VMware Horizon Community
PaoloV
Contributor

How to setup VDI to use it through a Juniper VPN appliance

Hi,

I am trying to use VDI through a Juniper VPN appliance but the connection to my VDM server fails.

Here are the details:

I log in to my VPN using a RADIUS server for authentication.

Once in, a Java application starts and creates a tunnel to my office network where the VDM server is.

Through the VPN appliance I browse to the VDM Web Access and log in to VDM, but at this point VDM fails and cannot create a tunnel (SSL failed to initialize).

The VDM server connection broker is allowed to route through the VPN appliance.

The VDM server has https/http/RDP protocols opened on our firewall that sits between the VPN appliance and the external network.

Is there anything you can think of that can help me with this situation?

VDI works perfectly within my LAN.

Thanks

Paolo

Jon_Holloway
VMware Employee

Hi Paolo

What is the exact error message you receive? Are you using VDM Web Access on Windows, Linux or Mac? If on Windows, what does the log report? (under C:\Documents and Settings\All Users\Application Data\VMware\VDM\logs)

Thanks

Jon

markbenson
VMware Employee

This happens if your VDM Web Access client (or VDM Client) can't connect to the VDM Connection Server using the server's fully qualified host name. The secure tunnel connection uses that by default to establish the secure HTTPS connection after you log in.

You can override this by setting an External URL on the VDM Connection Server (using VDM Administrator). This is described in the admin guide in the section on "Setting an Externally Resolvable Name on a Connection Server". See http://www.vmware.com/pdf/vdm20_manual.pdf

You might want to set this to the same URL you use to connect from VDM Web Access. Make sure the URL resolves on the internal network too. If you set the external URL you need to restart the service for it to take effect.

The alternative is to ensure your VDM Client can resolve the fully qualified host name of each VDM Connection Server. Test this by pinging your VDM Connection Server's FQHN through your VPN to ensure the routes are open. This connection is made on the standard HTTPS TCP port 443.

We use a similar setup to yours all the time and it works fine.

Mark.

PaoloV
Contributor

Hi Jon,

I am using VDM Web Access on Windows XP with IE6.

Here is the error message:

A connection to the VDM Server could not be established.

The SSL initiation failed.

and the log report:

10:18:39,843 INFO Windows Client started as ComServer

10:18:40,671 ERROR Socket: recv FAILED, size read = 16384, size received = 0

10:18:40,687 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

10:18:54,515 INFO VMware Silverstone Windows Client stopped

11:50:59,015 INFO Windows Client started as ComServer

11:50:59,265 ERROR Socket: recv FAILED, size read = 16384, size received = 0

11:50:59,312 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

12:02:44,812 INFO VMware Silverstone Windows Client stopped

12:03:22,750 INFO Windows Client started as ComServer

12:03:22,890 ERROR Socket: recv FAILED, size read = 16384, size received = 0

12:03:22,890 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

12:03:48,015 INFO VMware Silverstone Windows Client stopped

The VPN appliance is allowing the VDM server to route through port 443, is that the correct port for VDM to create a tunnel?

Regards

markbenson
VMware Employee

OK. Doesn't look like an External URL/routing issue then.

Some people have reported needing to modify MTU sizes for the VPN connection for this. I don't know how effective this is for this problem. It does look like a data transfer problem through the VPN; e.g. see some Juniper forum posts on this such as http://forums.juniper.net/jnet/board/message?board.id=SSL_VPN&message.id=333

Mark.

PaoloV
Contributor
Contributor

Hi Mark,

That implies using a public-facing IP address.

I thought the point of using a VPN was to avoid that.

Also, with an Internet-resolvable address anybody can access it even without the VPN.

Paolo

markbenson
VMware Employee

If you can ping the internal VDM Connection Server using its fully qualified host name then you won't need to set up an External URL. You only need to do that if you need to use a different hostname from the client. That depends on your routing. Externally resolvable names won't be required in your environment if you are using a VPN which allows full access to the VDM environment and name resolution etc. as though you were internal.

From the logs, it doesn't look like the initial connection failed. It failed while transferring data as part of the SSL negotiation. It looks like a data transfer problem when going through the VPN. This could be an MTU setting problem or it could be something else. It would be useful to compare the logs when going through the VPN with the logs from a direct internal connection to see if you can see a difference. In theory, using the VPN should make no difference, but clearly there is an issue here.

Thanks.

Mark.

PaoloV
Contributor

Hi Mark,

I can ping the connection server within the VPN; I also did an nslookup and I can resolve the FQDN of the connection server.

Here is the log from the internal network connection:

13:14:16,973 INFO Windows Client started as ComServer

13:14:17,645 INFO Tunnel Unnamed: connected to server 'hfeavdm01.hfea.gov.uk', start tunnel protocol

13:14:17,692 INFO Tunnel Unnamed authenticated Ok, set state = running

13:14:22,096 INFO RDP control version = 5.1.2600.2180

I will upgrade the OS on my Juniper VPN appliance, as the thread you sent me suggests that the newer version resolved the MTU issue.

Hopefully that will be it

Thanks

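Mark's suggestion of comparing the log from the VPN path with the log from the direct internal connection, written up as a small triage script. This is an added example of mine, not VMware code and not anything posted in the thread; the log lines are exactly the ones Paolo posted above, while the session splitting, the verdict names and the diff_paths helper are my own assumptions about how to read them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Client log lines copied from this thread: first the VDM Web Access client log
# captured through the Juniper VPN, then the same client on the internal LAN.
VPN_LOG = """\
10:18:39,843 INFO Windows Client started as ComServer
10:18:40,671 ERROR Socket: recv FAILED, size read = 16384, size received = 0
10:18:40,687 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0
10:18:54,515 INFO VMware Silverstone Windows Client stopped
11:50:59,015 INFO Windows Client started as ComServer
11:50:59,265 ERROR Socket: recv FAILED, size read = 16384, size received = 0
11:50:59,312 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0
12:02:44,812 INFO VMware Silverstone Windows Client stopped
12:03:22,750 INFO Windows Client started as ComServer
12:03:22,890 ERROR Socket: recv FAILED, size read = 16384, size received = 0
12:03:22,890 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0
12:03:48,015 INFO VMware Silverstone Windows Client stopped
"""

LAN_LOG = """\
13:14:16,973 INFO Windows Client started as ComServer
13:14:17,645 INFO Tunnel Unnamed: connected to server 'hfeavdm01.hfea.gov.uk', start tunnel protocol
13:14:17,692 INFO Tunnel Unnamed authenticated Ok, set state = running
13:14:22,096 INFO RDP control version = 5.1.2600.2180
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Could not start server (?P<server>\S+), reason: (?P<reason>.*)")
CONNECTED_RE = re.compile(r"connected to server '(?P<server>[^']+)'")
RUNNING_RE = re.compile(r"set state = running")


@dataclass
class TunnelVerdict:
    server: Optional[str]            # server name exactly as the client logged it
    state: str                       # running | peer_closed_before_handshake | other_failure | no_attempt
    elapsed_ms: Optional[int]        # client start -> line that decided the outcome
    evidence: list[str] = field(default_factory=list)


def _ms(ts: str) -> int:
    """'HH:MM:SS,mmm' -> milliseconds since midnight."""
    hms, millis = ts.split(",")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1000 + int(millis)


def split_sessions(log: str) -> list[list[dict]]:
    """One session per 'Windows Client started' line; lines that do not parse are skipped."""
    sessions: list[list[dict]] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        if "Client started" in entry["msg"] or not sessions:
            sessions.append([])
        sessions[-1].append(entry)
    return sessions


def triage_session(session: list[dict]) -> TunnelVerdict:
    start = _ms(session[0]["ts"])
    server: Optional[str] = None
    connected_at: Optional[int] = None
    for e in session:
        fail = FAIL_RE.search(e["msg"])
        if fail:
            reason = fail["reason"]
            # recv returning 0 bytes means the TCP connection was accepted (there was a
            # socket to read from) but the far end closed it before a single byte of the
            # TLS handshake came back: not a routing failure, a failure mid-transfer.
            if "recv FAILED" in reason and "size received = 0" in reason:
                state = "peer_closed_before_handshake"
            else:
                state = "other_failure"
            return TunnelVerdict(fail["server"], state, _ms(e["ts"]) - start, [e["msg"]])
        ok = CONNECTED_RE.search(e["msg"])
        if ok:
            server, connected_at = ok["server"], _ms(e["ts"])
        if server is not None and connected_at is not None and RUNNING_RE.search(e["msg"]):
            return TunnelVerdict(server, "running", connected_at - start, [e["msg"]])
    return TunnelVerdict(server, "no_attempt", None, [])


def triage_log(log: str) -> list[TunnelVerdict]:
    return [triage_session(s) for s in split_sessions(log)]


def diff_paths(path_a: str, path_b: str) -> dict[str, tuple]:
    """Fields that differ between the last session on each path (the comparison Mark asked for)."""
    a, b = triage_log(path_a)[-1], triage_log(path_b)[-1]
    return {f: (getattr(a, f), getattr(b, f)) for f in ("server", "state") if getattr(a, f) != getattr(b, f)}


if __name__ == "__main__":
    for v in triage_log(VPN_LOG) + triage_log(LAN_LOG):
        print(v.state, v.server, v.elapsed_ms, "ms")
    print(diff_paths(VPN_LOG, LAN_LOG))
```

The verdict keeps the server name as the client logged it, so the diff on these two logs shows two differences rather than one: the state, and the fact that the VPN-path attempts logged the short name hfeavdm01 while the LAN attempt logged the fully qualified hfeavdm01.hfea.gov.uk. That is the kind of concrete difference worth putting beside the MTU theory when the two paths are compared.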
JohnMNZ
Contributor

Hi Mark

Would you mind elaborating on your end to end configuration?

Specifically, the Juniper setup and the DNS / host entries required to access a VDM session via Juniper?

We are looking at setting this up.

Thanks

John

TomHowarth
Leadership

Moved to the more appropriate VDM forum.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
juice13
Contributor

I have used the Juniper SSL VPN "Network Connect" functionality to provide access to the VDM environment. I couldn't get it working with the regular Web Access feature (I think it was having some issues with the ActiveX re-writing), and the Juniper tech suggested that I try Network Connect.

Network Connect sets up a virtual network adapter on your client PC, and then, based on the rules you configure, it will open an SSL tunnel to your corporate network via that virtual adapter and IP address. So, my rules specify that http/https traffic destined for my VDM server's IP address should be redirected over this virtual adapter tunnel.

It seems to be working well so far. It is a little bit of a pain to set up the first time, as you have to assign a range of IPs on your corporate network that can be used for the virtual adapter, etc.

Regards

JohnMNZ
Contributor

Thanks Juice13.

I also got this running yesterday as a JSAM resource - Juniper Java Secure Application Proxy. This is a POC environment so this may not be the best way, but it works and doesn't require the Network Connect install, which can be an issue on non-trusted / no-admin-access machines!

Some details... The Juniper Authentication realm was already set up. Let me know if you'd like more details there.

A. DNS / Hosts - I set up an externally and internally resolvable name, e.g. vdi.ras.net. This allows the JSAM to advertise the

1. External DNS as a client loopback address: vdi.ras.net 127.0.10.1 (refer to Steps C.6 and D.2 for relevance to you).

2. Internally (set via Hosts on the Juniper) vdi.ras.net resolves to the internal VDM server IP address.

3. Set these properties on the VDM server in the file C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties:

clientHost=vdi.ras.net
clientPort=443
clientProtocol=https

4. Restart your VDM server.

B. Create a User Role which has a bookmark to your VDM server

1. URL vdi.ras.net

2. The Juniper must be able to resolve this to the internal name (set via Juniper host entry).

3. Juniper must also have 443 connectivity through your backend firewall to the VDM server.

Test - at this stage you should be able to access and log in to the VDM server home page via this Role (the tunnel won't work until after Step C).

C. Set up the JSAM App resource as per 'Defining resource profiles: JSAM' in the Juniper help (which I summarise here).

1. Users > Resource Profiles > SAM > Client Applications - New Profile

2. Type = JSAM

3. Application = Custom

4. Servername = vdi.ras.net (I installed a 1 box install so no security server since Juniper does the 2FA etc).

5. Serverport = 443

6. Client Loopback = 127.0.10.1

7. Client Port = dynamic (which ends up being 443 - same as server resource)

8. Select - Allow the JSAM to dynamically select a port.

9. Select - Create an access control policy allowing SAM access to these servers.

D. Assign the JSAM to the User Role which has the Web Bookmark back to your VDM server created in Step B.

Set the JSAM User Role Options - User Roles -> <your-role> -> SAM -> Options ->

1. Select Auto Launch SAM

2. Select Automatic host-mapping; this will auto-create a host entry (you can bypass this by using the DNS in Step A; I have left this here in case you don't have external DNS control and wish to test on a machine where the user has access to update the hosts file).

3. Select Auto-close JSAM window on sign out

Basic system flow.

User Browser <443 Front FW> Juniper <443 Back FW> VDM Server.
VDM Client <443> JSAM Loopback <443 Front FW> Juniper <443 Back FW> VDM Server.

1. User Browser hits the Juniper Realm and logs in, e.g. URL virtualdesktop.ras.net

2. JSAM starts and waits for the client to access the external DNS name vdi.ras.net on the loopback address, e.g. 127.0.10.1

3. User opens the bookmark to the internal server vdi.ras.net; the Juniper resolves it internally for this part.

4. User logs in to VDM.

5. VDM Client attempts to establish a tunnel; the VDM client uses the external address, which JSAM is listening on, and JSAM forwards the traffic to the internal vdi.ras.net IP - tunnel connection established.

Hope this helps. Cheers, John.

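The walkthrough above only works when four separately configured pieces agree: the three values in locked.properties, the external DNS record (step A.1), the Juniper host entry (steps A.2 and B.2) and the JSAM profile (step C). The script below checks that agreement. It is an added example of mine, not John's configuration and not VMware or Juniper tooling; the locked.properties values, hostname and loopback address are the ones from the post, while the Deployment and JsamProfile classes, the check_deployment function and the 10.0.0.25 address are my own constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# locked.properties content as given in the post (the path in the comment is the
# post's; the comment line itself is mine).
LOCKED_PROPERTIES = """\
# C:\\Program Files\\VMware\\VMware VDM\\Server\\sslgateway\\conf\\locked.properties
clientHost=vdi.ras.net
clientPort=443
clientProtocol=https
"""

KV_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value, '#' / '!' comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


@dataclass
class JsamProfile:                 # step C of the post
    server_name: str
    server_port: int
    client_loopback: str


@dataclass
class Deployment:
    locked_properties: str
    external_dns: dict[str, str]   # what the user's PC resolves (step A.1)
    juniper_hosts: dict[str, str]  # host entries on the Juniper (steps A.2 / B.2)
    jsam: JsamProfile


def check_deployment(d: Deployment) -> list[str]:
    findings: list[str] = []
    props = parse_properties(d.locked_properties)
    host, port, proto = (props.get(k) for k in ("clientHost", "clientPort", "clientProtocol"))

    # The VDM server tells the client where to build the tunnel; every other piece
    # of the chain must agree with these three values.
    if proto != "https":
        findings.append(f"clientProtocol={proto!r}: the tunnel must be advertised as https")
    if host != d.jsam.server_name:
        findings.append(f"clientHost={host!r} but the JSAM profile forwards {d.jsam.server_name!r}")
    if port != str(d.jsam.server_port):
        findings.append(f"clientPort={port!r} but the JSAM profile forwards port {d.jsam.server_port}")

    # Client side: the advertised name must land on the loopback JSAM listens on.
    lb = ipaddress.ip_address(d.jsam.client_loopback)
    if not lb.is_loopback:
        findings.append(f"JSAM client loopback {lb} is not in 127.0.0.0/8")
    ext = d.external_dns.get(host or "")
    if ext is None:
        findings.append(f"{host!r} has no external DNS record, so the client never reaches JSAM")
    elif ext != str(lb):
        findings.append(f"external DNS maps {host!r} to {ext} but JSAM listens on {lb}")

    # Juniper side: the same name must resolve to the real VDM server, never to loopback.
    internal = d.juniper_hosts.get(host or "")
    if internal is None:
        findings.append(f"Juniper has no host entry for {host!r}; bookmark and JSAM forwarding cannot resolve it")
    elif ipaddress.ip_address(internal).is_loopback:
        findings.append(f"Juniper host entry for {host!r} points at loopback {internal}, not the VDM server")
    return findings


# Working layout from the post; 10.0.0.25 is a constructed placeholder for the VDM server.
GOOD = Deployment(LOCKED_PROPERTIES, {"vdi.ras.net": "127.0.10.1"}, {"vdi.ras.net": "10.0.0.25"},
                  JsamProfile("vdi.ras.net", 443, "127.0.10.1"))

# Same layout with two constructed mistakes: http in locked.properties, and a JSAM
# loopback that does not match the external DNS record.
BAD = Deployment(LOCKED_PROPERTIES.replace("https", "http"),
                 {"vdi.ras.net": "127.0.10.1"}, {"vdi.ras.net": "10.0.0.25"},
                 JsamProfile("vdi.ras.net", 443, "127.0.0.1"))

if __name__ == "__main__":
    for name, dep in (("good", GOOD), ("bad", BAD)):
        print(name, check_deployment(dep) or ["consistent"])
```

Each finding names the component that disagrees, which matters here because a mismatch in any one of them produces the same symptom at the client: the VDM login page works (it goes through the bookmark) while the tunnel step fails.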
juice13
Contributor

John,

Great step-by-step posting there. I'm relatively new to using the SSL VPN, and have not used WSAM/JSAM yet. I agree that the installation of Network Connect is a definite issue.

If I recall correctly, when I looked at the JSAM/WSAM avenue it required the addition of a digital certificate for the new DNS name that you are publishing. I think that is why I didn't look into it further, as I didn't want to have to get another cert. I too am at the POC stage with the VDM, and want to use it via the Juniper and avoid the VDM security servers. I'm trying to make the Juniper our single entry point for remote access, and as you mentioned it can use 2-factor authentication as well.

Now that you've provided the details for JSAM I may give it a try.

Thanks

Justin
