Right, here is where I am:
Now, when I connect from outside the LAN to horizon.company.corp, the gateway is asking the client to talk to rsa.company.corp to authenticate. rsa.company.corp is a second identity provider we have installed to perform RSA authentication for external clients. Only trouble is, we have no external DNS record for rsa.company.corp, nor does it look like we should need one - we have configured horizon.company.corp as our external FQDN and the rsa.company.corp identity connector correctly displays this as the external URL under the 'About' section. As the external client is being asked to connect to a host it knows nothing about, it fails.
We then added a DNS entry for rsa.company.corp externally and put in a PAT rule for this too, just to see what would happen. This time I get a login page from rsa.company.corp and successfully authenticate with our RSA server. However, as soon as we are authenticated, we get an error. I would guess because again the system is sending us off to some other host/appliance for which we have no external DNS entry.
What's going on here? Why isn't the gateway 'masking' all this internal traffic instead of asking the remote client to connect to what are essentially internal server names? A reverse proxy won't help - I would still need an external DNS name for each host I wanted to talk to, which negates the whole point of the single, non-changeable external FQDN we are asked to decide on during the initial install.
What have I failed to do? Something seems amiss on the gateway but unsure what. Am evaluating so VMware tech support say my best chance is on these forums...anyone have any clue?
Thanks.
Hi,
On your connector, can you check what is set as the Identity Provider URL? This is the URL we will send the client to for authentication. If you expect this to be the gateway and you want the gateway to route to this connector, then change this URL to the FQDN. Also, in the configurator, make sure that the connector has useGatewayAsIDP set to true.
Hi, yes external URL on connector to be used for external authentication is correct. Also UseGatewayAsIDP is set to true (y). I can authenticate but then get the page shown in the screenshot.
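A small diagnostic added here by the editor (it is not from the thread or from VMware) that reproduces what the poster is seeing: walk the login redirect chain one hop at a time, with redirects not followed automatically, and list every hostname the client is bounced to that is not the published external FQDN, then check which of those names the client can actually resolve. horizon.company.corp and rsa.company.corp are the names from the thread; appliance2.company.corp, the paths, and the sample responses are constructed so the offline part runs without a network.

```python
"""Redirect-chain tracer for an external login flow (added example, not
product code). Run trace() from outside the LAN to see which hostnames
the gateway hands the client and whether they resolve there."""
import http.client
import socket
import ssl
from urllib.parse import urljoin, urlsplit

EXTERNAL_FQDN = "horizon.company.corp"  # the external FQDN from the thread

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_redirect_chain(responses, start_url):
    """responses: ordered list of (status, headers) from each hop.
    Returns the absolute URLs visited, starting with start_url. Relative
    Location values are resolved against the hop that issued them."""
    chain = [start_url]
    current = start_url
    for status, headers in responses:
        if status not in REDIRECT_CODES:
            break  # a 200 login page or an error page ends the chain
        location = headers.get("Location") or headers.get("location")
        if not location:
            break
        current = urljoin(current, location)
        chain.append(current)
    return chain


def leaked_hosts(chain, external_fqdn=EXTERNAL_FQDN):
    """Hostnames in the chain other than the published external FQDN.
    Each one is a name the remote client must resolve and reach."""
    leaked = []
    for url in chain:
        host = urlsplit(url).hostname
        if host and host.lower() != external_fqdn.lower() and host not in leaked:
            leaked.append(host)
    return leaked


def resolves_externally(host, resolver=None):
    """True if the resolver can turn host into an address. Defaults to the
    system resolver, so the answer reflects where the script is run."""
    try:
        (resolver or socket.gethostbyname)(host)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False


def unresolvable_hops(chain, resolver=None, external_fqdn=EXTERNAL_FQDN):
    """Leaked hostnames that the client cannot resolve: the ones that will
    fail with a connection error after the gateway redirects to them."""
    return [h for h in leaked_hosts(chain, external_fqdn)
            if not resolves_externally(h, resolver)]


def fetch_hop(url, timeout=10):
    """One HTTPS GET with redirects NOT followed, returning (status, headers)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.hostname})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


def trace(start_url, max_hops=10):
    """Live walk from start_url. Returns (chain, leaked, unresolvable)."""
    responses = []
    current = start_url
    for _ in range(max_hops):
        try:
            responses.append(fetch_hop(current))
        except (OSError, http.client.HTTPException):
            break  # unresolvable or unreachable host: the chain ends here
        nxt = parse_redirect_chain(responses, start_url)[-1]
        if nxt == current:
            break
        current = nxt
    chain = parse_redirect_chain(responses, start_url)
    return chain, leaked_hosts(chain), unresolvable_hops(chain)


# Constructed sample, modelled on the thread's symptoms: gateway -> RSA
# connector -> a second appliance the client has never heard of.
SAMPLE_START = "https://horizon.company.corp/"
SAMPLE_RESPONSES = [
    (302, {"Location": "https://rsa.company.corp/login"}),
    (302, {"Location": "/sso"}),  # relative, stays on rsa.company.corp
    (302, {"Location": "https://appliance2.company.corp/login"}),
    (200, {"Content-Type": "text/html"}),
]


def stub_external_resolver(host):
    """Constructed stand-in for public DNS in which only the external FQDN exists."""
    if host.lower() == EXTERNAL_FQDN:
        return "192.0.2.10"  # TEST-NET-1 address, constructed
    raise socket.gaierror(f"{host}: no public record")


if __name__ == "__main__":
    chain = parse_redirect_chain(SAMPLE_RESPONSES, SAMPLE_START)
    print("chain:", chain)
    print("leaked:", leaked_hosts(chain))
    print("unresolvable:", unresolvable_hops(chain, stub_external_resolver))
```

Against the constructed sample the tracer reports rsa.company.corp and appliance2.company.corp as leaked, and with only horizon.company.corp in public DNS both are unresolvable, which matches the poster's two failures in order: the first hop fails until rsa.company.corp gets an external record, and the next hop fails after that. Calling trace("https://horizon.company.corp/") from an external network gives the real chain for a deployment.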
OK, finally fixed it. Two issues:
There's an awful lot of plates to keep in the air to keep this thing running and available. I now have about 8 appliances running, and this is to support 5 test users. My word, they could make it easier.