VMware Workspace ONE Community
DarrenBull
Contributor

External access - confused!

Right, here is where I am:

  1. Deployed the default vApp.
  2. Configured a valid external FQDN, which is also the same name as my (single) gateway hostname.
  3. Running split DNS so internal clients can access all appliances on internal IP addresses (they are all valid external DNS names).
  4. Registered an external DNS A record for horizon.company.corp. This points to a public address configured on my firewall.
  5. Performed PAT on the firewall to forward packets through to the gateway internal IP.
  6. Page 7 of the install guide says I must either (a) install a reverse proxy server; or (b) do PAT to the gateway to enable external access. I've gone for B.

Now, when I connect from outside the LAN to horizon.company.corp, the gateway is asking the client to talk to rsa.company.corp to authenticate. rsa.company.corp is a second identity provider we have installed to perform RSA authentication for external clients. Only trouble is, we have no external DNS record for rsa.company.corp, nor does it look like we should need one - we have configured horizon.company.corp as our external FQDN and the rsa.company.corp identity connector correctly displays this as the external URL under the section 'about'. As the external client is being asked to connect to a host it knows nothing about, it fails.

We then added a DNS entry for rsa.company.corp externally and put in a PAT rule for this too, just to see what would happen. This time I get a login page from rsa.company.corp, and I successfully authenticate with our RSA server. However, as soon as we are authenticated, we get an error. I would guess because again the system is sending us off to some other host/appliance for which we have no external DNS entry.

What's going on here? Why isn't the gateway 'masking' all this internal traffic instead of asking the remote client to connect to what are essentially internal server names? Reverse proxy won't help - I would still need an external DNS name for each host I wanted to talk to - which negates the whole point of the single, non-changeable external FQDN we are asked to decide on during initial install?

What have I failed to do? Something seems amiss on the gateway but I'm unsure what. I am evaluating, so VMware tech support say my best chance is on these forums... anyone have any clue?

Thanks.

sravuri
VMware Employee

Hi,

On your connector, can you check what is set as the Identity Provider URL? This is the URL we will send to for authentication. If you expect this to be the gateway and you want the gateway to route to this connector, then change this URL to the FQDN. Also, in the configurator, make sure that the connector has useGatewayAsIDP set to true.

DarrenBull
Contributor

Hi, yes, the external URL on the connector to be used for external authentication is correct. Also, UseGatewayAsIDP is set to true (Y). I can authenticate but then get the page shown in the screenshot.

[Screenshot attachment: hzn6.jpg]

DarrenBull
Contributor

OK, finally fixed it. Two issues:

  1. The example given in the bit of the manual I was looking at uses 'UseGatewayAsIDP=N' when adding a secondary connector. For my use case, this was wrong. This needed to be Y to channel everything through it.
  2. Also, and more importantly, I was trying to cut corners. Given that this is an eval, I didn't want to set up two gateways, load balancing, etc. I thought a quick NAT rule through to my single gateway would work. It won't. You need to set it up exactly as it says (obvious to some, but I often find when doing an eval you can 'get away with' certain things!).

There's an awful lot of plates to keep in the air to keep this thing running and available. I now have about 8 appliances running, and this is to support 5 test users. My word, they could make it easier.
