PaoloV
Contributor
Contributor

How to setup VDI to use it through a Juniper VPN appliance

Hi,

I am trying to use VDI through a Juniper VPN appliance but the connection to my VDM server fails.

Here are the details:

I login into my VPN using a Radius server for authentication.

Once in a Java application starts and create a tunnel to my office network where the VDM server is.

Through the VPN appliance I browse to the VDM Web Access, I login into VDM but at this point VDM fails and cannot create a tunnel. (SSL failed to initalize)

The VDM server connection broker is allowed to route through the VPN appliance

The VDM server has https/http/RDP protocols opened on our firewall that sits between the VPN appliance and the external network.

Is there anything you can think of that can help me with this situation?

VDI works perfectly within my LAN.

Thanks

Paolo

0 Kudos
12 Replies
Jon_Holloway
VMware Employee
VMware Employee

Hi Paulo

What is the exact error message you receive? Are you using VDM Web Access on Windows, Linux or Mac? If on Windows, what does the log report? (under C:\Documents and Settings\All Users\Application Data\VMware\VDM\logs)

Thanks

Jon

0 Kudos
markbenson
VMware Employee
VMware Employee

This happens if your VDM Web Access client (or VDM Client) can't connect to the VDM Connection Server using the servers fully qualified host name. The secure tunnel connection uses that by default to establish the secure HTTPS connection after you log in.

You can override this by setting an External URL on the VDM Connection Server (using VDM Administrator). This is described in th admin guide in the section on "Setting an Externally Resolvable Name on a Connection Server" See http://www.vmware.com/pdf/vdm20_manual.pdf

You might want to set this to the same URL you use to connect from VDM Web Access. Make sure the URL resolves on the internal network too. If you set the external URL you need to restart the service for it to take effect.

The alternative is to ensure your VDM Client can resolve the fully qualified host name of each VDM Connection Server. Test this by pinging your VDM Connection Server's FQHN through your VPN to ensure the routes are open. This connection is made on the standard HTTPS TCP port 443.

We use a similar setup to yours all the time and it works fine.

Mark.

PaoloV
Contributor
Contributor

Hi Jon,

I am using VDM web access on Windows XP with IE6

Here is the error message:

A connection to the VDM Server could not be established.

The SSL initiation failed.

and the log report:

10:18:39,843 INFO Windows Client started as ComServer

10:18:40,671 ERROR Socket: recv FAILED, size read = 16384, size received = 0

10:18:40,687 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

10:18:54,515 INFO VMware Silverstone Windows Client stopped

11:50:59,015 INFO Windows Client started as ComServer

11:50:59,265 ERROR Socket: recv FAILED, size read = 16384, size received = 0

11:50:59,312 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

12:02:44,812 INFO VMware Silverstone Windows Client stopped

12:03:22,750 INFO Windows Client started as ComServer

12:03:22,890 ERROR Socket: recv FAILED, size read = 16384, size received = 0

12:03:22,890 INFO Tunnel Unnamed: Could not start server hfeavdm01, reason: Socket: recv FAILED, size read = 16384, size received = 0

12:03:48,015 INFO VMware Silverstone Windows Client stopped

The VPN appliance is allowing the VDM server to route through port 443, is that the correct port for VDM to create a tunnel?

Regards

0 Kudos
markbenson
VMware Employee
VMware Employee

OK. Doesn't look like an External URL/routing issue then.

Some people have reported needing to modify MTU sizes for the VPN connection for this. I don't know how effective this is for this problem. It does look like a data transfer problem through the VPN. e.g. see some Juniper forum posts on this such as http://forums.juniper.net/jnet/board/message?board.id=SSL_VPN&message.id=333

Mark.

PaoloV
Contributor
Contributor

Hi Mark,

that implies using a public facing IP address.

I though the point of using a VPN was to avoid that

Also with an Internet resolvable address anybody can access it even without the VPN

Paolo

0 Kudos
markbenson
VMware Employee
VMware Employee

If you can ping the internal VDM Connection Server using its fully qualified host name then you won't need to set up an External URL. You only need to do that if you need to use a different hostname from the client. That depends on your routing. Externally resolvable names won't be required in your environment if you are using a VPN which allows full access to the VDM environment and name resolution etc. as though you were internal.

From the logs, it doesn't look like the initial connection failed. It failed while transfering data as part of the SSL negotiation. It looks like a data transfer problem when going through the VPN. This could be an MTU setting problem or it could be something else. It would be useful to compare the logs when going through the VPN with the logs from a direct internal connection to see if you can see a difference. In theory, using the VPN should make no difference but clearly there is an issue here.

Thanks.

Mark.

0 Kudos
PaoloV
Contributor
Contributor

Hi Mark,

I can ping the connection server within the VPN, also did a nslookup and I can resolve the FQDN of the connection server

Here is the log from the internal network connection:

13:14:16,973 INFO Windows Client started as ComServer

13:14:17,645 INFO Tunnel Unnamed: connected to server 'hfeavdm01.hfea.gov.uk', start tunnel protocol

13:14:17,692 INFO Tunnel Unnamed authenticated Ok, set state = running

13:14:22,096 INFO RDP control version = 5.1.2600.2180

I will upgrade the OS on my juniper VPN appliance as the thread you sent me suggest that the newer version resolved the MTU issue

Hopefully that will be it

Thanks

0 Kudos
JohnMNZ
Contributor
Contributor

Hi Mark

Would you mind elaborating on your end to end configuration?

Specifically the Juniper setup and the DNS / host entries required to access a VDM session via Juniper?

We are looking at setting this up.

Thanks

John

0 Kudos
TomHowarth
Leadership
Leadership

Moved to the more appropiate VDM forum

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
juice13
Contributor
Contributor

I have used the Juniper SSL VPN "Network Connect" functionality to provide access to the VDM environment. I couldn't get it working with the regular Web access feature (I think it was having some issues with the ActiveX re-writing), and the Juniper tech suggested that I try Network Connect.

Network Connect sets up a virtual network adapter on your client pc, and then based on the rules you configure, it will open an ssl tunnel to your corporate network via that virtual adapter and IP address. So, my rules specify that http/https traffic destined for my VDM servers IP address should be re-directed over this vitrual adapter tunnel.

Seems to be working well so far. Is a little bit of a pain to setup the first time as you have to assign a range of IP's on your corporate network that can be used for the Virtual Adapter etc.

Regards

0 Kudos
JohnMNZ
Contributor
Contributor

Thanks Juice13.

I also got this running yesterday as a JSAM resource - Juniper Java Secure Application Proxy. This is a POC environment so this may not be the best way, but it works and doesn't require the Network Connect install which can be an issue on non trusted / no admin access machines!

Some details...Juniper Authentication realm was already setup.. Let me know if you'd like more details there.

A.DNS / Hosts - I set up an externally and internally resolvable name eg. vdi.ras.net. This allows the JSAM to advertise the

1. External DNS as a client loopback address vdi.ras.net 127.0.10.1 (refer Step C.6. and D.2 for relevance to you).

2. Internally (set via Hosts on the Juniper) vdi.ras.net resolves to the Internal VDM server ip address.

3. Set these properties on the VDM server in file

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties

clientHost=vdi.ras.net

clientPort=443

clientProtocol=https

4. Restart your VDM server.

B. Create a User Role which has a bookmark to your VDM server

1. URL vdi.ras.net

2. The Juniper must be able to resolve this to the internal name (set via Juniper host entry).

3. Juniper must also have 443 connectivity through your backend firewall to the VDM server.

Test - at this stage you should be able to access and login to the VDM server home page via this Role. (the tunnel wont work until after Step C).

C. Setup the JSAM App resource as per the 'Defining resource profiles: JSAM' in the Juniper help (which i summarise here).

1. Users > Resource Profiles > SAM > Client Applications - New Profile

2. Type = JSAM

3. Application = Custom

4. Servername = vdi.ras.net (I installed a 1 box install so no security server since Juniper does the 2FA etc).

5. Serverport = 443

6. Client Loopback = 127.0.10.1

7. Client Port = dynamic (which ends up being 443 - same as server resource)

8. Select - Allow the JSAM to dynamically select a port.

9. Select - Create an access control policy allowing SAM access to these servers.

D. Assign the JSAM to the User Role which has the Web Bookmark back to your VDM server created in Step B.

Set the JSAM User Role Options - User Roles -> <your-role> -> SAM -> Options ->

1. Select Auto Launch SAM

2. Select Automatic host-mapping this will auto create a host entry (you can bypass this by using the DNS Step A, I have left this here if you don't have external DNS control and wish to test on a machine the user will have access to update the hosts on).

3. Select Auto-close JSAM window on sign out

Basic system flow.

User Browser <443 Front FW> Juniper <443 Back FW> VDM Server.
VDM Client <443> JSAM Loopback <443 Front FW> Juniper <443 Back FW> VDM Server.

1. User Browser hits Juniper Realm and logs in. eg. URL virtualdesktop.ras.net

2. JSAM starts and waits for client to access external DNS name vdi.ras.net on loopback address eg 127.0.10.1

3. User opens bookmark to Internal server vdi.ras.net Juniper resolves internally for this part.

4. User logs in to VDM.

5. VDM Client attempts to establish a tunnel, VDM client uses the external address which JSAM is listening on, JSAM forwards traffic to the internal vdi.ras.net IP - Tunnel connection established.

Hope this helps.. Cheers John.

0 Kudos
juice13
Contributor
Contributor

John,

Great step by step posting there. I'm relateively new to using the SSL VPN, and have not used WSAM/JSAM yet. I agree that the installation of Network Connect is a definate issue.

If I recall correctly, when I looked at the JSAM/WSAM avenue it requires the addition of a digital certificate for the new dns name that you are publishing. I think that is why I didn't look into it further as I didn't want to have to get another cert. I too am at the POC stage with the VDM, and want to use it via the Juniper and avoid the VDM security servers. I'm trying to make the Juniper our single entry point for remote access, and as you mentioned it can use 2 factor authentication as well.

Now that you've provided the details for JSAM I may give it a try.

Thanks

Justin

0 Kudos