VMware Horizon Community
BadfishGT
Enthusiast

External Users getting blocked once inside a VDI instance

Any guidance would be helpful.

Has anyone experienced issues with external users not being able to access applications with a VDI environment from their corp networks where using a personal connection worked? It appears that some corp networks don't like the data flow from a Security server into a VDI application? For example, the port 22443 seems to be giving some corp networks trouble.

Environment

2 DMZ Windows based Security servers fronted by F5 Load balancers and paired with 2 internal Connection servers.

Users can access the VDI portal and log into it, seeing the apps, but once an application is clicked, the connection seems to fail to access the .local RDSH server on port 22443. Users not able to connect from their corp environments can access the apps fine from a personal internet connection. Something about some corp networks not liking the route and port the traffic takes.

Thanks

0 Kudos
4 Replies
techguy129
Expert

Sounds a lot like a firewall issue on the corp network. They are probably blocking 8443 or 4172. If they are using Blast, their clients will use 443/8443 to the security servers. If PCoIP, they should be connecting by 4172. Only time 22443 is used is if you are using direct connect, which it doesn't sound like if they are logging into the portal.

Check out the client logs. That will tell you your issue.
Horizon Client for Windows Logs

List of Ports:

TCP and UDP Ports Used by Clients and Agents

0 Kudos
jmatz135
Hot Shot

Watch out for the protocol used. If using PCoIP, the corporate network will probably block the port. Blast uses the standard 443 port so that shouldn't be blocked, but there is one more thing to watch out for. If using the client, some corporate networks flag the traffic as VPN traffic and block it. See if the HTML 5 access works from the corporate network.

0 Kudos
BenFB
Virtuoso

In addition you need to allow the following internal traffic.

For Blast port 22443 TCP/UDP needs to be allowed from the Security Server/UAG to the Horizon agent.
For PCoIP port 4172 TCP/UDP needs to be allowed from the Security Server/UAG to the Horizon Agent.

0 Kudos
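
The port list from the replies above can be checked leg by leg with a small TCP probe; this is an added example, not code posted by anyone in the thread. The function names, the `FLOWS` table layout and the command-line arguments are assumptions made for the example; run it from an affected corporate client against the external gateway address, or from the Security Server/UAG against a Horizon Agent.

```python
import socket
import sys

# Ports as stated in the replies above. Only the TCP side is probed: an
# unanswered UDP datagram is ambiguous, so UDP needs a packet capture instead.
FLOWS = {
    ("client", "blast"): [443, 8443],   # client -> Security Server
    ("client", "pcoip"): [4172],        # client -> Security Server
    ("gateway", "blast"): [22443],      # Security Server/UAG -> Horizon Agent
    ("gateway", "pcoip"): [4172],       # Security Server/UAG -> Horizon Agent
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the path is clear but nothing is listening.
        return "refused"
    except OSError:
        # Timeout, unreachable network or failed name lookup. A timeout seen
        # only from the corporate network points at an egress firewall drop.
        return "filtered"


def check_leg(vantage, protocol, host, timeout=3.0):
    """Probe every TCP port the thread lists for this vantage point and protocol."""
    ports = FLOWS[(vantage, protocol.lower())]
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage: python check_ports.py client blast <gateway-host>
    vantage, protocol, host = sys.argv[1:4]
    for port, state in check_leg(vantage, protocol, host).items():
        print(f"{host}:{port}/tcp {state}")
```

Comparing the output from the corporate network with the output from a personal connection shows which port the corporate firewall is dropping.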