Step 5: Determine Network Protocols Scheme

Published: November 12, 2007   |   Updated: February 25, 2008


A SoftGrid streaming infrastructure requires unobstructed communication between several different components of the infrastructure including:

  • Active Directory
  • SQL Server
  • VAS
  • SoftGrid Management Console
  • SoftGrid clients
  • Application content distribution points

By default, SoftGrid uses a number of network protocols to perform this communication. In addition to some defined ports, there is a requirement for a range of ephemeral ports to be opened. An ephemeral port is a TCP or UDP port that is automatically allocated from a predefined range by the TCP/IP stack software. For organizations that have intra-site firewalls, opening a large number of ports reduces the effectiveness of the firewall. SoftGrid can be configured to use a restricted set of ports in order to reduce the number of ports that will be opened through the firewall. This communication is accomplished by using several different network protocols, which are described in the following table.

Table 8. Default Protocols Used in SoftGrid Instance

| Port Description | Standard Port | Protocol Used | Restricted Port | Secure Protocol Used |
|---|---|---|---|---|
| Communications from the Management Console to the Management Web Service | 80 | HTTP | 443 | HTTPS |
| Communications between the SQL Server-based server and the Management Service | 1433 | ODBC | 1433 (IPsec) | ODBC |
| Communications between the SQL Server-based server and the VAS | 1433 | ODBC | 1433 (IPsec) | ODBC |
| Communications between the SoftGrid clients and the VAS | 554 | RTSP | 332* | RTSPS |
| RTP and RTCP, which use the high TCP port range to carry the stream after the initial exchange between the client and the VAS | 49152-65535 | RTP, RTCP | 332* | RTPS/RTCPS |

* In SoftGrid versions 4.5 and later, this port number changes to 322.

The following diagram depicts the standard port communication paths between the various SoftGrid infrastructure components.

Figure 4. Communication protocol usage within a SoftGrid environment

When validating the network requirements for the SoftGrid deployments, it will be important to note where SoftGrid communications may cross intra-site firewalls. Microsoft does not support Internet-facing client access to SoftGrid servers. Clients, therefore, cannot connect to the VAS from outside a perimeter firewall.

Clients that connect to the network through a Virtual Private Network (VPN) may have access to the SoftGrid infrastructure. It is important to note that this is not a supported configuration, because the latency across the VPN tunnel will potentially be great enough to degrade the streaming experience. Applications already present in the client cache will still run; however, streaming of additional applications and delta updates will be impaired.

Option 1: Standard Ports

Clients are deployed in a trusted context in relation to the VAS. This means that the clients have no communication limitations or barriers, such as firewalls or proxy servers, between them and the VAS. By default, SoftGrid uses the standard ports listed in Table 8 for communication.

Option 2: Restricted Ports

Where HTTP communication is used, interactions between the Management Console and the management server are performed in the clear. HTTPS can be implemented to provide an encrypted tunnel. HTTPS can also be applied to clients when they request application configuration data from a Web server.

Clients may also stream applications using RTSP over Transport Layer Security (RTSPS). This uses TLS to secure the application stream on port 332 (port 322 in SoftGrid 4.5 and later). Additionally, Real-time Transport Protocol (RTP) and Real-time Transport Control Protocol (RTCP) communications are carried over the same port, so the ephemeral range 49152-65535 no longer has to be opened. This is useful when configuring SoftGrid to function across site firewalls, as there are fewer ports to open.

The following diagram depicts the communication path when using restricted ports to allow a client to cross an internal firewall within an organization.

Figure 5. Restricted port usage

Internet-facing scenarios are not supported in SoftGrid 4.2. HTTPS and RTSPS communication rely on a public key infrastructure (PKI). In order to secure communications, a server certificate must be issued by a certification authority (CA). As with any certificate-based encryption, the clients and the servers secured with the certificates must trust the CA that issues the certificates. If the certificate is issued by a public CA, most clients will already recognize and trust the issuer; however, certificates from public CAs usually increase the cost of the deployment. If a stand-alone or enterprise CA is used, ensure that all clients and servers trust the CA, for example by distributing its root certificate to their Trusted Root Certification Authorities store.
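To make the difference between Option 1 and Option 2 concrete, the following script is an added example (it is not part of this guide or of the SoftGrid product) that models the Table 8 port scheme. It derives the inbound firewall openings each option requires, counts the distinct TCP ports a firewall between the components must allow, renders them as Windows Firewall netsh rules, and audits a constructed netstat-style socket list from a VAS for flows that are still in the clear. The flow labels, function names, the 10.0.x.x addresses and the sample netstat lines are assumptions made for the example; the port numbers are those of Table 8, including the change from 332 to 322 in version 4.5.

```python
"""Plan and audit SoftGrid firewall openings from the Table 8 port scheme.

Added example for this planning step; not part of the IPD guide or of the
SoftGrid product. Port numbers come from Table 8; flow labels, function
names and the netstat-style sample below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Opening:
    flow: str        # the Table 8 communication this opening serves
    protocol: str    # application protocol carried on the port(s)
    ports: range     # inbound TCP port(s) a firewall in front of the server must allow
    encrypted: bool  # True when the flow is protected by TLS or by IPsec


def rtsps_port(version: str) -> int:
    """RTSPS/RTPS port: 332 before SoftGrid 4.5, 322 from 4.5 on (Table 8 footnote)."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return 322 if (major, minor) >= (4, 5) else 332


def required_openings(mode: str, version: str = "4.2") -> list[Opening]:
    """Inbound openings for Option 1 ("standard") or Option 2 ("restricted").

    ODBC to SQL Server stays on 1433 in both options; the restricted scheme
    relies on IPsec for it because SoftGrid cannot secure that flow itself.
    """
    if mode not in ("standard", "restricted"):
        raise ValueError(f"unknown mode {mode!r}")
    ipsec = mode == "restricted"
    sql = [
        Opening("Management Service to SQL Server", "ODBC", range(1433, 1434), ipsec),
        Opening("VAS to SQL Server", "ODBC", range(1433, 1434), ipsec),
    ]
    if mode == "standard":
        return [
            Opening("Management Console to Management Web Service", "HTTP", range(80, 81), False),
            *sql,
            Opening("client to VAS control channel", "RTSP", range(554, 555), False),
            Opening("client to VAS data channel", "RTP/RTCP", range(49152, 65536), False),
        ]
    p = rtsps_port(version)
    return [
        Opening("Management Console to Management Web Service", "HTTPS", range(443, 444), True),
        *sql,
        Opening("client to VAS control and data channels", "RTSPS, RTPS/RTCPS", range(p, p + 1), True),
    ]


def port_count(openings: list[Opening]) -> int:
    """Distinct TCP ports a firewall must allow for these openings."""
    return len({p for o in openings for p in o.ports})


def netsh_rules(openings: list[Opening]) -> list[str]:
    """Render one Windows Firewall rule (netsh advfirewall syntax) per opening."""
    rules = []
    for o in openings:
        first, last = o.ports.start, o.ports.stop - 1
        localport = str(first) if first == last else f"{first}-{last}"
        rules.append(
            f'netsh advfirewall firewall add rule name="SoftGrid {o.protocol}: {o.flow}" '
            f"dir=in action=allow protocol=TCP localport={localport}"
        )
    return rules


# Constructed sample in `netstat -ano` layout as seen on a VAS (10.0.1.20); not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address    State           PID
  TCP    10.0.1.20:554      10.0.5.101:50023   ESTABLISHED     1844
  TCP    10.0.1.20:53411    10.0.5.101:50024   ESTABLISHED     1844
  TCP    10.0.1.20:322      10.0.5.102:50101   ESTABLISHED     1844
  TCP    10.0.1.20:51720    10.0.1.30:1433     ESTABLISHED     1844
"""


def audit_connections(netstat_text: str, version: str = "4.5") -> list[tuple[int, str, bool]]:
    """Map established TCP connections on a VAS to Table 8 flows.

    Returns (local port, flow, needs_attention). 554 and the 49152-65535 range
    are the cleartext standard scheme; the version's RTSPS port is TLS; ODBC
    to 1433 cannot be judged from a socket list, so it is flagged for an IPsec check.
    """
    secure = rtsps_port(version)
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_port = int(parts[2].rsplit(":", 1)[1])
        if local_port == 554:
            findings.append((local_port, "RTSP control channel (cleartext)", True))
        elif local_port == secure:
            findings.append((local_port, "RTSPS control and data channels (TLS)", False))
        elif remote_port == 1433:
            findings.append((local_port, "ODBC to SQL Server (verify IPsec policy)", True))
        elif 49152 <= local_port <= 65535:
            findings.append((local_port, "RTP/RTCP data channel (cleartext)", True))
        else:
            findings.append((local_port, "not a Table 8 flow", True))
    return findings


if __name__ == "__main__":
    for mode in ("standard", "restricted"):
        ops = required_openings(mode, "4.5")
        print(f"{mode}: {port_count(ops)} distinct TCP ports")
        print("\n".join(netsh_rules(ops)))
    for port, flow, attention in audit_connections(SAMPLE_NETSTAT, "4.5"):
        print(f"{'!!' if attention else 'ok'} {port:>5}  {flow}")
```

The port count is the planning argument in numbers: the standard scheme needs 16387 distinct TCP ports allowed through an intra-site firewall, almost all of them the RTP/RTCP range, while the restricted scheme needs three. The audit column is the operational check: any connection on 554 or in the high range on a VAS that is meant to run the restricted scheme means a client is still streaming over cleartext RTSP/RTP, and ODBC sessions to SQL Server have to be checked against the IPsec policy separately, because a socket list cannot show whether IPsec protects them.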

Evaluating the Characteristics

| Characteristic | Option | Assessment | Rating |
|---|---|---|---|
| Complexity | Standard Ports | Standard ports do not significantly increase complexity. | Low |
| Complexity | Restricted Ports | Restricted ports increase the complexity of the SoftGrid deployment: certificates must be deployed and maintained for RTSPS and HTTPS. | High |
| Cost | Standard Ports | Standard ports do not significantly increase cost. | Low |
| Cost | Restricted Ports | Restricted ports increase the cost of the SoftGrid deployment: certificates must be obtained, deployed and maintained for RTSPS and HTTPS. | Medium |
| Performance | Standard Ports | Standard ports have no significant effect on performance. | |
| Performance | Restricted Ports | Restricted ports can reduce performance because of the overhead of negotiating the secured channels and encrypting the data that flows across them. | |
| Security | Standard Ports | Standard ports carry clear-text TCP protocols; there is no security advantage to deploying with standard ports. | |
| Security | Restricted Ports | Restricted ports increase the security of the solution and reduce the number of ports in use. Note that some server-side communications cannot be secured natively by SoftGrid; the ODBC traffic to SQL Server in Table 8, for example, relies on IPsec. | |

Validating with the Business

  • What kind of security policy must be applied to applications? Many companies are subject to compliance and privacy laws that affect their applications, which often requires that application interactions be secured. It is important to make sure that applications that interact with sensitive business information and data are kept in compliance with legal and security policies.

Decision Summary

SoftGrid services can be made to use standards-based encryption protocols. The protocols can also be restricted to use a limited number of ports.

The decision to employ restricted ports will be based on internal policy and the requirements of the application that is being streamed.

Once the application begins running on the client machine, the application will use the ports required by the application; these are not necessarily the ports defined for the SoftGrid system.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
