2009/02/18

VMware View 3.0 and proxies

Oops, I haven't blogged the first part of this story. Oh well, maybe later. In brief, we have VMware VDM to satisfy das corporate security. It was working for people on our LAN and on the corporate network, and I got it to work from the internet (but requiring a valid smartcard (SSL User Certificates) before letting a user in). This was a cool project I'll have to document here some time.

Well, time moves on and VMware View Manager 3.0 (nee VDM 3.0) was released and implemented in this environment.

The first problem we noticed started when a home user upgraded their View client to 3.0 as they were prompted on the login page. This was when the smartcard authentication from the internet stopped working. A little investigation (watching network traffic, decrypting with Wireshark, etc) and I found that while the old client would send an HTTPS post command just like IE, the new client didn't send the user SSL certificate. But since VMware never supported this sort of setup, I just worked through it (another cool solution I'll have to post later). A little bit of rearchitecture, and I was able to still protect enough of the View environment to make me feel secure and to convince the security people that it was sufficient.

Now, I've got a similar error from the corporate network. Same message: Connection to View server could not be established". But WTF? this is on the LAN, there shouldn't be a proxy problem. IE works just fine*, but View can't connect.

That is to say IE worked fine with the proxy, but the proxy requires user authentication, which is cached for the browser session, and I didn't think of that until later.

So fire up Wireshark again, and once again, the first couple of View CONNECT :443 requests from IE happily sent the Proxy-Authorization: header, but the last one tried to do a CONNECT without that header, and was tossed back a Squid Authentication Required 407.

Ah, that's a relatively easy one to fix, if only I could get the proxy admin to turn of authentication (nope, that's verbotten) or do the same sort of magic as I did on the outside firewall deployment (eww, that'd be messy) or maybe bypass the proxy for this? I mean, they're on the LAN. Luckily VMware apparently thought of this and implemented an undocumented registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\ProxyBypass that contains a MultiSZ list of names or IPs for View to connect directly to instead of using the proxy.

Did I mention that all of this new behavior is undocumented? And that what I'd been doing in the first place was both unsupported and completely WORKING?

I'd guess that the new View client switched from a standard MS HttpRequest method to something they threw together without the nice functionality that IE bundles into its method. Oh well. It's working again now.

--Joe

4 comments:

New Faith said...

Hey how what was your solution to the following:
"found that while the old client would send an HTTPS post command just like IE, the new client didn't send the user SSL certificate"

Thanks,
Chuck
chuck.collins@cbn.org

Unknown said...

So... if I had a proxy which requires authentication, and my client and server are NOT on the same LAN, how do I get the View client to work then? Is there another undocumented fix for the View client to either prompt the user or pass through the current Windows credentials to the proxy?

JMoore said...

In (long-delayed) answer to both these comments...

There is no workaround. The view client doesn't have any way to deal with more than a simple permissive proxy.

For the SSL certificate issue, I set up a second SSL port that did not require the client certificate, but checked that the HTTPS traffic that was coming in was a POST to /ice/tunnel (which experience showed me was what the view client is supposed to do)

JMoore said...

And in the newest version (View 4), naturally, they've changed things again.

Now, not only do they not use a proxy-auth-aware request, but the client now operates independently of IE for the login process.

So my previous (v3) workaround of a separate non-authenticated port doesn't work any more either.

All of the client requests go to the main port (443), and until you are logged in, it doesn't ever touch the secondary port definition until connecting to the desktop.

--Joe