Load Balancing for Horizon Environments in (n+1) Mode using 307 Solution

Overview

In an n+1 deployment, only the primary protocol traffic (XML/API traffic) goes through the Avi VIP. Blast and PCoIP traffic goes to the UAG servers directly.

Prerequisites

Ensure the following prerequisites are met:

  1. Avi Controller is set up.
  2. The Avi cloud configuration is complete.
  3. DNS entries are configured properly as explained in the example below.
  4. The UAG servers are configured as required, along with the other Horizon components, for an n+1 deployment.

Sample Topology

Consider the request flow with the sample topology:

[Figure: Topology]

Note: The sample topology illustrates UAG deployment in a DMZ network. However, Avi Vantage supports deployment in both DMZ and non-DMZ networks.

FQDN             | Entity Description             | IP Address used for DNS Entries              | Real IP
uagvip.site1.com | FQDN of Avi LB VIP             | VIP 1                                        | 10.10.5.200
uag1.site1.com   | FQDN of UAG server 1 on site 1 | UAG server 1 IP on site 1, i.e. 10.58.17.163 | 10.58.17.163
uag2.site1.com   | FQDN of UAG server 2 on site 1 | UAG server 2 IP on site 1, i.e. 10.58.17.164 | 10.58.17.164

Note: The IP addresses and FQDNs used in the example are for illustration purposes only. Replace them with your real environment details.

Request Flow for load balancing UAG Servers for (n+1) Deployments

The request flow for this deployment is as follows:

  1. The user sends a request to access uagvip.site1.com over the internet.
  2. The request arrives at Avi.
  3. The Avi load balancer performs the load balancing and sends the request to one of the backend UAG servers. In this case, assume that Avi sent the request to UAG server 1, i.e. uag1.site1.com.
  4. The UAG sends a 307 redirect to the client with the uag1.site1.com FQDN in the Location header. The UAG servers must be configured with the 307 feature as explained in Unified Access Gateway Support for HTTP Host Redirect. A sample UAG configuration is shown here.
  5. The client reads the Location header and queries the host named in it (uag1.site1.com).
  6. Because of the DNS entries that were created (shown in the table above), the FQDN (uag1.site1.com) resolves to the UAG server IP rather than to the VIP.
  7. All further flows, including those for the secondary protocols (Blast/PCoIP), now go to uag1.site1.com directly, bypassing the Avi LB.
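The flow above, modelled as an added Python example (not code from this page, from Avi, or from VMware): Avi hands the first request to a pool member, the UAG answers 307 with its own FQDN as the Location host, and the client's next request resolves that FQDN and reaches the UAG directly. The DNS table, pool and request path are constructed from the sample topology, and validate_host_redirect is a hypothetical check over a constructed copy of the UAG Host Redirect mapping (source host = LB FQDN, redirect host = the UAG's own FQDN).

```python
import itertools
from urllib.parse import urlsplit

# Constructed DNS table mirroring the sample topology on this page.
DNS = {
    "uagvip.site1.com": "10.10.5.200",  # Avi VIP
    "uag1.site1.com": "10.58.17.163",   # UAG server 1
    "uag2.site1.com": "10.58.17.164",   # UAG server 2
}
LB_FQDN = "uagvip.site1.com"
UAG_POOL = ["uag1.site1.com", "uag2.site1.com"]
# Host Redirect mapping as it should be set on every UAG: source host -> redirect host.
# (hypothetical dict standing in for the setting made in the UAG admin UI)
HOST_REDIRECT = {uag: {LB_FQDN: uag} for uag in UAG_POOL}
_round_robin = itertools.cycle(UAG_POOL)  # stand-in for the Avi pool's LB algorithm


def uag_handle(uag, request_host, path, mappings=HOST_REDIRECT):
    """A UAG answers 307 + Location when the request's Host matches its mapping."""
    target = mappings[uag].get(request_host)
    if target is not None:
        return 307, {"Location": f"https://{target}{path}"}
    return 200, {}  # normal XML/API handling once the client talks to the UAG directly


def client_session(path="/broker/xml"):
    """Steps 1-7 of the request flow; returns where the session ended up."""
    uag = next(_round_robin)                                  # steps 2-3: Avi picks a member
    status, headers = uag_handle(uag, LB_FQDN, path)          # step 4: Host is the LB FQDN
    if status != 307 or "Location" not in headers:
        raise RuntimeError(f"{uag} did not issue a 307 host redirect")
    redirect_host = urlsplit(headers["Location"]).hostname    # step 5: read Location
    ip = DNS[redirect_host]                                   # step 6: resolve UAG FQDN
    status2, _ = uag_handle(redirect_host, redirect_host, path)  # step 7: direct to UAG
    return {"uag": uag, "redirect_host": redirect_host, "ip": ip,
            "second_status": status2, "bypasses_lb": ip != DNS[LB_FQDN]}


def validate_host_redirect(mappings, dns, lb_fqdn):
    """Check each UAG's mapping the way an operator would; returns the problems found."""
    problems = []
    for uag, mapping in mappings.items():
        target = mapping.get(lb_fqdn)
        if target is None:
            problems.append(f"{uag}: no mapping for source host {lb_fqdn}")
        elif target not in dns:
            problems.append(f"{uag}: redirect host {target} has no DNS entry")
        elif dns[target] == dns[lb_fqdn]:
            problems.append(f"{uag}: redirect host {target} points back at the VIP (loop)")
        elif target != uag:
            problems.append(f"{uag}: redirect host {target} is not this UAG's own FQDN")
    return problems
```

A mapping whose redirect host is the LB FQDN would send every client back through Avi, so the loop check is the one to run first after changing the UAG configuration.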

Configurations for Load Balancing UAG servers

The configuration steps for load balancing UAG are as below:

  1. Creating Custom Health Monitor for UAG

  2. Creating Pools

  3. Creating an SSL Profile and Installing the SSL Certificate

  4. Disabling Connection Multiplexing

  5. Creating an L7 Virtual Service

Follow the steps below to configure site 1:

Creating Custom Health Monitor for UAG

To create a custom health monitor,

  1. From the Avi UI, navigate to Templates > Profiles > Health Monitors.

  2. Click on Create.

  3. Select the VMware cloud that was created for Horizon.

  4. Enter the following details in the New Health Monitor screen.

    Field                 | Value
    Send Interval         | 30
    Receive Timeout       | 10
    Client Requested Data | GET /favicon.ico HTTP/1.0
    Response Code         | 2xx

    The New Health Monitor screen is as shown below:
    [Figure: Health Monitor]

  5. Click on Save.

Creating Pools

Create an SSL Profile to be used in the UAG Pool

Creating SSL Profile for Pool

Create an SSL Profile for the UAG pool with the configuration given below:

  • Accepted Versions: TLS 1.2
  • Cipher List:
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

To create the SSL Profile,

  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below:
    [Figure: SSL Profile]
  4. Click on Save.

Creating the UAG L7 Pool

To create the pool,

  1. In Avi Vantage, navigate to Applications > Pools.

  2. Select the vCenter cloud from the Select Cloud sub-screen.

  3. Click on Next.

  4. Click on Create Pool.

  5. In the New Pool: screen, update the details as shown below:

    [Figure: UAG L7 Pool]

  6. Click on Next.

  7. In the Step 2: Servers tab, add the Server IP Address of each UAG server created earlier and click on Add Server.
    [Figure: UAG L7 Pool]

  8. Click on Next.

  9. Proceed through the Step 3: Advanced tab to Step 4: Review.

  10. Click on Next and then click on Save.

Installing the SSL certificate Required for L7 VIP

The SSL connection is terminated at the Avi virtual service. Therefore, the SSL certificate must be assigned to the virtual service. It is recommended to install a certificate signed by a valid certificate authority instead of using a self-signed certificate. Install the certificate in Avi Vantage, and ensure the CA certificate is imported and linked. For more information, refer to Import Certificates.

Note: For this set up, a certificate named Horizon_Certificate has been installed.

Add the SAN certificate to UAG as explained in Configuring TLS/SSL Certificates for Unified Access Gateway Appliances. Install the same certificate and key pair on Avi and bind it to the UAG L7 virtual service.

Disabling Connection Multiplexing

For UAG load balancing, disable connection multiplexing in the System-Secure-HTTP-VDI profile.

To disable connection multiplexing,

  1. Navigate to Templates > Profiles > Application > System-Secure-HTTP-VDI.

  2. Click on the edit icon.

  3. Disable the option Connection Multiplexing as shown below:
    [Figure: Connection Multiplexing]

  4. Click on Save.

Creating an L7 Virtual Service

Create an SSL Profile for the virtual service with the configuration given below:

  • Accepted Versions: TLS 1.1, 1.2
  • Cipher List:
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

To create the SSL Profile,

  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below:
    [Figure: SSL Profile]
  4. Click on Save.

To create the new L7 virtual service,

  1. From the Avi UI, navigate to Applications > Virtual Services.

  2. Click on Create Virtual Service > Advanced Setup.

  3. Use the System-Secure-HTTP-VDI as the Application Profile.

  4. Configure the virtual service as shown below:

    [Figure: L7 VS]

  5. Click on Next.

  6. Click Save.

Important Configuration to Check on UAG for this Solution

Host Redirect mapping should be configured on all UAGs.
[Figure: Configuration]

Notes:

  • Ensure the following:
    • The source host is the LB FQDN. For example, uagvip.site1.com
    • The redirect host is the UAG’s FQDN. For example, uag1.site1.com
  • Upload the TLS server certificate for the internet interface on all the UAG servers

Other Considerations

  • If SAML authentication is used on UAG, all the host names/FQDNs must be added to the SAML IDP as shown in the example below:
    [Figure: Configuration]

In some cases, when accessing the VMware Horizon Client, multiple icons for the same site can be displayed.

[Figure: Horizon]
This issue has been resolved in the Horizon 2212 client release.
Since no workaround is available, if you are on an earlier version of the Horizon client, consider upgrading to Horizon 2212 to avoid encountering this issue.