Right, here is where I am:
- Deployed the default vApp.
- Configured a valid external FQDN, which is also the same name as my (single) gateway hostname.
- Running split DNS so internal clients can access all appliances on internal IP addresses (they are all valid external DNS names).
- Registered an external DNS A record for horizon.company.corp. This points to a public address configured on my firewall.
- Performed PAT on the firewall to forward packets through to the gateway internal IP.
- Page 7 of the install guide says I must either (a) install a reverse proxy server; or (b) do PAT to the gateway to enable external access. I've gone for B.
Now, when I connect from outside the LAN to horizon.company.corp, the gateway is asking the client to talk to rsa.company.corp to authenticate. rsa.company.corp is a second identity provider we have installed to perform RSA authentication for external clients. Only trouble is, we have no external DNS record for rsa.company.corp, nor does it look like we should need one - we have configured horizon.company.corp as our external FQDN and the rsa.company.corp identity connector correctly displays this as the external URL under the 'About' section. As the external client is being asked to connect to a host it knows nothing about, it fails.
We then added a DNS entry for rsa.company.corp externally and put in a PAT rule for this too, just to see what would happen. This time I get a login page from rsa.company.corp and successfully authenticate with our RSA server. However, as soon as we are authenticated, we get an error. I would guess this is because, again, the system is sending us off to some other host/appliance for which we have no external DNS entry.
What's going on here? Why isn't the gateway 'masking' all this internal traffic instead of asking the remote client to connect to what are essentially internal server names? A reverse proxy won't help - I would still need an external DNS name for each host I wanted to talk to, which negates the whole point of the single, non-changeable external FQDN we are asked to decide on during initial install.
What have I failed to do? Something seems amiss on the gateway but unsure what. Am evaluating so VMware tech support say my best chance is on these forums...anyone have any clue?
Thanks.
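A small diagnostic for the symptom described in the post, added here as an example and not code from the post, VMware or the vApp: rebuild the redirect chain an external client walks from the external FQDN and report every hostname in it that has no record in the resolver the client uses. The hostnames are the ones from the post; the `/login` path, the 203.0.113.10 address and the `EXTERNAL_DNS` table are constructed stand-ins. `public_dns` uses the machine's own resolver, so for a real check run it from outside the LAN (split DNS on the inside would hide the missing records), feeding in the status codes and `Location` headers captured with `curl -sI` hop by hop.

```python
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def chain_from_responses(start_url, responses):
    """Rebuild the redirect chain a client would walk.

    `responses` is the sequence of (status, location) pairs returned hop by
    hop, starting with the response for `start_url`. A relative Location is
    resolved against the URL that returned it, as a browser would.
    """
    chain = [start_url]
    current = start_url
    for status, location in responses:
        if status not in REDIRECT_STATUSES or not location:
            break
        current = urljoin(current, location)
        chain.append(current)
    return chain


def unresolvable_hosts(chain, resolve):
    """Hostnames in the chain that `resolve` cannot turn into an address.

    `resolve(host)` returns an IP string or None. Order is preserved and each
    host is reported once, so the first entry is where an external client
    would stop.
    """
    missing, seen = [], set()
    for url in chain:
        host = urlsplit(url).hostname
        if host is None or host in seen:
            continue
        seen.add(host)
        if resolve(host) is None:
            missing.append(host)
    return missing


def public_dns(host):
    """Resolve with this machine's resolver; run from OUTSIDE the split-DNS LAN."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


# Constructed sample: the hops described in the post, with a made-up login path.
SAMPLE_RESPONSES = [
    (302, "https://rsa.company.corp/login"),  # gateway hands the client to the second IdP
    (200, None),                               # login page, no further redirect
]
# Constructed view of external DNS: only the chosen external FQDN has a record.
EXTERNAL_DNS = {"horizon.company.corp": "203.0.113.10"}


def sample_resolver(host):
    return EXTERNAL_DNS.get(host)


def diagnose(start_url="https://horizon.company.corp/",
             responses=SAMPLE_RESPONSES, resolve=sample_resolver):
    """Return (chain, hosts the external client cannot resolve)."""
    chain = chain_from_responses(start_url, responses)
    return chain, unresolvable_hosts(chain, resolve)


if __name__ == "__main__":
    chain, missing = diagnose()
    for url in chain:
        print("hop:", url)
    print("hosts an external client cannot resolve:", missing or "none")
```

Swap `sample_resolver` for `public_dns` and the captured headers for `SAMPLE_RESPONSES` to run it against the real deployment; every host it lists is one the external client is told to contact but cannot find, which is the gap between "one external FQDN" and what the redirects actually ask for.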