VMware Horizon Community
mobcdi
Enthusiast

Troubleshooting Security Server to Connection Server 4.01

Hi all,

I'm trying to narrow down communication problems between my security server (SC) and my internal connection server (CS). Other than running the Generate View Connection Server log bundle, what other tools would help narrow down the problem?

I think my connection is getting as far as the DMZ gateway but would like to be able to go to my network people with more than ping & tracert outputs

Any suggestions/ pointers welcome

0 Kudos
25 Replies
PCoIPinsider
Enthusiast

>Krowczynski wrote:

>Ok, at first you must know that PCoIP isn't supported over WAN.

Just to clarify, PCoIP is not currently supported with Security Server.

PCoIP works just fine on WAN via VPN.

-Ian

0 Kudos
admin
Immortal

And support on the WAN, using a VPN. I work from my VM across the WAN all day every day :)

WP

0 Kudos
krowczynski
Virtuoso

For sure, with VPN no problems, but we were talking about connection from outside through the DMZ.

MCP, VCP

MCP, VCP3 , VCP4
0 Kudos
mobcdi
Enthusiast

I think my problem has been closed, as the network team say that the RDP port is not permitted by their firewalls between the security server and the VM desktops, so that would prevent using the View client to RDP to the VMs unless the rules are changed.

But that got me thinking: if RDP communication goes from the View client -> connection server, then -> security server, and finally -> to the VM desktop, why am I able to connect from the inside network using PCoIP?

Or have I got the communication flow all wrong?

0 Kudos
admin
Immortal

You kind of have the communication flow wrong. There also have been some posts related to this that have incorrect info that make this a little confusing.

A connection server and security server (SS) are one and the same. A connection server has the tunnel component or security server capability built in. When you deploy the security server in the DMZ you are deploying a connection server, minus the data store and some other components. Because you do not want to put your config data in the DMZ, it is stripped down. The SS then works with its connection server peers to securely get connection information that is passed to the client.

In a LAN deployment when direct connect is off (not checked):

This enables the SS or tunnel component of a connection server. In this case all connections besides PCoIP connections are tunneled through the connection server. Because the SS or tunnel component does not currently support PCoIP, PCoIP connections are established directly from the client to the virtual desktop, bypassing the connection server. When this setting is off (direct connect disabled) and you have both RDP and PCoIP connections, the RDP connections are still tunneled through the connection server.

This is the default deployment option unless changed. It should be noted that there are also some client implementations, clients that are implemented using our Client API and not the full View client. These often do not implement the tunnel support and also connect directly like we do with PCoIP.

In a LAN deployment when direct connect is on (checked):

This disables the SS or tunnel component of a connection server. In this case, all connections are established directly from the client to the virtual desktop, bypassing the connection server. If this setting is on and you have both RDP and PCoIP connections, both bypass the connection server and connect directly from the client to the virtual desktop.

Deploying a SS in a DMZ:

In this case the tunnel part is deployed in a DMZ. When clients connect, the SS securely gets the connection information for the client from the connection server inside the trusted network using AJP. So ports from the SS to the connection server need to be allowed. Once the client goes to establish an RDP session, the SS acts as a proxy or tunnel. All connections are tunneled through the SS to the virtual desktops. So, you need 3389 open from the SS to the virtual desktops. Connections are not from the client to the SS, then to the connection server, and finally to the virtual desktop.

http://www.vmware.com/pdf/view40_architecture_planning.pdf

WP

0 Kudos
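
The two firewall paths named in the post above (AJP from the security server to the connection server, and 3389 from the security server to the virtual desktops) can be checked directly from the security server. This PowerShell function is an added example, not part of the original thread or of VMware's tooling; the host names are placeholders, and port 8009 for AJP is an assumption (the conventional AJP13 port), since the post only says "AJP".

```powershell
# Added example. Run ON the security server in the DMZ.
# Uses TcpClient so it also works on older PowerShell versions.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = 'Unknown'
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN-ACK nor RST came back: typical of a firewall drop rule.
            $result = 'Timeout (no answer, likely filtered)'
        } else {
            try {
                $client.EndConnect($async)   # throws if the connect failed
                $result = 'Open'
            } catch {
                $inner = $_.Exception.GetBaseException()
                if ($inner -is [System.Net.Sockets.SocketException]) {
                    # e.g. ConnectionRefused: host answered, nothing listening or a reject rule
                    $result = "Failed: $($inner.SocketErrorCode)"
                } else {
                    $result = "Failed: $($inner.Message)"
                }
            }
        }
    } catch {
        # Name resolution or other errors raised before the connect started
        $result = "Error: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{
        Target = $TargetHost; Port = $Port; Result = $result
    } | Select-Object Target, Port, Result
}

# Placeholder targets: replace with your connection server and one desktop VM.
$checks = @(
    @{ Target = 'cs01.example.internal';      Port = 8009 },  # AJP (assumed port)
    @{ Target = 'desktop01.example.internal'; Port = 3389 }   # RDP, from the post
)
$checks | ForEach-Object { Test-TcpPort -TargetHost $_.Target -Port $_.Port } |
    Format-Table -AutoSize
```

A timeout and a refused connection point to different things, so the output gives the network team more to work with than ping or tracert results.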
jusrr
Contributor

Hi Warren,

Great explanation. Can you clarify a few things in relation to how the External URL works in relation to the Sec and Connection servers?

In a DMZ setup the View Client makes 2 separate connections to the SS: one for authentication and desktop selection, and then one to initiate the actual SSL tunnel. The Admin guide states that the first connection is initiated by the URL entered by the user in the View client. Then, after authentication and desktop selection, the SS returns the external IP or hostname for the SS to initiate the tunnel connection.

Wouldn't the IP or hostname be the same as the URL entered by the user in the View Client?

Is there a configuration where the URL entered by the user to reach the SS would not be the same URL returned by the SS? How would this be set up?

Am I completely wrong and the SS is returning something else?

Also, if I am using only a Con Server for internal users only, do I have to configure the External URL setting for my internal users as well?

Thx

J

0 Kudos