topic Re: VMware Horizon View via Load-Balancer in General Topics

VMware Horizon View via Load-Balancer

evangoulden1990 — Fri, 09 Apr 2021 08:29:01 GMT

Hi All, First time posting here. We have a fairly large deployment of VMware Horizon View and we're recently migrated from our old firewalls (Fortigate) to Palo Alto and since then inbound connections to our View Platform at this site have stopped working. The basic inbound connection follows this flow:

External Client --> Palo Alto External --> Palo NAT to VIP on F5 LB --> F5 LB balance traffic to VMware UAGs --> Internal F5 LB --> F5 LB Balance Traffic to VMware Connection servers --> VMware VDI Desktops.

I have done various packet captures and it looks as though traffic is being passed through the load balancers and the return traffic is going back through the load balancers so the session should still be open on the Palo. When we connect to VDI we are presented with an RSA login prompt, this goes through successfully, the next step is to add the username and password, this just hangs and then eventually errors out.

Packet captures on the client workstation show that there is 2-way communication until the point where the client errors out.

2x things to note here, the ISP where the inbound connections enter is not the default gateway, the default gateway is another firewall (soon to be migrated to the same Palo) so inbound source translation is needed for the return traffic to work. The other is the VMware UAG's are not in a DMZ they are on the LAN/ server network.

Has anyone experienced similar issues or know of a way around this?

Re: VMware Horizon View via Load-Balancer

evangoulden1990 — Fri, 09 Apr 2021 08:30:50 GMT

The error that is shown on the client is 'Could not establish tunnel connection'.

Re: VMware Horizon View via Load-Balancer

OtakarKlier — Fri, 09 Apr 2021 15:06:19 GMT

Hello,

So lots of hops and different devices there. My mind goes to asymmetric routing somewhere. I would say follow the packet paths and see where they lead.

BTW good move on migrating away from the Forti's.

Regards,

Re: VMware Horizon View via Load-Balancer

BPry — Fri, 09 Apr 2021 16:47:00 GMT

@evangoulden1990,

It definitely sounds like asymmetric routing as @OtakarKlier brought up. Just to verify though, have you gone through the firewall logs and verified that you aren't dropping any of the Horizon View traffic? The PCoIP connection doesn't always get identified correctly via app-id and you could be dropping the 4172 traffic if it's being identified as standard ssl.