Piszki Lab | EN

My case study in the clouds…

Horizon View 6: load balancing using BIG-IP F5 (without iApp)


With such a bold title I must immediately answer the question of why we would balance traffic without the convenient iApp (for View). The answer is simple: with the iApp you cannot do anything its creator did not anticipate (for example, it did not anticipate the use of security policies, and it has no handler for the BLAST protocol). The main advantage of the iApp is speed of implementation: a few clicks and you are done. Doing it manually takes a little longer, but the effect is the same and the possibilities are much greater. In the configuration described here I balance traffic at the connection server level, without security servers. I believe that balancing security servers makes no sense; in the end, the F5 is there to replace them. Of course our network does have such servers: they are the traditional security gateway for privileged users (VIPs), mainly administrators. The same applies to the internal network: users can connect through the F5 (User) or directly to a connection server (VIP) at the same time. This configuration gives us a high degree of flexibility, resilience to potential failures, and many options for administrators.

[Figure: network diagram of the described configuration]

As the figure shows, several conditions must be met first. On the external firewall the following ports must be opened and forwarded to the appropriate address on the F5 (in my case 172.18.31.130): TCP 80, 443, 8443 and 4172, and UDP 4172. We must create an external DNS record (view.pulab.pl) that in the LAN resolves to the local IP (NAT). The Horizon View configuration itself does not deviate from the standard; in our case the connection to the machine is encrypted and we can connect via BLAST. Because of the load on the network, the connection servers do not act as a proxy for the PCoIP protocol (we use thin terminals).

Connection Server configuration:

[Screenshot: Connection Server settings]

Security Server configuration:

[Screenshot: Security Server settings]

F5 BIG-IP can terminate SSL connections (offload). To run the connection server on port 80, create a file named locked.properties in the directory C:\Program Files\VMware\VMware View\Server\sslgateway\conf with the content serverProtocol=http, and restart the service. An additional advantage of this configuration is that you do not need to create a virtual server (F5) on port 80 to redirect traffic: the connection server itself redirects port 80 to 443 (when a browser is used). Now we move to the F5; first we create all the necessary profiles. We start with Client-SSL; in our case we have a wildcard certificate and one profile that we use for all virtual servers (PULAB):

[Screenshot: Client-SSL profile]

In the described configuration, the address view.pulab.pl (reachable via the F5 from outside and inside) will use the wildcard certificate, and all connection servers will have their own certificates issued by the local CA. In the next step we create a persistence profile, so that a client keeps its connections on the same server:

[Screenshot: persistence profile]

Create an HTTP profile for connections on port 443:

[Screenshot: HTTP profile]

We create a monitor for the Connection Servers (according to the Horizon View documentation):

[Screenshot: health monitor]

Now we create the server pools, starting with HTTPS, port 443, with the health monitor above:

[Screenshot: HTTPS pool]

HTTP pool, needed to perform SSL offload on the F5, health monitor as above:

[Screenshot: HTTP pool]

PCoIP pool, port 4172, health monitor “gateway_icmp” (on the firewall of every Connection Server add a rule allowing ICMP/ping):

[Screenshot: PCoIP pool]

BLAST pool, port 8443, monitor “gateway_icmp”:

[Screenshot: BLAST pool]

In the next step we create the virtual servers, starting with Horizon-View-HTTPS (SNAT -> AutoMap). As the screenshots show, no SSL profile is used on the server side and the HTTP server pool is used; with this configuration SSL offloading is performed on the F5:

[Screenshot: Horizon-View-HTTPS virtual server, part 1]

[Screenshot: Horizon-View-HTTPS virtual server, part 2]

Then we create the virtual server responsible for handling BLAST / HTML Access (SNAT -> AutoMap); in this case the connection to the server stays encrypted (SSL offload is not supported for BLAST):

[Screenshot: BLAST virtual server, part 1]

[Screenshot: BLAST virtual server, part 2]

The last step is to create the virtual servers for the PCoIP protocol (UDP / TCP):

[Screenshot: PCoIP virtual server, part 1]

[Screenshot: PCoIP virtual server, part 2]

[Screenshot: PCoIP virtual server, part 3]

The map of our virtual servers is as follows:

[Screenshot: list of virtual servers]
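The objects from the screenshots above, written as a bigip.conf fragment that can be pasted with `tmsh load sys config merge from-terminal`; this is an added example, not the author's exported configuration. Assumed here: two connection servers cs01/cs02 at 10.1.1.11 and 10.1.1.12, the wildcard certificate installed as pulab_wildcard.crt/.key, object names, and the monitor send/receive strings taken from VMware's View load-balancing documentation; the VIP 172.18.31.130 and the ports come from the post.

```tmsh
# Monitor pinned to 443 so the same object can check the port-80 pool too.
ltm monitor https /Common/view_https_mon {
    defaults-from /Common/https
    destination *:443
    send "GET /broker/xml HTTP/1.1\r\nHost: view.pulab.pl\r\nConnection: Close\r\n\r\n"
    recv clientlaunch-default
}
# Source-address persistence shared across the HTTPS, BLAST and PCoIP
# virtual servers, so one client keeps landing on one connection server.
ltm persistence source-addr /Common/view_persist {
    defaults-from /Common/source_addr
    match-across-services enabled
    match-across-virtuals enabled
    timeout 3600
}
ltm profile client-ssl /Common/pulab_clientssl {
    defaults-from /Common/clientssl
    cert /Common/pulab_wildcard.crt
    key /Common/pulab_wildcard.key
}
# Port-80 pool: connection servers run with serverProtocol=http (offload).
ltm pool /Common/view_http_pool {
    members {
        /Common/cs01:80 { address 10.1.1.11 }
        /Common/cs02:80 { address 10.1.1.12 }
    }
    monitor /Common/view_https_mon
}
ltm pool /Common/view_blast_pool {
    members {
        /Common/cs01:8443 { address 10.1.1.11 }
        /Common/cs02:8443 { address 10.1.1.12 }
    }
    monitor /Common/gateway_icmp
}
# Client-side SSL only, HTTP pool behind it: SSL terminates on the F5.
ltm virtual /Common/Horizon-View-HTTPS {
    destination /Common/172.18.31.130:443
    persist { /Common/view_persist { default yes } }
    pool /Common/view_http_pool
    profiles {
        /Common/pulab_clientssl { context clientside }
        /Common/http { }
        /Common/tcp { }
    }
    source-address-translation { type automap }
}
# BLAST is passed through unchanged: no SSL profiles, TLS ends on the server.
ltm virtual /Common/Horizon-View-BLAST {
    destination /Common/172.18.31.130:8443
    persist { /Common/view_persist { default yes } }
    pool /Common/view_blast_pool
    profiles { /Common/tcp { } }
    source-address-translation { type automap }
}
```

The two PCoIP virtual servers on 4172 follow the BLAST stanza, the UDP one with `ip-protocol udp` and the `udp` profile instead of `tcp`. Because the F5-to-server leg of the HTTPS virtual server is plain HTTP after offload, the pool members should sit on a network segment reachable only from the BIG-IP.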

This setup works very smoothly and efficiently. The described solution was originally tested on F5 BIG-IP VE; however, due to capacity constraints, the VE version of F5 is suitable only for small test environments. I greet you and wish you successful testing.


Author: Piotr Pisz

Computers always, since I got a Commodore 64 at the end of primary school, through my beloved Amiga and Linux and an infinite number of consoles, up to today's fully virtual day. Since 2001 a Unix/Linux systems administrator, for seven years a faithful companion and protector of the Solaris system, until its sad end. In 2011 I went into the depths of virtualization, then smoothly ascended into the clouds, and I continue there today. Professionally I work as a Systems Architect at the Polish Security Printing Works.
