VMware Horizon Community
Tibmeister
Expert

Odd Issue

I have a small PoC type environment going, or trying to.  I have a UAG with a single NIC, two Connection Servers, the second one being a replica, and a single VM desktop with the Agent installed.

All of the VMs are on the same network, and Connection Server 1 is configured for internal access and Connection Server 2 is configured for the UAG.

When internal, connecting to Connection Server 1, no issues.  When external, I can get logged in and have desktop selection, but then I get the vdpconnect_gateway_error and dead in the water.

I am at a loss on what's going on.  The VM's firewall is wide open, and everything's on the same subnet.  I can connect internally, just not externally, and judging by being able to log in and see my desktop, the UAG is talking to the second Connection server, and NAT is working just fine.  I'm at a loss here.

5 Replies
nashers1
Contributor

I've seen this before 

I see the firewall is open

but have you worked through this KB?

do you have full DNS set up?

Horizon Client Blast Error Troubleshooting: VDPCONNECT_GATEWAY_ERROR (91017) (vmware.com)

Tibmeister
Expert

So it boiled down to a misconfiguration on my part that isn't very clear in the docs.  In the Connection Server settings, there's a section called Blast Secure Gateway that I had put the external URL of the UAG.  In fact, this needs to be set to Do not use Blast Secure Gateway, as well as all the other gateway settings set to nothing.  After that, everything worked as expected and I only need the one Connection Server for both internal and external connections and all is well.

I am not really sure what this gateway setting is even for, and the docs are not very clear on the matter.  I just figured I would try it and see what would happen.

Mickeybyte
Hot Shot

@Tibmeister 

Some background info:

The Gateway configuration on the Connection servers is meant to tunnel the display protocol through the connection servers if needed. If you enable this, the Blast/PCoIP display session will be tunneled through the connection server instead of being set up directly between endpoint (or UAG) and VDI/RDSH.

It's not recommended to enable this if you use a UAG that connects to that CS, as the connections would be tunneled twice, once through the UAG and then again through the CS.

It could be that tunneling the display session through the CS might be required in some environments for security reasons or if there's no direct connection possible between endpoint and VDI/RDSH.

The URL you enter in the Gateway URL field is the hostname the endpoint needs to connect to to tunnel the session, so if you entered the UAG name there, the client would have been constantly redirected to the UAG which indeed caused your issue.


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
Tibmeister
Expert

Still not sure of the use case where an external URL would be used here.

Mickeybyte
Hot Shot

It's not really an "external" URL as in your UAG URL, but the CS URL that you want to use to tunnel the connections through. This can either be a specific CS or a VIP from a load-balanced connection server configuration.

Only on the UAG, you enter a "public" reachable URL for the gateway URL.


Regards,
Mickeybyte (ITPro blog)
