Forum Discussion
VMware Horizon View iAPP VDI + HTML5
Greetings!
This is my first post and I am not an F5 guru but I am wondering if anyone has gotten all the ports working for VMware Horizon View and the latest iApp for Horizon View. I am specifically wondering if anyone has gotten HTML5 to the desktop working in their environment. We have 4 brokers all running View 5.2. Accessing the individual servers works fine using HTML5. When trying to add 8443 it appears like it will work but it looks like it failing on the connection to the Broker after Authentication. From a Network trace it appears we connect on 443 (authentication) to one broker and then when we try to connect to 8443 (HTML 5 access to the desktop) it fails. If I disable 3 of the 4 pool members it works every time. If I enable 2 of the 4 pool members if fails 50% of the time....
Any advice?
Thanks!
- Ryan_Harris_01_Nimbostratus
Hello,
I am in the same situation to Evon and I am wondering if this has ever been resolved?
We currently have Horizon View 5.3 and everything works for HTML5/Blast going directly to our security server before we introduce the F5 Big IP LTM.
When we login and select the desktop pool where the BLAST 8443 redirection takes place, we receive a 404 Error page not found message.
I have created a separate VS on the same VIP for 8443 and given it the same settings as the 443 server (http profile, persistence, pool member). I am unable to find any documentation anywhere on how to get it to work!
Cheers, Ryan
- Ryan_Harris_01_Nimbostratus
Hi,
I've managed to solve the above problem as I stated above. I created a new pool for the security servers using 8443. Previously it was set to use the same pool as our 443 nodes. (All nodes the same, just different port).
It seems obvious now I guess!
Cheers, Ryan
- Gary_Bright_120Nimbostratus
Hi there I'm trying to get the HTML5/BLAST config working with version 1.1.0 of the iApp. for the people that have this working did you get it working with just the APM or did you use all use a VMware view security server as well?
When I log on to the APM my webtop displays a message saying that "Logon to VMware server failed" (I know my username and password are correct as the APM authenticated me before the webtop) I can't see to find anything in the logs.
If I use my full view client through the iApp it does work or though it does ask my to authenticate twice.
Any thoughts, advice would be appreciated.
Best Regards
Gary
- aschaef_137607Nimbostratus
I too am trying to get the HTML5 Blast to work. I am running BIG IP 11.5.1 and View iAPP version 1.1.0. It says in the release notes that this iAPP supports the HTML5 blast, but it does not create a pool for the 8443 ports. I was able to confirm this works when bypassing the F5 LTMs. I have an open case with F5 support and will let you know what I find.
- Greg_Crosby_319Historic F5 Account
Port 8443 is not always used with HTML 5 clients. The iApp offers several ways to configure your BIG-IP based on your available BIG-IP modules and your specific View configuration. The only configuration produced by the iApp that supports HTML 5 (without modification), is the scenario were you use APM to "Securely proxy PCoIP traffic using APM as a PCoIP gateway". It is the default iApp option when using APM with software versions 11.4-11.5.1 (11.4 is required to support PCoIP proxyied connections). The question directly after in the iApp is whether or not you want to support HTML 5 client connections, select yes for this option.
Using these options in the iApp, once you connect to the big-ip using a supported browser, you will see the option to use html 5 clients when selecting virtual desktop pool (don't forget you have to have the "HTML Access" option enabled on the pools settings).
For those wanting to configure LTM only, or do not currently have the APM module, you have a couple modifications to make after running the iApp. Here is a brief description of the required changes after running the iApp:
If you are using security servers, create a virtual server using port 8443 and attach the security server pool created by the iApp to the virtual server. You will also need to modify the persistence profile created by the iApp to "match across services". For this setup the connection server will need to have "Blast Secure Gateway" enabled and set to the correct fqdn:port. Once the clients have successfully logged into the security server, they will attempt to make a 8443 connection to the same security server which proxys 443 connections to the correct virtual desktop.
If you are not using security servers, create a forwarding (ip) virtual server using the network your virtual desktops reside for the destination network, and port 443. Once clients have successfully logged into the View connection server, they will attempt to make a 443 connection directly to the assigned desktop. For this setup, you will need to have "Blast Secure Gateway" disabled on each connection server.
aschaef, let me know what configuration you are trying to use and I can assist further.
- APNimbostratusEdit: Nevermind. Choosing no in the iApp simply Deny's browser access full stop. So you never get to the remote desktop icon on the desktop to select view client or HTML access. It seems there are several threads on Devcentral looking to have users automatically go to HTML access or the view-client but it doesn't seem to be possible at present. Hi Greg, Could I trouble you to elaborate on exactly what configuration changes occur when the HTML Access option is chosen or not chosen in the iApp? I've looked through the iApp code and it's not immediately obvious to me. I've built a configuration from scratch and the HTML access option is available by default it seems. You mentioned that choosing "Yes" in the iApp is what allows this option to be presented to the user, so my question is: How do you turn it off when not using the iApp? Regards, Andrew
- Greg_Crosby_319Historic F5 AccountThe accompanying deployment guide has a section which discusses iApp created apm configurations. https://f5.com/solutions/deployment-guides/vmware-view-50-51-and-horizon-view-52-53-60-rc-iapp-big-ip-v11-ltm-apm The different iApp apm configurations begin on page 42. The option presented to user which allow the use of html 5 client connections occur when vdi resource (connection server setting) has html 5 enabled and apm policy allows "browser" based logon's. You can remove the option by eliminating the browser login branch within your apm policy or by removing the html 5 option on your resource pools.
- aschaef_137607Nimbostratus
Greg, thanks for the reply. I currently have 2 pairs of F5s, 1 sitting in the DMZ which is licensed for LTM/APM and another virtual pair of F5s licensed for LTM only. On the view side I have 2 security servers and 2 connection servers. I have been trying to figure out the best way to provide both internal and external connectivity for clients. Currently I have the internal LTMs setup and working to load balance PCoIP clients directly to the connection servers. I was reading some F5 deployment guides and it was showing that with the APM piece they had an optimized design which provided a PCoIP directly to the connection servers as well. At this point the security servers aren't doing anything. I would like to provide HTML5 access at least to external clients, so I may not set it up on the internal LTM side. We are using split DNS so I have all clients pointed to view.domain.com regardless if they are internal or external. Internal DNS will resolve to the LTM virtual IP and the external DNS will resolve to the public IP setup for view on the APM F5s.
- Greg_Crosby_319Historic F5 Account
There is a straight forward (meaning very few options) iApp on devcentral that supports the optimized solution you mentioned. The iApp assumes a single BIG-IP deployment were APM has access to your untrusted (public) network and trusted View networks. APM's trusted connection needs to be able to communicate to your View Connection servers (tcp 443) and to your virtual desktops (tcp 443 & udp 4172). The iApp creates 5 virtual servers; 2 for internal trusted client connections, and 3 for untrusted client connections.
Summary of iApp virtual server creation:
Untrusted ip1:tcp:443 vs - lb auth requests to connection servers and manages html 5 connections to virtual desktops.
Untrusted ip1:udp:4172 vs - manages pcoip connections to desktops
Untrusted ip1:tcp:80 vs - redirects 80 connections to 443
note: apm inserts untrusted vs ip1 into sta ticket on the way back to the client which forces all client desktop connections to APM. APM handles AD authentication and securely proxy's pcoip/html 5 connections, thus replacing the security servers role. Using your split dns, you would point all external/untrusted networks to this address.
trusted ip2:tcp:443 vs - lb auth requests to connection servers
trusted ip2:tcp:80 vs - redirects 80 to 443
Note trusted clients need to have access to virtual desktops via tcp 443 (html 5 client connections), and tcp/udp 4172 (pcoip connections) since apm is not managing/proxying trusted connections to the desktops. Using your split dns, you would point all trusted networks to this ip address.
Sorry for the long narration, I just thought i would give you a little context before jumping into using the optimized solution iapp on DC. There is also a DG noted in the link that you can read through for more through details.
-Greg
- aschaef_137607Nimbostratus
Greg,
Thanks for the overview, that actually helped me wrap my head around everything. I am going to remove the configuration on the internal LTM pair and just use the pair of F5s in the DMZ with APM. Do you know if there is much of a difference between the View 1.1.0 iApp and the Optimized 1.1.0rc1 iApp? I may try the original one first since I'm not using the virtual edition of BIG-IP on the pair which has APM.
Thanks again, Andrew
- Greg_Crosby_319Historic F5 AccountThe optimized solution really is just a very stream lined version of v1.1.0 (uses a single configuration variation that v1.1.0 produces). If you want, you can use the optimized iapp to start and later, if you decide you need more granularity, use the v1.1.0 iapp. The iapps are meant to be interchangeable, meaning you can deploy the optimized iapp, select the option to reconfigure the iapp, select "change" next to the "template" option, and select the v1.1.0 iapp. By doing so v1.1.0 will be populated with all the choices you made with the optimized iapp. The only thing that will be lost is the "trusted" virtual server, as v1.1.0 does not currently include and build the trusted virtual server configuration.
- aschaef_137607Nimbostratus
I had much better luck with the optimized iApp. Everything is working so far on the PCoIP side, but not quite like I'd expect on the HTML5 side. For example if I was using desktop.domain.com with split DNS and I open a web browser from an internal client and go to https://desktop.domain.com I am presented with the VMware View page where I can choose to install a view client or use HTML access. If I select HTML access I am presented with the login page and am able to successfully authenticate and see my View desktop. When I connect to the desktop, I am redirected to a URL which is actually the IP address of the desktop and receive an SSL certificate error. The connection works, but I would expect the url to remain desktop.domain.com so the SSL cert would be valid.
I tried going back to the connection server settings and checking the boxes next to "Use Secure Tunnel connection to desktop" and "Use Blast Secure Gateway for HTML access to desktop" and the URL remains desktop.domain.com but I get a page could not be found error. As it stands now, the only box which is checked under the view connection server settings is the Use PCoIP Secure Gateway for PCoIP connections to desktop with the IP address pointing back to the trusted F5 virtual server address.
Getting closer....
- Greg_Crosby_319Historic F5 AccountAPM handles PCoIP connections by inserting its virtual address rather then the assigned desktops address, so you should uncheck the "PCoIP Secure Gateway for PCoIP option"
- Greg_Crosby_319Historic F5 Accountslight correction to my response, apm inserts fqdn of APM address, which is required to match your ssl cert.
- aschaef_137607Nimbostratus
I currently have all boxes unchecked on both view connection servers.
I am trying the following tests to make sure the view machines are reachable both internally and externally with PCoIP and HTML5.
Internal PCoIP test using View Client - works great Internal HTML5 test using https://desktop.domain.com successfully authenticates and then brings me to the following URL where I get a security certificate warning "https://10.0.0.10:22443/d/499849BA-A092-44AB-8D7E-330903764E73/?vauth=tbQ5v%2FXNaAyQnXL0FRZbCJ%2BL" If I accept to continue then the desktop loads (my only issue is the certificate warning)
External PCoIP test using iPhone - works great External HTML5 test using iPhone - works with Chrome, but not Safari browser
External PCoIP test using domain laptop (not on VPN) - Successfully authenticate using the View Client but it sits and spins on "The Connection Server is preparing the desktop..." I then tried going to https://desktop.domain.com and choosing VMware View Client. The behavior is the same where the client sits and says "The connection server is preparing the desktop..." External HTML5 test using domain laptop (not on VPN) - works great.
- Greg_Crosby_319Historic F5 AccountIn this setup there is not a proxy handling certificates, which means you are going to connect to the desktop on port 22443 and use the default certificate installed when you installed the blast desktop agent onto the virtual desktop. The default certificate is self signed, so your client is not going to recognize the certificate as being issued by a trusted CA. This document discusses how to replace the default "blast" certificate with a trusted root CA:http://www.vmware.com/pdf/horizon-view/horizon-view-52-feature-pack-document.pdf. For "The connection server is preparing the desktop..." issue, I would confirm APM has the required ports open to the desktop pool, udp 4172, and that you are running View 5.2 or newer. You could run tcpdump on APM and filter for udp 4172 to see where PCoIP connections are destined. Maybe something like tcpdump -i 0.0 port 4172. If you see a connection attempt to a valid virtual desktop ip address but no response, then you might have something in the middle blocking udp 4172.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com