VMware Horizon Community
qlnyo
Contributor

VDI Environment HA

Hey Guys,

I have to size a new VDI environment and I'm not sure how to configure this.

If I install two Unified Access Gateways in our DMZ, is it still necessary to configure two Horizon View Connection Servers for external use and two for internal?

I want to work with UEM profiles (I think they are better than Windows roaming profiles for keeping our user profiles smaller). How can I make this HA? Are there any best-practice guides for this?

What I would do:

2 Unified Access Gateways in our DMZ with a load balancer in front

2 View Connection Servers in our LAN with a load balancer in front

2 App Volumes servers with a SQL cluster in our LAN with a load balancer in front

UEM profiles: unclear

Thanks for your help!

Regards

Accepted Solutions
techguy129
Expert

UEM profiles are stored on a file share. I highly recommend it over roaming profiles. You just need to make your file shares highly available. For Windows, you can set up WSFC to provide the shares or use some type of NAS device.

Your "what I would do" is a great way to make your environment HA. That is how I deploy environments, with everything having a load balancer in front of it. It's recommended to forward all traffic (internal and external) to your UAGs. They can handle the load, thus only having two CS internally.

Knowing little about your environment: if you are trying to span two data centers, you should look at using a Pod architecture.

For best practices:

VMware Knowledge Base

http://blogs.vmware.com/euc/2018/06/workspace-one-on-premises-reference-architecture.html

10 Replies
qlnyo
Contributor

Thanks for your answer.

Sorry, I forgot an important thing.

I want to implement 2FA with SMS Passcode for external access.

As far as I know I have to activate 2FA on our View Connection Servers, so I have to configure 4 connection servers, because I don't want 2FA for internal use.

If it's recommended to forward internal traffic to our UAGs too, do I have to configure 4 UAGs?

2 UAGs with a load balancer in front which point to the 2 connection servers where 2FA is activated.

2 UAGs with a load balancer in front which point to the 2 connection servers for internal access?

Regards, Daniel

techguy129
Expert

MFA does change things up a bit.

If you're not worried about the extra layer of security then I would send internal traffic to the load balanced connection servers. You can configure RADIUS settings (or whatever you use) on the UAG and have external users going through that.

Another architecture design that I use for my large deployment is to use Workspace to provide MFA and front Horizon. It's more complex but better for larger environments. It has network policies that allow you to forward to different IdPs based on IP range. For Horizon login, we enable TrueSSO for seamless integration.

qlnyo
Contributor

So no matter whether I configure my environment with Workspace or with UAGs for external and internal access, I have to use 2 View Connection Servers with MFA and 2 without MFA?

techguy129
Expert

UAG will handle the MFA so you only need two connection servers.

qlnyo
Contributor

OK, thanks a lot for your help!

sjesse
Leadership

There is one instance where you may want to have another set of connection servers: that's if you want to separate desktop pools that are available internally from ones that are available externally. If that seems like something you may want to do, you would need to have a pair of connection servers for the external connections as well. They can be replicas, but you can use the connection server tagging feature to label them as external connection servers. It's a requirement I had with our environment: we didn't want to have some desktop pools available from anywhere, and we didn't want to use Workspace yet.

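To make the tagging approach above concrete, here is an added Python model (not VMware code and not from this thread) of Horizon's documented restricted-entitlement rule: an untagged pool is reachable through any Connection Server, a tagged pool only through a Connection Server carrying one of its tags, and an untagged Connection Server reaches only untagged pools. Server and pool names are constructed sample data; the audit function is a hypothetical helper for reviewing what the external (UAG-facing) pair actually exposes.

```python
"""Model of Horizon restricted entitlements (Connection Server tags).

Rule modelled (Horizon restricted entitlements, as documented):
  - a pool with no tags is reachable through any Connection Server;
  - a pool with tags is reachable only through a Connection Server that
    carries at least one of those tags;
  - a Connection Server with no tags reaches only untagged pools.
All names below are constructed sample data, not a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class DesktopPool:
    name: str
    tags: frozenset = frozenset()


def pool_reachable(server: ConnectionServer, pool: DesktopPool) -> bool:
    """Apply the tag-matching rule for one server/pool pair."""
    if not pool.tags:
        return True  # untagged pools are visible from every server
    return bool(server.tags & pool.tags)  # needs at least one shared tag


def reachable_pools(server: ConnectionServer, pools) -> list:
    """Names of pools this Connection Server can broker, sorted."""
    return sorted(p.name for p in pools if pool_reachable(server, p))


def audit(servers, pools) -> dict:
    """Hypothetical review helper: server name -> pools it exposes."""
    return {s.name: reachable_pools(s, pools) for s in servers}


# Constructed topology: an external (DMZ-facing) pair, an internal pair,
# and a legacy server nobody tagged.
EXTERNAL_CS = ConnectionServer("cs-ext-01", frozenset({"external"}))
INTERNAL_CS = ConnectionServer("cs-int-01", frozenset({"internal"}))
UNTAGGED_CS = ConnectionServer("cs-legacy-01")
POOLS = [
    DesktopPool("Finance-Desktops", frozenset({"internal"})),
    DesktopPool("Contractor-Desktops", frozenset({"external"})),
    DesktopPool("General-Desktops"),  # no tag: exposed everywhere
]

if __name__ == "__main__":
    for cs, names in audit([EXTERNAL_CS, INTERNAL_CS, UNTAGGED_CS], POOLS).items():
        print(f"{cs}: {', '.join(names)}")
```

Note that the untagged General-Desktops pool is reachable through the external pair as well; pools that must stay internal need a tag, not just the absence of the external one.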
BenFB
Virtuoso

This is the reason we have a pair of internal and a pair of external connection servers. Keep this in mind.

qlnyo
Contributor

Sorry for the late response.

Is VMware Identity Manager not a better option for those scenarios?

BenFB
Virtuoso

I think it depends on your environment and needs. We already have an identity management/MFA platform that is managed by different teams, so I'm just a consumer. If we didn't already have something in place and I was going to have to deploy/manage it, I would look at VMware Identity Manager (VIDM).
