Today we get further. The VMWare guys enabled debugging on the logs. It seemed to be complaing about invalid client certs...
We aren't using client certs...
So I added one to the serverssl of the VS at APM (Not the layered on mind you). And it sprang into life via the layered VS (Not direct). It's not got the desktop. But gets weirder, because I have NO idea why the layered stuff now works, but direct doesn't when it's VMWare Broker that's complaining about clientside certs...
It's all very strange... The VMWare VDI daemon seems to ignore the SNAT settign on the APM VirtualServer too. It uses the APM's inside IP address to connect to the brokers... Always... So why would changing the serverssl profile of that VS change anything? Very weird... Seems inconsistent to me (Especially since the whitepapers all say to enable AutoSNAT. But it doesn't seem to matter WHAT you set SNAT too. It always seem to us auto (I use a pool by preference to separate different VS's), which works for the citrix stuff. Just not vmware).