VMware Horizon Community
KKitzulSEI
Contributor
Contributor

PCoIP Gateway Connection Issues

I am having trouble getting the PCoIP Gateway to work. Everything works fine internally. All the settings seem to be correct. PCoIP Secure Gateway on Security Server is set to the Externalip:4172 and on the connection server Use PCoIP Secure Gateway connections to machine is checked with the PCoIP ExternalURL: InternalipOfConnectionServer:4172

I do not have access to the firewall but here are the rules the network admin setup for me:

- Anybody external to DMZ security server - TCP 443, TCP 8443, TCP and UDP 4172

- DMZ security server to Internal connection server - TCP 8009, TCP 4001, TCP 4002, UDP 500, ESP

- DMZ security server to Internal Client VMs VLAN - TCP 3389, TCP 22443, TCP and UDP 4172

- Internal connection server to DMZ security server - UDP 500, ESP

When connecting externally over PCoIP I get "The connection to the remote computer failed" I have spent a lot of time trying to diagnose and troubleshoot but have come up blank.
Anyone have any ideas?

Reply
0 Kudos
9 Replies
joshopper
Hot Shot
Hot Shot

Firewall rules for DMZ-based Security Servers

  • Front-End Firewall Rules

    SourceDestinationPortProtocol
    Any External IPSecurity Server80HTTP
    Any External IPSecurity Server443HTTPS
    Any External IPSecurity Server14172PCoIP
    (TCP and UDP)


  • Back-End Firewall Rules

    SourceDestinationPortProtocol
    Security ServerView Transfer Server80HTTP
    Security ServerView Transfer Server443HTTPS
    Security ServerConnection Server8009AJP13
    Security ServerConnection Server4001JMS
    Security ServerConnection Server4002JMS (Secure)
    Security ServerView Desktop3389RDP
    Security Server 1View Desktop4172PCoIP
    (TCP and UDP)
    Security ServerView Desktop32111USB Redirection
    Security ServerConnection Server500IPSec (UDP)
    Security ServerConnection Server4500NAT-T ISAKMP (UDP)
    Connection ServerSecurity Server500IPSec (UDP)
    Connection ServerSecurity Server4500NAT-T ISAKMP (UDP)
    Security Server 1Connection Server4172PCoIP
    (TCP and UDP)
    Security ServerRemote Desktop Services4172PCoIP
    (TCP and UDP)
Reply
0 Kudos
KKitzulSEI
Contributor
Contributor

Firewall rules were setup as per this

Firewall Rules for DMZ-Based Security Servers

Excluded was port 80, 9427, and 32111.

this one is not listed in the Horizon 6 documentation.

Security Server 1Connection Server4172PCoIP
(TCP and UDP)

We can see the TCP 4172 traffic between the External Client <---> DMZ Security Server <--> VM running Agent

but it never attempts to switch over to UDP 4172 like it does internally. It just errors out.

Reply
0 Kudos
joshopper
Hot Shot
Hot Shot

If you are using tunneling then the PCoIP traffic needs to pass through the internal connection manager, that port needs to be open between the security server and the internal connection broker.

Reply
0 Kudos
larsonm
VMware Employee
VMware Employee

When using a security server, PCoIP communication occurs directly between the security server and the VDI desktop.  Does your security server have multiple network adapters?  Also, are the secure tunnel settings correct on the security server?

Reply
0 Kudos
KKitzulSEI
Contributor
Contributor

I see TCP 4172 traffic between the security server and the connection server both ways however it never attempts to switch to UDP.

My PCoIP Secure Gateway external URL is set to the externalip:4172 so that is right. I have verified the secure tunnel settings as well.

Thanks in advance

Reply
0 Kudos
whibr
Enthusiast
Enthusiast

I ran into a similar issue after Horizon 6.2.1 upgrade recently.  After upgrading our Windows users to latest Horizon Client, they were then able to successfully connect to their desktops externally (via security server).  Internal access still seemed to work with the older clients, however.  I think it is related to TLS 1.0 being disabled in the newer security server.

Reply
0 Kudos
markbenson
VMware Employee
VMware Employee

I see TCP 4172 traffic between the security server and the connection server both ways

That's not correct. The PCoIP flow is from Client > Security Server and then Security Server to Virtual Desktop. PCoIP does not flow from Security Server to Connection Server. Same flow with Access Point in place of Security Server.

I would double check this analysis and also the firewall rules to make sure TCP and UDP 4172 is open between Internet and Security Server and also Security Server to any virtual desktop.

Blocking UDP 4172 is the most common cause of this error.

Mark

Reply
0 Kudos
BungeBash
Enthusiast
Enthusiast

Read Carl's blog. Like the whole thing. It's good stuff.

www.carlstalhood.com/vmware-access-point/

Reply
0 Kudos
GaryMclean
Enthusiast
Enthusiast

According to your FW Rules you have listed,

You are missing communication from your DMZ Security server --> Anybody External Clients (INTERNET) 4172 UDP

REF:https://kb.vmware.com/kb/1026766

  • 4172 (TCP/UDP)

    Used for PCoIP in a VMware View 4.5 and later environment. This port is required for the PCoIP display protocol.
    The port 4172 UDP must be open in both inbound and outbound directions.
    The port 4172 TCP must be open in only the inbound direction.
Reply
0 Kudos