VMware Horizon Community
joshopper (Hot Shot)

Tunneling traffic through the Access Point

In the JSON settings of the Access Points I have "tunnelenabled": true;

And on the associated Connection servers the Access Point config guide recommends not enabling tunneling.

The end result is that traffic is passing through the Access Point and not passing through the Connection Server. The customer wants to keep the absolute minimum of open ports between objects, so I want to tunnel the traffic from the Access Points through the Connection Server and then on to the internal virtual and physical machines that have the View Agent installed. Even when I check the tunneling options on the Connection Server, it still appears as though traffic is bypassing the connection broker and going straight to the agents.


What configuration change do I need to make to have all traffic pass through both the Access points and associated Connection Servers?


Thanks in advance for any assistance or suggestions -


J

joshopper (Hot Shot)

So it appears as though, on the connection brokers, if I select the checkboxes to tunnel the traffic it is working for PCoIP but failing for RDP. Usually I wouldn't make a fuss over this, but they are considering using the View Agent installed on physical desktops and don't want to purchase the physical hardware to use PCoIP. So, two possible solutions: is there a way to use PCoIP to physical desktops without purchasing hardware? Or is there a configuration change somewhere I can make to successfully tunnel RDP traffic through the Access Point and the Connection Broker?

Thoughts?

markbenson (VMware Employee)

Access Point is the same as Security Server in this respect. When the Horizon Secure Tunnel is enabled on Access Point (or Security Server), the tunneled traffic goes between the Horizon Client and Access Point, and the tunneled protocols (RDP, the Framework channel for USB redirect, etc.) then go from Access Point to the virtual desktop (or RDS Host). There is no need to direct that traffic via Connection Server.

In terms of firewall rules, the only traffic that should be allowed into the green zone (via a firewall between DMZ and green zone) is traffic from the Access Point appliances themselves, and this can be limited to the small number of ports required. The ports are 443, 4172 (TCP and UDP), 3389 for RDP, 32111 for Framework channel and 22443 for Blast. Obviously you just allow the ports you need, and *only* from the Access Point appliances. This gives you the assurance that the desktop traffic for these protocols to the virtual desktops is traffic on behalf of an authenticated user and *only* to resources that the user is actually entitled to.

Mark 
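The "only the required ports, only from the Access Point appliances" policy in the reply above can be checked mechanically. The following is an added example, not code from the thread or from VMware: it assumes a simple rule model (source CIDR, transport, port) exported from the DMZ-to-green-zone firewall and uses the port list Mark gives to flag over-broad sources, ports that are open but not needed for the protocols in use, and needed ports that no rule covers.

```python
import ipaddress

# Protocol -> (transport, port) pairs for Access Point -> desktop traffic,
# taken from the port list in the reply above.
HORIZON_PORTS = {
    "tunnel": {("tcp", 443)},
    "pcoip": {("tcp", 4172), ("udp", 4172)},
    "rdp": {("tcp", 3389)},
    "framework": {("tcp", 32111)},
    "blast": {("tcp", 22443)},
}

def audit_green_zone_rules(rules, access_points, protocols_in_use):
    """Audit allow rules on the DMZ -> green-zone firewall.

    rules: list of dicts {"src": host or CIDR, "proto": "tcp"/"udp", "port": int}
    access_points: Access Point appliance IPs (strings)
    protocols_in_use: subset of HORIZON_PORTS keys this deployment actually uses
    Returns a sorted list of findings; an empty list means the rule set matches
    the "required ports only, from the Access Point appliances only" policy.
    """
    aps = {ipaddress.ip_address(a) for a in access_points}
    needed = set().union(*(HORIZON_PORTS[p] for p in protocols_in_use))
    findings, covered = [], set()
    for r in rules:
        net = ipaddress.ip_network(r["src"], strict=False)
        key = (r["proto"].lower(), int(r["port"]))
        # A source wider than one host, or a host that is not an Access Point,
        # lets other DMZ systems reach the desktop subnet on that port.
        if net.num_addresses != 1 or net.network_address not in aps:
            findings.append(f"{r['src']} {key[0]}/{key[1]}: source is not an Access Point appliance")
        if key not in needed:
            findings.append(f"{r['src']} {key[0]}/{key[1]}: port not required for the protocols in use")
        else:
            covered.add(key)   # port reachable from at least one Access Point
    for key in sorted(needed - covered):
        findings.append(f"missing allow rule for {key[0]}/{key[1]} from the Access Points")
    return sorted(findings)

# Constructed sample: two Access Points in the DMZ; PCoIP and Blast in use.
SAMPLE_APS = ["10.0.1.10", "10.0.1.11"]
SAMPLE_RULES = [
    {"src": "10.0.1.10", "proto": "tcp", "port": 4172},
    {"src": "10.0.1.10", "proto": "udp", "port": 4172},
    {"src": "10.0.1.11", "proto": "tcp", "port": 4172},
    {"src": "10.0.1.11", "proto": "udp", "port": 4172},
    {"src": "10.0.1.0/24", "proto": "tcp", "port": 22443},  # whole DMZ: too broad
    {"src": "10.0.1.10", "proto": "tcp", "port": 3389},     # RDP not in use here
]

if __name__ == "__main__":
    for finding in audit_green_zone_rules(SAMPLE_RULES, SAMPLE_APS, {"pcoip", "blast"}):
        print(finding)
```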

joshopper (Hot Shot)

Yes, typically the traffic is only from the Access Point to the end point, whether that be RDS or the virtual desktop. However, you can tunnel it through the Connection Server by enabling tunneling on the internal Connection Server as well. This is currently working for PCoIP but is not working for RDP, and now I am testing Blast. The "need" part comes from my customer: they do not want to open the ports from the Access Point to the virtual desktop subnet; they only want to open the ports from the Access Point to the Connection Broker.

The question at hand being if this works for PCoIP why not for the other two protocols?

joshopper (Hot Shot)

FYI, the official answer from VMware is that this configuration is not supported with Access Points. So I switched back to the supported configuration, and now I cannot get Blast to work through the Access Point, where it was operational before. PCoIP is still working. I have downloaded the logs and sent them in to support, but if anyone has any thoughts on this, let me know:

Steps I have already taken:

1.) Made sure the checkboxes for tunneling were unchecked on the Connection Servers
2.) Rebooted both Access Points and Connection Servers
3.) Checked and double-checked firewall traffic (there is no sign of 22443 between the Access Point and the end points)

joshopper (Hot Shot), accepted solution

After a lot of trial and error we narrowed it down to the certificates that we had created for the Access Points. The HTML5 Blast gateway did not like having Subject Alternative Names in the cert. Once we gave them a cert that only had the URL and not the SAN (Subject Alternative Names) with the actual Access Point server names, Blast started working again.
