VMware Horizon Community
ErikSteffens
Contributor

Security server dmz firewall config

Hello,

I've installed a 5.1 security server in the DMZ. I've paired it successfully with a View connection server in the internal network. I can connect from the internet to the security server and authenticate with the connection server, but after I entitled my desktop, I get the famous black screen and a timeout. All ports needed for the connection are open on the firewall.

Subnet DMZ : 10.127.x.x (security server)
Subnet Internal servers : 10.128.8.x (connection server)
Subnets VMware View Clients: 10.128.48.0, 10.128.56.0 and 10.128.248.0

On my security server, in the DMZ, when it asks the connection broker for a View desktop I see that it is given an IP address from the VMware View Clients subnet on the internal network. The security server can only talk to the 10.127.x.x subnet, so the connection fails. The ports are configured on the firewall as described in the VMware View documentation.

How can I explain to the network guys how to set up the Cisco ASA firewall to allow the right kind of traffic? What kind of rules need to be added? Does anyone have experience with this kind of config?

Please, I need some help here.

4 Replies
mittim12
Immortal

This document has helped many a user set up external View access with PCoIP.

http://communities.vmware.com/docs/DOC-14974

ErikSteffens
Contributor

Yes, thanks for the link. I had seen the website already.

I've checked the rules with the network guys. They say it is configured as documented.

The error I found on the security server is: Failed to allocate outbound connection to 10.128.48.x:32111.

It looks to me like it is looking for an internal IP address. That connection is not available because the security server is in the DMZ. No direct traffic is allowed to the internal network, only through NAT.

What can I tell the network guys to get the traffic to go from the security server to the View desktops? What rules do they need to configure on the Cisco ASA firewall?

mittim12
Immortal

32111 is for USB redirection, so that might not be the error related to your black screen.

BrandonJ
Enthusiast

Without seeing your config, it's hard to say exactly which pieces are missing.

First and foremost, you need to set up a pair of connection servers...one for internal users and one for external. The reason is that the PCoIP gateway is enabled on a per-connection-server basis, and if you enable it on the one connection server you have, then it will try to send all users out to the security server on the DMZ (the actual PCoIP gateway) and back in.

Second, be sure to enable the PCoIP gateway. To be clear, the security server is the gateway, but the configuration is set on the connection server that the security server is linked to.

Third, the firewall rules for PCoIP, USB, and RDP traffic must be configured to allow those ports from the security server all the way through to the virtual desktop subnet/VLAN. Again, the security server is the PCoIP (and RDP) gateway here, not the connection server. The security server is logically functioning similar to a portal device like Microsoft IAG or UGA, a reverse proxy, SSL VPN, etc. If there is a network between your DMZ and your internal network, you'll either have 2 firewalls to drill the holes through or multi-home your security server with one leg on the DMZ and one leg on the middle layer network.

To sum up the port opens, you need:

Open from Internet to security server: TCP 443, TCP & UDP 4172 (TCP 443 is what RDP and USB are tunneled through)

Open from security server to virtual desktops: TCP & UDP 4172, TCP 3389, TCP 32111

These are well documented in the VMware View Architecture Planning PDF.

Of course there are rules required between the security server and connection server as well, but it sounds like those are working.

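A small triage helper, added here as an example and not code from this thread or from VMware: it turns the port list BrandonJ gives into a required-flow table, reports which flows a proposed ruleset is missing, renders the gaps as Cisco ASA extended ACL lines, and parses the "Failed to allocate outbound connection" line from the security server log to say which service the port belongs to (32111 being USB redirection, as mittim12 notes) and whether the target address is in a subnet the security server can actually reach. The log line, the 10.128.48.25 address, the ACL name, and the address tokens are constructed placeholders; the zone names are assumptions.

```python
"""Triage helper for the View security server / firewall problem in this thread.

Added example, not from the thread or VMware. The port list is the one given in
the thread; log line, addresses, subnets and ACL names are constructed placeholders.
"""
import ipaddress
import re

# Services behind the ports named in the thread: (proto, port) -> name.
SERVICES = {
    ("tcp", 443): "HTTPS (RDP and USB are tunnelled through this)",
    ("tcp", 4172): "PCoIP",
    ("udp", 4172): "PCoIP",
    ("tcp", 3389): "RDP",
    ("tcp", 32111): "USB redirection",
}

# Flows the security server needs, as (src zone, dst zone, proto, port).
# Zone names are assumptions used only to label the two legs of the path.
REQUIRED_FLOWS = [
    ("internet", "security-server", "tcp", 443),
    ("internet", "security-server", "tcp", 4172),
    ("internet", "security-server", "udp", 4172),
    ("security-server", "desktops", "tcp", 4172),
    ("security-server", "desktops", "udp", 4172),
    ("security-server", "desktops", "tcp", 3389),
    ("security-server", "desktops", "tcp", 32111),
]


def missing_flows(allowed):
    """Return the required flows that are absent from the allowed flow list."""
    allowed_set = set(allowed)
    return [flow for flow in REQUIRED_FLOWS if flow not in allowed_set]


# Matches the error quoted in the thread; the IP and port are captured.
ALLOC_RE = re.compile(
    r"Failed to allocate outbound connection to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_allocation_error(line):
    """Pull destination IP, port and service name out of a security server log line."""
    match = ALLOC_RE.search(line)
    if match is None:
        return None
    port = int(match["port"])
    return {
        "ip": str(ipaddress.ip_address(match["ip"])),
        "port": port,
        "service": SERVICES.get(("tcp", port), "unknown"),
    }


def is_reachable(ip, reachable_nets):
    """True if ip lies in one of the subnets the security server can talk to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in reachable_nets)


def triage(line, reachable_nets):
    """Explain a failed-connection line: which service, and is the target reachable."""
    info = parse_allocation_error(line)
    if info is not None:
        info["reachable"] = is_reachable(info["ip"], reachable_nets)
    return info


def render_asa_acl(flows, acl_name, addresses):
    """Render flows as Cisco ASA extended ACL lines; zone -> address token mapping is assumed."""
    return [
        f"access-list {acl_name} extended permit {proto} "
        f"{addresses[src]} {addresses[dst]} eq {port}"
        for src, dst, proto, port in flows
    ]


# Constructed sample input (the thread only gives 10.128.48.x).
SAMPLE_LOG_LINE = "Failed to allocate outbound connection to 10.128.48.25:32111"
SECURITY_SERVER_CAN_REACH = ["10.127.0.0/16"]  # the DMZ subnet from the thread

# Constructed ruleset that is missing two of the desktop-bound flows.
SAMPLE_ALLOWED = [f for f in REQUIRED_FLOWS if f not in {
    ("security-server", "desktops", "udp", 4172),
    ("security-server", "desktops", "tcp", 3389),
}]

# Placeholder ASA address tokens; the real ones come from the network team.
SAMPLE_ADDRESSES = {
    "internet": "any",
    "security-server": "host 10.127.0.10",
    "desktops": "10.128.48.0 255.255.255.0",
}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG_LINE, SECURITY_SERVER_CAN_REACH))
    gaps = missing_flows(SAMPLE_ALLOWED)
    for flow in gaps:
        print("missing:", flow)
    for line in render_asa_acl(gaps, "DMZ_IN", SAMPLE_ADDRESSES):
        print(line)
```

Run against the constructed log line, `triage` reports the 32111 target as USB redirection and not reachable from the 10.127.x.x DMZ subnet, which is the situation described in the thread: the desktop-bound flows have to be permitted through to the desktop subnet itself, not just to the DMZ.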