VMware Horizon Workspace

1 Introduction

VMware Horizon Workspace provides a single workspace for easy and secure access to applications, files and desktops on virtually any device. It is delivered as a SUSE Linux-based vApp (an Open Virtual Appliance (.OVA) file) consisting of multiple Virtual Appliances (VA) that are deployed through VMware vCenter in a VMware infrastructure. The various deployed Virtual Appliances are used by the Workspace solution to provide:

A centralized workspace for application and data access

Cloud-Identity management

Compliance requirements support

Data and file synchronization

Data leak prevention through separation of corporate and personal data

Secure file sharing both internally and externally for collaboration enablement

Simplified administrative management of resource entitlement and policy control

[Figure: VMware Horizon Workspace deployment overview]

1.1 Document Purpose


The Virtual LoadMaster is VMware ready. This document is intended to provide guidance on how to configure the KEMP LoadMaster to provide High Availability (HA) for a VMware Horizon Workspace 1.5 environment. This document is not exclusively restricted to this version of VMware Horizon Workspace nor does it claim explicit support for any or every other version of the application.

This documentation is created using a representative sample environment which is described later in the document. As the intent of this document is not to cover every possible deployment scenario, it may not address your unique setup, requirements, network layout or needs. In such an event that your infrastructure needs are not illustrated or reflected herein, the KEMP Engineering and Support Teams are available to provide guidance surrounding scenarios otherwise not explicitly defined.

1.2 Intended Audience

It is assumed that the reader is a server or network administrator who is familiar with networking, virtualization technologies, Windows and Linux Operating systems, VMware and the Horizon suite, DNS, Active Directory and general computer and network terminology. It is further assumed that the VMware Horizon Workspace environment, DNS and Active Directory have all been set up and that the KEMP LoadMaster is installed. KEMP recommends reviewing the LoadMaster documentation and VMware Horizon Workspace 1.5 documentation.

LoadMaster documentation is available at http://www.kemptechnologies.com/documentation

VMware Horizon Workspace documentation is available at https://www.vmware.com/support/pubs/horizon-workspace-pubs.html

2 VMware Horizon Workspace Overview

This section provides:

A description of the VMware Horizon Workspace Virtual Appliances that require high availability provided by an Application Delivery Controller (ADC), that is, the KEMP LoadMaster

A description of some other Workspace components

A reference diagram of the VMware Horizon Workspace architecture

2.1 Horizon Connector Virtual Appliance (Connector-VA)

The Horizon Connector provides capabilities for local user authentication and Active Directory binding and synchronization services. Additional services provided by the Connector-VA are ThinApp catalog loading and View pool synchronization.

To provide high availability and improved scalability, multiple Connector virtual appliances should be deployed behind an internal load balancer/reverse proxy.

2.2 Horizon Gateway Virtual Appliance (Gateway-VA)

The Horizon Gateway serves as the single namespace for all Horizon Workspace interaction and enables a user-facing domain for access to Horizon Workspace. It serves as the central aggregation point for all client connections, routes client traffic to the correct destination and proxies all requests. Horizon Workspace requires one Gateway-VA for every two data virtual appliances or one Gateway-VA for every 2,000 users.

To provide high availability and improved scalability, multiple Gateway virtual appliances should be deployed behind a load balancer/reverse proxy. It is not supported to place Gateway virtual appliances in the DMZ.

2.3 Other Horizon Workspace Components

Other virtual appliances included in the Horizon Workspace vApp are:

Horizon Configurator (Configurator-VA) – An administrative console and web user interface for central SSL management as well as network, Gateway, vCenter and SMTP configuration of the virtual appliances in the Horizon vApp.

Horizon Manager (Service-VA) – A web-based administrative interface allowing configuration of the application catalog, user entitlement management and systems reporting.

VMware Horizon Data (Data-VA) – Serves as a datastore for user files, controls file sharing policies, provides file preview services and acts as the Horizon Workspace web interface for end-users.


Internal and external Gateway load balancing can be handled either by two separate load balancers or a single load balancer with connections to both the DMZ and internal trusted local area network segments.

Connector load balancing is handled by the internal load balancer.

2.4 Load Balancing VMware Horizon Gateway-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

1. The client establishes an SSL connection to the LoadMaster Virtual Service for the VMware Horizon Workspace URL and the LoadMaster performs SSL decryption.

If desired, the LoadMaster can be configured to deny external access to the administrative section of Horizon Workspace for added security.

2. The LoadMaster inserts an X-Forwarded-For header carrying the requesting client's IP address. The Gateway-VA honours this header only when the connection arrives from an address it has been told to trust (see the Configure Gateway-VA NGINX Components section); headers arriving from any other source are ignored.

3. The LoadMaster re-encrypts the connection and continues communication with Gateway Virtual Appliance(s).

4. The client request is load balanced to the most appropriate Gateway Virtual Appliance based on health check and persistence validation.

Traffic initiated by internal clients behaves in the same manner aside from restricting access to the administrative virtual directory.

[Figure: Load balancing VMware Horizon Gateway-VAs]

2.5 Load Balancing VMware Horizon Connector-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

1. After client traffic is passed through the LoadMaster to the appropriate Gateway-VA as detailed in the Load Balancing VMware Horizon Gateway-VAs section, the Gateway uses the client address carried in the X-Forwarded-For header to determine which Connector (identity provider) to use for authentication.

2. The client request is then redirected to the appropriate Connector IdP URL. The LoadMaster hosting the Connector Virtual Service sends the request to the best suited Connector-VA.

3. The Connector sends an HTTPS redirect to the client so that the client now connects to the Connector IdP FQDN, which resolves to the Connector Virtual Service on the LoadMaster (see the Update Connector IdP Hostname section).

4. Using Kerberos, the Connector authenticates the client request against Active Directory.

[Figure: Load balancing VMware Horizon Connector-VAs]

3 Example Environment Setup

TestCompany has deployed VMware Horizon Workspace 1.5 in their environment to provide centralized workspace access from a variety of devices by their workforce. The infrastructure is accessed by clients both internally and externally. Among other supporting components, the deployment contains the following:

Two VMware Horizon Gateway-VAs

Two VMware Horizon Connector-VAs

One KEMP LoadMaster HA cluster deployed in the DMZ

One KEMP LoadMaster HA cluster deployed in the trusted corporate LAN

In the deployment architecture defined herein, the LoadMaster handles internal and external HTTPS connectivity to the Gateway-VAs as well as connectivity for the Connector-VAs. The LoadMaster provides the following for Workspace deployments:

Scheduling and health check algorithms which ensure that requests are sent only to Gateway-VAs and Connector-VAs that are responding

L7 content matching rules which block external access to the administrative URL path, reducing the externally exposed attack surface

Header injection (X-Forwarded-For) which ensures that the original client IP is visible to the Gateway-VAs rather than the LoadMaster address

SSL offload with re-encryption, so that the LoadMaster can inspect and switch traffic at L7 while the stream stays encrypted end-to-end between client, LoadMaster and virtual appliance

4 Prerequisites

Minimally, the following prerequisites should be complete:

Implemented Active Directory, DNS and other core requirements for Horizon Workspace

Installed VMware ESXi servers, vCenter server, and Workspace virtual appliances

Configured Certificate Authority (CA)-signed SSL certificates for the Workspace infrastructure

Installed LoadMaster(s) with interfaces on the same network(s) as the virtual appliances

Established administrative access to the LoadMaster Web User Interface (WUI)

4.1 Configure Gateway-VA NGINX Components

4.1.1 Horizon Workspace 1.5 X-Forwarded-For Configuration

So that the Gateway-VAs in Horizon Workspace 1.5 accept the X-Forwarded-For header inserted by the LoadMaster and log and evaluate the original client address rather than the LoadMaster address, the following change must be made:

1. Navigate to the Configurator-VA URL and log in.

[Screenshot: Horizon Workspace 1.5 X-Forwarded-For configuration page]

2. In the menu on the left, click X-Forwarded-For.

3. Enter the load balancer IP address(es) with descriptive comments (one per line). List only the LoadMaster address(es) that actually connect to the Gateway-VAs; every address entered here is trusted to assert the client IP, so a wider range than necessary would allow hosts in that range to spoof client addresses.

4. Click Save and reboot all Gateway-VAs if changes do not take effect within a few minutes.

This X-Forwarded-For modification writes the trusted proxy addresses (the set_real_ip_from entries used together with the real_ip_header X-Forwarded-For directive) into the NGINX configuration under /opt/vmware/nginx/conf/, which is the same change made by hand for version 1.0 in the next section.

4.1.2 Horizon Workspace 1.0 X-Forwarded-For Configuration

So that the Gateway-VAs in Horizon Workspace 1.0 accept the X-Forwarded-For header inserted by the LoadMaster and record the original client address rather than the LoadMaster address, the following change must be made on each Gateway-VA:

1. SSH into each Gateway-VA with the sshuser account and su to root.

2. Edit /opt/vmware/nginx/conf/nginx.conf using VI, or another screen editor.

3. Find the section of the file that reads similar to the following:

real_ip_header X-Forwarded-For;
real_ip_recursive off;
include gen/real_ip.conf;

4. Below the line that reads include gen/real_ip.conf; add a line of the form set_real_ip_from <LoadMaster IP Address>; (the trailing semicolon is required by NGINX) as shown in the example below. Add one line per LoadMaster address that connects to the Gateway-VAs and no broader range, because any address listed here is trusted to set the client IP:

real_ip_header X-Forwarded-For;
real_ip_recursive off;
include gen/real_ip.conf;
set_real_ip_from 172.16.5.100;

5. Commit the changes that have just been made and restart the nginx service:

a) If using VI to edit the file, type ZZ or :wq!.

b) To restart the nginx service type service nginx restart.
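The trust decision that the Gateway-VA makes with the configuration from the two sections above, as an added example that is not part of the original guide or of the Horizon Workspace appliance: a Python emulation of the NGINX realip module (real_ip_header X-Forwarded-For, set_real_ip_from, real_ip_recursive) run over constructed requests. The LoadMaster address 172.16.5.100 is the one used in the example above; the client, attacker and spoofed addresses are made up for the example.

```python
import ipaddress

# Constructed examples (not from the page): the page's example LoadMaster
# address, plus made-up client and attacker addresses.
LOADMASTER = "172.16.5.100"
CLIENT = "203.0.113.10"       # a real external client, as seen by the LoadMaster
ATTACKER = "198.51.100.7"     # a host that reaches the Gateway-VA directly
SPOOFED = "10.0.0.5"          # an address the attacker claims in X-Forwarded-For


def real_client_ip(peer_ip, xff_header, trusted, recursive=False):
    """Emulate NGINX ngx_http_realip_module with real_ip_header X-Forwarded-For.

    peer_ip    - TCP source address of the connection reaching NGINX
    xff_header - value of the X-Forwarded-For header, or None
    trusted    - the set_real_ip_from entries (addresses or CIDR ranges)
    recursive  - real_ip_recursive on (True) or off (False)
    Returns the address NGINX will treat as the client's.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # The header is honoured only when the *connecting* peer is a trusted proxy.
    if not xff_header or not is_trusted(peer_ip):
        return peer_ip

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not recursive:
        # real_ip_recursive off: use the last (rightmost) address, i.e. the one
        # appended by the nearest proxy; anything further left is ignored.
        return hops[-1]

    # real_ip_recursive on: walk right to left, skipping trusted proxy
    # addresses, and stop at the first address that is not a trusted proxy.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


def scenarios():
    """Client address NGINX derives in several constructed cases."""
    only_lm = [LOADMASTER]
    return {
        # Normal path: the LoadMaster connects and inserts the real client IP.
        "via_loadmaster": real_client_ip(LOADMASTER, CLIENT, only_lm),
        # Bypass attempt: a host reaches the Gateway-VA directly with a forged
        # header; the peer is untrusted, so the header is ignored.
        "direct_with_spoofed_xff": real_client_ip(ATTACKER, SPOOFED, only_lm),
        # The client sent its own X-Forwarded-For and the proxy appended the
        # true address; with recursion off the rightmost (proxy-added) wins.
        "client_supplied_xff_via_loadmaster": real_client_ip(
            LOADMASTER, f"{SPOOFED}, {CLIENT}", only_lm),
        # Misconfiguration: trusting every address lets the forged header through.
        "trust_everything": real_client_ip(ATTACKER, SPOOFED, ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:38} -> {ip}")
```

The last case is the one to avoid: a set_real_ip_from entry (or a 1.5 X-Forwarded-For entry) wider than the LoadMaster addresses turns X-Forwarded-For into an attacker-controlled value in the Gateway-VA's logs and routing decisions.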

4.2 Create a Content Matching Rule

Follow the steps below to create a content matching rule on the LoadMaster that is used later to block external access to the administrative portion of the Workspace environment:

1. Log in to the LoadMaster WUI.

2. In the menu on the left select Rules & Checking and select Content Rules.

3. Click the Create New… button.

[Screenshot: Create a content matching rule]

4. Enter the Rule Name, for example vmworkspace.

5. Ensure the Rule Type is set to Content Matching.

6. Ensure the Match Type is set to Regular Expression.

7. Enter ^/admin as the pattern in the Match String text box. A trailing * (as in ^/admin*) applies only to the preceding n, so that variant also matches /admi and adds nothing. Note that the anchored pattern matches every request path that begins with /admin, including longer names such as /administrator, which is acceptable here because the intent is to block the whole administrative area.

8. Tick the Ignore Case check box.

9. Tick the Fail on Match check box.

10. Click the Create Rule button.
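What the rule created above actually matches, as an added example that is not from the original guide or from the LoadMaster product: a Python emulation of a Regular Expression content rule with Ignore Case ticked, run over constructed request paths, comparing the anchored ^/admin pattern with the looser ^/admin* and a stricter ^/admin(/|\?|$). It assumes the LoadMaster evaluates the pattern against the request path with ordinary regular-expression semantics; that assumption, and the sample paths, are this example's and not the page's.

```python
import re

# Constructed request paths (not from the page): the administrative area,
# look-alike paths and ordinary end-user paths.
SAMPLE_PATHS = [
    "/", "/web", "/admin", "/admin/", "/ADMIN/users", "/admin/app/catalog",
    "/admin?view=users", "/admi", "/adminx", "/administrator", "/web/admin",
]


def rule_matches(pattern, path):
    """Emulate a LoadMaster content rule: Rule Type Content Matching,
    Match Type Regular Expression, Ignore Case ticked. Assumes ordinary
    regular-expression semantics against the request path."""
    return re.search(pattern, path, re.IGNORECASE) is not None


def blocked_paths(pattern, paths=SAMPLE_PATHS):
    """Paths for which a rule with Fail on Match would exclude the Real Server.
    Because the rule is attached to every Real Server in the pool, a matching
    request has no eligible server and is not forwarded."""
    return [p for p in paths if rule_matches(pattern, p)]


def compare_patterns(patterns=(r"^/admin*", r"^/admin", r"^/admin(/|\?|$)"),
                     paths=SAMPLE_PATHS):
    """Map each candidate pattern to the paths it blocks."""
    return {pat: blocked_paths(pat, paths) for pat in patterns}


if __name__ == "__main__":
    for pat, blocked in compare_patterns().items():
        print(f"{pat:18} blocks {blocked}")
```

The comparison shows the practical difference: ^/admin* and ^/admin block the same paths except that the former also catches /admi, while ^/admin(/|\?|$) leaves /administrator and /adminx alone. Whichever form is chosen, a path such as /web/admin is never matched because the pattern is anchored at the start of the path.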

4.3 DNS

The DNS servers used in the network environment must be updated so that the Horizon Workspace Gateway and Connector names (A and PTR records) resolve to the Virtual Service IP address(es) configured on the LoadMaster.

The FQDN configured for the Horizon Workspace environment cannot be changed after installation. In the event that the namespace requires changing post-installation, the Horizon Workspace vApp must be re-deployed. The same namespace should be used for both internal and external access; because different Virtual Services serve internal and external clients, the internal and external DNS views must each return the address of the corresponding Virtual Service.

4.4 SSL Certificate Import on the LoadMaster

Follow the steps below to import the relevant Horizon Workspace certificate on the KEMP LoadMaster:

1. In the main menu of the LoadMaster WUI, go to Certificates > Security > SSL Certificates.

2. Click Import Certificate.

[Screenshot: SSL certificate import]

3. Click Choose File in the Certificate File field.

4. Browse to and select the certificate in use in the Horizon Workspace infrastructure.

This must be a .PFX or .PEM file containing the private key for the certificate used on the Horizon Workspace servers. Because the LoadMaster terminates the client SSL session, the certificate it serves must match the Workspace FQDN that clients connect to.

5. If relevant, click Choose File in the Key File (optional) field to browse to and select the key file.

6. Enter the Pass Phrase.

7. Enter a recognizable name in the Certificate Identifier text box.

8. Click Save.

9. Click OK.

[Screenshot: SSL certificate import, certificate details]

10. If additional intermediate certificate(s) are required to complete the certificate chain, click Add Intermediate.

[Screenshot: Add intermediate certificate]

11. Click Choose File in the Intermediate Certificate field.

12. Browse to and select the appropriate intermediate certificate.

13. Enter a recognizable name in the Desired File Name text box.

14. Click Add Certificate.

4.5 Update Connector IdP Hostname

To change the identity provider (IdP) hostname on the Connector-VAs, take the following steps:

1. Log in to the web admin console of each Connector-VA.

2. Navigate to Identity Provider.

3. Change the IdP hostname to the FQDN that resolves to the IP address of the Virtual Service created in the Connector-VAs section (the LoadMaster Virtual Service that load balances the Connector-VAs) and click Save. The redirect described in the Load Balancing VMware Horizon Connector-VAs section sends clients to this name, so it must resolve to the LoadMaster rather than to an individual Connector-VA.

5 Template

KEMP has developed a template containing our recommended settings for this workload. You can install this template to help when creating Virtual Services, as it automatically populates the settings. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Download released templates from the Templates section on the KEMP documentation page: http://kemptechnologies.com/documentation.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the KEMP Documentation Page.

For steps on how to manually add and configure each of the Virtual Services using the recommended settings, refer to the steps in this document.

6 Virtual Service Configuration

This section outlines instructions on adding and configuring the required Workspace Virtual Services to the LoadMaster.

6.1 Gateway-VAs (External Virtual Service)

To add an External Virtual Service for the Gateway-VAs, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

[Screenshot: Gateway-VAs external Virtual Service, Add New]

2. Enter a valid IP address in the Virtual Address field.

3. Enter 443 as the Port.

4. Enter a recognizable Service Name, for example Workspace Ext.

5. Click Add this Virtual Service.

[Screenshot: Gateway-VAs external Virtual Service, SSL Properties]

6. Expand the SSL Properties section.

7. Select the Enabled check box.

8. Click OK.

9. Select the Reencrypt check box.

10. Select the relevant certificate from the Available Certificates list.

11. Click the right arrow.

12. Click Set Certificates.

13. Expand the Standard Options section.

[Screenshot: Gateway-VAs external Virtual Service, Standard Options]

14. Select Super HTTP as the Persistence Mode.

15. Select 30 Minutes as the Timeout value

Be sure to set the persistence timeout to no less than 30 minutes. A value lower than this may result in an error 502, “The service is currently unavailable” for clients attempting to connect.

16. Select least connection as the Scheduling Method.

17. Expand the Real Servers section.

[Screenshot: Gateway-VAs external Virtual Service, Real Servers]

18. Ensure that HTTPS Protocol is selected as the health check type.

19. Enter a forward-slash (/) in the URL text box and click Set URL.

20. Select GET as the HTTP Method.

21. Click Add New.

[Screenshot: Gateway-VAs external Virtual Service, Add Real Server]

22. Enter a Gateway-VA address in the Real Server Address field.

23. Ensure that 443 is entered as the Port.

24. Click Add This Real Server.

25. Click OK.

26. Continue to add the remaining Real Servers by entering the Real Server Address of each Gateway-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.

27. Expand the Advanced Properties section.

[Screenshot: Gateway-VAs external Virtual Service, Advanced Properties]

28. Select the Enable button in the Content Switching section.

29. Select X-Forwarded-For from the Add HTTP Headers drop down menu.

30. Click the Add HTTP Redirector button.

31. Expand the Real Servers section.

[Screenshot: Gateway-VAs external Virtual Service, Real Server rules]

32. Click None in the Rules column for the first listed Real Server.

[Screenshot: Gateway-VAs external Virtual Service, select content rule]

33. Select the content matching rule created in the Create a Content Matching Rule section.

34. Click Add.

35. Click the Back button.

36. Repeat for each Real Server to add the content matching rule to all pool members.

37. In the main menu of the LoadMaster WUI, click View/Modify Services.

38. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

6.2 Gateway-VAs (Internal Virtual Service)

To add an Internal Virtual Service for the Gateway-VAs, either on the same LoadMaster or on another cluster, repeat Steps 1 to 29 of the Gateway-VAs (External Virtual Service) section, but give the Virtual Service a different name. Steps 30 to 36 (attaching the content matching rule) are intentionally omitted so that internal administrators can still reach the administrative section of Horizon Workspace.

6.3 Connector-VAs

To add a Virtual Service for the Connector-VAs, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

[Screenshot: Connector-VAs Virtual Service, Add New]

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 443 as the Port.

4. Enter a recognizable Service Name, for example Horizon-Connector.

5. Click Add this Virtual Service.

6. Expand the Standard Options section.

[Screenshot: Connector-VAs Virtual Service, Standard Options]

7. Ensure the Force L4 check box is clear.

Keep this option cleared unless your deployment scheme dictates otherwise.

8. Ensure the Transparency check box is clear.

Keep this option cleared unless your deployment scheme dictates otherwise. With transparency off, the Connector-VAs see the LoadMaster address as the connection source, so return traffic flows back through the LoadMaster without the Connector-VAs having to route through it.

9. Select Source IP Address as the Persistence Mode.

10. Select 30 Minutes as the Timeout value.

Be sure to set the persistence timeout to no less than 30 minutes. A value lower than this may result in a 502 error, “The service is currently unavailable”, for users attempting to reconnect.

11. Select least connection as the Scheduling Method.

12. Expand the Real Servers section.

[Screenshot: Connector-VAs Virtual Service, Real Servers]

13. Use HTTPS Protocol as the health check type

14. Enter a forward-slash (/) in the URL text box and click Set URL.

15. Select GET as the HTTP Method.

16. Click Add New.

[Screenshot: Connector-VAs Virtual Service, Add Real Server]

17. Enter a Connector-VA address in the Real Server Address text box.

18. Enter 443 as the Port.

19. Click Add This Real Server.

20. Click OK.

21. Continue to add the remaining Real Servers by entering the Real Server Address of each Connector-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.

22. In the main menu of the LoadMaster WUI, click View/Modify Services.

23. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

References

KEMP Technologies product documentation can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

WUI, Configuration Guide

VMware Horizon Workspace Documentation

http://www.vmware.com/support/pubs/horizon-workspace-pubs.html

Document History


Date        Change            Reason for Change            Version   Resp.
July 2016   Release updates   Update for 7.1.35 release    7.0       LB
Oct 2016    Release updates   Update for 7.2.36 release    8.0       LB
Jan 2017    Minor changes     Enhancements made            9.0       LB
July 2017   Minor updates     Enhancements made            10.0      CMC
