BenFB
Commander

Can BEAT run over a different port than UDP 8443?

We have multiple Unified Access Gateways (UAG) deployed behind a load balancer for remote access to our Horizon View environment. Currently we only allow TCP 443 from the Internet to our UAG for Blast Extreme. We would like to explore adding Blast Extreme Adaptive Transport (BEAT) which defaults to UDP 8443. I looked at the documentation and it indicates that you can run BEAT over UDP 443 but I'm not clear on how to do that.

We have our Blast External URL configured for 443 per the documentation. However, when initiating a connection to the UAG we see that it is still attempting to use UDP 8443.

Blast TCP and UDP External URL Configuration Options

Blast uses the standard ports TCP 8443 and UDP 8443. UDP 443 can also be used to access a desktop through the UDP tunnel server. The port configuration is set through the Blast External URL property.

In addition, do we need to configure IP forwarding rules? If so, does anyone have an example of what that would look like?

To configure ports other than the default, an internal IP forwarding rule must be added for the respective protocol when deployed. The forwarding rules might be specified on the deployment in the OVF template or through the INI files that are input through the PowerShell commands.

BenFB
Commander

markbenson, do you mind weighing in on this?

Saaditani
Contributor

Hello,

I have the same problem. Internally everything works: the Horizon Client can connect, I log in and I can view my entitlements. However, externally through the NetScaler I can log in but it keeps trying to connect; I can't reach my entitled VMs.

Any ideas what the reason could be?

Note that HTML Access works externally, but the Horizon Client does not, whether on iOS/Android or PC.

BenFB
Commander

We are not having any issues with users connecting externally like you described. Did you reply to the wrong post?

BenFB
Commander

I just deployed 3.3.1 and I'm still unable to make this work. I'm thinking I need something like:

forwardrules=udp/443/10.20.30.40:8443

I've filed an SR with VMware to see if they can assist.

MikleF
Enthusiast

Hi,

Should be possible.

When specifying the UAG Blast Gateway you can use the following:

https://ap1.myco.com:443/?UDPPort=443

This should enable BEAT to run over port 443.

Is this how it is set up in your environment?

Kind regards,

Michael

BenFB
Commander

So when deploying a UAG with PowerShell, change the following line in the INI file?

blastExternalUrl=https://ap1.myco.com:443

to

blastExternalUrl=https://ap1.myco.com:443/?UDPPort=443

MikleF
Enthusiast

Yeah, should be OK.

Or you can access the management interface and change it there.

BenFB
Commander

Based on firewall logs it appears to now be trying UDP 443 instead of 8443 but we are seeing minimal traffic. Do you know of a way to confirm that BEAT is working?

MikleF
Enthusiast

You can install tcpdump on the UAG through usage of a script already on the UAG.

Script location: /etc/vmware/gss-support/install.sh

Check out this guide to using tcpdump to monitor ports for traffic. (There are other guides as well)

Even Gooder: Troubleshooting Port Connectivity For Horizon’s Unified Access Gateway 3.2 Using Curl A...

Use an older client (4.7 or earlier) where you can set the network connection quality yourself, and set it to poor.

This should force it to use BEAT always.

Also check the Blast ADMX GPO setting to allow UDP. (I think "not configured" by default means it is disabled.)

markbenson
VMware Employee

BenFB - If you only allow TCP 443 from the Internet you can't use Blast Extreme Adaptive Transport (BEAT) anyway. UAG does support Blast over TCP 443 though, so you can do everything from a Horizon client on just TCP 443 if required (Horizon XML, Horizon Tunnel and Horizon Blast - all on TCP 443). This is good for very restrictive environments. To do this you just append :443 to the blastExternalURL setting on UAG.

If you also want to support BEAT, then you should additionally open up UDP 8443. The clients will work out what's open anyway so if UDP 8443 is blocked, it will happily just use TCP 443 or TCP 8443 according to what you've set for the TCP port with blastExternalURL.

If you don't specify the TCP port for blastExternalURL then it defaults to TCP 8443. Similarly if you don't specify the UDP port it also defaults to UDP 8443. Lack of UDP port specification explains why you still see UDP 8443.

It is generally best to use defaults for the Blast/BEAT TCP/UDP port numbers. This is TCP 8443 and UDP 8443. We completely understand that in some cases, doing everything on TCP 443 is preferable, which is why we also support specification of :443 for TCP 443. The recommendation is therefore to use TCP 8443 and UDP 8443 for Blast/BEAT. If required, you can use TCP 443 instead of TCP 8443. TCP 443 as opposed to TCP 8443 is not quite as efficient, but allows connection in environments where only TCP 443 is permitted.

UAG also supports the ability to run BEAT UDP over a different port other than UDP 8443, although this is not a common requirement. The only restriction is that you can't use UDP ports already in use for other purposes, e.g. don't try this on UDP 443 as this port is already used for the Horizon UDP Tunnel Server (for Horizon Clients operating in "poor network condition" mode). Although not recommended, if you want to run BEAT UDP on say UDP port 27443 instead of UDP 8443, then you would specify 27443 for the UDP port on blastExternalUrl to get the client to use UDP 27443 and you would add a forwarding rule on UAG to forward incoming UDP 27443 datagrams to 127.0.0.1:8443. This is a forward rule of "udp/27443/127.0.0.1:8443". As I say, not recommended but it does work. Some customers use non-standard ports in order to share a single IP address among multiple UAGs when used without a source IP affinity load balancer, but in that case the load balancer forwards to UAG using UDP 8443 so no forward rule is needed.

BenFB
Commander

markbenson

I'm a little confused here. I'm allowing TCP/UDP 443 from the Internet to my UAG. My understanding is that Blast Extreme Adaptive Transport (BEAT) implies UDP and is what is used when the user has a poor network connection (See the below links). Is that the same as the Horizon UDP Tunnel Server?

https://blogs.vmware.com/euc/2017/09/deep-dive-horizon-blast-extreme-adaptive-transport.html

https://blogs.vmware.com/euc/2018/08/blast-extreme-network-intelligent-transport.html

https://blogs.vmware.com/euc/2017/03/blast-extreme-protocol-closer-look.html

We have a UAG deployment where we only allow the Blast display protocol. We are running the Horizon Primary Protocol and Secondary Protocol (BLAST) over TCP 443. I'm trying to find out if we can run BEAT over 443.

markbenson
VMware Employee

BenFB

Horizon UDP Tunnel is separate. This uses UDP 443.

Blast/BEAT uses TCP 8443 and UDP 8443. This is for the display protocol. There are options to use alternative ports for this as specified in the blastExternalUrl setting in UAG. e.g. if it ends with :443 then this forces the TCP part of Blast to use TCP 443 instead of the default of TCP 8443. There are also options to use a port other than UDP 8443 but it can't be UDP 443 as that is already in use by the Horizon UDP Tunnel. You'll also need forwarding rules on UAG or PNAT for this which gets complicated so it is best to use the default port numbers.

This diagram might also help - https://techzone.vmware.com/resource/network-ports-vmware-horizon-7

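The port rules markbenson lays out in his two replies above (TCP defaults to 8443 unless blastExternalUrl ends in :443, UDP defaults to 8443 unless a ?UDPPort= value is given, a non-default UDP port needs a udp/<port>/127.0.0.1:8443 forward rule, and UDP 443 and UDP 4172 are already taken) written up as a small config checker. This is an added example, not VMware's or anyone in the thread's code; it assumes the forwardrules INI value is a comma-separated list of proto/port/host:port entries, and the function names are mine.

```python
from urllib.parse import urlsplit, parse_qs

# UDP ports the thread says are already taken on UAG (constructed table from
# markbenson's replies: UDP 443 = Horizon UDP Tunnel Server, UDP 4172 = PCoIP).
RESERVED_UDP = {443: "Horizon UDP Tunnel Server", 4172: "PCoIP"}
BLAST_DEFAULT_PORT = 8443

def blast_ports(blast_external_url):
    """Return (tcp_port, udp_port) a Horizon Client derives from blastExternalUrl.

    No explicit port in the URL means TCP 8443; no ?UDPPort= means UDP 8443,
    which is why a URL ending in :443 alone still produces UDP 8443 traffic.
    """
    u = urlsplit(blast_external_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("blastExternalUrl must look like https://host[:port][/?UDPPort=n]")
    tcp = u.port or BLAST_DEFAULT_PORT
    query = parse_qs(u.query)
    udp = int(query["UDPPort"][0]) if "UDPPort" in query else BLAST_DEFAULT_PORT
    return tcp, udp

def parse_forward_rules(value):
    """Parse a forwardrules INI value (assumed comma-separated proto/port/host:port)."""
    rules = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        proto, port, target = item.split("/")
        host, target_port = target.rsplit(":", 1)
        rules.append((proto.lower(), int(port), host, int(target_port)))
    return rules

def check_blast_config(blast_external_url, forward_rules=""):
    """Return findings (an empty list means the config follows the thread's guidance)."""
    tcp, udp = blast_ports(blast_external_url)
    rules = parse_forward_rules(forward_rules)
    findings = []
    if udp in RESERVED_UDP:
        findings.append(f"UDP {udp} is already used by {RESERVED_UDP[udp]}; "
                        f"pick an unused UDP port or keep {BLAST_DEFAULT_PORT}")
    elif udp != BLAST_DEFAULT_PORT and not any(
            r == ("udp", udp, "127.0.0.1", BLAST_DEFAULT_PORT) for r in rules):
        # UAG itself still listens on UDP 8443, so a custom port must be forwarded there.
        findings.append(f"missing forward rule udp/{udp}/127.0.0.1:{BLAST_DEFAULT_PORT}")
    for proto, port, _host, _target_port in rules:
        if proto == "udp" and port in RESERVED_UDP:
            findings.append(f"forward rule on UDP {port} collides with {RESERVED_UDP[port]}")
    return findings
```

Running it against the URLs from this thread shows why "https://ap1.myco.com:443" still yields UDP 8443 and why both the ?UDPPort=443 URL and the udp/443/... forward rule are flagged.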
sjesse
Leadership

I've been following this, and if I understand correctly there is no way to just use 443 if you want BEAT; it works for Blast but not both. I remember reading that there was work done on the UAG to improve port sharing. Will it be possible in the future to use 443 for everything?

markbenson
VMware Employee

You should use UDP 8443 for BEAT.

There are cases where only TCP 443 is allowed. Certain client environments may block everything other than TCP 80 and TCP 443, or an internet facing firewall in a DMZ may only want to allow TCP 443. In this case, if the UAG blastExternalUrl ends in :443 this will still work. Blocked UDP will be detected and the display protocol will use just TCP 443. However if UDP 8443 is accessible then it will use that. This is the best of all worlds where if the default ports are accessible it will use them, but ultimately if only TCP 443 is allowed, it will still work. For many customers this is important.

The original question was "Can BEAT run over a different port than UDP 8443?". The answer is yes. Just don't use a port that is already in use by something else (e.g. don't try to use UDP 443, which is already used by Horizon UDP Tunnel). I don't see a good reason to switch from UDP 8443 to say UDP 21443. It's an unnecessary complication.

markbenson
VMware Employee

I believe the original question has been answered.

markbenson
VMware Employee

BenFB - are there any outstanding questions on this thread, or has it now been answered?

BenFB
Commander

Hi markbenson,

Thank you for clarifying.

Is the Horizon UDP tunnel server the same as Blast Extreme Network Intelligent Transport (BENIT) that is mentioned in the link you provided? Basically, if the Horizon Primary Protocol can't be completed over TCP 443, it will try UDP 443? My confusion is that I cannot find any reference to the Horizon UDP tunnel anywhere in the Horizon documentation. UDP 443 is also not listed as a required port in the Horizon documentation (Horizon 7 TCP and UDP Ports), so this is the first time I'm hearing of it.

markbenson
VMware Employee

BenFB - The Horizon Tunnel on UDP 443 is not related to Blast/BEAT. Blast/BEAT is a display protocol and uses TCP 8443 and optionally, also BEAT on UDP 8443. Some people use TCP 443 instead of TCP 8443 when they have a requirement that if everything is blocked other than TCP 443, things will still work.

The Horizon Tunnel on UDP 443 is separate. It is not a display protocol but an alternative to the control/authentication protocol (XML-API) that normally runs on TCP 443. It is used in "poor mode clients" where there is no TCP at all. Everything is UDP. Those clients start with Horizon Tunnel (UDP 443) to perform authentication and get the list of entitled desktops, then they launch a BEAT session on UDP 8443.

Refer to the Horizon ports diagram - Network Ports in VMware Horizon 7: VMware Horizon 7 version 7.2 - and note the communication between client and UAG. You'll see that Horizon Tunnel on UDP 443 is separate from Blast Extreme (TCP 8443/UDP 8443). The diagram uses default port numbers.

The reason you won't see documentation in Horizon Connection Server or Security Server guides about Horizon Tunnel on UDP 443 is because they don't support it. It is only supported between Horizon Clients and UAG.

Your original question was "Can BEAT run over a different port than UDP 8443?". The answer is yes, but don't change it to a UDP port already in use such as UDP 443 or UDP 4172 etc. Pick an unused port. Better still, leave it as the default of UDP 8443.

BenFB
Commander

markbenson, I think we are saying the same thing. :)

The link you provided lists Blast Extreme Network Intelligent Transport (BENIT) as the only thing that runs on UDP 443. That is why I was asking if it's essentially the Horizon Primary Protocol (XML-API) over UDP instead of TCP. If Blast Extreme Network Intelligent Transport (BENIT) is not the correct name for the UDP tunnel server, then the documentation at Network Ports in VMware Horizon 7: VMware Horizon 7 version 7.2 needs to be updated.

My plan is to leave TCP/UDP 443 open from the Internet to our UAG and add UDP 8443 for Blast Extreme Adaptive Transport (BEAT). I'll continue to run Blast over TCP 443.

Earlier in the thread you mentioned that moving Blast from TCP 8443 to TCP 443 is not as efficient. Can you expand on that? We are using TCP 443 since we found that TCP 8443 can be blocked on some networks that our users are connecting from, which we have no control over.
