Dell Wyse vWorkspace
Contents
1 Introduction
Dell Wyse vWorkspace provides desktop and application virtualization to organizations. Workspace virtualization helps to group and deliver a list of applications or desktops together as a single complete virtual workspace. vWorkspace delivers secure, full-featured virtual workspaces from a centralized infrastructure, that consists of virtual and physical computers, and provisions new users quickly.
1.1 Document Purpose
This deployment guide provides instructions on how to configure the Kemp LoadMaster to load balance the various roles in the Dell Wyse vWorkspace environment.
1.2 Intended Audience
This document is intended to be read by anyone who is interested in finding out how to configure the LoadMaster to load balance Dell Wyse vWorkspace.
2 Load Balancing vWorkspace
The figure above shows a scenario where the Kemp LoadMaster can be used to load balance vWorkspace services. In this configuration, both Secure Access Services and Web Access are deployed in the DMZ. If your configuration differs from this configuration and there are issues deploying the LoadMaster, please contact the local Kemp Support Team for assistance: http://kemptechnologies.com/load-balancing-support/kemp-support
The figure above shows a different scenario where the Kemp LoadMaster can be used to load balance vWorkspace services. In this configuration the Secure Access Services are deployed in the DMZ and the Web Access is deployed in the corporate network. If your configuration differs from this configuration and there are issues deploying the LoadMaster, please contact the local Kemp Support Team for assistance: http://kemptechnologies.com/load-balancing-support/kemp-support
2.1 vWorkspace Roles
Wyse vWorkspace consists of various roles. The Kemp LoadMaster can be configured to load balance some of these roles. The sections below discuss the various scenarios in which the Kemp LoadMaster can be used load balance vWorkspace.
2.1.1 Load Balancing Web Access Services
Web Access is a web application that acts as a web-based portal to a vWorkspace farm. It provides users with a list of available applications and desktops using their web browser.
The Web Access role also authenticates users with multiple vWorkspace farms within the same Active Directory domain.
2.1.2 Load Balancing Secure Access Services
vWorkspace Secure Access Service is an SSL gateway that simplifies the deployment of applications over the Internet. The Secure Access Service allows access to published applications through the vWorkspace Web Access client and starts these applications over SSL connections.
The Secure Access Service provides a proxy connection to vWorkspace components such as RDP Sessions, the Web Access client and connection brokers.
3 General Configuration
3.1 Enable Subnet Originating Requests Globally
It is best practice to enable the Subnet Originating Requests option globally.
In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.
In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B, Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.
When Subnet Originating Requests is enabled, the Real Server sees traffic originating from 10.20.20.21 (LoadMaster eth1 address) and responds correctly in most scenarios.
With Subnet Originating Requests disabled, the Real Server sees traffic originating from 10.0.0.15 (LoadMaster Virtual Service address on eth0) and responds to eth0 which could cause asymmetric routing.
When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether to enable Subnet Originating Requests on a per-Virtual Service basis.
To enable Subnet Originating Requests globally, follow the steps below:
1. In the main menu of the LoadMaster User Interface (UI), go to System Configuration > Miscellaneous Options > Network Options.
2. Select the Subnet Originating Requests check box.
3.2 SSL Certificates
An SSL certificate is required to be installed on the LoadMaster to support load-balanced components such as the Secure Access Service.
The certificate needs to match the hostname which is used to connect to the load-balanced services of the LoadMaster and can be a single wildcard, for example *.domain.com, or multiple regular certificates, for example secure.domain.com.
To install an SSL certificate on the LoadMaster, follow the steps below in the LoadMaster Web User Interface (WUI):
1. In the main menu, select Certificates & Security > SSL Certificates.
2. Click Import Certificate.
3. Click Choose File or Browse.
4. Browse to and select the certificate.
5. Enter a Pass Phrase if needed.
6. Enter a name (preferably the DNS name of the service) in the Certificate Identifier field.
7. Click Save.
8. Click OK.
This certificate will be assigned to some of the Virtual Services in later steps.
It is also possible to use this certificate for administrative purposes (browsing the LoadMaster WUI). To do this, on the Manage Certificates screen, select the certificate in the Administrative Certificate drop-down list and click Use Certificate.
4 Configure Virtual Services for vWorkspace
4.1 Secure Access Prerequisites
As described in the SSL Certificates section, implementing load balancing for vWorkspace Secure Access Services requires connectivity over HTTPS protocol (port 443).
This document will cover an example of the settings required for vWorkspace. The vWorkspace administrator should follow the Deployment Guide provided by Dell to complete the configuration based on their unique topology.
Before adding Virtual Services to the Kemp LoadMaster, ensure to have the DNS names and IP addresses available for all Secure Access Service roles in your deployment. The DNS Names used must be included in the Certificate that was installed in the SSL Certificates section.
1. Install the Certificate that will be used to encrypt the traffic on each of the Secure Access Servers.
2. On each of the vWorkspace Secure Access Servers, launch the Secure Access configuration utility from the Windows Server 2012 Start Menu.
3. Under the properties of the Secure Access Service, configure the following settings:
a) In the RDP Proxy section:
i. Select the Local IP Address.
ii. Enter 443 as the Local Port.
iii. Select the SSL certificate to be used to encrypt traffic.
b) In the Web Interface Proxy section:
iv. Select the Local IP Address.
v. Enter 443 as the Local Port.
vi. Enter 80 as the Dest. Port.
vii. Enter the Destination Host URL for the Web Access Server.
This will point to the Kemp LoadMaster Virtual Service for the Web Access Role.
c) In the Connection Broker Proxy section:
viii. Select the Local IP Address.
ix. Enter 443 as the Local Port.
x. Enter 8080 as the Dest. Port.
xi. Enter the Destination Host(s) for the internal Connection Broker(s).
4. Click OK.
4.2 Virtual Services - Secure Access
Configure the LoadMaster settings by following the steps below in the LoadMaster WUI:
1. In the main menu, select Virtual Services and Add New.
2. Enter the relevant IP address in the Virtual Address text box.
3. Enter 443 as the Port.
4. Enter a recognizable Service Name, such as vWorkspace Secure Access Service.
5. Click Add this Virtual Service.
6. Enter the details shown in the following table:
|
Section |
Option |
Value |
Comments |
|---|---|---|---|
|
Standard Options |
Persistence Mode |
Source IP Address |
|
|
|
Timeout |
6 minutes |
|
|
|
Scheduling Method |
least connection |
|
|
SSL Properties |
SSL Acceleration |
Enabled |
|
|
|
Reencrypt |
Enabled |
|
| Assigned Certificates | Selected | Select the certificate in the Available Certificates box. Click the right arrow to move the certificate to the Assigned Certificates box then click Set Certificates | |
|
Real Servers |
Real Server Check Method |
HTTPS Protocol |
|
|
|
Checked Port |
443 |
Click Set Check PortNew. |
7. Select Reencrypt.
The LoadMaster will use this information to check if the Secure Access servers are reachable.
8. Add the Real Servers.
a) Click Add New to add the Secure Access servers as Real Servers.
b) Enter the Real Server Address.
c) Enter 443 as the Port.
d) Click Add This Real Server.
e) Repeat the three steps above until all Real Servers have been added.
4.3 Web Access Prerequisites
Before configuring the Kemp LoadMaster, ensure to have the DNS names and IP addresses available for all Web Access roles in your deployment.
This document will cover an example of the settings required for vWorkspace. The vWorkspace administrator should follow the Deployment Guide provided by Dell to complete the configuration based on their unique topology.
1. Configure the website on each of the Web Access Servers using the Web Access Site Manager.
2. Within the vWorkspace Management Console, select Web Access in the left-hand navigation, and add the website for each of the Web Access servers.
4.4 Virtual Services - Web Access
Configure the LoadMaster settings by following the steps below in the LoadMaster WUI:
1. In the main menu, select Virtual Services and Add New.
2. Enter the relevant IP address in the Virtual Address text box.
3. Enter 80 as the Port.
4. Enter a recognizable Service Name, such as vWorkspace Web Access.
5. Click Add this Virtual Service.
6. Enter the details shown in the following table:
|
Section |
Option |
Value |
Comments |
|---|---|---|---|
|
Standard Options |
Persistence Mode |
Source IP Address |
|
|
|
Timeout |
6 minutes |
|
|
|
Scheduling Method |
least connection |
|
|
Real Servers |
Real Server Check Method |
HTTP Protocol |
|
|
|
Checked Port |
80 |
Click Set Check Port. |
The LoadMaster will use this information to check if the Web Access servers are reachable.
7. Add the Real Servers.
a) Click Add New to add the Secure Access servers as Real Servers.
b) Enter the Real Server Address.
c) Enter 80 as the Port.
d) Click Add This Real Server.
e) Repeat the three steps above until all Real Servers have been added.
5 Testing
After following the implementation steps in the previous section, follow the steps below to test the load-balanced vWorkspace environment:
1. Open a web browser that is able to reach the load-balanced IP.
2. Browse to the configured DNS name for the load-balanced service, for example https://Secure.kempdemo.com/access. A web page should be presented with the vWorkspace login page. This indicates that the LoadMaster has redirected the session to a Real Server.
3. Enter a username and password with permissions to access the vWorkspace environment.
4. In the LoadMaster WUI, go to Statistics > Real Time Statistics.
5. Click the Real Servers button.
This overview shows the active sessions, sessions over the last hour, in addition to how many requests each Real Server handled.
6. Open another web browser on a different client and perform the first three steps above.
7. Refresh the LoadMaster statistics page. Notice that, based on the load balancing method we chose, load is spread over both Secure Access Servers (192.168.20.14 and 192.168.20.15).
References
Some resources on Dell Wyse vWorkspace are listed below:
Dell Wyse vWorkspace Datasheet
Dell Wyse Reference Architecture
Dell Wyse vWorkspace Administration Guide
http://documents.software.dell.com/vworkspace/8.6/administration-guide
Dell Wyse vWorkspace product documents
https://support.software.dell.com/vworkspace/release-notes-guides
Dell Wyse vWorkspace Community
http://en.community.dell.com/techcenter/virtualization/vworkspace
Last Updated Date
This document was last updated on 01 February 2022.