VMware Horizon Workspace. VMware Horizon Workspace 1.5. Deployment Guide


VMware Horizon Workspace 1.5 Deployment Guide VERSION: 7.0 UPDATED: JULY 2016

Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo are registered trademarks of KEMP Technologies, Inc.. KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software and documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement. Information in this guide may be modified at any time without prior notice. Microsoft Windows is a registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and service marks are the property of their respective owners. Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts to ensure that the information presented herein are correct, but makes no warranty, express or implied, about the accuracy of this information. If any material errors or inaccuracies should occur in this document, KEMP Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the sole and exclusive remedy at law or in equity. Users of the information in this document acknowledge that KEMP Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective, including without limitation any direct, special, incidental or consequential damages (including without limitation lost profits and loss of damage to goodwill) whether suffered by recipient or third party or from any action or inaction whether or not negligent, in the compiling or in delivering or communicating or publishing this document. Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact information used in this document are not intended to be actual addresses, phone numbers or contact information. 
Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual addressing or contact information in illustrative content is unintentional and coincidental. Portions of this software are; copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002 Michael Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the above copyright holders.. 
Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc. -51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA- and KEMP Technologies Inc. is in full compliance of the GNU license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Copyright 2002-2016 KEMP Technologies, Inc. All Rights Reserved. 2

Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler.

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Portions of this software are Copyright (C) 2003, Internet Systems Consortium.

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and 6,970,933

Table of Contents

1 Introduction
    1.1 Document Purpose
    1.2 Intended Audience
2 VMware Horizon Workspace Overview
    2.1 Horizon Connector Virtual Appliance (Connector-VA)
    2.2 Horizon Gateway Virtual Appliance (Gateway-VA)
    2.3 Other Horizon Workspace Components
    2.4 Load Balancing VMware Horizon Gateway-VAs
    2.5 Load Balancing VMware Horizon Connector-VAs
3 Example Environment Setup
4 Prerequisites
    4.1 Configure Gateway-VA NGINX Components
        4.1.1 Horizon Workspace 1.5 X-Forwarded-For Configuration
        4.1.2 Horizon Workspace 1.0 X-Forwarded-For Configuration
    4.2 Create a Content Matching Rule
    4.3 DNS
    4.4 SSL Certificate Import on the LoadMaster
    4.5 Update Connector IdP Hostname
5 VMware Horizon Workspace Templates
6 Virtual Service Configuration
    6.1 Gateway-VAs (External Virtual Service)
    6.2 Gateway-VAs (Internal Virtual Service)
    6.3 Connector-VAs
References
Document History

1 Introduction

VMware Horizon Workspace provides a single workspace for easy and secure access to applications, files and desktops on virtually any device. It is delivered as a SUSE Linux-based vApp (an Open Virtual Appliance (.OVA) file) consisting of multiple Virtual Appliances (VA) that are deployed through VMware vCenter in a VMware infrastructure. The various deployed Virtual Appliances are used by the Workspace solution to provide:

- A centralized workspace for application and data access
- Cloud-Identity management
- Compliance requirements support
- Data and file synchronization
- Data leak prevention through separation of corporate and personal data
- Secure file sharing both internally and externally for collaboration enablement
- Simplified administrative management of resource entitlement and policy control

Figure 1-1: VMware Horizon Workspace Overview

1.1 Document Purpose

Figure 1-2: VMware Ready

The Virtual LoadMaster is VMware ready.

This document is intended to provide guidance on how to configure the KEMP LoadMaster to provide High Availability (HA) for a VMware Horizon Workspace 1.5 environment. This document is not exclusively restricted to this version of VMware Horizon Workspace nor does it claim explicit support for any or every other version of the application. This documentation is created using a representative sample environment which is described later in the document. As the intent of this document is not to cover every possible deployment scenario, it may not address your unique setup, requirements, network layout or needs. In the event that your infrastructure needs are not illustrated or reflected herein, the KEMP Engineering and Support Teams are available to provide guidance surrounding scenarios otherwise not explicitly defined.

1.2 Intended Audience

It is assumed that the reader is a server or network administrator who is familiar with networking, virtualization technologies, Windows and Linux operating systems, VMware and the Horizon suite, DNS, Active Directory and general computer and network terminology. It is further assumed that the VMware Horizon Workspace environment, DNS and Active Directory have all been set up and that the KEMP LoadMaster is installed.

KEMP recommends reviewing the LoadMaster documentation and VMware Horizon Workspace 1.5 documentation.

- LoadMaster documentation is available at http://www.kemptechnologies.com/documentation
- VMware Horizon Workspace documentation is available at https://www.vmware.com/support/pubs/horizon-workspace-pubs.html

2 VMware Horizon Workspace Overview

This section provides:

- A description of the VMware Horizon Workspace Virtual Appliances that require high availability provided by an Application Delivery Controller (ADC), i.e. the KEMP LoadMaster
- A description of some other Workspace components
- A reference diagram of the VMware Horizon Workspace architecture

2.1 Horizon Connector Virtual Appliance (Connector-VA)

The Horizon Connector provides capabilities for local user authentication and Active Directory binding and synchronization services. Additional services provided by the Connector-VA are ThinApp catalog loading and View pool synchronization. To provide high availability and improved scalability, multiple Connector virtual appliances should be deployed behind an internal load balancer/reverse proxy.

2.2 Horizon Gateway Virtual Appliance (Gateway-VA)

The Horizon Gateway serves as the single namespace for all Horizon Workspace interaction and enables a user-facing domain for access to Horizon Workspace. It serves as the central aggregation point for all client connections, routes client traffic to the correct destination and proxies all requests. Horizon Workspace requires one Gateway-VA for every two data virtual appliances or one Gateway-VA for every 2,000 users. To provide high availability and improved scalability, multiple Gateway virtual appliances should be deployed behind a load balancer/reverse proxy.

Placing Gateway virtual appliances in the DMZ is not supported.

2.3 Other Horizon Workspace Components

Other virtual appliances included in the Horizon Workspace vApp are:

- Horizon Configurator (Configurator-VA): An administrative console and web user interface for central SSL management as well as network, Gateway, vCenter and SMTP configuration of the virtual appliances in the Horizon vApp.
- Horizon Manager (Service-VA): A web-based administrative interface allowing configuration of the application catalog, user entitlement management and systems reporting.
- VMware Horizon Data (Data-VA): Serves as a datastore for user files, controls file sharing policies, provides file preview services and acts as the Horizon Workspace web interface for end users.

Figure 2-2: Horizon Workspace Reference Architecture Design*

Internal and external Gateway load balancing can be handled either by two separate load balancers or a single load balancer with connections to both the DMZ and internal trusted local area network segments. Connector load balancing is handled by the internal load balancer.

*Based on: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reference-architecture.pdf

2.4 Load Balancing VMware Horizon Gateway-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

1. The client establishes an SSL connection to the LoadMaster Virtual Service for the VMware Horizon Workspace URL and the LoadMaster performs SSL decryption. If desired, the LoadMaster can be configured to deny external access to the administrative section of Horizon Workspace for added security.
2. The X-Forwarded-For header with the requestor's client IP address is inserted.
3. The LoadMaster re-encrypts the connection and continues communication with Gateway Virtual Appliance(s).
4. The client request is load balanced to the most appropriate Gateway Virtual Appliance based on health check and persistence validation.

Traffic initiated by internal clients behaves in the same manner aside from restricting access to the administrative virtual directory.

Figure 2-3: Gateway Virtual Appliances Load Balanced by LoadMaster ADCs

2.5 Load Balancing VMware Horizon Connector-VAs

The steps and diagram below depict a KEMP LoadMaster deployment with a VMware Horizon Workspace environment:

1. After client traffic is passed through the LoadMaster to the appropriate Gateway-VA as detailed in Section 2.4, the Gateway looks at the X-Forwarded-For header to determine which Connectors to use for authentication.
2. The client request is then redirected to the appropriate Connector IdP URL. The LoadMaster hosting the Connector Virtual Service sends the response to the best suited Connector-VA.
3. The Connector sends an HTTPS redirect to the client so that the client now connects directly to its FQDN.
4. Using Kerberos, the Connector authenticates the client request against Active Directory.

Figure 2-4: Connector Virtual Appliances Load Balanced by LoadMaster ADC

3 Example Environment Setup

TestCompany has deployed VMware Horizon Workspace 1.5 in their environment to provide centralized workspace access from a variety of devices by their workforce. The infrastructure is accessed by clients both internally and externally. Among other supporting components, the deployment contains the following:

- Two VMware Horizon Gateway-VAs
- Two VMware Horizon Connector-VAs
- One KEMP LoadMaster HA cluster deployed in the DMZ
- One KEMP LoadMaster HA cluster deployed in the trusted corporate LAN

In the deployment architecture defined herein, the LoadMaster handles internal and external HTTPS connectivity to the Gateway-VAs as well as connectivity for the Connector-VAs. The LoadMaster provides the following for Workspace deployments:

- Scheduling and health check algorithms which ensure that requests are sent to the best target
- L7 content matching capabilities which minimize attack vectors for added security
- Header injection functionality which ensures that client IPs are detected by Gateway-VAs
- SSL overlay functions which ensure L7 processing and an end-to-end secure traffic stream

4 Prerequisites

Minimally, the following prerequisites should be complete:

- Implemented Active Directory, DNS and other core requirements for Horizon Workspace
- Installed VMware ESXi servers, vCenter server, and Workspace virtual appliances
- Configured Certificate Authority (CA)-signed SSL certificates for the Workspace infrastructure
- Installed LoadMaster(s) with interfaces on the same network(s) as the virtual appliances
- Established administrative access to the LoadMaster Web User Interface (WUI)

4.1 Configure Gateway-VA NGINX Components

4.1.1 Horizon Workspace 1.5 X-Forwarded-For Configuration

To allow LoadMaster to request web services that are deployed behind the Gateway-VAs in Horizon Workspace 1.5, the following change must be made:

1. Navigate to the Configurator-VA URL and log in.

   Figure 4-1: Connector Virtual Appliances Load Balanced by LoadMaster ADC

2. In the menu on the left, click X-Forwarded-For.
3. Enter the load balancer IP address(es) with descriptive comments (one per line).
4. Click Save and reboot all Gateway-VAs if changes do not take effect within a few minutes.

This X-Forwarded-For modification also sets the real_ip_header value in /opt/vmware/nginx/conf/nginx.conf.

4.1.2 Horizon Workspace 1.0 X-Forwarded-For Configuration

To allow LoadMaster to request web services that are deployed behind the Gateway-VAs in Horizon Workspace 1.0, the following change must be made:

1. SSH into each Gateway-VA as sshuser and su to root.
2. Edit /opt/vmware/nginx/conf/nginx.conf using VI, or another screen editor.
3. Find the section of the file that reads similar to the following:

       real_ip_header X-Forwarded-For;
       real_ip_recursive off;
       include gen/real_ip.conf;

4. Below the line that reads include gen/real_ip.conf; add a set_real_ip_from <LoadMaster IP Address>; line, as shown in the example below:

       real_ip_header X-Forwarded-For;
       real_ip_recursive off;
       include gen/real_ip.conf;
       # Accept X-Forwarded-For only from the LoadMaster address
       set_real_ip_from 172.16.5.100;

5. Commit the changes that have just been made and restart the nginx service:
   a) If using VI to edit the file, type ZZ or :wq!.
   b) To restart the nginx service, type service nginx restart.

4.2 Create a Content Matching Rule

Follow the steps below to create a content matching rule on the LoadMaster that will be used later to block external access to the administrative portion of the Workspace environment:

1. Log in to the LoadMaster WUI.
2. In the menu on the left select Rules & Checking and select Content Rules.
3. Click the Create New button.

   Figure 4-4: Create Rule Screen

4. Enter the Rule Name, for example vmworkspace.
5. Ensure the Rule Type is set to Content Matching.
6. Ensure the Match Type is set to Regular Expression.
7. Enter ^/admin* as the pattern in the Match String text box.
8. Tick the Ignore Case check box.
9. Tick the Fail on Match check box.
10. Click the Create Rule button.

4.3 DNS

Access to the DNS system(s) used in the network environment must be available in order to configure name resolution (A and PTR records) for the Horizon Workspace Gateway and Connector namespaces to point to the Virtual Service IP address(es) that will be configured on the LoadMaster.

The FQDN configured for the Horizon Workspace environment cannot be changed after installation. In the event that the namespace requires changing post-installation, the Horizon Workspace vApp must be redeployed. The same namespace should be used for both internal and external access.

4.4 SSL Certificate Import on the LoadMaster

Follow the steps below to import the relevant Horizon Workspace certificate on the KEMP LoadMaster:

1. In the main menu of the LoadMaster WUI, go to Certificates > Security > SSL Certificates.
2. Click Import Certificate.

   Figure 4-6: Certificate Being Added

3. Click Choose File in the Certificate File field.
4. Browse to and select the certificate in use in the Horizon Workspace infrastructure. This must be a .pfx or .pem file containing private keys for the certificate used on the Horizon Workspace servers.
5. If relevant, click Choose File in the Key File (optional) field to browse to and select the key file.
6. Enter the Pass Phrase.
7. Enter a recognizable name in the Certificate Identifier text box.
8. Click Save.
9. Click OK.

   Figure 4-1: Add Intermediate

10. If additional intermediate certificate(s) are required to complete the certificate chain, click Add Intermediate.

    Figure 4-8: Intermediate Certificate Being Added

11. Click Choose File in the Intermediate Certificate field.
12. Browse to and select the appropriate intermediate certificate.
13. Enter a recognizable name in the Desired File Name text box.
14. Click Add Certificate.

4.5 Update Connector IdP Hostname

To change the IdP hostname on the Connector-VAs, take the following steps:

1. Log in to the web admin console of each Connector-VA.
2. Navigate to Identity Provider. Change the IdP hostname to the FQDN corresponding to the IP address that will be used for the Virtual Service that will be created in Section 6.3 for load balancing the Connector-VAs and click Save.
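How the Gateway-VA's nginx resolves the client address under the Section 4.1 settings (real_ip_header X-Forwarded-For, real_ip_recursive off, set_real_ip_from), modelled in Python as an added example that is not KEMP or VMware code. The function names and every address other than 172.16.5.100 are constructed for illustration, and the model simplifies nginx by treating an unparsable header entry as "leave the peer address unchanged".

```python
"""Model of nginx realip address resolution for the Gateway-VA settings above.

Added illustration only: names and sample addresses are constructed, except
172.16.5.100, which is the LoadMaster address used in the guide's example.
"""
import ipaddress


def _is_trusted(addr, networks):
    """True if addr falls inside any set_real_ip_from entry."""
    return any(addr in net for net in networks)


def resolve_client_ip(peer, xff_header, set_real_ip_from, recursive=False):
    """Return the address nginx would treat as the client.

    peer             -- source address of the TCP connection to nginx
    xff_header       -- raw X-Forwarded-For value, or None if absent
    set_real_ip_from -- list of trusted addresses/CIDRs (the load balancers)
    recursive        -- value of real_ip_recursive (the guide uses off)
    """
    peer_addr = ipaddress.ip_address(peer)
    networks = [ipaddress.ip_network(n, strict=False) for n in set_real_ip_from]

    # The header is honoured only when the connection itself comes from a
    # trusted address; otherwise the socket peer is the client.
    if not xff_header or not _is_trusted(peer_addr, networks):
        return str(peer_addr)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = peer_addr
    # Walk the header from the right: the right-most entry was added by the
    # proxy closest to nginx.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # simplification: stop at the first unparsable entry
        current = candidate
        # recursive off: take the last entry and stop.
        # recursive on:  keep going while the entry is itself trusted.
        if not recursive or not _is_trusted(candidate, networks):
            break
    return str(current)


LOADMASTER = "172.16.5.100"  # from the guide's example

# Constructed scenarios: (label, peer, X-Forwarded-For, trusted list)
SCENARIOS = [
    ("via LoadMaster", LOADMASTER, "203.0.113.7", [LOADMASTER]),
    ("direct, header ignored", "10.0.0.50", "198.51.100.9", [LOADMASTER]),
    ("client-supplied entry precedes LoadMaster's", LOADMASTER,
     "198.51.100.9, 203.0.113.7", [LOADMASTER]),
    ("trust list too broad", "172.16.9.9", "198.51.100.9", ["172.16.0.0/12"]),
]


def run_scenarios():
    """Resolve every constructed scenario and return {label: client_ip}."""
    return {
        label: resolve_client_ip(peer, xff, trusted)
        for label, peer, xff, trusted in SCENARIOS
    }


if __name__ == "__main__":
    for label, client in run_scenarios().items():
        print(f"{label:45s} -> {client}")
```

Because the Gateway uses this resolved address to choose Connectors (Section 2.5), the last scenario shows why the trusted list should contain only the load balancer address(es) rather than a whole subnet.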

5 VMware Horizon Workspace Templates

KEMP has developed templates containing our recommended settings for VMware Horizon Workspace. These templates can be installed on the LoadMaster and can be used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Released templates can be downloaded from the KEMP documentation page: http://www.kemptechnologies.com/documentation/.

If you create another Virtual Service using the same template, be sure to change the Service Name to a unique name.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

For steps on how to manually add and configure each of the Virtual Services, refer to Section 6.
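A check of which request paths the Section 4.2 rule (Match String ^/admin*, Ignore Case, Fail on Match) rejects once Section 6.1 assigns it to the Real Servers, written as an added example that is not LoadMaster code. It assumes the rule is evaluated as an unanchored regular-expression search against the URL path; ContentRule, decide, audit and the sample paths are constructed for illustration, and only the rule name vmworkspace and its settings come from the guide.

```python
"""Audit of the 'vmworkspace' content rule against constructed request paths.

Added illustration: assumes the rule is a regular-expression search on the
URL path, and that a matching Fail on Match rule rejects the request.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    name: str
    match_string: str
    ignore_case: bool = True
    fail_on_match: bool = True

    def matches(self, url_path):
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.match_string, url_path, flags) is not None


def decide(url_path, rules):
    """Return 'reject' if a Fail on Match rule matches, else 'forward'."""
    for rule in rules:
        if rule.fail_on_match and rule.matches(url_path):
            return "reject"
    return "forward"


def audit(paths, rules):
    """Map every path to the decision the rule set produces for it."""
    return {path: decide(path, rules) for path in paths}


def beyond_prefix(rule, literal_prefix, paths):
    """Paths the rule matches although they do not start with literal_prefix.

    In ^/admin* the '*' applies only to the final 'n', so the pattern means
    '/admi' followed by zero or more 'n', which is wider than '/admin'.
    """
    prefix = literal_prefix.lower()
    return [p for p in paths
            if rule.matches(p) and not p.lower().startswith(prefix)]


VMWORKSPACE = ContentRule(name="vmworkspace", match_string=r"^/admin*")

# Constructed request paths, not taken from a real Workspace deployment.
SAMPLE_PATHS = ["/", "/web", "/admin", "/ADMIN/settings",
                "/administrator", "/admi", "/admissions"]

EXTERNAL_RULES = [VMWORKSPACE]   # Section 6.1: rule assigned to Real Servers
INTERNAL_RULES = []              # Section 6.2: rule steps are not repeated

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS, EXTERNAL_RULES).items():
        print(f"external {path:18s} {verdict}")
    print("wider than '/admin':",
          beyond_prefix(VMWORKSPACE, "/admin", SAMPLE_PATHS))
```

Running the same audit over paths taken from the Gateway-VA access logs confirms before rollout that no user-facing path beginning with /admi is rejected on the external Virtual Service.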

Virtual Service Configuration 6 Virtual Service Configuration This section outlines instructions on adding and configuring the required Workspace Virtual Services to the LoadMaster. 6.1 Gateway-VAs (External Virtual Service) To add an External Virtual Service for the Gateway-VAs, follow the steps below: 1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New. Figure 6-1: Virtual Service Parameters 2. Enter a valid IP address in the Virtual Address field. 3. Enter 443 as the Port. 4. Enter a recognizable Service Name, for example Workspace Ext. 5. Click Add this Virtual Service. 6. Expand the SSL Properties section. 7. Select the Enabled check box. Figure 6-2: SSL Properties Copyright 2002-2016 KEMP Technologies, Inc. All Rights Reserved. 19

Virtual Service Configuration 8. Click OK. 9. Select the Reencrypt check box. 10. Select the relevant certificate from the Available Certificates list. 11. Click the right arrow. 12. Click Set Certificates. 13. Expand the Standard Options section. Figure 6-3: Standard Options 14. Select Super HTTP as the Persistence Mode. 15. Select 30 Minutes as the Timeout value Be sure to set the persistence timeout to no less than 30 minutes. A value lower than this may result in an error 502, The service is currently unavailable for clients attempting to connect. 16. Select least connection as the Scheduling Method. 17. Expand the Real Servers section. Figure 6-4: Real Servers section 18. Ensure that HTTPS Protocol is selected as the health check type. 19. Enter a forward-slash (/) in the URL text box and click Set URL. 20. Select GET as the HTTP Method. 21. Click Add New. Copyright 2002-2016 KEMP Technologies, Inc. All Rights Reserved. 20

Figure 6-5: Real Server Parameters

22. Enter a Gateway-VA address in the Real Server Address field.
23. Ensure that 443 is entered as the Port.
24. Click Add This Real Server.
25. Click OK.
26. Continue to add the remaining Real Servers by entering the Real Server Address of each Gateway-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.
27. Expand the Advanced Properties section.

Figure 6-8: Advanced Options

28. Select the Enable button in the Content Switching section.
29. Select X-Forwarded-For from the Add HTTP Headers drop down menu.
30. Click the Add HTTP Redirector button.

31. Expand the Real Servers section.

Figure 6-9: Real Servers Section

32. Click None in the Rules column for the first listed Real Server.

Figure 6-10: Content Rules Assignment Menu

33. Select the content matching rule created in Section 4.2.
34. Click Add.
35. Click the Back button.
36. Repeat for each Real Server to add the content matching rule to all pool members.
37. In the main menu of the LoadMaster WUI, click View/Modify Services.
38. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.

6.2 Gateway-VAs (Internal Virtual Service)

To add an Internal Virtual Service for the Gateway-VAs, either on the same LoadMaster or another cluster, repeat Steps 1 to 29 of Section 6.1, but give the Virtual Service a different name.

6.3 Connector-VAs

To add a Virtual Service for the Connector-VAs, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

Figure 6-11: Virtual Service Parameters

2. Enter a valid IP address in the Virtual Address text box.
3. Enter 443 as the Port.
4. Enter a recognizable Service Name, for example Horizon-Connector.

5. Click Add this Virtual Service.
6. Expand the Standard Options section.

Figure 6-12: Standard Options

7. The Force L7 check box is selected by default. Keep this option selected unless your deployment scheme dictates otherwise.
8. The Transparency check box is checked by default. Keep this option selected unless your deployment scheme dictates otherwise.
9. Select Source IP Address as the Persistence Mode.
10. Select 30 Minutes as the Timeout value.

Be sure to set the persistence timeout to no less than 30 minutes. A lower value may result in a 502 error ("The service is currently unavailable") for users attempting to reconnect.

11. Select least connection as the Scheduling Method.
12. Expand the Real Servers section.

Figure 6-13: Real Servers section

13. Use HTTPS Protocol as the health check type.
14. Enter a forward-slash (/) in the URL text box and click Set URL.
15. Select GET as the HTTP Method.
16. Click Add New.

Figure 6-14: Real Server Parameters

17. Enter a Connector-VA address in the Real Server Address text box.
18. Enter 443 as the Port.
19. Click Add This Real Server.
20. Click OK.
21. Continue to add the remaining Real Servers by entering the Real Server Address of each Connector-VA and clicking Add This Real Server until all servers in the pool are added. When finished, click the Back button.
22. In the main menu of the LoadMaster WUI, click View/Modify Services.
23. Confirm that the newly created service is listed with a status of Up and that all of the added member servers are listed in black, non-bold font.
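Step 29 of Section 6.1 has the LoadMaster add an X-Forwarded-For header to requests passed to the Gateway-VAs, so anything behind the LoadMaster that logs or filters on client address has to read that header and decide when to believe it. The following is an added example, not KEMP or VMware code: it accepts the header only when the connection came from the LoadMaster. The address 10.0.0.10, the function names, and the assumption that the LoadMaster's entry is the last one in the list are illustrative; check them against your deployment.

```python
import ipaddress

# Constructed value: the LoadMaster address as seen by the Real Servers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]


def _is_trusted(addr, trusted):
    """True if addr falls inside any trusted proxy network."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log or filter on for one request.

    peer       -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that bypassed the LoadMaster cannot vouch for the header.
    if not xff_header or not _is_trusted(peer_addr, trusted):
        return str(peer_addr)
    # Walk right to left: the rightmost entries come from the nearest hops,
    # the leftmost ones are whatever the original client chose to send.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop trusting the header altogether.
            return str(peer_addr)
        if not _is_trusted(addr, trusted):
            return str(addr)
    # Every entry was a trusted proxy; fall back to the peer.
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value)
    samples = [
        ("10.0.0.10", "203.0.113.7"),            # normal path via LoadMaster
        ("10.0.0.10", "1.2.3.4, 203.0.113.7"),   # client-supplied first entry
        ("198.51.100.9", "203.0.113.7"),         # direct hit, header ignored
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Entries carrying a port or brackets are treated as malformed here, which falls back to the peer address instead of guessing.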

References

KEMP Technologies product documentation can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

WUI, Configuration Guide

VMware Horizon Workspace Documentation
http://www.vmware.com/support/pubs/horizon-workspace-pubs.html

Document History

Date       Change           Reason for Change               Version  Resp.
Feb 2014   Initial draft    First draft of document         1.0      JD
Mar 2014   Updates made     Updates relating to templates   1.1      LB
July 2014  Release updates  Updates for 7.1-18a release     1.2      LB
Aug 2014   Minor change     Defect resolved                 1.3      LB
Aug 2014   Minor changes    Defects resolved                1.4      LB
Sep 2014   Minor changes    Defects resolved                1.5      LB
Nov 2014   Minor changes    Defects resolved                1.6      LB
Sep 2015   Release updates  Update for 7.1-30 release       3.0      LB
Dec 2015   Release updates  Update for 7.1-32 release       4.0      LB
Jan 2016   Minor changes    Updated Copyright Notices       5.0      LB
Mar 2016   Release updates  Update for 7.1-34 release       6.0      LB
July 2016  Release updates  Update for 7.1.35 release       7.0      LB