VMware Horizon Community
moto316
Enthusiast

View Security Server remote access with Floating Pools

Have any of you guys deployed or managed a View environment w a Security Server in the DMZ and had users connecting from the outside to linked clone desktops on the internal network? Currently our environment is this:

- Two internal connection servers, one for internal only connections and the second paired with our Security Server in our DMZ

- Palo Alto PA-3020 Firewall with rules to allow external connections being proxied through the security server to our internal desktops

- RSA 2-factor configured for the external connections

The issue is that to get external connections to work we have to explicitly have the IP address or IP range of the VM being connected to in our firewall rule to allow PCoIP traffic to flow from the internal desktop towards our DMZ security server and vice versa. This is fine with persistent full desktops but we're trying to migrate towards linked clones which have dynamic IPs and different users (ones w remote access permissions and ones w no remote access permissions).

I've spoken with Palo Alto and had a couple tickets open w them on getting the user-id function to work in this use case but they were unable to get it to work because the user-ip mapping was not being recognized on the DMZ security server, only on the internal connection server was there an ip-user mapping.

Has anyone gotten remote access to linked clone desktops to work with an enterprise firewall without specifying an IP range in the firewall rule? Our main concern with doing that is that someone could pick up somebody's lost RSA key and use that token to get in and then be able to log into their own desktop/someone else's that they've obtained credentials to.

I suppose you can make a pool exclusively for remote access and use a connection server tag to pin it to the external connection server.
