iforbes
Enthusiast

remote connection sequence


Hi. I realize a best practice architecture is to have a set of load balanced security servers that pair with connection servers for your external access connections, while having a different set of load balanced internal connection servers for your internal View connections.

For the external connections what happens if a connection server that is paired with a security server is unavailable? In the picture I've attached what happens if a user makes an external connection via security server SS1 and connection server CS1 is unavailable? My understanding is that a security server can only be paired to a single connection server.

Thanks


Accepted Solutions
markbenson
VMware Employee

Ah - I recognise that diagram.

If the external load balancer is set up correctly and CS1 goes down, then traffic will be routed to SS2 and not SS1. That's because the load balancer polling will verify that SS1 and CS1 are up and, if either is down, will avoid SS1.

Mark

9 Replies
mittim12
Immortal

If you connect to a security server whose paired connection broker partner has failed then you will not be able to connect. 

iforbes
Enthusiast

Hehe. Hey, it was a good diagram :-). Ok. That makes sense now. I thought that the LB only had intelligence on the health of the security server pool of load balanced security servers and not the associated connection servers. You're saying that the load balanced virtual pool would include the security servers AND their associated connection servers? I guess it's some health check that states 'use this security server only if it's healthy and its associated connection server is healthy'.

Thanks

mittim12
Immortal

For clarification's sake, that's not something View offers and would require an external load balancer with enough intelligence to make that decision. If something was routed to the Security server with the bad CB then it would fail.

Mark, can we get a built-in load balancing method :)

iforbes
Enthusiast

Hi mittim12. Yup. I'm fully aware that an external load balancer with intelligence (i.e. F5 LTM) should be part of the architecture. I just didn't know what would happen to the connection if the connection server that was paired with a security server was dead. I provided that diagram to illustrate the architecture I was talking about. In any case Mr. Benson cleared things up.

Thanks

markbenson
VMware Employee

Ian Forbes wrote:

I guess it's some health check that states 'use this security server only if it's healthy and its associated connection server is healthy'.

That's exactly right.

This was also clarified just recently here too - http://communities.vmware.com/thread/414320

It's also true that this poll needs to be done by the external load balancer and not by View. View doesn't include the load balancer but does make recommendations for the poll method to provide exactly what you require.

I shall be talking about some of this at one of my sessions at VMworld San Francisco next week, which I'm very excited about.
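
Added example, not part of the original thread and not VMware or load balancer vendor code: a sketch of the paired health check discussed above, where a security server stays in the pool only while it and its paired connection server both pass a poll. The host names, the plain TCP probe and the fall/rise thresholds are assumptions for illustration; the thread does not specify the poll method.

```python
import socket
from typing import Callable, Dict, List

# Constructed pairing modelled on the thread: each security server
# is paired with exactly one connection server.
PAIRING: Dict[str, str] = {
    "ss1.example.test": "cs1.example.test",
    "ss2.example.test": "cs2.example.test",
}

def tcp_probe(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Assumed probe: a plain TCP connect, standing in for the real poll method."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class PairedPoolMonitor:
    """A pool member is up only if it AND its paired connection server pass."""

    def __init__(self, pairing: Dict[str, str],
                 probe: Callable[[str], bool] = tcp_probe,
                 fall: int = 2, rise: int = 2) -> None:
        self.pairing, self.probe = dict(pairing), probe
        self.fall, self.rise = fall, rise            # polls needed to flip state
        self.up = {ss: True for ss in pairing}
        self.streak = {ss: 0 for ss in pairing}      # consecutive contrary polls

    def poll(self) -> List[str]:
        """Run one polling round and return the security servers eligible for traffic."""
        for ss, cs in self.pairing.items():
            healthy = self.probe(ss) and self.probe(cs)
            if healthy == self.up[ss]:
                self.streak[ss] = 0
                continue
            self.streak[ss] += 1
            if self.streak[ss] >= (self.rise if healthy else self.fall):
                self.up[ss], self.streak[ss] = healthy, 0
        return sorted(ss for ss, ok in self.up.items() if ok)
```

With CS1 failing, SS1 drops out of the returned pool after `fall` consecutive polls even though SS1 itself still answers, which is the behaviour the load balancer needs to avoid sending users to a security server whose partner is down.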

iforbes
Enthusiast

I'll be at VMworld. Which session will you be talking about this, Mark?

mittim12
Immortal

I think I'm signed up for one of your sessions. Can't wait to see it.

markbenson
VMware Employee

Ian Forbes wrote:

I'll be at VMworld. Which session will you be talking about this, Mark?

This particular one is the group discussion GD45 on Monday and repeated on Wednesday.

I am also jointly doing the View 5.1 Security Deep dive (EUC2792) which is also Monday and Wednesday (load balancing is only covered in this one for SSL server certificate placement reasons).

I will also be at the "Meet the Experts" sessions where people can talk to me about any aspects of View HA, global deployments and security. No hard questions though 🙂

[shameless plug now over!]

Mark
