VPN on a stick: DoD Lightweight Portable Security

In a previous post, I mentioned the DoD’s Lightweight Portable Security bootable Linux as applicable to some situations.  The current LPS Public 1.3.5 ISOs come in two configurations, basic and deluxe.

The deluxe version is a 401MB bootable ISO.  It includes clients for Citrix, VMware View, and MS Remote Desktop, along with OpenOffice and Firefox.

As a bootable ISO, it also works within a virtual machine.  This makes for a handy way to use the ISO’s included clients for telework without giving up full use of your physical computer during the remote session.

For government organizations which need additional customizations (pre-loading target URLs, additional client apps/versions, etc.), customization is available at no cost to DoD organizations.  For other non-DoD Federal organizations, the customization charge is $10K with an annual $2K maintenance fee.  The Air Force organization providing this is looking into means to offer customized versions for State and Local government organizations as well.  The public versions are free to everyone.

Additional documentation is available on their website.

For someone just beginning the process of creating a bootable LiveCD for their own organizational needs, this provides a nice clean example to start from.

Two-Factor Authentication Solutions for VMware View


Are there two-factor authentication alternatives to RSA SecurID for VMware View?

In these times of budget tightening, organizations are concerned about the growing cost of RSA’s à la carte pricing for each component and license count.  As a result, this article will explore the question of RSA alternatives.

Currently, the organization is using RSA SecurID tokens for two-factor authentication.  In addition to Active Directory usernames and passwords, users are required to enter a SecurID passcode when accessing certain resources.  The passcode is the user’s PIN followed by the tokencode generated by the token.  In this case, the PIN is required to be an alphanumeric value of a minimum length and character combination type.  Passwords and token PINs are required to be changed after a specified number of days.

As the organization seeks to protect additional resources and make more services available to a mobile workforce, they are finding that the RSA costs can grow very quickly.  In some cases, adding another RSA feature can effectively double the organization’s license costs.

As a result, I’ve been asked to investigate several alternative solutions for compatibility with VMware’s View products.

With View 4.x, VMware made integrating RSA SecurID straightforward.  Here we’ll be looking at what additional capabilities (and compatibilities) are available in View 5.x.

The organization is particularly interested in potential compatibility with Entrust or Symantec.  I’ll note any other two-factor solutions I find for View 5.x, but I’ll focus on the details of the two customer preferred solutions.

VMware View

VMware View 5.x supports a variety of client types making inbound connections via the View Connection Server.  The Connection Server brokers the session and can tunnel it for the client; a View Security Server (a paired-down instance placed in the DMZ) extends that gateway role for external users and enables some protocol optimizations which help simplify and improve the service for external connections.

Authentication Methods

VMware’s architecture documentation for View 5.0 states that View uses your existing Active Directory infrastructure for user authentication and management, and that for added security you can integrate View with RSA SecurID and smart card authentication solutions.

  • Active Directory Authentication – Each View Connection Server is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain.  Users are also authenticated against any additional user domains with which a trust relationship exists.
  • RSA SecurID Authentication – RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of the user’s PIN and the current tokencode.  The tokencode is only available from the physical SecurID token.
  • Smart Card Authentication – A smart card is a small plastic card embedded with a computer chip that holds the user’s certificate and private key.  Many government agencies and large enterprises use smart cards to authenticate users who access their computer networks.  The DoD’s smart card is the Common Access Card (CAC).

Using Smart Cards with View

Smart card authentication is only supported by the Windows-based View Client and View Client with Local Mode.  It is not supported by View Administrator.

View Connection Server instances can be enabled for smart card authentication.  This requires adding the root (and any intermediate) CA certificate that issued the smart card certificates to a truststore file and modifying the View Connection Server settings.  Client connections must be SSL enabled.

To use smart cards, client machines must have smart card middleware and a smart card reader.

The requirement to pre-install middleware and a hardware card reader means that smart card solutions are not compatible with untrusted endpoint computers such as internet cafe machines and other public internet kiosks.

Additionally, there are few smart card reader solutions available for mobile devices.  This web page lists some Bluetooth CAC readers military users have found for connecting to DoD services.  Costs range from $200 to $500.

Although DoD-approved Bluetooth CAC readers are available, VMware’s mobile client apps do not support this authentication method.

Other security solutions vs compatibility with View 5.x

RADIUS – Customers have been asking VMware for RADIUS support for quite some time now.  As of Dec 6th, 2011, View still does not support RADIUS.  While VMware personnel have long stated they are working on it, there remains no indication of when it might ever become available.

Some customers have speculated that this could have something to do with EMC ownership.  VMware still trades under its own NYSE stock ticker (VMW), but it was acquired by EMC in 2004 and operates as a separate software subsidiary.  RSA was acquired by EMC in 2006 and operates as a security division.  EMC does not provide separate financial information for the RSA division.  I won’t speculate on this theory, but I do believe due diligence requires that customers understand the material relationships of their key vendors.


There are numerous VPN solutions available for a multitude of user scenarios, too many to list here.  Instead I’ll briefly describe two VPN scenarios which might satisfy most use cases.

Browser Based VPN

The concept is to provide a mobile user with a client-less VPN service.  The user accesses a browser-based service which authenticates the user and then launches a VPN tunnel to the end user’s device.  Some of these offerings create tunnels which can also be used by non-browser applications.

Juniper is one vendor with a commercial offering in their line of SSL VPN products.  Juniper does offer support for two-factor authentication, but verifying the extent of that support is beyond the scope of this VMware View document.

Mobile Device VPN

Most mobile devices now include native operating system support for multiple VPN technologies, including client software from commercial vendors such as Cisco and Juniper.  Many of these mobile VPN clients support multi-factor authentication.  Additional certificates, keys, passcodes, or secrets can be included in the provisioning and authentication process to identify both the device and the user.

Custom integration of alternate Two Factor solutions

In many technology projects, we would at least consider custom integration of an alternate solution.  Usually I will present a case against in-house customization, but I do prefer to provide the option so the customer can decide for themselves.  Unfortunately, VMware does not offer or support any mechanisms for integrating custom authentication services into the View Client, the View Administrator, or the View Connection Server.

There is no supportable means to have View utilize the two-factor solutions from Entrust, Symantec, or others.


Given the current realities of the VMware View product, there appear to be only two solutions for using two-factor authentication with this service.

RSA SecurID

VMware provides tight integration between View Clients, View Servers, and the RSA products.  Given their relationship with EMC and RSA, it is highly probable that RSA integration and support will continue to be a strong feature of the View products.

Mobile Device VPN

For users accessing these services from a mobile device, a device VPN offers many choices for two-factor authentication.  Additionally, the device VPN greatly simplifies the user experience, as users have only one connection to manage from which they can access all of their authorized organizational resources.  However, a device VPN solution may not satisfy the organization’s security requirements for non-managed, personally procured equipment (i.e., private cell phones).  Requiring users to “opt in” to organizational device management in exchange for gaining access can mitigate security issues inherent in personal devices.

If a Mobile Device VPN solution is implemented for a community of View Client users, then a security and policy review may determine that Active Directory authentication would be sufficient for the final View Client connection (which would occur within a two-factor authenticated VPN tunnel).

In my opinion a Mobile Device VPN solution wins out for the following reasons:

  • better leverage of network infrastructure.  I believe in controlling network access and admission prior to reaching the application service.
  • less vendor lock-in.
  • easier to respond to evolving authentication challenges.
  • easier to maintain separation of application security from network security.
  • better overall user experience when consuming multiple services from the hosting organization.

Some additional thoughts on remote access

VPN on a stick

For remote users who require a fuller desktop experience during their VMware View Windows session, there is another option I was not asked to include in the analysis but will mention here: PC on a stick.

The user is provided a USB thumb drive containing a bootable Linux image.  The Department of Defense (DoD) provides a free Linux image which government agencies (or private organizations) can freely customize to their own needs, or you can roll your own from a wide variety of Linux distributions.  The DoD image is referred to as Lightweight Portable Security (LPS) and is distributed in ISO form.

Organizations can pre-configure this bootable image with authentication agents, VPN clients, application clients (such as View or Citrix), and whatever else is appropriate.

Several USB thumb drives are available which incorporate a keypad to require PIN entry before booting.  Others even provide a built-in fingerprint reader on the surface of the drive.

Client-less VPN or Browser Based SSL VPNs

Some organizations are resistant to provisioning their users with these additional security devices, and even go so far as to insist they need a way to remotely authenticate a user who has lost their laptop, cell phone, identification badge, secure token, and PC-on-a-stick USB drive.

If that user was just mugged, they’ll probably be more concerned with contacting 911 and their bank than with logging in to update another spreadsheet for the office.  On the other hand, if that user just mysteriously lost all of these items with no apparent cause… perhaps they shouldn’t have access to secure environments in the first place.

Solved: VMview Composer provisioning failure/error with WinXP linked clones.


Error creating linked clones based upon image/snapshot of WinXP SP3 with View Agent 4.5:

View Composer agent initialization state error (18): Failed to join the domain (waited 880 seconds)


Step 1 – Return to the base image and install MS KB944043 for XP.

  • That KB patch has four other dependencies: KB961501, KB968389, KB975467, and KB971657.  Install those first, then install KB944043 last.

Step 2 – take a new snapshot of the base image.

Step 3 – recompose the pool.

  • NOTE:  a recompose will delete and recreate all of the clones in the pool. 


Tested and verified that the pool successfully provisioned the WinXP SP3 linked clones.

manual drive mapping over PCoIP, back to the physical laptop running VMview client

One of the VMview forum threads mentioned some ways to map a drive from a Virtual Machine back to the physical machine running the VMview client.

After looking at the suggested scripting, I decided to see if I could do it manually.  Within the remote virtual desktop, use these steps:

  • Open Windows Explorer.
  • Menu | Tools | Map Network Drive.
  • Select a drive letter.
  • Enter a source, for example “\\xxx.xxx.xxx.xxx\c$”.
  • When prompted, enter login credentials.

Replace xxx.xxx.xxx.xxx with the IP address of your physical client machine.  Note that c$ is the administrative share, so the credentials entered must be a local administrator on the physical client.

The steps I used to test how well this would work and verify what protocol the file transfer would use included:

  • Map the drive from the View VM back to my laptop.
  • Launch Wireshark on my laptop and filter traffic with “net xxx.xxx.xxx.xxx/xx”.
  • Move about 340MB of files through the View Client session.
  • Analyze the protocol/traffic results in the Wireshark capture.
  • RESULT –> observed ~340MB of traffic over UDP 50002 (PCoIP).

The forum thread mentioned an area of the VM’s registry where a script can look for the user’s client IP address.

HKEY_CURRENT_USER\Volatile Environment

Quite a bit of session information in here, including:

  • LOGONSERVER – \\SERVERNAME
  • USERDNSDOMAIN – YOUR.DOMAIN
  • ViewClient_Broker_DNS_Name – ViewConnectionManager.YOUR.DOMAIN
  • ViewClient_Broker_URL – http://ViewConnectionManager IP:80
  • ViewClient_Broker_Remote_IP_Address – “your client machine’s IP address”
  • ViewClient_IP_Address – “your client machine’s IP address”
  • ViewClient_LoggedOn_Domainname – “your client machine’s DOMAIN”
  • ViewClient_LoggedOn_Username – “your client machine’s HOSTNAME”

So it certainly appears we can build scripts/policies for the View sessions which make decisions based on which domain or network the user’s physical client comes from.  Or, in the event we deploy multiple connection brokers/URLs, we could base policy/script decisions on how they connect to the View environment (which URL, which security level, which protocol, etc.).
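As an added example of the kind of session-aware script described above (this is my illustration, not code from the forum thread or from VMware), the following PowerShell logon script reads the ViewClient_* values from HKCU\Volatile Environment, decides whether the client is “internal” based on the broker URL and the client’s logon domain, and only then maps a drive back to the physical client.  The internal broker hostname, the domain name, the share name (ViewSync) and the drive letter are assumptions for illustration.  It deliberately maps a dedicated share rather than c$, so the desktop session never needs local administrator credentials for the client.

```powershell
# Added example, not from the original post or from VMware.
# Runs inside the View desktop (e.g. as a user logon script).  Reads the values the
# View Agent writes under HKCU\Volatile Environment for the current session and
# applies a simple "internal vs. external" policy before mapping a client share.

$volatile = 'HKCU:\Volatile Environment'
$session  = Get-ItemProperty -Path $volatile -ErrorAction SilentlyContinue

# A console or RDP logon has none of the ViewClient_* values; do nothing in that case.
if (-not $session -or -not $session.ViewClient_IP_Address) {
    Write-Warning 'No ViewClient_* values found; not a View session, nothing mapped.'
    return
}

$clientIp     = $session.ViewClient_IP_Address
$clientDomain = $session.ViewClient_LoggedOn_Domainname
$brokerUrl    = $session.ViewClient_Broker_URL

# Policy inputs (assumptions for illustration): the broker URL internal users hit,
# and the Windows domain their physical client is logged on to.
$internalBrokerPattern = 'http*://view-internal.example.com*'   # assumption
$internalDomain        = 'CORP'                                   # assumption

# Both conditions must hold.  These values are reported by the client/broker and are
# informational, so treat them as a convenience control, not as authentication.
$isInternal = ($brokerUrl -like $internalBrokerPattern) -and
              ($clientDomain -eq $internalDomain)

if (-not $isInternal) {
    Write-Host "External session from $clientIp via $brokerUrl; client drive mapping disabled by policy."
    return
}

# Map a dedicated, non-administrative share exported on the client (assumed name).
$share = "\\$clientIp\ViewSync"
$drive = 'V:'

# Drop any stale mapping for the drive letter, then map without persistence so the
# mapping does not survive into a different session from a different client.
net use $drive /delete /y 2>$null | Out-Null
net use $drive $share /persistent:no | Out-Null

if ($LASTEXITCODE -eq 0) {
    Write-Host "Mapped $drive to $share (client domain $clientDomain, broker $brokerUrl)"
} else {
    Write-Warning "net use returned exit code $LASTEXITCODE; share $share not mapped."
}
```

Two caveats worth keeping in mind when basing policy on these values: ViewClient_IP_Address may be a NAT or VPN-assigned address rather than the client’s real address, and the values are written by the View Agent from what the client and broker report, so they are fine for steering a drive mapping or a shortcut but should not substitute for the network-level access control or two-factor authentication discussed earlier.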

Disable hibernate in Win 7


A customer with Windows 7 VMs in their VMview environment is seeing a lot of disk space consumed by hibernation files (hiberfil.sys).  View Manager, vSphere, and ESX can manage the power, memory, and disk images for each VM.  As a result, it is redundant and even counter-productive to allow the Windows OS to perform power management for itself when running as a virtual machine.


  1. Click Start, and then type cmd in the Start Search box.
  2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
  3. When you are prompted by User Account Control, click Continue.
  4. At the command prompt, type powercfg.exe /hibernate off, and then press ENTER.
  5. Type exit and then press ENTER to close the Command Prompt window.
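As an added example (mine, not part of the original post or Microsoft’s documentation), the same change in an elevated PowerShell session, with a before/after measurement of hiberfil.sys and a check of the HibernateEnabled registry value so the script can report what it actually reclaimed:

```powershell
# Added example, not from the original post.  Run from an elevated PowerShell prompt
# (powercfg refuses the /hibernate change otherwise).

function Get-HiberfilSizeGB {
    # hiberfil.sys lives on the system drive and is hidden+system, so Get-Item needs -Force.
    $path = Join-Path $env:SystemDrive 'hiberfil.sys'
    if (Test-Path -Path $path) {
        $file = Get-Item -Path $path -Force
        return [math]::Round($file.Length / 1GB, 2)
    }
    return 0
}

$before = Get-HiberfilSizeGB
Write-Host "hiberfil.sys before: $before GB"

# Same action as step 4 above.
powercfg.exe /hibernate off
if ($LASTEXITCODE -ne 0) {
    throw "powercfg failed with exit code $LASTEXITCODE (is this prompt elevated?)"
}

# Verify both ways: the file should be gone, and the Power key should now show
# HibernateEnabled = 0.
$after = Get-HiberfilSizeGB
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -Name HibernateEnabled -ErrorAction SilentlyContinue

Write-Host ("hiberfil.sys after: {0} GB; HibernateEnabled = {1}" -f $after, $power.HibernateEnabled)
Write-Host ("Reclaimed {0} GB on this VM" -f ($before - $after))
```

For linked-clone pools, make the change in the base image before taking the snapshot and recomposing, so every clone is created without the file rather than fixing each desktop after the fact.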


This eliminated 3.1GB of disk usage from each Windows 7 VM in the customer’s VMview environment, a savings of approximately 7TB of enterprise SAN capacity across the pool.

iPad with Citrix and video out to external monitor

I’ve got the iPad on my desk connected to an external monitor right now (with the iPad VGA Adapter).  I also have the iPhone connected via Bluetooth as a wireless trackpad/mouse.

For “video out”, in the iPad’s Citrix Receiver app, go to Settings | Display Options, and slide the “External Display” option to “ON”.  You have to make that setting prior to launching one of the Citrix published apps.  I believe you can leave the setting on all the time without any problems… unless you know there would be times you’ve connected an external monitor and would not want the video out mirroring.

There are several bits of “quirkiness” about all this:

  • It seems that if you close out of PPT, XLS, or whatever on the iPad (i.e., using the dropdown control and selecting “HOME”) but are still in Citrix Receiver, the external monitor image will go to a “default display” of the initial PPT or XLS app.  Not sure what’s actually happening.  Hmmm… I just had XLS up as the active app, and when I selected the HOME button, Citrix Receiver went back to the “explore” screen, and the external video display changed back to the previous view of PPT.  I can’t actually interact with that PPT view… it may be some display artifact/bug in the current version of the Citrix Receiver client.
  • The mouse pointer on the external monitor lags behind the mouse pointer movements on the iPad/iPhone… it seems to lag several hundred milliseconds.
  • The video out function is not quite the same as in some other apps like Apple Keynote.  Keynote will put the active presentation file on the external monitor, and switch the iPad display to various navigation/menu functions.
  • When Citrix Receiver is using “video out”, the active Citrix app (i.e., PPT, XLS, whatever) will be mirrored on both screens.  However, the little dropdown/control panel that hovers at the top of the iPad screen will only be displayed on the iPad screen.

FYI… iPad multitasking… using the double-tap home button / task bar to switch between iPad apps seems to work OK.  With the Citrix/XLS session mirrored to an external display, I switched back and forth between Citrix Receiver and Safari… the external screen (and the iPhone/mouse session) both came back when switching back into a running Citrix session.

Overall, I’d say the experience was pretty good.  I believe the solution will be quite useful for folks who need to access a native desktop application and make quick updates to a document.

VMview PCoIP experience (testing a remote WAN session during a snowstorm)

From home, I’ve been working almost entirely through PCoIP sessions to View desktops for the past two days.

In the interest of seeing how this would work for a GIS-type person in the field, I set up a clean (from Microsoft media) image of WinXP and went through all the various Windows updates, VMware tools/agent installs, and some other stuff.

Plus some troubleshooting.  This was during a snowstorm, working over an IPsec VPN connection from a local cable modem across two carrier networks into my customer’s VPN gateway.  From there, my packets had to travel across several time zones back to a VMview lab environment.  Using the View Manager’s web interface and the vCenter desktop client, I created a new VM and a new VMview pool.

Once the new VM was running smoothly I made some baseline observations in the View Manager and ESX vCenter consoles before continuing.

As I proceeded with testing various use cases, I was able to successfully connect my Garmin GPSMap76csx and my iPhone to applications running in the View Desktop.  Just to be clear, these were two USB devices physically plugged into my View/PCoIP client (at my house), but logically connected to a virtual Windows XP desktop running at the far end of a VPN tunnel.

Even though I had a display and these two devices sitting next to each other, the communications between what I did on the device and what I saw on my computer screen were traveling over 6,000 miles of networks.

As you may expect, the interaction between the Garmin GPS device and its desktop software counterpart had some sluggishness.  So did the interaction between the iPhone and iTunes.  However, despite these slight delays in what would normally be instantaneous interactions, it all worked.  The network delays gave the feeling of running these activities on an older/slower computer, but the applications and device connections performed their work without any errors.

During this test, the clean WinXP image was configured with:

  • Windows Firewall, Windows Update, and some Apple services running automatically.
  • VMview Agent software/services.
  • VMware tools.
  • Garmin GPSMap software and device drivers.
  • Rebooted just prior to observing the CPU, RAM, and network utilization.
  • The only app launched manually was MS Sysinternals Process Explorer, to observe the performance.
  • Process Explorer was set up to monitor/display a lot of activity to ensure PCoIP had something to display to the client at all times.  The PCoIP server activity and the network traffic were also being monitored and displayed.  By keeping this Process Explorer window in the foreground at all times, and selecting a lot of items to monitor, I effectively forced the remote VM to provide constant screen updates even when I had turned away from the computer and stopped providing user interaction.
  • VM configured as a dual-core AMD Opteron 8218 at 2.61GHz with 2.0GB RAM.
  • Running XP Pro 2002 SP3 with patches up to date.

After a full reboot, the VM had 35 running processes, 386.3 MB Physical RAM, and 1.5% to 10% CPU Utilization.

After viewing the results, the View Client session was minimized for several minutes.  With no need to display anything, the VM’s View processes quieted down significantly.  CPU utilization dropped to a range of 0% to 1.5% and stayed at or near zero until I brought the client display session back to the foreground.

vSphere reported “Active Guest Memory: 389 MB” and “Consumed Host CPU: 235 MHz”.

During a 1 hour and 33 minute session which began with a VM reboot and included numerous use case tests, the VM sent ~32MB of data to the client via its PCoIP server.

I did not attempt any multi-gigabyte synchronizations with the Garmin or iPhone, but numerous 230MB transfers completed without error.