Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

PCoIP & Virtual Desktop Issues

This thread has been viewed 0 times

  • 1.  PCoIP & Virtual Desktop Issues

    Posted Dec 06, 2012 04:20 PM

    We have recently run into a problem with our BYOD users connecting to the Virtual Desktop environment and I thought I would share the symptoms of this issue.

     

    All of our BYOD devices connect via our wireless guest network and terminate on an anchor controller in our DMZ. From here, there are firewall policies that permit ports 443tcp, 4172tcp, & 4172udp in both directions.

     

    Symtoms:

    • Users from guest wireless would connect but get black screen (not painting) - iPad users would get the message “Desktop Loading Warning. Your desktop is loading too slowly” - XP users were not able to get a desktop at all
    • Users from Internet  were able to connect with no issues (these users would traverse the same firewall policy as guest users)

     

    I found an article here that recommends the PCoIP MTU size to be at least 1300 bytes to avoid fragmentation. As you may already know, the GRE tunnels by default between Aruba controllers are 1100. 

     

    Fixes:

    • Adjust the GRE tunnels between the local controller and DMZ controller to 1400, or something greater than 1300 + overhead. This would be a more temporary solution as it is not the default setting.
    • Adjust the MTU size on the Virtual Desktop side to something lower than 1100-overhead.

    Has anyone else ran into this issue? Fixes?

     

     



  • 2.  RE: PCoIP & Virtual Desktop Issues

    EMPLOYEE
    Posted Dec 06, 2012 11:47 PM

    Please do a wired packet capture to determine  what is happening.



  • 3.  RE: PCoIP & Virtual Desktop Issues

    Posted Dec 07, 2012 06:55 AM

    We did a packet capture on a working device and a non-working device. We see bi-directional traffic and the only difference is truly the packet size which is around 1000-1040 byte size over the Aruba GRE.



  • 4.  RE: PCoIP & Virtual Desktop Issues

    EMPLOYEE
    Posted Dec 07, 2012 06:58 AM

    That is important information.  I would open a case with your Virtual Desktop vendor and present your findings.  They would have much more pertinent information about the application behavior and what causes it.

     



  • 5.  RE: PCoIP & Virtual Desktop Issues

    Posted Dec 07, 2012 08:10 AM

    I've found it to be industry standard to change the MTU settings on the network prior to making and adjustments to the application. In this case, the vendor recommends the same as smaller packet size could impact performance. We will update this thread once a decision is made on which direction we proceed with.

     

    Curious if anyone has seen issues with this and direction they took?



  • 6.  RE: PCoIP & Virtual Desktop Issues

    EMPLOYEE
    Posted Dec 07, 2012 08:14 AM
    @euskodiac wrote:

    I've found it to be industry standard to change the MTU settings on the network prior to making and adjustments to the application. In this case, the vendor recommends the same as smaller packet size could impact performance. We will update this thread once a decision is made on which direction we proceed with.

     

    Curious if anyone has seen issues with this and direction they took?

    Quite honestly, I don't know what the industry standard is, but I know that if an application does not work like it should, the manufacturer should say what is deficient and then fixes can be made based on their recommendation.  If you change the MTU in the network and other applications or other functionality breaks, you can hold the manufacturer responsible for their recommendation.

     

    It would be very interesting to see if any others have this issue.