VMware Horizon Community
billdossett
Hot Shot

view security server and firewall problems

I throw myself at everyone's mercy.  After 4 days of trying to get the firewall configured for my security server, still no joy.

Unfortunately, the firewall management is outsourced and I can only ask them to put rules in, but have no way of seeing if they are actually there or anything conflicting.

I have put sniffers on the security server, the connection server the virtual desktop and the client.

What I am seeing is that the client connects and asks for credentials, the credentials are passed to the desktop - if I am logged onto the desktop, I get kicked off.  But I get a blank screen at the client and after about 30 secs, it says it is disconnected.

I can connect to the desktop using HTML, but not the full client.  On the sniffers I see no traffic on port 4172 on any of the boxes.  4172 is open for UDP and TCP on the backend and front firewalls.

Is there anywhere I can look, logs etc., to see what is happening, or not happening in this case?  We have opened the ports for MMR and USB-R.  Basically followed the fine document on vmware pubs for security server in DMZ - but I am pretty much out of ideas on where to look next.

I am using a Mac client to connect to this... it is View 5.3 I think, the latest 5.x release anyway.

If anyone could give me any tips on where to look other than the firewall, or the sequence of the connection so that I can check with the sniffer where it is getting blocked and what is not getting thru, I would HUGELY appreciate it.

Thanks

Bill

Bill Dossett
5 Replies
JackMac4
Enthusiast

Just a hunch, but it sounds to me that if you can access with HTML and not the client that the firewall rules aren't correct and while they are allowing access for tunneled connections, they aren't allowing connections through the SS to the desktops directly.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
billdossett
Hot Shot

That's exactly it - HTML works.  But it seems that PCoIP isn't getting thru.  I'm just wondering where I should look for that starting?  Does the PCoIP connection initiate with the Agent on the VDI?  'cos I have watched with a sniffer there and there doesn't appear to be any UDP or TCP on 4172 on the desktop.  Just thinking if it does initiate at the client, I haven't checked on the client as I am using a Mac - and I just checked with tcpdump and sure enough, I have a few packets on 4172 going out, but nothing coming back... so back to chasing up netops for a dump of the firewall rules.

Bill Dossett
billdossett
Hot Shot

Hmm, now I am confused even more.

The packets I saw going out on 4172 have the destination address of the VDI itself... not the security server...  Is this normal?  Is it traversing via an SSL tunnel?  I thought it would be 4172 to the security server anyway, as I opened that port...  or could I have misconfigured something on the security server?  Thanks for any ideas on what I am doing wrong.

Bill Dossett
JackMac4
Enthusiast
Accepted solution

It depends on if you have tunneling configured. Check your SS and CS settings for tunneling. If you tunnel everything then you should see the traffic go client <-> ss <-> cs <-> agent otherwise it could go client <-> ss <-> agent

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
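One way to turn the sniffer observation into a repeatable check, added here as an example and not code from the thread: given `tcpdump -nn` output taken on the client, classify the 4172 traffic the way Jack's two paths imply (4172 aimed at the security server means PCoIP is tunneled; 4172 aimed at the desktop address means the PCoIP Secure Gateway is off and the desktop is being reached directly; 4172 out to the security server with nothing coming back points at the front firewall). The addresses and capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example: classify PCoIP (port 4172) packets seen by tcpdump on a View client.
# Assumed addresses (constructed, not from the thread):
#   SS_IP      203.0.113.10  security server external address
#   DESKTOP_IP 192.168.10.20 internal VDI desktop
SS_IP=203.0.113.10
DESKTOP_IP=192.168.10.20

# Constructed sample in `tcpdump -nn` format: the client sends 4172 straight
# to the desktop address, the situation described in the thread.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.1.50.53110 > 192.168.10.20.4172: UDP, length 64
12:00:01.000002 IP 10.1.1.50.53110 > 192.168.10.20.4172: UDP, length 64
12:00:01.100000 IP 10.1.1.50.53111 > 192.168.10.20.4172: Flags [S], seq 1, win 65535, length 0'

# classify_pcoip SS_IP DESKTOP_IP < capture
# Prints exactly one of:
#   direct             4172 went to the desktop address: PCoIP Secure Gateway is off
#   tunneled-ok        4172 went to the SS and the SS answered
#   tunneled-no-reply  4172 went to the SS, nothing came back (check the front firewall)
#   none               no 4172 traffic at all
classify_pcoip() {
    awk -v ss="$1" -v vdi="$2" '
        # tcpdump -nn lines look like: <time> IP <src>.<sport> > <dst>.<dport>: ...
        $2 == "IP" && $4 == ">" {
            split($3, s, "."); split($5, d, ".")
            src = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5]
            dst = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
            sub(/:$/, "", dport)                      # strip the trailing colon
            if (dport == "4172" && dst == ss)  to_ss++
            if (dport == "4172" && dst == vdi) to_vdi++
            if (sport == "4172" && src == ss)  from_ss++
        }
        END {
            if (to_vdi > 0)                      print "direct"
            else if (to_ss > 0 && from_ss > 0)   print "tunneled-ok"
            else if (to_ss > 0)                  print "tunneled-no-reply"
            else                                 print "none"
        }'
}

# Run on the constructed sample (replace with: tcpdump -nn -i en0 port 4172 | classify_pcoip ...).
printf '%s\n' "$SAMPLE_CAPTURE" | classify_pcoip "$SS_IP" "$DESKTOP_IP"
```

A "direct" result also flags the exposure Bill raises later in the thread: 4172 is being allowed straight into the VDI network rather than terminated on the security server.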
billdossett
Hot Shot

I feel stupid 😞   I hadn't checked the PCoIP over secure gateway...  but I had done the HTML blast check box.

Though the URL in my HTML is the internal connection server, so no idea how that is working!  Need to play around with that a bit more to fully understand it.

Not sure why anyone would set up a security server and not tunnel the PCoIP over it.... I suppose maybe better performance, but less secure allowing 4172 direct into your VDI network maybe?

Well, thanks for that pointer. I had forgotten all about those settings, and the last time I set this up was like 2 years ago, so I didn't remember that.

Geesh, I can enjoy the weekend!

Bill Dossett