One of the possibilities offered by Horizon Workspace Portal is the ability to run the assigned Horizon View workstation directly from the portal (eg. a browser tab using BLAST protocol). In this way, we can simplify access to services for our customers and employees (especially when accessing from outside our organization). This post is an extension and a summary of the topics described here and here (of course, reading them is a must). The process is as always simple and requires only a few additional steps.
Horizon View loadbalacing forces us to create a new domain in the DNS server with which we connect to the View environment. When adding the View POD to Horizon Workspace Portal, server permissions are checked using Kerberos. Of course, new View domain (in my case: view.pulab.pl) has nothing to do with the account in the AD server. Trying to add such an environment in the Workspace Portal always fails (Unable to authenticate to View Connection Server):
Messages in the log :/opt/vmware/horizon/workspace/logs/connector.log:
Unable to authenticate to View Broker: view.pulab.pl. :Client not found in Kerberos database.
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database.
The solution to this problem is to create a SPN record for View Connection Server (only one in the pool, SPN may not be duplicated, setspn -x shows duplicate records) with the parameter service = ldap, it gets a command (on any server that is a AD member, domain Admin privileges):
setspn –A ldap/view.pulab.pl UGVIEWCM1 (Of course this is my server UGVIEWCM1)
This command is the first step in what we need to do, without the synchronization is not possible. The next step is to define the SAML authentication between Horizon Workspace Portal (in my case: portal.pulab.pl) and Horizon View. We do this in the Administration Console View, the settings for each Connection Server:
At this point, we can go to the BIG-IP console and define two new virtual servers. Horizon Workspace communicates with the View through two more ports, 389 and 4001. First create two new pools:
The last step is to create two new virtual servers, start from LDAP (SNAT Auto Map):
JMS server settings as above. Generally, you can see that these are standard settings:
Full map of our servers participating in load balancing Horizon Workspace Portal and Horizon View:
At this point, we are ready to make a call, you can log in to the administrative panel of the Connector-VA (https: // IP: 8443 / hc / admin /) and in section View Pools add our server:
In this configuration, we have access to the portal from within the organization and outside (via the Internet). In both cases, we are free to run View stations from the portal.