We have multiple Unified Access Gateways (UAG) deployed behind a load balancer for remote access to our Horizon View environment. Currently we only allow TCP 443 from the Internet to our UAG for Blast Extreme. We would like to explore adding Blast Extreme Adaptive Transport (BEAT) which defaults to UDP 8443. I looked at the documentation and it indicates that you can run BEAT over UDP 443 but I'm not clear on how to do that.

 

We have our Blast External URL configured for 443 per the documentation. However, when initiating a connection to the UAG we see that it is still attempting to use UDP 8443.

 

Blast TCP and UDP External URL Configuration Options

Blast uses the standard ports TCP 8443 and UDP 8443. UDP 443 can also be used to access a desktop through the UDP tunnel server. The port configuration is set through the Blast External URL property.

In addition, do we need to configure IP forwarding rules? If so, does anyone have an example of what that would look like?

To configure ports other than the default, an internal IP forwarding rule must be added for the respective protocol when deployed. The forwarding rules might be specified on the deployment in the OVF template or through the INI files that are input through the PowerShell commands.


The Horizon Tunnel on UDP 443 is not related to Blast/BEAT. Blast/BEAT is a display protocol and uses TCP 8443 and optionally, also BEAT on UDP 8443. Some people use TCP 443 instead of TCP 8443 when they have a requirement that if everything is blocked other than TCP 443, things will still work.

 

The Horizon Tunnel on UDP 443 is separate. It is not a display protocol but an alternative to the control/authentication protocol (XML-API) that normally runs on TCP 443. It is used in "poor mode clients" where there is no TCP at all. Everything is UDP. Those clients start with Horizon Tunnel (UDP 443) to perform authentication and get the list of entitled desktops, then they launch a BEAT session on UDP 8443.

 

Refer to the Horizon ports diagram - Network Ports in VMware Horizon 7: VMware Horizon 7 version 7.2 - Note the communication between client and UAG. You'll see that Horizon Tunnel on UDP 443 is separate to Blast Extreme (TCP 8443/UDP 8443). The diagram uses default port numbers.

 

The reason you won't see documentation in Horizon Connection Server or Security Server guides about Horizon Tunnel on UDP 443 is because they don't support it. It is only supported between Horizon Clients and UAG.

 

Your original question was "Can BEAT run over a different port than UDP 8443?". The answer is yes, but don't change it to a UDP port already in use such as UDP 443 or UDP 4172 etc. Pick an unused port. Better still, leave it as the default of UDP 8443.


I just deployed 3.3.1 and I'm still unable to make this work. I'm thinking I need something like:

 

forwardrules=udp/443/10.20.30.40:8443

 
# blastExternalUrl=https://ap1.myco.com:443 to blastExternalUrl=https://ap1.myco.com:443/?UDPPort=443