Forum Discussion

potato_14's avatar
Icon for Nimbostratus rankNimbostratus
Oct 01, 2022

Horizon iApp does not allow for Blast over TCP when using APM

vSphere 7.0U3 / vCSA same / Horizon 8.x / F5-LTM-APM.v16.x

What {

When using the latest Horizon iApp (which is over two years old) , there are two options, with and without APM.

When not selecting APM in the iApp, the Blast sessions can by sent through the UAGs over 8443(TCP or UDP) or forwarded to the clients by the F5 via 22443.

When selecting APM in the iApp, that option menu does not exist since the F5 becomes the External Blast Secure Gateway. There is also not a menu to be able to choose for the Blast sessions to be proxied be either the Connection Servers, or just forwarded directly by the F5. The other issue is that the only virtual server that gets created Blast is for UDP.


Why {

We have to use the APM iApp portion since smart cards are in use in the environment. Our security folks do not allow UDP out of the edge, so we need that Blast virtual server to use TCP. 


Troubleshooting {

Changing the UDP virtual server to TCP does not work, neither does creating a standalone virtual server to complement the iApp, since APM is in use and some iRule is being left out somewhere. 

If we change the iApp to non APM and allow for either UAGs or F5 forwarding to handle the Blast sessions, everything works fine.  Since smart card redirection is only allowed with APM...when we select APM and sandbox with UDP everything works fine, just not with TCP-since the Blast TCP virtual server isn't a part of the iApp.

Any thoughts on what APM is doing under the covers for this iApp besides normal iRules that is preventing either proxied 8443 or forwarded 22443 from working??



3 Replies

  • Hey There potato_14,

    Let me help you out with this! 

    For the APM VDI side of the profile it creates 4 VIPs in the process (443 TCP, 8443 UDP, 4172 UDP, and 443 UDP)
    All of the TCP Connections (PCoIP [4172 TCP]/Blast [8443 TCP]/Authentication [443 TCP]) all flow within the 443 TCP stream so when connecting to Blast via TCP it will utilize the 443 port to do it.  

    I have attached 2 pictures (Dropbox) of an example of my lab showing this where i disabled UDP 8443 (Blast External) and still can establish an RDSH connection via Blast to the Desktop with the (Performance tracker app that identifies its connection as TCP not UDP) via the APM proxy.  I have also attached a diagram showing how it mutates from within the APM VDI Profile from 443 to 22443 within the APM VDI Profile to connect to the VDI.

    Originally when we supported Horizon the TCP usecase was the first we supported then we added the UDP functionality afterwards.  I tested with my environment using vSphere 7.0U3 + ESXi 7.0U3 + Horizon 2207 + BIGIP v16/17 with the iApp 1.5.9.


    Another thing i would mention is that i would highly recommend utilizing UDP and really pusing your Security team to utlize it.  Can you use VDI in TCP Yes, however there might be performance degridation of the VDI because of things like packet loss (WIFI/Internet/etc.).  Server side wont be impacted but because using TCP will force a retransmission of the packets and slow down the users experience.  This is why even VMware recomends the usage of UDP as it will provide the best performance during packet loss scenarios. 

    If you have more questions let me know!

  • hey there potato_14, I reached out to some internal people who might have had exposure to this iApp. I'll let you know when I hear something.