Security Basics

Domains to Allow in Restrictive Network Environments

Sometimes users reside behind corporate networks with strict network access policies. Connection issues can arise if certain domains are blocked. To avoid this, administrators should ensure that the Network Configuration Requirements for their deployment architecture are met.

Anti-virus Software on Frame

Frame images do not include anti-virus or anti-spyware tools. Administrators are responsible for installing and configuring their own choice of AV/AS tools. For non-persistent Frame accounts, systems are stateless: as long as administrators are diligent about their work on the Sandbox, a production system that becomes infected while “exposed” is reverted to the published image on reboot. Where Nutanix provides the initial base image (public cloud infrastructure only), Nutanix ensures that all base images are scanned before customers use them.

Many anti-virus packages work on Frame, but because of the large number of packages and the possible complexity of their configuration, interoperability is not guaranteed. Anti-virus software that prevents components of the Frame service from executing may cause loss of functionality within a Frame session, up to and including a complete inability to connect to sessions. Before installing an anti-virus package, take a backup of your account’s Sandbox so that you can roll back if issues occur. Since most Frame customers use stateless systems, all anti-virus database updates will download each time a production instance starts. This can be avoided either by maintaining the Sandbox image (updating the Sandbox and publishing to production instances regularly, so the published image already carries current definitions) or by using Persistent Desktops.

Any anti-virus software used on Frame-managed workloads must be configured to allow the following directories and associated sub-directories:

  • C:\ProgramData\Frame\ – Contains libraries and utilities for Frame Service, Server, and logs (FGA 7.x and below).

  • C:\Program Files\Frame\ – Contains Frame Service and Xi Server executables which provide communication to the Frame Platform for orchestration (FGA 7.x and below).

  • C:\ProgramData\Nutanix\Frame\ – Contains libraries and utilities for Frame Service, Server, and logs (FGA 8.x).

  • C:\Program Files\Nutanix\Frame\ – Contains Frame Service and Xi Server executables which provide communication to the Frame Platform for orchestration (FGA 8.x).

  • C:\Program Files\CloudDrive\ – Contains Cloud Drive integration libraries and executables.

  • C:\Program Files\OFS\ – Contains Frame file system driver and control application.

If you intend to use Enterprise Profiles, also allow the following folders and files:

Folders:
  • C:\Program Files\ProfileUnity\ and all subfolders

  • C:\Windows\Temp\ProfileUnity\

  • C:\FADIA-T\

  • C:\ProfileDiskMounts\

Files:
  • C:\Windows\System32\drivers\Cbfltfs3.sys

  • C:\Windows\System32\drivers\Cbfltfs4.sys

  • C:\Windows\System32\drivers\Cbreg.sys

  • C:\Windows\System32\drivers\cbfsfilter2017.sys

  • C:\Windows\System32\drivers\cbfsregistry2017.sys

  • C:\Windows\System32\drivers\cbregistry20.sys
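The following script is an added example, not Nutanix documentation or Frame product code. It registers the directories and files listed above as Microsoft Defender Antivirus exclusions on a Sandbox VM and then verifies that they took effect. It assumes Defender is the installed AV (other products need their own tooling), and it picks the FGA 7.x or 8.x layout by testing which install root exists on the image, which is this example's own heuristic rather than a Frame-documented mechanism. Set $useEnterpriseProfiles to $true only if the ProfileUnity paths apply to you.

```powershell
# Added example: apply the Frame AV exclusions to Microsoft Defender and verify them.
# Run in an elevated PowerShell session on the Sandbox before publishing.
#Requires -RunAsAdministrator

# FGA 7.x and FGA 8.x use different install roots; only the layout present on this
# image is excluded. Detecting the layout via Test-Path is an assumption of this example.
$fgaPaths = @{
    '7.x' = @('C:\ProgramData\Frame\', 'C:\Program Files\Frame\')
    '8.x' = @('C:\ProgramData\Nutanix\Frame\', 'C:\Program Files\Nutanix\Frame\')
}
$commonPaths = @('C:\Program Files\CloudDrive\', 'C:\Program Files\OFS\')

# Enterprise Profiles (ProfileUnity) folders and driver files from the list above.
$useEnterpriseProfiles = $false
$profilePaths = @(
    'C:\Program Files\ProfileUnity\',
    'C:\Windows\Temp\ProfileUnity\',
    'C:\FADIA-T\',
    'C:\ProfileDiskMounts\',
    'C:\Windows\System32\drivers\Cbfltfs3.sys',
    'C:\Windows\System32\drivers\Cbfltfs4.sys',
    'C:\Windows\System32\drivers\Cbreg.sys',
    'C:\Windows\System32\drivers\cbfsfilter2017.sys',
    'C:\Windows\System32\drivers\cbfsregistry2017.sys',
    'C:\Windows\System32\drivers\cbregistry20.sys'
)

$wanted = @($commonPaths)
foreach ($version in $fgaPaths.Keys) {
    # The Program Files root identifies which FGA generation is installed.
    if (Test-Path -LiteralPath $fgaPaths[$version][1]) {
        Write-Host "Detected FGA $version layout"
        $wanted += $fgaPaths[$version]
    }
}
if ($useEnterpriseProfiles) { $wanted += $profilePaths }

# A Defender directory exclusion covers its subdirectories, so the parent paths from
# the list are sufficient. Trailing backslashes are trimmed so comparisons are exact.
$wanted   = $wanted | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
$existing = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
$missing  = @($wanted | Where-Object { $existing -notcontains $_ })

if ($missing.Count -gt 0) {
    Add-MpPreference -ExclusionPath $missing
}

# Verify: every wanted path must now appear in the effective preference. A path that
# is still missing usually means the change was blocked by policy or Tamper Protection.
$after      = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
$notApplied = @($wanted | Where-Object { $after -notcontains $_ })
if ($notApplied.Count -gt 0) {
    Write-Warning "Exclusions not applied (check Tamper Protection / policy): $($notApplied -join ', ')"
} else {
    Write-Host "All $($wanted.Count) Frame exclusions are in place."
}
```

The verification step matters more than the add: Get-MpPreference reports the effective state, so a path that silently failed to register (for example because a management policy owns the exclusion list) shows up here rather than as a broken session after publishing.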

Note

Please ensure that anti-virus “Tamper protection” is disabled during the publishing process.

SSL Break and Inspect

Frame Remoting Protocol (FRP) relies on Secure WebSockets for bi-directional communication between the end user and the workload VM: streaming audio/video from the workload VM and sending keyboard/mouse/peripheral input from the endpoint. Customers can use out-of-band monitoring solutions to observe these FRP streams; however, inline (in-band) solutions that break and inspect FRP traffic are not supported, as they prevent FRP from functioning or introduce latency that degrades the end-user experience.

Frame orchestration and brokering management communication, between the Frame Guest Agent (FGA) on the workloads and the Frame Platform and from Prism Central/Element to the Frame Platform, originates within the customer’s private network from the workload, Workload Cloud Connector Appliance (WCCA), and Cloud Connector Appliance (CCA) VMs as HTTPS requests, then switches over to Secure WebSockets for bidirectional communication. FGA on the workload VMs, WCCAs, and CCAs can be configured to use outbound HTTPS/Secure WebSocket proxy servers.
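A quick way to confirm whether an inline break-and-inspect device is in the path is to look at who issued the server certificate the endpoint actually receives: a proxy that terminates TLS must re-sign with its own CA. The following is an added example, not Frame documentation or product code; the hostname is a placeholder you must replace with the endpoint you are testing, and the regex naming your organisation's inspection CA is an input you supply. The chain is fetched and the decision is made in separate functions so the decision logic can be exercised on captured data.

```powershell
# Added example: detect TLS break-and-inspect by examining the received certificate chain.

function Get-TlsChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to see the chain, not to validate it.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Skip revocation so the build works even without CRL/OCSP reachability.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void] $chain.Build($leaf)
        # Return the chain leaf-to-root as plain objects so Test-TlsInterception can run offline.
        $chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
            }
        }
    } finally {
        $client.Dispose()
    }
}

function Test-TlsInterception {
    param(
        [Parameter(Mandatory)] [object[]] $Chain,
        # Regex naming the CA(s) your proxy uses to re-sign traffic, e.g. 'Corp Inspection CA'.
        [Parameter(Mandatory)] [string] $InspectionCaPattern
    )
    # If any element of the chain was issued by (or is) the inspection CA, the TLS
    # session was terminated and re-encrypted in-band, the configuration FRP does not support.
    [bool] ($Chain | Where-Object {
        $_.Issuer -match $InspectionCaPattern -or $_.Subject -match $InspectionCaPattern
    })
}

# Usage (replace the placeholders with your Frame endpoint and your inspection CA name):
#   $chain = Get-TlsChain -HostName '<frame-endpoint-host>'
#   $chain | Format-Table Subject, Issuer
#   if (Test-TlsInterception -Chain $chain -InspectionCaPattern 'Corp Inspection CA') {
#       Write-Warning 'TLS inspection is in the path; exempt Frame traffic from break-and-inspect.'
#   }
```

Run the check from an endpoint inside the restricted network. If the chain root is your corporate inspection CA rather than the public CA the service normally presents, Frame traffic needs to be exempted from inspection at the proxy; an out-of-band monitor will never show up here because it does not alter the certificate the client sees.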

Security and Compliance

The security and privacy of our customers’ data has always been and will continue to be a top priority. For further details on our security, data protection, and privacy programs, visit our Nutanix Trust page. There you can learn about our:

  • Security

  • Privacy, including how we control cross-border data transfers under GDPR

  • Compliance & Certifications

For our Nutanix License and Services Agreement, visit https://www.nutanix.com/legal/eula

If you have any questions, please contact support through my.nutanix.com.