Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

VMware Horizon View via Load-Balancer

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VMware Horizon View via Load-Balancer

L0 Member

Hi All, First time posting here. We have a fairly large deployment of VMware Horizon View and we're recently migrated from our old firewalls (Fortigate) to Palo Alto and since then inbound connections to our View Platform at this site have stopped working. The basic inbound connection follows this flow:

External Client --> Palo Alto External --> Palo NAT to VIP on F5 LB --> F5 LB balance traffic to VMware UAGs --> Internal F5 LB --> F5 LB Balance Traffic to VMware Connection servers --> VMware VDI Desktops.

I have done various packet captures and it looks as though traffic is being passed through the load balancers and the return traffic is going back through the load balancers so the session should still be open on the Palo. When we connect to VDI we are presented with an RSA login prompt, this goes through successfully, the next step is to add the username and password, this just hangs and then eventually errors out.

Packet captures on the client workstation show that there is 2-way communication until the point where the client errors out.

2x things to note here, the ISP where the inbound connections enter is not the default gateway, the default gateway is another firewall (soon to be migrated to the same Palo) so inbound source translation is needed for the return traffic to work. The other is the VMware UAG's are not in a DMZ they are on the LAN/ server network.

Has anyone experienced similar issues or know of a way around this?

3 REPLIES 3

L0 Member

The error that is shown on the client is 'Could not establish tunnel connection'.

 

Hello,

So lots of hops and different devices there. My mind goes to asymmetric routing somewhere. I would say follow the packet paths and see where they lead.

 

BTW good move on migrating away from the Forti's. 

 

Regards,

@evangoulden1990,

It definitely sounds like asymmetric routing as @OtakarKlier brought up. Just to verify though, have you gone through the firewall logs and verified that you aren't dropping any of the Horizon View traffic? The PCoIP connection doesn't always get identified correctly via app-id and you could be dropping the 4172 traffic if it's being identified as standard ssl. 

  • 4273 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!