Configuring Vworkspace Secure-IT

Question

Hi everybody, I´ve got a situation here in a lab enviroment that need to be solved before go to production the soon as posible. I know that it´s nothing complicated but I still can´t get it work, so need your advise to detect what am doing wrong. I succesfully configured Vworkspace with some apps on TS and VDI. I´m also able to use this apps and desktops trough the appPortal and the website on the local network so an axeption on the firewall was made to publish the webportal on the internet. After that, the portal is accesible by going to http://x.x.x.x(public ip)/provision/web-it/default.aspx and I´m still able to connect to my apps and desktops but only on the local network. When I´m trying to connect since other place trough the webportal I´ve got this error: Escritorio remoto no puede conecarse al equipo remoto por una de las siguientes razones: 1)No esta habilitado el acceso remoto al servidor 2)El equipo remoto esta apagado 3)El equipo remoto noesta disponible en la red Asegurese de que el equipo remoto esta encendido y conectado a la red, el acceso remoto esta habilitado. This is caused because the broker IP can´t be routing properly (as shown on thread 2282) So, on my WebAcces Server, where the webportal and the Secure Gateway were installed, went to Control Panel and open Quest Secure-IT to configure it as recomend on thread 11872 but unfortunately the Video Tutorial on SOL58849 doesn´t exist any more so I tried to figured out how, and here is whereI  probably mess up. Trying to recreate the scenario described on PDF´s SOL76217 page 3, I did the folowing on Proxies tab on Quesst Secure-IT Properties: Enabled RDP Proxy using the WebAcces Server´s local IP on port 443. Use a self signed certificate. Enabled Web Interface Proxy using the WebAcces Server´s local IP on port 443, and destination used the same WebAcces Server´s local IP on port 80. I tried with and with out Enable SSL and using the same certificate with the same results. Enabled Connection Broker Proxy using the WebAcces Server´s local IP on port 9443, and destination used the Broker Server´s local IP on port 8080 I tried with and with out Enable SSL and using the same certificate with the same results. Then, on the Admin WebPortal, on the Firewall/SSL VPN section, I did the following: Select SSL Getway. On SSL Gateway filled: External SSL Gateway ... Address: x.x.x.x (the public IP that is pointing to the WebAcces Server) TCP Port: 443 SSL Gateway Local Adrees List: x.x.x.x (the intenal  WebAcces Server´s IP) NAT support is NOT enabled Web URL external: http://x.x.x.x(public ip)/provision/web-it/default.aspx Web URL internal: http://x.x.x.x(public ip)/provision/web-it/default.aspx Once seted up those configurations, I attempt to connect to my apps/desktops using the web portal but when the .pit file comes out, it immediately show the error: Archivo de Conexion no valido (c:\......\*.pit) especificado. (Conection file specified invalid) Is it wrong my Secure-IT configuration? Do I need a therd party certificate? Do I need a domain name? Any help would be highly appreciated.

javi1 · Accepted Answer

Hi David, thanks a lot for your answer, it was very useful.

Well I finally get my WebPortal and my AppPortal working properly through internet. It seem like my Secure-IT configuration was not right plus that this scenario had a particular limitations like using an IP instead a domain name and the fact that the web portal and the secure gateway were working under a Windows 2008 enviroment and that had two network interfaces, one for local, and other facing internet.

The corrections I made were the following:

Mount the web portal and the secure gateway on a Windows 2003
1. Create a self certificate and installed on clients as discribed on this post
Secure-IT Configuration:
1. RDP Proxy enabled using WebAcces Server´s external IP on port 443
2. Web Proxy enabled using WebAcces Server´s external IP on port 443, destination WebAcces Server´s internal IP on port 80. Enabled SSL using the self certificate
3. Broker Proxy enabled using WebAcces Server´s external IP on port 9443, destination Broker Server´s internal IP on port 8080. Enebled SSL using the self certificate
Restart Quest SSL Service.
Modify Firewall/SSL settings on administrator´s web portal:
1. External SSL: WebAcces Server´s external IP
2. TCP Port: 443
3. SSL Gateway: WebAcces Server´s internal IP
4. NAT not enabled
5. URL external: https://(WebAcces Server´s external IP)
6. URL intenal: http://(WebAcces Server´s internal IP)

Trying again I successfully connect and launch my aplications an desktops.

I want to thank you again for the advice.

Saludos.

DELL-David Y · Answer

Hello Javier,

I have read through the notes above and have some suggestions for you that will help to identify the cause of the problem.

There is no problem using a self-signed certificate, you just have to ensure that all the client devices have this certificate installed and trusted. Have you done this?

For the certificate itself, have you created it in such a way that the IssuedTo name and the FriendlyName are exactly the same, as this is required?

The certificate should use the fully qualified domain name format, remote.vworkspace.co.uk, and not a short NetBIOS name, such as remote.

Your configuration for Secure-IT looks to be correct so long as Secure-IT is also installed on the WebAccess server. You will need to check the Enable SSL check box and select the certifcate for each proxy that you are using. If you make any changes to the Secure-IT settings you must restart the Secure-IT service for these to take effect.

On the WebAccess Server configuration your external and Internal URL’s are not correct, these should be as follows:

External: https://remote.vworkspace.co.uk/ (note https for external)

Internal: http://remote.vworkspace.co.uk

Where you substitue remote.vworkspace.co.uk for your certificate name or the URL that is set in your external DNS. You do not need to add the /provision/web-it/default.aspx part.

Are your client devices using Internet Explorer 8, or later?

If so you will need to edit the Internet Explorer options since you will not have published a certificate revocation list. We have published this solution in the knowledgebase for this issue, https://support.quest.com/Search/SolutionDetail.aspx?id=SOL58145&category=Solutions&SKB=1

Please let me know if you need further assistance

Regards

David

vWorkspace

Was this post helpful?