Load Balancing VMware Workspace Portal/Identity Manager


Overview

VMware Workspace Portal/Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Workspace Portal/Identity Manager reduces the complexity of IT administration.

Workspace Portal/Identity Manager is delivered as a virtual appliance (VA) that is easy to deploy onsite and integrate with existing enterprise services. Organizations can centralize assets, devices, and applications and manage users and data securely behind the firewall. Users can share and collaborate with external partners and customers securely when policy allows.

This document provides step-by-step instructions for load balancing two (2) virtual appliances. The same directions can be used for adding additional virtual appliances to the load-balanced pool.

Prerequisites

There are a couple steps you will need to perform before proceeding with the configuration. Step-by-step instructions for prerequisites are not included in this document.

- Create an SSL Certificate that contains the load-balanced FQDN that will be used for Workspace Portal/Identity Manager access. The SSL Certificate will need to be uploaded to the BIG-IP. You will also need the Primary CA or Root CA for the SSL Certificate. These will also be uploaded and chained on the BIG-IP and are required to be loaded on each Workspace Portal/Identity Manager appliance. The private key used for the load-balanced FQDN certificate will also be uploaded to the BIG-IP.
- Workspace/Identity Manager should already be integrated with Active Directory (or application authentication source).
- Ensure the new FQDN for Workspace/Identity Manager is in DNS and points to the virtual server IP on the BIG-IP that will be used for load balancing the Workspace/Identity Manager appliances.

Create Client SSL Profile

From the BIG-IP Admin Screen:

(1) Click on Local Traffic
(2) Hover over to Profiles >>
(3) SSL >>
(4) Client
(5) Click the Plus symbol (+) to the right of "Client" to create a new SSL Client Profile.

Create a new SSL Client profile with the following properties:

(1) Name: workspace-ssl (or whatever you wish to name it)
(2) Parent Profile: clientssl

**NOTE** You must "check" the Custom check box before editing the values.

(3) Certificate: Select the Certificate with the FQDN that was uploaded to the BIG-IP
(4) Key: Select the Certificate Key that corresponds with the Certificate in step #3 and was previously uploaded to the BIG-IP.

(5) Chain: Select the Primary or Root CA/Certificate Chain that corresponds with the Certificate in step #3 and was previously uploaded to the BIG-IP
(6) Then click the "Add" button to add the certificate key chain to the SSL profile.

Scroll to the bottom of the page and click "Finished".

Create HTTP Profile

After creating the SSL Client profile, we must create an HTTP Profile.

(1) Browse to the HTTP Service, from the top Menu bar, by clicking Services, then
(2) HTTP
(3) Then click the "Create" button in the upper right hand corner of the HTTP Profiles table.

Create HTTP Profile (continued)

Create a new HTTP Profile with the following settings:

(1) Name: workspace-http (or whatever you want to name the profile)
(2) Insert X-Forwarded-For: Enabled

**NOTE** You must "check" the Custom check box before editing the values.

After applying the settings above, scroll to the bottom and click "Finished".

** X-Forwarded-For Header **

You must enable X-Forwarded-For headers on your load balancer. Workspace Portal/Identity Manager identifies the source IP address in the X-Forwarded-For headers. Workspace Portal/Identity Manager determines which authentication method to use based on this IP address.
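The address selection this note depends on, as an added Python example (not code from VMware, F5 or the original guide): with Auto Map every request reaches the appliance from a BIG-IP address, so only the X-Forwarded-For entry written by the load balancer should drive the choice of authentication method. The proxy address, network ranges and method names are assumptions made for the illustration.

```python
import ipaddress

# Assumed for illustration: the BIG-IP self IP used by Auto Map toward the
# appliances, and two network ranges mapped to hypothetical method names.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
NETWORK_RANGES = [  # evaluated top to bottom, first match wins
    (ipaddress.ip_network("10.0.0.0/8"), "kerberos"),
    (ipaddress.ip_network("0.0.0.0/0"), "password+otp"),
]
STRICTEST_METHOD = "password+otp"  # used when the client address is unknown


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Pick the address that policy decisions may rely on.

    peer       -- TCP source address of the connection to the appliance
    xff_values -- X-Forwarded-For header values, in the order received
    Returns an ip_address, or None when no trustworthy address exists.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not is_trusted_proxy(peer_addr):
        # Connection did not come through the load balancer: any
        # X-Forwarded-For header was written by the sender, so ignore it.
        return peer_addr
    # Several header lines and one comma-separated list are equivalent.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right (assumption: the load balancer's entry is last).
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not is_trusted_proxy(addr):
            return addr
    # Header missing (insertion not enabled) or only proxy addresses present.
    return None


def auth_method(peer, xff_values):
    addr = client_ip(peer, xff_values)
    if addr is None:
        return STRICTEST_METHOD
    for net, method in NETWORK_RANGES:
        if addr in net:
            return method
    return STRICTEST_METHOD


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For values)
    samples = [
        ("10.0.0.5", ["10.20.30.40"]),            # internal user via BIG-IP
        ("10.0.0.5", ["203.0.113.7"]),            # external user via BIG-IP
        ("10.0.0.5", ["10.1.2.3, 203.0.113.7"]),  # client sent its own value
        ("10.0.0.5", []),                         # insertion not enabled
    ]
    for peer, xff in samples:
        print(peer, xff, "->", auth_method(peer, xff))
```

If the header were missing, every request would carry only the load balancer's own address, which is why the sketch falls back to the strictest method instead of treating that address as an internal client.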

Create Persistence Profile

After creating the HTTP profile, we must create a Persistence Profile.

(1) Browse to the Persistence page, from the top Menu bar, by clicking the Persistence button.
(2) Then click the "Create" button in the upper right hand corner of the Persistence Profiles table.

Create Persistence Profile (continued)

Create a Persistence Profile with the following settings:

(1) Name: workspace-persistence (or whatever you want to name the object)
(2) Persistence Type: Cookie
(3) Then scroll to the bottom of the page and click "Finished"

Create Workspace Portal/Identity Manager Pool

We must now create the Workspace Portal/Identity Manager pool for the BIG-IP Appliance to monitor.

(1) From the left-hand menu, Under Local Traffic
(2) Hover over Pools >>
(3) Pool List (Do not click yet!)

Click the plus symbol (+) to create a new pool.

Create Workspace Portal/Identity Manager Pool (continued) - Pool Configuration

Create a Pool with the following settings:

Name: workspace-pool (or whatever you wish to name the object)
Health Monitors: https_head_f5

Create Workspace Portal/Identity Manager Pool (continued) - Resources Node 1

Under Resources, add a new member with the following settings:

(1) Load Balancing Method: Least Connections (node)

Create new member nodes for each Workspace Portal/Identity Manager appliance:

(2) Select the "New Node" radio button
(3) Node Name: workspace-01.corp.local (or whatever you wish to name the object)
(4) Address: Enter the IP address of Workspace #1
(5) Service Port: 443 [HTTPS]
(6) Click the "Add" button.

Create Workspace Portal/Identity Manager Pool (continued) - Resources Node 2

Repeat the steps from the last section to create an entry for the second Workspace Portal/Identity Manager appliance.

(1) Node Name: workspace-02.corp.local (or whatever you wish to name the object)
(2) Address: Enter the IP Address of Workspace #2
(3) Service Port: 443 [HTTPS]
(4) Click the "Add" button.
(5) After you have added the second node, scroll to the bottom of the page and click "Finished"

Create a Virtual Server

After we have configured our Pool, we can continue and create a Virtual Server.

(1) From the left-hand menu, Under Local Traffic:
(2) Hover over Virtual Servers >>
(3) Virtual Server List (Do not click yet!)

Click the plus symbol (+) to create a new Virtual Server.

Create a Virtual Server (continued) - General Properties

Under the General Properties of the Virtual Server, enter the following settings:

Name: workspace (or whatever you wish to name the object)
Destination Address: Enter the IP Address of the Virtual Server
Service Port: 443 [HTTPS]

Create a Virtual Server (continued) - Configuration

Under the Configuration properties of the Virtual Server, enter the following settings:

(1) HTTP Profile: workspace-http (or whatever you named the profile when it was created)
(2) SSL Profile (Client): workspace-ssl (or whatever you named the SSL Client Profile when it was created)
(3) SSL Profile (Server): serverssl-insecure-compatible
(4) Source Address Translation: Auto Map

Continue to the next step...

Create a Virtual Server (continued) - Resources

Under the Resource properties of the Virtual Server, enter the following settings:

(1) Default Pool: workspace-pool (or whatever you named the Pool when it was created)
(2) Default Persistence Profile: workspace-persistence (or whatever you named the persistence profile when it was created)
(3) Once you have completed all the steps, scroll to the bottom of the page and click the "Finished" button.

Configuring Root/Primary CAs on BIG-IP and Workspace Portal/Identity Manager

After we have configured the F5 BIG-IP appliance to load balance the Workspace Portal/Identity Manager appliances, we must upload the appliance's Primary or Root CA certificate to the BIG-IP.

Log onto the Workspace Portal/Identity Manager #1's Portal Appliance Configuration Page

In a browser, type the FQDN of the first Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-01.corp.local:8443/cfg/login). Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Load the Workspace Portal/Identity Manager's Root CA on the BIG-IP

In this step, we'll copy and load the Workspace Portal/Identity Manager's Appliance Root CA to the BIG-IP. This example uses the appliance's self-signed Root CA generated during the installation. If you have replaced the original self-signed certificates with other certificates, all you have to do is ensure the Root CA for the replacement certificates used for Workspace/Identity Manager is uploaded to the BIG-IP.

Even though there may be two or more Identity Manager appliances, you will only need to import ONE Appliance Root CA. When you clone the Identity Manager appliances for redundancy, the Appliance Root CA does not change.

Click on Install Certificate on the left side of the screen.
Click on the Terminate SSL on a Load Balancer tab at the top right of the screen.
Click on the link next to Appliance Root CA Certificate. A browser window will open with the Root CA's content.

Highlight the certificate as shown in the above image and copy to your clipboard. Go to the BIG-IP and click on System >> File Management >> SSL Certificate List >> Import.

For import type, click the down-arrow and select Certificate. Select Create New radio button for the Certificate Name. Also next to Certificate Name, type a unique name for the Identity Manager Certificate below Create New. For Certificate Source, check the Paste Text radio button. In the box below, paste the Appliance Root CA (or the CA used for the appliance certificate). Click Import.

Load the FQDN Root/Primary CA Certificate into Workspace Portal/Identity Manager #1

Access Workspace/Identity Manager appliance #1's appliance configuration interface, if you have not already done so.

From the appliance configuration page on Workspace Appliance #1:

Click on Install Certificate from the menu on the left side of the screen.
Click on the Terminate SSL on a Load Balancer tab at the top right of the screen.
Open the FQDN's Root/Primary Certificate in WordPad or other text editing utility.
Copy and paste the contents of this certificate into the Root CA Certificate window as shown in the above picture.
Click Save.

If prompted, click OK to continue. The service will restart in order for the certificate to be successfully added to the Workspace/Identity Manager. You will be returned to the VMware Workspace/Identity Manager Install Certificate screen once the process is completed.

Load the FQDN Root/Primary CA Certificate into Workspace Portal/Identity Manager #2

In a browser, type the FQDN of the second Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-02.corp.local:8443/cfg/login).

Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

From the appliance configuration page on Workspace Appliance #2:

Click on Install Certificate from the menu on the left side of the screen.
Click on the Terminate SSL on a Load Balancer tab at the top right of the screen.
Open the FQDN's Root/Primary Certificate in WordPad or other text editing utility.
Copy and paste the contents of this certificate into the Root CA Certificate window as shown in the above picture.
Click Save.

If prompted, click OK to continue. The service will restart in order for the certificate to be successfully added to the Workspace/Identity Manager. You will be returned to the VMware Workspace/Identity Manager Install Certificate screen once the process is completed.

Configuring the FQDN for Workspace Portal/Identity Manager

After we have configured the appliance's root certificates on the F5 BIG-IP appliance, we must change the FQDN of each appliance to point to the new load-balanced FQDN.

Temporarily Disabling the Workspace Portal/Identity Manager Nodes

In order to change the FQDN of a load-balanced pair, we must temporarily have only one active node in the pool, so that the other node cannot respond to the FQDN check initiated by the appliance being changed.

Disable 2nd Workspace Portal/Identity Manager Node

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to the Pools >> Pool List.

(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

(1) From the "workspace-pool" (or whatever you named the pool when it was created) page, click on the "Members" button on the top menu.
(2) From the "Current Members" table, select "workspace-02.corp.local:443" (or whatever you named the 2nd node when it was created)
(3) Click the "Disable" button.

You are now ready to move on to updating the 1st Workspace Portal/Identity Manager appliance FQDN.

Log onto the Workspace Portal/Identity Manager #1's Portal Appliance Configuration Page

In a browser, type the FQDN of the first Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-01.corp.local:8443/cfg/login).

Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Change Workspace Portal/Identity Manager #1 FQDN

Once in the Workspace Portal/Identity Manager Appliance Configuration Page:

1. Select "Workspace FQDN" from the left-hand menu
2. Enter the Workspace Portal/Identity Manager FQDN (e.g. https://workspace.corp.local)
3. Click "Save"

Confirming the FQDN Name change

Once the FQDN update starts, we should be prompted with a pop-up screen that displays the progress. If we've completed every step successfully then we should be prompted with four (4) green checkmarks. If that is the case, please continue to the next step.

Enable 2nd and Disable 1st Workspace Portal/Identity Manager Node

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to the Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Return to the previously open BIG-IP admin page, and disable the first node and enable the second.

1. From the "Current Members" table, select "workspace-02.corp.local:443" or whatever the 2nd Workspace/Identity Manager node is.
2. Click the "Enable" button
3. Then, select "workspace-01.corp.local:443" or whatever the 1st Workspace/Identity Manager node is.
4. Click the "Disable" button

Now proceed to the next step...

Log onto the Workspace Portal/Identity Manager Portal Appliance #2 Configuration Page

In a browser, type the FQDN of the second Workspace Portal/Identity Manager appliance you are configuring (for example, https://workspace-02.corp.local:8443/cfg/login).

Log in to the administrator interface with the password configured during the setup of the Workspace Portal/Identity Manager appliance.

Change the Workspace Portal/Identity Manager FQDN

Once in the Workspace Portal/Identity Manager Appliance Configuration Page:

1. Select "Workspace FQDN" from the left-hand menu
2. Enter the Workspace Portal/Identity Manager FQDN (e.g. https://workspace.corp.local)
3. Click "Save"

Confirming the FQDN Name change

Once the FQDN update starts, we should be prompted with a pop-up screen that displays the progress. If we've completed every step successfully then we should be prompted with four (4) green checkmarks. If that is the case, please continue to the next step.

Enable all nodes in Workspace Portal/Identity Manager Pool

(1) To accomplish this, we must go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to the Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Return to the previously open BIG-IP admin page, and enable all nodes of the pool.

1. From the "Current Members" table, select "workspace-01.corp.local:443" and "workspace-02.corp.local:443" (or whatever your pool member names are)
2. Click the "Enable" button

Test and Validate Access to Workspace/Identity Manager

Open a browser and go to the new FQDN for Workspace/Identity Manager. Log in to Workspace/Identity Manager; you should see your applications.

Open a 2nd browser window (NOT a tab) and go to the new FQDN for Workspace/Identity Manager. If you open a tab and not a new browser instance, you are going to use the same cookie as the original session and be automatically logged into the same Workspace/Identity Manager instance. Log in to Workspace/Identity Manager; you should see your applications.

(1) Go to the Pool List by browsing the left-hand menu under Local Traffic and browsing to the Pools >> Pool List.
(2) Once in the Pool List, click on the "workspace-pool" (or whatever you named the pool when it was created) link to browse the contents of the pool.

Click on Statistics at the top of the page. If your configuration is successful, you will see traffic being routed to both Workspace/Identity Manager nodes.