[Users] SPICE behind NAT

Michal Skrivanek michal.skrivanek at redhat.com
Fri Feb 14 13:46:57 UTC 2014 

On Feb 14, 2014, at 01:38 , Andrew Lau <andrew at andrewklau.com> wrote:

> You just need some proper DST and SRC Nat rules and you should be fine.
> 
> I use mikrotik so its slightly different but the same concept applies. For windows, I don't know, never really cared much as no one uses windows on our ovirt setup :)

the recent enough virt-viewer should work on Windows…if you're in fact talking about a client downloaded from http://virt-manager.org/download/ it should work…

for NAT vs non-NAT access ….for exactly that reason there is the "Enable SPICE Proxy" checkbox in Console Options dialog for each user, so you can check it when connecting from outside and uncheck from local net… 

Thanks,
michal

> 
> But the client tools you linked are for the client accessing the spice session.
> 
> On Feb 14, 2014 3:20 AM, "Alan Murrell" <alan at murrell.ca> wrote:
> Quoting "Andrew Lau" <andrew at andrewklau.com>:
> 
> Your value for SpiceDefaultProxy should be your external IP
> address/hostname otherwise external users will never know where to connect
> to.
> 
> So the spice proxy would be going out the firewall then looping back in (also known as "hairpinning"), which in my experience is usually a behaviour denied by many firewalls as standard, which is what I believe is happening here.
> 
> This then becomes more of a firewall issue as you're spice proxy is
> 
> I agree.  Would you be willing to share the current IPTables rules on your external firewall so I can confirm this? (sanitised appropriately for actual IPs and/or hostnames, of course)  You can contact me off-list if you prefer.  This is more for curiousity/confirmation than anything else.
> 
> I know that when I was on the same LAN as the oVirt box, I had to edit my local hosts file to point the proxy value to the oVirt box itself for the remote-viewer to connect to the Windows desktop.
> 
> If that is indeed what is happening here, I think a better (and more universal) solution would be to have a VPN connection from the remote end user to the network where the oVirt/RHEV server is (site-to-site if the users are in an office and "road warrior" for remote individuals).  Not sure how much of a performance hit that might make, though.  Will need to do some testing.
> 
> working. But just to confirm, if you open up console through chrome it
> should download a console.vv file rather than opening up remote-viewer
> natively, before you run it; open it with a text editor you'll see the
> proxy settings there.
> 
> I took a look and the proxy settings are correct.
> 
> The windows issue is probably just related to non proper drives installed.
> 
> On the machine I am connecting from or the virtual machine I am connecting to?  I downloaded the client from the link here:
> 
>  http://www.spice-space.org/download.html
> 
> Is there a different SPICE client for Windows that is recommended?
> 
> -Alan
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

More information about the Users mailing list