VMware Horizon Community
knkty
Enthusiast

External Blast connection Blank Screen

Hi,

At the beginning, when I was setting up Blast for a project for external users, the Blast port was set to the default 8443 and it was not working. I read in one of the discussions that it said to set the Blast port to 443 and add some entries to the locked.properties file.

locked.properties

checkOrigin=false

enableCORS=false

enableCSP=true

content-security-policy=font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:

portalHost=a.a.com

Everything was working fine until I started to do tests with load balancer products. It didn't work out and I reverted all the settings.

But now I cannot get the screen from a browser or a Horizon Client with the Blast protocol. I get a blank screen. But when I check the events I can see the logon process and there is no error. It says connected and the protocol is Blast. PCoIP works fine.

Internally, the browser and the Horizon Client work fine (PCoIP and Blast).

I read nearly all the discussions about this issue on the community but couldn't find any solution.

Connection servers settings.

[screenshot: pastedImage_1.png]

UAG settings

[screenshot: pastedImage_8.png]

Any ideas?

Thank you

Reply
0 Kudos
17 Replies
sjesse
Leadership

Do you have port 22443 open between your UAGs and the virtual desktops?

Reply
0 Kudos
knkty
Enthusiast

Yes, it is open. I didn't change any fw rules.

Reply
0 Kudos
nburton935
Hot Shot

I see you have a UAG in play. You should not be doing any sort of tunneling / BSG when connecting via UAG. Otherwise both the CS and UAG will attempt to proxy your connection to the agent and your connection will fail. You have PCoIP disabled which is why it is working.

Try turning it off on the Connection Server and report back your results.

That’s one of the beauties of UAG - you do not need any special configuration on your Connection Servers.

Reply
0 Kudos
knkty
Enthusiast

I disabled Blast on the connection server but it did not make any difference.

I can connect, and the system authenticates me. After I click on the desktop pool it starts loading and turns to a black screen.

And I can see my session on the Horizon console, protocol Blast.

Reply
0 Kudos
nburton935
Hot Shot

How many connection servers do you have? Is the UAG pointed to a specific Connection Server or load balancer? Only one UAG in play?

That configuration is specific to each CS. If load balanced, you'll need to go through each one and select "Do not use Blast Secure Gateway."

If they're all set that way, you are likely denying port 22443 somewhere between UAG -> VDA. You should be able to run "curl -v telnet://VDA:22443" from UAG and get an established connection. You can also run tcpdump 'port 22443' from UAG to see if you see the VDA responding back to the UAG's 22443 traffic when you try to establish the connection.

If you haven't already, run /etc/vmware/gss-support/install.sh on the UAG to enable tcpdump.

Troubleshooting Firewall and Connection Issues

Reply
0 Kudos
nburton935
Hot Shot

Ah - I just realized your Connection server name and Blast external URL on the UAG are configured the same. The Blast External URL, Tunnel URL, and PCoIP External URL should be the UAG name/IP (or load balanced name/IP if behind a VIP). This will tell the client to proxy the Blast/PCoIP connection via the UAG.

Upon connection, the connection is attempting to be proxied via the Connection Server URL, which is likely why it's breaking.

Reply
0 Kudos
knkty
Enthusiast

2 connection servers. Now the UAG points to 1 connection server and I have changed the connection server on the UAG to the connection server's IP address.

Reply
0 Kudos
nburton935
Hot Shot

Got it - see my previous post to see if that fixes your issue. Use the UAG name for your Blast/Tunnel URLs.

Reply
0 Kudos
knkty
Enthusiast

Changed the URLs to the UAG's IP address. The client works over Blast but browsers don't.

Reply
0 Kudos
knkty
Enthusiast

I am getting a Content Security Policy error message.

CSP14312: Resource violated directive 'default-src 'self'' in Content-Security-Policy: wss://a.a.com:8443 ..................................... Resource will be blocked.

I was getting this message when I first deployed the system, so I created the locked.properties file and added the lines (below) to it. After that it started to work from Edge with Blast.

It is the same file and the same values but I still get the error. I deleted and re-created the file.

checkOrigin=false

enableCORS=false

enableCSP=true

content-security-policy=font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:

portalHost=a.a.com

Reply
0 Kudos
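
Added example, not part of any post in this thread and not VMware code: a small evaluator showing which CSP directive governs a WebSocket connection (`connect-src`, falling back to `default-src`) and whether `'self'` covers a given `wss://` URL under exact-origin (level 2) or CSP Level 3 matching. The function names and the portal page URL `https://a.a.com/` are assumptions; only `'self'`, scheme sources and exact host sources are handled.

```javascript
// Added example (not VMware code): does a CSP allow a given WebSocket connection?
const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };

function originOf(u) {
  const url = new URL(u);
  const scheme = url.protocol.slice(0, -1);
  return { scheme, host: url.hostname, port: Number(url.port) || DEFAULT_PORT[scheme] };
}

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// level 2: 'self' means the exact page origin; level 3 also admits https/wss
// on the same host when the ports are equal or both scheme defaults.
function selfMatches(page, target, level) {
  if (page.host !== target.host) return false;
  if (level === 2) return page.scheme === target.scheme && page.port === target.port;
  const portsOk = page.port === target.port ||
    (page.port === DEFAULT_PORT[page.scheme] && target.port === DEFAULT_PORT[target.scheme]);
  const schemeOk = page.scheme === target.scheme || ['https', 'wss'].includes(target.scheme) ||
    (page.scheme === 'http' && target.scheme === 'ws');
  return portsOk && schemeOk;
}

function sourceAllows(src, page, target, level) {
  if (src === "'self'") return selfMatches(page, target, level);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.slice(0, -1).toLowerCase() === target.scheme;
  if (!src.includes('://')) return false;            // keywords such as 'none', 'unsafe-inline'
  const s = originOf(src);
  return s.scheme === target.scheme && s.host === target.host && s.port === target.port;
}

function checkWebSocket(policy, pageUrl, wsUrl, level = 3) {
  const directives = parsePolicy(policy);
  const governing = ['connect-src', 'default-src'].find(d => directives.has(d)) || null;
  if (!governing) return { governing, allowed: true };  // nothing restricts connections
  const page = originOf(pageUrl), target = originOf(wsUrl);
  return { governing, allowed: directives.get(governing).some(s => sourceAllows(s, page, target, level)) };
}

// Policy string as posted in the thread; the page URL is an assumed portal address.
const THREAD_POLICY = "font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:";
console.log(checkWebSocket(THREAD_POLICY, 'https://a.a.com/', 'wss://a.a.com:8443/'));
console.log(checkWebSocket("default-src 'self'", 'https://a.a.com/', 'wss://a.a.com:8443/'));
```

The posted policy carries neither `connect-src` nor `default-src`, so by itself it places no restriction on the WebSocket; a `default-src 'self'` in the error message therefore means a different policy is the one the browser enforced.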
nburton935
Hot Shot

Remove everything in locked.properties except for checkOrigin=false and reboot the CS. See if the problem persists.

-Nick

Reply
0 Kudos
knkty
Enthusiast

Removed everything except checkOrigin=false. Still the same.

Reply
0 Kudos
knkty
Enthusiast

By the way, I am doing my tests only with Edge.

Chrome or Firefox works okay.

Reply
0 Kudos
nburton935
Hot Shot

Ah, I thought you were referring to Edge from a network perspective, not a browser. Does Edge work internally (not going through UAG)?

Reply
0 Kudos
nburton935
Hot Shot

[screenshot: pastedImage_0.png]

Are you using a self-signed cert for testing?

VMware Horizon HTML Access 5.2 Release Notes

Reply
0 Kudos
knkty
Enthusiast

Everything works from inside.

I do my tests externally.

Reply
0 Kudos
knkty
Enthusiast

Actually, it was set to 443; after it broke down I switched it back to 8443.

When the port is set to 8443 I can connect with Horizon Client or Firefox/Chrome, but not with Edge.

When I set the port to 443 I can connect from everything but I get a blank screen.

I know it sounds weird, but I spent hours on this issue a couple of months ago and I have the notes from that time. I did everything but something breaks the process.

Reply
0 Kudos