VMware Horizon Community
TSher
Enthusiast

View v5.0 internal and external users

Hi,

I have an environment set up using View 5 for internal users using PCoIP (approx. 500).  I want to allow some of these users access to a VM from outside the workplace.  Currently I am using 1 Connection Server only.  Can I use this Connection Server to allow internal and external PCoIP / RDP connections, or do I need 2 Connection Servers, one for internal and one for external?  I am just trying to understand how it fits together; I do plan on using a Security Server.  If this has been explained elsewhere then please point me to it, but I have tried searching.

Thanks.


Accepted Solutions
Linjo

It depends on how they access it; in most situations you would need another View Connection Server that is configured for PCoIP tunneling and whose external URL matches whatever your users connect to from the outside.

It's really easy to set up: install another one (choose Replica), point it at the original one, then configure the above settings and you are done.

// Linjo

Best regards, Linjo. Please follow me on twitter: @viewgeek. If you find this information useful, please award points for "correct" or "helpful".

11 Replies
TSher

Hi,

Thank you for your quick response.  I thought it should be done this way but wanted clarification.  All up and running externally.

mlewis70

I've got the same scenario minus the number of users (by far).  We have about 8 that use it, and I want to stay as small as possible with my infrastructure.  Most users will use the VMs when they are at home or traveling, i.e. mainly external users.  I would like to be able to use a couple of VMs internally as well; however, I would like to stay away from a Replica server or Security Server, if possible.  Attached is how I'm currently set up: external FQDN, and then our public IP which is NAT'd to our internal Connection Server.  Of course, the example doesn't have our actual IP scheme, but I'm sure you all already knew that :).

Side note: I've set up in our local DNS a forward lookup zone, external.mydomain.com (from the example), so that our local clients will resolve using our internal IPs and not go out the firewall and back in.

Local connectivity with the pool set to PCoIP gets the black screen.  RDP works fine.  Windows Firewall is disabled per a GPO on all machines, servers and workstations.  Per some documentation I was working with for 4.6, I had opened TCP ports 3389, 4001, 4100, 4172 (TCP/UDP), 8009, 9427, 80, 443, 32111, and there is a static NAT from the inside IP address of the Connection Server to its public IP.

Can't seem to get PCoIP working using a single server.

markbenson

Doing this with a single Connection Server is possible but it will require that your internal and external clients all access the same Connection server using the PCoIP External URL IP address 2.1.3.4.

Assuming that 2.1.3.4 is the internet IP address of the VIP that will route external View client PCoIP to this Connection Server, then it is also required that your internal clients can also use 2.1.3.4 to get to this Connection Server. This won't be optimum as PCoIP will need to go out to the Internet and back in, but it will work if your firewalls don't block it.

If there are any firewall blocks or routing issues with that IP then when you try PCoIP desktop connections you'll just get a black screen for a few seconds and it will disconnect.

It's easier with a Security Server, but still possible with a single Connection Server.

Wireshark may help you to trace where PCoIP is being blocked.

Mark.

mlewis70

Mark,

I had actually opened a case prior to posting this and was told exactly what you laid out.  Also, I was informed that the next release is going to require a Security Server, so since I'm just in testing phase now, I will be throwing up a Win2k8R2 vm for Security Server and I'm sure that will make life a lot easier anyway.

As I understand it, when I use View on the internal network, I will point the client to the "netbios" name, and the PCoIP settings on the Connection Server will point to its internal address, which will remove the complexity of traversing the FW.  Remote clients will point to the Security Server, the PCoIP settings there will point to the public address on the FW, and the NAT'ing will point to the Security Server.

Does that sound about right?

Thanks again.  Your content/postings are spot on!

markbenson

Your second paragraph is exactly right. The use of a Security Server will indeed avoid the need for clients to route outside and back in again for PCoIP. A single Connection Server and correct networking/firewall rules etc. will still work though. The main purpose of a Security Server is to avoid having to expose your virtual desktops to the Internet or having to place the Connection Server in a DMZ.

I didn't understand your comment in the first paragraph ("Also, I was informed that the next release is going to require a Security Server"). That's not true for the next release (or even the one after that).

Mark.

mlewis70

The support engineer I worked with told me the next release was going to change the architecture requirements to require the use of a separate Security Server, which is where that statement came from.  Quite frankly, if I need to hit my VMs from inside my network, I can simply RDP to them using Remote Desktop Connection in Win7.  The majority of use of these VMs, 99.999%, is going to be from outside my network, which is why I was wanting to stay with a single server.  I was told also that the only inbound ports I needed to open were TCP 80, 443, 4172, 32111.  Also, I was informed that I may need to allow UDP 4172 outbound, but we have a Cisco ASA whose last line for outbound traffic is an implied allow-all.

Now I'm questioning the time I spent on the phone today.

Thanks again, Mark.

Mike

markbenson

mlewis70 wrote:

... the next release was going to change the architecture requirements to require the use of a separate Security Server, which is where that statement came from.

Now I'm questioning the time I spent on the phone today.

Thanks again, Mark.

Mike

Perhaps the conversation was at cross-purposes. There is no change regarding the requirements for Security Server. I'm sorry if you've been misled. My statements remain valid for the next release too.

I'll be happy to assist if you need further support on this. What you are doing is perfectly reasonable.

Mark.

mlewis70

Thanks, Mark, I'll definitely take you up on that.  I'm actually at home right now and connected to one of my test VMs, and I had to choose RDP as the connection protocol, as I still get the black screen.  I have made sure that the External URL is set to https://myviewserver.mydomain.com:443, the PCoIP Secure Gateway is set to my external address 1.1.1.1:4172, which is NAT'd to the internal address 10.x.x.x on the Connection Server, and I have opened 80, 443, 4172, 3211 TCP ports on my firewall, and I have a rule right before my last outbound rule to allow UDP port 4172 out.

I appreciate it a ton!

Mike

markbenson

mlewis70 wrote:

... and I have opened 80,443,4172,3211 tcp ports on my firewall and I have a rule right before my last outbound rule to allow udp port 4172 out.

You also need UDP 4172 in.

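The port list Mark has just completed (TCP 80, 443, 4172 and 32111 inbound, UDP 4172 inbound and outbound, for a Connection Server published directly without a Security Server) is easy to check mechanically before testing from the outside. The script below is an added example written for this thread, not VMware tooling or anything the participants posted; the `permit <in|out> <tcp|udp> <port|lo-hi>` rule syntax is a constructed stand-in for whatever the firewall actually exports, and the constructed sample rule set reproduces the state described a few posts up (3211 typed where 32111 was meant, UDP 4172 allowed out but not in).

```python
"""Check a simplified firewall rule list against the ports this thread says a
directly published View Connection Server needs: TCP 80, 443, 4172, 32111 in,
UDP 4172 in and out.  Rule syntax is a constructed stand-in, not Cisco ASA or
any vendor's real syntax (added example, not from the thread or VMware).
"""
from dataclasses import dataclass

# (direction, protocol, port) tuples named in the thread.  UDP 4172 inbound
# is the one whose absence produced the PCoIP black screen.
REQUIRED = {
    ("in", "tcp", 80),
    ("in", "tcp", 443),
    ("in", "tcp", 4172),
    ("in", "tcp", 32111),
    ("in", "udp", 4172),
    ("out", "udp", 4172),
}


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (toward the Connection Server) or "out"
    proto: str      # "tcp" or "udp"
    low: int        # first port of the permitted range
    high: int       # last port of the permitted range (== low for one port)

    def covers(self, direction, proto, port):
        return (self.direction == direction and self.proto == proto
                and self.low <= port <= self.high)


def parse_rules(text):
    """Parse lines of the constructed form 'permit <in|out> <tcp|udp> <port|lo-hi>'.
    Blank lines and '#' comments are skipped; anything else raises, so a
    mistyped line cannot silently drop out of the check."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "permit":
            raise ValueError(f"unrecognised rule: {raw!r}")
        _, direction, proto, ports = parts
        if direction not in ("in", "out") or proto not in ("tcp", "udp"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        low, _, high = ports.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {raw!r}")
        rules.append(Rule(direction, proto, low, high))
    return rules


def audit(rules):
    """Return (missing, unexpected): required tuples that no rule covers, and
    single-port permits that no requirement asks for.  A 3211 typo for 32111
    shows up in both lists, which is how the typo gets noticed."""
    missing = sorted(r for r in REQUIRED
                     if not any(rule.covers(*r) for rule in rules))
    unexpected = sorted(
        (rule.direction, rule.proto, rule.low)
        for rule in rules
        if rule.low == rule.high
        and (rule.direction, rule.proto, rule.low) not in REQUIRED
    )
    return missing, unexpected


# Constructed rule set mirroring the one described in the thread before the
# final fix: TCP in with 3211 typed for 32111, UDP 4172 out but not in.
THREAD_RULES = """
# inbound to the NAT'd Connection Server
permit in tcp 80
permit in tcp 443
permit in tcp 4172
permit in tcp 3211      # typo: should be 32111
# outbound
permit out udp 4172
"""

if __name__ == "__main__":
    missing, unexpected = audit(parse_rules(THREAD_RULES))
    for item in missing:
        print("MISSING    %-3s %s %d" % item)
    for item in unexpected:
        print("UNEXPECTED %-3s %s %d" % item)
```

Run against the sample rule set, the audit reports TCP 32111 and UDP 4172 missing inbound and TCP 3211 as an unexpected permit; adding the two missing rules empties the first list, and the leftover 3211 entry is the least-exposure cleanup to make afterwards.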
mlewis70

Thanks, Mark.  I added UDP 4172 inbound and I am now able to connect using PCoIP from my home PC, my iPad, and even at a public wifi connection from my iPad.  Thanks for all of your input!!

I have one last question for you.  The support engineer I worked with re-installed the agent on the VMs and then they were working internally (they initially were not working internally even though we had the settings for the connectivity using internal naming/IPs).  After we connected he stated that they've seen this behavior a fair amount and that the agent can just crash, so if it is just a couple of VMs that we cannot connect to, just re-install the agent.  Have you seen this to be prevalent?

Thanks again, Mark.

Mike
