Step 5: Determine Network Protocols Scheme

Article
02/25/2008

Published: November 12, 2007 | Updated: February 25, 2008

A SoftGrid streaming infrastructure requires unobstructed communication between several different components of the infrastructure including:

Active Directory
SQL Server
VAS
SoftGrid Management Console
SoftGrid clients
Application content distribution points

By default, SoftGrid uses a number of network protocols to perform this communication. In addition to some defined ports, there is a requirement for a range of ephemeral ports to be opened. An ephemeral port is a TCP or UDP port that is automatically allocated from a predefined range by the TCP/IP stack software. For organizations that have intra-site firewalls, opening a large number of ports reduces the effectiveness of the firewall. SoftGrid can be configured to use a restricted set of ports in order to reduce the number of ports that will be opened through the firewall. This communication is accomplished by using several different network protocols, which are described in the following table.

Table 8. Default Protocols Used in SoftGrid Instance

Port Description	Standard Port	Protocol Used	Restricted Port	Secure Protocol Used
Communications from the Management Console to the Management Web Service	80	HTTP	443	HTTPS
Communications between the SQL Server-based server and the Management Service	1433	ODBC	1433. (IPsec)	ODBC
Communications between the SQL Server-based server and the VAS	1433	ODBC	1433 (IPsec)	ODBC
Communications between the SoftGrid clients and the VAS	554	RTSP	332*	RTSPS
RTP and RTCP use the high TCP port ranges to manage communications after initial communication is established between the client and VAS.	49152-65535	RTP RTCP	332*	RTPS/RTCPS

* In SoftGrid versions 4.5 and later, this port number will change to 322.

The following diagram depicts the standard port communication paths between the various SoftGrid infrastructure components.

Figure 4. Communication protocol usage within a SoftGrid environment

When validating the network requirements for the SoftGrid deployments, it will be important to note where SoftGrid communications may cross intra-site firewalls. Microsoft does not support Internet-facing client access to SoftGrid servers. Clients, therefore, cannot connect to the VAS from outside a perimeter firewall.

Clients connect to the network through a Virtual Private Network (VPN) may have access to the SoftGrid infrastructure. It is important to note that this is not a supported configuration as the latency across the VPN tunnel will potentially be great enough to degrade the streaming experience. Applications already present in cache will still run; however, additional applications or delta update performance will be impaired.

Option 1: Standard Ports

Clients are deployed in a trusted context in relation to the VAS. This means that the clients have no communication limitations or barriers such as firewalls or proxy servers between them and the VAS. By default, SoftGrid uses the standard ports listed Table 8 for communication.

Option 2: Restricted Ports

Where HTTP communication is used, interactions between the Management Console and the management server are performed in the clear. HTTPS can be implemented to provide an encrypted tunnel. HTTPS can also be applied to clients when they request application configuration data from a Web server.

Clients may also stream applications using Real-time Transport Streaming Protocol Secured (RTSPS). This uses Transport Layer Security (TLS) to secure the application stream using Port 332. Additionally, Real-time Transport Protocol (RTP) and Real-time Transport Control Protocol (RTCP) communications are transmitted over Port 332, reducing the overall number of ports needed. This is useful when configuring SoftGrid to function across site firewalls as there are fewer ports to open.

The following diagram depicts the communication path when using restricted ports to allow a client to cross an internal firewall within an organization.

Figure 5. Restricted port usage

Internet-facing scenarios are not supported in SoftGrid 4.2. HTTPS and RTPS communication is achieved by employing public key infrastructure. In order to secure communications, a trusted certificate will need to be generated from a certification authority (CA). As with any certificate-based encryption, the clients and the servers secured with the certificates must trust the CA that issues the certificates. If the certificate is issued by a public CA, most clients will recognize and trust the issuer. However, certificates from public CAs usually increase the cost of the deployment. If a stand-alone or enterprise CA is used, ensure that all clients and servers trust the CA.

Evaluating the Characteristics

Complexity
Standard Ports	Standard ports do not significantly increase complexity.	Low
Restricted Ports	Using restricted ports increases the complexity of the SoftGrid deployment. Certificates need to be deployed and maintained for RTSPS and HTTPS.	High

Cost
Standard Ports	Standard ports do not significantly increase cost.	Low
Restricted Ports	Using restricted ports increases the cost of the SoftGrid deployment. Certificates need to be deployed and maintained for RTSPS and HTTPS.	Medium

Performance
Standard Ports	Standard ports do not significantly increase performance.	→
Restricted Ports	Using restricted ports can decrease the performance of the system due to the additional overhead associated with negotiating secured channels and encrypting the data flowing across those channels.	↓

Security
Standard Ports	Standard ports use clear text TCP protocols. There is no security advantage to deploying using standard ports.	→
Restricted Ports	Using restricted ports increases security of the solution. It also reduces the amount of ports being used. Note that some communications on the server cannot be secured natively in SoftGrid.	↑

Validating with the Business

What kind of security policy must be applied to applications? Many companies have compliance and privacy laws that affect applications. This can often necessitate that application interactions be secured. It is important to make sure that applications that interact with sensitive business information and data be kept in compliance with legal and security policies.

Decision Summary

SoftGrid services can be made to use standards-based encryption protocols. The protocols can also be restricted to use a limited number of ports.

The decision to employ restricted ports will be based on internal policy and the requirements of the application that is being streamed.

Once the application begins running on the client machine, the application will use the ports required by the application; these are not necessarily the ports defined for the SoftGrid system.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

Share via