VMware Horizon Community
KC135ATS
Contributor

How do remote View thin clients use local network for Internet?

We have recently installed a new View system at our home site in our VMware 5.5 server farm. The thin clients (HP 610) we use to run View perform great as local user stations and surf the Internet quite well over our 100Mb T-1. Obviously, that type of performance was to be expected from a local client. As we've started deploying our thin clients to some of our remote sites (their desktops are being served to each thin client over a secure BOVPN connection from the remote sites' firewalls to our home site), the users have begun to complain more and more about their thin units' performance, especially when surfing the Internet. Recently, I had an opportunity to visit a remote site, so I took a look at their complaints, especially surfing the Internet. When they were accessing apps and services hosted at our home site, the performance seemed adequate to me. When surfing the Internet, I had to agree with them. It is slower. When I examined the home site firewall's traffic monitor, it appeared the remote thin clients were surfing the Internet through the home site firewall instead of going out their own firewall. Has anyone else seen this and/or is this normal behavior? I realize that, since the View VMs are running at our home site, it would make sense for them to access the Internet as I've described. My question is, can I configure our remote thin clients to use their sites' own firewall for Internet access instead of our home site firewall? They should only be talking to our home site for View and internal apps. Thanks in advance for any help. Everyone have a great 4th of July.

Billbo

8 Replies
CameronUBC
Enthusiast

Are you using full PCs on your remote site? If so, how are they set up? They should be set up the same. If I understand what you're trying to do, this should be set on your router and not your thin client. Essentially you should have a routing rule to forward your home network across your VPN and a default rule to go out to the internet on your remote site. Maybe I don't quite understand the situation you're in, but your network setup sounds a little funny. In addition, I'm not sure why you chose to route your View traffic across the VPN when you can use a View security server and SSL. It's a better supported configuration; however, if you're happy with routing View traffic across a VPN, then no sense in breaking what works when you have other fish to fry at the moment. The way it's set up like this, though, makes me think that your network architecture decisions may not have been made carefully.

If that's not entirely helpful, then perhaps you could shed a little more light on your situation? What OS are you using on your Thin Clients?

BillOfBo
Contributor

Thanks for helping, CameronUBC. It’s much appreciated. Yes, at each of our remote sites there are a few full PCs. Being normal clients on their network, they surf the Internet just fine. All clients we have (full PCs, laptops, thin clients) will be running Windows 7. Our home site is serving the remote sites via branch office VPNs (BOVPNs) which use IPSec and are configured with the best encryption setup WatchGuard has available with their XTM 11.10 release. Though I agree with you, due to a customer requirement, we are not allowed to use any public-facing servers for AF security reasons, so unfortunately the View Security Server is off the table. At the remote sites, all clients use DHCP from their local firewall. The remote desktops provided to each thin client in use remotely or locally use DHCP from our home site firewall. For example, at remote site 1, their subnet is 10.0.21.1/24 and their DHCP pool is 10.0.21.101-10.0.21.50. The View remote desktops at the main site use a DHCP pool of 192.168.128.1/23 (our main site DHCP). What you’ve suggested makes sense, but how do I configure it? For example, a thin client at remote site 1 has, via DHCP, the secured IP address 10.0.21.101/24 for its HP 610 thin client unit to use. Then, a user logs onto the thin client with their valid AD username and password, in turn connecting them to the View Connection Server hosted at our main site on our LAN Servers subnet, 192.168.100.1/24. Once authenticated, View connects the remote user’s thin client to the user’s dedicated remote WIN7 desktop session. By all appearances, everything is working fine. The remote View desktop can access the resources it requires at our home site and performance seems to be okay. According to the remote users, surfing the Internet is their big problem.
After examining their traffic, it appears all of the remote client’s Internet traffic is going back through their BOVPN to our main site, accessing the Internet via our firewall, then returning their Internet traffic back to the remote user’s View Desktop over their BOVPN connection. I do realize this is definitely not the optimum communications setup. How do I set up the View Desktop and/or HP 610 thin client to use the remote site’s firewall for Internet access instead of using the main site’s via routing? Since the View Desktops actually reside on a main site subnet, it does make some sense why they use the main site’s firewall for Internet. How do I configure routing so they’ll each capitalize on their own site firewall for Internet? Currently, as we bring more thin clients online, all sites' overall performance is slowly being impacted. Thanks again for your input.

Billbo

CameronUBC
Enthusiast

The first thing to do is read the documentation for your firmware version and understand how routing is working with the VPN virtual interface. I checked this documentation http://www.watchguard.com/help/docs/wsm/XTM_11/en-US/v11_9_WSM_User_Guide_(en-US).pdf

Don't make any changes yet - just read about it and get a comfortable understanding of how this is set up. Figure out what you want to change and then contact the vendor for help to validate your changes; then, when you make the changes, please back up your firewall configuration and know how to restore it. Make the changes after hours and have a testing plan made ahead of time so you can validate that it's working as designed and doesn't have any adverse effects.

BillOfBo
Contributor

I manage all of the firewalls and keep them up to date on their changes as well as activities. As I said in my first reply, we're using IPSec with XTM 11.10's most secure capabilities. I've read the WatchGuard material more than once searching for an answer to this problem. If we could use SSL's split-tunnel capability, it might be of help, but for the remote sites' connections to our main site, only BOVPN connections are allowed by the customer. From your first reply, I was under the impression we could possibly make a routing change to the View Desktop and/or the HP 610 thin client. Back to the drawing board now. 😞

BillOfBo
Contributor

I'm also getting more than one message from you and replying to each of them. It seems like none of my replies are being posted when emailed, and one of the emails I received from you was removed from the thread. To reply, I've been having to reply directly to the discussion.

Billbo

CameronUBC
Enthusiast

The only other possibility is to modify your routing tables on your clients to point to another gateway, but I doubt you have a second gateway. The thing is, your gateway is going to be doing the routing, so you can't really bypass it.

Adding a TCP/IP Route to the Windows Routing Table

mkolus
Contributor

It's the expected behavior. The desktops are at your home site and they will use your home network and Internet connection.

If you use a route it will be the same: the packet would travel to the remote site via VPN, then to the Internet, back to the remote site and finally back to your home site. I wouldn't recommend that (it would even be a complicated setup).

What I would do is host the desktops at the remote site, even when this means that you'll have more administration overhead (backups, redundancy, etc.). If they are at the remote site, they will use its network.

I don't know if there's some "use the local network for connections to..." feature implemented in the PCoIP protocol.

Greets.

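To make the routing point from CameronUBC's first reply and mkolus's hairpin warning concrete, here is an added example that is not part of the thread: a small longest-prefix-match route simulator for the two-site layout. The subnets (192.168.128.0/23 for the View desktops, 192.168.100.0/24 for the main-site servers, 10.0.21.0/24 for remote site 1) come from BillOfBo's posts; the firewall names `main-fw` and `site1-fw`, the uplink names and the 8.8.8.8 test destination are assumptions made for the illustration. It traces which firewall makes the forwarding decision for a given source host, and what happens if the main-site default route is pointed down the BOVPN.

```python
# Added example (not from the thread): a longest-prefix-match route simulator
# for the two-site layout described above. The subnets come from BillOfBo's
# posts; the firewall and uplink names and the 8.8.8.8 test destination are
# assumptions made for the illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]            # (prefix, next hop)
RouteTable = Dict[str, List[Route]]

# Next-hop conventions used here: "connected" means a directly attached subnet,
# "vpn:<peer>" hands the packet to the peer firewall over the BOVPN tunnel, and
# "internet:<site>" sends it out that site's own uplink.
ROUTERS: RouteTable = {
    "main-fw": [
        ("192.168.128.0/23", "connected"),    # View desktop DHCP pool (main site)
        ("192.168.100.0/24", "connected"),    # LAN servers / Connection Server
        ("10.0.21.0/24", "vpn:site1-fw"),     # remote site 1 over the BOVPN
        ("0.0.0.0/0", "internet:main"),       # default route: main-site uplink
    ],
    "site1-fw": [
        ("10.0.21.0/24", "connected"),        # thin-client DHCP pool at site 1
        ("192.168.128.0/23", "vpn:main-fw"),  # View desktops reached over BOVPN
        ("192.168.100.0/24", "vpn:main-fw"),  # main-site servers over BOVPN
        ("0.0.0.0/0", "internet:site1"),      # default route: site 1's own uplink
    ],
}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins)."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def first_hop(src: ipaddress.IPv4Address, routers: RouteTable) -> str:
    """The firewall whose directly connected subnet contains the source host."""
    for name, table in routers.items():
        for prefix, next_hop in table:
            if next_hop == "connected" and src in ipaddress.ip_network(prefix):
                return name
    raise ValueError(f"{src} is not on any connected subnet")


def trace(src_ip: str, dst_ip: str, routers: RouteTable = ROUTERS,
          entry: Optional[str] = None, max_hops: int = 8) -> List[str]:
    """Follow a packet from src to dst through the firewalls it traverses.

    `entry` names the firewall a packet arriving from the Internet enters at
    (a source address outside every connected subnet has no first hop).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    router = entry or first_hop(src, routers)
    path = [router]
    for _ in range(max_hops):
        route = lookup(routers[router], dst)
        if route is None:
            return path + ["unreachable"]
        prefix, next_hop = route
        if next_hop == "connected":
            return path + [f"delivered:{prefix}"]
        if next_hop.startswith("internet:"):
            return path + [next_hop]
        router = next_hop.split(":", 1)[1]   # "vpn:<peer>" -> continue at the peer
        path.append(router)
    return path + ["loop"]


def with_default_via_vpn(routers: RouteTable = ROUTERS) -> RouteTable:
    """The 'send the desktops' Internet traffic to the remote site' idea:
    replace main-fw's default route with the BOVPN to site 1 (copy, not in place)."""
    patched = {name: list(table) for name, table in routers.items()}
    patched["main-fw"] = [r for r in patched["main-fw"] if r[0] != "0.0.0.0/0"]
    patched["main-fw"].append(("0.0.0.0/0", "vpn:site1-fw"))
    return patched


if __name__ == "__main__":
    print(trace("192.168.128.50", "8.8.8.8"))   # View desktop: out the main-site uplink
    print(trace("10.0.21.101", "8.8.8.8"))      # the thin client itself: out site 1's uplink
    hairpin = with_default_via_vpn()
    print(trace("192.168.128.50", "8.8.8.8", hairpin))                     # desktop -> BOVPN -> site 1 uplink
    print(trace("8.8.8.8", "192.168.128.50", hairpin, entry="site1-fw"))  # reply crosses the BOVPN again
```

The first two traces show why a route on the HP 610 changes nothing: the browser the user sees runs inside the desktop VM, whose first hop is `main-fw`, so only that firewall's table decides where Internet-bound packets go. The last two traces are mkolus's hairpin: pointing the main-site default route down the tunnel moves the exit to site 1, but every request and every reply still crosses the BOVPN, so the tunnel carries the same traffic as before plus the encapsulation overhead.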
BillOfBo
Contributor

I've been reading tons of material on this issue and I believe you're correct. Since the View Desktop VMs are published and hosted by our View system, which is only on our main site network, their network access is controlled by the routing tables of the main site's firewall. If the VMs were hosted at each remote site, their firewall's routing tables would make the thin clients work correctly. Mkolus's reply about hosting at each site backs my conclusion. Using an embedded OS may very well work, too.
