindsided, however they have come on like the United States after Pearl Harbor. I truly believe that if VMware does not get its act together soon they are going to get the A-Bomb dropped on them soon. Living in denial as they seem to be is not the answer to this game.


I mean seriously, in a bake off it is like going to war with a butter knife. I read up in the blog that someone thought RTO was more advanced and Liquidware was a bunch of scripts. Well if that is the case then I would fire every VMware guy on staff, because RTO is like 7up: never worked, never will, so if a bunch of scripts work then by all means deploy them…


That is just how it is in the real world.

