View Client Certificate authentication phenomenon and fix
Situation:
Deployment of View Client 5.4.x in production environment.
Issue:
Massive delay on connection to connection server from client.
Background & Troubleshooting:
TEST FROM ALT HARDWARE – DIRECT CONNECT LAN
"2014-06-27","11:03:40","ComputerName" / Latency "1.37 ms", / WRITE "453.5648800", /READ "Mbps","205.2395120","Mbps”
Connection to VIEW CONNECTION SERVER is 5 seconds from alt hardware (My laptop) using on floor network cable and port.
NOTE ON NETWORK:
Speed tests on alternate hardware showed a connection at over 400 Mbps (10 test AVERAGE)
TEST FROM LOCAL HARDWARE – DIRECT CONNECT LAN
NOTE ON NETWORK:
Testing the local system again shows surprisingly fast results with transfer times @ 1/10th of a second per 1MB. (10 test AVERAGE)
Connection to VIEW CONNECTION SERVER is 60+ seconds from production hardware using on floor network cable and port.
At this point it looks like the client, and not the wire, is having problems.
Re-ran setup batch file to remove and reinstall View client.
Testing with a direct connection to the server IP not using Citrix load balancer.
- No effect on delay
NOTE:
Trouble appears to be at the connection to the connection server; post-connection, View maintains good functional speed.
Troubleshooting local hardware View Client:
- Disabled auto connection
o No effect
- Enabled auto connection
- Disabled All unused protocols
o No effect
- Enabled unused protocols
- Installed different version of View Client
o No effect
- Reran default install scripts
- Test for UDP connections with Citrix load balancer VIP and connection server passed
- Check local PC certificate config
o All required root certificates already installed (Validated)
Solution / Workaround:
- Disabled certificate validation in View Client
o Resolved connection hang
- Tested on three workstations; all showed significant speed increase at connection to connection server
Dropped connection time from 60+ seconds to an average of 6 seconds.
Connection bottleneck identified as View Certificate security checks initiated by client.
Proposed current resolution:
Modify installation batch file to add reg DWORD value to local workstation:
HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security
DWORD Value: CertCheckMode
Value: 0
CODE:
reg add "HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security" /v CertCheckMode /t reg_dword /d 0 /f
\CODE
Proposed long term resolution:
Use VMWARE VIEW ADM template to create View GPO policy applying this setting from the domain to the workstations running View.
Will allow for seamless upgrades of the View Client software.
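Because the registry value and the GPO both switch off server certificate validation, it helps to be able to report which workstations currently have the workaround in place so it can be reverted once the root issue is fixed. The PowerShell below is an added example, not part of the original post: the function name, the Policies path and the Wow6432Node path are assumptions, and the value meanings (0, 1, 2) are those documented for the View Client's certificate verification modes.

```powershell
# Added example (not from the original post): report the effective CertCheckMode.
# The policy location is checked first. Only the second path appears in the post;
# the Policies path (GPO) and the Wow6432Node path (32-bit client on 64-bit
# Windows) are assumptions to verify against your View Client version.
$CertCheckPaths = @(
    'HKLM:\Software\Policies\VMware, Inc.\VMware VDM\Client\Security',
    'HKLM:\Software\VMware, Inc.\VMware VDM\Client\Security',
    'HKLM:\Software\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security'
)

# Meaning of each CertCheckMode value.
$CertCheckModes = @{
    0 = 'Do not verify server identity certificates'
    1 = 'Warn before connecting to untrusted servers'
    2 = 'Never connect to untrusted servers'
}

function Get-ViewCertCheckMode {
    foreach ($path in $CertCheckPaths) {
        $prop = Get-ItemProperty -Path $path -Name CertCheckMode -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # key or value not present at this location

        $value = [int]$prop.CertCheckMode
        $meaning = 'Unrecognized value'
        if ($CertCheckModes.ContainsKey($value)) { $meaning = $CertCheckModes[$value] }

        return New-Object PSObject -Property @{
            Computer         = $env:COMPUTERNAME
            Source           = $path
            Value            = $value
            Meaning          = $meaning
            WorkaroundActive = ($value -eq 0)   # true when validation is disabled
        }
    }
    # Nothing configured anywhere: the client uses its built-in default mode.
    return New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        Source           = 'not configured'
        Value            = $null
        Meaning          = 'Client default'
        WorkaroundActive = $false
    }
}

Get-ViewCertCheckMode | Select-Object Computer, WorkaroundActive, Value, Meaning, Source
```

Run it from the same deployment or logon-script tooling that applies the registry change and collect the output to see which endpoints still have validation disabled.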
Hopefully this will save someone a bit of troubleshooting time and hair pulling.
I will be working at a root issue but as of right now I am comfortable with this temp work around.
We are currently automating access to our View environment using Imprivata's SSO OneSign.
The connection to the View Connection Server's URL is enforced by policy and users cannot modify any settings on the endpoints.
Additional Info:
SILENT / NO SHORTCUT / NO Start Menu / INSTALL OF VIEW CLIENT FROM COMMAND LINE:
CODE:
\\sharelocation\viewclient.exe /s /v"/qn REBOOT=ReallySuppress DESKTOP_SHORTCUT=0 QUICKLAUNCH_SHORTCUT=0 STARTMENU_SHORTCUT=0 VDM_SERVER=desktop.lakehealth.org ADDLOCAL=ALL"
\CODE
(All on one line)
PLEASE NOTE:
All of the described is a workaround and not a true solution to the issue. Disabling certificate checking can leave endpoints vulnerable to man-in-the-middle attacks and prevents the View client from behaving in a secure manner. Use at your own risk.