VMware Horizon Community
etsmc
Contributor

External Access View and Workspace

Have a question on external access with Horizon View and Horizon Workspace; thought I would ask it here as there seems to be more activity.

We would like users to be able to access Horizon View externally, which we can do by forwarding ports 443, 4172 and 8443 to our security server, but the problem comes when we also want them to access Horizon Workspace, as this also requires 443 to be forwarded to the gateway.

Ultimately what we would like is the user to be able to log in to the Horizon Workspace site and then select their desktop and connect to it either through HTML Access or the View client.


Any tips on how we can do this preferably without changing ports?

0 Kudos
4 Replies
Schenkewitz
Contributor

Hi,

you have one option: realizing it with two public IP addresses.

IP 1: VMware View 443, 4172, 8443
IP 2: VMware Horizon Workspace 443

To implement this you need a gateway or firewall appliance which can deal with this. We used Microsoft's Forefront Threat Management Gateway Server 2010 and also publish Microsoft Exchange 2013 OWA, OA, OAS, OAB and a handful of SharePoint 2013 sites.

You also have to implement the Horizon Workspace FQDN with Split-DNS: FQDN "workspace.company.com" for internal access with the internal IP address (172.16.xxx.xxx), and FQDN e.g. "workspace.company.com" with the external public IP address (xxx.xxx.xxx.xxx) and DNS. All internal clients use your internal IP address to connect with Workspace, and all external devices will resolve your FQDN to the external public IP address and use this to connect with Workspace.

0 Kudos
adamRbarber
Enthusiast

Thanks, we ended up trying a few different reverse proxies to get this working, and the one that got it all working was HAProxy running in TCP mode.

We now have separate DNS records for VIEW and HORIZON pointing to our public IP, and from there HAProxy sends it to the relevant gateway. Then, as you said, we have the split-DNS handling the internal requests.

The good thing about HAProxy is that we should be able to load balance if we need to add another gateway for VIEW or HORIZON.

0 Kudos
access360
Enthusiast

Would you be able to share the setup of the HAProxy? I've been struggling with various proxy/reverse proxy servers to get external access with Workspace and View. I have it all working if you opt for RDP View connections, but would prefer both Blast and PCoIP for external access. I've tried NGINX as well as HAProxy without much luck. From what I see in Wireshark captures, internal requests to get a View desktop send a packet which starts the UDP PCoIP session - coming in on 4172 and going out (on the LAN) to a UDP port in the 50000 range. When I attempt to get the desktop over the WAN, I see the request for PCoIP comes in from the public IP, but the UDP PCoIP session never starts. This reminds me of my first Citrix gateway configuration! Lol

0 Kudos
adamRbarber
Enthusiast

We are using one of the latest development builds as we couldn't get it working with the latest stable release.

443 is the only port forwarded to the reverse proxy; 4172 is forwarded straight to the security gateway.

Our config is:

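    global
        maxconn 4096
        pidfile /var/run/haproxy.pid
        daemon

    defaults
        log 127.0.0.1:514 local0 debug
        log 127.0.0.1:514 local1
        mode tcp
        retries 3
        option redispatch
        maxconn 2000
        # "timeout ..." replaces the deprecated contimeout/clitimeout/srvtimeout keywords (values in ms)
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        # stats pages are only served by HTTP-mode proxies; change admin:admin before relying on them
        stats enable
        stats auth admin:admin

    frontend test
        bind :443
        mode tcp
        log global
        # wait up to 5s for the TLS ClientHello so the SNI can be read
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        # route on the requested host name; TLS is passed through, not terminated
        use_backend VIEW_BE if { req_ssl_sni -i view.PublicDomainName }
        use_backend HORIZON_BE if { req_ssl_sni -i horizon.PublicDomainName }
        default_backend VIEW_BE

    backend VIEW_BE
        log global
        server view (view Security GatewayIP):443

    backend HORIZON_BE
        log global
        server horizon (horizon gateway IP):443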

Hope this helps

0 Kudos
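What the frontend's `req_ssl_hello_type 1` and `req_ssl_sni` rules do, as an added Python sketch that is not part of the thread and is not HAProxy's code: it reads the server name from the unencrypted TLS ClientHello and picks a backend without terminating TLS. The `example.com` host names, the function names and the ClientHello produced by `build_client_hello` are constructed for illustration.

```python
import struct

# Routing table mirroring the thread's frontend; host names are constructed placeholders.
ROUTES = {"view.example.com": "VIEW_BE", "horizon.example.com": "HORIZON_BE"}
DEFAULT_BACKEND = "VIEW_BE"

def build_client_hello(host=None):
    """Constructed minimal ClientHello record for the demo (not a captured packet)."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name, length, name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS handshake record

def client_hello_sni(data):
    """Return the SNI host name (lower-cased, like the ACL's -i), "" if the
    ClientHello carries none, or None if the bytes are not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:       # what req_ssl_hello_type 1 checks
            return None
        pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                         # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]       # cipher suites
        pos += 1 + data[pos]                         # compression methods
        if pos >= len(data):
            return ""                                # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:                        # list len (2), name type (1), name len (2)
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += ext_len
        return ""
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                  # truncated or malformed input

def pick_backend(data):
    # No use_backend rule matches an unknown, missing or unparsable SNI: default_backend wins.
    return ROUTES.get(client_hello_sni(data), DEFAULT_BACKEND)
```

Anything without a matching SNI, including clients that send none, ends up on `default_backend`, so that backend receives all unsolicited traffic arriving on 443.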