VMware Horizon View 5.2 Load Balancing

mobinqasim786 · ‎04-22-2014

Hi Guys,

I've tried to configure my View 5.2 environment with 2 Security and 2 Connection Servers with Load Balancer as shown in the video in following link.

Setting up PCoIP Remote Access with View 4.6 and Newer

I've few questions it would be great if you guys could answer them please.

1- Users will connect to myview.mydomain.com through Load Balancer VIP but we're not giving any URLs in the External URL instead we're giving an IP Address. Due to which View Admin console giving error that "SSL Certificate doesn't match the External URL".

2- Do I need to configure HTTP to HTTPS redirection on Load Balancer end? Because after configuring myview.mydomain.com as VIP, HTTP doesn't work anymore but only HTTPS works.

3- Can I use View Security Internal IPs (which are in DMZ) on External URL and PCoIP External URL?

Please find the attached screenshotsof my current configurations for Security Servers which works fine using Source Hash. Only 2 issues as dicussed above
View Administrators shows SSL Certificate does not match the External URLs and HTTP to HTTPs redirection.

Looking forward for your answers.

Cheers

bayupw · ‎04-23-2014

Hi mobinqasim786

The video from the link Setting up PCoIP Remote Access with View 4.6 and Newer is really helpful.

1. If you have VIP with myview.domain.com, e.g. first view connection/security server1 myview1.domain.com, and second view connection/security server2 is myview2.domain.com, you would need SSL Certificate with Subject Alternative Name (UCC Certificate) so the SSL can accept multiple hostname SubjectAltName - Wikipedia, the free encyclopedia

To use the new certificate, you would need to import the certificate, follow the guide here "Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate" VMware View 5.2 Documentation Library

2. To allow HTTP connections, you would need to edit the locked.properties file on the View Connection Server or Security Server, see the Horizon View Administration Guide here "Allow HTTP Connections to Intermediate Servers":

VMware View 5.2 Documentation Library

3. For External URL, on 1st security server: myview1.domain.com, 2nd security server: myview2.domain.com. External URL should not be load balanced

Similar for blast, 1st sec server: https://myview1.domain.com:8443, 2nd sec server: https://myview2.domain.com:8443

PCoIP Secure Gateway, 1st sec server: 10.20.30.10:4172, 2nd sec server: 10.20.30.11:4172

There is a good blog post on this too http://vmfocus.com/2014/01/14/load-balancing-horizon-view-design/

Don't forget to check the Load Balancer whitepaper or configuration guide for load balancing Horizon View

Hope this helps.

Thanks,

Bayu

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

RobBeekmans · ‎04-23-2014

Make sure the thumbprints of both certificates are the same, had an issue with that in the past.

Can't work with non-secure connections anymore in 5.2/3 , make sure the certificates are correct and add SAN names to accomodate for alternative names.

I once wrote a blog about it, due to an issue I was experiencing.. perhaps it might be of help vThoughts of IT: VMware View certificates and thumbprints - Man in the middle issue

That would help you with the first question you had.

The second question, I think you know my answer... you don't want http, you have to alter the clients and the servers to allow it. I think it's better to go secure.

Hope this helps

gr

Rob