Load Balancing across VMware Access Point Appliances

     

    Introduction

    Access Point is a VMware virtual appliance designed to protect desktop and application resources to allow remote access from the Internet. For an overview of Access Point, refer to my earlier blog article. It is used with:


    • VMware Horizon View
    • VMware Horizon Air (DaaS)
    • VMware Horizon Air Hybrid Mode
    • VMware Identity Manager
    • Airwatch Tunnel Gateway/Proxy


    Access Point is typically deployed in a DMZ. To meet high availability and scalability requirements in a production deployment, several Access Point appliances are usually set up behind a load balancer, as shown in Figure 1.


    [Figure 1 image: APLB1.png]

    Figure 1 - Multiple Access Point appliances behind a load balancer.


    This article focuses on the load balancing requirements for the Horizon use cases. It explains the distinction between the primary and secondary Horizon protocols and describes three methods for guaranteeing session affinity, that is, for ensuring that all protocol traffic from one Horizon client session goes to the same Access Point appliance. It also covers health monitoring and SSL offload/SSL bridging on the load balancer.


    Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are both referred to in this document simply as SSL. By default, the SSL protocol versions and TLS 1.0 are disabled on Access Point; only TLS 1.1 and TLS 1.2 are enabled.


    Horizon Protocols

    When a Horizon Client user connects to a Horizon environment, several different protocols are used. The first connection is always the primary XML-API protocol over HTTPS. After successful authentication, one or more secondary connections are also made.


    Primary Horizon Protocol

    The user enters a hostname in the Horizon Client and this starts the primary Horizon protocol. It is a control protocol for authentication, authorization and session management, and it uses XML structured messages over HTTPS (HTTP over SSL). This protocol is sometimes known as the Horizon XML-API control protocol. In a load balanced environment as shown in Figure 1, the load balancer routes this connection to one of the Access Point appliances. The load balancer usually selects the appliance first on availability and then, among the available appliances, on the least number of current sessions. This evenly distributes the traffic from different clients across the available set of Access Point appliances.


    Secondary Horizon Protocols

    After the Horizon Client has established secure communication to one of the Access Point appliances, the user authenticates. If this authentication attempt is successful, then one or more secondary connections are made from the Horizon client. These secondary connections can include:


    • HTTPS Tunnel used for encapsulating TCP protocols such as RDP, MMR/CDR and the client framework channel. (TCP 443).
    • Blast Extreme display protocol (TCP 443 and UDP 443).
    • PCoIP display protocol (TCP 4172 and UDP 4172).

     

    These secondary Horizon protocols must be routed to the same Access Point appliance that handled the primary Horizon protocol. The reason is that Access Point authorizes the secondary protocols against the authenticated user session, and that session exists only on the appliance that performed the authentication. An important security capability of Access Point is that it forwards traffic into the corporate datacenter only on behalf of an authenticated user. If the secondary protocols were misrouted to a different Access Point appliance from the one that handled the primary protocol, they would not be authorized, would be dropped in the DMZ, and the connection would fail. Misrouting the secondary protocols is a common problem when the load balancer is not configured correctly.

     

    Session Affinity Options

    Method 1 - Source IP Affinity

    This is the simplest load balancer configuration, as it uses standard port numbers and a single load balanced VIP. It relies on the load balancer routing the secondary protocols to the same Access Point appliance that was selected for the primary Horizon protocol, which it can do by recognising repeat connections from the same Horizon client IP address. Unfortunately, this method does not work in all situations. With certain network service providers or NAT devices the client's source IP address is not usable for affinity (for example because many clients share one address, or because the address can differ between the primary and secondary connections). If source IP affinity can't be used in your environment, use one of the other two methods, as they don't depend on it.


    In this example, the public IP address is 10.20.30.40 (ap.myco.com) and would be translated to 192.168.0.100 (the load balanced VIP DMZ IP address).


    Access Point Configuration for External URLs for this configuration would be as shown in this table.


     

    Access Point Appliance   Configuration Item   Value
    AP01                     tunnelExternalURL    https://ap.myco.com:443
    AP01                     blastExternalURL     https://ap.myco.com:443
    AP01                     pcoipExternalURL     10.20.30.40:4172
    AP02                     tunnelExternalURL    https://ap.myco.com:443
    AP02                     blastExternalURL     https://ap.myco.com:443
    AP02                     pcoipExternalURL     10.20.30.40:4172

     

    Method 1 advantages:


    1. Uses standard port numbers.
    2. Does not require multiple public virtual IP addresses.

     

    Method 1 disadvantages:

     

    1. Relies on source IP address affinity which is not always possible.

     

    Method 1 is recommended for all environments where source IP address affinity is possible. Where it is not possible, then either method 2 or method 3 should be used.

     

    Method 2 - Multiple Port Number Groups

    Multiple port group affinity does not rely on source IP address for affinity. Instead the load balancer is configured to route the secondary Horizon protocols based on unique port numbers assigned to each Access Point appliance. The primary Horizon protocol on HTTPS port 443 is load balanced to allocate the session to a specific Access Point appliance based on health and least loaded. The secondary connections would then be routed to the correct Access Point appliance based on the following Load Balancer configuration table.

     

    Virtual IP Address    Primary/Secondary   Protocol   Name               Real Servers
    192.168.0.100:443     Primary             TCP        APLB - HTTPS       192.168.0.101:443, 192.168.0.102:443
    192.168.0.100:10143   Secondary           TCP        AP01 - HTTPS       192.168.0.101:443
    192.168.0.100:10143   Secondary           UDP        AP01 - BLAST-UDP   192.168.0.101:443
    192.168.0.100:10172   Secondary           TCP        AP01 - PCOIP       192.168.0.101:4172
    192.168.0.100:10172   Secondary           UDP        AP01 - PCOIP-UDP   192.168.0.101:4172
    192.168.0.100:10243   Secondary           TCP        AP02 - HTTPS       192.168.0.102:443
    192.168.0.100:10243   Secondary           UDP        AP02 - BLAST-UDP   192.168.0.102:443
    192.168.0.100:10272   Secondary           TCP        AP02 - PCOIP       192.168.0.102:4172
    192.168.0.100:10272   Secondary           UDP        AP02 - PCOIP-UDP   192.168.0.102:4172

     

    The same port mapping scheme extends to additional Access Point appliances AP03 through AP99. The virtual IP address for the load balancer might be behind a NAT device. In this example, the public IP address is 10.20.30.40 (ap.myco.com) and is translated to 192.168.0.100 (the load balanced VIP IP address).


    Access Point Configuration for External URLs for this configuration would be as shown in this table.


     

    Access Point Appliance   Configuration Item   Value
    AP01                     tunnelExternalURL    https://ap.myco.com:10143
    AP01                     blastExternalURL     https://ap.myco.com:10143
    AP01                     pcoipExternalURL     10.20.30.40:10172
    AP02                     tunnelExternalURL    https://ap.myco.com:10243
    AP02                     blastExternalURL     https://ap.myco.com:10243
    AP02                     pcoipExternalURL     10.20.30.40:10272
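The port group scheme above (1NN43 for HTTPS/Blast, 1NN72 for PCoIP, where NN is the appliance number) is easy to get subtly wrong once there are more than two appliances, and a mismatch between a load balancer rule and an appliance's externalURL is exactly the misrouting failure described earlier. The script below is an added example, not part of this article or of any VMware or load balancer vendor tooling: it generates the Method 2 load balancer rules and the matching externalURL settings for any number of appliances up to AP99, and cross-checks them against each other. The public name, public IP and VIP are the article's example values; the assumption that appliance NN lives at 192.168.0.(100+NN) is this example's own convention, chosen to match AP01 and AP02 in the tables.

```python
from __future__ import annotations

from dataclasses import dataclass

# Values from the article's Method 2 example.
PUBLIC_HOST = "ap.myco.com"   # public name that resolves to the single public IP
PUBLIC_IP = "10.20.30.40"     # public IP, NATed to the load balanced VIP
VIP = "192.168.0.100"         # load balanced VIP in the DMZ
# Assumption for this example only: appliance NN sits at 192.168.0.(100+NN),
# which matches AP01 = 192.168.0.101 and AP02 = 192.168.0.102 in the tables.
DMZ_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Rule:
    """One load balancer forwarding rule: VIP:port/proto -> real server:port."""
    vip: str
    vip_port: int
    proto: str      # "TCP" or "UDP"
    name: str
    real: str
    real_port: int


def secondary_ports(n: int) -> tuple[int, int]:
    """Ports on the VIP for appliance n: 1NN43 for HTTPS/Blast, 1NN72 for PCoIP."""
    if not 1 <= n <= 99:
        raise ValueError("the 1NNxx scheme covers appliances 01 to 99")
    base = 10000 + 100 * n
    return base + 43, base + 72


def real_ip(n: int) -> str:
    return f"{DMZ_PREFIX}{100 + n}"


def lb_rules(count: int) -> list[Rule]:
    """Secondary-protocol rules for AP01..APcount (the primary 443 rule is separate)."""
    rules: list[Rule] = []
    for n in range(1, count + 1):
        https_port, pcoip_port = secondary_ports(n)
        ip, ap = real_ip(n), f"AP{n:02d}"
        rules += [
            Rule(VIP, https_port, "TCP", f"{ap} - HTTPS", ip, 443),
            Rule(VIP, https_port, "UDP", f"{ap} - BLAST-UDP", ip, 443),
            Rule(VIP, pcoip_port, "TCP", f"{ap} - PCOIP", ip, 4172),
            Rule(VIP, pcoip_port, "UDP", f"{ap} - PCOIP-UDP", ip, 4172),
        ]
    return rules


def external_urls(n: int) -> dict[str, str]:
    """The three externalURL settings appliance n must carry under Method 2."""
    https_port, pcoip_port = secondary_ports(n)
    return {
        "tunnelExternalURL": f"https://{PUBLIC_HOST}:{https_port}",
        "blastExternalURL": f"https://{PUBLIC_HOST}:{https_port}",
        "pcoipExternalURL": f"{PUBLIC_IP}:{pcoip_port}",
    }


def consistent(count: int) -> bool:
    """Cross-check: no VIP port/proto pair points at two appliances, no secondary
    port reuses the primary port 443, and each appliance's externalURL ports are
    the ones the load balancer actually forwards to that appliance."""
    targets: dict[tuple[int, str], tuple[str, int]] = {}
    for r in lb_rules(count):
        if r.vip_port == 443:
            return False
        if targets.setdefault((r.vip_port, r.proto), (r.real, r.real_port)) != (r.real, r.real_port):
            return False
    for n in range(1, count + 1):
        urls = external_urls(n)
        https_port = int(urls["tunnelExternalURL"].rsplit(":", 1)[1])
        pcoip_port = int(urls["pcoipExternalURL"].rsplit(":", 1)[1])
        if targets[(https_port, "TCP")] != (real_ip(n), 443):
            return False
        if targets[(pcoip_port, "UDP")] != (real_ip(n), 4172):
            return False
    return True


if __name__ == "__main__":
    for r in lb_rules(2):
        print(f"{r.vip}:{r.vip_port:<6} {r.proto}  {r.name:<18} -> {r.real}:{r.real_port}")
    for n in (1, 2):
        for item, value in external_urls(n).items():
            print(f"AP{n:02d}  {item:<18} {value}")
    print("consistent:", consistent(99))
```

Running it for two appliances reproduces the two tables above; the consistency check is worth keeping in a deployment pipeline, because a rule that forwards 1NN43/UDP to the wrong real server breaks only Blast over UDP and is otherwise invisible in a TCP-only test.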


    Method 2 advantages:

     

    1. Does not rely on source IP affinity.
    2. Does not require multiple public virtual IP addresses.

     

    Method 2 disadvantages:

     

    1. Uses non-standard port numbers from the Internet, although the port numbers on the Access Point appliances themselves are standard.

     

    Method 3 - Multiple VIPs

    This method is similar to the multiple port groups method, except that instead of dedicating a port number group to each Access Point appliance it dedicates an individual VIP to each appliance, in addition to the primary load balanced VIP. If you have two Access Point appliances you set up three VIPs. The primary Horizon protocol on HTTPS port 443 is load balanced to allocate the session to a specific Access Point appliance based on health and least load. The secondary connections are then routed to the correct Access Point appliance according to the following load balancer configuration table.

     

     

    Virtual IP Address    Primary/Secondary   Protocol   Name               Real Servers
    192.168.0.100:443     Primary             TCP        APLB - HTTPS       192.168.0.101:443, 192.168.0.102:443
    192.168.0.101:443     Secondary           TCP        AP01 - HTTPS       192.168.0.101:443
    192.168.0.101:443     Secondary           UDP        AP01 - BLAST-UDP   192.168.0.101:443
    192.168.0.101:4172    Secondary           TCP        AP01 - PCOIP       192.168.0.101:4172
    192.168.0.101:4172    Secondary           UDP        AP01 - PCOIP-UDP   192.168.0.101:4172
    192.168.0.102:443     Secondary           TCP        AP02 - HTTPS       192.168.0.102:443
    192.168.0.102:443     Secondary           UDP        AP02 - BLAST-UDP   192.168.0.102:443
    192.168.0.102:4172    Secondary           TCP        AP02 - PCOIP       192.168.0.102:4172
    192.168.0.102:4172    Secondary           UDP        AP02 - PCOIP-UDP   192.168.0.102:4172

     

    Note that the secondary protocols don't have to be routed via the load balancer. If required they can bypass the load balancer.

     

    In this example:


    • the first Access Point appliance public IP address is 10.20.30.41 (ap1.myco.com) and would be translated to 192.168.0.101.
    • the second Access Point appliance public IP address is 10.20.30.42 (ap2.myco.com) and would be translated to 192.168.0.102.

     

    Access Point Configuration for External URLs for this configuration would be as shown in this table.


     

    Access Point Appliance   Configuration Item   Value
    AP01                     tunnelExternalURL    https://ap1.myco.com:443
    AP01                     blastExternalURL     https://ap1.myco.com:443
    AP01                     pcoipExternalURL     10.20.30.41:4172
    AP02                     tunnelExternalURL    https://ap2.myco.com:443
    AP02                     blastExternalURL     https://ap2.myco.com:443
    AP02                     pcoipExternalURL     10.20.30.42:4172


    Method 3 advantages:

     

    1. Does not rely on source IP affinity.
    2. Uses standard port numbers.


    Method 3 disadvantages:


    1. Requires an additional public facing VIP for each Access Point appliance in addition to the primary load balanced VIP.

     

    Health Monitoring

     

    A load balancer monitors the health of each Access Point appliance by periodically sending an HTTP GET /favicon.ico request to it (over the appliance's HTTPS listener on port 443). This is configured on the load balancer. The load balancer performs this GET and expects a "200 OK" response from Access Point to consider the appliance healthy. If it gets a response other than "200 OK", or no response at all, it marks that Access Point appliance as down and stops routing client requests to it. It continues to poll so that it can detect when the appliance becomes available again.
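Before trusting a load balancer's monitor, it helps to run the same check by hand and to confirm that the "anything but 200 counts as down" rule holds for the three cases that matter: a healthy appliance, one that answers with an error status, and one that does not answer at all. The script below is an added example, not code from this article or from VMware or any load balancer vendor. The appliance addresses in APPLIANCES are the article's example DMZ IPs. The fake appliance it spins up for the offline demo is constructed for this example and speaks plain HTTP only so the demo can run on a laptop; real appliances are probed over TLS on 443, and verify_tls should stay True in production with the CA that issued the appliance certificates installed on the probing host.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The article's example DMZ addresses; replace with your own appliances.
APPLIANCES = {"AP01": ("192.168.0.101", 443), "AP02": ("192.168.0.102", 443)}


def probe(host, port, use_tls=True, verify_tls=True, timeout=3.0):
    """GET /favicon.ico from one appliance, as the load balancer monitor does.
    Returns (status, reason); status is None when there was no usable answer
    (connection refused, timeout, TLS handshake failure, malformed reply)."""
    conn = None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify_tls:      # lab use only: accept self-signed appliance certs
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/favicon.ico")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.reason
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)
    finally:
        if conn is not None:
            conn.close()


def is_up(status):
    """The load balancer's rule: only an HTTP 200 counts as healthy."""
    return status == 200


def check_all(appliances=APPLIANCES, **probe_args):
    """Map appliance name -> up/down for a real set of appliances."""
    return {name: is_up(probe(host, port, **probe_args)[0])
            for name, (host, port) in appliances.items()}


class _FakeAccessPoint(BaseHTTPRequestHandler):
    """Constructed stand-in, used only to exercise the probe offline over plain HTTP."""
    healthy = True

    def do_GET(self):
        code = 200 if (self.healthy and self.path == "/favicon.ico") else 503
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def _serve(healthy):
    handler = type("Handler", (_FakeAccessPoint,), {"healthy": healthy})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe three fake appliances: healthy, answering 503, and not listening at all."""
    results = {}
    for name, healthy in (("AP01", True), ("AP02", False)):
        srv = _serve(healthy)
        try:
            results[name] = is_up(probe("127.0.0.1", srv.server_address[1], use_tls=False)[0])
        finally:
            srv.shutdown()
            srv.server_close()
    with socket.socket() as s:          # reserve a port nobody is listening on
        s.bind(("127.0.0.1", 0))
        dead_port = s.getsockname()[1]
    results["AP03"] = is_up(probe("127.0.0.1", dead_port, use_tls=False, timeout=1.0)[0])
    return results


if __name__ == "__main__":
    print(demo())                       # {'AP01': True, 'AP02': False, 'AP03': False}
    # Against real appliances from a host in the DMZ: print(check_all())
```

Two things the demo makes visible that a vendor GUI often hides: the monitor must treat no answer and a non-200 answer identically, and it must probe each real server address directly rather than the VIP, otherwise a single healthy appliance keeps the whole pool marked up.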

     

    SSL Offloading or Bridging

     

    Many load balancers have the capability of SSL offloading where the SSL connection terminates at the load balancer. This can be useful for managing SSL server certificates and ciphers etc. at the load balancer.

     

    For the client connection to be secure all the way to Access Point when the load balancer is configured to terminate SSL, the traffic between the load balancer and Access Point must be re-encrypted. This is often known as SSL bridging, as nothing is actually offloaded from Access Point. On that second leg the load balancer should also verify the Access Point server certificate rather than accept any certificate, otherwise re-encryption protects the DMZ hop against eavesdropping but not against a spoofed appliance.

     

    Access Point supports load balancers that use SSL bridging and load balancers that pass through the SSL communication for termination at Access Point.