VMware Horizon Community

Mike_MT, Contributor

Internal Untrusted Clients Directed to External IP for PCoIP Traffic

I have a network segment off my firewall for some untrusted clients. When the untrusted clients connect to View (5.3) they use a DNS name that resolves to a DMZ host (View Security Server). This is where I think the problem is: It seems that Security Server responds with its external IP address and then all the PCoIP traffic gets routed out to my router (where the external IP address can be found) and then back in to View and the client. SSL login traffic works fine, traffic stays inside and does not get directed to the external IP. It's only PCoIP traffic that gets directed to use the external IP.

It seems like DNS is not enough - Security Server seems to respond and connect using only the external IP configured in the PCoIP External URL field - is this correct? If so, then there needs to be an override for the External URL so that internal untrusted traffic doesn't get routed out to the external IP - this creates a lot of unnecessary traffic, messes with QoS, etc.

Another thought would be to allow the untrusted clients to connect directly to a Connection Server instead of sending them to the Security Server, but I don't believe this is a best practice...?

Mike

3 Replies
Linjo, Leadership

You then need to set up another connection broker/security server that will handle that traffic.

// Linjo

mpryor, Commander (accepted solution)

As Linjo says, the simplest solution is to set up an additional security server to point these clients to (no need for another connection server, you can pair it with the existing one). You are required today to provide an IP address for the PSG, so you will need a second server if you need to route them through a different one.

Of course, if they are completely untrusted clients then you may want to force them to go through the external access point anyway but it sounds like you need to avoid the extra traffic cost of that approach.

Mike

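The routing question in this thread (does the PCoIP External URL a Security Server advertises keep an internal segment's PCoIP traffic inside, or does it hairpin out through the edge router?) can be checked before you build a second Security Server. The script below is an added example written for this page; it is not VMware's tooling or code from any of the posters. The server names, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the internal prefixes are constructed inputs. It also mirrors the point in the accepted answer that the PCoIP External URL must be a literal IP address, by rejecting a DNS name.

```python
"""Decide, per client segment, whether PCoIP traffic to a View Security Server
stays internal ("direct") or leaves via the edge router and comes back
("hairpin"), based on the IP each server advertises in its PCoIP External URL.
All servers, addresses and prefixes below are constructed examples."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PCOIP_PORT = 4172  # port the PCoIP Secure Gateway on a Security Server listens on


@dataclass(frozen=True)
class SecurityServer:
    name: str                 # hypothetical server name
    pcoip_external_url: str   # value of the "PCoIP External URL" field, "ip:port"


def parse_pcoip_external_url(url: str) -> Tuple[ipaddress._BaseAddress, int]:
    """Split "ip:port" into (ip_address, port).

    View requires a literal IP address in this field, so a hostname is rejected
    here with ValueError rather than silently accepted. IPv4 only; bracketed
    IPv6 literals are not handled by this helper.
    """
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected ip:port, got {url!r}")
    return ipaddress.ip_address(host), int(port)   # ip_address() rejects a DNS name


def pcoip_path(client_net: ipaddress.IPv4Network,
               server: SecurityServer,
               internal_prefixes: Iterable[ipaddress.IPv4Network]) -> str:
    """Classify how a client in client_net reaches server's advertised PCoIP IP.

    direct      - advertised IP is reachable without leaving the client's network
    hairpin     - internal client given a public IP: traffic goes out to the
                  edge router and back in (the symptom in the original post)
    unreachable - external client given a private IP it cannot route to
    """
    prefixes = list(internal_prefixes)
    ip, port = parse_pcoip_external_url(server.pcoip_external_url)
    if port != PCOIP_PORT:
        # A non-default port is legal but usually a typo; surface it instead of hiding it
        return f"nonstandard-port:{port}"
    client_internal = any(client_net.subnet_of(p) for p in prefixes)
    advertised_internal = any(ip in p for p in prefixes)
    if client_internal:
        return "direct" if advertised_internal else "hairpin"
    return "unreachable" if advertised_internal else "direct"


def pick_security_server(client_net: ipaddress.IPv4Network,
                         servers: List[SecurityServer],
                         internal_prefixes: Iterable[ipaddress.IPv4Network]
                         ) -> Optional[SecurityServer]:
    """Return the first Security Server whose advertised PCoIP IP the segment
    reaches directly. None means no existing server fits and a further one
    (paired with the same Connection Server) is needed for that segment."""
    prefixes = list(internal_prefixes)
    for s in servers:
        if pcoip_path(client_net, s, prefixes) == "direct":
            return s
    return None


# Constructed example inventory (hypothetical names and addresses).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
SERVERS = [
    SecurityServer("dmz-ss1", "203.0.113.10:4172"),   # existing server, public IP
    SecurityServer("dmz-ss2", "10.20.30.40:4172"),    # second server, internal IP
]
UNTRUSTED_SEGMENT = ipaddress.ip_network("192.168.50.0/24")   # internal untrusted clients
INTERNET_CLIENTS = ipaddress.ip_network("198.51.100.0/24")    # a genuinely external segment


def report(segments: List[ipaddress.IPv4Network]) -> List[str]:
    """One line per segment and server, plus the server the segment should use."""
    lines = []
    for seg in segments:
        for s in SERVERS:
            lines.append(f"{seg} -> {s.name} ({s.pcoip_external_url}): "
                         f"{pcoip_path(seg, s, INTERNAL_PREFIXES)}")
        chosen = pick_security_server(seg, SERVERS, INTERNAL_PREFIXES)
        lines.append(f"{seg}: point DNS at {chosen.name if chosen else 'NO SUITABLE SERVER'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report([UNTRUSTED_SEGMENT, INTERNET_CLIENTS])))
```

Run it after entering your real prefixes and the PCoIP External URL of each Security Server; a "hairpin" line for the untrusted segment against the only server you have is the condition Linjo and mpryor describe, and the fix is the second paired Security Server with an internal address in that field. The script only reasons about addressing; it does not prove the firewall passes TCP and UDP 4172 along the chosen path, so verify that separately.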
Mike_MT, Contributor

This helped. I paired another security server with my connection server and set its 'external IP' as one that my untrusted internal clients can reach.

Thanks,

Mike
