VMware View 6 Solution Guide

 

1 Introduction

VMware Horizon (with View) delivers virtualized remote desktops and applications to remote users via desktop client and browser interfaces. This document describes how to balance client traffic in a VMware Horizon (with View) environment using the KEMP LoadMaster. For clarity, the VMware Horizon (with View) product will be referred to as View throughout this document.

1.1 How VMware Horizon (with View) Works

A simple View environment consists of a Security server and a Connection server which authenticate and connect remote users to the virtual desktop/application environment. These servers act together and are deployed in 1:1 pairs. From a LoadMaster point of view, all connections are with the security server. The initial connection is made over HTTPS and once authenticated, the security server provides the client with connection details (URL for web connections and an IP address for PCoIP). The client then establishes a connection to the services on the URL/IP address provided in the authentication reply.

Only the initial (HTTPS) connection needs to be load-balanced as there is a 1:1 mapping between the URL/IP address provided and the security/connection server pair that will service the client session.

1.2 Solution Environment

The LoadMaster is deployed in-line as a proxy for all services including PCoIP. Alternative deployment options could have PCoIP bypass the LoadMaster as it is only the initial session establishment (HTTPS) that needs to be load balanced.

Figure 1‑1: Example Setup

On the LoadMaster, the 10.154.11.31 Virtual IP (VIP) address is used to balance the client’s initial HTTPS connection between the two View instances which are represented by the 10.154.11.32/10.154.11.33 VIPs. Each of the View instance VIPs offers services on HTTPS, on port 4172 for PCoIP (UDP and TCP) and on port 8443 for View Blast.

1.3 Product Versions and Platforms Tested

| Product | Product Version | Deployment Platform |
|---|---|---|
| KEMP LoadMaster | 7.1-20c | Applies to all virtual and physical platforms |
| View Client | 3.1.0.21879 | Windows 8.1 Enterprise |
| View Connection/Security server | 6.0.0-1884746 | Windows 2012 R2 Server |

2 Service Configuration

2.1 Configuring LoadMaster for View 6

To support the environment outlined above, a number of Virtual Services need to be defined on the LoadMaster. The table below outlines example details that would need to be configured on the LoadMaster.

| VIP | Real Server(s) | Purpose |
|---|---|---|
| 10.154.11.31:443 (TCP) | 10.154.201.2, 10.154.201.3 | Balance the initial SSL connection from the client between the View Connection/Security server instances |
| 10.154.11.32:443 (TCP) | 10.154.201.2 | Accept load-balanced client connections on HTTPS |
| 10.154.11.32:4172 (TCP) | 10.154.201.2 | PCoIP connections can be over UDP or TCP. These Virtual Services forward connections to the View Connection Server. |
| 10.154.11.32:4172 (UDP) | 10.154.201.2 | PCoIP connections can be over UDP or TCP. These Virtual Services forward connections to the View Connection Server. |
| 10.154.11.32:8443 (TCP) | 10.154.201.2 | Blast is the protocol for View access via a browser, which we deliver on port 8443 |
| 10.154.11.33:443 (TCP) | 10.154.201.3 | Second View instance of the above services |
| 10.154.11.33:4172 (TCP) | 10.154.201.3 | Second View instance of the above services |
| 10.154.11.33:4172 (UDP) | 10.154.201.3 | Second View instance of the above services |
| 10.154.11.33:8443 (TCP) | 10.154.201.3 | Second View instance of the above services |

Table 2‑1: Example Virtual Service Details

HTTPS is being offered on three Virtual Services in the configuration above. Each of these will require a certificate and associated private key for the Fully Qualified Domain Name (FQDN) of the VIP. In the example, we are using a wildcard certificate (*.viewlab.net) on all of the Virtual Services supporting HTTPS.

2.2 Global LoadMaster Settings

KEMP recommends setting Always Check Persist to Yes – Accept Changes for a VMware View 6 environment. Follow the steps below to set this:

  1. In the main menu of the LoadMaster Web User Interface (WUI), select System Configuration > Miscellaneous Options > L7 Configuration.

Table 2‑2: Always Check Persist

  2. Select Yes – Accept Changes in the Always Check Persist drop-down menu.

2.3 VMware Horizon View 6 Template

KEMP have developed a template containing our recommended settings for VMware Horizon View 6. This template can be installed on the LoadMaster and can be used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Released templates can be downloaded from the KEMP documentation page: http://kemptechnologies.com/documentation.

If you create another Virtual Service using the same template, be sure to change the Service Name to a unique name.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

For steps on how to manually add and configure each of the Virtual Services, refer to the sections below.

2.4 Virtual Service Settings on LoadMaster

Table 2‑3: Virtual Services

For clarity in the example, each of the services is explicitly defined giving a Virtual Services list as in the above screenshot.

2.5 Configuring the Initial SSL Connection Virtual Service

To configure the initial SSL Virtual Service on the LoadMaster, follow the steps below in the WUI:

  1. In the main menu, select Virtual Services > Add New.

Table 2‑4: Virtual Service Parameters

  2. Enter a valid Virtual Address.
  3. Enter 443 as the Port.
  4. Enter a recognizable Service Name.
  5. Click Add this Virtual Service.
  6. Expand the SSL Properties section.

Table 2‑5: SSL Properties

  7. Select Enabled.
  8. Click OK.
  9. Select Reencrypt.
  10. Select and assign the appropriate certificate.
  11. Expand the Standard Options section.

Table 2‑6: Standard Options

  12. Select Server Cookie as the Mode.
  13. Enter JSESSIONID as the Cookie name and click Set Cookie.
  14. Set the Scheduling Method to whatever is appropriate for the particular View infrastructure deployed.
  15. Expand the Real Servers section.

Table 2‑7: Real Servers section

  16. Click Add New.

Table 2‑8: Real Server Parameters

  17. Enter the relevant Real Server Address, for example 10.154.201.3.
  18. Click Add This Real Server.

In some environments, it may be appropriate to create an HTTP-to-HTTPS redirect to automatically forward unencrypted connection requests to the secure service. To add the redirect Virtual Service, follow the steps in the section below.

2.5.1 Configuring the Redirect Virtual Service

To create and configure the Redirect Virtual Service, follow the steps below:

  1. In the main menu of the LoadMaster, go to Virtual Services > Add New.

Figure 2‑1: Virtual Service Parameters

  2. Enter the same IP address as the one used when creating the initial SSL connection Virtual Service in Section 2.5.
  3. Enter 80 as the Port.
  4. Click Add this Virtual Service.
  5. Expand the Advanced Properties section.

Figure 2‑2: Advanced Properties

  6. Select 302 Found as the Error Code.
  7. Enter https://%h%s as the Redirect URL.

Figure 2‑3: Standard Options

  8. Remove the tick from the Transparency check box.

2.6 Configuring the Load-Balanced HTTPS Virtual Service

This Virtual Service needs to be defined for each security server in the View environment. There is a 1:1 relationship between this Virtual Service and the Security server so scheduling options can be left at default.

Figure 2‑4: Standard Options

The Persistence Mode should be set to Server Cookie. The Cookie name should be set to JSESSIONID.

Table 2‑9: SSL Properties

As with the initial connection, SSL Acceleration and Reencrypt should be enabled.

2.7 Configuring the PCoIP Virtual Service

The PCoIP Virtual Service provides a simple Layer 4 reverse proxy connection to the security server on port 4172. Two variants are required to support both TCP and UDP connections.

Table 2‑10: Settings

SSL offloading is not required for this service. The service should have a Generic Service Type with default persistence and scheduling.

Figure 2‑5: Real Servers

In the TCP Virtual Service, the PCoIP system health check is performed by setting the health check to TCP Connection Only.

Figure 2‑6: Real Servers

In the UDP Virtual Service, the health check should be set to ICMP Ping.

2.8 Configuring the Blast Virtual Service

The Blast Virtual Service provides a reverse HTTPS proxy on port 8443. This protocol may be SSL offloaded and reencrypted or passed directly to the server.

Figure 2‑7: Real Servers

The health check method should be set to TCP Connection Only.

3 Configuring VMware Horizon (with View)

The connection points for the remote clients can be set to the relevant LoadMaster Virtual Services in the Connection Server Settings screen in VMware View.

Figure 3‑1: Connection Server Settings

The HTTP(S) and Blast URLs must be an FQDN and the PCoIP URL must be an IP address. The ports specified must match the Virtual Services ports defined in the LoadMaster.

In the context of the example, each Connection Server is configured with the URLs that point to the per-instance Virtual Services on the LoadMaster. The URLs resolve as follows:

| URL | IP Address |
|---|---|
| Viewcon-01.viewlab.net | 10.154.11.32 |
| Viewcon-02.viewlab.net | 10.154.11.33 |
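The rules in this section (FQDN for HTTP(S) and Blast, IP address for PCoIP, ports matching the LoadMaster Virtual Services) can be checked before go-live. The following is an added example, not part of the KEMP guide or either product: the external URL strings, the dictionary layout and the function names are assumptions constructed from the example tables, and name resolution is a static map rather than a live DNS lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from Table 2-1: (VIP, port, protocol) -> Real Servers for one View instance.
SERVICES = {("10.154.11.32", port, proto): ["10.154.201.2"]
            for port, proto in [(443, "tcp"), (4172, "tcp"), (4172, "udp"), (8443, "tcp")]}
DNS = {"viewcon-01.viewlab.net": "10.154.11.32"}  # static map instead of live lookups
CERT = "*.viewlab.net"                            # wildcard certificate from Section 2.1

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def wildcard_covers(pattern, host):
    # "*" stands for exactly one left-most label; deeper names are not covered.
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def check_service(name, vip, port, protos):
    out = []
    for proto in protos:
        servers = SERVICES.get((vip, port, proto))
        if servers is None:
            out.append(f"{name}: no Virtual Service on {vip}:{port}/{proto}")
        elif len(servers) != 1:
            out.append(f"{name}: {vip}:{port}/{proto} is not 1:1 with one server")
    return out

def check_instance(settings):
    # Returns a list of findings for one Connection Server's external URL settings.
    findings = []
    for name in ("https", "blast"):
        url = urlsplit(settings[name])
        host = (url.hostname or "").lower()
        if url.scheme != "https" or is_ip(host) or "." not in host:
            findings.append(f"{name}: must be an https URL with an FQDN")
            continue
        if not wildcard_covers(CERT, host):
            findings.append(f"{name}: {host} is not covered by {CERT}")
        findings += check_service(name, DNS.get(host), url.port or 443, ["tcp"])
    host, _, port = settings["pcoip"].rpartition(":")
    if not is_ip(host) or not port.isdigit():
        findings.append("pcoip: must be IP:port, not a host name")
    else:
        findings += check_service("pcoip", host, int(port), ["tcp", "udp"])
    return findings
```

An empty list means the settings agree with the Virtual Services. Each finding names the setting to correct, for example a Blast URL on a port with no matching Virtual Service.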

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

Document History

| Date | Change | Reason for Change | Version | Resp. |
|---|---|---|---|---|
| Nov 2014 | Initial draft | First draft of document | 1.0 | MMcM |
| Jan 2015 | Minor change | Changed document type | 1.1 | LB |
| Apr 2015 | Updates made | Consistency with template | 1.2 | LB |
| Sep 2015 | Screenshot updates | LoadMaster reskin | 3.0 | KG |
| Dec 2015 | Release updates | Updates for 7.1-32 | 4.0 | LB |
| Jan 2016 | Minor change | Updated | 5.0 | LB |
| Mar 2016 | Release updates | Updates for 7.1-34 | 6.0 | LB |
