EyKeule
Enthusiast

Access for internal AND external users by means of a single Connection Server?

Hey,

leaving redundancy aside, is it possible to have a single Connection Server that enables internal AND external users to access the virtual resources?

For external access I have a Security Server paired with my Connection Server. This works perfectly if I enable the PCoIP Secure Gateway option on my Connection Server and enter the public IP address of the Security Server.

But with this configuration internal users are not able to connect (enumeration of resources works, but connection fails).

If I disable the PCoIP Secure Gateway option, internal users can access, but not external users via the Security Server.

Any input is appreciated.

Thanks a lot!

5 Replies
mittim12
Immortal

It should be doable. So when connecting internally it seems that AD authentication and pool enumeration work, but then you fail on connecting to the desktop. Does it go through if you switch the protocol to RDP?

The clients have to be able to utilize the IP specified in the PCoIP External URL. Why not use the external assigned IP on the security server side but on the paired (internal) connection broker use the internal IP as the PCoIP external URL?

EyKeule
Enthusiast

Just played with the PCoIP Secure Gateway option a bit more. If the PCoIP Secure Gateway option is enabled and configured with the IP of the Connection Server I can access applications internally as well as externally. If I disable the PCoIP Secure Gateway, only internal access works.

So I can have a single Connection Server for internal and external access, but that means internal connections are channeled through the Connection Server. This is an unnecessary hop for internal clients which can directly access the RDS host and it's also a scalability challenge. Furthermore redundancy becomes much more important, as the Connection Server not only brokers new user requests but handles the whole session. If it dies all users are affected.

So, is there a better configuration?

mpryor
Commander

No, that's the only way you can do it for both internal and external users to share the same connection server - enabling the PSG setting is per CS. If you want the PSG on for external users (and this is pretty much a requirement unless you're using a third-party VPN), but off for internal users, they will have to point to different connection servers and therefore you'll need two.

EyKeule
Enthusiast

Ok, thanks a lot for the clarification.

elgwhoppo
Hot Shot

If you have a security server paired to a connection server, my experience is that the tunnel and gateway options on the connection server must match the security server settings. Hence the need for at least two connection servers to service external and internal traffic.

My preferred minimum config to provide internal direct access and secure external access with redundancy?

  • 4 connection servers (2 internal, 2 paired with security servers)
  • 2 security servers
  • Internal load balancing between 2 internal connection servers
  • External load balancing between 2 external security servers

Keep in mind all the connectivity requirements as well.

VMware KB: Network connectivity requirements for VMware View Manager 4.5 and later

VCDX-Desktop