VMware Horizon View

 

1 Introduction

VMware Horizon View (formerly VMware View) is a virtual desktop infrastructure solution that simplifies desktop management. It delivers personalized virtual desktops from a virtualized platform. This solution provides:

  • Reduction of complexity of PC management
  • Reduction of cost through virtualization
  • Increased PC uptime
  • Overall improved user experience
  • Simplified desktop security

The Horizon View server roles that require services from an Application Delivery Controller (ADC) for high availability are the Connection Server and the Security Server.

1.1 Document Purpose


Figure 1‑1: VMware Ready

The Virtual LoadMaster is VMware Ready. This document provides guidance on how to configure KEMP LoadMaster products to provide high availability for a VMware Horizon View 5.2 environment. The guidance is not exclusive to this version of VMware Horizon View, nor does it claim explicit support for any or every other version of the application.

This documentation was created using a representative sample environment, which is described later in the document, and contains settings recommended by KEMP. It does not cover every possible deployment scenario and may not address your unique setup, requirements, network layout or needs. If your infrastructure needs are not illustrated or reflected here, the KEMP Engineering and Support Teams are available to provide guidance on scenarios not explicitly defined.

1.2 Intended Audience

It is assumed that the reader is a server or network administrator who is familiar with networking, virtualization technologies, VMware, Virtual Desktop Infrastructure (VDI), DNS, Active Directory and general computer and network terminology. It is further assumed that you have set up the VMware Horizon View environment, DNS, Active Directory and have installed the KEMP LoadMaster. You should have reviewed the LoadMaster documentation and VMware Horizon View 5.2 documentation.

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.ICbase%2FPDF%2Fic_pdf.html

2 Load Balancing VMware Horizon View

The VMware Horizon View server roles that require high availability from an ADC are described below, together with a diagram of a typical VMware Horizon View setup.

2.1 Horizon View Connection Server

Horizon View Connection Server is the broker for client connections. It authenticates users to Active Directory and directs incoming user desktop requests to the correct endpoint. It also assigns packaged applications to desktops and pools and manages desktop sessions. In the deployment architecture defined herein, the LoadMaster does not handle the load balancing of PC over IP (PCoIP) traffic for connection servers.

2.2 Horizon View Security Server

Horizon View Security Server provides an extra layer of security for external Internet users who use a View Connection Server to access the internal network. Typically deployed in the DMZ, it proxies incoming connections to View Connection Servers on the trusted network. In the deployment architecture defined herein, LoadMaster does not handle the load balancing of PCoIP traffic for security servers.

To improve availability and scalability, ADCs should be deployed to provide high availability and acceleration services for both Security and Connection Servers.

Figure 2‑1: Typical VMware Horizon View Setup

2.3 Load Balancing VMware Horizon View Connection Servers

The steps and diagram below depict a KEMP LoadMaster deployment with VMware View Connection Servers:

  1. The client establishes an SSL connection to the LoadMaster Virtual Service for the VMware View Connection Server pool.
  2. LoadMaster performs SSL decryption and load balances the connection to the most appropriate Connection Server.

If desired, the LoadMaster can re-encrypt the connection before sending the traffic to the Connection Server.

  3. Authentication, desktop entitlement and desktop selection all take place. Then, PCoIP connections are established directly to the selected View Desktop, bypassing the LoadMaster.

Figure 2‑2: LoadMaster deployment with VMware View Connection Servers

2.4 Load Balancing VMware Horizon View Security Servers

The steps and diagram below depict a KEMP LoadMaster deployment with VMware View Security Servers:

  1. The client establishes an SSL connection to the LoadMaster Virtual Service for the VMware View Security Server pool.
  2. The LoadMaster performs SSL decryption and load balances the connection to the most appropriate Security Server. The LoadMaster re-encrypts the connection before sending the traffic to the Security Server.
  3. Authentication, desktop entitlement and desktop selection take place. Then, PCoIP connections are established directly to the selected View Security Server, bypassing the KEMP LoadMaster.

Figure 2‑3: LoadMaster deployment with VMware View Security Servers

3 Example Environment Setup

TestCompany has deployed VMware Horizon 5.2 in their environment to provide a VDI accessed both by internal and external clients. The deployment contains the following:

  • Two VMware Horizon View Connection Servers
  • Two VMware Horizon View Security Servers
  • Two KEMP LoadMaster HA Clusters

In the deployment architecture defined herein, the LoadMaster does not handle the load balancing of PCoIP traffic for Connection or Security servers. For this reason, the following should be noted:

  • Connectivity between external clients and the View Security servers is required
  • Connectivity between internal clients and the VMware infrastructure is required

The following scenarios are defined:

  • Access to the Horizon View environment using Connection Servers which are being load balanced and serviced by a KEMP LoadMaster ADC cluster
  • Access to Horizon View using Security servers which are being load balanced and serviced by a KEMP LoadMaster ADC cluster

4 Prerequisites

Minimally, you should have:

  • Implemented Active Directory, DNS and other core requirements for Horizon View
  • Installed VMware ESXi servers, vCenter server, View Connection and Security servers
  • Configured SSL certificates for authentication of View Connection and Security servers
  • Installed the LoadMaster(s) on the same network(s) as the servers to be load balanced
  • Established administrative access to the LoadMaster Web User Interface (WUI)

4.1 Allow HTTP Connections

To allow SSL-offloaded connections from the LoadMaster to the Connection Servers that are not re-encrypted, the Connection Servers must be configured to accept HTTP connections from intermediate devices. This is accomplished by modifying the locked.properties file on each Connection Server on which HTTP connections are desired. Steps on how to do this are outlined below. The servers will also continue to accept HTTPS connections.

  1. Navigate to the locked.properties file in the SSLGateway configuration folder on the Connection Server, for example <install_directory>\VMware\VMware View\Server\sslgateway\conf\locked.properties
  2. Add the serverProtocol property. Set it to http using lower case letters.
  3. The next two steps are optional:

     a) If desired, change the HTTP listening port from 80 to a non-default port by setting serverPortNonSSL to an alternate port number on which the LoadMaster will communicate with the Connection Server for HTTP connections.

     b) If the Connection Server has multiple network interfaces and you would like to designate a single interface for HTTP connections, set serverHost to the IP address of the desired interface.

  4. Save the locked.properties file.
  5. Restart the View Connection Server service on the server.

SSL offloading is not supported with smart card authentication.
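
The following check is an added example, not part of the original KEMP guide or of any VMware tooling. It audits the contents of a locked.properties file against the settings in the steps above and against the Real Server port configured on the LoadMaster (80 in Section 6.1). The function names, the simplified key=value parsing and the sample file contents are assumptions made for illustration.

```python
import ipaddress

# Constructed sample locked.properties content (not taken from a real server).
SAMPLE = """\
# SSL offload from the LoadMaster
serverProtocol=HTTP
serverPortNonSSL=8080
"""

def parse_properties(text):
    """Simplified parser: key=value or key:value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit_offload(text, real_server_port=80):
    """Return a list of findings for the section 4.1 settings (empty list = consistent)."""
    props = parse_properties(text)
    findings = []
    proto = props.get("serverProtocol")
    if proto is None:
        findings.append("serverProtocol is not set; the server is not configured for HTTP offload")
    elif proto != "http":
        findings.append(f"serverProtocol={proto!r}; the guide requires lower-case 'http'")
    port = props.get("serverPortNonSSL", "80")  # the guide gives 80 as the default
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        findings.append(f"serverPortNonSSL={port!r} is not a valid TCP port")
    elif int(port) != real_server_port:
        findings.append(f"HTTP port {port} differs from Real Server port {real_server_port}")
    host = props.get("serverHost")
    if host is None:
        findings.append("serverHost is not set; HTTP is not limited to a single interface")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"serverHost={host!r} is not an IP address")
    return findings

if __name__ == "__main__":
    for finding in audit_offload(SAMPLE):
        print("FINDING:", finding)
```

Because the offloaded hop between the LoadMaster and the Connection Server is unencrypted HTTP, the serverHost finding is worth reviewing even though the guide treats that setting as optional.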

4.2 Modify Secure Tunnel External URL

The following changes to the Secure Tunnel External URL parameters are required for the LoadMaster and the VMware Horizon View environment to interoperate correctly:

  1. Log in to the View Manager Administrator tool.
  2. Expand View Configuration and click Servers.
  3. Select the Connection Servers tab.
  4. Select each Connection server and click the Edit button after which the Edit View Connection Server Settings box will open.
  5. Navigate to the General tab. In the HTTP(S) Secure Tunnel External URL text box, enter the LoadMaster Virtual Service IP address or DNS FQDN to be used for the Security Server pool followed by a colon and the appropriate port number.
  6. Select the Use Secure Tunnel Connection to Desktop check box.
  7. Click OK.
  8. Next, select each Security Server and click the Edit button.
  9. On the General tab in the HTTP(S) Secure Tunnel External URL text box, enter the LoadMaster Virtual Service IP address or DNS FQDN to be used for the Security Server pool followed by a colon and the appropriate port number.
  10. Click OK.

Do not change the IP address configured in the PCoIP External URL field.

4.3 DNS

Access to the DNS system used in the network environment must be available to set up name resolution of your Horizon View namespaces to the Virtual Service IP address(es) that will be configured on the LoadMaster.

4.4 SSL Certificate Import on the LoadMaster

Follow the steps below to import the relevant View Connection and Security certificates on the KEMP LoadMaster:

  1. In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.
  2. Click Import Certificate.

Figure 4‑1: Certificate Added

  3. Click Choose File in the Certificate File field.
  4. Browse to and select the signed certificate file which is in use in the Horizon View infrastructure.

This must be a .pfx file containing private keys for the certificate used on the Horizon View servers.

  5. If relevant, click Choose File in the Key File (optional) field to browse to and select the key file.
  6. Enter the Pass Phrase.
  7. Enter a recognizable name in the Certificate Identifier text box.
  8. Click Save.
  9. If required, repeat the steps above to add a Security certificate.

5 VMware Horizon View Templates

KEMP has developed templates containing our recommended settings for VMware Horizon View. These templates can be installed on the LoadMaster and used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Released templates can be downloaded from the KEMP documentation page: http://www.kemptechnologies.com/documentation/.

If you create another Virtual Service using the same template, ensure that you change the Service Name to a unique name.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

For steps on how to manually add and configure each of the Virtual Services, refer to Section 6.

6 Virtual Service Configuration

The sections below outline instructions on how to add Virtual Services for the View Connection and Security servers.

6.1 View Connection Servers

To add a Virtual Service for the View Connection Servers, follow the steps below:

  1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

Figure 6‑1: Virtual Service Parameters

  2. Enter a valid IP address in the Virtual Address field.
  3. Enter 443 as the Port.
  4. Enter a recognizable Service Name, for example View Connection.
  5. Click Add this Virtual Service.

Figure 6‑2: SSL Acceleration

  6. Expand the SSL Properties section.
  7. Select the Enabled check box.
  8. Click OK.

Figure 6‑3: SSL Properties

  9. Click Manage Certificates.

Figure 6‑4: Add Certificate to Virtual Service

  10. In the relevant certificate, select the IP address of the View Connection Virtual Service in the Available VSs list and click the right arrow to assign the Virtual Service to the certificate.
  11. Click Save Changes.
  12. Expand the Standard Options section.

Figure 6‑5: Standard Options

  13. Remove the tick from the Transparency check box.
  14. Select Server Cookie as the Persistence Mode.
  15. Select 6 Minutes as the Timeout value.
  16. Enter JSESSIONID in the Cookie name field and click Set Cookie.
  17. Select least connection as the Scheduling Method.
  18. Expand the Real Servers section.

Figure 6‑6: Real Servers section

  19. Enter a forward-slash (/) in the URL text box and click Set URL.
  20. Select GET as the HTTP Method.
  21. Click Add New.

Figure 6‑7: Real Server Parameters

  22. Enter the relevant Real Server Address.
  23. Enter 80 as the Port.
  24. Click Add This Real Server.
  25. Click OK.
  26. Continue to add the remaining Real Servers by entering the Real Server Address and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.
  27. In the main menu of the LoadMaster WUI, click View/Modify Services.
  28. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

6.2 View Security Servers

To add the Virtual Service for the View Security Servers, follow the steps below:

  1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

Figure 6‑8: Virtual Service Parameters

  2. Enter a valid IP address in the Virtual Address text box.
  3. Enter 443 as the Port.
  4. Enter a recognizable Service Name, for example View Security Pool.
  5. Click Add this Virtual Service.

Figure 6‑9: Virtual Service Parameters

  6. Expand the SSL Properties section.

Figure 6‑10: SSL Properties

  7. Select the Enabled check box.
  8. Click OK.
  9. Select the Reencrypt check box.
  10. Click Manage Certificates.

Figure 6‑11: Add View Security Certificate

  11. In the relevant row for the View Security certificate, in the Available VSs drop-down list, select the relevant IP address of the View Security Virtual Service. Click the right arrow to assign the Virtual Service to the certificate.
  12. Click Save Changes.
  13. Expand the Standard Options section.

Figure 6‑12: Standard Options

  14. Select Server Cookie as the Persistence Mode.
  15. Select 6 Minutes as the Timeout value.
  16. Enter JSESSIONID as the Cookie name and click Set Cookie.
  17. Select least connection as the Scheduling Method.
  18. Expand the Real Servers section.

Figure 6‑13: Real Servers section

  19. Enter a forward-slash (/) in the URL text box and click Set URL.
  20. Select GET as the HTTP Method.
  21. Click Add New.

Figure 6‑14: Real Server parameters

  22. Enter the relevant Real Server Address.
  23. Click Add This Real Server.
  24. Click OK.
  25. Continue to add Real Servers until every server in the pool has been added. Then, click the Back button.
  26. In the main menu of the LoadMaster WUI, select View/Modify Services.
  27. Confirm that the newly created service is listed with a status of UP. Ensure that all member servers are listed in black, non-bold font.

References

The links below contain further information.

VMware Horizon View Documentation
http://www.vmware.com/support/pubs/view_pubs.html

Web User Interface, Configuration Guide
http://kemptechnologies.com/documentation

Virtual Services and Templates, Feature Description
http://kemptechnologies.com/documentation

Document History

Date | Change | Reason for Change | Version | Resp.
Sep 2014 | Minor change | Defect fixed | 1.8 | LB
Nov 2014 | Minor change | Defect fixed | 1.9 | LB
Jan 2015 | Minor change | Renamed document | 1.10 | LB
Sep 2015 | Screenshot updates | LoadMaster WUI reskin | 3.0 | KG
Dec 2015 | Release updates | Updates for 7.1-32 | 4.0 | LB
Jan 2016 | Minor change | Updated | 5.0 | LB
Mar 2016 | Release updates | Updates for 7.1-34 | 6.0 | LB
Jan 2017 | Minor change | Enhancements made | 7.0 | LB
