VMware Horizon Client (PCoIP & Blast) Connection Workflow
Posted on 12 Aug 2016 by Ray Heffer
Since I published the Horizon 7 Network Ports diagram with the latest release of Horizon 7, I’ve been frequently asked about the connection flow between the Horizon Client and the virtual desktop. VMware Horizon supports RDP, PCoIP and now Blast Extreme. I’ll start with PCoIP and then we’ll look at Blast Extreme. I’d also like to reference this excellent article by Mark Benson, Load Balancing with VMware Access Point.
The connection flow of the Horizon Client is mostly the same with Horizon 7, Horizon Air or Horizon DaaS. There may be differences in external load-balancing, Security Server or Access Point, and external URL configuration, but for this post I’ll focus on the Horizon Client itself and the aforementioned protocols.
A colleague asked me a very good question which I’d also like to address. How does Access Point know which VM to connect to?
Access Point doesn’t need to know which ESXi host is running the VM. When the entitled desktops are returned to the client(see 1b below) it also receives the external URL of the Access Point appliance, this is where the Horizon Client > Access Point connection is established on HTTPS (TCP 443). This could be a VIP on the load-balancer, or an external facing IP for each of the Access Point appliances, depending on the configuration (see Method 3 here).
When the user launches the chosen desktop pool, Access Point will communicate on HTTPS (TCP 443) to receive the desktop IP from the Connection server. The role of the PCoIP Gateway on the Access Point appliance is to then forward the PCoIP connection to the IP address of the Horizon Agent.
**Note: **In the past, Security Server used JMS, IPsec and AJP13, but Access Point doesn’t use these protocols (JMS is still used on the Connection Servers). If you refer to my Horizon 7 Network Ports diagram, you’ll see I’ve put these in a dotted line to show this.
Tunneled Connections (PCoIP)
1a) The Horizon Client sends authentication credentials using XML-API over HTTPS to the PCoIP external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).
1b) HTTPS Authentication data is passed-through from Access Point to the Tenant Appliance (Horizon DaaS). In the case of Security Server, it will use AJP13-forwarded traffic, which is IPsec protected, from the Security Server to a paired Connection Server. Any entitled desktop pool(s) are returned back to client.
Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.
2) The user selects a desktop or application, and the connection is initiated on TCP 4172 to Access Point / Security Server. This is the PCoIP session handshake.
3) A bi-directional PCoIP connection is then established on UDP 4172 for the session data between the Horizon Client and the pcoipExternalUrl for Access Point / Security Server. The PCoIP session is forwarded between Access Point / Security Server, to the brokered virtual desktop (Horizon Agent).
Note: pcoipExternalUrl is used for Access Point. When Security Servers are used in a Horizon solution, the PCoIP External URL configured on the paired Connection server will be used. Access Point just rocks :)
Tunneled Connections (Blast Extreme)
Blast Extreme is an enhanced remote session experience introduced with Horizon for Linux desktops, Horizon 7 and Horizon DaaS. In this case the connection flow from the Horizon Client differs to PCoIP.
1a) As before, the Horizon Client sends authentication credentials using XML-API over HTTPS to the external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).
1b) HTTPS Authentication data is passed-through from Access Point to the Tenant Appliance (Horizon DaaS). In the case of Security Server, it will use AJP13-forwarded traffic, which is IPsec protected, from the Security Server to a paired Connection Server. Any entitled desktop pool(s) are returned back to client.
Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.
2) The user selects a desktop or application, and a session handshake occurs over HTTPS (TCP 443) to Access Point / Security Server.
3) A secure WebSocket is established (TCP 443) for the session data between the Horizon Client and the Access Point / Security Server.
4) The Blast Secure Gateway service (Access Point or Security Server) will attempt to establish a UDP WebSocket connection on 443. This is preferred, but if this fails due to a (E.g. firewall blocking it) then the initial WebSocket TCP 443 connection will be used.
Client Drive Redirection (CDR), Multimedia Redirection (MMR)
Since I’m describing tunneled connections (via Access Point or Security Server), both CDR and MMR are encapsulated as HTTPS (443) from the Horizon Client to Access Point / Security Server. The HTTPS Secure Tunnel service (see the Horizon 7 Network Ports diagram) connects to the Horizon Agent on TCP 9427 for MMR and CDR traffic.
However, with Blast Extreme it is possible to configure CDR and MMR to use a TCP side-channel which uses TCP 9427. To do this you need to change the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware TSDR\tcpSidechannel
You have the following options:
Option | Description |
---|---|
tcp | CDR over TCP Sidechannel |
vvc | CDR over VVC sidechannel in Blast & PCoIP – Default (Horizon Agent 7.0.2) |
PCoIP | CDR over TCP sidechannel in Blast & PCoIP |
vchan | CDR over VVC/PCoIP sidechannel |
none | CDR over main channel |
Tagged with: vmware networking euc vdi