VMware Horizon Community
wreedMH
Hot Shot

Horizon 7.6 and UAG 3.3.1 users can connect internally, but not externally

Hello All,

We are setting up a simple View POC. I have a View Connection Server 7.6 and UAG all deployed internally on a 10.254.254.x/24 network. We have the View Agent installed on 1 2016 RDSH server and have published Chrome and Notepad. The Horizon Client connects fine and launches the application internally.

Our VDI URL is https://vdi.acmeco.com both internally and externally. Problem is we have a split-DNS. When you are internal, vdi.acmeco.com resolves to 10.254.254.25; externally it goes to its public IP.

We have TCP-UDP NAT for the UAG with ports 443, 8443, and 4172 allowed.

External users get prompted for authentication, but then the View Agent says "the connection to the remote computer ended".

Any ideas on how to make this work?

0 Kudos
4 Replies
markbenson
VMware Employee

wreedMH: After authentication via UAG, your Horizon Client will make the display protocol connection (Blast or PCoIP) to the hostname or IP address that you specified in the blastExternalUrl or pcoipExternalUrl setting on UAG. The connection goes from client to UAG and then UAG to the virtual desktop (or RDS Host).

Most problems of "the connection to the remote computer ended" turn out to be configuration problems in either UAG, with routing to UAG or with firewall settings.

1. Check your external URL settings on UAG. Make sure they use a hostname or IP address that the client can use to connect to that particular UAG appliance. Blast or PCoIP must not route to a different UAG appliance. Initially, just use a single UAG appliance so that you can't get issues of routing to the wrong one.

2. Check your firewall rules. If you are using the default ports, then from the Internet to UAG you must not block TCP 80, TCP 443, TCP 8443, UDP 8443, TCP 4172 or UDP 4172. If you have a firewall between UAG and your virtual desktops, you must not block TCP 22443, UDP 22443, TCP 4172, UDP 4172, TCP 32111, TCP 9427.

3. Make sure Blast Secure Gateway and PCoIP Secure Gateway are not enabled on your Connection Server.

You should initially just focus on one display protocol (Blast or PCoIP) and get that working first. You can then switch to the other and test that. Look at your firewall logs to see if any of these ports are being blocked.

0 Kudos
wreedMH
Hot Shot

1. Where do you set these ExternalURLs at? What page of the UAG? FYI, I only have 1 UAG.

2. Internet to UAG, all ports open in your list. No internal firewalls.

3. Blast and PCOIP are not enabled on my connection server.

0 Kudos
wreedMH
Hot Shot

I got it to work, I just disabled PCoIP everywhere and used BLAST. Works both internally and externally now. BLAST works because I can use a hostname instead of an IP address.

0 Kudos
markbenson
VMware Employee

Glad this is answered.

You can make PCoIP work as well if you want. Just enable PCoIP and set pcoipExternalUrl with an IP address. This will be the IP address that the client uses to connect to UAG. You also have to open up TCP and UDP 4172 on the firewall between the client and UAG and also between UAG and the virtual desktop.

0 Kudos
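
The checks from the replies above, written as an added example that is not part of the thread and is not VMware code: it compares a firewall rule set with the port lists quoted in the first reply and validates the two external URL settings offline. The function names, the dict layout, the `host:port` value form and the sample values are assumptions; 203.0.113.10 is a documentation address standing in for the public IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Default-port lists as given in the first reply: (protocol, port).
INTERNET_TO_UAG = {("tcp", 80), ("tcp", 443), ("tcp", 8443), ("udp", 8443),
                   ("tcp", 4172), ("udp", 4172)}
UAG_TO_DESKTOP = {("tcp", 22443), ("udp", 22443), ("tcp", 4172),
                  ("udp", 4172), ("tcp", 32111), ("tcp", 9427)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host_of(value):
    """Host part of 'https://host:port', 'host:port' or a bare host (None if empty)."""
    return urlsplit(value if "//" in value else "//" + value).hostname


def check_external_urls(settings, clients_external=True):
    """Return findings for the two external URL settings (empty list = OK)."""
    findings = []
    for key in ("blastExternalUrl", "pcoipExternalUrl"):
        host = host_of(settings.get(key, ""))
        if not host:
            findings.append(f"{key}: not set")
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # value is a hostname, not an IP literal
        if key == "pcoipExternalUrl" and ip is None:
            findings.append(f"{key}: hostname given, the thread says to use an IP address")
        if clients_external and ip is not None and any(ip in n for n in RFC1918):
            findings.append(f"{key}: {ip} is RFC 1918, not reachable from the Internet")
    return findings


def missing_ports(allowed, required):
    """Required (protocol, port) pairs that the firewall rule set does not allow."""
    return sorted(required - set(allowed))


if __name__ == "__main__":
    # Constructed input: the NAT rule from the question (TCP and UDP 443, 8443, 4172).
    nat = {(p, n) for p in ("tcp", "udp") for n in (443, 8443, 4172)}
    print("missing Internet->UAG:", missing_ports(nat, INTERNET_TO_UAG))
    # Constructed settings: hostname for Blast, hostname (wrong) for PCoIP.
    print(check_external_urls({"blastExternalUrl": "https://vdi.acmeco.com:8443",
                               "pcoipExternalUrl": "vdi.acmeco.com:4172"}))
```
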