Forum Discussion

Tim_Slogick_122
Mar 18, 2013

Need Help with F5 and VMWare View 5.1

Ok... I am somewhat new to the F5, but I am trying to eliminate our View Security Servers by replacing them with the F5. I have confirmed that View is working when I connect with the Security Servers and have downloaded the latest iApp, but I cannot get connected to my provisioned desktop from outside our network. I have the F5 configured in two-arm mode with one NIC in the DMZ and one NIC on a trunked port in my internal network. My View Connection Server and the View desktops are on different networks: the View server is on the 10.1.96.X subnet and the desktops are on the 10.1.108.X subnet. I have the iApp configured to use SNAT for everything. The client is able to connect to the View environment and see the assigned desktop, but when I try to launch the desktop, I just get a black screen. After some packet captures I find that the View server is returning the internal 10.1.108.X IP address to the client for it to connect to, but the F5 is not forwarding this packet to that VLAN. What am I doing wrong? Any help is greatly appreciated.

Thanks,

Tim

2 Replies

  • Tim,

    Do you have a route from your clients to the desktop subnet? If not, you will need one.

    One way to accomplish this is to reconfigure the iApp and answer Yes to "Will PCoIP connections be routed through this BIG-IP?", then answer No to "Will PCoIP connections be proxied?".

    This will expand a new section, "PCoIP Questions".

    In this section, enter the network on which the virtual desktops reside; in your case 10.1.108.0 (I'm assuming you are using 10.1.108.1-10.1.108.254 as the range of addresses). In the Network mask field, enter 255.255.255.0.

    That ought to do it for you.

  • I ought to add that this solution should be used when the client is coming in from a trusted network. The above solution will allow all TCP 4172 and UDP 4172 traffic through the F5 without its having first been verified as coming from a known source. This might be considered a security breach.

    If you want to remove the Security Servers and access your View environment from an untrusted network, then I'd suggest you configure the iApp to utilize a DTLS VPN by answering Yes to "Do you want to deploy Access Policy Manager (APM) at this time?".

    In a future release of APM we will have our full PCoIP Proxy feature built in, and we will be able to authorize and authenticate all PCoIP traffic and only allow through to the internal subnets the traffic that has been validated as coming from a known good source. This will allow for the removal of the Security Servers from the DMZ and secure access from an untrusted network, without the use of a DTLS VPN.

    Paul