AlessandroG72
Contributor
Contributor

Horizon Blast Gateway

Hello,

I wanted to change my server connection server configuration, but unfortunately I have difficulties and I can't understand where the problem is.

Currently the configuration is: Use Blast Secure Gateway for all Blast connections, and I wanted to change it to Donot use Blast secure Gateway.

Unfortunately, if I change this setting, two things I can't understand: either from the pc zero client or from the client on windows, as soon as I enter the login credentials, the vm machine assigned to the user goes into error (blue screen). This happens on all of us on numerous vm.

Can you help me understand how I can understand what's going on?

Thanks Alessandro

0 Kudos
21 Replies
BenFB
Commander
Commander

Enabling or disabling the BSG (Blast Secure Gateway) on your connection servers should not cause your VMs to BSOD.

With BSG enabled all connections from the endpoints are tunneled through the connection servers. This can greatly simplify and control the communication in your environment. With it disabled the endpoints need to communicate directly with the virtual desktops running the Horizon Agent. I could see the user logging in and then receiving a black screen before being disconnected if the required firewall rules are not in place. I don't like to use any of the tunnels on my connections servers and instead like the use of load-balanced UAG both externally and if necessary internally.

0 Kudos
AlessandroG72
Contributor
Contributor

Thanks BenFB

you got it right !!!!

I'm looking for using UAG (into dmz) and i followed this link   "https://www.carlstalhood.com/vmware-unified-access-gateway/"
I have read that I must disable all the "internal" gateways to the connection servers (are in my Lan) . I followed the mapping of the ports for UAG 443-8443-4172 for the UAG server, but unfortunately I always get black screen. As connetion server inside uag I entered https: //contoso.local and as Blast External URL I entered https://contoso.com:443, but unfortunately I always get black screen.

I state that inside I have everything in client tunnel connection and everything works well

can ypu help me for search problem

Thanks Alessandro

0 Kudos
sjesse
Leadership
Leadership

The desktop your connecting to, are you selecting blast or the default blast, if not you may be using pcoip and if you don't have that tunnel setup it may not work either.Can you post screenshots of settings in the connection server and the uag, feel free to block out the ssl thumbprint and dns names, I'm just curious to see what the rest looks like.Also what does horizon settings look like in the uag are they all green like this

pastedImage_0.png

0 Kudos
BenFB
Commander
Commander

The black screen is a connection issue (firewall, routing, configuration, etc...). Are you currently load balancing the UAG? Persistence needs to be maintained during the primary and secondary horizon protocols from the endpoint to the UAG.

The UAG implement the HTTP(S) Secure Tunnel, BSG (Blast Secure Gateway) and PSG (PCoIP Secure Gateway). You must disable the HTTP(S)/BSG/PSG on the connection servers.

0 Kudos
AlessandroG72
Contributor
Contributor

Hello Sjesse

this is my UAG

pastedImage_0.png

0 Kudos
AlessandroG72
Contributor
Contributor

Hi  BenFB

pastedImage_0.png

My settings are these, I left the gateways otherwise internal users cannot connect .I left this way, because users inside my network (LAN) connect directly to the connection server, without going through DMZ

0 Kudos
sjesse
Leadership
Leadership

In the connection server uncheck all of them, you don't want them to be checked, the only place you want the gatway settings are in the uag.

0 Kudos
AlessandroG72
Contributor
Contributor

Uncheck ONLY https and PCoIP ?

thanks Alessandro

0 Kudos
sjesse
Leadership
Leadership

0 Kudos
AlessandroG72
Contributor
Contributor

Hi sjesse

i read this guide but if i uncheck all " Gateway "  , my zero-pc don't connect with  vm , somtimes i see that vm enter in error with blue scrrem

In this moment i uncheck first and second , but when i try to connect from external with PCoIP , i don't try nothing

Thansk Alessandro

0 Kudos
BenFB
Commander
Commander

That sounds like a firewall or possibly routing issue. When you uncheck the tunnels/secure gateways your endpoints need to be able to communicate with the Horizon Agent in addition to the connection servers.

You need to do one of the following.

  1. Configure the necessary firewall rules/routing
  2. Cutover to use UAG internally
  3. Keep these connection servers for internal traffic and deploy a new pool just for external connections that the UAG will point to. All tunnels/secure gateways must be disabled on these.
0 Kudos
AlessandroG72
Contributor
Contributor

Thanks BenFB

I wanted to ask you something please. Checking with the VMWARE schema port  I saw that UAG (DMZ) must connect with Horizon agent on port 222443.

i try wiith this comand un pc into LAN  , but i haven'u respond ?  It's right ?^

curl -v telnet://VIRTUAL-DESKTOP:22443

Thanks Alessandro

0 Kudos
sjesse
Leadership
Leadership

I'm not sure it responds to curl, but you need to make sure 22443 is open between the uag and any virtual desktop. Look at this if you haven't

Network Ports in VMware Horizon 7: VMware Horizon 7 version 7.2

As it has all the required firewall ports needed, I'd review more than just the uag though, and make sure all components can talk to each other.

0 Kudos
sjesse
Leadership
Leadership

also do you have your desktops joined to ad and do they have valid dns records?

0 Kudos
AlessandroG72
Contributor
Contributor

Hello BenFB

unfortunately I followed all your instructions, but I still couldn't get a result. Even disabling all the gateways in the connection server, I always get a black screen both from the outside and from the inside through the VMware Client.

I checked the ports on the firewall and always everything ok.

There is no log that can put me on the right way ?

Thanks Alessandro

0 Kudos
sjesse
Leadership
Leadership

Have you tried setting up a UAG in the same network to make sure the configuration is correct, you abosuletly cannot have the secure gateway options checked on the connection servers when your using a UAG.

0 Kudos
AlessandroG72
Contributor
Contributor

Hello, thank you for your help.

i wnat to summarize my situazion:

1) I have 80 users who connect to their Vm
2) At the moment the 80 users have a zero-client in the office
3) The possibility arose that some of these users must connect from home.
4) so I will have a mixed situation

At the moment, all zero client PCs connect to the server via SRV-HORIZON.CONTOSO.LOCAL  (connection server)

On the connection server I have all the gateways activated.

Zero client, vm, and server connection are on the same network

I tried disabling the gatewaws on the connection server but after the zero clients didn't connect.

First question, when I disable gateways from zero-client computers, where do these computers have to connect to the UAG server or to a connection server?

Fyi my UAG is into DMZ

Thanks Alessandro

0 Kudos
BenFB
Commander
Commander

First I want to make sure it's understood what the gateway does for your endpoints (in this case your zero clients).

  • With the gateway enabled, your endpoints only communicate with the connection server(s). The connection server(s) then initiate communication with the horizon agents. This is often used when security policies require restricted communication to the virtual desktops.
  • With the gateway disabled, your endpoints still start with the connection server(s) for the horizon primary protocol (authentication and pool selection) but then communicate directly with the horizon agent for the secondary protocol (PCoIP, Blast, RDP).

When you disable the gateways on the connection servers what error are you receiving on the endpoints? We need to get that working first before introducing the UAG. Alternatively you can leave these connection servers as is and deploy new connection servers just for use with the UAG.

Can you provide the following (obfuscate as needed)?

Number of connection servers and version:

Any load-balancers in use:

Horizon agent version:

Subnets that your endpoints, connection servers, VDI (horizon agents) and UAG are on.

0 Kudos
AlessandroG72
Contributor
Contributor

Hi BenFB

Number of connection servers and version:      1 server (SRV-HORIZON.contoso.local) +  1 replica server  (SRV-RHORIZON.contoso.local)

Any load-balancers in use:   NO

Horizon agent version:   4.8

Subnets that your endpoints, connection servers, VDI (horizon agents)  :  all same subet  10.10.0.0/23 vlan 1

I followed your advice, I turned off UAG and disabled all the gateways both on the connection server and on the replication server

In this situation with the PCoIP protocol both zero client clients, both with the client installed on a windowns 10 machine, and through the web, I can connect without any problem.

this happens both on the client zero PC and on the client view

When I try with the BLAST protocol, I can't connect, because  after login, blue screen with error and then the machine restarts ,  this happens both on the client zero PC and on the client view

I'm trying to understand why the BLAST protocol doesn't work, what advice can you give me?

Thanks Alessandro

0 Kudos