Security

Hello Guys, 

 

I am wondering if somone can help me with this. I am working on resolving an issue, where users connected to the Guest network are having issues accessing VDI's which are hosted in company's internale network. I have added the vmaware predefined acl for the Guest profile. I can get to the logon portal, but once I have signed in the VDI does not come up. 

 

I am pretty sure that I am missing some config here, any help will be appreciated!

 

Thanks 

Ali

If you haven't opened a TAC case, please open one in parallel.  The VDI acl is for optimizing VDI traffic, not allowing it, so you need to look at your routing infrastructure and Vmware documentation about what ports are needed to be allowed to run VDI successfully.

Hi Colin, 

 

Thanks for your comment. I will open the TAC case shortly. I am able to access the VDI through internal network/SSID's. The issue only appears when I am connected to Guest network. I have allowed the address/url and IP for the terminal servers in the acl. I am able to login to the vmware portal and select the VM pool but thats where i am stuck at this point VM should load up but I am just getting a blank screen. 

 

Thanks

 

Ali

 

 

Is the guest network natted? What is allowed from your guest network back into your network for vdi?

Hi, 

 

Guest network is going out to the internet from a different gateway then the internal network. I only have access to the controllers at the moment so cant check the firewall to confirm what is allowed from the guest network to internal/VDI network. But i think it should work because Guest is accessing the VDI port from outside. 

 

Ali

 

 

Without knowing the firewall configuration, we might be at a significant disadvantage. Why don't you change your guest role to allow everything, to rule out blocked ports?

Hi, 

 

so changed Guest role and added allow all and can access the VDI now. But I dont want to the Guest traffic to all internal resources..Is there any way for me to check which port the connection is using? or to figure out which port to allow?

 

Ali

The command below will show you all of the traffic for that client:

 

show datapath session table <client-ip>

okkk.I have the IP which I have to allow now, it is using port 8443. How can I allow a specifci port on the controller? 

 

Thanks for your help!

Ali

You configure firewall policies in the user role (in this case guest).  A chapter on how to configure them is here:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Roles/Policies.htm

Thanks for your help cjospeh, managed to solve the issue. 

 

Kind Regards, 

A

Can u please send me VDI  configuration or which u tested in your environment. I am not understand where we start VDI and clearpass integration.

 

my Mail id is --devendrapsat@gmail.com