VMware Horizon Community
LJMCP
Enthusiast

UAG to replace Security Servers and F5 APM

Hi,

Client uses a combination of technologies for remote access.

F5 LTM and APM (reverse proxy)

Horizon Security Servers in the DMZ.

They are interested in replacing the Windows Security Servers and possibly the F5 APM with UAG.

I assume (incorrectly?) that UAG provides reverse proxy functionality similar to F5 APM.

They also have a 3-node vIDM pool implemented for RDS RemoteApp and VDI access. They had issues after a vIDM upgrade (single sign-on not working) and had to engage F5 support for a custom SSO form for APM, which they would like to avoid.

Current:

     external user -> APM login -> vIDM -> Security Server -> Connection Server -> RDS farm/VDI pool

Desired:

     external user -> UAG -> vIDM -> Connection Server -> RDS farm/VDI pool

Can UAG be installed in front of vIDM and provide reverse proxy?

UAG, vIDM and Connection Servers all load-balanced using F5 LTM.

They also require 2FA (AD, RADIUS) for external access.

Has anyone done something similar and cares to share experience?

Thanks!

Accepted Solution
techguy129
Expert

You can use the UAG to reverse proxy both the vIDM and Horizon. It is recommended to use separate UAGs for the vIDM reverse proxy and the Connection Server reverse proxy. One thing to note is that the UAG doesn't provide load balancing. That is what the F5 LTM is for.

I would use the F5 for doing the reverse proxy for the vIDM instead of a UAG. It doesn't provide much value using the UAG for the vIDM like when using the UAG for the connection servers. F5 is a reverse proxy when you apply an HTTP profile to the virtual server.

So my recommended solution:

F5 LTM -> vIDM -> F5 LTM (LB UAGs) -> UAG -> F5 LTM(LB Connection Servers) -> Connection Servers -> RDS Farm/Pool

In this case, you can scale out the vIDM, UAG, and Connection Servers horizontally if your environment grows.

If you want to not use the F5 at all, this is an updated version of your desired flow. You can use DNS RR if you want some type of load distribution.

external user -> UAG(vIDM) -> vIDM -> UAG -> Connection Server -> RDS farm/VDI pool

Note that you actually don't tunnel traffic through the vIDM. It simply redirects you to the UAG or Connection Server for the application. You want the UAG as an edge entry point.

For 2FA, you can use vIDM for that or set up RADIUS on the UAG. I recommend the vIDM as it works much better.

For using the vIDM with 2FA, you create a third-party IdP on the vIDM server. You will want to force the UAG/Connection Servers to use vIDM. You will also need to set up TrueSSO if you want a seamless login.

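When the answer mentions setting up RADIUS on the UAG, the UAG becomes a RADIUS client of the 2FA server. The following is an added example, not code from the thread or from VMware: it implements the RADIUS client side of that exchange from RFC 2865 (User-Password hiding with the shared secret and Request Authenticator, and the Response Authenticator check a client must perform before trusting an Access-Accept), plus a constructed stand-in server so it runs offline. The shared secret, usernames, passwords and NAS identifier are constructed sample values, and the toy server is an assumption made only so the round trip can be shown; a real UAG talks to a real RADIUS server over UDP/1812.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; trailing NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_attrs(attrs) -> bytes:
    """Encode (type, value) pairs as RADIUS TLVs; Length covers the 2-byte header."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def parse_attrs(data: bytes):
    """Decode RADIUS TLVs, rejecting malformed lengths instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_id: bytes = b"uag-1"):
    """Client side: fresh random Request Authenticator per request."""
    request_auth = secrets.token_bytes(16)
    attrs = build_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth)),
        (ATTR_NAS_IDENTIFIER, nas_id),
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """What the client must check before acting on a reply: length, identifier match,
    and a Response Authenticator computed with the shared secret (constant-time compare)."""
    if len(pkt) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or identifier != expected_id:
        return False
    expected = response_authenticator(code, identifier, pkt[20:], request_auth, secret)
    return hmac.compare_digest(pkt[4:20], expected)


def simulate_exchange(username: bytes, password: bytes, secret: bytes, server_db: dict, identifier: int = 7):
    """Constructed round trip: returns (accepted, reply_verified)."""
    req, request_auth = build_access_request(identifier, username, password, secret)
    # --- toy RADIUS server (assumption; stands in for the real 2FA server) ---
    code, rid, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req):
        raise ValueError("bad request")
    attrs = dict(parse_attrs(req[20:]))
    pw = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, req[4:20])
    ok = hmac.compare_digest(server_db.get(attrs[ATTR_USER_NAME], b""), pw)
    resp = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, rid, b"", req[4:20], secret)
    # --- back on the client (the UAG's role) ---
    verified = verify_response(resp, request_auth, secret, identifier)
    return (verified and resp[0] == ACCESS_ACCEPT), verified


if __name__ == "__main__":
    db = {b"alice": b"otp-482913"}  # constructed sample credential store
    print(simulate_exchange(b"alice", b"otp-482913", b"constructed-shared-secret", db))
```

The point of `verify_response` is that an Access-Accept is only as trustworthy as the shared secret that signed it: a reply forged without the secret, or a reply whose identifier does not match an outstanding request, is dropped rather than logging the user in. Keep the shared secret long and random and restrict which source addresses the RADIUS server accepts requests from, since MD5-based RADIUS offers no stronger protection than that.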