VMware Horizon Community
evlaa1990
Contributor

VMware View - Palo Alto

Hi All,

Sorry, this is more of a network/firewall question; I've posted on the relevant network communities as well. We have a fairly large deployment of VMware Horizon View and we've recently migrated from our old firewalls (Fortigate) to Palo Alto, and since then inbound connections to our View platform at this site have stopped working. The basic inbound connection follows this flow:

External Client --> Palo Alto External --> Palo NAT to VIP on F5 LB --> F5 LB balance traffic to VMware UAGs --> Internal F5 LB --> F5 LB Balance Traffic to VMware Connection servers --> VMware VDI Desktops.

I have done various packet captures and it looks as though traffic is being passed through the load balancers and the return traffic is going back through the load balancers, so the session should still be open on the Palo. When we connect to VDI we are presented with an RSA login prompt, which goes through successfully; the next step is to add the username and password, and this just hangs and then eventually errors out.

Packet captures on the client workstation show that there is two-way communication until the point where the client errors out.

Two things to note here: the ISP where the inbound connections enter is not the default gateway; the default gateway is another firewall (soon to be migrated to the same Palo), so inbound source translation is needed for the return traffic to work. The other is that the VMware UAGs are not in a DMZ; they are on the LAN/server network.

We can see that the connection servers are selecting a VDI desktop but this never gets presented to the user.

Has anyone experienced similar issues or know of a way around this?

1 Reply
fabio1975
Commander

As you have already verified, it seems that there is a communication block after authentication on the Connection Server (the MFA part with RSA works and should be managed by the UAG).

From the info that you have given, it appears that the UAG virtual appliances are in the same network segment as the Connection Servers. Have you tried to remove the balancing of the F5 from the UAG to the Connection Servers? (Maybe by temporarily implementing DNS round robin or pointing to a single Connection Server.)

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

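To act on the reply's suggestion of testing the UAG-to-Connection-Server leg directly, it helps to have one probe that can be run from each vantage point in the flow the poster described (external client, then inside the LAN against a UAG and against a single Connection Server) and that reports how far each hop gets: name resolution, TCP handshake, or TLS handshake. The script below is an added example written for this thread, not something from the thread or from VMware; the hostnames in the hop list are placeholders, and the ports are the Horizon defaults (443 for the tunnel, 4172 for PCoIP, 8443 for Blast), which should be confirmed against the site's own UAG configuration.

```python
"""Hop-by-hop reachability probe for an inbound Horizon path.

Added example, not from the thread. Hostnames below are constructed
placeholders; the ports are the Horizon defaults and are an assumption
about this site.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class HopResult:
    label: str
    host: str
    port: int
    stage: str   # furthest stage attempted: "resolve", "connect", "tls", or "ok"
    ok: bool
    detail: str = ""


def probe_tcp(host: str, port: int, use_tls: bool = True,
              timeout: float = 3.0, label: str = "") -> HopResult:
    """Resolve the name, open a TCP connection and (optionally) complete a TLS
    handshake, stopping at the first stage that fails."""
    # Stage 1: name resolution (a failure here means DNS, not the firewall).
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except OSError as exc:
        return HopResult(label, host, port, "resolve", False, str(exc))

    # Stage 2: TCP handshake. A timeout suggests a drop on the path; an
    # immediate refusal suggests the packet arrived but nothing is listening.
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        return HopResult(label, host, port, "connect", False, f"{addr}: {exc}")

    if not use_tls:
        sock.close()
        return HopResult(label, host, port, "ok", True, addr)

    # Stage 3: TLS handshake with the default trust store. A certificate that
    # is not trusted still proves the TCP path is open, so it is reported as
    # reachable with a note rather than as a failure.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return HopResult(label, host, port, "ok", True,
                             f"{addr}: TLS {tls.version()} established")
    except ssl.SSLCertVerificationError as exc:
        return HopResult(label, host, port, "ok", True,
                         f"{addr}: TLS up, certificate not trusted ({exc.reason})")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return HopResult(label, host, port, "tls", False, f"{addr}: {exc}")


def probe_path(hops: Sequence[Tuple[str, str, int, bool]],
               timeout: float = 3.0) -> List[HopResult]:
    """Probe every (label, host, port, use_tls) hop in order."""
    return [probe_tcp(host, port, use_tls, timeout, label)
            for label, host, port, use_tls in hops]


def first_failure(results: Sequence[HopResult]) -> Optional[HopResult]:
    """Return the first hop that did not complete, or None if all passed."""
    return next((r for r in results if not r.ok), None)


if __name__ == "__main__":
    # Constructed hop list: run it from the outside, then again from the LAN
    # with the UAG and a single Connection Server as targets, and compare.
    HOPS = [
        ("external VIP / tunnel", "view.example.invalid", 443, True),
        ("external VIP / PCoIP", "view.example.invalid", 4172, False),
        ("external VIP / Blast", "view.example.invalid", 8443, True),
        ("UAG direct", "uag01.lan.example.invalid", 443, True),
        ("Connection Server direct", "cs01.lan.example.invalid", 443, True),
    ]
    for r in probe_path(HOPS):
        status = "PASS" if r.ok else f"FAIL at {r.stage}"
        print(f"{r.label:26} {r.host}:{r.port:<5} {status:16} {r.detail}")
    blocked = first_failure(probe_path(HOPS))
    if blocked:
        print(f"\nfirst hop that does not complete: {blocked.label} ({blocked.stage})")
```

A hop that passes from the LAN but fails from outside points at the Palo Alto NAT/policy or the external F5 VIP; a hop that fails only when the internal F5 is in the path, while the single Connection Server passes, narrows it to the balancing leg the reply asks about. The probe only tests connection setup, so a session that opens cleanly and then stalls after login still needs the packet captures the poster already has, taken on both sides of the suspected hop.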