VMware Horizon Community
ctcbod
Enthusiast

Moving from security server to UAG - trying to minimise downtime on a shoestring.

I’ve taken my eye off the ball a bit here as we’re still running View Horizon 7.11, which is now EOL.

So we need to upgrade, probably to 7.13, but before doing so, we are going to install a UAG (v3.8) with our 7.11 just to get that out of the way.

We only have a single security server, with a paired connection server, authenticated with RSA SecurID. But because our workforce is now 80% remote, I need to keep downtime to a minimum.

Can we not add the UAG to View before removing the old security server?

It appears not, because VMware doc https://docs.vmware.com/en/VMware-Horizon-7/7.11/horizon-upgrades/GUID-C0CCC8D1-5E53-4190-B809-7D293... suggests removing the security server first, so we will already have some downtime here.

I have the UAG installed, but not yet fully configured, i.e. I’ve not pointed it at any connection servers, installed the SSL cert or configured RSA authentication, and I don’t want to interfere with anything. (By the way, our connection servers that we will use are on a Microsoft NLB cluster, so I'm not sure how this will work with cert thumbprints as yet.)

Anyone else been in this boat or has any recommendations on how to proceed?

Thanks in advance.


Accepted Solutions
sjesse
Leadership

To connect a UAG and use the secure gateways (PCoIP, Blast), you need to turn off the secure gateways on the connection server, which will break the security servers. The only way to do both is to add at least one more connection server and point the UAG to that. They can both be in the same environment, just not pointed at the same connection server.


7 Replies
Mickeybyte
Hot Shot

Hi @ctcbod 

As you said, you already installed the UAG so that's a good start. 

You can now start configuring your UAG and test to be sure everything works as it should. You can connect the UAG to your load balancer address. 

Once you've confirmed everything is working as it should, you can redirect your external hostname/IP to the UAG instead of the security server. You can keep the security server for a while in case you would need to revert, but once everything is working through the UAG, you can remove the security server afterwards.

I don't know why they are suggesting to first remove the security server and then install the UAG. I see no reason they cannot exist together. 

 


Regards,
Mickeybyte (ITPro blog)

ctcbod
Enthusiast

Thanks Mickey

I appreciate the response, but when you say "I see no reason they cannot exist together." does this mean they definitely can? I don't want to be adding the new UAG to View whilst the old security server is in place just in case it breaks anything, which will cause more downtime.


vmmaj
Enthusiast

Why not create another connection server to work with your new UAG? Get the new UAG and connection server working, then when you're satisfied all is OK you can cut over to the new UAG\Connection server and still leave the old Security Server\Connection server in place in case of emergency. If you are using a NAT you will just have to get your FW admin to change the NAT address for your remote View access to the UAG; it takes one push of policy.

ctcbod
Enthusiast

Thanks. 

So to clarify what you’re saying, create another 7.11 connection server (not a replica of existing), enable it in the horizon console, point the new UAG to this and test. 

I’ve allocated the new UAG a different public IP address that will NAT to the internal address, so all the network team need to do when we’re ready is change the DNS record so the external URL will resolve to the new address when we’re ready. 

I’ll pick this back up next week, but thanks for the replies – have a good weekend all.

sjesse
Leadership

No, a replica is fine; you just can't use an existing one because of the differences in how the secure gateways work with UAGs compared to security servers. When you go into the Horizon admin interface, you can see the replicas under servers, and here, under the new one, uncheck the secure gateways, but you need to leave the other ones alone.

ctcbod
Enthusiast

Thanks all. Had to take my eye off this, but finally got the UAG installed alongside the security server. We just need to figure out how\if you can get UAG to talk to an MS NLB cluster or 2 connection servers, as it seems the thumbprint pulled off the cluster address is for just one of the connection servers. I know I'm off point, but if anyone has got this working in their environment, I'd appreciate a few pointers - otherwise I'll re-post. Thanks again.
