Just got my quarterly security scans back, and while I thought I had my Security Server configured correctly, apparently I still have issues with the PCoIP port/cert.
The scans show the PCoIP gateway on 4172 responding to SSLv3 and not providing a valid cert. I've double and triple checked the registry settings and locked.properties files to be sure I'm not serving SSLv3 and presenting a valid cert, and all those settings look correct.Checking ports 443 or 8443 shows that the protocols/cert are working properly, but the same scan on 4172 shows it responding to SSLV3 and issuing a self-signed (default) PCoIP cert.
Here's what my locked.properties file looks like in C:\Program Files\VMware\VMware View\Server\sslgateway\conf:
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
secureProtocols.3=TLSv1
preferredSecureProtocol=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4=TLS_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5=TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledCipherSuite.6=SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.7=SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.8=SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.9=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
And here are the registry settings that the PCoIP gateway should be using for the cert (The SSLCertPSGNI key is properly set to the public fqdn of the Security Server):
The friendly name on the cert in the Windows cert store is vdm, and there is a private key associated with the cert. As I mentioned, it's only failing on 4172 - 443 and 8443 are working as expected. Any clue where to start looking for why the PCoIP gateway isn't respecting these settings on 4172?
Thanks,
Geoff