VMware Horizon Community
jeffaustin
Contributor

Routing internet traffic to multiple View environments

Colleagues,


I have two separate View environments located in different physical locations 500 miles apart. I am looking to have a single internet DNS address as an entry point for both environments. This would prove to be uniform for install/configure and ease of deployment company-wide, while also providing an invisible process for DR if needed.


For example:

  • In a non-DR situation a user would be parsed through the entry point and delivered a virtual desktop from either site depending on what is listed in AD (or otherwise) as their home office.
  • In a DR situation either site can fail over to the other and receive a floating linked clone to continue working. (This could also prove to work as a maintenance window if needed).

That I am aware of, VMware View (5.0) does not currently have a solution for either scenario. Or am I mistaken? Has anyone deployed a similar architecture or a solution which would meet these desired requirements?

Thank you in advance,
~Jeff

0 Kudos
1 Solution

Accepted Solutions
mittim12
Immortal

I am not aware of anything built into View that could handle this. It seems that maybe some type of load balancer with intelligence regarding which site to route would be appropriate, possibly an F5 or something.

How do you handle the entitlements in the separate environments?


0 Kudos
6 Replies
jeffaustin
Contributor

Thank you...

A load balancing appliance should work.

However, if we wanted to sidestep that purchase, is there documentation out there on the communication between the Internet address and the security server? Perhaps we could build a small app to intercept and redirect accordingly?

Thank you in advance.

~Jeff

0 Kudos
mittim12
Immortal

Here is a KB that goes over the communication flow.

http://kb.vmware.com/kb/1027217

0 Kudos
jeffaustin
Contributor

We currently manage entitlement via AD security groups. The security groups are global and region specific depending on the pool. The idea was to maybe have an LDAP query prior to delivering the request to a security server, which would determine home office and profile location. From that point the request is sent onward to the appropriate region (unless a DR situation is in play). Then communication would be taken over and managed per usual client and View environment session instances. The offices are 500 miles apart, so replica servers are not recommended per best practices as I understand.

There is the idea of Geographical Load Balancing, but that's not 100% as it wouldn't cover travelers between sites. In which case we would then have View sessions available to them in both sites (like DR), but would be pulling profiles across the net. Not an optimal situation.

We'd like to see if we can build an app to poll AD and deliver the request to the appropriate region. I've read the suggested KB and it's clear as to the port requirements, but not the sequence or what the requests are being made to (View IIS, DB, otherwise) and in what order based on successful authentication. Unless I am misunderstanding the document. Is there a document that goes through this request sequence process?

Or has this spawned another solution for my desired architecture?

Best regards,

Jeff

0 Kudos
gmtx
Hot Shot

Offhand I can't think of a way to have a single DNS record do what you want without help from a load balancer or custom redirector of some sort, but two DNS records isn't all that bad. Yes, a user has to pick the right one the first time, but in my experience once the connection server name is set on the View client or a zero client, users pretty much ignore it going forward so it's a one-time config.

In the event of a DR situation, just change the dead DNS record to point to the location that's still running. You'll need to be careful about the TTLs for those records, and use a wildcard or SAN cert on your security servers (since the DNS name wouldn't match the server name in a failover situation for users of the dead server), but that should get you pretty close to what you're looking to achieve.

Geoff

0 Kudos
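The certificate point in the reply above can be checked before a failover is ever needed. The following is an added example, not part of the thread or of any VMware tooling: it tests whether a security server certificate's subject alternative names cover every DNS name users have configured, using RFC 6125 wildcard rules (a `*` only as the whole left-most label, standing for exactly one label). The hostnames and certificate contents are constructed for illustration.

```python
# Added example: hostnames and SAN lists are constructed, not from the thread.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label; partial wildcards are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return "*" not in pattern and p_labels == h_labels


def uncovered_names(cert_sans, client_names):
    """Return the client-facing DNS names the certificate would NOT validate for."""
    return [n for n in client_names if not any(san_matches(s, n) for s in cert_sans)]


# DNS names users have set in their View clients, one per site (constructed).
CLIENT_NAMES = ["view-east.example.com", "view-west.example.com"]

# Candidate certificates for the security servers at the surviving (west) site.
CERTS = {
    "single-name": ["view-west.example.com"],
    "san": ["view-west.example.com", "view-east.example.com"],
    "wildcard": ["*.example.com"],
}


def report():
    """Map each candidate certificate to the client names it fails to cover."""
    return {label: uncovered_names(sans, CLIENT_NAMES) for label, sans in CERTS.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        status = "OK" if not missing else "cert mismatch for: " + ", ".join(missing)
        print(f"{label:12} {status}")
```

A wildcard certificate only helps when both site names sit one label below the same parent domain; a name such as `view.east.example.com` is not covered by `*.example.com`.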
mikebarnett
VMware Employee

I think what you recommend is a valid idea but nothing currently exists in View to accomplish what you're looking for. A load balancer with source IP based routing is your best bet but of course this doesn't handle users who are traveling.

Adding this as a feature request is probably a good idea but I'm not sure how much traction it would get in the near future. I think as we look towards the future of View and how we will handle large-scale environments this type of question is going to come up more and more.

To file this as a feature request head over to this page and fill out the Feature Request form:

https://www.vmware.com/support/policies/feature.html

Input from this form is reviewed and considered for future releases. Put as much detail as possible into your request so the reviewers have a clear idea of what you're looking for.

-Mike

Twitter: @MikeBarnett_
0 Kudos