VMware Horizon Community
NelsonCandela (Enthusiast)

Architecture question: two AD forests, no trust, UAG - CS - most simple setup

Hey guys,

I was wondering if you could help me with a question concerning a planning of a Horizon infrastructure.

There are two separate AD forests, let's say "external" and "internal". There is no trust relationship between the two, and my wish is to use the simplest possible setup in combination with UAG, Connection Servers, authentication, Instant Clones, etc.

Meaning: Do I need the same architecture individually like so?

External: UAG (external) > Connection Server (external) > Active Directory (external)
-------------------------------------------------------------------------------------
Internal: UAG (internal) > Connection Server (internal) > Active Directory (internal)

Is there a way to simplify this setup and maybe use the same UAG for both internal and external access, bearing in mind that the domains are not related, trusted or otherwise linked to each other?

Would I even need a separate vCenter instance for this to work or can all resources be managed by the same vCSA?

Thanks a ton!

BR
NC

Accepted Solution
NelsonCandela (Enthusiast)

Hey @Mickeybyte,

thanks for your feedback, and apologies for replying only today.

You are right: one Connection Server can be linked to only one UAG and vice versa. The approach I was going for was to somehow find a solution to unify the required components to a bare minimum, to keep complexity and maintenance down. But that's easier said than done, and there are limitations, of course.

The structure I have built is basically two separate instances of all Horizon components with a common vCenter in the middle. To use my previous way of displaying it, it would probably be described best like so:

UAG EXT > Connection Server EXT > Active Directory EXT > vCenter < Active Directory INT < Connection Server INT < UAG INT

Everything that's external (EXT) doesn't know anything about the components labelled as internal (INT). These are two environments, built more or less the same, but as mentioned in my initial post with no trusts between the domains and therefore standalone. What I needed to do was to add authentication sources for both domains in vCenter, which I did by using LDAP.

I found a KB article that generally states that this idea is supported: https://kb.vmware.com/s/article/80673

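The shared vCenter in the layout above is the one component both untrusted forests touch, so it becomes the trust boundary between them: each pod's Connection Server holds a vCenter service account, and if those accounts carry permissions at the vCenter root, a compromise of the external pod can reach the internal pod's desktops through vCenter. The following PowerCLI script is an added example, not code from this thread or from VMware. It creates one role with an illustrative instant-clone privilege set, grants it to each pod's service account (which authenticates through the LDAP identity source added for that forest) only on that pod's own datacenter, and then audits that neither principal holds a permission outside its pod. The vCenter name, domain and principal names, datacenter names and the privilege list are assumptions; the minimum privileges documented for your Horizon version are authoritative, and because the vendor guide assigns the role at the vCenter level, verify that instant-clone provisioning still works with this narrower scope before relying on it.

```powershell
# Added example, not from the thread or from VMware.
# Scope each Horizon pod's vCenter service account to its own inventory on the
# shared vCenter, then audit that no principal reaches outside its pod.
# All names below are placeholders (assumptions).

Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.example.test'   # hypothetical shared vCSA

# One entry per pod. Principals resolve through the LDAP identity source that
# was added to vCenter SSO for each untrusted forest.
$pods = @(
    @{ Name = 'EXT'; Principal = 'EXTDOM\svc-horizon-ext'; Datacenter = 'DC-EXT' },
    @{ Name = 'INT'; Principal = 'INTDOM\svc-horizon-int'; Datacenter = 'DC-INT' }
)

# Illustrative privilege set for instant-clone pools (assumption: take the
# authoritative list for your Horizon version from the Horizon admin guide).
$privilegeIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Folder.Create', 'Folder.Delete',
    'Global.ManageCustomFields', 'Global.SetCustomField',
    'Host.Config.AdvancedConfig',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot'
)

# One role shared by both pods; the separation comes from where it is granted,
# not from the role itself.
$roleName = 'Horizon-Pod-Service'
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privilegeIds)
}

foreach ($pod in $pods) {
    # Grant only on this pod's own datacenter (which holds its hosts, VM folders
    # and datastores). Nothing is granted at the vCenter root, so the EXT
    # principal has no path to the INT datacenter and vice versa.
    $dc = Get-Datacenter -Name $pod.Datacenter
    New-VIPermission -Entity $dc -Principal $pod.Principal -Role $role -Propagate $true | Out-Null
}

# Audit: every permission held by a pod principal must sit on, or below, that
# pod's datacenter. Returns $true when the boundary holds.
function Test-PodScope {
    param([hashtable]$Pod)
    $dc = Get-Datacenter -Name $Pod.Datacenter
    $allowedIds = @($dc.Id) + @(Get-Inventory -Location $dc | Select-Object -ExpandProperty Id)
    $outOfScope = Get-VIPermission -Principal $Pod.Principal |
        Where-Object { $_.Entity.Id -notin $allowedIds }
    foreach ($p in $outOfScope) {
        Write-Warning ("{0}: {1} holds role '{2}' on '{3}', outside its pod" -f `
            $Pod.Name, $Pod.Principal, $p.Role, $p.Entity.Name)
    }
    return (@($outOfScope).Count -eq 0)
}

foreach ($pod in $pods) {
    $ok = Test-PodScope -Pod $pod
    Write-Output ("{0}: permission scope {1}" -f $pod.Name, $(if ($ok) { 'OK' } else { 'VIOLATED' }))
}

Disconnect-VIServer -Confirm:$false
```

Run it from a workstation with PowerCLI installed against the shared vCSA after both LDAP identity sources exist. The audit at the end is worth re-running whenever vCenter permissions change, because nothing else stops a later root-level grant (for example a "temporary" Administrator assignment during troubleshooting) from silently reconnecting the two pods.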
3 Replies
Mickeybyte (Hot Shot)

@NelsonCandela 

The UAG and the Connection Servers are connected to each other, so you can't connect a UAG to two Connection Servers. If you really need them separated, you'll need every component twice.

I haven't done this before, but have you read this: Configuring Untrusted Domains (vmware.com)? Maybe this can be a solution to what you need.

Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
Mickeybyte (Hot Shot)

@NelsonCandela 

Read the following KB article: Support Limitations when sharing a Single vCenter Server Across Multiple Horizon Pods (80673) (vmwar.... It seems like this matches your scenario.

Regards,
Mickeybyte (ITPro blog)