VMware Horizon Community
afriestedt
Contributor

Horizon UAG Local Network Access

I'm testing out a Horizon setup in my small business and am having an issue accessing the UAG from the FQDN within our office.

Here is my setup

Internet => Firewall => (NIC1 = 10.10.20.2) [UAG] (NIC2 = 192.168.15.205) => Connection Server (192.168.15.200)

Corporate network = 192.168.15.0/24

FQDN = remote.example.com (IP = 96.68.xx.xxx).

It resolves to the firewall (96.68.xx.xxx) and port forwards 443, 8443, and 4172 to 10.10.10.2 (the external NIC1 on the UAG).

When I'm on the Internet (outside of the corporate internal network 192.168.15.0/24)... I can access the UAG by using https://remote.example.com. The service works as expected. However, when I'm in the office behind the UAG and try to access https://remote.example.com I get ERR_CONNECTION_TIMED_OUT. Same is true when I try https://96.68.xx.xxx from inside the corporate network.

I've installed a signed TLS Server Certificate on the "Internet Interface".  It works as expected from a remote location.  I can ping remote.example.com from the office and it resolves to the static IP assigned to the firewall.  So traffic is routing correctly from the internal network to the external IP of the UAG (The public static on the firewall that is port forwarded to the UAG).

When I try curl from inside the corporate network I get the following:

curl https://remote.example.com

curl: (7) Failed to connect to remote.example.com port 443: Timed out

When I try https://192.168.15.205 (The internal NIC2 of the UAG) from inside the corporate network I'm able to access the Horizon Login page....

Why in the world can't I access the Horizon login page from inside the corporate network when I use https://remote.example.com? I've spent HOURS troubleshooting.

thx


Accepted Solutions
afriestedt
Contributor

My Untangle Firewall has (2) Internal NICs

NIC0 = Corporate (192.168.15.0/24)

NIC1 = UAG (10.10.2.0/24)

192.168.15.1 can ping 10.10.2.1. However, it cannot ping 10.10.2.20 (UAG External NIC). Routes are not required on my firewall to accomplish this because I'm not NATing these interfaces.

I just put 10.10.2.20 on the NIC0 interface and set up a route for 10.10.2.0 to NIC0. I can now ping remote.example.com AND 10.10.2.20. This solved the problem. However, I want to understand why my old setup on NIC1 did not work. This is a strange firewall routing issue I'll dig into.

Thanks again for everything.

Mickeybyte2
Hot Shot

afriestedt

Do you have a split DNS configuration setup for example.com? This would mean you have an external DNS server for your example.com domain but also an internal DNS server for example.com. This way, you can set remote.example.com on your internal DNS to 192.168.15.205 and the external DNS to 96.68.xx.xxx.

The way you do it now, is you're trying to go from the internal network to the WAN side of your firewall, which will then be NAT-ted (or maybe it's not NAT-ted and that could be the problem) to the UAG IP NIC1. Most likely this will be a configuration error on your firewall that prevents this from working.

As you can access the NIC2 interface from your LAN, and the UAG works fine from external, it seems the UAG setup is ok.

The ping to 96.68.xx.xxx will work, cause you're actually pinging the firewall interface, not the UAG.

Regards, Michiel.
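To make the split-DNS versus hairpin-NAT distinction from the reply above concrete, here is a small diagnostic script. It is an added example and not code from the thread, VMware or Untangle; the function names, the sample addresses and the expected-path labels are my own assumptions, and the addresses in the usage section are constructed placeholders standing in for the poster's real ones. It resolves the Horizon FQDN, decides whether the answer is the UAG's internal NIC (split DNS in effect), the firewall's public address (LAN traffic must hairpin through the WAN side) or something else, and then probes the three forwarded Horizon ports with a short TCP timeout so a "timeout" on the hairpin path stands out from a "refused" or a working "open".

```python
"""Split-DNS / hairpin-NAT diagnostic for a Horizon UAG (added example, not the thread's code).

Assumed layout, mirroring the thread: an internal LAN, a UAG with an internal NIC on
that LAN, and a public address on the firewall that forwards the Horizon ports to the UAG.
"""
import ipaddress
import socket

# Ports the thread's firewall forwards to the UAG: HTTPS, Blast Extreme, PCoIP.
HORIZON_PORTS = (443, 8443, 4172)


def classify_resolution(resolved_ip, lan_cidr, uag_internal_ip, public_ip):
    """Return which path a LAN client will take, given the address DNS returned."""
    addr = ipaddress.ip_address(resolved_ip)
    if addr == ipaddress.ip_address(uag_internal_ip):
        return "split-dns-internal"    # internal DNS points at the UAG's LAN NIC
    if addr == ipaddress.ip_address(public_ip):
        return "hairpin-via-firewall"  # LAN client must loop out through the WAN address
    if addr in ipaddress.ip_network(lan_cidr, strict=False):
        return "lan-other-host"        # resolves into the LAN, but not to the UAG
    return "unexpected"


def probe_port(host, port, timeout=3.0):
    """TCP connect check; returns 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def explain(path, port_results):
    """Map the resolution path plus port results onto the likely cause (assumed heuristics)."""
    if all(state == "open" for state in port_results.values()):
        return "ok"
    if path == "hairpin-via-firewall":
        # Exactly the symptom in the thread: curl times out from inside the LAN because
        # the firewall does not hairpin or route LAN traffic to the UAG's external NIC.
        return "firewall does not hairpin LAN->WAN->UAG; fix routing or use split DNS"
    if path == "split-dns-internal":
        return "internal DNS is right; check the UAG's listener on its internal NIC"
    return "DNS answer does not match the expected UAG addresses; check the zone"


def diagnose(fqdn, lan_cidr, uag_internal_ip, public_ip,
             resolver=socket.gethostbyname, prober=probe_port):
    """Resolve the name, classify the path and probe each Horizon port.

    resolver and prober are injectable so the logic can be exercised without a network.
    """
    resolved = resolver(fqdn)
    path = classify_resolution(resolved, lan_cidr, uag_internal_ip, public_ip)
    ports = {port: prober(resolved, port) for port in HORIZON_PORTS}
    return {"resolved": resolved, "path": path, "ports": ports,
            "verdict": explain(path, ports)}


if __name__ == "__main__":
    # Constructed placeholder addresses (assumption), not the poster's real ones.
    report = diagnose("remote.example.com", "192.168.15.0/24",
                      uag_internal_ip="192.168.15.205", public_ip="203.0.113.10")
    print(report)
```

Run it from a workstation on the office LAN; a result of `hairpin-via-firewall` with every port reporting `timeout` reproduces the curl symptom from the original post, while `split-dns-internal` with all ports `open` is what the suggested internal DNS record should produce.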
afriestedt
Contributor

@

Mickeybyte2
Hot Shot

afriestedt

Disabling the Tunnels on the connection servers was the correct thing to do. This however has nothing to do with the issue you have. Your issue is a firewall issue.

I'm not sure if you can point the internal DNS to NIC2, I haven't set up a UAG like this before. I always set them up with a single NIC, so I'm not sure if the capabilities of the UAG depend on which interface you're accessing it on. Just try!

If it's not working, check this: You've said you can access the UAG internally by the NIC2 IP, which is normal, because it's the LAN side. Can you also access the UAG by the NIC1 IP from the LAN? If that works, point your internal DNS to the NIC1 IP. If it doesn't work, sort out your firewall rules until it's working.

Regards, Michiel.
afriestedt
Contributor

Well, this is without a doubt a firewall issue. This is an Untangle issue. I will troubleshoot with support there and post the ultimate resolution.

I basically have two issues. I'm unable to ping the static public IP of the UAG from within the corporate network. AND I cannot ping the private Internet static IP of NIC1 on the UAG. I can ping the gateway of the private static of the UAG (10.10.2.1) but can't hit 10.10.2.20. I can hit other public statics in my range, but just not the one allocated to the UAG.

So strange.  I will dig deeper and post the results to hopefully help others.

thx again for the tips!

Mickeybyte2
Hot Shot

I'm thinking of:

- default gateway in UAG?

- routing setup firewall

Regards, Michiel.