VMware Client IP Transparency Explained
In certain industries, like banking and healthcare, it is not uncommon to find backend application servers configured with the client IP address from which the connection originates.
A couple of good examples of this are a nurse station in the healthcare industry, where Epic software is the backend, or a mainframe emulator, where the backend infrastructure is configured to validate the client IP address to authorize certain functionality.
This is not an issue when you’re using physical endpoints, such as kiosk terminals or fixed workstations, as these IP addresses are always fixed and can be hardcoded into the backend application. But in the case of a shared, server-based computing environment, such as Remote Desktop Services (RDS) with VMware Horizon Apps, this model will not work for the following reasons:
- Users can land on any RDS server, so the client IP address changes depending on the RDS server the user lands on.
- The RDS server IP address is shared by all users on that server. Although there are workarounds (such as DHCP-based IP virtualization, which provides unique IP addresses for every user session, along with dedicated desktops that provide a fixed IP address), the design, implementation and day-two operations become cumbersome, and the overall design becomes clunky.
In the example above, the application backend is configured with the client IP address. When a user launches Horizon-published Internet Explorer (IE), the backend application receives the RDS server IP address instead of the expected client IP address, and hence, it does not work.
For this application to work, the RDS server deployed by Horizon should pass the client IP address through instead of the RDS server IP address.
Introducing VMware Client IP Transparency
In VMware Horizon 7, a new feature called VMware Client IP Transparency is introduced to solve this issue for web-based applications. This directly passes the client IP address to the backend application server. (Currently, the feature supports only IE.)
This feature enables IE to expose the client IP address, instead of the RDS IP address, when connecting to the backend infrastructure.
In the above illustration, you may notice IE is published on the RDS server, but the IP address that is received by the application infrastructure is that of the client machine.
To implement this feature, you need to do the following two things:
- Select the custom setup option VMware Client IP Transparency during the installation of the Horizon Agent on the remote desktop machine.
- If this setting is selected in the Group Policy Management Editor, it is enabled by default.
[Read more: Horizon Agent Custom Setup Options for an RDS Host]
Testing Client IP Transparency
Test Case 1: Client IP Transparency Not Enabled
As you can see, when Client IP Transparency is not enabled, the IP address captured at the application backend is that of the RDS server. In this case, netstat shows the hostname of the RDS server, “rds1,” for the application server (192.168.1.12).
Test Case 2: Client IP Transparency Enabled
When Client IP Transparency is enabled, the client IP address (192.168.1.9) is seen at the application server (192.168.1.12).
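A backend-side check for the two test cases above, as an added example that is not from the original article: it parses `netstat -n` output captured on the application server and reports whether each established session to the application arrives from an RDS host or from an endpoint. The RDS host address 192.168.1.20, the port 443 and the sample output are constructed assumptions; 192.168.1.9 and 192.168.1.12 are the article's addresses.

```python
import ipaddress

# Constructed sample of `netstat -n` output on the application server
# (192.168.1.12). 192.168.1.20 is an assumed address for the RDS host "rds1".
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.12:443       192.168.1.20:51544     ESTABLISHED
  TCP    192.168.1.12:443       192.168.1.9:49822      ESTABLISHED
  TCP    192.168.1.12:3389      192.168.1.30:50111     ESTABLISHED
  TCP    192.168.1.12:443       192.168.1.9:49830      TIME_WAIT
"""

RDS_HOSTS = {ipaddress.ip_address("192.168.1.20")}  # assumed RDS farm addresses
APP_PORT = 443                                       # assumed application port


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify_peers(netstat_text, app_port=APP_PORT, rds_hosts=RDS_HOSTS):
    """Map each peer with an ESTABLISHED session to app_port to 'rds-host' or 'client'."""
    result = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            _, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            # Peer shown as a hostname (netstat run without -n, as with "rds1"
            # in Test Case 1) or an unparsable line: skip rather than guess.
            continue
        if local_port == app_port:
            result[str(peer_ip)] = "rds-host" if peer_ip in rds_hosts else "client"
    return result


if __name__ == "__main__":
    for peer, kind in classify_peers(SAMPLE_NETSTAT).items():
        note = "transparency not in effect" if kind == "rds-host" else "endpoint address visible"
        print(f"{peer:15} {kind:9} {note}")
```

Capture the input with `netstat -n` so peers appear as addresses; a session classified as `rds-host` corresponds to Test Case 1 and one classified as `client` to Test Case 2.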
With this new feature, you now have an option to use IE to expose the client IP address to the application backend.