I am having trouble getting the PCoIP Gateway to work. Everything works fine internally. All the settings seem to be correct. PCoIP Secure Gateway on Security Server is set to the Externalip:4172 and on the connection server Use PCoIP Secure Gateway connections to machine is checked with the PCoIP ExternalURL: InternalipOfConnectionServer:4172
I do not have access to the firewall, but here are the rules the network admin set up for me:
- Anybody external to DMZ security server - TCP 443, TCP 8443, TCP and UDP 4172
- DMZ security server to Internal connection server - TCP 8009, TCP 4001, TCP 4002, UDP 500, ESP
- DMZ security server to Internal Client VMs VLAN - TCP 3389, TCP 22443, TCP and UDP 4172
- Internal connection server to DMZ security server - UDP 500, ESP
When connecting externally over PCoIP I get "The connection to the remote computer failed". I have spent a lot of time trying to diagnose and troubleshoot but have come up blank.
Anyone have any ideas?
Firewall rules for DMZ-based Security Servers
Source | Destination | Port | Protocol |
Any External IP | Security Server | 80 | HTTP |
Any External IP | Security Server | 443 | HTTPS |
Any External IP | Security Server 1 | 4172 | PCoIP (TCP and UDP) |
Source | Destination | Port | Protocol |
Security Server | View Transfer Server | 80 | HTTP |
Security Server | View Transfer Server | 443 | HTTPS |
Security Server | Connection Server | 8009 | AJP13 |
Security Server | Connection Server | 4001 | JMS |
Security Server | Connection Server | 4002 | JMS (Secure) |
Security Server | View Desktop | 3389 | RDP |
Security Server 1 | View Desktop | 4172 | PCoIP (TCP and UDP) |
Security Server | View Desktop | 32111 | USB Redirection |
Security Server | Connection Server | 500 | IPSec (UDP) |
Security Server | Connection Server | 4500 | NAT-T ISAKMP (UDP) |
Connection Server | Security Server | 500 | IPSec (UDP) |
Connection Server | Security Server | 4500 | NAT-T ISAKMP (UDP) |
Security Server 1 | Connection Server | 4172 | PCoIP (TCP and UDP) |
Security Server | Remote Desktop Services | 4172 | PCoIP (TCP and UDP) |
Firewall rules were set up as per this:
Firewall Rules for DMZ-Based Security Servers
Excluded were ports 80, 9427, and 32111.
This one is not listed in the Horizon 6 documentation:
Security Server 1 | Connection Server | 4172 | PCoIP (TCP and UDP) |
We can see the TCP 4172 traffic between the External Client <---> DMZ Security Server <--> VM running Agent
but it never attempts to switch over to UDP 4172 like it does internally. It just errors out.
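As an added illustration (not code from the thread or from VMware), the following script checks the network admin's rules from the first post against the required flows in the table above and reports which flows are absent, skipping the ports the poster excluded on purpose; the zone names and the rule text are constructed from the thread's wording, not real hosts or addresses.

```python
import re
ZONES = {"Anybody external": "internet", "DMZ security server": "security_server",
         "Internal connection server": "connection_server", "Internal Client VMs VLAN": "desktop"}

REQUIRED = [  # flows the table above requires, as (src, dst, proto, port)
    ("internet", "security_server", "tcp", 4172),
    ("internet", "security_server", "udp", 4172),
    ("security_server", "connection_server", "tcp", 8009),  # AJP13
    ("security_server", "connection_server", "tcp", 4001),  # JMS
    ("security_server", "connection_server", "tcp", 4002),  # JMS (Secure)
    ("security_server", "connection_server", "udp", 500),   # IPsec
    ("security_server", "connection_server", "udp", 4500),  # NAT-T ISAKMP
    ("connection_server", "security_server", "udp", 500),
    ("connection_server", "security_server", "udp", 4500),
    ("security_server", "desktop", "tcp", 3389),            # RDP
    ("security_server", "desktop", "tcp", 4172),            # PCoIP
    ("security_server", "desktop", "udp", 4172),
    ("security_server", "desktop", "tcp", 32111),           # USB redirection
]

# The network admin's rules, copied from the first post (constructed sample input).
ADMIN_RULES = """\
Anybody external to DMZ security server - TCP 443, TCP 8443, TCP and UDP 4172
DMZ security server to Internal connection server - TCP 8009, TCP 4001, TCP 4002, UDP 500, ESP
DMZ security server to Internal Client VMs VLAN - TCP 3389, TCP 22443, TCP and UDP 4172
Internal connection server to DMZ security server - UDP 500, ESP
"""

def parse_rules(text):
    """Expand 'SRC to DST - TCP and UDP 4172, ESP' lines into (src, dst, proto, port) tuples."""
    allowed = set()
    for line in text.splitlines():
        endpoints, _, services = line.partition(" - ")
        src_name, _, dst_name = endpoints.partition(" to ")
        src, dst = ZONES[src_name.strip()], ZONES[dst_name.strip()]
        for svc in (s.strip() for s in services.split(",")):
            if svc.upper() == "ESP":  # IPsec ESP has no port number
                allowed.add((src, dst, "esp", None))
                continue
            m = re.fullmatch(r"(TCP and UDP|TCP|UDP) (\d+)", svc, re.I)
            for proto in m.group(1).lower().split(" and "):
                allowed.add((src, dst, proto, int(m.group(2))))
    return allowed

def missing_flows(allowed, excluded_ports=(80, 9427, 32111)):
    """Required flows absent from the rule set, ignoring ports the poster left out on purpose."""
    return sorted(f for f in REQUIRED if f not in allowed and f[3] not in excluded_ports)

def pcoip_udp_path_open(allowed):
    """Both UDP 4172 hops the PCoIP Secure Gateway needs: client -> security server -> desktop."""
    return {("internet", "security_server", "udp", 4172),
            ("security_server", "desktop", "udp", 4172)} <= allowed
```

Against the rules as posted, the only table rows not covered are the UDP 4500 NAT-T flows in both directions between security server and connection server; both UDP 4172 hops for PCoIP are present.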
If you are using tunneling, then the PCoIP traffic needs to pass through the internal connection manager; that port needs to be open between the security server and the internal connection broker.
When using a security server, PCoIP communication occurs directly between the security server and the VDI desktop. Does your security server have multiple network adapters? Also, are the secure tunnel settings correct on the security server?
I see TCP 4172 traffic between the security server and the connection server both ways; however, it never attempts to switch to UDP.
My PCoIP Secure Gateway external URL is set to the externalip:4172 so that is right. I have verified the secure tunnel settings as well.
Thanks in advance
I ran into a similar issue after Horizon 6.2.1 upgrade recently. After upgrading our Windows users to latest Horizon Client, they were then able to successfully connect to their desktops externally (via security server). Internal access still seemed to work with the older clients, however. I think it is related to TLS 1.0 being disabled in the newer security server.
I see TCP 4172 traffic between the security server and the connection server both ways
That's not correct. The PCoIP flow is from Client > Security Server and then Security Server to Virtual Desktop. PCoIP does not flow from Security Server to Connection Server. Same flow with Access Point in place of Security Server.
I would double-check this analysis and also the firewall rules to make sure TCP and UDP 4172 are open between the Internet and the Security Server and also from the Security Server to any virtual desktop.
Blocking UDP 4172 is the most common cause of this error.
Mark
Read Carl's blog. Like the whole thing. It's good stuff.
According to the FW rules you have listed,
you are missing communication from your DMZ Security server --> Anybody External Clients (INTERNET) 4172 UDP.
REF: https://kb.vmware.com/kb/1026766