7 Replies Latest reply on Feb 10, 2017 5:12 AM by garymansell

    VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue

    garymansell Novice



      I have a view connection server which we have been using internally that I now want to use externally as well - I would like workers to be able to re-connect to their workplace daytime sessions from home and continue working.


      To this end I have setup an Access Point Server in our DMZ (with the rules to/from the Internet and LAN as per online docs) and can login from an Internet based client as a user OK, but when it tries to initiate the PCOIP session, I just get a black screen and then the connection terminates.


      Firewall Rules:


      Internet to the Access Point machine in DMZ (machine has a 192.x.x.x. address in the DMZ NAT'd to an external RIPE IP)


                443 TCP & UDP

                4172 TCP an UDP (UDP 4172 must be allowed outbound too)


      Access Point machine in the DMZ to internal LAN (view connection server stc-vmconn-01.stc.ricplc.com and view vm's are located on the LAN):


                443 TCP to stc-vmconn-01.stc.ricplc.com

                4172 TCP and UDP to stc-vmconn-01.stc.ricplc.com and UDP 4172 back

                32111 TCP to stc-vmconn-01.stc.ricplc.com


      I am presuming that as I am using Access Point instead of a Security server - there is nothing to add in the Security Servers Tab on the view connection server, is that correct?


      As I am running through the Access Point server in the DMZ and don't want to add routes from all the horizon view agent VM's out to the Internet, I want to tunnel PCOIP via the View Connection server so that all conversations go via the AP and the View Connection server - I think I need to enable and set a PCOIP Secure Gateway <IP Address>:4172 on the View Connection Servers Tab of the Connection Server / Servers page - I am a little unsure as to which IP to set here. Should it be the external Internet IP address of the AP (in which case, it seems to break internal clients from being able to connect when they could before), or should I set it to the internal View Connection Server's IP (in which case internal clients work OK, but externals still get the black screen).


      When running a wireshark trace on the internal View Connection Server, I can see a couple of PCOIP (4172) packets going to/from the remote client on the Internet before the connection is droppped.


      If I look at the debug logs on the external client machine, I see this error, that might be the problem?


      2017-02-08T16:13:54.702Z WARN  (0C44-026C) <NodeManagerWatcher> [vmware-view-usbd] SocketChannel: Unable to connect to


      Now, this is a machine on the Internet, so there is obviously going to be a problem accessing (which is the VDI VM internal IP) as this is non-routable over the Internet - why am I seeing this?


      Any ideas what may be wrong here, cos I am stumped!!





        • 1. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
          pari2k3 Enthusiast
          VMware Employees


          Disable Tunnel and BSG/PSG at View Connection Server settings if the same has been configured with AccessPoint.

          • 2. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
            garymansell Novice

            Hi thanks for getting back to me.


            I was under the impression that I needed to tunnel / use PSG to ensure that the traffic between the client on the Internet and the VM's on the internal LAN went via both the AP in the DMZ and the View Connection Server on the LAN?


            Otherwise there will need to be firewall rules to allow all the individual VM's (with dynamic IP's) access through the internal LAN/DMZ firewall interface, so that there is a path from the VM's to the AP and back out to the client on the Internet.


            Is this not the case? Am I missing something here, can you explain?





            • 3. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
              acmcomputers Enthusiast

              Hi Gary,


              As per the previous post, it is recommended that you disable tunnelling on the Connection Servers (otherwise you're tunnelling internally too, which will mean if you patch the View Connections, you will sever desktop connectivity). You will then need to change your Firewall rules to permit access from the DMZ Access Point appliance to the LAN Subnet hosting the VDI clients on TCP/UDP 4172.


              To do this, replace the following rule you have defined:

              4172 TCP and UDP to stc-vmconn-01.stc.ricplc.com and UDP 4172 back


              4172 TCP and UDP to VDISubnet/XX (replace /XX with whatever the subnet mask is i.e. /23 or /24) and UDP 4172 back


              Hope that helps!





              • 4. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
                garymansell Novice

                OK, thanks both, I will give that a go

                • 5. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
                  markbenson Master
                  VMware Employees

                  Those firewall rules are not quite correct, and on Access Point you need to enable Tunnel, PCoIP gateway and Blast Gateway and set the 3 external URLs correctly.


                  On Access Point:


                  tunnelExternalUrl should be set to https://fqdn:443

                  blastExternalUrl should also be set to https://fqdn:443

                  pcoipExternalUrl should be set to ip_addr:4172


                  fqdn is the fully qualified DNS hostname that a client on the Internet will use to connect to Access Point. It should be resolvable on Internet DNS.

                  ip_addr is the IPv4 address of that fqdn. These values are used by the client to connect respective protocols from client to Access Point.


                  You can make these settings in your .ini file, then you just need to rerun the apdeploy command and all your original settings will also be reapplied. See Using PowerShell to Deploy VMware Unified Access Gateway

                  You can also key them in manually through the admin UI, but then they would be lost next time you rerun apdeploy command.


                  Disable Blast Secure Gateway on Connection Server.


                  For the firewall, your rules are correct from Internet to Access Point. You also need to allow the following from Access Point to your virtual desktops/RDS Hosts: TCP and UDP 4172 (also with UDP reply datagrams out), TCP 32111, TCP 22443. You also need to open TCP 443 from Access Point to your Connection Server (but it sounds like that has already been done).


                  The error "Unable to connect to" is seen because the tunnel is not enabled on Access Point and therefore the client is attempting to connect the framework channel (TCP32111) directly from the client to virtual desktop which will rightly fail.


                  PCoIP is resulting in a black screen either because the PCoIP external URL IP address is wrong in Access Point or because your inner firewall is blocking PCoIP from Access Point to your virtual desktop. Either of these config errors will result in a black screen.


                  Post back when you have it working.



                  • 6. Re: VMware View 7.0.3 and Access Point 2.8 - PCOIP Black Screen issue
                    garymansell Novice

                    That was it - I had completely missed the part where I had to configure the tunneling on the Access Point !!!


                    Once I had done that and disabled the Tunneling and Secure Gateways on the internal View Connection server, I was up and running


                    At least I was until, I started tightening up all the firewall rules that I had been loosening and tweaking in order to try and get it working !!!


                    I think I will be OK now, just need to tweak the rules to get it working securely again