I'm a long time user of Horizon but this is the first time I've deployed UAGs. I'm replacing a v7.3 environment that consists of the following:
2 x Connection Servers (Internal Tag - No Tunneling)
2 x Connection Servers (External Tag - Secure Tunneling)
2 x Security Servers (Paired with the External Connection Servers)
I run a Windows NLB on the Security Servers to achieve basic load balancing and use a SINGLE external IP with port translation. e.g. PCoIP uses x.x.x.x:4173 to 4172 on Server1 and x.x.x.x:4174 to 4172 on Server2.
My query around the UAG architecture and configuration:
Q: Am I able to do the same with 2 UAGs in HA mode and use a single external IP with 80/443 pointing to the HA Virtual IP and then configure the URLs and IPs on the UAGs accordingly and forward the ports to the relevant UAG via my firewall?
The documentation seems to suggest that each UAG needs an external IP and so does the VIP, so N + 1.
UAG HA require N+1 VIPs, and the secondary protocols need to be directed to the individual UAGs based on unique external URL values.Hence
Recommend to have N+1 VIPS ( N= number of UAG appliances) - Refer to https://communities.vmware.com/docs/DOC-32792 “Method 3 - Multiple VIPs”
Multiple Port number Groups. – Refer to https://communities.vmware.com/docs/DOC-32792 “Method 2 - Multiple Port number groups”
Or else you need to use real load balancer with UAG HA feature.
Just one additional comment, UAG HA will balance the traffic on 443 - for Horizon specific it will balance the authentication (XML-API), not the secondary protocol - reason of the VIP+1
Check out this video VMware Unified Access Gateway: High Availability - Feature Walk-through that explains in detail the use of UAG HA
Thank you Shreyskar & aguedesrocha for your replies.
I went down the Multiple Port Number Groups route, which was identical to my previous setup with Security Servers. I had an issue with HA initially where although the UAGs were in a Master & Backup state and appeared to be working they weren't serving anything on 443, so I couldn't actually login. I thought it was an issue with the URLs, but it was actually HA, as if I went to the UAG IP directly it worked fine but not via the HA Virtual IP. I disabled and re-enabled HA and the Horizon View configuration and then it started working.
So I've ended up with the following configuration:
IP Addresses & DNS
External IP: 220.127.116.11
UAG HA Virtual IP: 10.1.1.10
vdi.domain.com DNS A record pointing to 18.104.22.168
HA NAT: 22.214.171.124 to 10.1.1.10 (Port 80 & 443 - TCP only)
UAG1 - PCoIP External URL: 126.96.36.199:4173 (Translated to 4172 at my firewall and pointing to 10.1.1.11 - TCP & UDP)
UAG2 - PCoIP External URL: 188.8.131.52:4174 (Translated to 4172 at my firewall and pointing to 10.1.1.12 - TCP & UDP)
UAG1 - Blast External URL: vdi.domain.com:8444 (Translated to 8443 at my firewall and pointing to 10.1.1.11 - TCP & UDP)
UAG2 - Blast External URL: vdi.domain.com:8445 (Translated to 8443 at my firewall and pointing to 10.1.1.12 - TCP & UDP)
UAG1 - Tunnel External URL: vdi.domain.com: 444 (Translated to 433 at my firewall and pointing to 10.1.1.11 - TCP only)
UAG2 - Tunnel External URL: vdi.domain.com: 445 (Translated to 433 at my firewall and pointing to 10.1.1.12 - TCP only)