VMware Horizon Community
BenFB
Virtuoso

Can BEAT run over a different port than UDP 8443?

We have multiple Unified Access Gateways (UAG) deployed behind a load balancer for remote access to our Horizon View environment. Currently we only allow TCP 443 from the Internet to our UAG for Blast Extreme. We would like to explore adding Blast Extreme Adaptive Transport (BEAT) which defaults to UDP 8443. I looked at the documentation and it indicates that you can run BEAT over UDP 443 but I'm not clear on how to do that.

We have our Blast External URL configured for 443 per the documentation. However, when initiating a connection to the UAG we see that it is still attempting to use UDP 8443.

Blast TCP and UDP External URL Configuration Options

Blast uses the standard ports TCP 8443 and UDP 8443. UDP 443 can also be used to access a desktop through the UDP tunnel server. The port configuration is set through the Blast External URL property.

In addition, do we need to configure IP forwarding rules? If so, does anyone have an example of what that would look like?

To configure ports other than the default, an internal IP forwarding rule must be added for the respective protocol when deployed. The forwarding rules might be specified on the deployment in the OVF template or through the INI files that are input through the PowerShell commands.

23 Replies
markbenson
VMware Employee

TCP 8443 for Blast is slightly more efficient as it goes direct to the BSG process on UAG. In the case of TCP 443, it takes a double hop, going to the esmanager process on UAG first and then being routed internally to BSG.

I agree that running it on TCP 443 gives greater access, for cases where TCP 8443 is not possible.

UAG supports both.

BenFB
Virtuoso

Is there a measurable difference between TCP 443 vs. 8443 for Blast? I'd like to continue to use TCP 443 but it would be good to know what impact, if any, our users are experiencing.

travis1w
Contributor

Obviously this is a very late response, but just wanted to reply for others.

We first looked at using only TCP/443 (configured in UAG) as well, since it's easier for those that might be blocked by their local firewall. Having TCP/443 configured with only around 300 users caused the standard-sized UAG to go to 100% CPU usage instantly. We started having delays in getting connected to a VDI desktop and complaints of sluggish connections. We almost immediately had to go back and change back to using 8443 instead.

From what I was able to gather before implementing the UAG, the sizing guides mentioned 2000 connections on a UAG. It doesn't say 2000 on a certain port/protocol. So, I think the documentation could be more clear for those looking to use 443 for their Blast configuration.

Unified Access Gateway System and Network Requirements

dreuss
Contributor

@markbenson, thanks for your responses here. Really appreciate the insight. We have a security requirement to only allow port 443 TCP/UDP externally, on the firewall. We're doing that now and it's working great for North American users. Unfortunately, users in India are having issues at certain times of the day, and I think it's network congestion, tied with high latency. The way to combat that would be using UDP, instead of TCP, but with this configuration, there does not appear to be a way to use both TCP and UDP through port 443. We do not need MMR, USB redirection, RDP, etc.

Question: Is there ANY WAY to allow BLAST/BEAT, over both TCP and UDP, through a single port?

Thanks!
