D81 Posted Monday at 07:47 PM Share Posted Monday at 07:47 PM (edited) Hi Im deploying a pair of UAG for external connections to a new horizon 8 farm with the las version 2406 The customer is using F5 as load balancer, they are still configuring it to point into the UAGs as well as the horizon connection servers. So meanwhile they are doing the configurations I have temporary configured each UAG to point into one Connection server. UAG1 --> Connection server 1 UAG2 --> Connection server 2 By the way, Im following this guide: https://www.carlstalhood.com/vmware-unified-access-gateway/ Notice that I have still not configured is the certificates of the UAGs cause the customer has still not provide them, but the rest of the configs are like it is mentioned on the guide. So right now my main doubt is focused on the UAG ports. If you check the guide it sais: Quote Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP: TCP and UDP 443 TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP) TCP and UDP 8443 (for HTML Blast) Open these ports from the Unified Access Gateways to internal: TCP 443 to internal Connection Servers (through a load balancer) TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions. TCP 32111 (USB Redirection) to all internal Horizon View Agents. TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents. TCP 9427 (MMR and CDR) to all internal Horizon View Agents. Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs: TCP 9443 (REST API) TCP 80/443 (Edge Gateway) However when I enter the UAG by console and I launch a nestat command I see this: As you can see there isnt any 443 port opened... Is that normal? I assume that the external connections should be done by that port, but it will not be opened until the SSL certificates will be installed. Thanks Edited Tuesday at 06:53 AM by D81 typos Quote Link to comment Share on other sites More sharing options...
Dominik Posted Tuesday at 09:10 AM Share Posted Tuesday at 09:10 AM Hi @D81 as you can see this is open ports on my working UAG with certs: On UAG you have open port 9443 for admin portal, but for 443 port is redirect to connection server. When you put address https://youruagip you will be redirect to portal HTML from connection server. 1 Quote Dominik Jakubowski EUC Expert | vExpert ⭐️⭐️⭐️ VDI Ninja https://vdesktop.ninja Link to comment Share on other sites More sharing options...
D81 Posted Tuesday at 09:17 AM Author Share Posted Tuesday at 09:17 AM Hi @Dominik Thanks for the clarifications, however it is still a bit confusing cause the firewall should be opened on port 443 at the "internet" NIC so why should we open that port in the firewall if it is actualy not used due to the 9443 --> 443 redirection? Quote Link to comment Share on other sites More sharing options...
Dominik Posted Tuesday at 09:21 AM Share Posted Tuesday at 09:21 AM @D81 is not redirection 9443 -> 443. UAG is working as reverse proxy, you have to put CS address in UAG config and UAG redirect to CS. Quote Dominik Jakubowski EUC Expert | vExpert ⭐️⭐️⭐️ VDI Ninja https://vdesktop.ninja Link to comment Share on other sites More sharing options...
D81 Posted Tuesday at 09:23 AM Author Share Posted Tuesday at 09:23 AM OK sorry I missunderstood the previous explanation. So I should open the 443 on the firewall at the internet side? Quote Link to comment Share on other sites More sharing options...
Dominik Posted Tuesday at 09:35 AM Share Posted Tuesday at 09:35 AM Yes, port 443 is need to open from internet to UAG. 1 Quote Dominik Jakubowski EUC Expert | vExpert ⭐️⭐️⭐️ VDI Ninja https://vdesktop.ninja Link to comment Share on other sites More sharing options...
Hans Kraaijeveld Posted Tuesday at 08:25 PM Share Posted Tuesday at 08:25 PM The pictures of all network flows in https://techzone.omnissa.com/resource/network-ports-horizon-8 will probably help. To determine which ports actually need to be open in you environment, for your specific situation, you first have to determine what you are going to use as a remoting protocol, among other things. Also, configuration depends on if and how you are going to load balance your uag's: https://techzone.omnissa.com/resource/load-balancing-unified-access-gateway-horizon 1 1 Quote Hans Kraaijeveld Technical Architect @ PQR vExpert ******** Link to comment Share on other sites More sharing options...
Employee Victor León Posted Wednesday at 05:25 AM Employee Share Posted Wednesday at 05:25 AM Hello, The authentication via UAG will be through port 443 as follows. Regardless of having a certificate installed in the UAG or not. client> 443 > UAG > 443 > CS. So, yes 443 has to be open in the external firewall for incoming connection request. Once the user is authenticated the network flow for the session protocol is as follows in a default configuration scenario: client > 8443 > UAG > 22443 > VDI_desktop Just to confirm, you may want to try with this command.. perhaps you are just missing parameters. try: netstat -ano | findstr 443 1 Quote Link to comment Share on other sites More sharing options...
Hans Kraaijeveld Posted Wednesday at 06:36 AM Share Posted Wednesday at 06:36 AM The blast protocol can actually be configured to also use 443, for both tcp and udp traffic externally. 22443 tcp/udp from uag to agent will always be used. https://docs.omnissa.com/bundle/UnifiedAccessGatewayDeployandConfigureV2312/page/BlastTCPandUDPExternalURLConfigurationOptions.html Quote Hans Kraaijeveld Technical Architect @ PQR vExpert ******** Link to comment Share on other sites More sharing options...
D81 Posted Wednesday at 07:13 AM Author Share Posted Wednesday at 07:13 AM 1 hour ago, Victor León said: Hello, The authentication via UAG will be through port 443 as follows. Regardless of having a certificate installed in the UAG or not. client> 443 > UAG > 443 > CS. So, yes 443 has to be open in the external firewall for incoming connection request. Once the user is authenticated the network flow for the session protocol is as follows in a default configuration scenario: client > 8443 > UAG > 22443 > VDI_desktop Just to confirm, you may want to try with this command.. perhaps you are just missing parameters. try: netstat -ano | findstr 443 Hi @Victor León Thanks for the clarifications! That's the idea I have regarding the external communications workflow. However I still dont see the 443 port opened. On my first post I was using the netstat -tln command and it shows this: If I launch your command it shows this: So for me it is still a mistery why the 443 port is not shown as opened and LISTEN. The ony thing I still haven't done is the configuration of the certificates on the UAG. Quote Link to comment Share on other sites More sharing options...
D81 Posted Wednesday at 07:17 AM Author Share Posted Wednesday at 07:17 AM 10 hours ago, Hans Kraaijeveld said: The pictures of all network flows in https://techzone.omnissa.com/resource/network-ports-horizon-8 will probably help. To determine which ports actually need to be open in you environment, for your specific situation, you first have to determine what you are going to use as a remoting protocol, among other things. Also, configuration depends on if and how you are going to load balance your uag's: https://techzone.omnissa.com/resource/load-balancing-unified-access-gateway-horizon Thanks for the links, I already knew the first one but I didnt knew about the second one. It is very illustrative! In our case we are planing to use the F5 load balance of the customer for load balancing the UAGs, the Connection servers and the App volumes. Quote Link to comment Share on other sites More sharing options...
Hans Kraaijeveld Posted Wednesday at 07:43 AM Share Posted Wednesday at 07:43 AM Did you know? F5's can actually be used (if properly licensed) to replace UAG's altogether. As I have seen many times though, you do need to have a decent amount of knowledge about F5 configuration. Quote Hans Kraaijeveld Technical Architect @ PQR vExpert ******** Link to comment Share on other sites More sharing options...
D81 Posted Wednesday at 07:52 AM Author Share Posted Wednesday at 07:52 AM 7 minutes ago, Hans Kraaijeveld said: Did you know? F5's can actually be used (if properly licensed) to replace UAG's altogether. As I have seen many times though, you do need to have a decent amount of knowledge about F5 configuration. Yeah I know, actually the customer is configuring that based on this info: https://www.f5.com/pdf/partners/f5-load-balancing-vmware-unified-access-gateway-servers.pdf However this is the first time I build a UAG infrastructure and Im a bit lost on some concepts. Quote Link to comment Share on other sites More sharing options...
Hans Kraaijeveld Posted Wednesday at 07:54 AM Share Posted Wednesday at 07:54 AM Is that the most recent they have? I would be careful using something that outdated. Things changed quite a bit since 2020... Quote Hans Kraaijeveld Technical Architect @ PQR vExpert ******** Link to comment Share on other sites More sharing options...
D81 Posted Wednesday at 07:59 AM Author Share Posted Wednesday at 07:59 AM Not sure, probably they have a newer one. But its the info that I found on the net. 1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.