How to Fix Zscaler and VMware Horizon VDI Disconnection Loops

How to Fix Zscaler and VMware Horizon View Client Crashes & Disconnections

In modern enterprise environments, pairing Zscaler Client Connector with VMware Horizon View Client is a standard practice for secure remote work. However, many IT administrators and end-users frequently encounter frustrating issues, ranging from sudden application crashes to constant VDI disconnections.

Because both applications operate at a deep network driver level to intercept traffic and manage encrypted tunnels, they often cross paths and interfere with one another. In this article, we will break down the most common crash case studies, their root causes, and how to configure them to work together seamlessly.


1. Common Crash and Issue Symptoms

A. Sudden Horizon Client Crashes (Hang / Force Close)

Symptom: Immediately after launching the Horizon Client or logging into a VDI session, the application freezes and crashes with an event log indicating that vmware-view.exe has stopped responding.

Why it happens: This is typically caused by a driver-level conflict between the Zscaler Lightweight Filter (LWF) driver and VMware’s virtual acceleration drivers (such as USB redirection or virtual printing), leading to a memory address collision.

B. VDI Disconnection Loop

Symptom: The VDI session drops every 10 to 15 minutes, prompting an automatic reconnection loop.

Why it happens: Zscaler’s health checks or aggressive firewall policies may treat the persistent UDP/TCP streams that Horizon requires as anomalous behavior and send an RST (reset) packet to terminate the connection.

C. Extreme Input Lag and Screen Stuttering

Symptom: Users experience severe mouse lag, pixelated screens, or sluggish 3D rendering inside the virtual desktop.

Why it happens: This is the notorious "Double Encapsulation" problem. The high-performance Blast Extreme or PCoIP protocol stream is forced inside the Zscaler Tunnel 2.0 (DTLS/TLS) envelope, creating massive packet overhead and latency.


2. Root Cause Analysis Table

| Conflict Area | Technical Explanation |
|---|---|
| Driver Interception | Zscaler’s network filtering driver and Horizon’s virtual network adapters clash within the Windows network stack. |
| Protocol Overhead | Horizon’s UDP-based real-time traffic gets re-encapsulated by Zscaler’s Tunnel 2.0, causing severe bottlenecking. |
| MTU Fragmentation | The added headers from the Zscaler tunnel lower the effective MTU size, causing large video packets from Horizon to fragment and drop. |

3. Step-by-Step Solutions to Prevent Crashes

To resolve these stability and performance problems, IT administrators should apply the following standard optimization practices:

Step 1: Implement Traffic Bypasses in Zscaler Admin Console

Since VMware Horizon traffic is already heavily encrypted (TLS/DTLS), there is no need for Zscaler to perform deep packet inspection (SSL Inspection) or tunnel it. Bypassing this traffic is the most effective solution.

  • Go to your Zscaler Admin Portal (ZIA/ZPA Application Segments).
  • Add the FQDNs or IP addresses of your VMware Unified Access Gateways (UAG) and Connection Servers to the Bypass/Exempt List.
  • Ensure standard Horizon ports are bypassed from tunneling:
    • TCP 443 (Authentication & XML API)
    • TCP/UDP 8443 / TCP/UDP 22443 (Blast Extreme)
    • UDP 4172 (PCoIP)

Step 2: Modify Zscaler Forwarding Profile Driver Type

Depending on the Windows environment, switching how Zscaler interacts with the network adapter can eliminate app crashes.

  • In the Zscaler Mobile Portal, navigate to the Forwarding Profile.
  • Try changing the driver type from Packet Filter Based to Route Based (or vice versa, depending on your organization’s baseline) to test compatibility with the Horizon Virtual Adapter.

Step 3: Adjust the Client MTU Size

To prevent packet drops caused by fragmentation, reduce the Maximum Transmission Unit (MTU) size on the client machine or via the Zscaler Client Connector profile to a value between 1350 and 1400 (down from the default 1500). This leaves enough headroom for tunnel headers without splitting the packets.
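
The PowerShell below is an added example, not part of the original article or of any Zscaler or VMware tooling. It binary-searches the largest IPv4 packet that reaches a gateway with Don't Fragment set, so the MTU chosen in this step is measured rather than guessed. Assumptions: `uag.example.com` is a placeholder, the gateway answers ICMP echo, and the function names `Test-DfPing` and `Find-PathMtu` are hypothetical.

```powershell
# Added example. Assumptions: uag.example.com is a placeholder hostname and
# the gateway answers ICMP echo. Function names are hypothetical.
function Test-DfPing {
    param([string]$Target, [int]$PayloadBytes)
    # ping.exe: -f = Don't Fragment, -l = payload bytes, -n = echo count, -w = timeout (ms)
    $out = & ping.exe -f -l $PayloadBytes -n 2 -w 1500 $Target 2>&1 | Out-String
    # Require a real echo reply; "needs to be fragmented" and timeouts carry no TTL field.
    return ($out -match 'TTL=')
}

function Find-PathMtu {
    param(
        [string]$Target,
        [int]$Low  = 1200,   # size assumed to pass on any usable path
        [int]$High = 1500,   # default MTU named in the article
        [scriptblock]$Probe = { param($t, $payload) Test-DfPing -Target $t -PayloadBytes $payload }
    )
    $overhead = 28           # 20-byte IPv4 header + 8-byte ICMP header
    if (-not (& $Probe $Target ($Low - $overhead))) {
        throw "No DF echo reply from $Target at $Low bytes; ICMP is probably filtered."
    }
    # $Low is known to pass; sizes above $High are known or assumed to fail.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (& $Probe $Target ($mid - $overhead)) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

# Offline check against a constructed path that drops DF packets above 1380 bytes.
$simulated = { param($t, $payload) ($payload + 28) -le 1380 }
"Simulated path MTU: $(Find-PathMtu -Target 'simulated' -Probe $simulated)"

# Current per-interface IPv4 MTUs, for comparison with the measured value.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Select-Object InterfaceAlias, NlMtu

# Live measurement: run once with the tunnel active and once with the bypass in place.
$gateway = 'uag.example.com'
"Path MTU to ${gateway}: $(Find-PathMtu -Target $gateway)"

# Apply from an elevated prompt once a value is chosen, for example:
# Set-NetIPInterface -InterfaceAlias 'Ethernet' -AddressFamily IPv4 -NlMtuBytes 1400
```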


Conclusion

The conflict between Zscaler and VMware Horizon Client boils down to network driver competition and double encryption. By implementing a strict network bypass for UAG endpoints and fine-tuning the MTU size, enterprises can eliminate VDI disconnections and application crashes entirely, ensuring a smooth and secure digital workspace experience.
