VMware Horizon Community
RTE
Contributor

VMware Blast within VMware Horizon View 5.3(1) through port 443 instead of port 8443 because of security policy within the Financial Services segment

Still, I would like to know if there's a decent way to configure the HTML5 access (Blast) on port 443 instead of port 8443, because our customers in the finance branch are highly secured and there's no possibility to use port 8443 for connections from outside to our clients' Horizon View solution?

- I figured out there are some 'solutions' with a sort of reverse proxy configuration, but they won't work (tried pfSense, IIS7, TMG reverse proxy, all with URL rewrite methods).

There is very little information from VMware explaining the process of this Blast 'reverse proxy' service, where it should be possible to run a secondary Security Server for the use of the VMware Blast service on port 443. VMware does describe this 'problem' but only gives the solution of changing port 8443 to e.g. 9443, which isn't an option in this particular case.

Maybe someone out here knows better (I hope......) and has some explanations?

Thanks in advance!!

5 Replies
RabbiX
Contributor

It is definitely possible to do with the right reverse proxies, since I have been doing it for a while now. I am using an F5 LTM now, and it is fairly simple with that solution. I have also done it successfully with NGINX set up as the reverse proxy.

Getting into the actual proxy server setup would be kind of involved, but basically to give you an idea of the actual view configuration:

Connection Server settings as an example (you may want a Connection Server that is configured only for this department):

HTTPS Secure Tunnel (enabled)

External URL: https://view.yourdomain.com:443

Blast Secure Gateway (enabled)

Blast External URL: https://blast.yourdomain.com:443

You should have A records in DNS that point these URLs to your reverse proxy server. Then the reverse proxy listens only on 443 and terminates the SSL session. It passes the "view" URL to the internal Connection Server over 443, while passing the "blast" URL to the Connection Server over TCP 8443.

When I did this with NGINX, it broke PCoIP using the View client (another reason to use a separate Connection Server).

Something to keep in mind is that the actual Blast connection uses a protocol called WSS (Secure WebSockets), and I think this is where a lot of other reverse proxies fail, since they seem not to handle that protocol correctly. The newer version of NGINX can, though.

With the F5 LTM, this is very trivial, and everything basically just works perfectly, even PCoIP.

The link below shows you the applicable lines needed in the config for the secure WebSocket protocol if you want to try to get this working through NGINX:

WebSocket proxying

markbenson
VMware Employee

You can also do it with simple port mapping. Use a different IP address/FQDN on the outside and map 443 on this address to 8443 on your Security Server. You can do this mapping on a firewall/NAT (PNAT) device. Your Blast External URL will use this new FQDN with port 443, and then your firewall just needs to let 443 in.

Mark

globoudou
Contributor

Trying to "hide" Blast and the portal under the same URL/port, I tested this configuration with success, based on the last post and the nginx doc: WebSocket proxying

# VMware View nginx reverse proxy configuration
# nginx >= 1.3.13 (tested with 1.6.2)
# Front end for both the access portal and Blast servers under the same URL/port
##########

# Upgrade the connection only when the client requests it
##########
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name blast.domain.public;
    ssl on;
    ssl_certificate     /etc/ssl/certs/blast.domain.public.crt;
    ssl_certificate_key /etc/ssl/private/blast.domain.public.key;

    # Reverse proxy for the VMware View Blast service (WebSocket)
    # Upgraded connections and Blast resources seem to live under /r
    ##########
    location /r {
        proxy_pass https://blast.domain.local:8443/r;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Reverse proxy for the VMware View portal
    ##########
    location / {
        proxy_pass https://blast.domain.local;
    }
}

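An added check, not posted by anyone in this thread, for the WebSocket point raised above: it sends the HTTP Upgrade that a WSS client issues to the external 443 listener and reports whether the proxy passed it through (a 101 with upgrade headers) or answered it itself, which is the failure mode described for proxies that do not handle WSS. The /r path is taken from the nginx configuration above; host names are placeholders.

```python
"""Check whether a reverse proxy on 443 forwards a Blast WebSocket upgrade.
Offline-testable builder/parser plus a live probe. Host names are placeholders."""
import base64
import os
import socket
import ssl

BLAST_PATH = "/r"  # assumption: the path the nginx post forwards to :8443

def build_upgrade_request(host, path=BLAST_PATH, key=None):
    """Build the HTTP/1.1 Upgrade request a WebSocket client sends first."""
    key = key or base64.b64encode(os.urandom(16)).decode()
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}",
             "Sec-WebSocket-Version: 13", "", ""]
    return "\r\n".join(lines).encode()

def parse_upgrade_response(raw):
    """Return (status_code, lower-cased header dict) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def upgrade_was_proxied(raw):
    """True only if the reply is a 101 carrying the websocket upgrade headers;
    a proxy that does not understand WSS typically answers with a 4xx/5xx."""
    status, headers = parse_upgrade_response(raw)
    return (status == 101
            and headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())

def probe(host, port=443, timeout=5):
    """Live check: TLS to the external 443 listener, send the upgrade, judge reply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host))
            return upgrade_was_proxied(tls.recv(4096))

# Constructed sample replies: a proxy that passed the upgrade through, and one
# that answered the request itself instead of forwarding it to :8443.
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Accept: placeholder\r\n\r\n")
BAD = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
```

Run probe("blast.yourdomain.com") against the external name from a client network; a False result means the proxy is swallowing the upgrade rather than passing it to the Blast Secure Gateway.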
markbenson
VMware Employee

Thanks for posting this. Although this NGINX setup may be OK for a lab test environment, it is not a VMware-supported method for a production environment with either View Connection Server or Security Server. View broker traffic, tunnel traffic, Blast traffic, SSL client certificate negotiation, etc. could be adversely affected by using such a configuration.

VMware supports Blast on 8443 (or another non-443 port), or the port mapping technique described in my earlier reply for doing this all on 443.

Mark
