VMware Horizon Community
Sinosh
Contributor

Cannot open RDP connection from internet

Hello all,

We deployed a security server in the DMZ and need to access VMs from the internet.

Ports 80 and 443 are open from the internet to the security server.

Ports 4001 and 8009 are open from the security server to the connection server.

Port 3389 is open from the security server to the ESX host.

I can open the View portal from the internet and can list the VMs after logging in, but I cannot connect to a VM.

After clicking the VM, a small spot appears at the top left of the screen and disappears after about 6 seconds. The RDP console does not appear. If I use the View Client to log in to the internet IP directly, it also lists the VMs but still cannot open an RDP connection. Everything is OK when I use it from within the internal network.

My View Administrator version is 3.0.1. In View Administrator, I set the external URL of the View server to its internal IP address, and the external URL of the security server to its internet IP address. I also generated the configuration file and put it on the security server. I have tested with 'direct connection to desktops' both checked and unchecked, but the result is the same.

Does anyone know how to resolve it? Thanks a lot in advance.

Regards, Sinosh

15 Replies
AndreTheGiant
Immortal

Try logging the firewall to see which ports are blocked.

The configuration seems fine, matching page 33 of http://www.vmware.com/pdf/view31_manual.pdf

But maybe there are some reply rules that are not working.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
admin
Immortal

Does your internal DNS work properly? You should try to ping from the server to the agent and from the agent to the server using the FQDN. Also check whether the Windows firewall is enabled on the agent; for testing purposes, disable it.

Regards,

Christoph

Don't forget to award the points if this answer was helpful for you.

Blog: http://communities.vmware.com/blogs/dommermuth

pjpg
Enthusiast

Are ports 3389 & 32111 open from the security server to each of the virtual PCs?

As a test, can you use MS's RDC to access the security server from one of the virtual PCs?

Can you use MS's RDC to access one of the virtual PCs from the security server?

..pjpg

Thanks, ...pjpg
Sinosh
Contributor

Thanks pjpg.

Currently we only open port 3389 from the security server to the ESXi host which hosts the virtual PCs. I cannot use RDC to connect from the security server to a virtual PC.

Do you mean that port 3389 needs to be open from the security server to all the virtual PCs?

As a test, I will change one virtual PC's IP to the same IP address as the ESXi host to see the result.

Sinosh
Contributor

Internal DNS has no problem: I can ping from the connection server to the agent, and also from the agent to the server. The firewall is disabled.

I'm just confused whether 3389 should be opened from the security server to the ESX server or to the virtual PCs. Does the RDP connection flow from the security server to the virtual PCs directly, or through the ESX server?

pjpg
Enthusiast

As far as I know, the RDP connection flows from the security server to the virtual PCs. When testing the link, I like to use RDC from the security server to one of the virtual PCs, and RDC from a virtual PC back to the security server.

Port 32111 will also be needed when you move to VMware View 3.1.

..pjpg

Thanks, ...pjpg
Sinosh
Contributor

I have changed the IP address of the virtual PC to the ESX host's IP, which is open in the firewall on port 3389.

Now I can RDP to the virtual PC from the security server. But I still cannot open an RDP connection from the internet. Any idea?

Does port 3389 need to be opened two-way? Meaning also opened from the virtual PC to the security server?

pjpg
Enthusiast

Well, the chart says no (page 33 of http://www.vmware.com/pdf/view31_manual.pdf ), but that is how I have it set up here.

My virtual PCs can open an RDP connection to the security server. And darn handy it is too; saves me walking out to our server room to make changes.

I know you said you had them open, but if you haven't already, then you might want to try using a telnet client to test the other opened ports.

Can you open a telnet session from your security server to the connection server using port 4001 (telnet xxx.xxx.xxx.xxx 4001)?

Can you open a telnet session from your security server to the connection server using port 8009 (telnet xxx.xxx.xxx.xxx 8009)?

Can you open a telnet session from your virtual PC to the connection server using port 4001 (telnet xxx.xxx.xxx.xxx 4001)?

...pjpg

Thanks, ...pjpg
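A scripted version of the telnet checks suggested in the post above, added here as an example and not part of the original thread. It probes each TCP flow the thread is concerned with (security server to connection server on 4001 and 8009, security server to a desktop on 3389 and 32111) with a short timeout and, unlike a bare telnet, tells a connection that is silently dropped (a firewall with no matching rule, or no reply rule) apart from one that is actively refused (host reachable, but nothing listening or a host firewall rejecting). The host names in CHECKS are placeholders to replace with your own; the loopback helpers exist only so the script can be self-tested offline.

```python
import socket
from dataclasses import dataclass


@dataclass
class PortCheck:
    label: str
    host: str
    port: int


# Flows from the thread. Host names are assumed placeholders, not real systems.
CHECKS = [
    PortCheck("security server -> connection server", "connection-server.example.internal", 4001),
    PortCheck("security server -> connection server", "connection-server.example.internal", 8009),
    PortCheck("security server -> desktop", "desktop-01.example.internal", 3389),
    PortCheck("security server -> desktop (View 3.1+)", "desktop-01.example.internal", 32111),
]


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    Returns one of:
      'open'        - three-way handshake completed, something is listening
      'refused'     - RST received: host reachable, port closed or rejected
      'timeout'     - no reply at all: typically dropped by a firewall in the path
      'unreachable' - ICMP unreachable or routing failure
      'unresolved'  - DNS lookup failed (check internal DNS from this host)
    """
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def run_checks(checks=CHECKS, timeout: float = 3.0):
    """Run every PortCheck and return a list of (label, host, port, result)."""
    return [(c.label, c.host, c.port, check_port(c.host, c.port, timeout)) for c in checks]


def open_test_listener():
    """Listening socket on loopback, port chosen by the OS (for offline self-test).

    A listening socket completes the handshake without accept() being called,
    so connect() succeeds against it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Self-test against loopback so the classification can be seen without real hosts.
    listener, port = open_test_listener()
    print(f"loopback:{port} while listening -> {check_port('127.0.0.1', port)}")
    listener.close()
    print(f"loopback:{port} after closing   -> {check_port('127.0.0.1', port)}")

    # Real run against the placeholder hosts; expect 'unresolved' until replaced.
    for label, host, tcp_port, result in run_checks():
        print(f"{result:12s} {host}:{tcp_port}  ({label})")
```

Run it on the security server itself so the probes originate from the same source address the firewall rules are written for; a 'timeout' on 3389 toward a desktop while 4001/8009 toward the connection server are 'open' reproduces the situation in this thread.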
Sinosh
Contributor

From the security server to the connection server, telnet to 4001 and 8009 works.

From the virtual PC to the connection server, telnet to 4001 works.

I'll try to set up a two-way 3389 firewall rule from the virtual PC to the security server...

Sinosh
Contributor

After testing, I can connect to the virtual PC from the internet now.

Actually I didn't set the two-way 3389 connection on the firewall; I just disabled the 'direct connection to desktop' option in View Administrator, and then I could connect to the virtual PC. It seems this option directs the RDP connection through the security server to the virtual PC.

If I enable 'direct connection to desktop', it will then direct the RDP connection from the View Client to the virtual PC and bypass the security server, right?

If that's true, then I have to configure the firewall to allow 3389 from the security server to all virtual PCs? That would possibly be rejected by our firewall team...

Is there an alternative way to configure the RDP channel from the security server to one server (like an RDP agent) instead of to many (maybe 1000+) virtual PCs?

If anyone from VMware could give me an official answer... thanks.

mittim12
Immortal

Just deploy a replica connection broker that doesn't utilize direct connect and point your security server to this box. Leave direct connect enabled on the other servers, as this will allow the other connection broker and replica servers to utilize direct connect for internal resources.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

Sinosh
Contributor

Mittim, could you describe how to deploy it in detail?

Is this replica server located in the internal network or the DMZ?

If I don't misunderstand, I will deploy another server in the internal network; during installation, I choose "replica server", then point port 3389 from the security server to this replica server, and disable "direct connection to desktop" for this replica server.

Then allocate the virtual PCs which need to be accessed from the internet to this replica server.

Am I right?

mittim12
Immortal

This replica server would be on the internal network. If you remember, when you installed the security server you were prompted for a connection broker/replica server. Use the replica server you just created and you should be good to go.


Sinosh
Contributor

Mittim, if I set up a replica server, besides port 3389, should I also open ports 4001 and 8009 from the security server to the replica server?

Can I use the existing standard connection server and open 3389 from the security server to it, so that all RDP goes through the standard server to the virtual PCs?

shajith
Contributor

Hi,

I have found a solution for this.

I am running VMware VDI with the following environment:

Inside the virtual network, a "Host Only" network with network segment 192.168.1.0/24.

My physical network is "Bridged" with 192.168.0.0/24. VDM 3.1 is running on Windows Server 2003, which is running ICS to the outside with one more "Host Only" network adapter.

My Active Directory inside the "Host Only" VM network is Windows Server 2008.

My client is a "Windows XP Professional" VM on the VM network, which holds the agent for VDM.

I had the same issue with external access to the VDI.

But I enabled Routing and Remote Access on my ICS host (Windows Server 2003) and made a route to outside the physical network.

And in my physical firewall I made a route to inside the virtual LAN through the VDM "Bridged" network.

And then I was able to access my VDI from outside the virtual LAN as well as from the internet.
