adamabel
Contributor
Contributor

Horizon Desktop Client fails auth "coud not establish tunnel connection"

Jump to solution

I've recently been testing a horizon 8 deployment for RDS host VDI.  During testing when the horizon server was completely isolated to our internal network for testing I could use the html or desktop client without issue.  Since we moved it to a pubilc facing url the html side still works but the desktop client is giving me this error when i attempt to authenticate.  I have ports 80, 443, 4172, and 8443 open in our corporate firewall towards the connection server.  When doing this testing from a domain joined machine it works fine.  I get this error whether I'm connected to our corporate VPN or not.  I pulled up wireshark on my machine to see if that would give me a clue and I'm connecting over  https to the server just fine the last packets before things stop and it waits for time out are towards my machine so I suspect its an issue with my machine.  Any suggestions on where to look beyond this? 

 

Machine is Windows 10 enterprise LTSC 20H2

Labels (1)
Tags (1)
0 Kudos
1 Solution

Accepted Solutions
adamabel
Contributor
Contributor

Thanks for the reply to fill in some gaps in my original post we are using blast for the protocol, and during my packet capture only 443 was used to establish the connection to the connection server.  Note In this test I am not actually connecting to a RDS server or a VDI instance just the connection server to get the list of RDS and VDI's I have available as a client.  We did not deploy a UAG or an SSO workspace one server yet. One of my colleagues on a domain machine was getting a cert error and look into our proxy and found that we didn't have a proper cert.  Once it was updated my issue was resolved as well.  This was on a Nginx proxy server.  Hope this helps anyone else googling this problem as all the solutions or issues I found were related to connecting to a VDI not just pulling the list of machines. 

View solution in original post

0 Kudos
2 Replies
MiMenl
Enthusiast
Enthusiast

This is not really my cup of tea.

According to your story, it works on domain joined machines which are probably all trusted and i suspect there is no real internal fire walling going on internally. also you are probably directly connetiong ovet internal adresses and not through the outside facing IP for internal connections.

in this case HTML is working but this might be because HTML is run from the connection server if I am corerrect which can be exposed to the ouside and kinda uses the normal https ports.

when using is client a couple of things get important.

Which diplay protocol will you be using blast > ? in that case other ports are required where most is TCP  based iIthink blast also has an UDP part,
Then there isthe tunneling part. are you using your onnection server in tunnel mode or not, did you implement UAG's ? . this will change the behaviour too. cause reading your story only the external part is configured towards the connection server an not the endpoint side which might cause a peer to peer connection to fail.  

this might be a difference from within the domain ( or your test environment) were alle is/was probably routed and able to reach eachother.

maybe take a look at : https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-installation/GUID-AF394B4F-B36A-4C32-9FFA-6... in case you did not do his already.

I'm not too  much into networking but this is what I would take a look at.

 

 

 

 

 

It's not code it's spaghetti, and who doesn't like pasta ?
0 Kudos
adamabel
Contributor
Contributor

Thanks for the reply to fill in some gaps in my original post we are using blast for the protocol, and during my packet capture only 443 was used to establish the connection to the connection server.  Note In this test I am not actually connecting to a RDS server or a VDI instance just the connection server to get the list of RDS and VDI's I have available as a client.  We did not deploy a UAG or an SSO workspace one server yet. One of my colleagues on a domain machine was getting a cert error and look into our proxy and found that we didn't have a proper cert.  Once it was updated my issue was resolved as well.  This was on a Nginx proxy server.  Hope this helps anyone else googling this problem as all the solutions or issues I found were related to connecting to a VDI not just pulling the list of machines. 

0 Kudos