Forum Discussion

veato
Nimbostratus
Oct 04, 2017

Connection Server Options for Horizon View iApp

I have used the iApp to build a VDI solution with the following basic configuration:

  • Yes, deploy APM
  • Yes, support HTML 5 clientless connections
  • SSL bridging
  • One IP defined for untrusted clients
  • A different IP defined for local clients

Of course I've also defined the SSL certificate, pool members, FQDN, etc.

Reading the deployment guide for the View Connection servers (we're not using security servers), under the heading "Modifying your Connection Servers to support HTML 5 clients" it states:

Modify the Connection Servers to remove the Use Secure Tunnel connection to desktop and use Blast Secure Gateway for HTML.

a. From the View Configuration tab, select Servers, and then click Connection Servers.

b. Highlight one of the Connection servers and then click Edit.

c. Modify the HTTP External URL and BLAST External URL to match the URL of your SSL certificates.

d. Clear the check from Use Blast Secure Gateway for HTML access to desktop.

Important: If using a BIG-IP version prior to 12.1 only: Clear the check from Use Secure Tunnel connection to desktop after modifying the External URLs. If using a BIG-IP version 12.1 and later only: you can leave this box checked if necessary (for example, this box must be checked if using USB redirection).

 

If anyone can help, my questions are as follows:

1) Why does it tell you to populate the Blast gateway and external URL fields, only to then clear the checkboxes for their use?

2) When testing from my internal network, why can I only get a successful VDI desktop when the Blast gateway field is ticked, going against what the deployment guide states?

 

1 Reply

Hello

Here are the answers to your questions.

1) The VMware Horizon web server that manages the connection servers looks at that name for proxying connections. Even if you have a wildcard certificate and change that name to something that doesn't fit the wildcard, the proxy errors out. So when the services are running, those fields determine how the connection server will proxy. When using Connection Servers as a Direct Connect, not Tunnel, customers would use specific CN-named certificates such as myconnect.domain.org, and if it was set to server1.domain.local the connection server would actually error out against the cert, providing a bad cert reference to the client. Checking the box, fixing the name, saving it as myconnect.domain.org, then going back and unchecking it allowed it to work appropriately. At least this was what happened a lot when I worked at VMware's GSS (Global Support Solutions) area way back in the day :)

2) So when the boxes are checked on a connection server, that means the connection servers are tunneling all traffic: for HTTPS it's 443, for PCoIP it's 4172 TCP/UDP, for Blast it's 22443 TCP/UDP. Usually when a direct connect fails and a tunnel works, there is a firewall between Client and Agent preventing the 22443 traffic from connecting directly; however, there is a path for the connection servers to get to that subnet. Typically that is the cause of the issue. If you want to get deeper, you could also install the Direct Connect Agent on the VMware Agent to see if you can connect directly to the machine and remove the authentication of the broker from the equation.

Hope that helps.
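The port check the reply describes in point 2, as an added example (not code from the original poster or the reply, and not a VMware or F5 tool): it probes TCP reachability from the client to the Connection Server on 443 and to a desktop agent on 4172 and 22443, then maps the results onto the failure modes above. The hostnames are hypothetical placeholders; the port roles are taken from the reply. Only TCP is probed, since a UDP socket gives no handshake to confirm; the UDP side of 4172 and 22443 still needs a capture or a test from the client.

```python
"""Classify a Horizon direct-connect vs. tunnel failure from TCP port probes.

Added example, not from the original post. Port roles are assumptions taken
from the reply: Connection Server tunnel on 443, PCoIP on 4172 TCP/UDP,
Blast on 22443 TCP/UDP. Only TCP is probed; UDP reachability is not checked.
"""
import socket
from typing import Dict

# Ports named in the reply. The UDP variants of 4172/22443 are not probed here.
PORTS = {
    "tunnel_https": 443,   # client -> Connection Server (tunnel / Blast Secure Gateway)
    "pcoip": 4172,         # client -> agent directly when not tunneled (TCP/UDP)
    "blast": 22443,        # client -> agent directly when not tunneled (TCP/UDP)
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, ports: Dict[str, int], timeout: float = 2.0) -> Dict[str, bool]:
    """Probe each named port on host; returns {name: reachable}."""
    return {name: tcp_reachable(host, port, timeout) for name, port in ports.items()}


def diagnose(to_connection_server: Dict[str, bool], to_agent: Dict[str, bool]) -> str:
    """Map probe results onto the failure modes described in the reply.

    to_connection_server: result of probe(<connection server>, {"tunnel_https": 443})
    to_agent: result of probe(<desktop agent>, {"pcoip": 4172, "blast": 22443})
    """
    cs_ok = to_connection_server.get("tunnel_https", False)
    blast_ok = to_agent.get("blast", False)
    pcoip_ok = to_agent.get("pcoip", False)

    if not cs_ok:
        return "connection server unreachable on 443: the broker/tunnel path itself is broken"
    if not blast_ok:
        # The case in the reply: tunnel works, direct Blast does not, so something
        # between client and agent is dropping 22443 while the Connection Server
        # still has a path to the agent subnet.
        return ("tunnel only: client cannot reach agent on 22443; "
                "keep Blast Secure Gateway checked or open 22443 client->agent")
    if not pcoip_ok:
        return "blast direct ok, pcoip direct blocked: client cannot reach agent on 4172"
    return "direct connect viable: client reaches agent on 22443 and 4172"


if __name__ == "__main__":
    # Hypothetical hostnames; replace with your Connection Server and one desktop agent.
    cs = probe("view-cs.example.internal", {"tunnel_https": PORTS["tunnel_https"]})
    agent = probe("vdi-desktop-01.example.internal",
                  {"pcoip": PORTS["pcoip"], "blast": PORTS["blast"]})
    print(diagnose(cs, agent))
```

Run it from the client network where the desktop fails with the Blast gateway box unticked; a "tunnel only" result is the firewall case the reply names, and the decision is then whether to leave the gateway box checked or open 22443 (and 4172 if PCoIP is used) from that client subnet to the agents.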