D81

Hi

I'm deploying a pair of UAGs for external connections to a new Horizon 8 farm with the latest version, 2406.

The customer is using F5 as load balancer; they are still configuring it to point to the UAGs as well as the Horizon Connection Servers. So while they are doing the configuration I have temporarily configured each UAG to point to one Connection Server.

UAG1 --> Connection server 1

UAG2 --> Connection server 2

By the way, I'm following this guide:

https://www.carlstalhood.com/vmware-unified-access-gateway/ 

Notice that what I have still not configured is the certificates of the UAGs, because the customer has still not provided them, but the rest of the configs are as mentioned in the guide.

So right now my main doubt is focused on the UAG ports. If you check the guide it says:

Quote:

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)


However, when I enter the UAG by console and launch a netstat command I see this:

[screenshot: netstat output on the UAG]

As you can see there isn't any 443 port open... Is that normal?

I assume that the external connections should be made through that port, but it will not be opened until the SSL certificates are installed.

Thanks

Edited by D81
typos

Hi @D81, as you can see, these are the open ports on my working UAG with certs:

[screenshot: open ports on a working UAG with certificates installed]

On the UAG you have port 9443 open for the admin portal, but port 443 is redirected to the Connection Server. When you enter the address https://youruagip you will be redirected to the HTML portal from the Connection Server.

Dominik Jakubowski

EUC Expert  | vExpert
VDI Ninja

https://vdesktop.ninja


The pictures of all network flows in https://techzone.omnissa.com/resource/network-ports-horizon-8 will probably help.

To determine which ports actually need to be open in your environment, for your specific situation, you first have to determine what you are going to use as a remoting protocol, among other things.

Also, configuration depends on if and how you are going to load balance your UAGs:

https://techzone.omnissa.com/resource/load-balancing-unified-access-gateway-horizon


Hans Kraaijeveld

Technical Architect @ PQR

vExpert ********


  • Employee

Hello,

The authentication via UAG will be through port 443 as follows, regardless of having a certificate installed in the UAG or not:

client > 443 > UAG > 443 > CS

So yes, 443 has to be open in the external firewall for incoming connection requests. Once the user is authenticated, the network flow for the session protocol is as follows in a default configuration scenario:

client > 8443 > UAG > 22443 > VDI_desktop


Just to confirm, you may want to try this command; perhaps you are just missing parameters.
Try: netstat -ano | findstr 443

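As an added example (not from any post in this thread), here is a small bash check for the listener question raised above: it parses `ss -tuln` output on the UAG and reports which of the appliance-side ports quoted from the guide (TCP/UDP 443, 4172, 8443, plus TCP 9443 for the admin REST API) are not listening. It assumes iproute2 `ss` is present on the appliance; the sample `ss` output is constructed to mirror the "no 443" situation described in the first post.

```shell
#!/bin/bash
# Added example, not from the thread: compare a UAG's listening sockets with the
# listener ports quoted from the guide (TCP/UDP 443, 4172, 8443 and TCP 9443 admin).
# Assumes iproute2 `ss` is available on the appliance; run live with: ./uag-ports.sh --live

# Expected listeners on the appliance itself, as proto:port.
EXPECTED="tcp:443 udp:443 tcp:4172 udp:4172 tcp:8443 udp:8443 tcp:9443"

# Constructed `ss -tuln` output mirroring the situation in the thread: nothing on 443.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0           0.0.0.0:4172      0.0.0.0:*
udp   UNCONN 0      0           0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:4172      0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:9443      0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*'

# Print one proto:port per listening (TCP) or bound (UDP) socket from ss text in $1.
# The port is the last ":"-separated field of the local address, so [::]:22 also works.
listening_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
      n = split($5, a, ":"); print $1 ":" a[n] }' | sort -u
}

# Print each expected proto:port that is absent from the listening set in $1.
missing_ports() {
  local have
  have=$(listening_ports "$1")
  for p in $EXPECTED; do
    printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
  done
}

if [ "${1:-}" = "--live" ]; then
  missing_ports "$(ss -tuln)"
else
  echo "Missing listeners in the constructed sample:"
  missing_ports "$SAMPLE_SS"
fi
```

On the sample the script reports tcp:443 and udp:443 as missing; run with `--live` on the appliance to compare its real sockets against the same list.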

The Blast protocol can actually be configured to also use 443, for both TCP and UDP traffic externally. 22443 TCP/UDP from UAG to agent will always be used.

https://docs.omnissa.com/bundle/UnifiedAccessGatewayDeployandConfigureV2312/page/BlastTCPandUDPExternalURLConfigurationOptions.html

Hans Kraaijeveld

Technical Architect @ PQR

vExpert ********


1 hour ago, Victor León said:

Hello,

The authentication via UAG will be through port 443 as follows, regardless of having a certificate installed in the UAG or not:

client > 443 > UAG > 443 > CS

So yes, 443 has to be open in the external firewall for incoming connection requests. Once the user is authenticated, the network flow for the session protocol is as follows in a default configuration scenario:

client > 8443 > UAG > 22443 > VDI_desktop


Just to confirm, you may want to try this command; perhaps you are just missing parameters.
Try: netstat -ano | findstr 443


Hi @Victor León

Thanks for the clarifications! That's the idea I have regarding the external communications workflow. However, I still don't see the 443 port open.

In my first post I was using the netstat -tln command and it shows this:

[screenshot: netstat -tln output on the UAG]


If I launch your command it shows this:

[screenshot: output of the suggested netstat command on the UAG]

So for me it is still a mystery why the 443 port is not shown as open and LISTEN. The only thing I still haven't done is the configuration of the certificates on the UAG.


10 hours ago, Hans Kraaijeveld said:

The pictures of all network flows in https://techzone.omnissa.com/resource/network-ports-horizon-8 will probably help.

To determine which ports actually need to be open in your environment, for your specific situation, you first have to determine what you are going to use as a remoting protocol, among other things.

Also, configuration depends on if and how you are going to load balance your UAGs:

https://techzone.omnissa.com/resource/load-balancing-unified-access-gateway-horizon

Thanks for the links. I already knew the first one but I didn't know about the second one. It is very illustrative!

In our case we are planning to use the customer's F5 load balancer for load balancing the UAGs, the Connection Servers and App Volumes.


7 minutes ago, Hans Kraaijeveld said:

Did you know? F5s can actually be used (if properly licensed) to replace UAGs altogether. As I have seen many times though, you do need to have a decent amount of knowledge about F5 configuration.

Yeah, I know; actually the customer is configuring that based on this info:

https://www.f5.com/pdf/partners/f5-load-balancing-vmware-unified-access-gateway-servers.pdf

However, this is the first time I've built a UAG infrastructure and I'm a bit lost on some concepts.
