Can someone explain in layman's terms the difference between External Connection and Tunneled Connection mode?
I'm looking at this document: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-use...
We always thought that you need to enable this to use the security server, so the client connections travel through the security server to the connection server and finally to the VDI (Horizon agent)?
OK, I'm looking a bit more into this.
Tunneled connection, communication goes like this:
client -> security srv -> connection srv -> horizon agent
so from the DMZ to the internal network you just need to allow communication from the security server to the connection server.
External connection, communication goes like this:
client -> UAG -> horizon agent
In this case you need to allow the UAG in the DMZ access to all the desktops inside the internal network.
Is the UAG interchangeable with the security server (regarding external connection) or not?
First, the UAG does not use those settings; you need to turn them off if you're using the UAG. They are used if you're using the security server.
Without the security tunnels enabled a connection goes like this:
1. Horizon client contacts the connection server
2. Connection server authenticates the user
3. Connection server provides a list of resources back to the agent
4. Horizon client sends the user's choice to the connection server
5. Connection server provides a desktop
6. Horizon client connects directly to the desktop
With a tunnel it's:
1. Horizon client contacts the connection server
2. Connection server authenticates the user
3. Connection server provides a list of resources back to the agent
4. Horizon client sends the user's choice to the connection server
5. Connection server provides a desktop
6. Horizon client connects to the security server, the security server connects to the connection server, and the connection server connects to the desktop that is chosen
I am looking at this from a network standpoint, for the case where you have users connecting from the public internet.
So I guess/hope that the View client doesn't need to talk directly with the connection server that sits on the internal network?
I would like to know how packets flow from the View client to the View agent and back again.
Read this; there are diagrams of almost every situation. It's for 7, but 6.2.4 uses the same.
It really goes over how all the connections work. The basic part is that if you aren't using the tunneling, the Horizon client wants to connect to the virtual desktop directly, so for external/internet connections you always want to use the tunneled connection.
This is the diagram to which I posted the link in my first post, and I don't understand the difference between security server or UAG and tunneled or external connection.
So from your posts I now understand it as:
1) With the security server you want to use the tunneled connection.
From the public internet you need to open access just to the security server; traffic is then tunneled from the security server to the connection server, and from the connection server it then flows to the desktops.
2) With the UAG you don't even have the tunneled connection available, and the documentation now calls this an external connection.
From the public internet you have to open access to the UAG, which acts as a proxy/FW, and if the user successfully authenticates it allows traffic to flow to the desktops. So you need to open the PCoIP, HTTPS, and Blast ports from the DMZ network to the desktop networks.
Correct?
I think you're mostly correct.
1.) Using a security server there is an IPsec tunnel that's created between the connection server and the security server. The Horizon client connects to the security server; the traffic is tunneled through the security server and its IPsec tunnel and exits the connection server on its way to the desktops.
2.) The UAG moved the gateways you see in the Horizon admin configuration from the connection server to the UAG. When you use them in the UAG, the connection goes into the UAG and out to the desktops. That's why there are 1, 2 and 3 network card configurations. The most secure is the one with a DMZ, internal, and management network connection. This lets the connection enter the application in a DMZ zone and exit through an interface in an internal zone. If you use the one-network configuration you will have to give the appliance in the DMZ direct access to your desktops.
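The practical difference between the two numbered flows earlier in the thread and the summary just confirmed above is which firewall zone crossings have to exist: with the tunneled design the DMZ only needs to reach the connection server, while with the UAG the DMZ needs the display-protocol ports open to every desktop network. The script below is an added example, not code from this thread or from VMware. It models the hop sequences exactly as the posts describe them, derives the zone-crossing rules each mode needs, and checks a firewall policy for gaps; the zone placement of each component and the port numbers (443 and 8443 for HTTPS and the Blast gateway, 4172 for PCoIP, 22443 for Blast to the agent, UDP 500/4500 for IPsec) are assumptions from my reading of the Horizon 7 port documentation and should be verified against your version.

```python
"""Zone-crossing firewall rules implied by the two Horizon topologies.

Added example, not code from the thread or from VMware. It models the hop
sequences as the posts above describe them (tunneled: client -> security
server -> connection server -> agent; external: client -> UAG -> agent),
derives which firewall zone crossings each mode needs, and shows why a
DMZ policy written for one mode leaves the other mode blocked.

Port numbers and zone placement are assumptions to verify against your
own Horizon version; they are not values taken from the thread.
"""

# Which network zone each component sits in (assumed placement).
ZONES = {
    "client": "internet",
    "security_server": "dmz",
    "uag": "dmz",
    "connection_server": "internal",
    "agent": "internal",
}

# Protocol/port bundles (assumed; see module docstring).
CLIENT_TO_GATEWAY = {("tcp", 443), ("tcp", 8443), ("tcp", 4172), ("udp", 4172)}  # HTTPS, Blast gateway, PCoIP
GATEWAY_TO_AGENT = {("tcp", 22443), ("tcp", 4172), ("udp", 4172)}              # Blast to agent, PCoIP
IPSEC = {("udp", 500), ("udp", 4500)}                                           # IKE and NAT-T encapsulated ESP

# Hop sequences as described in the thread: (source, destination, ports used).
TOPOLOGIES = {
    "tunneled": [
        ("client", "security_server", CLIENT_TO_GATEWAY),
        ("security_server", "connection_server", IPSEC),
        ("connection_server", "agent", GATEWAY_TO_AGENT),
    ],
    "external": [
        ("client", "uag", CLIENT_TO_GATEWAY),
        ("uag", "agent", GATEWAY_TO_AGENT),
    ],
}


def required_rules(mode):
    """Return the set of (src_zone, dst_zone, proto, port) a firewall must allow.

    Hops that stay inside one zone (connection server -> agent, both internal)
    produce no rule, which is exactly why the tunneled design needs no
    display-protocol ports opened from the DMZ.
    """
    rules = set()
    for src, dst, ports in TOPOLOGIES[mode]:
        if ZONES[src] == ZONES[dst]:
            continue
        for proto, port in ports:
            rules.add((ZONES[src], ZONES[dst], proto, port))
    return rules


def zone_pairs(mode):
    """Distinct (src_zone, dst_zone) crossings a mode requires, sorted."""
    return sorted({(s, d) for s, d, _, _ in required_rules(mode)})


def missing_rules(mode, policy):
    """Rules needed by `mode` that the given policy (a set of rule tuples) lacks."""
    return required_rules(mode) - set(policy)


# Constructed firewall policy written for the security-server (tunneled) design:
# the internet may reach the DMZ gateway, and the DMZ may only reach the
# connection server over IPsec.
POLICY_TUNNELED = {("internet", "dmz", p, n) for p, n in CLIENT_TO_GATEWAY} | {
    ("dmz", "internal", p, n) for p, n in IPSEC
}


def main():
    for mode in TOPOLOGIES:
        print(f"{mode}: zone crossings {zone_pairs(mode)}")
        for rule in sorted(required_rules(mode)):
            print("   allow", rule)
    gap = missing_rules("external", POLICY_TUNNELED)
    print("\nReplacing the security server with a UAG under the tunneled-mode policy blocks:")
    for rule in sorted(gap):
        print("   missing", rule)


if __name__ == "__main__":
    main()
```

Run it as a script to see both rule sets; the last section lists the DMZ-to-internal PCoIP and Blast rules that a policy built for the security server does not contain, which is the firewall change the UAG migration forces.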
Thank you very much.
So with the UAG you take over most of the connection server functionality; it seems just a matter of time until we won't need Windows-based connection servers any more.
I think we will get an appliance for the connection server at one point. The connection server is still used to authenticate the user and any connections to the desktops. This method keeps the server handling the user connections separate from the one that is used to manage the desktops and users.
But for internal users, you still direct them to the connection server and not the UAG?
A connection server is still required with a UAG. The UAG only replaces the role of the security server.
It would be nice if VMware could deliver an appliance based connection server. The challenge as I understand it is that the connection server leverages AD LDS and they would have to move to something else.
