VMware Horizon Community
garymansell
Contributor

VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue

Hi,

I have a view connection server which we have been using internally that I now want to use externally as well - I would like workers to be able to re-connect to their workplace daytime sessions from home and continue working.

To this end I have set up an Access Point Server in our DMZ (with the rules to/from the Internet and LAN as per online docs) and can login from an Internet based client as a user OK, but when it tries to initiate the PCOIP session, I just get a black screen and then the connection terminates.

Firewall Rules:

Internet to the Access Point machine in DMZ (machine has a 192.x.x.x address in the DMZ NAT'd to an external RIPE IP)

          443 TCP & UDP

          4172 TCP and UDP (UDP 4172 must be allowed outbound too)

Access Point machine in the DMZ to internal LAN (view connection server stc-vmconn-01.stc.ricplc.com and view vm's are located on the LAN):

          443 TCP to stc-vmconn-01.stc.ricplc.com

          4172 TCP and UDP to stc-vmconn-01.stc.ricplc.com and UDP 4172 back

          32111 TCP to stc-vmconn-01.stc.ricplc.com

I am presuming that as I am using Access Point instead of a Security server - there is nothing to add in the Security Servers Tab on the view connection server, is that correct?

As I am running through the Access Point server in the DMZ and don't want to add routes from all the horizon view agent VM's out to the Internet, I want to tunnel PCOIP via the View Connection server so that all conversations go via the AP and the View Connection server - I think I need to enable and set a PCOIP Secure Gateway <IP Address>:4172 on the View Connection Servers Tab of the Connection Server / Servers page - I am a little unsure as to which IP to set here. Should it be the external Internet IP address of the AP (in which case, it seems to break internal clients from being able to connect when they could before), or should I set it to the internal View Connection Server's IP (in which case internal clients work OK, but externals still get the black screen).

When running a wireshark trace on the internal View Connection Server, I can see a couple of PCOIP (4172) packets going to/from the remote client on the Internet before the connection is dropped.

If I look at the debug logs on the external client machine, I see this error, that might be the problem?

2017-02-08T16:13:54.702Z WARN  (0C44-026C) <NodeManagerWatcher> [vmware-view-usbd] SocketChannel: Unable to connect to 172.30.85.43:32111

Now, this is a machine on the Internet, so there is obviously going to be a problem accessing 172.30.85.43 (which is the VDI VM internal IP) as this is non-routable over the Internet - why am I seeing this?

Any ideas what may be wrong here, cos I am stumped!!

Rgds

Gary

Accepted Solutions
markbenson
VMware Employee

Those firewall rules are not quite correct, and on Access Point you need to enable Tunnel, PCoIP gateway and Blast Gateway and set the 3 external URLs correctly.

On Access Point:

tunnelExternalUrl should be set to https://fqdn:443

blastExternalUrl should also be set to https://fqdn:443

pcoipExternalUrl should be set to ip_addr:4172

fqdn is the fully qualified DNS hostname that a client on the Internet will use to connect to Access Point. It should be resolvable on Internet DNS.

ip_addr is the IPv4 address of that fqdn. These values are used by the client to connect respective protocols from client to Access Point.

You can make these settings in your .ini file, then you just need to rerun the apdeploy command and all your original settings will also be reapplied. See Using PowerShell to Deploy VMware Access Point

You can also key them in manually through the admin UI, but then they would be lost next time you rerun apdeploy command.

Disable Blast Secure Gateway on Connection Server.

For the firewall, your rules are correct from Internet to Access Point. You also need to allow the following from Access Point to your virtual desktops/RDS Hosts: TCP and UDP 4172 (also with UDP reply datagrams out), TCP 32111, TCP 22443. You also need to open TCP 443 from Access Point to your Connection Server (but it sounds like that has already been done).

The error "Unable to connect to 172.30.85.43:32111" is seen because the tunnel is not enabled on Access Point and therefore the client is attempting to connect the framework channel (TCP 32111) directly from the client to virtual desktop which will rightly fail.

PCoIP is resulting in a black screen either because the PCoIP external URL IP address is wrong in Access Point or because your inner firewall is blocking PCoIP from Access Point to your virtual desktop. Either of these config errors will result in a black screen.

Post back when you have it working.

Mark
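The three external URL settings above are easy to get subtly wrong (wrong scheme, wrong port, an IP instead of the public FQDN, or a non-routable IP for PCoIP, which is exactly the confusion in the original question). The following checker is an added example, not VMware's code or anything from the apdeploy script: it parses an apdeploy-style .ini and reports settings that would not work for a client on the Internet. The section and key names ([Horizon], proxyDestinationUrl, tunnelExternalUrl, blastExternalUrl, pcoipExternalUrl) follow the apdeploy .ini format; the host name ap.example.com and the addresses in the sample .ini text are constructed placeholders, and the validation rules are those stated in the answer above, not a VMware specification.

```python
"""Sanity-check the Access Point external URLs in an apdeploy-style .ini.

Added example (not VMware's code). Rules encoded here are the ones from the
answer above: tunnel and Blast external URLs are https://<public fqdn>:443 on
the same host; the PCoIP external URL is a literal, Internet-routable IPv4
address followed by :4172 with no scheme.
"""
import configparser
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1918 ranges: an Internet client can never reach these, so a PCoIP
# external URL pointing at one of them guarantees a black screen.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PCOIP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def check_horizon_section(ini_text):
    """Return a list of problems found; an empty list means the settings look right."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key case as written in the .ini
    cfg.read_string(ini_text)
    if not cfg.has_section("Horizon"):
        return ["missing [Horizon] section"]
    h = cfg["Horizon"]
    problems = []
    hosts = {}

    for key in ("tunnelExternalUrl", "blastExternalUrl"):
        value = h.get(key)
        if not value:
            problems.append(f"{key} not set (that gateway will not be used)")
            continue
        u = urlsplit(value)
        if u.scheme != "https":
            problems.append(f"{key} must start with https://")
        if (u.port or 443) != 443:
            problems.append(f"{key} should use port 443")
        if u.hostname is None:
            problems.append(f"{key} has no host name")
            continue
        try:
            ipaddress.ip_address(u.hostname)
            problems.append(f"{key} should use the public FQDN, not an IP address")
        except ValueError:
            hosts[key] = u.hostname.lower()
    if len(set(hosts.values())) > 1:
        problems.append("tunnelExternalUrl and blastExternalUrl name different hosts")

    pcoip = h.get("pcoipExternalUrl")
    if not pcoip:
        problems.append("pcoipExternalUrl not set (PCoIP gateway will not be used)")
        return problems
    m = PCOIP_RE.match(pcoip)
    if not m:
        problems.append("pcoipExternalUrl must be a literal IPv4 address followed by :4172, no scheme")
        return problems
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        problems.append(f"pcoipExternalUrl has an invalid IPv4 address {m['ip']}")
        return problems
    if m["port"] != "4172":
        problems.append("pcoipExternalUrl should use port 4172")
    if any(ip in net for net in RFC1918):
        problems.append(
            f"pcoipExternalUrl uses a non-routable address {ip}; Internet clients need the public NAT address"
        )
    return problems


# Constructed sample .ini fragments (placeholder host and addresses, not real config).
GOOD_INI = """
[General]
name=ap1

[Horizon]
proxyDestinationUrl=https://stc-vmconn-01.stc.ricplc.com:443
tunnelExternalUrl=https://ap.example.com:443
blastExternalUrl=https://ap.example.com:443
pcoipExternalUrl=203.0.113.10:4172
"""

# Blast URL missing and a private IP in the PCoIP URL: the black-screen case.
BAD_INI = """
[Horizon]
proxyDestinationUrl=https://stc-vmconn-01.stc.ricplc.com:443
tunnelExternalUrl=https://ap.example.com:443
pcoipExternalUrl=192.168.10.5:4172
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(label, check_horizon_section(text) or "OK")
```

Run it against the .ini you feed to apdeploy before redeploying; an empty result only means the values are well-formed, so you still need the inner firewall rules Mark lists (TCP/UDP 4172, TCP 32111, TCP 22443 from Access Point to the desktops) for the session to come up.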

7 Replies
pari2k3
VMware Employee

Hi,

Disable Tunnel and BSG/PSG at View Connection Server settings if the same has been configured with AccessPoint.

garymansell
Contributor

Hi thanks for getting back to me.

I was under the impression that I needed to tunnel / use PSG to ensure that the traffic between the client on the Internet and the VM's on the internal LAN went via both the AP in the DMZ and the View Connection Server on the LAN?

Otherwise there will need to be firewall rules to allow all the individual VM's (with dynamic IP's) access through the internal LAN/DMZ firewall interface, so that there is a path from the VM's to the AP and back out to the client on the Internet.

Is this not the case? Am I missing something here, can you explain?

Thanks

Gary

alienjoker
Enthusiast

Hi Gary,

As per the previous post, it is recommended that you disable tunnelling on the Connection Servers (otherwise you're tunnelling internally too, which will mean if you patch the View Connections, you will sever desktop connectivity). You will then need to change your Firewall rules to permit access from the DMZ Access Point appliance to the LAN Subnet hosting the VDI clients on TCP/UDP 4172.

To do this, replace the following rule you have defined:

4172 TCP and UDP to stc-vmconn-01.stc.ricplc.com and UDP 4172 back

with

4172 TCP and UDP to VDISubnet/XX (replace /XX with whatever the subnet mask is i.e. /23 or /24) and UDP 4172 back

Hope that helps!

Cheers

Andrew

garymansell
Contributor

OK, thanks both, I will give that a go

garymansell
Contributor

That was it - I had completely missed the part where I had to configure the tunneling on the Access Point !!!

Once I had done that and disabled the Tunneling and Secure Gateways on the internal View Connection server, I was up and running.

At least I was until I started tightening up all the firewall rules that I had been loosening and tweaking in order to try and get it working !!!

I think I will be OK now, just need to tweak the rules to get it working securely again.

garymansell
Contributor

All sorted now - thanks everyone
