We have a third party who maintains our Cisco ASA firewall. I have been working with them for days trying to get the remote access to work for Horizon View 5.2. Using the View Client, we can connect, authenticate, choose the desktop, but then we get the black screen. Using HTML access, we can connect, authenticate, choose the desktop, but then we get this error: An error has occurred: {"code":"ETIMEDOUT","errno":"ETIMEDOUT","syscall":"connect"}.
I have followed all the docs, etc. that are published on these and everything points to the firewall configuration. Unfortunately, I do not know how to maintain the firewall and so I am at the mercy of the 3rd party vendor. They tell me it is all correct.
I am hoping there is someone out there who knows a Cisco ASA 5510 that can review these settings and let me know what they are missing or doing wrong.
We have two connection servers. One is paired with a Security server that sits on the DMZ. The other is used internally for direct PCOIP access.
Here is our current ASA configuration for these servers. I have changed the actual IPs, but here are the meanings:
Security server outside IP address 1.1.1.1
Security server DMZ address 2.2.2.2
Connection server address 3.3.3.3
View desktops 4.4.4.X
access-list outside-in extended permit tcp any host 1.1.1.1 eq https
access-list outside-in extended permit tcp any host 1.1.1.1 eq 4172
access-list outside-in extended permit udp any host 1.1.1.1 eq 4172
access-list outside-in extended permit tcp any host 1.1.1.1 eq www
access-list outside-in extended permit tcp any host 1.1.1.1 eq 8443
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 4001
access-list dmz-inside extended permit udp host 2.2.2.2 host 3.3.3.3 eq isakmp
access-list dmz-inside extended permit udp host 2.2.2.2 host 3.3.3.3 eq 4500
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 8009
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 3389
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 4927
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 4172
access-list dmz-inside extended permit udp host 2.2.2.2 host 3.3.3.3 eq 4172
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 32111
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq www
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq https
access-list dmz-inside extended permit tcp host 2.2.2.2 host 3.3.3.3 eq 22443
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 3389
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4927
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4172
access-list dmz-inside extended permit udp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4172
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 22443
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 32111
static (inside,DMZ) 3.3.3.3 3.3.3.3 netmask 255.255.255.255
static (DMZ,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 dns
In looking at this doc from VMware, it does not appear that our config covers everything, and there are entries from the security server to the connection server that may not be needed. But not really knowing firewalls, maybe it is correct. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102721...
Any help would be greatly appreciated.
Hey
Did you enable the PCOIP and blast secure gateway on your paired connection server?
Do you have the public facing IP in the PCoIP External URL of your security server?
Did you setup the correct Blast External URL?
Regards
Yes - both boxes are checked.
Yes - the public IP is correct.
Yes - yes the public URL is correct.
I can actually connect remotely - I get authenticated to our AD, it presents me with my desktop. I select it - then I just get a black screen. VM support had me move the security server back to the LAN to confirm all the setup was working. I had no issues. So they said it has to be a problem with the Cisco firewall configurations, as that is the only thing different when it is moved to the DMZ.
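An added example, not part of the thread and not VMware or Cisco tooling: a small Python audit that reads permit lines like those in the first post and compares them with a checklist of expected flows. The checklist (EXPECTED) and all function names are assumptions made for this example; confirm each port against the VMware KB article linked in the post before relying on it.

```python
import ipaddress
import re

NAMED_PORTS = {"www": 80, "https": 443, "isakmp": 500}  # ASA keywords used in the post
# Excerpt of the ACL from the first post (placeholder addresses exactly as posted).
ACL = """\
access-list outside-in extended permit tcp any host 1.1.1.1 eq https
access-list outside-in extended permit tcp any host 1.1.1.1 eq 4172
access-list outside-in extended permit udp any host 1.1.1.1 eq 4172
access-list outside-in extended permit tcp any host 1.1.1.1 eq www
access-list outside-in extended permit tcp any host 1.1.1.1 eq 8443
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 3389
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4927
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4172
access-list dmz-inside extended permit udp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 4172
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 22443
access-list dmz-inside extended permit tcp host 2.2.2.2 4.4.4.0 255.255.255.0 eq 32111
"""
# ASSUMPTION: constructed checklist; confirm each entry against the KB the post links.
EXPECTED = {
    ("outside-in", "1.1.1.1/32"): {("tcp", 443), ("tcp", 4172), ("udp", 4172), ("tcp", 8443)},
    ("dmz-inside", "4.4.4.0/24"): {("tcp", 3389), ("tcp", 9427), ("tcp", 32111),
                                   ("tcp", 4172), ("udp", 4172), ("tcp", 22443)},
}
ADDR = r"(any|host \S+|\d\S* \d\S*)"
RULE = re.compile(rf"access-list (\S+) extended permit (tcp|udp) {ADDR} {ADDR} eq (\S+)$")

def to_net(spec):  # 'any', 'host A' or 'A MASK' -> CIDR string
    if spec == "any":
        return "0.0.0.0/0"
    addr, _, mask = spec.removeprefix("host ").partition(" ")
    return str(ipaddress.ip_network(f"{addr}/{mask or 32}"))

def permitted(acl_text):
    """Map (ACL name, destination CIDR) to the set of permitted (protocol, port)."""
    flows = {}
    for line in acl_text.splitlines():
        if not (m := RULE.match(line.strip())):
            continue  # deny lines, remarks and port ranges are out of scope here
        name, proto, _src, dst, port = m.groups()
        number = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        flows.setdefault((name, to_net(dst)), set()).add((proto, number))
    return flows

def audit(acl_text, expected):
    """Return (missing, unexpected) flows per (ACL name, destination)."""
    have = permitted(acl_text)
    return ({k: sorted(v - have.get(k, set())) for k, v in expected.items()},
            {k: sorted(have.get(k, set()) - v) for k, v in expected.items()})
```

With this checklist, audit(ACL, EXPECTED) reports TCP 9427 as missing and TCP 4927 as unexpected toward the desktop subnet, and TCP 80 as unexpected toward the security server's outside address. It reads only the permit lines; access-group bindings and the static NAT entries are not modelled.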