Sunday, January 3, 2016

Upgrading from VMware Horizon View 6.0.1 to 6.2.1 causes connections to throw the error: “Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.”

Problem

You attempt to upgrade your existing VMware Horizon View 6.0.1 infrastructure to 6.2.1 but noticed that after upgrading your View Connection and Security servers you receive the following error message when connecting to a virtual desktop:

Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.

image

Attempting to connect from an older VMware View client throws the following error:

The View Connection Server connection failed. The handle is in the wrong state for the requested operation.

image

Reviewing the Events log in th View Manager displays the following error message:

Severity: Audit failure

Message: Unable to launch from Pool <poolID> for user <domain\userID>: No co-management availability for protocol PCoIP

image

Solution

This isn’t the first VMware Horizon View 6.2.1 upgrade I’ve done but it is the first that I had to jump from 6.0.1 to 6.2.1 and because I worked on this upgrade during a small window and was unable to get connectivity to work even though I tried upgrading the View agent to a newer version, I ended up rolling back to 6.0.1 then opened up a ticket with VMware.

What I learned from the VMware support engineer was that older agents would not work with 6.2 or later versions because TLS 1.0 is disabled and since I had the View Connection and Security servers at 6.2.1 and the agents still at 6.0.1 FP2, these error messages were thrown (I’m not sure why the initial test I did when upgrading the agent didn’t work during the first window).

The following is what I learned after scheduling a second window to test performing the upgrade again:

1. Attempting to use the following KB to configure TLS 1.0 did not work for me: http://kb.vmware.com/kb/2130798

2. Disabling Use PCoIP Secure Gateway for PCoIP connects to machine fixed the issue:

image

This solution wasn’t practical for me as it would allow internal connections but external connections through the View Security Server would not work.

3. Upgrading the View Agent from 6.0.2.2331487:

image

… to 6.2 or higher would correct the issue:

6.2.1.3284564

image

6.2.0.3005627

image

4. If you have any View clients older than Horizon 3.3 (either on Windows, Windows Embedded, or any thin/zero client OS such as HP ThinPro) then you’ll also need to upgrade them or they won’t be able to connect to the desktop.

Update – January 6, 2015

I’m not sure if this was added at a later time because i did not see this note when I downloaded 6.2.1 in December but the Notes section on the download product page explains the potential issues you may face if you’re using an older Horizon Client:

To improve security, by default, View 6.2.1 does not support SSLv3 and does not accept incoming connections that use security protocol TLS 1.0. This will affect Horizon Client 3.3 and earlier versions, which can only use TLS 1.0. For instructions on how to enable TLS 1.0, see the View 6.2.1 release notes.

image

Here is an example of what happens if you connect with an older VMware View 5.0.0 build-481677 client externally through a security server:

image

image

The View Connection Server connection failed. A security error occurrred.

image

Another symptom I’ve noticed when attempting to connect with an older unsupported VMware Horizon View 3.1.0 build-285638 client internally through a connection server is that the authentication works and you are able to initiate the connection to the desktop but you are then quickly kicked off with the message:

The connection to the remote computer ended.

image

Update – January 14, 2015

I’ve managed to do tests with the registry keys that enable TLS 1.0 and the results can be found here:

Enabling TLS 1.0 for VMware Horizon View 6.2.1 to allow Horizon View 3.3 or older clients to connect
http://terenceluk.blogspot.com/2016/01/enabling-tls-10-for-vmware-horizon-view.html

4 comments:

Anonymous said...

Same problem here!
But I'm using Horizon Client included in a thinclient and I'm not able to upgrade :(

Terence Luk said...

Yup, I have a few clients who have thin clients that are old and out of support so no update is available for them.

I'm going to try and test the registry key to enable TLS 1.0 at some point and will update the post when I've completed the testing and managed to get it to work.

Adrian Moseley said...

We have the same issue as well. We need to allow for backwards compatibility until we can get all view agents up to 6.2.x.

Aquiline George Neville said...

HI Terence

I am having the same issue of no available gateway for the display protocol in VMware view version 6.2 and not all users have this issue and few are able connect.

We have a security server and its registered to a radius server . Which is registered to another security server in our old environment.

Please Advise