Piszki Lab | EN

My case study in the clouds…

BIG-IP F5 – Synchronize loadbalanced Workspace Portal 2.1 with loadbalanced Horizon View 6


One of the possibilities offered by Horizon Workspace Portal is the ability to launch an assigned Horizon View desktop directly from the portal (e.g. in a browser tab using the BLAST protocol). In this way we can simplify access to services for our customers and employees (especially when they connect from outside the organization). This post is an extension and a summary of the topics described here and here (reading them first is a must). The process is, as always, simple and requires only a few additional steps.

[screenshot: Horizon Workspace Portal]

Load balancing Horizon View forces us to create a new DNS name through which we connect to the View environment. When a View POD is added to Horizon Workspace Portal, the server's permissions are checked using Kerberos, and of course the new View name (in my case: view.pulab.pl) does not correspond to any computer account in AD. Adding such an environment in the Workspace Portal therefore always fails (Unable to authenticate to View Connection Server):

[screenshot: "Unable to authenticate to View Connection Server" error in Workspace Portal]

Messages in the log /opt/vmware/horizon/workspace/logs/connector.log:

Unable to authenticate to View Broker: view.pulab.pl. :Client not found in Kerberos database.

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database.

The solution is to register an SPN for the load-balanced View name on one View Connection Server (only one server in the pool: an SPN must not be duplicated, and setspn -x lists any duplicates) with the service class ldap. The command (run on any server that is an AD member, with Domain Admin privileges) is:

setspn -A ldap/view.pulab.pl UGVIEWCM1 (of course UGVIEWCM1 is my server)
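Before registering the SPN it is worth checking that nothing else already holds it, because a duplicate is exactly what produces the "Server not found in Kerberos database" message above. The script below is an added example, not part of the original post: it is written for the domain-joined server the command is typed into, reuses the post's names (view.pulab.pl, UGVIEWCM1) and assumes Domain Admin rights. It uses setspn -S instead of -A, since -S refuses to add an SPN that already exists elsewhere, and finishes with the forest-wide duplicate scan.

```powershell
# Added example (not from the original post): verify and register the ldap/ SPN
# for the load-balanced View name on exactly one Connection Server.
# Assumes: run on a domain-joined host, as a Domain Admin; names taken from the post.
$ViewFqdn   = 'view.pulab.pl'   # DNS name of the View pool on the BIG-IP
$TargetHost = 'UGVIEWCM1'       # the single Connection Server that will hold the SPN
$Spn        = "ldap/$ViewFqdn"

# 1. Is this SPN already registered on any account in the forest?
$query = setspn -Q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Host "$Spn is already registered on:"
    # the DN of the owning object precedes the SPN list in setspn -Q output
    $query | Where-Object { $_ -match '^CN=' }
    # If the owner is not $TargetHost, remove it there first (setspn -D),
    # otherwise the KDC sees a duplicate and Kerberos authentication from the portal fails.
}
else {
    # 2. -S adds the SPN only after confirming no duplicate exists (safer than -A)
    setspn -S $Spn $TargetHost
}

# 3. Forest-wide duplicate check; the last line should read
#    "found 0 group of duplicate SPNs." once everything is clean.
setspn -X

# 4. Show what the target computer object now advertises
setspn -L $TargetHost
```

After the SPN is in place, re-run the "Add View Pool" step in the Connector and watch connector.log: the GSSException quoted above should no longer appear.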

This command is only the first step; without it, synchronization is not possible. The next step is to configure SAML authentication between Horizon Workspace Portal (in my case: portal.pulab.pl) and Horizon View. We do this in View Administrator, in the settings of each Connection Server:

[screenshot: SAML authenticator settings on the Connection Server]

At this point we can go to the BIG-IP console and define two new virtual servers. Horizon Workspace communicates with View over two additional ports, 389 (LDAP) and 4001 (JMS). First create two new pools:

[screenshots: BIG-IP pool configuration for the LDAP (389) and JMS (4001) pools]

The last step is to create the two new virtual servers, starting with LDAP (SNAT Auto Map):

[screenshots: BIG-IP virtual server for LDAP, port 389, SNAT Auto Map]

The JMS virtual server uses the same settings as above. As you can see, these are all standard settings:

[screenshots: BIG-IP virtual server for JMS, port 4001, SNAT Auto Map]

Full map of the servers participating in load balancing of Horizon Workspace Portal and Horizon View:

[diagram: load-balanced Horizon Workspace Portal and Horizon View servers]

At this point we are ready to proceed: log in to the administrative panel of the Connector-VA (https://IP:8443/hc/admin/) and in the View Pools section add our server:

[screenshot: View Pools section of the Connector-VA admin panel]

In this configuration we have access to the portal both from within the organization and from outside (via the Internet), and in both cases we can freely launch View desktops from the portal.


Author: Piotr Pisz

Computers always, since I got a Commodore 64 at the end of primary school, through the beloved Amiga and Linux and an infinite number of consoles, until today, fully virtual. Since 2001 a Unix/Linux Systems Administrator, for seven years a faithful companion and protector of the Solaris system, until its sad end. In 2011 I went into the depths of virtualization, then smoothly ascended into the clouds, and I continue there today. Professionally working as a Systems Architect at the Polish Security Printing Works.

2 Comments

  1. Thanks for your blog posts, they’ve been very helpful. I am looking to move from using View Security Servers in the DMZ to using Workspace Portal and without labbing it out yet I’ve had one question that maybe you can help with! Can I simply just have a pair of View Connection Servers load balanced on the internal network (no external access) and connect those to the Workspace Portal and publish the portal into the DMZ and allow access to both internal and external users without publishing the View Connection Servers into the DMZ? Thanks

  2. Hi Chad!

    Very beautiful idea, but the answer is: no. A machine run from Workspace is simply redirected (and authenticated via SAML) to the Connection Server. If you run it from outside, the Connection Server must be in the DMZ. Maybe in future versions Workspace will run as a PCoIP/BLAST gateway, but not now.

    Regards,
    Piotr
