Security on Cameyo

Security is at the core of Cameyo's design rather than an afterthought. Cyber attacks are a considerable risk to any IT system—whether it's on-premise or cloud-based. Cameyo has several mechanisms and counter-measures for mitigating these risks.

Port Shield: no ports left open in the cloud

Cameyo's HTTP/S ports are closed to the Internet by default by Windows Firewall. Only an authorized user session dynamically adds the user's IP to a firewall allowlist, opening port 443 for the duration of that session. After the session closes, the user's IP is automatically removed from the firewall allowlist.

Set up Port Shield security

Cameyo protects its own instances from HTTP and Remote Desktop Protocol (RDP)-related threats by using a unique, zero-maintenance security functionality.

When you enable remote functionality on a Windows machine, you open its RDP ports to the Internet, specifically ports 3389, 3387 and 3392, which exposes the machine to RDP brute-force and vulnerability attacks. Cameyo's RDP Port Shield mitigates this threat by closing the RDP ports at the Windows Firewall level and opening them only to authenticated users, when needed. It works by creating, and managing in real time, an RDP allowlist firewall rule on the server.

Activate Port Shield security on Cameyo sessions

You can toggle the Port Shield feature on your Cameyo Server page.

Port Shield is:

  • Enabled by default for cloud instances
  • Turned off by default for on-premises servers
  • Optionally, you can add a list of comma-separated IP addresses that always need to be allowed through. In most cases, this isn't necessary because admin access is dynamically allowed when needed.

To activate Port Shield:

  1. On the Cameyo Admin console, select Servers.
  2. From the list of servers, click your server.
  3. Under General, click HTTP/S Port Shield to activate.
  4. Under General, click RDP Port Shield to activate.
  5. Under General, click Restrictions to optionally add a list of comma-separated IP addresses that will always be allowed through.
  6. If you change any of these settings, click Save.
  7. Restart your server to activate the new setting:
    1. Select Servers.
    2. From the list of servers, click your server.
    3. Select Restart service.

How Port Shield security works

This security mechanism works in 3 phases:

  1. When the server starts, Cameyo disables any existing Windows Firewall rules that allow access to HTTP/RDP ports. It then adds its own allowlist rules named Cameyo Port Shield (TCP/UDP-In). If you added any IP addresses to the allowlist for Cameyo Port Shield, these are automatically pre-authorized. Otherwise, a placeholder address 255.255.255.254 is added instead. At this point, no HTTP/RDP access is allowed to the machine.
  2. When approved Cameyo sessions are initiated through the Cameyo portal, one of two scenarios takes place:
    1. When regular HTML5 sessions are started, no changes are made. HTTP/RDP ports remain closed. Cameyo's HTML5 sessions do not require user-to-server HTTP/RDP port interaction.
    2. When direct RDP sessions are started, Cameyo's portal (through which users authenticate to initiate sessions) informs the relevant server to open RDP access to the requesting user's IP address. Direct RDP sessions include:
    • Admin access (through Cameyo portal's Generate .RDP file)
    • Sessions initiated using Cameyo's Native Player
    • Sessions initiated through mobile Android devices
  3. Allowlisted IP addresses are removed and cleaned up upon Cameyo service restart, typically every few hours.
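A defender-side check for the mechanism described above, added here as an example and not Cameyo's own code: it lists the Port Shield rules together with the remote addresses they currently admit (only the 255.255.255.254 placeholder means the port is closed) and flags any other enabled inbound Allow rule on the HTTP/RDP ports that would bypass the shield. It assumes the rule display names begin with "Cameyo Port Shield" and is run in an elevated PowerShell session on the server.

```powershell
# Added example (not Cameyo's code): audit Port Shield state on a Cameyo server.
# Assumes the allowlist rules are named "Cameyo Port Shield (...)" as described above.
$Placeholder   = '255.255.255.254'            # inserted by Cameyo when no IP is allowlisted
$ShieldedPorts = @('443', '3389', '3387', '3392')

# 1. Show each Port Shield rule and which remote IPs it currently admits.
$shieldRules = @(Get-NetFirewallRule -DisplayName 'Cameyo Port Shield*' -ErrorAction SilentlyContinue)
if ($shieldRules.Count -eq 0) {
    Write-Warning 'No Cameyo Port Shield rule found; Port Shield is probably not active on this server.'
}
foreach ($rule in $shieldRules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $remote     = @($addrFilter.RemoteAddress)
    # Anything other than the placeholder is a live session IP or a static allowlist entry
    $live = @($remote | Where-Object { $_ -ne $Placeholder })
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Protocol      = $portFilter.Protocol
        LocalPort     = ($portFilter.LocalPort -join ',')
        RemoteAddress = ($remote -join ',')
        Closed        = ($live.Count -eq 0)        # True: only the placeholder remains
        AnyAddress    = ($remote -contains 'Any')  # True would mean the rule admits everyone
    }
}

# 2. Phase 1 disables other inbound Allow rules on the HTTP/RDP ports. Any such rule
#    that has been re-enabled would bypass Port Shield, so list those as candidates.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'Cameyo Port Shield*' } |
    ForEach-Object {
        $pf    = $_ | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        # Only TCP/UDP rules matter; flag a shielded port or a rule open on all ports
        if ($pf.Protocol -in @('TCP', 'UDP') -and
            ($ports -contains 'Any' -or ($ports | Where-Object { $ShieldedPorts -contains $_ }))) {
            [pscustomobject]@{
                BypassCandidate = $_.DisplayName
                Protocol        = $pf.Protocol
                LocalPort       = ($ports -join ',')
                Profile         = $_.Profile
            }
        }
    }
```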

Cloud Tunneling: no ports left open on-premises

For on-premises Cameyo installations, Cloud Tunneling uses a reverse connection model, meaning the server initiates outbound connections to a cloud tunneling server to broker end-user sessions. This eliminates the need for any inbound firewall openings, ensuring no ports are exposed to external threats on company servers.

Set up Cloud Tunneling

Cloud Tunneling ensures that your firewall ports are closed to the open Internet and eliminates the need for VPNs. Combined with Cameyo's Port Shield, all of your server and firewall ports are closed, protecting you from ransomware, brute force attacks, etc.

Its configuration is flexible and allows for hybrid mode - a single Cameyo server can provide either connectivity mode (Direct or Cloud Tunneling) depending on apps, users or conditions and can be defined via the PowerTag !CLOUDTUNNEL=1/0.

Cloud Tunneling encrypts transit data via HTTPS.

How Cloud Tunneling works

Instead of connecting end users directly to your Cameyo server's HTTPS port, both the end user and the Cameyo server connect to a cloud node that serves as a bridge. This eliminates the need for inbound connections and allows sessions to run securely on on-prem servers without a VPN and without opening inbound firewall ports.

The process begins when a user clicks the application's URL in Cameyo's cloud portal. The stages are:

  1. The user is redirected to and authenticated through the customer's SSO provider. The portal then selects the best Cameyo Play server.
  2. The Cameyo Play server checks if there is a new session assigned.
  3. The assigned Cameyo Play server connects to the Cloud tunnel on port 8443.
  4. The cloud portal redirects the user to the assigned Cloud Tunnel on port 443.

Exclude internal users

In a self-hosted (on-premises) scenario, you'll generally want to exclude internal users from going through Cloud Tunneling, since the server is already on their company LAN. To do this, define your internal company IP addresses under Admin > Company > Advanced.

Users initiating sessions from these predefined IPs will then be excluded from Cloud Tunneling, and will connect to the server directly.

Cloud Tunneling servers

Cloud Tunneling servers are provided and maintained by Cameyo. While you don't need to manage or maintain them, this section describes the inner workings of this cloud component:

  • The Cloud Tunneling server faces your on-prem Cameyo Play servers on one side on port 443, and the user's browser on the other side on port 8443.
  • When a session request is initiated which involves Cloud Tunneling, the Cloud Tunnel server receives an HTTPS request from the Cameyo portal which tells it to start brokering a session between the Play server and the user's browser. It validates the request using an API call which also gives the IP addresses of both the Play server and the user.
  • The user's browser connects to the Cloud Tunnel server on port 8443 and waits for the Play server's connection to be brokered.
  • The relevant on-prem Cameyo Play server obtains the job through regular polling (checking Cameyo's cloud API for a job every X seconds). It then connects to the Cloud Tunnel server on port 443.
  • The Cloud Tunneling machine then relays traffic between the two parties. Cameyo's proprietary tunneld component is in charge of this transmission.

Third-party security software

Third-party security solutions are supported, with conditions, on Cameyo servers. These solutions might impact performance and can cause side effects.

Third-party antivirus or endpoint security solutions

If you decide to use an antivirus or endpoint security solution, make sure you disable network scanning and add the following folders to the exclusion list, to improve performance:

  • c:\RemoteAppPilot
  • c:\RapStartSvc
  • c:\RapPrereqs
  • c:\guacd

If you want to add the above folders to Windows Server Protection (Defender), run the following PowerShell lines with elevated privileges:

# Add each Cameyo folder to the Microsoft Defender exclusion list (elevated prompt)
Add-MpPreference -ExclusionPath "C:\RemoteAppPilot"
Add-MpPreference -ExclusionPath "C:\RapStartSvc"
Add-MpPreference -ExclusionPath "C:\RapPrereqs"
Add-MpPreference -ExclusionPath "C:\guacd"

To check that the exclusions are set (in Windows Server Protection), run the following command:

(Get-MpPreference).ExclusionPath

Incompatible antivirus solutions

Cameyo supports most antivirus and virus protection products. Antivirus solutions known to cause incompatibility issues with Cameyo include:

  • Trend Micro: random issues including random crashes of guacd.exe were observed, and resolved when the anti-virus was completely uninstalled.
  • Symantec Endpoint Protection (SEP): random issues including: "System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://api.cameyo.com/CameyoOnline.svc that could accept the message."
  • Carbon Black: known and reported to cause slowdowns.

We recommend uninstalling an antivirus product to determine whether it's causing issues. Simply disabling an antivirus or adding exceptions is not enough to determine whether it is related to a conflict or not. Once the relation between the antivirus solution and the issues has been established, you can then reinstall the antivirus software and try defining exceptions.

If you install an endpoint protection suite on Cameyo servers, always use its server or virtualization edition, not the desktop edition.

False alarms

False alarms do not affect compatibility. They just need to be acknowledged and accepted:

  • SentinelOne: false positives on Cameyo's executables.

Built-in security mechanisms on Cameyo

Layered revert: session wipeout

Whatever's done during a session is wiped out. The entire user profile is deleted and rebuilt (through use of temporary user profiles). Only configured data locations are synced out and back in.

Least privilege principle

Cameyo's sessions run under limited user privileges. Likewise, Cameyo's server-side agents perform as few tasks as possible as SYSTEM or with other high privileges. Whenever an interaction with a user or a session is needed, Cameyo's service spawns a module running under the same low privileges as that user. This way, a vulnerability in Cameyo's own modules would not put the server's security or other users' data at risk.

HTTPS security and encryption

All Cameyo cloud servers are automatically created with HTTPS - both standalone and elastic. This ensures that sessions are encrypted.

Auto-snapshots

Cameyo's cloud servers are regularly snapshotted and backed up on monthly, weekly, daily and 4-hourly schedules. Be aware that snapshots are taken only of each virtual machine's primary disk; backing up additional disks requires additional configuration.

Windows updates

Windows updates occur automatically during maintenance timeframes. This ensures that Cameyo servers run with the latest Microsoft security updates and patches.

Component updating

Cameyo's third-party components, such as Java and Tomcat, can be push-updated as necessary by Cameyo. In this way, serious vulnerabilities can be force-patched by our team on all servers.

Shell lockdown and limited system access

Cameyo sessions lock users out of the computer's file system as much as possible. This avoids user mistakes and IT issues, and it also reduces the attack surface for intentional or unintentional malicious actions.
