VMware Horizon Community
CptvSAN
Contributor

External Blast Secure Gateway access via UAG

Hello Everybody,

I have a strange problem at multiple customer sites and I hope you can help me with it.

Scenario:

  • 2 UAGs (3.10)
    • One-Nic configuration
    • load balanced via internal mechanism
    • positioned inside the DMZ
    • only connections via BSG allowed
    • DNAT from external IP to DMZ UAG VIP
  • 2 Connection Servers (7.13)
    • 443 load balanced via CTX ADC
    • no tunnel configuration

So far so good...

Internal connections via client are fine. Connections via browser are not necessary.

External connections via BSG TCP/UDP 8443 sometimes work, sometimes not. I figured out that if I use the external BSG port 443 instead of 8443, the connection works fine. So it seems to be a problem with the standard BSG port TCP/UDP 8443. I have checked the firewalls many times and don't find any solution for the problem.

I usually want to use the BSG port TCP/UDP 8443 because of BEAT. As far as I know, the BEAT feature is not available if I use port 443 instead of 8443.

Do you have any recommendations or ideas for this issue?

Many thanks for your answers!

8 Replies
nburton935
Hot Shot

It sounds like you are missing a persistence group on the ADC. When you originally auth via 443, your 8443 connection can load balance to the other UAG which you have not authenticated to, so your session fails. Persistence group ensures your 8443 connection will remain on the same node as your 443 connection.

See this article on how to create a persistence group on Citrix ADC, which should fix your issue. Just add your 8443 and 443 virtual servers to this group.

https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-persistence/p...

CptvSAN
Contributor

Hi,

thank you for your reply.

Since we have no Citrix LB for 8443 (we only load balance 443 in front of the connection servers for auth. purposes), we don't need persistence groups.

The UAGs are load balanced via the internal high availability mode, not via ADC.

The error does not appear in the auth. process. It appears in the session establishment process.

Via external HTML connection we've got the Error: "Failed to resolve proxying route for request."

nburton935
Hot Shot

Gotcha - so no load balancer in front of UAGs. Can you confirm that on each UAG, you have the individual UAG name set for the Blast and Tunnel URLs and you can reach each one individually by name from the internet with no cert errors?

With UAG HA, the initial auth is done via the HA floating IP, but the session traffic is then routed to the individual UAG.

CptvSAN
Contributor

You mean that in our setup both UAGs must have different Blast and Tunnel URLs? The HA function works well. We see on the connection servers that sessions over UAG1 and UAG2 were established (only if we use port 443 as BSG). The firewall ports in front of the UAGs are also opened as described here:

## External -> DMZ

External x.x.x.x -TCP/UDP 443-> UAG1
External x.x.x.x -TCP/UDP 8443-> UAG1
External x.x.x.x -TCP/UDP 4172-> UAG1
External x.x.x.x -TCP/UDP 443-> UAG2
External x.x.x.x -TCP/UDP 8443-> UAG2
External x.x.x.x -TCP/UDP 4172-> UAG2
External x.x.x.x -TCP/UDP 443-> UAG VIP
External x.x.x.x -TCP/UDP 8443-> UAG VIP
External x.x.x.x -TCP/UDP 4172-> UAG VIP

nburton935
Hot Shot

Correct. When using UAG HA, each one must be configured with its individual name/IP. That also means you should have both UAGs individually resolvable from the outside and SANs for each. The reason it is working with 443 is because the UAG is doing internal port forwarding 443>8443 via the XML-API port, which is being handled by the floating IP. Looks like your firewall rules are good.

CptvSAN
Contributor

Ok, just for clarification. That means our setup must look like the following (only for 8443):

External IP 1.2.3.10 -> Firewall DNAT -TCP/UDP 8443-> UAG1    DMZ IP 10.0.0.10
External IP 1.2.3.20 -> Firewall DNAT -TCP/UDP 8443-> UAG2    DMZ IP 10.0.0.20
External IP 1.2.3.30 -> Firewall DNAT -TCP/UDP 8443-> UAG VIP DMZ IP 10.0.0.30

External DNS Resolution:

vdi1.domain.com -> 1.2.3.10
vdi2.domain.com -> 1.2.3.20
vdi3.domain.com -> 1.2.3.30

BSG Settings

UAG1
BSG Address:    https://vdi1.domain.com:8443
Tunnel Address: https://vdi1.domain.com:443

UAG2
BSG Address:    https://vdi2.domain.com:8443
Tunnel Address: https://vdi2.domain.com:443

UAG VIP
BSG Address:    https://vdi3.domain.com:8443
Tunnel Address: https://vdi3.domain.com:443

That means that I need 3 external IP addresses, correct?

nburton935
Hot Shot

Correct - you will need 3 external names and IPs. Don't forget to add the 443 NATs if you're only NATing on individual ports. Your NAT list on top only had 8443. Other than that, I believe your config looks good.

-Nick

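As an added example (not from the thread or from VMware), a small Python checker for the plan Nick confirmed above: every Blast/Tunnel URL host must be individually resolvable, covered by that UAG's certificate SANs, and DNATed on its port to the right DMZ address. The hostnames, IPs and SANs are constructed from the thread's own plan and no real hosts are contacted.

```python
"""Consistency check for a UAG HA + Blast Secure Gateway plan (constructed example)."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Uag:
    name: str             # appliance label
    dmz_ip: str           # DMZ address the firewall DNAT must land on
    blast_url: str        # Blast External URL (BSG), 8443 for BEAT
    tunnel_url: str       # Tunnel External URL, 443
    cert_sans: frozenset  # SANs on the certificate installed on this UAG


def check_plan(uags, dns, nat):
    """Return findings; empty list means the plan is consistent.
    dns: external hostname -> external IP
    nat: (external IP, port) -> DMZ IP the firewall DNATs to
    """
    findings = []
    # HA rule from the thread: each UAG needs its own Blast name, otherwise
    # 8443 session traffic can reach an appliance that did not authenticate it.
    hosts = [urlparse(u.blast_url).hostname for u in uags]
    if len(set(hosts)) != len(hosts):
        findings.append("UAGs share a Blast URL hostname; HA needs individual names")
    for u in uags:
        for label, url in (("Blast", u.blast_url), ("Tunnel", u.tunnel_url)):
            parsed = urlparse(url)
            host, port = parsed.hostname, parsed.port or 443
            if host not in u.cert_sans:
                findings.append(f"{u.name}: {host} missing from certificate SANs")
            ext_ip = dns.get(host)
            if ext_ip is None:
                findings.append(f"{u.name}: {host} has no external DNS record")
                continue
            target = nat.get((ext_ip, port))
            if target is None:
                findings.append(f"{u.name}: no DNAT for {ext_ip}:{port} ({label} URL)")
            elif target != u.dmz_ip:
                findings.append(f"{u.name}: {ext_ip}:{port} DNATs to {target}, not {u.dmz_ip}")
    return findings


# Constructed plan: the 8443-only NAT table posted in the thread, then with 443 added.
DNS = {"vdi1.domain.com": "1.2.3.10", "vdi2.domain.com": "1.2.3.20"}
SANS = frozenset(DNS)
UAGS = [
    Uag("UAG1", "10.0.0.10", "https://vdi1.domain.com:8443", "https://vdi1.domain.com:443", SANS),
    Uag("UAG2", "10.0.0.20", "https://vdi2.domain.com:8443", "https://vdi2.domain.com:443", SANS),
]
NAT_8443_ONLY = {("1.2.3.10", 8443): "10.0.0.10", ("1.2.3.20", 8443): "10.0.0.20"}
NAT_FIXED = {**NAT_8443_ONLY, ("1.2.3.10", 443): "10.0.0.10", ("1.2.3.20", 443): "10.0.0.20"}
```

Running `check_plan(UAGS, DNS, NAT_8443_ONLY)` reports the two missing 443 DNATs Nick pointed out, and `check_plan(UAGS, DNS, NAT_FIXED)` returns no findings.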
CptvSAN
Contributor

Sounds too good to be true 😀

I will try to test this configuration and keep you informed whether the provided solution works.
