VMware Horizon Community
ITTech2002
Contributor

VMware View load balancing

In the scenario that you have two View Security servers and two View Connection servers... What happens if one of the connection servers crashes – how does the security server that it is paired with know to halt traffic on that leg so that all the connections use the secondary security server and connection server pair? Otherwise – it makes no sense to have two security servers as you’re not getting true redundancy via the load-balancer.


Accepted Solutions
markbenson
VMware Employee

For the Load Balancer in front of the Security Servers, you should healthcheck the Security Servers with "GET /favicon.ico HTTP/1.0". That way, if a Security Server is down or its paired Connection Server is down, traffic will route to the other Security Server(s).

The documentation for the mainstream Load Balancer vendors has details on setting them up in this way to get complete fault tolerance.

Mark

12 Replies
mittim12
Immortal

I guess it depends on how you are doing your load balancing. If you're using something like DNS round robin then yes, that would be a problem, but if you're using something that has more intelligence, maybe it removes the bad pair from the equation and simply routes to the good security server/connection broker.

ITTech2002
Contributor

Thanks much!  Can you provide any details on how F5 might accomplish this?

markbenson
VMware Employee

ITTech2002 wrote:

Thanks much!  Can you provide any details on how F5 might accomplish this?

Well F5 certainly can 🙂

Try this - http://www.f5.com/pdf/white-papers/dell-f5-vmware-view-wp.pdf but contact F5 because depending on your F5 version, there is probably newer information. It is a very common deployment scenario.

Mark

Mickelonis
Contributor

You should set your load balancer up to probe multiple items....

1. Probe that port 80 traffic is working on the security server.

2. Probe that the view connection server service is started on the view connection server that the security server is attached to.

markbenson
VMware Employee

Mickelonis wrote:

You should set your load balancer up to probe multiple items....

1. Probe that port 80 traffic is working on the security server.

2. Probe that the view connection server service is started on the view connection server that the security server is attached to.

The advantage of the "GET /favicon.ico HTTP/1.0" to the Security Server is that it tests the health of the Security Server *and* paired Connection Server. This means that you don't have to poll the Connection Server directly in this case.

Mark

mpryor
Commander

To expand on what Mark said, you have to explicitly ensure:

* Ensure you get a 200 response back; you will still get a response if the backend CS is down, but it will be a 503.

* You test using HTTPS if it's enabled on the server; most of the time this is the case. When HTTPS is enabled, HTTP is simply a local status/redirect page served from the security server and so will give you a false positive.

FirstTennesseeB
Contributor

Can you give a little more detail on this setup? My firewall/F5 guy is not getting back a 200 like he would expect. He is able to see a response via the command line of 503 and 302 (443 is encrypted).

Regards,

Ben Mitchell

FTB Server Team

mpryor
Commander

FirstTennesseeBank wrote:

Can you give a little more detail on this setup? My firewall/F5 guy is not getting back a 200 like he would expect. He is able to see a response via the command line of 503 and 302 (443 is encrypted).

Regards,

Ben Mitchell

FTB Server Team

You are seeing 302 because you're testing the http port; as mentioned above, this will either display a link or redirect you to https depending on the version of View you're using. You can only reliably test using an actual https connection on 443.

FirstTennesseeB
Contributor

That is correct. I'm being told that we can't view HTTPS because it's encrypted. He is using the following command to check the server. I'm not sure I'm explaining what we want done to our F5/Firewall guy. But below is what he told me he has in the F5.

Send String = GET / \r\n\r\n

Receive String = view

Cipher List = DEFAULT+SHA+3DES+kEDH

Regards

Ben Mitchell

FTB Server Support

mpryor
Commander

I'm sorry, I don't have an F5 device so can't give you specific instructions. I'd hope you can tell it to do the SSL handshake then write the test inside the encryption layer. Your test is looking for "view" in the response; you should be explicitly looking for an HTTP status code of 200.

FirstTennesseeB
Contributor

Once I was able to explain the goal to our Risk guy he was able to set it up and get it working. Thanks everyone!!

Regards,

Ben Mitchell
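
The check this thread converges on (send "GET /favicon.ico HTTP/1.0" inside the TLS session and accept only a 200), sketched in Python as an added example; it is not code from any poster, VMware or F5. The function names, the `cafile` parameter for an internal CA, and the sample responses are assumptions constructed for illustration.

```python
import socket
import ssl

PROBE = b"GET /favicon.ico HTTP/1.0\r\n\r\n"  # request quoted in the thread


def status_code(raw: bytes):
    """Return the HTTP status code from a raw response, or None if malformed."""
    status_line = raw.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return None
    try:
        return int(status_line[1])
    except ValueError:
        return None


def is_healthy(raw: bytes) -> bool:
    """Only an explicit 200 counts. A 503 (paired Connection Server down) or a
    302 (plain-HTTP redirect page) must take the node out of rotation."""
    return status_code(raw) == 200


def probe(host: str, port: int = 443, timeout: float = 5.0, cafile=None) -> bool:
    """Complete the TLS handshake, send the probe inside it, judge the reply."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate is verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(PROBE)
                raw = tls.recv(4096)
    except OSError:  # covers refused connections, timeouts and ssl.SSLError
        return False
    return is_healthy(raw)


# Constructed sample responses (not captured from a real View server).
SAMPLES = {
    "ok": b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n\r\n\x00\x00",
    "cs_down": b"HTTP/1.1 503 Service Unavailable\r\n\r\n<html>view unavailable</html>",
    "http_port": b"HTTP/1.1 302 Found\r\nLocation: https://view.example.test/\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, status_code(raw), "UP" if is_healthy(raw) else "DOWN")
```

The constructed `cs_down` sample contains the word "view" in its body, so a receive-string match on "view" would keep that node in rotation while the status-code check removes it.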
