Forum Discussion

Zuke_254875
Jun 13, 2016

USB redirect with Horizon View 6.2.2

Recently I upgraded my vCMP guest to 12.1 to support USB redirect with VMware Horizon View (6.2.2). We are unable to get USB redirect working with our APM & LTM.

There's a page on F5 support that instructs you how to configure USB redirect "If Secure Tunnel is enabled". However we are running SSL offload. In the deployment guide on page 6, this is specifically turned off.

    On the General tab, clear the Use secure tunnel connection to desktop check box if selected. 

Is USB redirect a feature unavailable when performing SSL offloading?

10 Replies

  • Hello, I think page 6 of the deployment guide is referring to an LTM deployment only, not APM.

    For APM USB redirection you need to check the box, with the connection server address. If it's an FQDN you need to be sure that APM can resolve it.

    You also need to create a policy to allow USB redirection in the VPE.

    And keep in mind that it only works on Windows, Mac and Linux, no mobile.

    If all that is OK we can move to the next troubleshooting step ;)

     

    • Zuke_254875
      I'm still getting either "USB unavailable" or "USB is not supported" when I sign in to a virtual desktop. Hopefully this will be resolved today, and if so I will let you know where our hangup is.
  • Zuke

    We were able to get this working. A couple notes from my experience. First, the updated deployment guide can be found here: https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf

     

    Next, the location of the VMware View Policy in the VPE is important. It needs to be just before the Advanced Resources Assign, after the AD or LDAP authorization agent. This was incorrect in the previously mentioned guide, which incorrectly stated: "Place the VMware View Policy action ahead of any logon and authentication actions for clients."

     

    What isn't explicitly said is that SSL offloading cannot be used when using APM in place of security servers. This is implied by the fact that secure tunnel needs to be enabled on the VMware connection servers. This was fixed by changing the pool members and applying the server SSL profile.

     

    According to our VMware resource, the important part is the pcoip-default-sni Server Name. The last part was under Access Policy > Application Access > Remote Desktops. On your remote desktop, ensure that Server Side SSL box is checked.

     

  • Could you provide a little more info on your setup, as I'm having issues when not using SSL Offload.

     

    Here's an example of the configuration, starting with the Connection Servers:

     

    • HTTPS: Use Secure Tunnel to Machine - checked / ticked
    • External URL: view.company.com:443 (resolves to F5 VIP)
    • PCoIP: Use PCoIP Secure Gateway (checked / ticked)
    • PCoIP External URL: 10.10.20.1 (F5 VIP)

    On F5:

     

    • Remote Desktops - Server Side SSL (checked / ticked)
    • SSL Bridging Mode: Deployed via iAPP, which includes the following:
    • Client SSL Profile: VDI_client_ssl
    • Server SSL Profile: VDI_server_ssl

    APM: As per your instructions.

     

    When I then try to connect using the View client directly, I receive the error "Tunnel reconnection is not permitted." When trying to use the F5 webtop, I receive the message "Your session could not be established."

     

    I'm sure this is something straightforward, but I'm struggling to see where. Unchecking the secure tunnel / gateway on the CSs fires things straight back into life as expected, only USB redirection doesn't work.

     

    • martek_58308
      Hi guys, same here - we tested and have an issue as well. The message we can see is "could not establish tunnel connection". Q1. Does the certificate on the CS and F5 need to be the same? Q2. Shouldn't External URL: view.company.com:443 (resolves to external IP)? Regards, Marcin
    • Zuke_254875

      I thought I was subscribed to this thread but didn't receive any notifications. Sorry for that.

       

      Alex: Regarding the connection servers, I asked my coworker about how they are set up. Each HTTPS secure tunnel points to the IP address of the connection server it's on. We do not have PCoIP secure gateway enabled, or Blast Secure Gateway. These settings seem counter-intuitive to me, but that's how ours are set up.

       

      Marcin: Q1: The SSL certificate on your F5 does not need to be the same. Go to your Access Policy > Application Access > Remote Desktops. Select your Remote desktop and make sure Server Side SSL is checked. Q2: I assume you're talking about the HTTPS Secure Tunnel field External URL? If so, no. Ours are set up with the IP addresses of the Connection Servers. Like I said above, this doesn't fully make sense to me, but that's how ours are set up.

       

      Hope that helps, and again, sorry for the delay in responding to this thread.

       

  • Hi,

     

    Regarding your issue, Zuke, did you solve it? I'm in exactly the same case, "Tunnel reconnection is not permitted" when Secure Tunnel is enabled on Horizon. Without this option, Remote Desktop works but without USB redirect.

    Deployed with the last iApp "f5.vmware_view.v1.5.0rc1", version 12.1.0.

    I have followed all recommendations on this post and from F5. Tcpdump traffic capture (with ssldump) on client side, SSL handshake on server side, vdi debug, "packet" log on the Remote App and logs on the Horizon client didn't help me to find an interesting clue. Perhaps I missed something.

    Does someone have an idea?

     

    Thanks a lot.

     

    Jérémy.

     

    • Sebastian_Maniak

      Issue has been fixed.

       

      Make sure you use app. Make sure the VMware View Policy has USB redirection enabled.

      PCoIP Secure Gateway disabled: Ensure that PCoIP Secure Gateway is disabled on the VMware Horizon View server.

      Secure Tunnel enabled: To be able to use USB redirection or client drive redirection with a remote desktop, ensure that Secure Tunnel is enabled on the VMware View Horizon server. Also make sure the hostname under VMware View configurations is the FQDN of the specific server.

      Blast Secure Gateway disabled: To be able to launch VMware View sessions from an APM webtop using an HTML5 client, ensure that Blast Secure Gateway is disabled on the VMware Horizon View server.

      Advanced authentication disabled: Ensure that RSA authentication and other advanced authentication types are disabled on the VMware Horizon View server.

      Display a pre-login message disabled: Disable the Display a pre-login message setting on the VMware Horizon View server. This prevents View Connection Server from displaying another login prompt in addition to the APM logon page. Also, if the setting is enabled, remote desktop connections fail to render on the APM webtop for VMware View.

       

      https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-12-1-0/4.htm

       

    • Jeremy_140196

      Hi Sebastian,

       

      I didn't see your answer, thanks a lot. According to F5, the issue may be related to the remote and the local FQDN, which are not the same. Changing the local FQDN requires reinstalling VMware Server (need to verify). So I didn't have the opportunity to try. A few customers had this kind of error and the issue was resolved after the change.

       

      Regards,

       

      Jeremy.