You might experience connection problems between Horizon Client and a security server or Horizon Connection Server host when the PCoIP Secure Gateway is configured to authenticate external users that communicate over PCoIP.

Problem

Clients that use PCoIP cannot connect to or display Horizon 7 desktops. The initial login to a security server or Connection Server instance succeeds, but the connection fails when the user selects a Horizon 7 desktop. This issue occurs when the PCoIP Secure Gateway is configured on a security server or Connection Server host.

Note: Typically, the PCoIP Secure Gateway is leveraged on a security server. In a network configuration in which external clients connect directly to a Horizon Connection Server host, the PCoIP Secure Gateway can also be configured on Connection Server.

Cause

Problems connecting to the PCoIP Secure Gateway can occur for different reasons.

  • Windows Firewall has closed a port that is required for the PCoIP Secure Gateway.
  • The PCoIP Secure Gateway is not enabled on the security server or Horizon Connection Server instance.
  • The PCoIP External URL setting is configured incorrectly. You must specify this setting as the external IP address that clients can access over the Internet.
  • The PCoIP External URL, secure tunnel External URL, Blast External URL, or another address is configured to point to a different security server or Connection Server host. When you configure these addresses on a security server or Connection Server host, all addresses must allow client systems to reach the current host.
  • The client is connecting through an external web proxy that has closed a port required for the PCoIP Secure Gateway. For example, a web proxy in a hotel network or public wireless connection might block the required ports.

Solution

  • Check that the following network ports are opened on the firewall for the security server or Connection Server host.
    Port       Description
    TCP 4172   From Horizon Client to the security server or Connection Server host.
    UDP 4172   Between Horizon Client and the security server or Connection Server host, bidirectional.
               Note: The port number chosen by the client for sending and receiving UDP traffic is not predictable because it depends on which ports are free (see the Security guide for more information). When configuring a network firewall, rules need to be smart, allowing UDP traffic from any address and any port to 4172, and enabling the reverse flow from 4172 back to the initiating address and port. If your firewall does not support smart rules, you can configure either a bidirectional rule with the client end set to ANY, or a pair of unidirectional rules. See your firewall's documentation for guidance.
    TCP 4172   From the security server or Connection Server host to the Horizon 7 desktop.
    UDP 4172   Between the security server or Connection Server host and the Horizon 7 desktop, bidirectional.
               Note: PCoIP gateways on Connection Server, security server and UAG send and receive UDP traffic to desktops on port 55000. For more information, see the Horizon 7 Security document. When configuring a network firewall, you need either a bidirectional rule specifying both ports, or a pair of unidirectional rules. See your firewall's documentation for guidance.
  • In Horizon Administrator, make sure that the PCoIP Secure Gateway is enabled.
    1. Click View Configuration > Servers.
    2. Select the Connection Server instance on the Connection Servers tab and click Edit.
    3. Select Use PCoIP Secure Gateway for PCoIP connections to machine.
      The PCoIP Secure Gateway is disabled by default.
    4. Click OK.
  • In Horizon Administrator, make sure that the PCoIP External URL is configured correctly.
    1. Click View Configuration > Servers.
    2. Select the host to configure.
      • If your users connect to the PCoIP Secure Gateway on a security server, select the security server on the Security Servers tab.
      • If your users connect to the PCoIP Secure Gateway on a Connection Server instance, select that instance on the Connection Servers tab.
    3. Click Edit.
    4. In the PCoIP External URL text box, make sure that the URL contains the external IP address for the security server or Connection Server host that clients can access over the Internet.
      Specify port 4172. Do not include a protocol name.

      For example: 10.20.30.40:4172

    5. Make sure that all addresses in this dialog allow client systems to reach this host.

      All addresses in the Edit Security Server Settings dialog must allow client systems to reach this security server host. All addresses in the Edit Connection Server Settings dialog must allow client systems to reach this Connection Server instance.

    6. Click OK.
    Repeat these steps for each security server and Connection Server instance on which users connect to the PCoIP Secure Gateway.
  • If the user is connecting through a web proxy that is outside of your network, and the proxy is blocking a required port, direct the user to connect from a different network location.
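
The first Solution step (TCP and UDP 4172 open on the security server or Connection Server host) can be audited against Windows Firewall with the script below. This is an added example, not part of the original page or of any VMware tooling; it uses the built-in NetSecurity cmdlets, and it checks only the host firewall's inbound rules, not perimeter firewalls or per-profile rule scope.

```powershell
# Added example. Run in an elevated PowerShell session on the security server
# or Connection Server host. Reports whether inbound TCP/UDP 4172 is allowed.
$required = @(
    [pscustomobject]@{ Protocol = 'TCP'; Port = 4172 },
    [pscustomobject]@{ Protocol = 'UDP'; Port = 4172 }
)

# True when a rule's LocalPort value ('Any', '4172', '4000-5000', ...) covers $Port.
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($spec in $LocalPort) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($spec -match '^\d+$' -and [int]$spec -eq $Port) { return $true }
    }
    return $false
}

# ActiveStore includes rules delivered by Group Policy as well as local rules.
$filters = Get-NetFirewallPortFilter -PolicyStore ActiveStore

$report = foreach ($req in $required) {
    $rules = $filters |
        Where-Object { $_.Protocol -in @($req.Protocol, 'Any') -and
                       (Test-PortCovered -LocalPort $_.LocalPort -Port $req.Port) } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
    $block = @($rules | Where-Object { $_.Action -eq 'Block' })

    # An enabled Block rule takes precedence over Allow rules in Windows Firewall.
    $status = if ($block.Count -gt 0) { 'BLOCKED' }
        elseif ($allow.Count -gt 0) { 'ALLOWED' }
        else { 'NO MATCHING RULE (default inbound action applies)' }

    [pscustomobject]@{
        Protocol   = $req.Protocol
        Port       = $req.Port
        Status     = $status
        AllowRules = $allow.DisplayName -join '; '
        BlockRules = $block.DisplayName -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

From a client network, `Test-NetConnection -ComputerName <external IP> -Port 4172` confirms the TCP path only; UDP 4172 cannot be verified that way.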