VMware Horizon Community
dawho9
Enthusiast

Connection problem with VMware View Security Server | Authentication works

Afternoon all. Just wondering if anyone has any suggestions for the following error. So I have a Security server that allows successful authentication to the server and I'm allowed to select the desktop. However, when I attempt to connect to a specified desktop I get the following error in the event viewer:

desktopGetConnection (desktop-connection) response xml ERROR = failed launching desktop: java.lang.Exception: Error raising port: Session has not connected yet

Everything works great internally. For outside config, I have set my external address and port in the configuration and successfully made and copied over my locked.properties file.

Thanks everyone,

Richard

11 Replies
mittim12
Immortal

Just curious if you are using the direct connection option or connecting through the Security server?

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

knudt
Hot Shot

Have you opened the internal firewall ports to allow port 3389 to the virtual desktops? One goofy thing with the security server is that it will talk directly to the virtual desktops at this stage.

If you find this or any other post helpful, please award points. Mark thread as answered if question was answered successfully.

Brian Knudtson

vExpert, VCP, VAC

dawho9
Enthusiast

Direct Connection is not enabled. I get no error when I have direct connection enabled; it just says the session is not available and could be busy if it's enabled.

As for firewall, I can successfully RDP from the connection server to the guest VMs. So the firewall is open and allowing connections.

Thanks,

Richard

mittim12
Immortal

If you are not using direct then as the other poster said you will need port 3389 unblocked from the Security server to the desktops. I know you said you could remote desktop from the connection broker but what about the security server?

dawho9
Enthusiast

Sorry, mistype. I can RDP from both the security server and the connection server to the VMs.

Richard

mittim12
Immortal

I would start with verifying each of the DMZ ports listed in the Admin guide. You have already knocked out 3389 so there are only a couple left. These can be found on page 34 of the admin guide. They include 3389, 4001, and 8009 for the backend.

admin
Immortal

The HTTPS connection from the client goes to the Security Server. From there the server speaks JMS and ARJ with the Broker. If authenticated correctly the broker gives the list of entitled desktops back to the client. If you start a session, the client talks SSL/HTTPS with the Security Server and the Security Server connects to the virtual desktop via 3389/RDP. So be sure that the Security Server can talk to the virtual desktop via 3389 and the FQDN/DNS are working.

Thanks,

Christoph
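
A reachability check for the backend paths this thread keeps coming back to (3389 to the desktops, 4001 and 8009 to the Connection Server), which also separates a name-resolution failure from a blocked port. This is an added example, not part of the original post or of VMware's tooling; the host names are hypothetical and the script is meant to be run on the Security Server itself.

```python
import socket

# Backend rules discussed in this thread, checked from the Security Server.
BACKEND_RULES = {
    "connection_server": [4001, 8009],  # JMS and AJP13 to the Connection Server
    "desktop": [3389],                  # RDP to each virtual desktop
}

def check_tcp(host, port, timeout=3.0):
    """Classify one TCP path as 'open', 'refused', 'filtered' or 'dns-failure'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return "dns-failure"            # name is malformed or does not resolve
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "open"
        except ConnectionRefusedError:
            return "refused"            # host reachable, nothing listening
        except OSError:
            return "filtered"           # timeout or unreachable: likely a firewall drop

def audit(targets, rules=BACKEND_RULES, timeout=3.0):
    """targets maps a role to host names; returns (role, host, port, state) tuples."""
    return [(role, host, port, check_tcp(host, port, timeout))
            for role, hosts in targets.items()
            for host in hosts
            for port in rules[role]]

def failures(results):
    """Keep only the paths that did not complete a TCP handshake."""
    return [r for r in results if r[3] != "open"]

if __name__ == "__main__":
    # Hypothetical FQDNs: replace with your own Connection Server and desktops.
    targets = {
        "connection_server": ["view-cs01.example.internal"],
        "desktop": ["vdi-001.example.internal"],
    }
    for role, host, port, state in audit(targets):
        print(f"{role:18} {host}:{port} -> {state}")
```

A "filtered" result on 4001 or 8009 points at the DMZ backend firewall, while "dns-failure" points at the FQDN/DNS problem mentioned above rather than at a port rule.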

jbrown2
Contributor

Does anyone have any timelines for View supporting remote access without requiring us to open up 3389 from the security server to all of the desktops? In order to support adding existing physical desktops to View we'd essentially need to open up RDP to the whole network since we use DHCP for all our desktops/laptops... The RDP connection should really be pushed to the connection broker and then it should establish the connections...just like when connecting from inside the network using the non-direct connection method.

CWedge
Enthusiast

I'm also in the process of having VMware update their docs to include port 4100.

Put a sniffer on the network and you'll see all things VIEW talking over 4100 dooh!!

markbenson
VMware Employee

I know this post is quite old now but I missed it before. Just to be clear, TCP port 4100 is not required between Security Server and Connection Server and therefore does not need to be opened in any external firewall. It is for JMS Inter router traffic which is only used between multiple Connection Servers on the internal network. See VMware KB: Network connectivity requirements for VMware View Manager 4.5 and later 

This problem will be caused by the DMZ backend firewall ports not being correctly set and is unrelated to JMS IR 4100 traffic. See http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-architecture-planning.pdf table 5-2 for the full list of DMZ backend firewall rules needed and this quite rightly does not include TCP 4100.

Mark

markbenson
VMware Employee

jbrown2 wrote:

In order to support adding existing physical desktops to View we'd essentially need to open up RDP to the whole network since we use DHCP for all our desktops/laptops...

You should only open up ports to desktops (PCoIP and/or RDP) from Security Servers only. This way you get the assurance that only traffic on behalf of View authenticated users can go to your desktops and only to the desktops that the user is authorised to access. Doing a double hop for PCoIP or RDP is not necessary and would just slow down the user experience. I agree that opening up RDP to any desktop from any DMZ server or directly from the Internet would be bad.

Mark
