Ha! The man himself shows up - I love getting info directly from the source.

Before I saw this reply this morning I started messing with how the connection servers were set up. This is the part that got me on setup (from Carl Stalhood's writeup)

"In your Horizon Connection Servers, there is no need to enable any of the Gateways."

I guess I'm confused on that specific point - I got this working by clicking on things until they worked.

I'm like almost *almost* there now, still dealing with a RADIUS thing but this got me really far along in using these appliances instead of Windows-based security servers.

- mike

What did you do to make it work? We want to help others!

Did you untick the Blast Gateway option on Connection Server?

What's the RADIUS thing? Tell us more and we can fix that too.

Mark

When I deployed these, I config'd them via the GUI - not the PS script.

We added these to a functional 7.1 environment that originally had Windows security servers.

On the servers that these appliances forward to, we still had "Use Secure Tunnel connection to machine" and "Use Blast Secure Gateway for Blast connections to this machine" still checked.

Once we deselected those, communication started working.

As for RADIUS, our ultimate goal is to have the UAG's handling RADIUS auth. When configuring these through the GUI, we've set up the RADIUS server info and the service goes green when enabled. Connecting to the external VIP (and hitting those UAG's) we do not get prompted for a 2fa token. But when we set RADIUS on the Windows connection servers we get prompted for a 2fa token. Basically, whether or not RADIUS is set up on the UAG's, only setting up RADIUS on the backend, internal servers will kick off a token challenge.

Right now I've destroyed the two GUI-deployed UAGs and am working through the 2.9 v3 PS script using the RADIUS template as a starting point. So far, when specifying the following in the file, I don't even see RADIUS as being set up once I can get to the GUI of the gateway. We have two RADIUS servers in different subnets for redundancy.

[Horizon]

<snip some stuff up here>

authMethods=radius-auth && sp-auth

matchWindowsUserName=true

[RADIUSAuth]

hostName=xx.xx.xx.46

authType=MSCHAPv2

authPort=1812

radiusDisplayHint=XXXpassword

hostName_2=xx.xx.xx.17
authPort_2=1812

Once I get into the GUI of the appliance, I don't see any of this info there.

More info after several hours of trying to get these two appliances deployed using PowerShell:

Even though I'm specifying "authMethods=radius-auth" RADIUS is not turned on when I check the appliance. This is concerning - it's like it's just skipping past that config that I'm specifying in the .ini file.

I originally deployed these using the OVF import GUI in vCenter and they worked for a bit until I tried troubleshooting the RADIUS stuff (that and I want to be able to deploy from script).

I'm mimicking pretty much everything that I'm doing in the OVF GUI - but I cannot now even get these appliances to pass traffic through to the connection servers. From our outside IP all I get is "Failed to contact connection server" in the HTML interface, just a timeout in the 4.4 client.

Yah, I have to get back to a very, very basic setup of the appliance - I was just fried yesterday for a variety of reasons not related to this issue. This has deepened my understanding of the architecture and I'm fully invested in getting this to work.

I really, really appreciate your help on this!

- mike

We, too, have been working with support on this - we got the UAG's deployed and working well for almost everything other than RADIUS.

No matter what we tried, we've settled back to enabling RADIUS on the underlying Windows servers instead. This pushes us back to roughly the same config that we've been running with 7.0.2 where we have separate VIPs for hitting the environment externally vs internally.

I mean it works, it's just double the amount of internal View servers needed (in our case, 4 Windows View servers instead of 2)

We plan on an upgrade to 7.1 ASAP as it's pretty cool and would probably push out the UAG's using RADIUS to a later version.

As this thread is now answered, it would be better to start a new thread if you have UAG RADIUS config/setup problems. We'll then be able to sort out your specific issue.

Mark

Hi Mark. My issue is similar. I have HTML, PCoIP, Blast Extreme all working fine within the LAN. I deployed UAG 3.1 (single appliance) to handle external connections. Here's the oddity. From everything I've read I'm supposed to uncheck all 3 settings (use secure tunnel https, use pcoip secure gateway..., use blast secure gateway...). Now, if they are unchecked I can authenticate with the View client, receive a list of entitled desktops, but when I click on one (any protocol) it will just stay on 'The connection server is preparing the desktop'. Nothing in View Admin illustrates that any desktops have been connected.

When I go back into the properties of the Connection server and check all 3 settings I can successfully login to the desktop via PCoIP ONLY (external connections). Blast or HTML do not work externally. I definitely have Blast enabled on the UAG and the Blast External URL points to the public resolvable name. When I choose Blast for the protocol within the View client and launch, I just get a black screen. HTML exteranlly will actually accept my authentication and show me a list of the entitled desktops. When I click one the url redirects to the Blast External URL but the webpage just spins like it's waiting for something.

So, hoping for an explanation of why I need to checkmark all 3 settings on the Connection server to even just have external PCoIP work, Second, why doesn't external Blast and HTML work?

Thanks