VMware Horizon Community
VMLicColAdmin
Enthusiast

Eliminate security server from setup

Hi,

We have a View Connection 4.6 server at 10.10.1.1 and a security server at 10.10.1.2. Internally, view.company.com resolves to 10.10.1.1, externally this resolves to an external IP on the firewall which is then forwarded to 10.10.1.2 server. Everything works fine for both internal and external clients.

Now, since we keep security server in the same network as connection server (we have no DMZ), the security server doesn't appear to provide us with benefits for which it was designed. We'd like to eliminate this server from the setup, leaving only one connection server to serve both internal and external clients.

To this end, we have tried this: A) set up firewall forwarding to go to the connection server instead of the security server, and B) set the PCoIP Secure Gateway external URL to externalIP:4172 instead of 10.10.1.1:4172 (to match what is configured on the security server). Once this is set up, external clients can connect fine; however, internal clients cannot connect to their desktops. They can log in, authenticate, get to the point where they choose their designated desktops, and then the connection fails, saying the desktop can't be connected or something to that effect (unfortunately I don't have the exact wording).

I've contacted support about this and they suggested that this is by design and that View can't work off a single server, or at least that it is not supported, and suggested we log a feature request. I'm sure this can be made to work and there are setups out there that run on a single box for testing or in production for smaller shops.

I sort of suspect internal DNS resolution still resolves view.company.com to 10.10.1.1, and the new PCoIP external URL may be messing with this, but if we are to point this to the external IP then we create a dependency on the firewall, and that's not a good solution for us.

I'd appreciate if someone can point me in the right direction.

Thanks

advref
Contributor

We are running VMware View with only a Connection Server, and both internal and external clients (Windows and iPad) connect to their virtuals just fine.

Under our connection server config, we have the URL that everyone connects to with port 443 at the end, and then we have the external IP address as the PCoIP address with port 4172 at the end.

Are you using a vCenter to host your pools? Or are you using a terminal server or physical machines?

We are only using the vCenter with dedicated virtuals for each user and are not using the Composer.

I would also check your DNS. We have the URL pointing to an internal IP address. Also check the DNS on the client machines. They may need to have the DNS cache flushed and reloaded for the internal users.

markbenson
VMware Employee

The disadvantage of having a single Connection Server to support internal and external users is that internal users will then have their desktop traffic (PCoIP) gatewayed through the Connection Server. For internal users, this is not as efficient as doing PCoIP directly between View Client and virtual desktop.

By installing a second Connection Server (a replica instance) you get the best of both worlds. Remote users (using one of the Connection Servers) have their PCoIP gatewayed through the Connection Server. Internal users perform PCoIP directly, giving a better user experience.

This setup has other benefits too. You can use tagging on pools to ensure that some pools are only available to internal users etc. You can't do this if you try to do everything through a single Connection Server.

These are the reasons why we recommend having dedicated Connection Server(s) for the internal and external case.

Mark

VMLicColAdmin
Enthusiast

Here is what we have:

View Configuration > Servers > under View Connection Servers, we have only one, and its properties are:

Tags: empty, nothing here

HTTP(S) Secure Tunnel:

     External URL: https://view.domain.com:443

PCoIP Secure Gateway:

     PCoIP External URL: IP:4172

What do your settings look like? Should the PCoIP External URL field be populated with "view.company.com:4172" instead of "IP:4172"? In that case external and internal clients would resolve view.company.com to the external and internal IPs as appropriate, based on their DNS? So external clients go in through the firewall while internal ones go direct to the box?

Thanks

markbenson
VMware Employee

Test wrote:

Should the PCoIP External URL field be populated with "view.company.com:4172" instead of "IP:4172"?

No. The PCoIP External URL must be IP address based. PCoIP requires this.

The recommendation is to have two Connection Servers. This allows internal users to connect PCoIP directly between the View Client and View Desktop.

Mark.

VMLicColAdmin
Enthusiast

I don't have a problem with clients going through the View Connection server. I'd still like to maintain one server for this, and it obviously can be done. It just seems we've tried the recipe above, and while external clients were OK, internal ones couldn't connect.

If someone is running a single-server setup, I'd appreciate it if they can post their relevant settings.

Thanks

markbenson
VMware Employee

If you don't mind the PCoIP always going via the Connection Server, you can just set the PCoIP External URL to the external IP address. This is what your internet users will use to connect PCoIP via the Connection Server. You will also need to make sure that when the internal users use this same external IP address, the PCoIP connection will route to your Connection Server.

Mark

VMLicColAdmin
Enthusiast

That's what we tried, but when we put in the external IP only external users can connect, while internal ones can't. Also, the problem with that is that they would have to bounce through the firewall, and that piece I'd like to avoid. I don't mind internal users going through the View Connection server, but they shouldn't go bouncing off the firewall too.

I'd still like to see someone's settings for a sanity check...

markbenson
VMware Employee

If you want to do this with a single Connection Server, then you'll have the same IP-address-based "PCoIP External URL" for both internal and external users. This means that the same IP address for the PCoIP connection will be used by internal and external users. The only way you can do this is if you allow the internal users to connect to the Connection Server on this same IP address.

Doing it any other way will require you to either deploy a Security Server or deploy an additional replica Connection Server. Either will work.

Mark.

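As an added example (not code from VMware or from anyone in this thread), the following checker encodes the configuration rules the thread settles on: the HTTP(S) Secure Tunnel External URL is an https host on 443, the PCoIP External URL must be an IP literal (not a DNS name) on 4172, and when that IP is not an RFC 1918 address, internal clients will only reach the single Connection Server if the firewall routes the external IP back inside. The sample values (10.10.1.1, 203.0.113.5, view.domain.com) are constructed for illustration.

```python
"""Sanity-check single-Connection-Server gateway settings (added example)."""
import ipaddress
from urllib.parse import urlsplit

TUNNEL_PORT = 443
PCOIP_PORT = 4172
# RFC 1918 ranges: addresses internal clients can reach without the firewall.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HAIRPIN_WARNING = ("PCoIP External URL is a non-RFC1918 IP: internal clients will send "
                   "PCoIP to the firewall, which must route it back to the Connection Server")
NOT_IP_ERROR = "PCoIP External URL must be an IP address, not a DNS name"


def check_tunnel_url(url):
    """Return a list of problems with the HTTP(S) Secure Tunnel External URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("tunnel URL must use https")
    if not parts.hostname:
        problems.append("tunnel URL has no host")
    if parts.port not in (None, TUNNEL_PORT):
        problems.append(f"tunnel URL port {parts.port} is not {TUNNEL_PORT}")
    return problems


def check_pcoip_url(value, client_is_internal=True):
    """Return problems with a PCoIP External URL given in the 'IP:port' form.

    client_is_internal selects which client population is being evaluated: internal
    clients need a route to the configured IP without relying on the firewall.
    """
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return ["PCoIP External URL must be <ip>:<port>"]
    problems = []
    if int(port) != PCOIP_PORT:
        problems.append(f"PCoIP port {port} is not {PCOIP_PORT}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname such as view.company.com is rejected
        return problems + [NOT_IP_ERROR]
    if client_is_internal and not any(ip in net for net in RFC1918):
        problems.append(HAIRPIN_WARNING)
    return problems


if __name__ == "__main__":
    # The thread's working external setting, evaluated from an internal client's view.
    for p in check_pcoip_url("203.0.113.5:4172"):
        print("WARN:", p)
```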