VMware Horizon Community
Najtsob
Enthusiast

Horizon 6.2.4 - External Connection vs. Tunneled Connection

Can someone explain in layman's terms the difference between External Connection and Tunneled Connection mode?

I'm looking at this document: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-use...

We always thought that you need to enable this to use a security server, so that the client connections travel through the security server to the connection server and finally to the VDI (Horizon agent)?

Najtsob
Enthusiast

OK, I'm looking a bit more into this.

Tunneled connection, communication goes like this:

client -> security srv -> connection srv -> horizon agent

So from the DMZ to the internal network you just need to allow communication from the security server to the connection server.

External connection, communication goes like this:

client -> UAG -> horizon agent

In this case you need to allow the UAG in the DMZ access to all the desktops inside the internal network.

Is the UAG interchangeable with the security server (regarding external connection) or not?

sjesse

First, the UAG does not use those settings; you need to turn them off if you're using the UAG. They are used if you're using the security server.

Without the security tunnels enabled a connection goes like this:

1. Horizon client contacts the connection server

2. Connection server authenticates the user

3. Connection server provides a list of resources back to the agent

4. Horizon client sends the user's choice to the connection server

5. Connection server provides a desktop

6. Horizon client connects directly to the desktop

With a tunnel it's:

1. Horizon client contacts the connection server

2. Connection server authenticates the user

3. Connection server provides a list of resources back to the agent

4. Horizon client sends the user's choice to the connection server

5. Connection server provides a desktop

6. Horizon client connects to the security server, the security server connects to the connection server, and the connection server connects to the desktop that is chosen

Najtsob

I am looking at this from a network standpoint, for the case where users connect from the public internet.

So I guess/hope that the View client doesn't need to talk directly with the connection server that sits on the internal network?

I would like to know how packets flow from the View client to the View agent and back again.

sjesse

Read this, there are diagrams of almost every situation. It's for 7 but 6.2.4 uses the same.

Network Ports in Horizon 7

It really goes over how all the connections work. The basic part is that if you aren't using the tunneling, the Horizon client wants to connect to the virtual desktop directly, so for external/internet connections you always want to use the tunneled connection.

Najtsob

This is the diagram I posted the link to in my first post, and I don't understand the difference between security server or UAG and tunneled or external connection.

So from your posts I now understand it as:

1) With a security server you want to use the tunneled connection.

From the public internet you need to open access just to the security server; traffic is then tunneled from the security server to the connection server, and from the connection server it then flows to the desktops.

2) With the UAG you don't even have the tunneled connection available, and the documentation now calls this external connection.
From the public internet you have to open access to the UAG, which acts as a proxy/FW, and if the user successfully authenticates it allows traffic to flow to the desktops. So you need to open the PCoIP, HTTPS and Blast ports from the DMZ network to the desktop networks.

Correct?

sjesse

I think you're mostly correct.

1.) Using a security server, there is an IPsec tunnel that's created between the connection server and the security server. The Horizon client connects to the security server, the traffic is tunneled through the security server and its IPsec tunnel, and exits the connection server on its way to the desktops.

2.) The UAG moved the gateways you see in the Horizon admin configuration from the connection server to the UAG. When you use them in the UAG, the connection goes into the UAG and out to the desktops. That's why there are 1, 2 and 3 network card configurations. The most secure is the one with a DMZ, internal, and management network connection. This lets the connection enter the appliance in a DMZ zone and exit through an interface in an internal zone. If you use the one-network configuration you will have to give the appliance in the DMZ direct access to your desktops.

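As an added example (not from this thread, and not VMware's code), the following Python audit turns the two flows summarised in the last two posts into the DMZ-to-internal firewall openings each mode needs and checks a ruleset against them: the tunneled mode only needs the security server to reach the connection server, while the external/UAG mode needs the gateway to reach every desktop on the display-protocol ports. The port numbers for PCoIP, Blast and HTTPS, the IPsec ports used for the security-server tunnel, and all addresses and rules are assumptions or constructed sample data; confirm the ports against the "Network Ports in Horizon 7" document for your version before relying on them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str    # host IP in the DMZ
    dst: str    # host IP on the internal network
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR
    dst: str            # CIDR
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int]  # None = any port
    action: str         # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.port in (None, flow.port))


# Assumed port numbers for the protocols the thread names (PCoIP, Blast,
# HTTPS) and for the IPsec tunnel between security server and connection
# server (IKE / NAT-T). Verify against VMware's port documentation.
DESKTOP_PORTS = [("tcp", 443), ("tcp", 4172), ("udp", 4172),
                 ("tcp", 22443), ("udp", 22443)]
IPSEC_PORTS = [("udp", 500), ("udp", 4500)]


def required_flows(mode: str, gateway: str, connection_server: str,
                   desktops: List[str]) -> Set[Flow]:
    """DMZ -> internal flows each mode needs, as described in the thread."""
    if mode == "tunneled":   # security server: only reach the connection server
        return {Flow(gateway, connection_server, p, port) for p, port in IPSEC_PORTS}
    if mode == "external":   # UAG: reach every desktop on the display ports
        return {Flow(gateway, d, p, port) for d in desktops for p, port in DESKTOP_PORTS}
    raise ValueError(f"unknown mode {mode!r}")


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """First-match semantics; no matching rule means implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action == "allow"
    return False


def audit(rules: List[Rule], required: Set[Flow],
          dmz: str = "10.1.0.0/24", internal: str = "10.2.0.0/16") -> dict:
    """Report required flows the ruleset blocks, and DMZ->internal allow
    rules that are broader (any port or any protocol) than either mode needs."""
    missing = sorted((f.src, f.dst, f.proto, f.port)
                     for f in required if not is_allowed(rules, f))
    broad = [r for r in rules
             if r.action == "allow"
             and ip_network(r.src).subnet_of(ip_network(dmz))
             and ip_network(r.dst).subnet_of(ip_network(internal))
             and (r.port is None or r.proto == "any")]
    return {"missing": missing, "broad": broad}


# Constructed sample topology: one gateway in the DMZ, desktops in 10.2.10.0/24.
GATEWAY = "10.1.0.10"
CONNECTION_SERVER = "10.2.0.5"
DESKTOPS = ["10.2.10.1", "10.2.10.2"]

# Constructed ruleset for the external/UAG mode; udp/22443 was forgotten.
RULESET_EXTERNAL = [
    Rule("10.1.0.10/32", "10.2.10.0/24", "tcp", 443, "allow"),
    Rule("10.1.0.10/32", "10.2.10.0/24", "tcp", 4172, "allow"),
    Rule("10.1.0.10/32", "10.2.10.0/24", "udp", 4172, "allow"),
    Rule("10.1.0.10/32", "10.2.10.0/24", "tcp", 22443, "allow"),
    Rule("10.1.0.0/24", "10.2.0.0/16", "any", None, "deny"),
]

# Constructed "just open everything from the DMZ" ruleset.
RULESET_LAZY = [Rule("10.1.0.0/24", "10.2.0.0/16", "any", None, "allow")]


if __name__ == "__main__":
    for mode in ("tunneled", "external"):
        req = required_flows(mode, GATEWAY, CONNECTION_SERVER, DESKTOPS)
        for name, rules in (("explicit", RULESET_EXTERNAL), ("lazy", RULESET_LAZY)):
            print(mode, name, audit(rules, req))
```

The `missing` list is what to add to the firewall; the `broad` list is what a reviewer would push back on, since an any-port allow from the DMZ gives a compromised gateway far more reach than the Horizon flows require.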
Najtsob

Thank you very much.

So with the UAG you take over most of the connection server functionality; it seems just a matter of time until we won't need Windows-based connection servers any more.

sjesse

I think we will get an appliance for the connection server at one point. The connection server is still used to authenticate the user and any connections to the desktops. This method keeps the server handling the user connections separate from the one that is used to manage the desktops and users.

Najtsob

But for internal users, you still direct them to the connection server and not the UAG?

BenFB
Virtuoso

A connection server is still required with a UAG. The UAG only replaces the role of the security server.

It would be nice if VMware could deliver an appliance based connection server. The challenge as I understand it is that the connection server leverages AD LDS and they would have to move to something else.
