VMware Horizon Community
Wardy8124
Enthusiast

Vmview Authentication issues/ View Security Server

Hi all,

I've been racking my brains for a few days now over a problem I've got trying to connect an external client to my test environment View Connection Server. My environment is as follows:

ESX VI 3.5

View Connection Server (VCS) running as a VM guest on a Windows 2003 Enterprise SP2 OS on a test domain with one DC and DNS in a self-contained virtual environment.

In the DMZ there is a View Security Server (VSS) which has got rules for 443 and 80 incoming from the WWW and DMZ - LAN 8009 and 4001 ports open.

The DNS of the VSS points to our DNS servers internally which then forward any test domain requests to the test domain DNS server.

The internal VDI clients work fine and can get their desktops without any problems.

Now the problem I have is that if I try connecting a client externally using the vmview client or https, I get the pre-logon message and the username and password prompt, but as soon as I enter the correct creds in, I get an error "Unable to Authenticate with the view connection server". Having scoured Google for possible remedies, I came across one that told me to enable "direct connections" in the VCS properties located on the VDM. This then enables me to authenticate fine and gives me the test desktop pools I created, but when it attempts to connect it times out anyway.

My thoughts are that either my VSS isn't set up right, my firewall hasn't got all the ports it needs to allow the VDI session to take place or I've got some minor configuration boo boo on the VCS.

Can you confirm that in order to set up a DMZ topology I need to put the IP address of the VSS server in the "External URL" properties on the VDM or the actual IP address which the external client needs to enter in their view connection client?

Any help on this would be gratefully received.

Regards to all

Ward8124

9 Replies
lbourque
Virtuoso

Try opening up port 3389 in the DMZ - LAN internal side. RDP has to go directly to the security server. Although tunneled is used, it bypasses the connection broker to tunnel into the security server. The URL should be the FQDN of the View Connection server, not the View Security Server (which is a proxy server if you will).

Want make a difference in the future of VMware Products? Feature request your ideas ( )!

Wardy8124
Enthusiast

Cheers for the pointers, but have I missed something in that the connection broker is the VCS or the VSS? Or is this another component I need to install, and if so, where? I can't remember seeing it on the install PDFs I've got. I'd also prefer to keep the RDP ports shut for security and not open them up unless absolutely necessary.

lbourque
Virtuoso

The Connection broker is the VCS or View server. The VSS is NOT a connection broker but an HTTPS proxy. You can try it without 3389 open but you will find the desktop won't open. See page 32 of the Admin guide for the diagram (http://www.vmware.com/pdf/viewmanager3_admin_guide.pdf). Look at the left line that connects the VM to the Security server. You can put in a set of rules that go explicitly from/to the SS and the VMs explicitly (see page 34 for firewall rules).

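The firewall layout discussed in this thread, expressed as a rule audit (an added example, not code from any poster or from VMware): it checks a rule set for the flows the posts name (443/80 to the security server, 8009/4001 from it to the connection server, 3389 from it to the desktops) and flags any 3389 rule into the LAN whose source is wider than the security server alone. All addresses and the rule format are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # permitted source (address or CIDR)
    dst: str   # permitted destination (address or CIDR)
    port: int  # TCP destination port

# Constructed addresses for illustration; none come from the thread.
VSS = "192.0.2.10"        # View Security Server in the DMZ
VCS = "10.0.0.20"         # View Connection Server on the LAN
DESKTOPS = "10.0.1.0/24"  # desktop VM subnet
LAN = "10.0.0.0/8"

# Flows named in the thread.
REQUIRED = [
    Rule("0.0.0.0/0", VSS, 443), Rule("0.0.0.0/0", VSS, 80),
    Rule(VSS, VCS, 8009), Rule(VSS, VCS, 4001),
    Rule(VSS, DESKTOPS, 3389),
]

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(rule, flow):
    """True if `rule` permits every packet of `flow`."""
    return (rule.port == flow.port
            and net(flow.src).subnet_of(net(rule.src))
            and net(flow.dst).subnet_of(net(rule.dst)))

def audit(rules):
    """Return (required flows not permitted, RDP rules wider than VSS-only)."""
    missing = [f for f in REQUIRED if not any(covers(r, f) for r in rules)]
    too_broad = [r for r in rules if r.port == 3389
                 and net(r.dst).overlaps(net(LAN)) and net(r.src) != net(VSS)]
    return missing, too_broad

# Constructed rule sets: as first posted, with scoped RDP, with broad RDP.
POSTED = [Rule("0.0.0.0/0", VSS, 443), Rule("0.0.0.0/0", VSS, 80),
          Rule(VSS, VCS, 8009), Rule(VSS, VCS, 4001)]
SCOPED = POSTED + [Rule(VSS, DESKTOPS, 3389)]
BROAD = POSTED + [Rule("192.0.2.0/24", LAN, 3389)]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("scoped", SCOPED), ("broad", BROAD)):
        missing, too_broad = audit(rules)
        print(f"{name}: missing={missing} too_broad={too_broad}")
```
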

Wardy8124
Enthusiast

OK, I will give that a shot. I was looking at the admin guide and it does look as though I need to set the external URL on the VSS by creating a locked.properties file and adding the FQDN of the VSS as well as port and protocol. It also mentions to set the VCS external URL too, which I think needs to be the same external URL as the one in the VSS, otherwise the connection will fail. What do you reckon?

lbourque
Virtuoso

That should do it. :)

IanGibbs
Enthusiast

The "External URL" setting in the CS is not related to the value in locked.properties. locked.properties sets the access URL for DMZ clients, and the External URL setting is for internal clients. As long as those internal clients can resolve the CS's DNS name it shouldn't ever be needed.

WCHAdmin
Contributor

Post deleted due to mistake in posting location.

IanGibbs
Enthusiast

You are right. In both cases the URL should be set to the first thing the client hits.

--- original message ---

From: "WCHAdmin" <communities-emailer@vmware.com>

Subject: New message: "Vmview Authentication issues/ View Security Server"

Date: 4th May 2009

Time: 9:18:17 pm

WCHAdmin
Contributor

Thanks Ian, I reloaded the security server from scratch and was able to get it to work.
