How the TCP/UDP communication for the shadowing feature between UMS Console and Endpoint via ICG works?

Good morning everyone! I’ve installed the latest UMS and ICG in our environment. Now I have some problems with shadowing. I think this is a communication issue. Before I start looking into a thousand logs ans posting error messages: Does anyone know, how the TCP/UDP communication for the shadowing feature between UMS Console and Endpoint via ICG works? I couldn’t find any KB article, they only describe shadowing without ICG. Thanks!

Learn more, read the entire thread inside the IGEL Community o Slack

Good morning Daniel, I will ask internally if we have the possibility to share internal technical documents! Did you enabled Secure VNC globally under UMS Administration, Remote Access?

It’s switched on. And the profile on the endpoint says “Allow remote shadowing” and “Secure Mode”.

If there are technical documents for this I would be very interested.

Might be a dumb question, but which firmware are you using on the endpoint side?

And a last one, we are speaking about a client that is registered in ICG, right?

Is the device connected to a LAN which might be contacted by UMS directly (without ICG)?

Is Secure Shadowing working in general, without ICG?

What happens when resetting to defaults the test device?

No dumb question. Latest Firmware ( Everything is new😉 That’s why I think I’m forgetting something.

The clients are always in remote offices (like ours) and talking only to ICG.

Our UMS and ICG servers are set up in a datacenter/bunker. UMS in “green zone” and ICG in the dmz. So no possibility to connect directly to the UMS. So I can’t say if it’s working in general.

I will reset again and make a simple “debug-profile”.

I’ve resetted the device. Now only a debug profile with the setting Shadowing allowed and Secure Connection ist deployed.

I’ve two different situations:

1) If I use the UMS console on our management VDI that connects to UMS, then the remote client is asked whether to allow the connection or not. But no success. After a while it times out and the error appears.

2) If I open the UMS console on UMS server and try to shadow there, the error appears immediately without any message on the client side.

Firewall log analysis is a bit tricky because UMS is a bit chatty. Difficult to narrow down. That’s why I’d like to know how it is supposed to work.

I‘m on business trip, will try to investigate but please open a ticket in parallel, just to get it tracked properly!

I will open a ticket in around two weeks when I’m back from my holidays. So no rush with your investigations either.

@member hope you are enjoying your vacation! The communication, when using secure shadowing over ICG, traverses the socks tunnel ums console->icg->endpoint. As it traverses the socks tunnel, the port used is of no interest, as it goes inside of the tunnel. The socks tunnel is default 8443 (customizable from “ums to icg” and from “endpoint to icg” during setup).

Thanks Fredrik! So the UMS console is talking, not the IGELrmserver. That explains a lot. I only allowed the UMS server to talk to ICG. I thought, whatever the console is doing it passes UMS first. So I have to create separate firewall rules if I’m using the console from a different host than the UMS server.

Now I finally had time to set it up the right way so both variants of Shadowing work:

• Console (on UMS server) > ICG > Endpoint (off-site) ✔️

• Console (on VDI) > ICG > Endpoint (off-site) ✔️

It did not work at first because I didn’t allow our VDIs to communicate with ICG directly. Thanks for your help!

How do you get it to work? I have the same deployment. The ICG is on the DMZ and the UMS is on the intranet. All devices connected via ICG. Firewall rules allow any device from Internet connect to the ICG via TCP/8443 and ICG connect to UMS via TCP/8443. When I try to shadow using the UMS Console – Device – Shadow option I got error the below error. I notice that it is trying VNC to internal IP addresses that it is not allow.

By the way I am using the latest version of ICG and UMS

Right, local VNC over ICG, isn‘t feasible. Which Firmware version of Igel OS are you using?

That’s what I think is the way to go.

UMS Console must be able to communicate to UMS server so you can click on the shadow function:

Windows VDI (UMS Console) [Green Zone] — 8443 —> Linux Server (UMS) [Green Zone]

AND the UMS console must be able to communicate to ICG server because the VNC connection is built directly from console to ICG, not via UMS:

Windows VDI (UMS Console) [Green Zone] — 8443 —> Linux Server(ICG) [DMZ Zone]

ICG must be accepting connections from the endpoints so the tunnel stands:

Linux Server (ICG) [DMZ Zone] <— 8443 — Endpoints (IGEL OS) [Off-Site]

So the VNC communication goes like this:

UMS console —> ICG —> Endpoint

Yeah, I’m a little confused on this, as well. I get the “Connection was closed by VNC server” when I attempt to shadow an ICG device directly from the UMS server’s UMS console. Something has to be missing here.

Continue reading and comment on the thread ‘How the TCP/UDP communication for the shadowing feature between UMS Console and Endpoint via ICG works? ‘.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base

Ask a question or comment on the above message thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!

Popular Message Threads

Categories & Tags: