Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

VMware Horizon View 6

1 Introduction

VMware Horizon (with View) delivers virtualized remote desktops and applications to remote users using desktop client and browser interfaces. This document describes how to balance client traffic in a VMware Horizon (with View) environment using the Kemp LoadMaster. For clarity, the VMware Horizon (with View) product will be referred to as View throughout this document.

1.1 How VMware Horizon (with View) Works

A simple View environment consists of a Security server and a Connection server which authenticate and connect remote users to the virtual desktop/application environment. These servers act together and are deployed in 1:1 pairs. From a LoadMaster point of view, all connections are with the security server. The initial connection is made over HTTPS and once authenticated, the security server provides the client with connection details (URL for web connections and an IP address for PCoIP). The client then establishes a connection to the services on the URL/IP address provided in the authentication reply.

Only the initial (HTTPS) connection needs to be load-balanced as there is a 1:1 mapping between the URL/IP address provided and the security/connection server pair that will service the client session.

1.2 Solution Environment

The LoadMaster is deployed in-line as a proxy for all services including PCoIP. Alternative deployment options could have PCoIP bypass the LoadMaster as it is only the initial session establishment (HTTPS) that needs to be load balanced.

Solution Environment.png

On the LoadMaster, the 10.154.11.31 Virtual IP (VIP) address is used to balance the client's initial HTTPS connection between the two View instances which are represented by the 10.154.11.32/10.154.11.33 VIPs. Each of the View instance VIPs offers services on HTTPS, on port 4172 for PCoIP (UDP and TCP) and on port 8443 for View Blast.

1.3 Product Versions and Platforms Tested

Product

Product Version

Deployment Platform

Kemp LoadMaster

7.1-20c

Applies to all virtual and physical platforms

View Client

3.1.0.21879

Windows 8.1 Enterprise

View Connection/Security server

6.0.0-1884746

Windows 2012 R2 Server

 

2 Service Configuration

2.1 Configuring LoadMaster for View 6

To support the environment outlined above, a number of Virtual Services need to be defined on the LoadMaster. The table below outlines example details that would need to be configured on the LoadMaster.

VIP

Real Server(s)

Purpose

10.154.11.31:443 (TCP)

10.154.201.2

10.154.201.3

Balance the initial SSL connection from the client between the View Connection/Security server instances

10.154.11.32:443 (TCP)

10.154.201.2

Accept load-balanced client connections on HTTPS

10.154.11.32:4172 (TCP)

10.154.201.2

PCoIP connections can be over UDP or TCP. These Virtual Services forward connections to the View Connection Server.

10.154.11.32:4172 (UDP)

10.154.201.2

10.154.11.32:8443 (TCP)

10.154.201.2

Blast is the View via a browser protocol which we deliver on port 8443

10.154.11.33:443 (TCP)

10.154.201.3

 

Second View instance of the above services

10.154.11.33:4172 (TCP)

10.154.201.3

10.154.11.33:4172 (UDP)

10.154.201.3

10.154.11.33:8443 (TCP)

10.154.201.3

HTTPS is being offered on three Virtual Services in the configuration above. Each of these will require a certificate and associated private key for the Fully Qualified Domain Name (FQDN) of the VIP. In the example, we are using a wildcard certificate (*.viewlab.net) on all of the Virtual Services supporting HTTPS.

2.2 Enable Check Persist Globally

It is recommended that you change the Always Check Persist option to Yes - Accept Changes. Use the following steps:

1. Go to System Configuration > Miscellaneous Options > L7 Configuration.

2. Click the Always Check Persist drop-down arrow and select Yes - Accept Changes.

2.3 Template

Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create Virtual Services (VSs) because it automatically populates the settings. You can use the template to easily create the required VSs with the recommended settings. For some workloads, additional manual steps may be required such as assigning a certificate or applying port following, these steps are covered in the document, if needed.

You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.

Download released templates from the following page: LoadMaster Templates.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation page.

2.4 Virtual Service Settings on LoadMaster

Virtual Service Settings on.png

For clarity in the example, each of the services is explicitly defined giving a Virtual Services list as in the above screenshot.

2.5 Configuring the Initial SSL Connection Virtual Service

To configure the initial SSL Virtual Service on the LoadMaster, follow the steps below in the WUI:

1. In the main menu, select Virtual Services > Add New.

Configuring the Initial SSL.png

2. Enter a valid Virtual Address.

3. Enter 443 as the Port.

4. Enter a recognizable Service Name.

5. Click Add this Virtual Service.

6. Configure the settings as shown in the following table:

Section

Option

Value

Comment
SSL Properties SSL Acceleration Enabled  
  Reencrypt Enabled  
  Certificates Select the appropriate certificate. Click > to assign the certificate. Click Set Certificates.

Standard Options

Persistence Mode Server Cookie  
  Cookie name JSESSIONID Click Set Cookie.

 

Scheduling Method Select the appropriate method for the particular View infrastructure that is deployed.  

7. Expand the Real Servers section.

Configuring the Initial SSL_3.png

8. Click Add New.

Configuring the Initial SSL_4.png

9. Enter the relevant Real Server Address, for example 10.154.201.3.

10. Click Add This Real Server.

In some environments, it may be appropriate to create a HTTP to HTTPS redirect to automatically forward unencrypted connection requests to the secure service. To add the redirect Virtual Service, follow the steps in the section below.

2.5.1 Configuring the Redirect Virtual Service

To create and configure the Redirect Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster, go to Virtual Services > Add New.

Configuring the Redirect Virtual.png

2. Enter the same IP address as the one used when creating the initial SSL connection Virtual Service in the Configuring the Initial SSL Connection Virtual Service section.

3. Enter 80 as the Port.

4. Click Add this Virtual Service.

5. Configure the settings as shown in the following table:

Section

Option

Value

Advanced Properties Error Code 302 Found
  Redirect URL https://%h%s

Standard Options

Transparency Disabled

2.6 Configuring the Load-Balanced HTTPS Virtual Service

This Virtual Service needs to be defined for each security server in the View environment. There is a 1:1 relationship between this Virtual Service and the Security server so scheduling options can be left at default.

Configure the settings as shown in the following table:

Section

Option

Value

Comment

Standard Options

Persistence Mode Server Cookie  
  Cookie name JSESSIONID Click Set Cookie.

SSL Properties

SSL Acceleration Enabled  

 

Reencrypt Enabled  

2.7 Configuring the PCoIP Virtual Service

The PCoIP Virtual Service provides a simple Layer 4 reverse proxy connection to the security server on port 4172. Two variants are required to support both TCP and UDP connections.

Configuring the PCoIP Virtual.png

SSL offloading is not required for this service. The service should have a Generic Service Type with default persistence and scheduling.

Configuring the PCoIP Virtual_1.png

In the TCP Virtual Service, the PCoIP system health check is performed by setting the health check to TCP Connection Only.

Configuring the PCoIP Virtual_2.png

In the UDP Virtual Service, the health check should be set to ICMP Ping.

2.8 Configuring the Blast Virtual Service

The Blast Virtual Service provides a reverse HTTPS proxy on port 8443. This protocol may be SSL offloaded and reencrypted or passed directly to the server.

Configuring the PCoIP Virtual_1.png

The health check method should be set to TCP Connection Only.

3 Configuring VMware Horizon (with View)

The connection points for the remote clients can be set to the relevant LoadMaster Virtual Services in the Connection Server Settings screen in VMware view.

Configuring VMware Horizon.png

The HTTP(S) and Blast URLs must be an FQDN and the PCoIP URL must be an IP address. The ports specified must match the Virtual Services ports defined in the LoadMaster.

In the context of the example, each Connection Server is configured with the URLs that point to the per-instance Virtual Services on the LoadMaster. The URLs resolve as follows:

URL

IP Address

Viewcon-01.viewlab.net

10.154.11.32

Viewcon-02.viewlab.net

10.154.11.33

 

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

Last Updated Date

This document was last updated on 21 February 2022.


Was this article helpful?
0 out of 0 found this helpful

Comments