Lab Manager, CAG and Firewall: the challenge

Lab Manager is a product that was not designed for use over a WAN connection with the level of security you would want for that. But it can work, don't get me wrong. Yes, the Lab Manager connection is secure because it runs over port 443. Or is it?

For internal use we have built a playground for testing new products and for demos. Small as it is (2 ESX hosts), we want it to be secure and usable at a customer site (for the demo part). And when you work at a company where most of the employees adore Citrix products, the choice of a Citrix Access Gateway (CAG) is easily made. So the setup for the environment, in its simplest form, looks like the drawing below.


On the left side we have an employee who wants to connect over the internet to the Lab Manager server. The employee first hits the firewall, then reaches the CAG and logs in for a VPN connection.

Why add a CAG to the environment at all? The firewall can pass the connection through to the Lab Manager server, and the Lab Manager connection itself works fine over port 443: you can adjust settings and add and deploy workspaces and virtual machines. There is one slight problem: you cannot see the screen of a virtual machine when your firewall only allows connections to the Lab Manager server itself.

So yes, the connection between your browser and your Lab Manager server is over 443 (HTTPS), but to see the screen content of your virtual machine you also need a connection to ports 902 and 903 of the ESX(i) host on which that virtual machine (part of a Lab Manager workspace) is running. This becomes clear from the drawing below, which is taken from the installation guide (figure 1-1, page 8).



We did not want to open ports 902 and 903 directly at the firewall, so we implemented a CAG. This was done very quickly (thank you Ingmar).

At this point we ran into problems. The first was that the ESX host was not in the allow list of the CAG's network resources. The next was an option in the CAG called "Enable split DNS", an option that has been discussed a lot!


Enable split DNS is an option you want to have, because, as its description puts it: "Enable split DNS allows failover to a user's local DNS if the remote DNS is not available. By default, Access Gateway checks a user's remote DNS only."

But in our case our ESX hosts have an FQDN ending in a domain that the user's local DNS knows nothing about, so when the browser tries to connect to the host using the local DNS, the name does not resolve. How did my Lab Manager session get the FQDN of my host in the first place?

When configuring Lab Manager you give it access to resources (hosts, datastores, networking, etc.) through vCenter, and the ESX host gets registered in Lab Manager exactly the way it was registered in vCenter.


In vCenter Server it is a best practice to register ESX(i) hosts by their FQDN. That is why the session in the browser is looking for FQDN:902.

This is why the content of the virtual machine's screen never shows up. There are several ways to work around the problem; renaming the domain to .local is one of them, but it was not our first choice (giving the VPN connection an internal IP address is not one of them).

The solution we used is to add the ESX(i) host to vCenter by IP address. Then it is possible to use the Enable split DNS option: the browser now looks for IPaddress:902, and it finds the host as long as that address is in the allow list of the CAG's network resources.
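To make the failure mode above concrete, here is a small preflight check, written for this page as an added example (it is not code from the original post, VMware or Citrix). It models what the browser does: it receives the ESX host exactly as registered in vCenter, resolves that name with the browser's own resolver (the local DNS when split DNS is on), and then needs TCP 902 and 903 to the resulting address, which must also fall inside the CAG network-resource allow list. The resolver is injected as a function so the check can be run offline; the host names, the local DNS table and the allow-list CIDR are all constructed for the example.

```python
"""Preflight for Lab Manager console access through a CAG with split DNS.

Added example, not the original post's code. Models the chain:
  registered name (from vCenter) -> browser-side DNS -> CAG allow list -> TCP 902/903
All names, addresses and CIDRs below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Ports the console needs on the ESX(i) host, as stated in the post.
CONSOLE_PORTS = (902, 903)

Resolver = Callable[[str], Optional[str]]


def is_ip_literal(name: str) -> bool:
    """True when vCenter registered the host by IP rather than by FQDN."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_console_host(registered_name: str, resolve: Resolver,
                       allowed_networks: Iterable[str]) -> Tuple[bool, str, List[Tuple[str, int]]]:
    """Return (ok, reason, endpoints) for one host as registered in vCenter.

    resolve stands in for the resolver the browser will actually use; with
    "Enable split DNS" that is the user's local DNS, which does not know
    the lab domain. allowed_networks is the CAG network-resource allow list.
    """
    if is_ip_literal(registered_name):
        addr = registered_name            # host added to vCenter by IP: no DNS needed
    else:
        addr = resolve(registered_name)   # host added by FQDN: browser must resolve it
        if addr is None:
            return False, f"{registered_name} does not resolve with the browser's resolver (split DNS)", []
    ip = ipaddress.ip_address(addr)
    if not any(ip in ipaddress.ip_network(net) for net in allowed_networks):
        return False, f"{addr} is not in the CAG network-resource allow list", []
    return True, "ok", [(addr, port) for port in CONSOLE_PORTS]


def probe_tcp(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Live check from inside the VPN: can TCP to the console port be opened?
    Not exercised offline; run it against the endpoints the preflight returns."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def system_resolve(name: str) -> Optional[str]:
    """Resolver backed by the machine's own DNS, for a live run."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Constructed stand-in for a customer-site / home DNS: it knows public names
# but nothing about the lab's domain, which is exactly the split-DNS problem.
LOCAL_DNS = {"www.example.com": "93.184.216.34"}


def local_resolve(name: str) -> Optional[str]:
    return LOCAL_DNS.get(name)


# Constructed CAG allow list covering the lab's ESX(i) management addresses.
CAG_ALLOW = ["192.0.2.0/24"]


def run_preflight(hosts: Iterable[str], resolve: Resolver = local_resolve,
                  allowed: Iterable[str] = CAG_ALLOW) -> dict:
    """Check every host Lab Manager could hand the browser; returns {host: (ok, reason, endpoints)}."""
    return {h: check_console_host(h, resolve, list(allowed)) for h in hosts}


if __name__ == "__main__":
    # Three constructed registrations: by FQDN, by in-range IP, by out-of-range IP.
    for host, (ok, reason, endpoints) in run_preflight(
            ["esx01.lab.example", "192.0.2.10", "198.51.100.5"]).items():
        print(f"{host:20} {'OK  ' if ok else 'FAIL'} {reason} {endpoints}")
```

Swap `local_resolve` for `system_resolve` and feed the returned endpoints to `probe_tcp` from a machine inside the VPN to turn this into a live check: a host registered by FQDN fails at the resolve step under split DNS, the same host registered by IP passes straight to the 902/903 probes, and an IP outside the CAG allow list is caught before any connection is attempted.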

Make sure the browser has the VMware remote console (MKS) plugin installed correctly, or else install it manually.

Now make sure that PPTP, HTTPS, GRE and ports 902 and 903 are allowed at the firewall for the session, and you have a secure Lab Manager session!