VMware Horizon Community
dmuligan
Enthusiast

UAG cookie persistence

Hi,

Is it supported to use SSL offload on the load balancer for external connections in front of the UAG, so that cookie persistence can be used instead of source IP?

Thank you.

9 Replies
BenFB
Virtuoso

There are three supported methods for maintaining session affinity with the UAG, but cookies are not one of them. Assuming you are using an F5, you should be using the latest Horizon View iApp, which will help with UAG configuration.

Load Balancing across VMware Unified Access Gateway Appliances

dmuligan
Enthusiast

Hi BenFB,

Could you please help me to understand why session affinity using cookies is not supported?

Just trying to understand it.

Thank you.

BenFB
Virtuoso

Why do you specifically need to use cookies? Can you help us understand your architecture and what you are trying to accomplish?

sjesse
Leadership

I have no idea, but I'm guessing that since thin clients and possibly others can't set cookies because of client restrictions or limitations, cookie persistence won't work. I don't think cookie persistence will work for the display protocols specifically, which are secondary connections, I believe. Again, this is just me trying to think of reasons.

dmuligan
Enthusiast

Hi BenFB, we cannot use source IP because we have a SNAT rule.

Asking for more public IPs for the multiple VIP method will take time, and multiple ports will not be authorised by the security team.

BenFB
Virtuoso

I'm assuming you are using an F5 load balancer? Are you using the Horizon View iApp to configure load balancing of the UAG and Connection Servers?

dmuligan
Enthusiast

No, it is an open source load balancer, but it could be any other.

Is there any difference using the F5?

Thank you.

sjesse
Leadership

public ips for multiple VIP method will take time and multiple ports

What are you trying to accomplish? On our F5 we have one external IP, these then point to different pools with the unified access gateways in them, and we only allow 443, 8443, 4172 through. 80 is a direct redirect to 443, and there are UDP and TCP versions of all the ports so the display protocols can do what they need to. I specifically followed the following F5 guide to set up our

https://www.f5.com/pdf/solution-center/load-balancing-vmware-unified-access-gateway-servers-deployme...

The only change we made is that I have pairs of UAGs for different purposes, so we use an iRule to route traffic to the correct ones.

BenFB
Virtuoso

We are using an F5, but we have SNAT configured using the Horizon View iApp for our UAG. I know you are using a different load balancer, but why is it that SNAT will not work for you?
