Home > Blogs > vCloud Architecture Toolkit (vCAT) Blog


VMware Horizon Client (PCoIP & Blast) Connection Workflow

Since I published the Horizon 7 Network Ports diagram with the latest release of Horizon 7, I’ve been frequently asked about the connection flow between the Horizon Client and the virtual desktop. VMware Horizon supports RDP, PCoIP and now Blast Extreme. I’ll start with PCoIP and then we’ll look at Blast Extreme.

The connection flow of the Horizon Client is largely the same with Horizon 7, Horizon Air or Horizon DaaS. There may be differences in external load-balancing, Security Server or Access Point, and external URL configuration, but for this post I’ll focus on the Horizon Client itself and the aforementioned protocols.

A colleague asked me a very good question which I’d also like to address. How does Access Point know which VM to connect to?

Access Point doesn’t need to know which ESXi host is running the VM. When the entitled desktops are returned to the client(see 1b below) it also receives the external URL of the Access Point appliance, this is where the Horizon Client > Access Point connection is established on HTTPS (TCP 443). This could be a VIP on the load-balancer, or an external facing IP for each of the Access Point appliances, depending on the configuration (see Method 3 of Mark’s article).

When the user launches the chosen desktop pool, Access Point will communicate on HTTPS (TCP 443) to receive the desktop IP from the Connection server. The role of the PCoIP Gateway on the Access Point appliance is to then forward the PCoIP connection to the IP address of the Horizon Agent.

Note: In the past, Security Server used JMS, IPsec and AJP13, but Access Point doesn’t use these protocols (JMS is still used on the Connection Servers). If you refer to my Horizon 7 Network Ports diagram, you’ll see I’ve put these in a dotted line to show this.

Tunneled Connections (PCoIP)

VMware Horizon PCoIP Connection Flow

1a. The Horizon Client sends authentication credentials using XML-API over HTTPS to the PCoIP external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).

1b. HTTPS Authentication data is passed-through from Access Point to the Tenant Appliance (Horizon DaaS). In the case of Security Server, it will use AJP13-forwarded traffic, which is IPsec protected, from the Security Server to a paired Connection Server. Any entitled desktop pool(s) are returned back to client.

Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.

2. The user selects a desktop or application, and the connection is initiated on TCP 4172 to Access Point / Security Server. This is the PCoIP session handshake.

3. A bi-directional PCoIP connection is then established on UDP 4172 for the session data between the Horizon Client and the pcoipExternalUrl for Access Point / Security Server. The PCoIP session is forwarded between Access Point / Security Server, to the brokered virtual desktop (Horizon Agent).

NotepcoipExternalUrl is used for Access Point. When Security Servers are used in a Horizon solution, the PCoIP External URL configured on the paired Connection server will be used. Access Point just rocks 🙂

Tunneled Connections (Blast Extreme)

VMware Horizon Blast Extreme Connection Flow

 

Blast Extreme is an enhanced remote session experience introduced with Horizon for Linux desktops, Horizon  7 and Horizon DaaS. In this case the connection flow from the Horizon Client differs to PCoIP.

1a. As before, the Horizon Client sends authentication credentials using XML-API over HTTPS to the external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).

1b. HTTPS Authentication data is passed-through from Access Point to the Tenant Appliance (Horizon DaaS). In the case of Security Server, it will use AJP13-forwarded traffic, which is IPsec protected, from the Security Server to a paired Connection Server. Any entitled desktop pool(s) are returned back to client.

Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.

2. The user selects a desktop or application, and a session handshake occurs over HTTPS (TCP 443) to Access Point / Security Server.

3. A secure WebSocket is established (TCP 443) for the session data between the Horizon Client and the Access Point / Security Server.

4. The Blast Secure Gateway service (Access Point or Security Server) will attempt to establish a UDP WebSocket connection on 443. This is preferred, but if this fails due to a (E.g. firewall blocking it) then the initial WebSocket TCP 443 connection will be used.

Client Drive Redirection (CDR), Multimedia Redirection (MMR)

Since I’m describing tunneled connections (via Access Point or Security Server), both CDR and MMR are encapsulated as HTTPS (443) from the Horizon Client to Access Point / Security Server. The HTTPS Secure Tunnel service (see the Horizon 7 Network Ports diagram) connects to the Horizon Agent on TCP 9427 for MMR and CDR traffic.

However, with Blast Extreme it is possible to configure CDR and MMR to use a TCP side-channel which uses TCP 9427. To do this you need to change the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware TSDR\tcpSidechannel

You have the following options:

tcp: CDR over TCP Sidechannel
vvc: CDR over VVC sidechannel in Blast & PCoIP – Default (Horizon Agent 7.0.2)
PCoIP: CDR over TCP sidechannel in Blast & PCoIP
vchan: CDR over VVC/PCoIP sidechannel.
none: CDR over main channel

This entry was posted in EUC, vCloud Air Network on by .

About Ray Heffer

Ray Heffer is Double VCDX #122 and a Global Cloud Architect leading End-User Computing (EUC) for the vCloud Air Network Global Cloud Practice. As a regular speaker at VMworld, Ray also produces technical documentation and architecture best practices for EUC specialist staff and partners around the globe. You can follow Ray on Twitter @rayheffer