VMware Horizon Community
Marc_Alumbaugh
Enthusiast

Can you install Connection server and security server on same VM?

I've been searching around and found an older post that said you could do it.

I tried the View 5 documentation but not a lot of luck there.

If the deployment is small say 20 View users total.

Could you install the connection and security server on the same VM?   W2K8R2 64-bit?

I certainly understand some of the security risks.

TIA

0 Kudos
Linjo
Leadership

The Security server is actually a subset of components from the Connection Server, so if you install a Connection Server you have all the Security Servers features and functions also.

The bad thing about this is that you will expose the admin interface and an AD-connected server to the "insecure" networks.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
admin
Immortal

Thanks for information.

0 Kudos
Marc_Alumbaugh
Enthusiast

Linjo

Thanks for the reply.  If I want to get the PCoIP working across internet then how do I do that?

I've watched markbenson piece here

http://communities.vmware.com/docs/DOC-14974

I've read the PCoIP FAQs

http://communities.vmware.com/docs/DOC-15389

It seems like you have to have the security server going.

So do I configure something different in the connection server so that it will also handle the security server - proxy and tunneling functions?

Or do I still need to install the security server software on the same box as the connection server?

Also if I can install the security server on the same box as the connection server is that a VMware support configuration?

TIA

0 Kudos
markbenson
VMware Employee

You don't have to have a Security Server in order to do PCoIP over the Internet although generally it is better to do so.

If you want to do this with just a Connection Server then simply go to the View Admin UI, select the Connection Server, select Edit and tick the box "Use PCoIP Secure Gateway ..." and then set the PCoIP External URL correctly. This is the same as you would do for the Security Server.

Mark.

0 Kudos
Marc_Alumbaugh
Enthusiast

Thanks Mark for the reply.

I tried what you suggested but no luck.

View 5 client gets through the login then selects the Pool.

I see the black screen for about 30 seconds and then "The Connection to the remote server ended" message.

If I edit the external URL to the internal IP address and connect inside the firewall no issues.

I change the external URL back to the public IP address (and the port number) and connect from the outside no luck.

I have port 4172 open but for UDP and TCP.

I've even tried opening every port through the firewall to the connection server - still no luck.

Any other ideas?

TIA

0 Kudos
markbenson
VMware Employee

The black screen is quite a common problem and there are several threads on this here. It is almost certainly because one of the 3 required steps has not been done correctly. If any are wrong, you just get a black screen for a few seconds after selecting the desktop. It's because PCoIP is being blocked.

You say you've been editing the "External URL", but for this, you must also edit the "PCoIP External URL".

Check very carefully the 3 steps http://communities.vmware.com/docs/DOC-14974 - this is how others have solved it.

You may find Wireshark helpful in setting this up correctly so that you can see what you are getting from and sending to the client.

What value do you have for "PCoIP External URL"? This should contain the same IP address as is resolved by your remote client from the hostname entered.

Mark.

0 Kudos
Marc_Alumbaugh
Enthusiast

Thanks again Mark

HTTPS Secure Tunnel - External URL

https://FQDN:443          (The FQDN is resolvable to the external IP address)

Use Secure Tunnel connection to desktop IS SELECTED

PCoIP Secure Gateway - PCoIP External URL

PublicIP:4172

Use PCoIP Secure Gateway for PCoIP connections to desktop IS SELECTED.

I've rebooted the Connection Server.

I've checked what the Public IP address is and it's being NAT'd correctly.

I have 80,443 open to it

I have UDP and TCP 4172 open to it.

Still getting black screen then Disconnected message.

Any other ideas?

TIA

0 Kudos
markbenson
VMware Employee

It is going to be because PCoIP is being blocked. If this works internally then it won't be anything with the View Agent or anything else on the virtual desktop.

Double check the firewall rules. Note that the UDP 4172 is both directions, not just inbound but also reply UDP data back out to the client again.

Check the Connection Server logs.

Make sure the Connection Server is at least 4.6 and running on Windows Server 2008 R2.

If you still can't get it configured correctly, use Wireshark on the Connection Server. You should see incoming TCP 4172 from the Client and Incoming UDP 4172 and reply UDP data back out to the client. The same protocols for PCoIP will also be present between the Connection Server and your virtual desktop. This may identify if any of these TCP or UDP protocols are being blocked anywhere along the line.

Let us know what it was.

Thanks.

Mark.

0 Kudos
Marc_Alumbaugh
Enthusiast

I'm running the connection server on W2K8 R2 - 64-Bit.

I'm using View 5

IPv6 is enabled but I didn't see anything about having to disable it.

Also Microsoft is recommending to NOT disable it.

If I change the

PCoIP Secure Gateway - PCoIP External URL

InternalIP:4172

I can connect fine and PCoIP works.

If I change back to the External-IP it doesn't work.

I do see this in the Event log

AJP Connection test failed: com.vmware.vdi.ob.tunnelservice.dy: Failed to write data to server: java.net.SocketException: software caused connection abort: socket write error

I've even tried a firewall rule of allowing everything through and it doesn't work.

I've disabled the Windows Firewall too (even though internally it works fine).

If I watch the active connections on the firewall I can see

Port 443 coming through.

The View client is able to login and select the VMPool and when they click connect I don't see any 4172 ports starting up.

If I switch to RDP protocol it works fine - not sure if that helps

Any other ideas?

0 Kudos
markbenson
VMware Employee

Marc Alumbaugh wrote:

Any other ideas?

No other ideas, but we should stick with the previous ideas and continue to work through them. You are making progress in this analysis - keep going! When it's configured correctly, you've set up firewalls/proxies etc not to block PCoIP and you're using at least View 4.6 on the Client and Server, this does work.

It still looks as though something is blocking PCoIP in your environment - hence the black screen.

So when the "PCoIP External URL" on the Connection Server is set to InternalIP:4172, your View Client on the internal network connects fine. If you run Wireshark on your Connection Server to capture the connections, you'll see an HTTPS connection come in on TCP 443. Then when you select a desktop pool you'll see a PCoIP connection come in. This will be TCP 4172 from the Client to the Connection Server and then UDP 4172 also from the Client to the Connection Server and also UDP 4172 in the reverse direction. For this reverse part, the source UDP port will be 4172 and the destination UDP will match the source port on the incoming UDP packets. Verify that this is the case. This will prove that the Connection Server is gatewaying your PCoIP correctly.

So far so good.

Next, you should switch to your remote View Client coming in over the Internet. For this, you will set the "PCoIP External URL" to ExternalIP:4172. Note that you don't need to reboot the Connection Server for this to take effect. It takes effect immediately. This IP will be the public IP address which probably goes through a NAT/Firewall to get to your Connection Server. You can first verify that this IP address is correct by using it for the Connection Server address when you start the View Client. When using this same IP address at the Client and getting through the authentication step, it will prove that it is set up correctly in terms of routing/NAT etc. Then monitor with Wireshark at the Connection Server and observe what happens when you select a virtual desktop pool and get the black screen. You should see the same pattern of PCoIP activity on your Connection Server as in the internal test case (i.e. starting with the incoming TCP connection on port 4172). The View Client will be using the ExternalIP address you specified in the "PCoIP External URL" to make the PCoIP connection to the Connection Server. So if you don't see this TCP 4172 come in to the Connection Server, or you don't see the UDP 4172 packets then something is blocking it. This is usually caused by a firewall or proxy blocking PCoIP.

If this is the case and you don't see these packets at the Connection Server, then run Wireshark on the Windows View Client and see if you can see TCP 4172 and/or UDP 4172 being sent to this ExternalIP. If so, then you know that something (such as firewall or proxy) between the View Client and View Connection Server is blocking it.

Let us know what it was.

Hope this is helpful.

Mark.

0 Kudos
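Added example, not part of the original thread: a small checker that takes packet summaries captured at the Connection Server and reports which leg of the traffic pattern described in the post above is missing. The `Pkt` tuple, the function name and every address and port in the sample data are constructed for illustration; `client_ip` is the client address as the server sees it (after any NAT).

```python
from typing import NamedTuple

PCOIP_PORT = 4172

class Pkt(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def check_pcoip_legs(packets, client_ip, server_ip):
    """Return the legs of the expected pattern that never appear in the capture."""
    seen = {"https_in": False, "tcp4172_in": False,
            "udp4172_in": False, "udp4172_reply": False}
    client_udp_ports = set()  # source ports the client used for inbound UDP 4172
    for p in packets:
        inbound = p.src == client_ip and p.dst == server_ip
        outbound = p.src == server_ip and p.dst == client_ip
        if inbound and p.proto == "tcp" and p.dport == 443:
            seen["https_in"] = True
        elif inbound and p.proto == "tcp" and p.dport == PCOIP_PORT:
            seen["tcp4172_in"] = True
        elif inbound and p.proto == "udp" and p.dport == PCOIP_PORT:
            seen["udp4172_in"] = True
            client_udp_ports.add(p.sport)
        elif (outbound and p.proto == "udp" and p.sport == PCOIP_PORT
              and p.dport in client_udp_ports):
            # Reply leg: source port 4172, destination = client's UDP source port.
            seen["udp4172_reply"] = True
    return [leg for leg, ok in seen.items() if not ok]

# Constructed sample captures (documentation/private addresses, made-up ports).
SERVER = "10.0.0.10"
INTERNAL_OK = [
    Pkt("tcp", "10.0.0.50", 50001, SERVER, 443),
    Pkt("tcp", "10.0.0.50", 50002, SERVER, PCOIP_PORT),
    Pkt("udp", "10.0.0.50", 50003, SERVER, PCOIP_PORT),
    Pkt("udp", SERVER, PCOIP_PORT, "10.0.0.50", 50003),
]
# External client authenticates over 443, then nothing on 4172 reaches the server.
EXTERNAL_BLOCKED = [Pkt("tcp", "203.0.113.7", 51000, SERVER, 443)]

if __name__ == "__main__":
    print("internal:", check_pcoip_legs(INTERNAL_OK, "10.0.0.50", SERVER))
    print("external:", check_pcoip_legs(EXTERNAL_BLOCKED, "203.0.113.7", SERVER))
```

An empty list means all four legs were observed; when `tcp4172_in` is missing while `https_in` is present, the next place to capture is the client side, as the post describes.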
Marc_Alumbaugh
Enthusiast

Thanks Mark

So I did the wireshark and sure enough - nothing coming in through the firewall to the connection server on 4172.

I was able to see the https session start up and the connection server talking to AD to authenticate the user.

Saw the connection server talk to the desktop and some traffic on 4001 and then some 4172 traffic but nothing from the client to the connection server on 4172.

Double checked the firewall and the rule was there to allow UDP and TCP 4172 through.

Open telnet on the client PC and tried to open a session to the connection server on port 4172.

(Looking back - I should have tried this FIRST - so for anyone else reading this thread - TRY THIS)

Failed immediately and nothing on wireshark.

Deleted the firewall rule and then just re-added the same rule.

Tried telnet again and sure enough got a connection and saw it on Wireshark.

Tried the View client and it worked.

And what a difference using PCoIP versus RDP - it's worth the effort

Thank you again - VMworld 2012 I owe you a beer 😉

0 Kudos
markbenson
VMware Employee

Thanks for posting back and I'm glad it was solved by the 3 steps.

Hopefully others will benefit from this post too.

I'll look forward to that beer 🙂

Mark

0 Kudos