Horizon iApp does not allow for Blast over TCP when using APM
vSphere 7.0U3 / vCSA same / Horizon 8.x / F5-LTM-APM.v16.x
What {
When using the latest Horizon iApp (which is over two years old), there are two options, with and without APM.
When not selecting APM in the iApp, the Blast sessions can be sent through the UAGs over 8443 (TCP or UDP) or forwarded to the clients by the F5 via 22443.
When selecting APM in the iApp, that option menu does not exist since the F5 becomes the External Blast Secure Gateway. There is also not a menu to be able to choose for the Blast sessions to be proxied by either the Connection Servers, or just forwarded directly by the F5. The other issue is that the only virtual server that gets created for Blast is for UDP.
}
Why {
We have to use the APM iApp portion since smart cards are in use in the environment. Our security folks do not allow UDP out of the edge, so we need that Blast virtual server to use TCP.
}
Troubleshooting {
Changing the UDP virtual server to TCP does not work; neither does creating a standalone virtual server to complement the iApp, since APM is in use and some iRule is being left out somewhere.
If we change the iApp to non-APM and allow for either UAGs or F5 forwarding to handle the Blast sessions, everything works fine. Since smart card redirection is only allowed with APM... when we select APM and sandbox with UDP, everything works fine, just not with TCP, since the Blast TCP virtual server isn't a part of the iApp.
Any thoughts on what APM is doing under the covers for this iApp besides normal iRules that is preventing either proxied 8443 or forwarded 22443 from working??
}