VMware Horizon View 6
1 Introduction
VMware Horizon (with View) delivers virtualized remote desktops and applications to remote users using desktop client and browser interfaces. This document describes how to balance client traffic in a VMware Horizon (with View) environment using the Kemp LoadMaster. For clarity, the VMware Horizon (with View) product will be referred to as View throughout this document.
1.1 How VMware Horizon (with View) Works
A simple View environment consists of a Security server and a Connection server which authenticate and connect remote users to the virtual desktop/application environment. These servers act together and are deployed in 1:1 pairs. From a LoadMaster point of view, all connections are with the security server. The initial connection is made over HTTPS and once authenticated, the security server provides the client with connection details (URL for web connections and an IP address for PCoIP). The client then establishes a connection to the services on the URL/IP address provided in the authentication reply.
Only the initial (HTTPS) connection needs to be load-balanced as there is a 1:1 mapping between the URL/IP address provided and the security/connection server pair that will service the client session.
1.2 Solution Environment
The LoadMaster is deployed in-line as a proxy for all services including PCoIP. Alternative deployment options could have PCoIP bypass the LoadMaster as it is only the initial session establishment (HTTPS) that needs to be load balanced.
On the LoadMaster, the 10.154.11.31 Virtual IP (VIP) address is used to balance the client's initial HTTPS connection between the two View instances which are represented by the 10.154.11.32/10.154.11.33 VIPs. Each of the View instance VIPs offers services on HTTPS, on port 4172 for PCoIP (UDP and TCP) and on port 8443 for View Blast.
1.3 Product Versions and Platforms Tested
| Product | Product Version | Deployment Platform |
|---|---|---|
| Kemp LoadMaster | 7.1-20c | Applies to all virtual and physical platforms |
| View Client | 3.1.0.21879 | Windows 8.1 Enterprise |
| View Connection/Security server | 6.0.0-1884746 | Windows 2012 R2 Server |
2 Service Configuration
2.1 Configuring LoadMaster for View 6
To support the environment outlined above, a number of Virtual Services need to be defined on the LoadMaster. The table below outlines example details that would need to be configured on the LoadMaster.
| VIP | Real Server(s) | Purpose |
|---|---|---|
| 10.154.11.31:443 (TCP) | 10.154.201.2, 10.154.201.3 | Balance the initial SSL connection from the client between the View Connection/Security server instances |
| 10.154.11.32:443 (TCP) | 10.154.201.2 | Accept load-balanced client connections on HTTPS |
| 10.154.11.32:4172 (TCP) | 10.154.201.2 | PCoIP connections can be over UDP or TCP. These Virtual Services forward connections to the View Connection Server. |
| 10.154.11.32:4172 (UDP) | 10.154.201.2 | |
| 10.154.11.32:8443 (TCP) | 10.154.201.2 | Blast is the protocol for accessing View through a browser; it is delivered on port 8443 |
| 10.154.11.33:443 (TCP) | 10.154.201.3 | Second View instance of the above services |
| 10.154.11.33:4172 (TCP) | 10.154.201.3 | |
| 10.154.11.33:4172 (UDP) | 10.154.201.3 | |
| 10.154.11.33:8443 (TCP) | 10.154.201.3 | |

HTTPS is being offered on three Virtual Services in the configuration above. Each of these will require a certificate and associated private key for the Fully Qualified Domain Name (FQDN) of the VIP. In the example, we are using a wildcard certificate (*.viewlab.net) on all of the Virtual Services supporting HTTPS.
2.2 Enable Check Persist Globally
It is recommended that you change the Always Check Persist option to Yes - Accept Changes. Use the following steps:
1. Go to System Configuration > Miscellaneous Options > L7 Configuration.
2. Click the Always Check Persist drop-down arrow and select Yes - Accept Changes.
2.3 Template
Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create the required Virtual Services (VSs) because it automatically populates the recommended settings. For some workloads, additional manual steps may be required, such as assigning a certificate or applying port following. These steps are covered in the document, if needed.
You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.
Download released templates from the following page: LoadMaster Templates.
For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation page.
2.4 Virtual Service Settings on LoadMaster
For clarity in the example, each of the services is explicitly defined giving a Virtual Services list as in the above screenshot.
2.5 Configuring the Initial SSL Connection Virtual Service
To configure the initial SSL Virtual Service on the LoadMaster, follow the steps below in the WUI:
1. In the main menu, select Virtual Services > Add New.
2. Enter a valid Virtual Address.
3. Enter 443 as the Port.
4. Enter a recognizable Service Name.
5. Click Add this Virtual Service.
6. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
| | Certificates | Select the appropriate certificate. | Click > to assign the certificate. Click Set Certificates. |
| Standard Options | Persistence Mode | Server Cookie | |
| | Cookie name | JSESSIONID | Click Set Cookie. |
| | Scheduling Method | Select the appropriate method for the particular View infrastructure that is deployed. | |

7. Expand the Real Servers section.
8. Click Add New.
9. Enter the relevant Real Server Address, for example 10.154.201.3.
10. Click Add This Real Server.
In some environments, it may be appropriate to create an HTTP-to-HTTPS redirect to automatically forward unencrypted connection requests to the secure service. To add the redirect Virtual Service, follow the steps in the section below.
2.5.1 Configuring the Redirect Virtual Service
To create and configure the Redirect Virtual Service, follow the steps below:
1. In the main menu of the LoadMaster, go to Virtual Services > Add New.
2. Enter the same IP address as the one used when creating the initial SSL connection Virtual Service in the Configuring the Initial SSL Connection Virtual Service section.
3. Enter 80 as the Port.
4. Click Add this Virtual Service.
5. Configure the settings as shown in the following table:
| Section | Option | Value |
|---|---|---|
| Advanced Properties | Error Code | 302 Found |
| | Redirect URL | https://%h%s |
| Standard Options | Transparency | Disabled |
2.6 Configuring the Load-Balanced HTTPS Virtual Service
This Virtual Service needs to be defined for each security server in the View environment. There is a 1:1 relationship between this Virtual Service and the Security server so scheduling options can be left at default.
Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Standard Options | Persistence Mode | Server Cookie | |
| | Cookie name | JSESSIONID | Click Set Cookie. |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
2.7 Configuring the PCoIP Virtual Service
The PCoIP Virtual Service provides a simple Layer 4 reverse proxy connection to the security server on port 4172. Two variants are required to support both TCP and UDP connections.
SSL offloading is not required for this service. The service should have a Generic Service Type with default persistence and scheduling.
In the TCP Virtual Service, the PCoIP system health check is performed by setting the health check to TCP Connection Only.
In the UDP Virtual Service, the health check should be set to ICMP Ping.
2.8 Configuring the Blast Virtual Service
The Blast Virtual Service provides a reverse HTTPS proxy on port 8443. This protocol may be SSL offloaded and reencrypted or passed directly to the server.
The health check method should be set to TCP Connection Only.
3 Configuring VMware Horizon (with View)
The connection points for the remote clients can be set to the relevant LoadMaster Virtual Services in the Connection Server Settings screen in VMware View.
The HTTP(S) and Blast URLs must be an FQDN and the PCoIP URL must be an IP address. The ports specified must match the Virtual Services ports defined in the LoadMaster.
In the context of the example, each Connection Server is configured with the URLs that point to the per-instance Virtual Services on the LoadMaster. The URLs resolve as follows:
| URL | IP Address |
|---|---|
| Viewcon-01.viewlab.net | 10.154.11.32 |
| Viewcon-02.viewlab.net | 10.154.11.33 |
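
The rules above (FQDN for HTTP(S) and Blast, IP address for PCoIP, ports matching the Virtual Services, names covered by the wildcard certificate) can be checked before the values are entered in View. The following Python check is an added example, not part of the Kemp or VMware documentation; the function names, the embedded DNS map and the `ip:port` form of the PCoIP setting are assumptions, and the addresses come from the tables in this document.

```python
import ipaddress
from urllib.parse import urlsplit

# Per-instance Virtual Services (section 2.1 table): VIP -> {(port, protocol)}
SERVICES = {(443, "tcp"), (4172, "tcp"), (4172, "udp"), (8443, "tcp")}
VS_PLAN = {"10.154.11.32": SERVICES, "10.154.11.33": SERVICES}
# Name resolution from the section 3 table, embedded so the check runs offline
DNS = {"viewcon-01.viewlab.net": "10.154.11.32",
       "viewcon-02.viewlab.net": "10.154.11.33"}
WILDCARD = "*.viewlab.net"  # wildcard certificate named in section 2.1

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def wildcard_covers(pattern, fqdn):
    # A certificate wildcard stands for exactly one left-most label
    p, f = pattern.lower().split("."), fqdn.lower().split(".")
    return len(p) == len(f) and p[0] == "*" and p[1:] == f[1:]

def check_instance(https_url, pcoip_url, blast_url):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    for name, url in (("HTTPS", https_url), ("Blast", blast_url)):
        u = urlsplit(url)
        host, port = u.hostname or "", u.port or 443
        if u.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if is_ip(host) or "." not in host:
            problems.append(f"{name}: host must be an FQDN, got {host!r}")
            continue
        vip = DNS.get(host)
        if vip not in VS_PLAN:
            problems.append(f"{name}: {host} is not a per-instance VIP name")
        elif (port, "tcp") not in VS_PLAN[vip]:
            problems.append(f"{name}: no TCP Virtual Service on {vip}:{port}")
        if not wildcard_covers(WILDCARD, host):
            problems.append(f"{name}: {host} not covered by {WILDCARD}")
    host, _, port = pcoip_url.rpartition(":")  # assumed form: ip:port
    needed = {(int(port), "tcp"), (int(port), "udp")} if port.isdigit() else None
    if not is_ip(host):
        problems.append(f"PCoIP: must be an IP address, got {host!r}")
    elif needed is None or not needed <= VS_PLAN.get(host, set()):
        problems.append(f"PCoIP: {pcoip_url} needs TCP and UDP Virtual Services")
    return problems
```

Calling `check_instance("https://viewcon-01.viewlab.net:443", "10.154.11.32:4172", "https://viewcon-01.viewlab.net:8443")` returns an empty list for the first View instance in the example environment.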
References
Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.
Virtual Services and Templates, Feature Description
Last Updated Date
This document was last updated on 21 February 2022.