Load Balancing VMware Workspace Portal/Identity Manager

Overview

VMware Workspace Portal/Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Workspace Portal/Identity Manager reduces the complexity of IT administration.

Workspace Portal/Identity Manager is delivered as a virtual appliance (VA) that is easy to deploy onsite and integrate with existing enterprise services. Organizations can centralize assets, devices, and applications and manage users and data securely behind the firewall. Users can share and collaborate with external partners and customers securely when policy allows.

This document provides step-by-step instructions for load balancing two (2) virtual appliances. The same directions can be used for adding additional virtual appliances to the load-balanced pool.

Prerequisites

There are a couple of steps you will need to perform before proceeding with the configuration. Step-by-step instructions for the prerequisites are not included in this document.
(1) Create an SSL certificate that contains the load-balanced FQDN that will be used for Workspace Portal/Identity Manager access. The SSL certificate will need to be uploaded to the BIG-IP. You will also need the Primary CA or Root CA for the SSL certificate; this will also be uploaded and chained on the BIG-IP, and is required to be loaded on each Workspace Portal/Identity Manager appliance. The private key used for the load-balanced FQDN certificate will also be uploaded to the BIG-IP.
(2) Workspace/Identity Manager should already be integrated with Active Directory (or another application authentication source).
(3) Ensure the new FQDN for Workspace/Identity Manager is in DNS and points to the virtual server IP on the BIG-IP that will be used for load balancing the Workspace/Identity Manager appliances.

Create Client SSL Profile

From the BIG-IP Admin Screen:
(1) Click on Local Traffic
(2) Hover over Profiles >>
(3) SSL >>
(4) Client
(5) Click the plus symbol (+) to the right of "Client" to create a new SSL Client Profile.

Create a new SSL Client profile with the following properties:

(1) Name: workspace-ssl (or whatever you wish to name it)
(2) Parent Profile: clientssl

**NOTE** You must "check" the Custom check box before editing the values.

(3) Certificate: Select the certificate with the FQDN that was uploaded to the BIG-IP.
(4) Key: Select the certificate key that corresponds with the certificate in step #3 and was previously uploaded to the BIG-IP.
(5) Chain: Select the Primary or Root CA/certificate chain that corresponds with the certificate in step #3 and was previously uploaded to the BIG-IP.
(6) Then click the "Add" button to add the certificate key chain to the SSL profile.

Scroll to the bottom of the page and click "Finished".

Create HTTP Profile

After creating the SSL Client profile, we must create an HTTP Profile.

(1) Browse to the HTTP service from the top menu bar by clicking Services, then
(2) HTTP.
(3) Then click the "Create" button in the upper right-hand corner of the HTTP Profiles table.
Create HTTP Profile (continued)

Create a new HTTP Profile with the following settings:

(1) Name: workspace-http (or whatever you want to name the profile)
(2) Insert X-Forwarded-For: Enabled

**NOTE** You must "check" the Custom check box before editing the values.

After applying the settings above, scroll to the bottom and click "Finished".

** X-Forwarded-For Header **

You must enable X-Forwarded-For headers on your load balancer. Workspace Portal/Identity Manager identifies the client's source IP address from the X-Forwarded-For header (the source address translation on the virtual server otherwise hides the original client IP from the appliances), and determines which authentication method to use based on this IP address.
Create Persistence Profile

After creating the HTTP profile, we must create a Persistence Profile.

(1) Browse to the Persistence page from the top menu bar by clicking the Persistence button.
(2) Then click the "Create" button in the upper right-hand corner of the Persistence Profiles table.

Create Persistence Profile (continued)

Create a Persistence Profile with the following settings:

(1) Name: workspace-persistence (or whatever you want to name the object)
(2) Persistence Type: Cookie
(3) Then scroll to the bottom of the page and click "Finished".

Create Workspace Portal/Identity Manager Pool

We must now create the Workspace Portal/Identity Manager pool for the BIG-IP appliance to monitor.

(1) From the left-hand menu, under Local Traffic,
(2) Hover over Pools >>
(3) Pool List (do not click yet!) and click the plus symbol (+) to create a new pool.
Create Workspace Portal/Identity Manager Pool (continued) - Pool Configuration

Create a Pool with the following settings:

Name: workspace-pool (or whatever you wish to name the object)
Health Monitors: https_head_f5

Create Workspace Portal/Identity Manager Pool (continued) - Resources, Node 1

Under Resources, add a new member with the following settings:

(1) Load Balancing Method: Least Connections (node)

Create new member nodes for each Workspace Portal/Identity Manager appliance:

(2) Select the "New Node" radio button.
(3) Node Name: workspace-01.corp.local (or whatever you wish to name the object)
(4) Address: Enter the IP address of Workspace #1
(5) Service Port: 443 [HTTPS]
(6) Click the "Add" button.

Create Workspace Portal/Identity Manager Pool (continued) - Resources, Node 2

Repeat the steps from the last section to create an entry for the second Workspace Portal/Identity Manager appliance.

(1) Node Name: workspace-02.corp.local (or whatever you wish to name the object)
(2) Address: Enter the IP address of Workspace #2
(3) Service Port: 443 [HTTPS]
(4) Click the "Add" button.
(5) After you have added the second node, scroll to the bottom of the page and click "Finished".
Create a Virtual Server

After we have configured our Pool, we can continue and create a Virtual Server.

(1) From the left-hand menu, under Local Traffic:
(2) Hover over Virtual Servers >>
(3) Virtual Server List (do not click yet!) and click the plus symbol (+) to create a new Virtual Server.

Create a Virtual Server (continued) - General Properties

Under the General Properties of the Virtual Server, enter the following settings:

Name: workspace (or whatever you wish to name the object)
Destination Address: Enter the IP address of the Virtual Server
Service Port: 443 [HTTPS]

Create a Virtual Server (continued) - Configuration

Under the Configuration properties of the Virtual Server, enter the following settings:

(1) HTTP Profile: workspace-http (or whatever you named the profile when it was created)
(2) SSL Profile (Client): workspace-ssl (or whatever you named the SSL Client Profile when it was created)
(3) SSL Profile (Server): serverssl-insecure-compatible
(4) Source Address Translation: Auto Map

Continue to the next step...

Create a Virtual Server (continued) - Resources

Under the Resource properties of the Virtual Server, enter the following settings:

(1) Default Pool: workspace-pool (or whatever you named the Pool when it was created)
(2) Default Persistence Profile: workspace-persistence (or whatever you named the persistence profile when it was created)
(3) Once you have completed all the steps, scroll to the bottom of the page and click the "Finished" button.
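The GUI screens above create five objects: the client SSL profile, the HTTP profile, the cookie persistence profile, the pool and the virtual server. As an added example that is not part of this guide, here is the same build expressed as tmsh commands typed at the BIG-IP tmsh prompt, which is useful for reviewing or repeating the configuration. The file paths under /var/tmp, the certificate object names, the member addresses 10.0.0.11 and 10.0.0.12 and the virtual server address 192.0.2.10 are assumptions to replace with your own values.

```tmsh
# Added example (not from the guide): the GUI build as tmsh commands.
# Assumes the FQDN certificate, its private key and the CA chain were
# copied to /var/tmp on the BIG-IP beforehand (for example with scp).

# 1. Upload the FQDN certificate, its private key and the Primary/Root CA
#    (GUI: System >> File Management >> SSL Certificate List >> Import).
install sys crypto cert workspace.corp.local.crt from-local-file /var/tmp/workspace.corp.local.crt
install sys crypto key workspace.corp.local.key from-local-file /var/tmp/workspace.corp.local.key
install sys crypto cert corp-root-ca.crt from-local-file /var/tmp/corp-root-ca.crt

# 2. Client SSL profile: terminates user TLS on the virtual server with the
#    FQDN certificate, key and chain (Name / Parent Profile / Certificate /
#    Key / Chain from the "Create Client SSL Profile" steps).
create ltm profile client-ssl workspace-ssl defaults-from clientssl cert-key-chain add { workspace { cert workspace.corp.local.crt key workspace.corp.local.key chain corp-root-ca.crt } }

# 3. HTTP profile with X-Forwarded-For insertion, so the appliances see the
#    real client address instead of the BIG-IP's SNAT address.
create ltm profile http workspace-http defaults-from http insert-xforwarded-for enabled

# 4. Cookie persistence, so a user's session keeps hitting the same appliance.
create ltm persistence cookie workspace-persistence defaults-from cookie

# 5. Pool of the two appliances on 443, monitored with the built-in HTTPS
#    HEAD monitor, least-connections (node) load balancing.
#    Member addresses are assumed values.
create ltm pool workspace-pool monitor https_head_f5 load-balancing-mode least-connections-node members add { workspace-01.corp.local:443 { address 10.0.0.11 } workspace-02.corp.local:443 { address 10.0.0.12 } }

# 6. Virtual server tying everything together. 192.0.2.10 stands in for the
#    VIP the load-balanced FQDN resolves to. As in the GUI steps, the server
#    side uses serverssl-insecure-compatible, which re-encrypts to the
#    appliances but does not verify their certificates.
create ltm virtual workspace destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp workspace-http workspace-ssl { context clientside } serverssl-insecure-compatible { context serverside } } source-address-translation { type automap } pool workspace-pool persist replace-all-with { workspace-persistence }

# Persist the running configuration and review the result.
save sys config
list ltm virtual workspace
```

Running `list ltm virtual workspace` afterwards is a quick way to compare the result with the GUI screens: the profiles, pool, persistence and source-address-translation settings listed there should match steps (1) through (4) of the Configuration section and (1) and (2) of the Resources section.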
Configuring Root/Primary CAs on BIG-IP and Workspace Portal/Identity Manager

After we have configured the F5 BIG-IP appliance to load balance the Workspace Portal/Identity Manager appliances, we must upload the appliance's Primary or Root CA certificate to the BIG-IP.

Log onto the Workspace Portal/Identity Manager #1 Portal Appliance Configuration Page

In a browser, type the FQDN of the first Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-01.corp.local:8443/cfg/login). Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Load the Workspace Portal/Identity Manager's Root CA on the BIG-IP

In this step, we'll copy and load the Workspace Portal/Identity Manager's Appliance Root CA to the BIG-IP. This example uses the appliance's self-signed Root CA generated during the installation. If you have replaced the original self-signed certificates with other certificates, all you have to do is ensure the Root CA for the replacement certificates used for Workspace/Identity Manager is uploaded to the BIG-IP.

Even though there may be two or more Identity Manager appliances, you will only need to import ONE Appliance Root CA. When you clone the Identity Manager appliances for redundancy, the Appliance Root CA does not change.

Click on Install Certificate on the left side of the screen. Click on the Terminate SSL on a Load Balancer tab at the top right of the screen. Click on the link next to Appliance Root CA Certificate. A browser window will open with the Root CA's content.

Highlight the certificate as shown in the above image and copy it to your clipboard.

Go to the BIG-IP and click on System >> File Management >> SSL Certificate List >> Import.

For Import Type, click the down-arrow and select Certificate. Select the Create New radio button for the Certificate Name, and in the field below Create New type a unique name for the Identity Manager certificate. For Certificate Source, select the Paste Text radio button. In the box below, paste the Appliance Root CA (or the CA used for the appliance certificate). Click Import.
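As an added example that is not part of this guide, the same import done with tmsh from a file rather than pasted text, followed by an optional hardening step the guide itself does not take: a server-side SSL profile that uses the imported Appliance Root CA to verify the appliance certificates. The virtual server as built above uses serverssl-insecure-compatible, which re-encrypts traffic to the appliances but does not validate the certificate they present, so the uploaded Root CA is not actually consulted on the server side unless a profile like this one replaces it. The file path and the object names are assumptions.

```tmsh
# Added example (not from the guide). Assumes the Appliance Root CA shown on
# the "Terminate SSL on a Load Balancer" tab was saved to a file and copied
# to /var/tmp/workspace-appliance-ca.crt on the BIG-IP.

# Import the Appliance Root CA as a certificate object (the CLI equivalent of
# System >> File Management >> SSL Certificate List >> Import).
install sys crypto cert workspace-appliance-ca.crt from-local-file /var/tmp/workspace-appliance-ca.crt

# Optional hardening beyond the guide: a server-ssl profile that requires the
# appliance certificate to chain to the imported CA. With peer-cert-mode
# require, a connection to an appliance presenting a certificate that does not
# validate against ca-file is refused.
create ltm profile server-ssl workspace-serverssl defaults-from serverssl ca-file workspace-appliance-ca.crt peer-cert-mode require

# Swap the verifying profile in for serverssl-insecure-compatible on the
# virtual server created earlier (same client-side profiles as before).
modify ltm virtual workspace profiles replace-all-with { tcp workspace-http workspace-ssl { context clientside } workspace-serverssl { context serverside } }

save sys config
```

If you keep the guide's serverssl-insecure-compatible profile instead, the pool members still come up, but the BIG-IP will accept any certificate from the back end; the verifying profile is the setting that turns the imported Appliance Root CA into an actual check. After making the change, the pool members should remain available in `show ltm pool workspace-pool members`; if they go down, the appliance certificates do not chain to the CA that was imported.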
Load the FQDN Root/Primary CA Certificate into Workspace Portal/Identity Manager #1

Access Workspace/Identity Manager appliance #1's appliance configuration interface, if you have not already done so. From the appliance configuration page on Workspace Appliance #1:

Click on Install Certificate from the menu on the left side of the screen. Click on the Terminate SSL on a Load Balancer tab at the top right of the screen. Open the FQDN's Root/Primary certificate in WordPad or another text editing utility. Copy and paste the contents of this certificate into the Root CA Certificate window as shown in the above picture. Click Save.

If prompted, click OK to continue. The service will restart in order for the certificate to be successfully added to the Workspace/Identity Manager. You will be returned to the VMware Workspace/Identity Manager Install Certificate screen once the process is completed.

Load the FQDN Root/Primary CA Certificate into Workspace Portal/Identity Manager #2

In a browser, type the FQDN of the second Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-02.corp.local:8443/cfg/login). Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

From the appliance configuration page on Workspace Appliance #2:

Click on Install Certificate from the menu on the left side of the screen. Click on the Terminate SSL on a Load Balancer tab at the top right of the screen. Open the FQDN's Root/Primary certificate in WordPad or another text editing utility. Copy and paste the contents of this certificate into the Root CA Certificate window as shown in the above picture. Click Save. If prompted, click OK to continue. The service will restart in order for the certificate to be successfully added to the Workspace/Identity Manager. You will be returned to the VMware Workspace/Identity Manager Install Certificate screen once the process is completed.
Configuring the FQDN for Workspace Portal/Identity Manager

After we have configured the appliance's root certificates on the F5 BIG-IP appliance, we must change the FQDN of each appliance to point to the new load-balanced FQDN.

Temporarily Disabling the Workspace Portal/Identity Manager Nodes

In order to change the FQDN of a load-balanced pair, we must temporarily have only one active node in the pool, to prevent the other node from responding to the FQDN check initiated by the appliance whose FQDN is being changed.

Disable 2nd Workspace Portal/Identity Manager Node

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.
(3) From the "workspace-pool" (or whatever you named the pool when it was created) page, click on the "Members" button on the top menu.
(4) From the "Current Members" table, select "workspace-02.corp.local:443" (or whatever you named the 2nd node when it was created).
(5) Click the "Disable" button.

You are now ready to move on to updating the 1st Workspace Portal/Identity Manager appliance FQDN.

Log onto the Workspace Portal/Identity Manager #1 Portal Appliance Configuration Page

In a browser, type the FQDN of the first Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-01.corp.local:8443/cfg/login). Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Change Workspace Portal/Identity Manager #1 FQDN

Once in the Workspace Portal/Identity Manager Appliance Configuration Page:

1. Select "Workspace FQDN" from the left-hand menu
2. Enter the Workspace Portal/Identity Manager FQDN (for example, https://workspace.corp.local)
3. Click "Save"

Confirming the FQDN Name Change

Once the FQDN update starts, we should be prompted with a pop-up screen that displays the progress. If we've completed every step successfully, then we should see four (4) green checkmarks. If that is the case, please continue to the next step.
Enable 2nd and Disable 1st Workspace Portal/Identity Manager Node

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Return to the previously open BIG-IP admin page, and disable the first node and enable the second.

1. From the "Current Members" table, select "workspace-02.corp.local:443" or whatever the 2nd Workspace/Identity Manager node is.
2. Click the "Enable" button.
3. Then, select "workspace-01.corp.local:443" or whatever the 1st Workspace/Identity Manager node is.
4. Click the "Disable" button.

Now proceed to the next step...

Log onto the Workspace Portal/Identity Manager Portal Appliance #2 Configuration Page

In a browser, type the FQDN of the second Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-02.corp.local:8443/cfg/login). Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Change Workspace Portal/Identity Manager #2 FQDN

Once in the Workspace Portal/Identity Manager Appliance Configuration Page:

1. Select "Workspace FQDN" from the left-hand menu
2. Enter the Workspace Portal/Identity Manager FQDN (for example, https://workspace.corp.local)
3. Click "Save"

Confirming the FQDN Name Change

Once the FQDN update starts, we should be prompted with a pop-up screen that displays the progress. If we've completed every step successfully, then we should see four (4) green checkmarks. If that is the case, please continue to the next step.
Enable All Nodes in the Workspace Portal/Identity Manager Pool

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Return to the previously open BIG-IP admin page, and enable all nodes of the pool.

1. From the "Current Members" table, select "workspace-01.corp.local:443" and "workspace-02.corp.local:443" (or whatever your pool member names are).
2. Click the "Enable" button.

Test and Validate Access to Workspace/Identity Manager

Open a browser and go to the new FQDN for Workspace/Identity Manager. Log in to Workspace/Identity Manager; you should see your applications.

Open a 2nd browser window (NOT a tab) and go to the new FQDN for Workspace/Identity Manager. If you open a tab and not a new browser instance, you are going to use the same persistence cookie as the original session and be automatically logged into the same Workspace/Identity Manager instance. Log in to Workspace/Identity Manager; you should see your applications.

(1) Go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Click on Statistics at the top of the page. If your configuration is successful, you will see traffic being routed to both Workspace/Identity Manager nodes.
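As an added example that is not part of this guide, the member disable/enable sequence of the FQDN change and the final validation expressed as tmsh commands on the BIG-IP. The GUI "Disable" button corresponds to `session user-disabled`, which stops the member receiving new sessions while existing connections finish; "Force Offline" would be `state user-down`, which the guide does not use. The FQDN change itself is done on each appliance's :8443/cfg interface exactly as described above and has no BIG-IP command. Pool and member names are the ones used in this guide.

```tmsh
# Added example (not from the guide): the cutover sequence as tmsh commands.
# Pool and member names follow the guide; adjust if you named them differently.

# Step A: take appliance #2 out of rotation, then change the FQDN on appliance #1
# (https://workspace-01.corp.local:8443/cfg, "Workspace FQDN" page).
modify ltm pool workspace-pool members modify { workspace-02.corp.local:443 { session user-disabled } }
show ltm pool workspace-pool members
# Expect: workspace-02 shows as disabled, workspace-01 still available.

# Step B: after the four green checkmarks on appliance #1, bring #2 back and
# take #1 out, then change the FQDN on appliance #2
# (https://workspace-02.corp.local:8443/cfg, "Workspace FQDN" page).
modify ltm pool workspace-pool members modify { workspace-02.corp.local:443 { session user-enabled state user-up } workspace-01.corp.local:443 { session user-disabled } }
show ltm pool workspace-pool members

# Step C: after the checkmarks on appliance #2, re-enable every member.
modify ltm pool workspace-pool members modify { workspace-01.corp.local:443 { session user-enabled state user-up } workspace-02.corp.local:443 { session user-enabled state user-up } }

# Validation (CLI equivalent of the pool Statistics page): both members should
# be available and, after logging in from two separate browser instances,
# both should show current/total connections greater than zero.
show ltm pool workspace-pool members
show ltm virtual workspace
save sys config
```

Two points worth checking in the `show ltm pool` output at each step: that the member you intended to disable really reports disabled before you start the FQDN change on the other appliance (otherwise the FQDN check can be answered by the wrong node, which is exactly what the disable step is meant to prevent), and that at the end both members are enabled and accumulating connections, which is the same evidence the Statistics page gives in the GUI.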