My question is more of a clarification of my understanding. It pertains to the external users hitting the VDI. Unlike internal connections, which are direct connections, we want external users to tunnel through the PCoIP Secure Gateway only. For simplicity's sake, for the external users, say there are 2 security servers, each paired to its own single connection server. So 2 Security Servers, 2 Connection Servers. It is my understanding that in this setup the traffic goes as follows:
1. View Client to Security Servers
2. Security Server to paired connection server
3. Connection server to view agent/desktop
4. View Agent back to the Security server bypassing the paired connection server
5. Security Server tunnels traffic from Agent/VM to Client
Please, someone correct me if this is wrong so far. With all that in mind, do we simply set the PCoIP Secure Gateway setting on the 2 security servers and NOT the paired connection servers, because we are only tunneling the external traffic (4172) on security servers? Does it make a difference what's on the Connection Server PCoIP S.G. setting if it's paired to an S.S. that is doing the tunneling?
Hope this makes sense, just trying to be solid on the proper way this should look.
Thanks!
Removing the PCoIP Secure Gateway from the paired Connection Server disables the option on its Security Server. So, I guess it is indeed required, but would someone be able to explain why, since it seems the Security Server is doing the PCoIP tunneling, not the Connection Server?
Thanks!
You are correct in your order of traffic in the original post. I think the paired connection broker is used for authentication and pool listing, but once the connection is made it's no longer in the mix. Also, as you found out, the tunnel option has to be set on the paired connection broker too. I'm not sure I can explain the reason behind the requirement, but it does have to be set.
On #5, there is not really any tunneling at this point. The PCoIP traffic is end-to-end and is just relayed through the security server.
Best practice is to have at least 2 connection brokers per type of connection, so in this case it would be 4: 2 for external and 2 for internal users.
// Linjo
Thanks mittim12 and Linjo for your replies! Linjo, I think we are in agreement; it's more a matter of terminology. For the external users/Security server I am utilizing PCoIP Secure Gateway, not direct connections. Why do the connection servers for the external traffic need the PCoIP Secure Gateway checkbox enabled if a connection on port 4172 doesn't exist? I understand the security servers obviously needing this checked, just not the connection servers paired with them.
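The traffic order in the first post, the relay behaviour Linjo describes (the paired Connection Server brokers the session but is not on the PCoIP data path), and the dependency the original poster found (clearing PCoIP Secure Gateway on the paired Connection Server disables it on the Security Server) can be captured in a small model that derives which hosts must talk to each other on 4172 and flags pairs where external PCoIP would not be relayed. This is an added illustration, not code from the thread or from VMware; the server names, the "desktop-subnet" label and the two SS/CS pairs are constructed, and the rule that the Security Server's PSG setting is only effective when the paired Connection Server's is also set is taken from the poster's observation rather than from product documentation.

```python
"""Model of the external PCoIP connection path described in this thread, plus two
configuration checks. All server names and settings are constructed examples."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PCOIP_PORT = 4172  # PCoIP TCP/UDP port referred to in the thread


@dataclass
class ConnectionServer:
    name: str
    psg_enabled: bool  # the PCoIP Secure Gateway checkbox on this Connection Server


@dataclass
class SecurityServer:
    name: str
    paired_with: ConnectionServer
    psg_enabled: bool  # the PCoIP Secure Gateway checkbox on this Security Server


def effective_psg(ss: SecurityServer) -> bool:
    """Behaviour reported in the thread (assumed here as the rule): clearing PSG on
    the paired Connection Server disables the option on its Security Server."""
    return ss.psg_enabled and ss.paired_with.psg_enabled


def external_path(ss: SecurityServer, desktop: str) -> Dict[str, List[str]]:
    """Hop sequence for an external View Client (steps 1-5 of the first post).
    The brokering hops (1-3) pass through the paired Connection Server; the
    PCoIP session (4-5) is relayed by the Security Server and bypasses it."""
    broker = ["client", ss.name, ss.paired_with.name, desktop]
    if effective_psg(ss):
        pcoip = [desktop, ss.name, "client"]
    else:
        # Without an effective PSG the client would need to reach the desktop
        # directly on 4172, which is exactly what the poster wants to avoid.
        pcoip = [desktop, "client"]
    return {"broker": broker, "pcoip": pcoip}


def required_pcoip_flows(security_servers: List[SecurityServer],
                         internal_cs: List[ConnectionServer]) -> Set[Tuple[str, str]]:
    """Source/destination pairs that must be permitted on PCOIP_PORT. Anything not
    listed here (notably internet -> desktop-subnet) has no reason to be open."""
    flows: Set[Tuple[str, str]] = set()
    for ss in security_servers:
        if effective_psg(ss):
            flows.add(("internet", ss.name))
            flows.add((ss.name, "desktop-subnet"))
        else:
            flows.add(("internet", "desktop-subnet"))
    if internal_cs:
        # Internal users connect directly to the desktop (no gateway), per the thread.
        flows.add(("internal-clients", "desktop-subnet"))
    return flows


def audit(security_servers: List[SecurityServer]) -> List[str]:
    """Flag Security Servers whose external PCoIP traffic would not be relayed."""
    findings = []
    for ss in security_servers:
        if ss.psg_enabled and not ss.paired_with.psg_enabled:
            findings.append(f"{ss.name}: PSG cleared on paired {ss.paired_with.name}, "
                            f"so it is effectively off on {ss.name}")
        if not effective_psg(ss):
            findings.append(f"{ss.name}: external clients would need direct "
                            f"access to desktops on {PCOIP_PORT}")
    return findings


# Constructed example matching the thread: two external SS/CS pairs and two
# internal Connection Servers. CS2 has the checkbox cleared.
CS1 = ConnectionServer("CS1", psg_enabled=True)
CS2 = ConnectionServer("CS2", psg_enabled=False)
SS1 = SecurityServer("SS1", paired_with=CS1, psg_enabled=True)
SS2 = SecurityServer("SS2", paired_with=CS2, psg_enabled=True)
INTERNAL_CS = [ConnectionServer("CS3", psg_enabled=False),
               ConnectionServer("CS4", psg_enabled=False)]
EXTERNAL_SS = [SS1, SS2]

if __name__ == "__main__":
    print(external_path(SS1, "desktop-01"))
    for flow in sorted(required_pcoip_flows(EXTERNAL_SS, INTERNAL_CS)):
        print("allow", PCOIP_PORT, *flow)
    for finding in audit(EXTERNAL_SS):
        print("FINDING:", finding)
```

Running it shows the SS1 session brokered through CS1 but relayed by SS1 alone, and two findings for SS2, whose cleared paired Connection Server leaves external clients needing a direct 4172 path to the desktops; the flow list is what a perimeter rule set for this design should contain and nothing more.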
