This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VMware Horizon View via Load-Balancer

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VMware Horizon View via Load-Balancer

evangoulden1990
L0 Member

‎04-09-2021 01:29 AM

Hi All, First time posting here. We have a fairly large deployment of VMware Horizon View and we're recently migrated from our old firewalls (Fortigate) to Palo Alto and since then inbound connections to our View Platform at this site have stopped working. The basic inbound connection follows this flow:

External Client --> Palo Alto External --> Palo NAT to VIP on F5 LB --> F5 LB balance traffic to VMware UAGs --> Internal F5 LB --> F5 LB Balance Traffic to VMware Connection servers --> VMware VDI Desktops.

I have done various packet captures and it looks as though traffic is being passed through the load balancers and the return traffic is going back through the load balancers so the session should still be open on the Palo. When we connect to VDI we are presented with an RSA login prompt, this goes through successfully, the next step is to add the username and password, this just hangs and then eventually errors out.

Packet captures on the client workstation show that there is 2-way communication until the point where the client errors out.

2x things to note here, the ISP where the inbound connections enter is not the default gateway, the default gateway is another firewall (soon to be migrated to the same Palo) so inbound source translation is needed for the return traffic to work. The other is the VMware UAG's are not in a DMZ they are on the LAN/ server network.

Has anyone experienced similar issues or know of a way around this?

0 Likes Likes
3 REPLIES 3

evangoulden1990
L0 Member

‎04-09-2021 01:30 AM

The error that is shown on the client is 'Could not establish tunnel connection'.

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to evangoulden1990

‎04-09-2021 08:06 AM

Hello,

So lots of hops and different devices there. My mind goes to asymmetric routing somewhere. I would say follow the packet paths and see where they lead.

 

BTW good move on migrating away from the Forti's. 

 

Regards,

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎04-09-2021 09:47 AM

@evangoulden1990,

It definitely sounds like asymmetric routing as @OtakarKlier brought up. Just to verify though, have you gone through the firewall logs and verified that you aren't dropping any of the Horizon View traffic? The PCoIP connection doesn't always get identified correctly via app-id and you could be dropping the 4172 traffic if it's being identified as standard ssl. 

0 Likes Likes
  • 3489 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks