VMware Horizon Community
fafa24
Enthusiast

connection and security server for PCOIP

Dear All,

So far we have been using only the connection server for our View desktops. But now I have installed a security server too, specifically for enabling the PCOIP protocol.

Let me tell you a bit about our configuration.

Connection server:

VM Windows Server 2008 R2, two nics, internal network 10.97.XXX.XXX and external network 192.168.1.4

Security Server:

VM Windows Server 2008 R2, one nic external network only 192.168.1.9

We have version 5 installed for Servers and Desktops.

Please see attached screenshots of the configurations.

Port forwarding for ports 80 and 443 is set to 192.168.1.4. In my opinion it should be changed to 192.168.1.9, but then no client can connect.

I can ping from the connection server the security server and vice versa.

Could you please tell me what is wrong in my setup?

Thanks,

Edy

24 Replies
Linjo
Leadership

You don't actually write what the symptoms are, but I assume that it's not working for clients to connect from the 10.x network.

On what subnet are your vDesktops located?

Are both of these trusted networks? (Since they are both private addresses)

Since PCoIP can only tunnel through one View component, either the security server or the connection server, maybe you don't need a security server...

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
fafa24
Enthusiast

Sorry for not being clear.

The symptoms are that I cannot connect using the PCOIP protocol, and when I have port forwarding for 80 and 443 pointing to 192.168.1.9 I cannot connect from external at all. With port forwarding for 80 and 443 to 192.168.1.4 it works, which the router forwards to the connection server. This makes me think that the security server is not working at all.

I could successfully pair the security server with the connection server.

Thanks,

Edy

kjb007
Immortal

Since you're exposing your connection broker to your public net, the security server is not helping you here. Typically, the design scenario includes the security server with a public and private NIC, and the connection broker paired on the private side that allows the tunnel through the security server.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
admin
Immortal

Fafa, please check this video by Mark Benson: http://communities.vmware.com/docs/DOC-14974

It will help you to understand what to configure. You have to have a second connection server if you want to connect from the outside and the inside, because you pair the security server with a connection server.

dvhorvath
Enthusiast

Looking at your attachments, I would say you've almost got it, but there are a few things that should be changed. First, for the connection server, the External URL field should reflect the DNS name or IP address of the Connection Server as it can be reached by the Security Server, so https://192.168.1.4:443 would work. You could use the hostname instead, as long as that's in DNS and the Security Server can resolve it. The PCoIP External URL should reflect the IP address of the Connection Server, so 192.168.1.4:4172. Second, the port redirection for 80 and 443 should be going to 192.168.1.9, not .4; you're right about that. The External URL should reflect the externally resolvable DNS name or IP address by which the Security Server can be found by external entities, and the PCoIP External URL should be the external IP address from which ports 80 and 443 are being forwarded to the Security Server. If you make those changes, I think you'll have a working setup.

If there are any firewalls between the Security Server and the Connection Server, that will complicate things somewhat, but I think you would have encountered that problem during the installation of the Security Server if you were going to.

Dave

fafa24
Enthusiast

@dvhorvath,

Thank you for your detailed instructions. Unfortunately it did not work, but I believe now there is a communication issue between the security server and connection server. Every time I change port forwarding for 80 and 443 to IP 192.168.1.9 I cannot reach View desktops. I believe this means I cannot reach the connection server, which acts as a broker. Although Windows Firewall is turned off on both the connection and security server, and I can ping each server from the other on the 192.168 network. The security server is not a member of a domain, but as per the instructions in the VMware manual this is fine.

I think next I'm going to remove the paired security server and reinstall the security server again to repair it.

Thanks,

Edy

kjb007
Immortal

You don't need a separate connection server for security server use. But, since you've configured your connection server with an external IP, it's serving a similar function as the security server. With the security server design case, your security server will have the external and internal interfaces, and your connection server has the internal connection only, to allow for the "tunneled" connection.

It should be interesting to see if the security server rebuild will fix your problem.

-KjB

y_wisdom
Contributor

We have a similar situation:

VDI pool on an 11.x.x.x network; everything works fine for all internal users on the 11.x.x.x network connecting via the connection server.

We also have offshore users who are on a 10.x.x.x network with a point-to-point VPN connection; we NAT their 10.x.x.x addresses and users are able to get to 11.x.x.x addresses. Since the VDI pool uses DHCP addresses, NATting does not work. VMware's recommendation was to add a View security server to solve the problem! Any suggestions?

markbenson
VMware Employee

Just set up a replica Connection Server. That way you can optimally support internal and external users accessing the same View environment with PCoIP.

As mentioned above, see http://communities.vmware.com/docs/DOC-14974

Mark

fafa24
Enthusiast

Hello All,

Sorry for not replying in good time. I have had some other priorities.

But I have some good news. The security server is definitely working now and I can connect to the 192.168 network from outside through the security server. I changed the setup a bit: the connection server now has only one NIC, for the internal 10.97 network. The security server has two NICs, for the 192.168 network outside and the 10.97 network inside. The router is configured to forward ports 80, 443 and 4172 to 192.168.1.9, which is the security server.

A side note: in the past I was able to reach the admin page of the connection server from outside. This is no longer possible through the security server. Is this by design?

We are now able to access View desktops from outside with the RDP protocol, but unfortunately not with PCOIP yet. On the 10.97 network we are able to connect to View desktops using the RDP or PCOIP protocol. I have read the link posted above about the 4172 port. This port is open for UDP and TCP on the router/firewall, so I guess now the problem is between the security server and View desktops. Windows Firewall is on for the 192.168 network on the security server, and I noticed the installer for the security server has configured Windows Firewall rules. This makes me believe the port should be okay.

Could it be possible that View desktops block the PCOIP port? Well, I don't think so, because within the 10.97 network we can connect using PCOIP. What else could still block external PCOIP?

I believe I'm almost there.

Thanks,

Edy

markbenson
VMware Employee

fafa24 wrote:

The router is configured to forward ports 80, 443 and 4172 to 192.168.1.9, which is the security server.

You just need to open TCP 443, TCP 4172 and UDP 4172.

fafa24 wrote:

A side note: in the past I was able to reach the admin page of the connection server from outside. This is no longer possible through the security server. Is this by design?

Yes.

fafa24 wrote:

We are now able to access View desktops from outside with the RDP protocol, but unfortunately not with PCOIP yet.

What happens? Do you get a black screen for a few seconds and then it disconnects?

If so, it will be because the PCoIP protocol on TCP 4172 or UDP 4172 is being blocked somewhere along the line, or one of the 3 steps listed in the previous link has not been done or not been done properly.

fafa24 wrote:

This port is open for UDP and TCP on the router/firewall, so I guess now the problem is between the security server and View desktops.

It's possible, but it could be other things too. If the client network blocks UDP 4172 or TCP 4172, for example, then that too will cause a black screen. A black screen will also happen if you get the "PCoIP External URL" wrong or forget to set "Use PCoIP Secure Gateway for PCoIP connections to desktop" on the Connection Server.

Check your settings very carefully.

What is your "PCoIP External URL" set to?

fafa24 wrote:

Could it be possible that View desktops block the PCOIP port? Well, I don't think so, because within the 10.97 network we can connect using PCOIP.

Not in your case. As you suggest, because you are able to access the same virtual desktop using PCoIP from the internal network, you know that it will allow TCP 4172 and UDP 4172 in. The View Agent installer configures this automatically.

fafa24 wrote:

What else could still block external PCOIP?

This is usually caused by one of the 3 setup steps in the above link not being done or not being done properly. If you still get a black screen after re-checking those three things, it'll be time to run Wireshark on the Security Server. Capture a failed attempt. When it works you will see a TCP 4172 connection from the Client and one to the virtual desktop. You will also see UDP 4172 packets in both directions between Client and Security Server, and also between Security Server and View Desktop. If any of these flows are missing, it will cause a black screen, and seeing which one is missing will help you narrow it down.

fafa24 wrote:

I believe I'm almost there.

Thanks,

Edy

I do too. Stick with it and you'll get it working. This certainly all works when it is set up correctly.

Mark

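The capture check Mark describes, written out as an added example (not code from the thread or from VMware): given the packets seen on the Security Server, it reports which of the expected PCoIP 4172 flows are absent and which side of the gateway to look at. 192.168.1.9 and 10.97.254.241 are the Security Server addresses from the thread; the client and desktop addresses, the port numbers other than 4172 and the sample capture are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

PCOIP_PORT = 4172
CLIENT = "203.0.113.10"     # constructed external View Client address
SS_EXT = "192.168.1.9"      # Security Server external NIC (from the thread)
SS_INT = "10.97.254.241"    # Security Server internal NIC (from the thread)
DESKTOP = "10.97.10.20"     # constructed View desktop address

# Flows a working PCoIP session shows on the Security Server:
# TCP from client and to desktop, UDP in both directions on both legs.
EXPECTED_FLOWS = [
    ("TCP client -> security server", CLIENT, SS_EXT, "tcp"),
    ("TCP security server -> desktop", SS_INT, DESKTOP, "tcp"),
    ("UDP client -> security server", CLIENT, SS_EXT, "udp"),
    ("UDP security server -> client", SS_EXT, CLIENT, "udp"),
    ("UDP security server -> desktop", SS_INT, DESKTOP, "udp"),
    ("UDP desktop -> security server", DESKTOP, SS_INT, "udp"),
]

def flow_present(packets, src, dst, proto):
    """True if some packet goes src->dst over proto with 4172 on either end."""
    return any(p.src == src and p.dst == dst and p.proto == proto
               and PCOIP_PORT in (p.sport, p.dport) for p in packets)

def missing_pcoip_flows(packets):
    """Names of the expected flows that never appear in the capture."""
    return [name for name, src, dst, proto in EXPECTED_FLOWS
            if not flow_present(packets, src, dst, proto)]

def diagnose(missing):
    """Point at the side to re-check, using the causes named in the thread."""
    hints = []
    if any("client" in m for m in missing):
        hints.append("external leg: 4172 blocked at router/client network, "
                     "or PCoIP External URL wrong")
    if any("desktop" in m for m in missing):
        hints.append("internal leg: check 'Use PCoIP Secure Gateway for "
                     "PCoIP connections to desktop' on the Connection Server")
    return hints

# Constructed capture of a failing attempt: the gateway never opens the leg
# towards the desktop, which matches a black screen followed by a disconnect.
SAMPLE_CAPTURE = [
    Packet(CLIENT, SS_EXT, "tcp", 51022, 4172),
    Packet(CLIENT, SS_EXT, "udp", 51023, 4172),
    Packet(SS_EXT, CLIENT, "udp", 4172, 51023),
]

if __name__ == "__main__":
    gone = missing_pcoip_flows(SAMPLE_CAPTURE)
    print("missing flows:", gone)
    print("hints:", diagnose(gone))
```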
y_wisdom
Contributor

Thanks, Mark, for your help. I followed your instructional video and was able to add a Security Server, and everything works.

markbenson
VMware Employee

Great. Glad it helped you. Thanks for posting back on this.

Mark

fafa24
Enthusiast

I was not as successful as y_wisdom.

I also followed Mark's video and think that I have everything set up properly, but port 4172 is still not working. The issue is that with PCOIP I can connect and get a blank screen for some seconds and then it disconnects. I guess this is the typical symptom that something blocks 4172.

I need to investigate further. I guess next I will use Wireshark.

This was an update.

Thanks,

Edy

markbenson
VMware Employee

Yes, if it works internally but on remote access you get a PCoIP black screen, then it is because PCoIP is getting blocked somewhere. Follow the 3 setup steps very carefully and it will work. If any of the steps are wrong, you'll get a black screen for a few seconds followed by a disconnect.

Let us know what it was. Thanks.

Mark

fafa24
Enthusiast

Hi,

After a long time I decided to troubleshoot the issues with PCOIP again.

The status is:

- it works internally

- it doesn't work from external, but I guess my troubleshooting did improve the issue. Before, it was connecting and disconnecting in less than 5 seconds. Now I get a blank screen for much longer than 5 seconds, I would say 15 seconds. I attach the View Client log.

So my assumption is that there is a connection timeout, according to the log. Since it works internally, the View Agent doesn't block anything, and most likely the connection server doesn't either.

It could be the connection server, security server or router. I see in the log that it connects to the internal IP address of the security server on Port 4172. Does this mean the router is not the issue? The router forwards Port 4172 to the external address of the security server.

I looked at Windows Firewall on the security server and connection server. VMware inbound rules on both servers were configured for all profiles (Domain, Public and Private), but there are no outbound rules.

Any hints?

Thanks,

Edy

fafa24
Enthusiast

I was hoping someone could look at the log I attached in my previous message. I'm a bit lost as to what is still blocking PCOIP from outside. I even tried to bypass the security server and connected directly from outside. For this I changed the port forwarding of the router to the connection server.

I hope the reason is not that I don't have a signed SSL certificate.

Thanks,

Edy

markbenson
VMware Employee

Check the 3 steps carefully.

What has the IP address 10.97.254.241? From outside, that is the address being used by the client to connect to your Security Server.

Mark

fafa24
Enthusiast

10.97.254.241 is the internal address of the security server. The security server has two NICs. One NIC has the IP address 192.168.1.9. This is the IP address to which the router forwards port 4172. The other NIC has the IP address 10.97.254.241, which is seen in the log.

Should the security server have only one NIC for the external address, and the connection server two NICs for the internal and external addresses to route? Perhaps this is what confuses me.

Thanks,

Edy
