Network devices that use RTSP Inspection may cause problems in certain App-V scenarios
We are aware that many of our App-V/SoftGrid users that are in the process of migration will follow our advice and upgrade the clients first before upgrading the management servers, and we're also aware that scheduling and testing with multi-server environments will require extended periods of time where 4.5 or 4.6 clients will be used in conjunction with 4.1 servers.
You may, however, encounter some problems during these migrations if you are using App-V Clients and App-V/SoftGrid servers in an environment where the network infrastructure employs firewalls, routers, VPN concentrators, or any network device using security software that employs RTSP stateful inspection.
These problems occur when trying to authenticate over RTSP during desktop configuration refresh as well as when streaming an application over RTSP.
Examples of some of these issues include:
1.) “Network Operation did not Complete in Time” errors:
You may see these errors on SoftGrid 4.2 and 4.1 as well as App-V 4.5 when communicating to a 4.1 server.
An example of this kind of error is when on a server refresh or during an RTSP stream you receive the following error:
A network operation did not complete in time. Check your network connection, and then try again. If the problem persists, report the following error code to your System Administrator.
Error code: xxxxxx-xxxxxx0A-10000005
2.) “The Server will not Allow a Connection Without Valid NTLM Credentials” errors:
You may get this with local domain accounts as well as if using another trusted domain account.
An example of this kind of error is when on a server refresh or during an RTSP stream you receive the following error:
The server will not allow a connection without valid NTLM credentials Please report the following error code to your System Administrator.
Error code: xxxxxx-xxxxxx 0A-00002002
3.) “The publishing Server returned invalid data in response to the Client's request.”
The publishing Server returned invalid data in response to the Client's request. Report the following error code to your System Administrator.
Error Code 45242F4-24E00B04-00000910"
You will also see potential problems with RTSP exclusive to the use of FQDNs (Fully Qualified Domain Names) with using 4.5 and later clients with pre 4.5 servers (SoftGrid Virtual Application Servers.)
Errors may go back and forth between the above examples as well.
Causes
This ties into the relegation of authentication down levels to achieve legacy compatibility. We have seen that this inspection can modify the authentication information post SSPI negotiation and that this can possibly be interpreted as a false positive for an RTSP exploit. In other words, the RTSP authentication the server receives is not what the client sent (e.g. it's truncated).
Resolutions and Workarounds
1.) Complete the server upgrade to App-V version 4.5 or later: App-V 4.5 clients and servers negotiate Kerberos/SSPI and do not exhibit the issue when working with the ASA Software. This requires a DB upgrade.
2.) Disable RTSP inspection on the network device: This would only need to be in place until the server-side upgrade to App-V 4.5 is complete.
3.) Leverage a separate protocol (RTSPS/HTTP/HTTPS:) This would require reconfiguration on both client and server side.
4.) Leverage different virtual application delivery methods: Use of SCCM R2 integration or stand-alone deployment removes desired features only offered through the server solution (e.e. licensing control, active upgrade, etc).
The quickest workaround is #2: Disabling RTSP inspection. Depending on the type of network device being used this will vary as to the approach and may violate your corporate security policy.
The majority of issues relating to this coming into the App-V support team are from our users working with the various devices employing the Cisco adaptive security appliance (ASA) software or the various firewall internetworking operating systems (PIX, etc.)
In one recent example, the final resolution was to remove the RTSP inspection from the default inspection map within the global_policy map. This was done as follows:
ASA# conf t
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap)# no inspect rtsp
The above example was on a device using Cisco Adaptive Security Appliance Software Version 8.2(1) and Device Manager Version 6.2(1)
More Information
In the mid 1990’s, the standards for a new streaming protocol that we now know as the Real Time Streaming Protocol (RTSP), were submitted to the IETF. It was originally designed as a media delivery protocol to transmit real-time, streaming media to client media software such as RealPlayer, QuickTime, and others. Since the media leverages XML and other forms of metadata, it can also be leveraged for exploitations and for potential man in the middle attacks. Most RTSP inspection software operates by examining the session setups and authentication to apply normal stateful inspection to stop any malicious behavior.
Note: This information was originally contributed by Steve Thomas, Senior Support Escalation Engineer, on the App-V Team blog: