GarTomlon
Enthusiast

External connection thru load balancer


We have an external URL connection into our Horizon View. That connection is NAT'd to our load balancer (NSX Edge, configured for SSL passthrough). My networking guy is assuring me that ports 443, 8443, and 4172 are allowed through. I can connect through a browser externally, log in to the portal and select a desktop pool. However, when I try to connect through the client (after putting in credentials), I see the portal with the pool icons, but then I get a 403 access denied error. I went back to ask the networking guy if there could be ports not getting through, and he again assured me that if there was a firewall issue, I would be getting a timeout error and not a 403 error. This load balancer has two UAGs within its pool. Each UAG is currently paired with the same Connection Server. Now, I can connect to the external URL of each UAG and log in with no issue with the client (getting as far as getting the desktop). Just not through the load balancer.

Accepted Solutions
TechMassey
Hot Shot

I think if anything, networking, load balancing, and firewalls will always be the biggest effort in any VDI implementation. The number of cogs that must spin just right is no small number.

That said, with a little insight, you can break right through the fog you're dealing with.

Based on your description, there can be a few causes and steps to troubleshoot. One item to mention when discussing issues with UAGs is the number of NICs on that UAG. Adding two or more NICs is fine; just note it adds one more layer which must be done correctly.

 

Possible Causes

1. External UAG URLs are not matching
2. The UAG IPs or subnet do not have access to the VDI VLAN for the required ports
3. With multiple UAG NICs, static routing is easy to misconfigure.
4. Possible load balancer VIP group configuration issue


Research Steps


1. Review the client connection networking requirements in this excellent Technet article - Link.
  1.a - That article will show you in detail the source and destination for every Horizon component.
2. Review Troubleshooting Firewall & Connection Issues for the UAG in this VMware doc - Link
3. Include getting familiar with the manager log on the UAG and the Connection Server logs to correlate where in the path to the desktop the failure occurred.


Investigation Steps

1. First, verify that both UAGs show green status in the Horizon Admin Console.
2. Externally, use telnet or a similar tool to verify each port is open.
3. SSH into the UAG and verify the required ports are open to the load balancer VIP, the Connection Server, and the VDI desktop IP.
4. Leverage the tcpdump steps in the UAG troubleshooting doc to watch live attempts.
5. Finally, simplify the approach by first leaving only one member in the LB VIP group. Then remove the LB VIP group, NAT directly to the UAG, etc. Keep simplifying until the root cause is found.


Finally, try to do as many of these steps without contacting the networking team. When building a good relationship with other IT teams, I have found doing my homework as much as possible and bringing solid evidence to be worth its weight in gold. 

Good Luck!


Please help out! If you find this post helpful and/or the correct answer, mark it! It helps recognize contributions to the VMTN community, and well, me too 🙂
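The accepted answer's investigation steps 2 and 3 (telnet to each port externally, then check what the UAG can reach) and the OP's 403-versus-timeout question both come down to one distinction: a firewall drop shows up at TCP level as a timeout or refusal, whereas an HTTP 403 is an application-layer answer from whatever terminated TLS in the path (a reverse proxy, the load balancer, or a UAG). The script below is an added example for this thread, not code from the original posts or from VMware. It TCP-connects to each Horizon port the thread lists, and on the HTTPS ports also completes a TLS handshake and sends one HEAD request so the report says what answered. The hostname vdi.example.com, the port list, and the SAMPLE_403 bytes are constructed for illustration; the loopback listener exists only so the probe can be exercised offline.

```python
"""Probe the external Horizon entry point port by port and classify what answers.
Added example, not code from the thread or from VMware; hostname and sample
response are constructed."""
import socket
import ssl
import sys
import threading
from dataclasses import dataclass
from typing import Optional, Tuple

# Ports the thread says are opened: 443 (XML-API, tunnel, Blast), 8443
# (Blast Extreme), 4172 (PCoIP; UDP too, but only TCP is probed here).
HORIZON_TCP_PORTS = (443, 8443, 4172)
HTTPS_PORTS = (443, 8443)

# Constructed sample of a reverse proxy's 403 answer, for the self-check.
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Server: cloudflare\r\n"
              b"Content-Type: text/html\r\n\r\n")


@dataclass
class ProbeResult:
    host: str
    port: int
    tcp_open: bool
    detail: str                        # one-line classification for the report
    http_status: Optional[int] = None
    server_header: Optional[str] = None


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """The 'telnet host port' check: is the port open, and if not, why not."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except socket.timeout:
        return False, "timeout: packets dropped (typical firewall DROP)"
    except ConnectionRefusedError:
        return False, "refused: host reached, nothing listening or REJECT rule"
    except OSError as exc:
        return False, f"error: {exc}"


def parse_http_response(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status code, Server header) parsed from a raw HTTP response."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1", "replace").split("\r\n")
    first = lines[0].split(" ", 2)
    status = None
    if len(first) > 1 and first[0].startswith("HTTP/") and first[1].isdigit():
        status = int(first[1])
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    return status, server


def classify(host: str, port: int, tcp_open: bool, tcp_detail: str,
             status: Optional[int], server: Optional[str]) -> ProbeResult:
    """Turn the raw observations into the sentence you bring to the network team."""
    if not tcp_open or status is None:
        return ProbeResult(host, port, tcp_open, tcp_detail)
    who = f" from '{server}'" if server else ""
    if status == 403:
        detail = f"HTTP 403{who}: an application-layer device answered, not a firewall drop"
    else:
        detail = f"HTTP {status}{who}"
    return ProbeResult(host, port, True, detail, status, server)


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """TCP connect; on the HTTPS ports also handshake TLS and send one HEAD."""
    tcp_open, tcp_detail = tcp_connect(host, port, timeout)
    if not tcp_open or port not in HTTPS_PORTS:
        return classify(host, port, tcp_open, tcp_detail, None, None)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # we want to see what answers, even behind a wrong cert
    ctx.verify_mode = ssl.CERT_NONE
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                while b"\r\n\r\n" not in raw and len(raw) < 65536:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except OSError as exc:             # ssl.SSLError is an OSError too
        return classify(host, port, True, f"tcp open, but TLS/HTTP failed: {exc}", None, None)
    status, server = parse_http_response(raw)
    return classify(host, port, True, tcp_detail, status, server)


def start_local_listener() -> int:
    """Bind an ephemeral loopback port that accepts and closes, for offline self-checks."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vdi.example.com"   # constructed hostname
    for p in HORIZON_TCP_PORTS:
        r = probe(target, p)
        print(f"{r.host}:{r.port:<5} open={r.tcp_open!s:<5} {r.detail}")
```

Run it once against the load balancer's public name and once against each UAG's own external URL; if the UAGs answer on 443 and 8443 with the UAG's certificate and the load balancer name answers 403 with a different Server header, the device in between is the one to look at, and the output is the kind of evidence the accepted answer suggests bringing to the networking team. A clean TCP connect on 4172 only proves the TCP side; PCoIP also needs UDP 4172, which this probe does not cover.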

GarTomlon
Enthusiast

Thanks for these tips. It ended up being a misconfiguration within our external reverse proxy service (Cloudflare). We disabled the proxying service and the load balancer works perfectly.
