VMware View Agent Direct-Connection Plugin NAT/PNAT

Since my article “VMware View Agent Direct-Connection Plugin Explained” I have received several questions about the use of the plug-in with NAT/PNAT. Most of the questions came from VMware employees, but also from partners.

As you may know, NAT/PNAT is supported between the VMware View Client and the PSG component of a Security Server. However, PCoIP will fail and give you a black screen if there is a NAT/PNAT device near the PCoIP Server (on the View Desktop).

The picture below demonstrates that a TCP channel is correctly opened. However, when the UDP addresses and ports are negotiated over this TCP channel, the destination UDP IP address and port number given to the PCoIP Client for sending its UDP packets to the PCoIP Server are the local address and UDP port number of the PCoIP Server machine. The client should instead be given the NAT’d address used for the TCP connection. As the following diagram shows, the UDP packets sent by the PCoIP Client therefore never make it to the PCoIP Server, and the user just gets a black screen.



With the new “VMware View Agent Direct-Connection Plugin”, a NAT device for IP address translation and/or port mapping between the VMware View Client and View Agent Connect is fully supported.

This is configured through an innovative method of base port detection, which allows simple setup for IP address sharing amongst thousands of virtual desktops. As an example, with 5 ports allocated per VM, over 20,000 virtual desktops can be supported through a single IP address.

This feature is particularly important for virtual desktop environments built on top of vCloud Director, where vApps are protected with vCNS Edge isolation technologies.

With VMware View 5.1, it is necessary to use the PCoIP Secure Gateway (PSG) component on each virtual desktop to support NAT for PCoIP and port mapping, but this is automatically handled by the plug-in.

VMware View Agent Direct-Connection Plugin has the PSG component integrated on the View Desktop. This is shown in the following diagram. Note that the port numbers for TCP and UDP on which the PCoIP Server listens are adjusted to 4173 so that the PSG component can coexist and use the standard ports (4172) for View client connections coming via the Security Server when required. The plug-in does this port number adjustment automatically when PSG is in use.




This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

1 comment


    • Dan Laney on 06/30/2014 at 8:56 am

    This is a great post; however, I am getting an error “remote connection has ended”. I have checked the firewall and all ports seem to be unblocked. Any ideas how I can overcome this error?

    many thanks

