pda123
Contributor

VDM Client over the Internet

Hi.

I am wondering if anyone can give me a hint on this.

I am currently testing VDI. Everything works extremely well in the internal network, but not from the Internet.

The VDM Client asks for the initial credentials and then stays a long time on "authenticating...".

Then it finally says "The VDM Server authentication failed. A secure connection to the VDM Server cannot be established. Initialization failed."

Tried the web client as well, but that one just hangs the browser after the authentication screen.

Here are a few notes regarding the environment and the tests I've made:

  • The connection is going through an ISA Server 2006 with an SSL certificate.

  • The VDM Server fqdn is the same in the internal and external DNS (also tried different ones)

  • Tried all combinations in the external address field (internal ip, external ip, fqdn, port 80, port 443)

  • Configured the locked.properties with the protocol, ip address, and certificate information (and tried variations in these)

  • Already tried HTTP and HTTPS and the symptoms are the same.

  • I enabled debugging on the clients, but cannot see real errors there.

  • When I am trying to connect, the VDM Server says that the user is connected, but logs a message a few moments later saying that it was disconnected.

  • If I establish a VPN connection I can get it to work (of course, I am in the LAN)

  • Cannot see any errors reported in the ISA Server logs too.

The only way I got it to go from the "authenticating..." message to the next screen where you choose the DesktopVM was by enabling direct access to the VM (then it fails to connect to the desktop - ok).

I don't want this option because I am not planning to open the traffic from the internet directly to the desktops.

Connection layout:

Client in the Internet --> ISA Server 2006 (Publishing the VDM Server in the LAN - NAT) --> VDM Server (in the local network as the VirtualCenter Server)

Thanks, PDA.

0 Kudos
10 Replies
jpvlsmv
Contributor

I'm having a similar problem, except using a different technology stack.

For security policy reasons, I can not allow TCP connections from the DMZ-hosted VDM system (the security server) to the virtual desktops' RDP port (3389).

So what I need to set up is a server in the DMZ that simply passes the SSL traffic through to the LAN-based VDM server. Since I'm more of a Unix guy, I've been trying to use Apache as a reverse proxy (and SSL termination) but when that didn't work, I read suggestions that the Squid HTTP cache server might work better as the reverse proxy/SSL terminator.

Unfortunately, so far it hasn't.

Has anyone been successful at getting a separate SSL box to work between the VDM client and the HTTPS port on a VDM Security server?

--Joe

0 Kudos
TomHowarth
Leadership

Thread moved to the product-specific VDM forum.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
pda123
Contributor

Some more info to add to what I said earlier.

I found that after the VDM Client authenticates, there is a disconnection error reported in the logs.

These appear to be the main lines:

  <SessionHandler> hasSessionLostContact()
  Tunnel IO problem: java.io.IOException: Broken pipe
  Tunnel reported as disconnecte
  user disconnected from the VDM Secure Gateway

I attached a .txt file with the log messages after the user login. Any clue of what may be happening?

0 Kudos
pda123
Contributor

The problem was fixed by changing the publishing rule in the ISA 2006 Firewall to a non-web server publishing rule (simple nat).

Regards, PDA.

0 Kudos
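
Added example, not part of the thread: a minimal layer-4 relay of the kind a non-web server publishing rule (simple NAT) amounts to, which copies bytes in both directions without terminating SSL or parsing HTTP, so the client's session reaches the internal server unchanged. The loopback addresses, the echo backend standing in for the internal server, and all function names are assumptions made for illustration.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until src closes; never parse or rewrite them."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the half-close along
        except OSError:
            pass

def _handle(client, backend_addr):
    """Relay one client connection to the backend in both directions."""
    with client, socket.create_connection(backend_addr) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def _serve(lsock, handler, *args):
    """Accept connections on lsock forever, one daemon thread per connection."""
    def loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def _echo(conn):
    """Constructed stand-in for the internal server: echoes what it receives."""
    with conn:
        _pump(conn, conn)

def roundtrip(payload):
    """Send payload through the relay to the echo backend; return the reply."""
    backend = socket.create_server(("127.0.0.1", 0))
    relay = socket.create_server(("127.0.0.1", 0))
    _serve(backend, _echo)
    _serve(relay, _handle, backend.getsockname())
    reply = b""
    with socket.create_connection(relay.getsockname()) as c:
        c.sendall(payload)
        while len(reply) < len(payload) and (data := c.recv(4096)):
            reply += data
    return reply
```

Because the relay never decrypts, the device in the middle cannot inspect or filter the stream; the SSL endpoints are the client and the internal server.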
rich_s
Contributor

I am having exactly the same problems. How did you set up your publishing rule for ISA? I have tried a non-web server rule but to no avail.

Cheers

0 Kudos
SnosurfurCO
Contributor

I am having the same problem. I also tried to publish the VDM Security server as a non web-server-publishing rule.

I have the ability to plug my laptop in and give it a DMZ address (same subnet as VDM Security Server). I have no problems connecting using either the web or client interface. It definitely seems to be something with ISA2006 and the way that server is published to the outside. Maybe it is my NAT rules. Anyone care to brainstorm?

0 Kudos
Raresh
Contributor

Hi,

I tried both web publishing rules and server rules, but they both provide the same output. The page freezes when it is attempting the second connection to the View Server. Could you please share your rule configuration? Thanks.

Raresh

0 Kudos
revjvegas
Contributor

Anyone get a resolve for this?

I'm having exact same challenge.

0 Kudos
jusrr
Contributor

Would anybody care to detail how they were able to successfully use an ISA server with View Client? I am new to ISA 2006 and can not use the SS in my environment.

J

0 Kudos
GaryHanson
Contributor

"Anyone get a resolve for this?

I'm having exact same challenge."

_______________________________________________

I've just started working with this and assume I will have the same issue.

0 Kudos