9 Replies Latest reply on Mar 30, 2016 10:57 AM by GaryMclean

    PCoIP Gateway Connection Issues

    KKitzulSEI Lurker

      I am having trouble getting the PCoIP Gateway to work. Everything works fine internally. All the settings seem to be correct. PCoIP Secure Gateway on Security Server is set to the Externalip:4172, and on the connection server "Use PCoIP Secure Gateway connections to machine" is checked, with the PCoIP ExternalURL: InternalipOfConnectionServer:4172

       

      I do not have access to the firewall, but here are the rules the network admin set up for me:

       

      - Anybody external to DMZ security server - TCP 443, TCP 8443, TCP and UDP 4172

       

      - DMZ security server to Internal connection server - TCP 8009, TCP 4001, TCP 4002, UDP 500, ESP

       

       

       

      - DMZ security server to Internal Client VMs VLAN - TCP 3389, TCP 22443, TCP and UDP 4172

       

      - Internal connection server to DMZ security server - UDP 500, ESP

       

      When connecting externally over PCoIP I get "The connection to the remote computer failed". I have spent a lot of time trying to diagnose and troubleshoot but have come up blank.
      Anyone have any ideas?

       

        • 1. Re: PCoIP Gateway Connection Issues
          joshopper Hot Shot

          Firewall rules for DMZ-based Security Servers

           

          • Front-End Firewall Rules

            Source            Destination        Port  Protocol
            Any External IP   Security Server    80    HTTP
            Any External IP   Security Server    443   HTTPS
            Any External IP   Security Server 1  4172  PCoIP (TCP and UDP)


          • Back-End Firewall Rules

            Source             Destination              Port   Protocol
            Security Server    View Transfer Server     80     HTTP
            Security Server    View Transfer Server     443    HTTPS
            Security Server    Connection Server        8009   AJP13
            Security Server    Connection Server        4001   JMS
            Security Server    Connection Server        4002   JMS (Secure)
            Security Server    View Desktop             3389   RDP
            Security Server 1  View Desktop             4172   PCoIP (TCP and UDP)
            Security Server    View Desktop             32111  USB Redirection
            Security Server    Connection Server        500    IPSec (UDP)
            Security Server    Connection Server        4500   NAT-T ISAKMP (UDP)
            Connection Server  Security Server          500    IPSec (UDP)
            Connection Server  Security Server          4500   NAT-T ISAKMP (UDP)
            Security Server 1  Connection Server        4172   PCoIP (TCP and UDP)
            Security Server    Remote Desktop Services  4172   PCoIP (TCP and UDP)
          • 2. Re: PCoIP Gateway Connection Issues
            KKitzulSEI Lurker

            Firewall rules were set up as per this

            Firewall Rules for DMZ-Based Security Servers

            Excluded was port 80, 9427, and 32111.

             

            This one is not listed in the Horizon 6 documentation:

            Security Server 1  Connection Server  4172  PCoIP (TCP and UDP)

             

             

             

            We can see the TCP 4172 traffic between the External Client <---> DMZ Security Server <--> VM running Agent, but it never attempts to switch over to UDP 4172 like it does internally. It just errors out.

            • 3. Re: PCoIP Gateway Connection Issues
              joshopper Hot Shot

              If you are using tunneling, then the PCoIP traffic needs to pass through the internal connection manager; that port needs to be open between the security server and the internal connection broker.

              • 4. Re: PCoIP Gateway Connection Issues
                larsonm Expert
                vExpert

                When using a security server, PCoIP communication occurs directly between the security server and the VDI desktop.  Does your security server have multiple network adapters?  Also, are the secure tunnel settings correct on the security server?

                • 5. Re: PCoIP Gateway Connection Issues
                  KKitzulSEI Lurker

                  I see TCP 4172 traffic between the security server and the connection server both ways; however, it never attempts to switch to UDP.

                  My PCoIP Secure Gateway external URL is set to the externalip:4172 so that is right. I have verified the secure tunnel settings as well.

                   

                  Thanks in advance

                  • 6. Re: PCoIP Gateway Connection Issues
                    whibr Novice

                    I ran into a similar issue after Horizon 6.2.1 upgrade recently.  After upgrading our Windows users to latest Horizon Client, they were then able to successfully connect to their desktops externally (via security server).  Internal access still seemed to work with the older clients, however.  I think it is related to TLS 1.0 being disabled in the newer security server.

                    • 7. Re: PCoIP Gateway Connection Issues
                      markbenson Master
                      VMware Employees

                      I see TCP 4172 traffic between the security server and the connection server both ways

                       

                      That's not correct. The PCoIP flow is from Client > Security Server and then Security Server to Virtual Desktop. PCoIP does not flow from Security Server to Connection Server. Same flow with Access Point in place of Security Server.

                       

                      I would double check this analysis and also the firewall rules to make sure TCP and UDP 4172 are open between Internet and Security Server and also Security Server to any virtual desktop.

                       

                      Blocking UDP 4172 is the most common cause of this error.

                       

                      Mark

                      • 8. Re: PCoIP Gateway Connection Issues
                        BungeBash Novice

                        Read Carl's blog. Like the whole thing. It's good stuff.

                         

                        www.carlstalhood.com/vmware-access-point/

                        • 9. Re: PCoIP Gateway Connection Issues
                          GaryMclean Novice

                          According to the FW rules you have listed, you are missing communication from your DMZ Security server --> Anybody External Clients (INTERNET) 4172 UDP

                           

                          REF: https://kb.vmware.com/kb/1026766

                          • 4172 (TCP/UDP)

                            Used for PCoIP in a VMware View 4.5 and later environment. This port is required for the PCoIP display protocol.
                            The port 4172 UDP must be open in both inbound and outbound directions.
                            The port 4172 TCP must be open in only the inbound direction.