Introduction

The components of UDS Enterprise (UDS Server and UDS Tunneler) can be configured in high availability (HA) so that if any of them goes down, whether because the hypervisor hosting it fails or because the Virtual Appliance itself fails, users and administrators do not lose access to the system.

UDS Enterprise HA can be configured using any load balancer that supports TCP and HTTP modes. This document is an example configuration using the HAProxy software.

Necessary elements

For a successful high-availability deployment of UDS Enterprise, the following items are needed:

HAProxy Server
Server in charge of providing users with access to several UDS Enterprise servers. Access will be in active-active mode. In this example a single HAProxy server is configured in standalone mode, but for production deployments it is recommended to have multiple HAProxy servers.

MySQL Server
Database server where the UDS server keeps all your records. In this example a single MySQL server is configured, but for production deployments it is recommended to have multiple MySQL servers in the cluster.

UDS Server (broker)
The main element of the UDS Enterprise software. It supports HA configuration of version 1.9.1. You will need to deploy at least two UDS servers.

Tunnel UDS Server
The element that provides users with access from a WAN to virtual desktops and applications, and HTML5 access to virtual desktops. You will need to deploy at least two Tunnel UDS servers.
Requirements

This HA UDS Enterprise configuration example uses the following resources:

HAProxy:
- OS and resources: Linux Server Debian 8.4.0 x64 with 1 GB of RAM, 15 GB of disk, 1 NIC
- IP data: 1 IP address, network mask, gateway and DNS
- Internet access
- Certificate: it is necessary to have or generate a valid certificate in PEM format for SSL connections

MySQL:
- Virtual Appliance UDS_MySQL (provided by VirtualCable): 1 GB of vRAM, 8 GB of disk, 1 vNIC
- IP data: 1 IP address, network mask, gateway and DNS
- DB data: DB instance, username and password (by default, instance: uds, username: uds, password: uds)

UDS Server (broker):
- Virtual Appliance UDS_Server (provided by VirtualCable): 1 GB of vRAM, 5 GB of disk, 1 vNIC
- IP data: 1 IP address, network mask, gateway and DNS
- Valid serial number for the UDS Enterprise version
- MySQL DB connection data: IP address, DB instance, username and password

UDS Tunnel Server:
- Virtual Appliance UDS_Tunel (provided by VirtualCable): 1 GB of vRAM, 5 GB of disk, 1 vNIC
- IP data: 1 IP address, network mask, gateway and DNS
- HAProxy service IP address
Configuration

1. HAProxy

Install a Linux Debian 8.4.0 x64 server with the following configuration:

Step 1

Machine name: HAProxy
IP: 192.168.11.100
Resources: 1 vCPU, 1 GB of RAM, 15 GB of disk and 1 vNIC (with internet access)

Before installing HAProxy it is necessary to have a certificate (in .pem format) for SSL connections. If you do not have one ready, you can generate a self-signed one in the following way:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/ssl.key -out /root/ssl.crt

You will be prompted to provide a set of data to complete the certificate:
Once it is created, you will have to create the .pem file:

    cat /root/ssl.crt /root/ssl.key > /etc/ssl/private/haproxy.pem

Step 2

Install the HAProxy software:

    apt-get install haproxy
Step 3

Edit the HAProxy configuration file:

    /etc/haproxy/haproxy.cfg

Add redirection rules to the end of the file:
Example of haproxy.cfg content:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        maxconn 2000
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1ssl). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+A$
        # NOTE: the line above is truncated in this document (it ends in "$")
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor
        retries 3
        option redispatch
        stats enable
        stats uri /haproxystats
        stats realm Strictly\ Private
        stats auth admin:temporal
        stats auth user:temporal
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend http-in
        bind *:80
        mode http
        reqadd X-Forwarded-Proto:\ http
        default_backend uds-backend

    frontend https-in
        bind *:443 ssl crt /etc/ssl/private/haproxy.pem
        mode http
        reqadd X-Forwarded-Proto:\ https
        default_backend uds-backend

    frontend tunnel-in
        bind *:1443
        mode tcp
        option tcplog
        default_backend tunnel-backend-ssl

    frontend tunnel-in-guacamole
        bind *:10443
        mode tcp    # HTML5
        option tcplog
        default_backend tunnel-backend-guacamole

    backend uds-backend
        # redirect scheme https if !{ ssl_fc }    # redirect http to https
        balance source
        option httpclose
        server uds1 192.168.11.102:80 check
        server uds2 192.168.11.103:80 check

    backend tunnel-backend-ssl
        mode tcp
        option tcplog
        balance source
        server udsts1 192.168.11.104:443 check
        server udsts2 192.168.11.105:443 check

    backend tunnel-backend-guacamole
        mode tcp
        option tcplog
        balance source
        server udstg1 192.168.11.104:10443 check
        server udstg2 192.168.11.105:10443 check

Step 4

Start the haproxy service and check that it is running:

    service haproxy restart
    service haproxy status

Make sure the service autostarts with the server.
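The example haproxy.cfg keeps sample stats credentials, leaves the HTTPS redirect commented out and offers 3DES in its cipher list. The following check is an added example, not part of the original guide or of UDS Enterprise: a small Python audit that flags those three settings. The function names and the shortened sample configuration are constructed for illustration.

```python
import re
# Constructed excerpt of the haproxy.cfg from this guide (not the full file).
SAMPLE_CFG = """\
global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES
defaults
    stats auth admin:temporal
frontend http-in
    bind *:80
frontend https-in
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem
frontend tunnel-in
    bind *:1443
    mode tcp
backend uds-backend
    # redirect scheme https if !{ ssl_fc }
    server uds1 192.168.11.102:80 check
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(text):
    """Split a haproxy.cfg into (section name, directives); comments are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = SECTION.match(line)
        if match:
            sections.append((" ".join(filter(None, match.groups())), []))
        elif line and sections:
            sections[-1][1].append(line)
    return sections

def audit(text):
    """Return findings to review before this configuration goes to production."""
    sections = parse_sections(text)
    # Simplification: an active HTTPS redirect anywhere in the file counts.
    redirects = any(d.startswith("redirect scheme https")
                    for _, directives in sections for d in directives)
    findings = []
    for name, directives in sections:
        for d in directives:
            if d.startswith("stats auth "):
                user = d.split()[2].split(":")[0]  # report the user, never the password
                findings.append(f"{name}: cleartext stats password for '{user}'")
            elif d.startswith("ssl-default-bind-ciphers") and "3DES" in d:
                findings.append(f"{name}: cipher list still offers 3DES")
            elif (d.startswith("bind ") and " ssl" not in d and not redirects
                  and name.startswith("frontend") and "mode tcp" not in directives):
                findings.append(f"{name}: HTTP listener without HTTPS redirect")
    return findings
```

Run `audit(open("/etc/haproxy/haproxy.cfg").read())` on the HAProxy server; uncommenting the `redirect scheme https` line clears the third finding.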
2. MySQL

Install the MySQL Virtual Appliance provided by VirtualCable with the following configuration:

Step 1

Machine name: mysql
IP: 192.168.11.101
Resources: 1 vCPU, 1 GB of RAM, 8 GB of disk and 1 vNIC

Configure a static IP:

Step 2

Test connectivity with the HAProxy Server:
3. UDS Server (Broker)

Install two UDS Server (broker) Virtual Appliances provided by VirtualCable with the following configuration:

Step 1

Machine names: UDSServer01 and UDSServer02
IP: 192.168.11.102 (UDSServer01) and 192.168.11.103 (UDSServer02)
Resources: 2 vCPU, 1 GB of RAM, 5 GB of disk and 1 vNIC (for each UDS Server Virtual Appliance)

Provide a valid UDS Enterprise serial number:

Step 2

Enter the configuration data of the Virtual Appliance:
Step 3

Configure the MySQL DB access data:

Step 4

Complete the access data of the administrator user of the UDS platform by providing the username and password of the superuser of the UDS Server virtual appliance:
Step 5

Test and finalize the configuration of the Virtual Appliance:

Repeat these steps for the second UDS Server (UDSServer02), changing only the IP field, where you should provide the IP of the second server.
4. UDS Tunnel

Install two UDS Tunnel Virtual Appliances, provided by VirtualCable, with the following configuration:

Step 1

Machine names: UDSTunel01 and UDSTunel02
IP: 192.168.11.104 (UDSTunel01) and 192.168.11.105 (UDSTunel02)
Resources: 2 vCPU, 1 GB of RAM, 5 GB of disk and 1 vNIC (for each UDS Tunnel Virtual Appliance)

Enter the configuration data of the Virtual Appliance:

Step 2

Provide the IP of the UDS Server, which in a High Availability configuration is the IP of the HAProxy Server:
Step 3

Define the root user password of the UDS Tunnel Virtual Appliance:

Step 4

Test all data and finalize the configuration of the Virtual Appliance:

Repeat these steps for the second UDS Tunnel (UDSTunel02), changing only the IP field, where you should provide the IP of the second server.
UDS Enterprise Web Access

Once all the elements are configured, you can access the UDS Enterprise login window using the IP of the HAProxy Server:

User access will be automatically balanced across the two UDS servers, and if one of them goes down all requests will be redirected to the active server.

When a user accesses a desktop or virtual application through the UDS Tunnel component, connections will be divided between the two servers. If the tunnel server to which the user is connected goes down, the connection is cut, but when the user accesses the service again the connection will go through another active tunnel server.
UDS Enterprise Advanced Parameters

When UDS Enterprise is configured so that access is made through a load balancer, the system will detect the balancer's IP address as the IP address of the client:

This can cause problems when using an IP authenticator or when transports are restricted by network filters.

To solve this problem, we must tell the system that the UDS servers are behind a proxy by enabling the option "Behind a proxy", located in the section: Tools - Configuration - Security
Once this option is enabled, test whether the detection of the client IP is performed correctly:
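With `option forwardfor` in the haproxy.cfg above, HAProxy passes the client address to the brokers in an X-Forwarded-For header that it appends after any header the client sent itself. The following added example is not UDS Enterprise code; it illustrates the general technique a server behind this balancer needs so that IP-based authentication is not decided by a client-supplied header. The function names, the trusted-proxy set and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Assumption: the only trusted balancer is the HAProxy server from this guide.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.11.100")}

def client_ip(peer_addr, xff_headers):
    """Return the address to use for IP-based decisions.

    peer_addr   -- source address of the TCP connection seen by the broker
    xff_headers -- every X-Forwarded-For header value, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: any X-Forwarded-For header is client-supplied.
        return peer
    # HAProxy appends its own header last, so only the final address is
    # asserted by the balancer; earlier entries may come from the client.
    entries = [e.strip() for h in xff_headers for e in h.split(",") if e.strip()]
    if not entries:
        return peer
    try:
        return ipaddress.ip_address(entries[-1])
    except ValueError:
        return peer  # malformed header: fall back to the connection address

def allowed_by_network(peer_addr, xff_headers, network):
    """IP-authenticator style check against an allowed network (CIDR string)."""
    return client_ip(peer_addr, xff_headers) in ipaddress.ip_network(network)

def demo():
    """Constructed requests: (peer, X-Forwarded-For values) -> resolved client."""
    cases = [
        ("192.168.11.100", ["203.0.113.7"]),               # normal balanced request
        ("192.168.11.100", ["10.0.0.5", "203.0.113.7"]),   # client sent its own header
        ("198.51.100.9", ["10.0.0.5"]),                    # request bypassing the balancer
    ]
    return [str(client_ip(peer, xff)) for peer, xff in cases]

if __name__ == "__main__":
    print(demo())
```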
Support and Professional Services

VirtualCable markets UDS Enterprise through a subscription model, including support and updates, according to the number of users.

In addition, VirtualCable provides professional services to install and configure UDS Enterprise and other virtualization technologies.

For more information, visit or email us at info@udsenterprise.com