VMware Horizon Workspace

1 Introduction

VMware Horizon Workspace provides a single workspace for easy and secure access to applications, files and desktops on virtually any device. It is delivered as a SUSE Linux-based vApp (an Open Virtual Appliance (.OVA) file) consisting of multiple Virtual Appliances (VA) that are deployed through VMware vCenter in a VMware infrastructure. The various deployed Virtual Appliances are used by the Workspace solution to provide:

  • A centralized workspace for application and data access
  • Cloud-Identity management
  • Compliance requirements support
  • Data and file synchronization
  • Data leak prevention through separation of corporate and personal data
  • Secure file sharing both internally and externally for collaboration enablement
  • Simplified administrative management of resource entitlement and policy control

Figure 1‑1: VMware Horizon Workspace Overview

1.1 Document Purpose


Figure 1‑2: VMware Ready

The Virtual LoadMaster is VMware ready. This document is intended to provide guidance on how to configure the KEMP LoadMaster to provide High Availability (HA) for a VMware Horizon Workspace 1.5 environment. This document is not exclusively restricted to this version of VMware Horizon Workspace nor does it claim explicit support for any or every other version of the application.

This documentation is created using a representative sample environment which is described later in the document. As the intent of this document is not to cover every possible deployment scenario, it may not address your unique setup, requirements, network layout or needs. In the event that your infrastructure needs are not illustrated or reflected herein, the KEMP Engineering and Support Teams are available to provide guidance on scenarios not explicitly defined here.

1.2 Intended Audience

It is assumed that the reader is a server or network administrator who is familiar with networking, virtualization technologies, Windows and Linux Operating systems, VMware and the Horizon suite, DNS, Active Directory and general computer and network terminology. It is further assumed that the VMware Horizon Workspace environment, DNS and Active Directory have all been set up and that the KEMP LoadMaster is installed. KEMP recommends reviewing the LoadMaster documentation and VMware Horizon Workspace 1.5 documentation.

https://www.vmware.com/support/pubs/horizon-workspace-pubs.html

2 VMware Horizon Workspace Overview

This section provides:

  • A description of the VMware Horizon Workspace Virtual Appliances that require high availability provided by an Application Delivery Controller (ADC), that is, the KEMP LoadMaster
  • A description of some other Workspace components
  • A reference diagram of the VMware Horizon Workspace architecture

2.1 Horizon Connector Virtual Appliance (Connector-VA)

The Horizon Connector provides capabilities for local user authentication and Active Directory binding and synchronization services. Additional services provided by the Connector-VA are ThinApp catalog loading and View pool synchronization.

To provide high availability and improved scalability, multiple Connector virtual appliances should be deployed behind an internal load balancer/reverse proxy.

2.2 Horizon Gateway Virtual Appliance (Gateway-VA)

The Horizon Gateway serves as the single namespace for all Horizon Workspace interaction and enables a user-facing domain for access to Horizon Workspace. It serves as the central aggregation point for all client connections, routes client traffic to the correct destination and proxies all requests. Horizon Workspace requires one Gateway-VA for every two data virtual appliances or one Gateway-VA for every 2,000 users.

To provide high availability and improved scalability, multiple Gateway virtual appliances should be deployed behind a load balancer/reverse proxy. It is not supported to place Gateway virtual appliances in the DMZ.

2.3 Other Horizon Workspace Components

Other virtual appliances included in the Horizon Workspace vApp are:

Horizon Configurator (Configurator-VA) – An administrative console and web user interface for central SSL management as well as network, Gateway, vCenter and SMTP configuration of the virtual appliances in the Horizon vApp.

Horizon Manager (Service-VA) – A web-based administrative interface allowing configuration of the application catalog, user entitlement management and systems reporting.

VMware Horizon Data (Data-VA) – Serves as a datastore for user files, controls file sharing policies, provides file preview services and acts as the Horizon Workspace web interface for end-users.

Figure 2‑2: Horizon Workspace Reference Architecture Design*

Internal and external Gateway load balancing can be handled either by two separate load balancers or a single load balancer with connections to both the DMZ and internal trusted local area network segments.

Connector load balancing is handled by the internal load balancer.

*Based on: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reference-architecture.pdf

2.4 Load Balancing VMware Horizon Gateway-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

  1. The client establishes an SSL connection to the LoadMaster Virtual Service for the VMware Horizon Workspace URL and the LoadMaster performs SSL decryption.

If desired, the LoadMaster can be configured to deny external access to the administrative section of Horizon Workspace for added security.

  2. The X-Forwarded-For header with the requestor’s client IP address is inserted.
  3. The LoadMaster re-encrypts the connection and continues communication with the Gateway Virtual Appliance(s).
  4. The client request is load balanced to the most appropriate Gateway Virtual Appliance based on health check and persistence validation.

Traffic initiated by internal clients behaves in the same manner aside from restricting access to the administrative virtual directory.

Figure 2‑3: Gateway Virtual Appliances Load Balanced by LoadMaster ADCs

2.5 Load Balancing VMware Horizon Connector-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

  1. After client traffic is passed through the LoadMaster to the appropriate Gateway-VA as detailed in Section 2.4, the Gateway looks at the X-Forwarded-For header to determine which Connectors to use for authentication.
  2. The client request is then redirected to the appropriate Connector iDP URL. The LoadMaster hosting the Connector Virtual Service sends the response to the best suited Connector-VA.
  3. The Connector sends an HTTPS redirect to the client so that the client now connects directly to its FQDN.
  4. Using Kerberos, the Connector authenticates the client request against Active Directory.

Figure 2‑4: Connector Virtual Appliances Load Balanced by LoadMaster ADC

3 Example Environment Setup

TestCompany has deployed VMware Horizon Workspace 1.5 in their environment to provide centralized workspace access from a variety of devices by their workforce. The infrastructure is accessed by clients both internally and externally. Among other supporting components, the deployment contains the following:

  • Two VMware Horizon Gateway-VAs
  • Two VMware Horizon Connector-VAs
  • One KEMP LoadMaster HA cluster deployed in the DMZ
  • One KEMP LoadMaster HA cluster deployed in the trusted corporate LAN

In the deployment architecture defined herein, the LoadMaster handles internal and external HTTPS connectivity to the Gateway-VAs as well as connectivity for the Connector-VAs. The LoadMaster provides the following for Workspace deployments:

  • Scheduling and health check algorithms which ensure that requests are sent to the best target
  • L7 content matching capabilities which minimize attack vectors for added security
  • Header injection functionality which ensures that client IPs are detected by Gateway-VAs
  • SSL overlay functions which ensure L7 processing and an end-to-end secure traffic stream

4 Prerequisites

Minimally, the following prerequisites should be complete:

  • Implemented Active Directory, DNS and other core requirements for Horizon Workspace
  • Installed VMware ESXi servers, vCenter server, and Workspace virtual appliances
  • Configured Certificate Authority (CA)-signed SSL certificates for the Workspace infrastructure
  • Installed LoadMaster(s) with interfaces on the same network(s) as the virtual appliances
  • Established administrative access to the LoadMaster Web User Interface (WUI)

4.1 Configure Gateway-VA NGINX Components

4.1.1 Horizon Workspace 1.5 X-Forwarded-For Configuration

To allow the LoadMaster to request web services that are deployed behind the Gateway-VAs in Horizon Workspace 1.5, the following change must be made:

  1. Navigate to the Configurator-VA URL and log in.

Figure 4‑1: Connector Virtual Appliances Load Balanced by LoadMaster ADC

  2. In the menu on the left, click X-Forwarded-For.
  3. Enter the load balancer IP address(es) with descriptive comments (one per line).
  4. Click Save and reboot all Gateway-VAs if the changes do not take effect within a few minutes.

This X-Forwarded-For modification also sets the real_ip_header value in /opt/vmware/nginx/conf/nginx.conf.

4.1.2 Horizon Workspace 1.0 X-Forwarded-For Configuration

To allow the LoadMaster to request web services that are deployed behind the Gateway-VAs in Horizon Workspace 1.0, the following change must be made:

  1. SSH into each Gateway-VA as the sshuser and su to root.
  2. Edit /opt/vmware/nginx/conf/nginx.conf using vi or another text editor.
  3. Find the section of the file that reads similar to the following:

real_ip_header X-Forwarded-For;
real_ip_recursive off;
include gen/real_ip.conf;

  4. Below the line that reads include gen/real_ip.conf; add the line set_real_ip_from <LoadMaster IP Address>; (nginx requires the trailing semicolon) as shown in the example below:

real_ip_header X-Forwarded-For;
real_ip_recursive off;
include gen/real_ip.conf;
set_real_ip_from 172.16.5.100;

  5. Commit the changes that have just been made and restart the nginx service:

a) If using vi to edit the file, type ZZ or :wq!.

b) To restart the nginx service, type service nginx restart.

4.2 Create a Content Matching Rule

Follow the steps below to create a content matching rule on the LoadMaster that is used later to block external access to the administrative portion of the Workspace environment:

  1. Log in to the LoadMaster WUI.
  2. In the menu on the left, select Rules & Checking and then Content Rules.
  3. Click the Create New… button.

Figure 4-4: Create Rule Screen

  4. Enter the Rule Name, for example vmworkspace.
  5. Ensure the Rule Type is set to Content Matching.
  6. Ensure the Match Type is set to Regular Expression.
  7. Enter ^/admin* as the pattern in the Match String text box.
  8. Tick the Ignore Case check box.
  9. Tick the Fail on Match check box.
  10. Click the Create Rule button.
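The following Python model is an added example, not KEMP or VMware code, that ties together the two settings just configured: the LoadMaster content rule from Section 4.2 (regular expression ^/admin*, Ignore Case, Fail on Match) and the Gateway-VA's nginx real_ip behaviour from Section 4.1 (X-Forwarded-For honoured only from the address in set_real_ip_from, real_ip_recursive off). The LoadMaster address 172.16.5.100 is taken from the nginx example above; every client and peer address is constructed, and the two functions are simplified models rather than the products' own logic.

```python
import ipaddress
import re

# Gateway-VA side: the nginx real_ip settings from Section 4.1.2.
# 172.16.5.100 is the LoadMaster address used in the page's nginx example.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.5.100/32")]  # set_real_ip_from
REAL_IP_HEADER = "X-Forwarded-For"                            # real_ip_header
REAL_IP_RECURSIVE = False                                      # real_ip_recursive off

# LoadMaster side: the content-matching rule from Section 4.2 (Regular
# Expression, Ignore Case, Fail on Match). As a regular expression the
# trailing * quantifies the "n", so a path such as /admi matches as well.
ADMIN_RULE = re.compile(r"^/admin*", re.IGNORECASE)


def loadmaster_forward(client_ip, path, external=True):
    """Model of the Gateway Virtual Service. On the external service a path
    matching the rule is rejected (Fail on Match) and None is returned;
    otherwise the request is forwarded to a Gateway-VA with the client
    address inserted in X-Forwarded-For. Internal traffic is not filtered."""
    if external and ADMIN_RULE.search(path):
        return None
    return {
        "peer": "172.16.5.100",  # the Gateway-VA sees the LoadMaster as its peer
        "path": path,
        "headers": {REAL_IP_HEADER: client_ip},
    }


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def gateway_client_ip(peer, headers):
    """Model of nginx real_ip on the Gateway-VA: the header is honoured only
    when the connecting peer is in set_real_ip_from. With real_ip_recursive
    off the last address in the header is used; with it on, the rightmost
    address that is not itself a trusted proxy is used."""
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr):
        return peer  # untrusted peer: a client-supplied header is ignored
    hops = [h.strip() for h in headers.get(REAL_IP_HEADER, "").split(",") if h.strip()]
    if not hops:
        return peer
    candidates = reversed(hops) if REAL_IP_RECURSIVE else hops[-1:]
    for hop in candidates:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header value: fall back to the peer address
        if not REAL_IP_RECURSIVE or not _is_trusted(addr):
            return str(addr)
    return peer
```

Running the model shows why set_real_ip_from must list only the LoadMaster: a connection arriving from any other address carries an X-Forwarded-For header that the Gateway ignores, while the admin rule stops external /admin requests before they reach a Real Server.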

4.3 DNS

Access to the DNS system(s) used in the network environment must be available to configure name resolution (A and PTR records) so that the Horizon Workspace Gateway and Connector namespaces point to the Virtual Service IP address(es) configured on the LoadMaster.

The FQDN configured for the Horizon Workspace environment cannot be changed after installation. In the event that the namespace requires changing post-installation, the Horizon Workspace vApp must be re-deployed. The same namespace should be used for both internal and external access.

4.4 SSL Certificate Import on the LoadMaster

Follow the steps below to import the relevant Horizon Workspace certificate on the KEMP LoadMaster:

  1. In the main menu of the LoadMaster WUI, go to Certificates > Security > SSL Certificates.
  2. Click Import Certificate.

Figure 4‑6: Certificate Being Added

  3. Click Choose File in the Certificate File field.
  4. Browse to and select the certificate in use in the Horizon Workspace infrastructure.

This must be a .PFX or .PEM file containing the private key for the certificate used on the Horizon Workspace servers.

  5. If relevant, click Choose File in the Key File (optional) field to browse to and select the key file.
  6. Enter the Pass Phrase.
  7. Enter a recognizable name in the Certificate Identifier text box.
  8. Click Save.
  9. Click OK.

Figure 4‑1: Add Intermediate

  10. If additional intermediate certificate(s) are required to complete the certificate chain, click Add Intermediate.

Figure 4‑8: Intermediate Certificate Being Added

  11. Click Choose File in the Intermediate Certificate field.
  12. Browse to and select the appropriate intermediate certificate.
  13. Enter a recognizable name in the Desired File Name text box.
  14. Click Add Certificate.

4.5 Update Connector iDP Hostname

To change the iDP hostname on the Connector-VAs, take the following steps:

  1. Log in to the web admin console of each Connector-VA.
  2. Navigate to Identity Provider.
  3. Change the iDP hostname to the FQDN corresponding to the IP address that is used for the Virtual Service that is created in Section 6.3 for load balancing the Connector-VAs and click Save.

5 VMware Horizon Workspace Templates

KEMP has developed a template containing its recommended settings for VMware Horizon Workspace. This template can be installed on the LoadMaster and used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services, which is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Released templates can be downloaded from the KEMP documentation page: http://www.kemptechnologies.com/documentation/.

If you create another Virtual Service using the same template, be sure to change the Service Name to a unique name.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

For steps on how to manually add and configure each of the Virtual Services, refer to Section 6.

6 Virtual Service Configuration

This section outlines instructions on adding and configuring the required Workspace Virtual Services to the LoadMaster.

6.1 Gateway-VAs (External Virtual Service)

To add an External Virtual Service for the Gateway-VAs, follow the steps below:

  1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

Figure 6‑1: Virtual Service Parameters

  2. Enter a valid IP address in the Virtual Address field.
  3. Enter 443 as the Port.
  4. Enter a recognizable Service Name, for example Workspace Ext.
  5. Click Add this Virtual Service.

Figure 6‑2: SSL Properties

  6. Expand the SSL Properties section.
  7. Select the Enabled check box.
  8. Click OK.
  9. Select the Reencrypt check box.
  10. Select the relevant certificate from the Available Certificates list.
  11. Click the right arrow.
  12. Click Set Certificates.
  13. Expand the Standard Options section.

Figure 6‑3: Standard Options

  14. Select Super HTTP as the Persistence Mode.
  15. Select 30 Minutes as the Timeout value.

Be sure to set the persistence timeout to no less than 30 minutes. A value lower than this may result in a 502 error, “The service is currently unavailable”, for clients attempting to connect.

  16. Select least connection as the Scheduling Method.
  17. Expand the Real Servers section.

Figure 6‑4: Real Servers section

  18. Ensure that HTTPS Protocol is selected as the health check type.
  19. Enter a forward-slash (/) in the URL text box and click Set URL.
  20. Select GET as the HTTP Method.
  21. Click Add New.

Figure 6‑5: Real Server Parameters

  22. Enter a Gateway-VA address in the Real Server Address field.
  23. Ensure that 443 is entered as the Port.
  24. Click Add This Real Server.
  25. Click OK.
  26. Continue to add the remaining Real Servers by entering the Real Server Address of each Gateway-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.
  27. Expand the Advanced Properties section.

Figure 6‑8: Advanced Options

  28. Select the Enable button in the Content Switching section.
  29. Select X-Forwarded-For from the Add HTTP Headers drop-down menu.
  30. Click the Add HTTP Redirector button.
  31. Expand the Real Servers section.

Figure 6-9: Real Servers Section

  32. Click None in the Rules column for the first listed Real Server.

Figure 6‑10: Content Rules Assignment Menu

  33. Select the content matching rule created in Section 4.2.
  34. Click Add.
  35. Click the Back button.
  36. Repeat for each Real Server to add the content matching rule to all pool members.
  37. In the main menu of the LoadMaster WUI, click View/Modify Services.
  38. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

6.2 Gateway-VAs (Internal Virtual Service)

To add an Internal Virtual Service for the Gateway-VAs, either on the same LoadMaster or another cluster, repeat Steps 1 to 29 of Section 6.1, but give the Virtual Service a different name.

6.3 Connector-VAs

To add a Virtual Service for the Connector-VAs, follow the steps below:

  1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

Figure 6‑11: Virtual Service Parameters

  2. Enter a valid IP address in the Virtual Address text box.
  3. Enter 443 as the Port.
  4. Enter a recognizable Service Name, for example Horizon-Connector.
  5. Click Add this Virtual Service.
  6. Expand the Standard Options section.

Figure 6‑12: Standard Options

  7. Ensure the Force L4 check box is clear.

Keep this option cleared unless your deployment scheme dictates otherwise.

  8. Ensure the Transparency check box is clear.

Keep this option selected unless your deployment scheme dictates otherwise.

  9. Select Source IP Address as the Persistence Mode.
  10. Select 30 Minutes as the Timeout value.

Be sure to set the persistence timeout to no less than 30 minutes. A value lower than this may result in a 502 error, “The service is currently unavailable”, for users attempting to reconnect.

  11. Select least connection as the Scheduling Method.
  12. Expand the Real Servers section.

Figure 6‑13: Real Servers section

  13. Ensure that HTTPS Protocol is selected as the health check type.
  14. Enter a forward-slash (/) in the URL text box and click Set URL.
  15. Select GET as the HTTP Method.
  16. Click Add New.

Figure 6‑14: Real Server Parameters

  17. Enter a Connector-VA address in the Real Server Address text box.
  18. Enter 443 as the Port.
  19. Click Add This Real Server.
  20. Click OK.
  21. Continue to add the remaining Real Servers by entering the Real Server Address of each Connector-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.
  22. In the main menu of the LoadMaster WUI, click View/Modify Services.
  23. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

References

KEMP Technologies product documentation can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

WUI, Configuration Guide

VMware Horizon Workspace Documentation

http://www.vmware.com/support/pubs/horizon-workspace-pubs.html

Document History

Date      | Change          | Reason for Change             | Version | Resp.
----------|-----------------|-------------------------------|---------|------
Feb 2014  | Initial draft   | First draft of document       | 1.0     | JD
Mar 2014  | Updates made    | Updates relating to templates | 1.1     | LB
July 2014 | Release updates | Updates for 7.1-18a release   | 1.2     | LB
Aug 2014  | Minor change    | Defect resolved               | 1.3     | LB
Aug 2014  | Minor changes   | Defects resolved              | 1.4     | LB
Sep 2014  | Minor changes   | Defects resolved              | 1.5     | LB
Nov 2014  | Minor changes   | Defects resolved              | 1.6     | LB
Sep 2015  | Release updates | Update for 7.1-30 release     | 3.0     | LB
Dec 2015  | Release updates | Update for 7.1-32 release     | 4.0     | LB
Jan 2016  | Minor changes   | Updated                       | 5.0     | LB
Mar 2016  | Release updates | Update for 7.1-34 release     | 6.0     | LB
July 2016 | Release updates | Update for 7.1.35 release     | 7.0     | LB
Oct 2016  | Release updates | Update for 7.2.36 release     | 8.0     | LB
Jan 2017  | Minor changes   | Enhancements made             | 9.0     | LB
