04-09-2021 01:29 AM
Hi All, First time posting here. We have a fairly large deployment of VMware Horizon View and we're recently migrated from our old firewalls (Fortigate) to Palo Alto and since then inbound connections to our View Platform at this site have stopped working. The basic inbound connection follows this flow:
External Client --> Palo Alto External --> Palo NAT to VIP on F5 LB --> F5 LB balance traffic to VMware UAGs --> Internal F5 LB --> F5 LB Balance Traffic to VMware Connection servers --> VMware VDI Desktops.
I have done various packet captures and it looks as though traffic is being passed through the load balancers and the return traffic is going back through the load balancers so the session should still be open on the Palo. When we connect to VDI we are presented with an RSA login prompt, this goes through successfully, the next step is to add the username and password, this just hangs and then eventually errors out.
Packet captures on the client workstation show that there is 2-way communication until the point where the client errors out.
2x things to note here, the ISP where the inbound connections enter is not the default gateway, the default gateway is another firewall (soon to be migrated to the same Palo) so inbound source translation is needed for the return traffic to work. The other is the VMware UAG's are not in a DMZ they are on the LAN/ server network.
Has anyone experienced similar issues or know of a way around this?
04-09-2021 01:30 AM
04-09-2021 08:06 AM
So lots of hops and different devices there. My mind goes to asymmetric routing somewhere. I would say follow the packet paths and see where they lead.
BTW good move on migrating away from the Forti's.
04-09-2021 09:47 AM
It definitely sounds like asymmetric routing as @OtakarKlier brought up. Just to verify though, have you gone through the firewall logs and verified that you aren't dropping any of the Horizon View traffic? The PCoIP connection doesn't always get identified correctly via app-id and you could be dropping the 4172 traffic if it's being identified as standard ssl.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!