VMware Workspace ONE Community
txfree2
Enthusiast

WS1 Load Balancing issue

I'm setting up WS1 Access (20.10.0.1) with Legacy Connector Version 19.03.0.1 connecting to Horizon 8.x. I am using a 3rd party IDP (CAS from Apereo) for SSO. I got WS1 working great with SSO; when I put the DNS record (VDIDEV.byui.edu) in front of WS1, it broke. If you go to the DNS record, it will point you over to our SSO (CAS) and allow you to sign in just fine, but it will time out trying to get to the WS1 user portal page.

I think all I need to do is change the SP metadata to point to the DNS record, but I can't find how to change the SP metadata. Can I change it? I think I need to change the entityID; is that possible? So far I only have 1 WS1 appliance, 1 Connector server and an external SQL database.

0 Kudos
3 Replies
AlexAskin
Enthusiast

Hi,

Can you elaborate more on your setup?


Internet --|DMZ|--> Firewall -> Load Balancer -> WS1 Access <- Firewall <--|DMZ|-- Connector -> Horizon


Used External and/or Internal?

Public FQDN on WS1 Access set to VDIDEV.byui.edu?

External DNS pointing to LB?

Internal DNS (incl. PTR) pointing to LB?

SSL terminating at LB?

0 Kudos
txfree2
Enthusiast

I'm using VMware Support as well; they said it should all work. They don't understand why it's not working either, and that's not good.


Used External and/or Internal? External only

Public FQDN on WS1 Access set to VDIDEV.byui.edu? I have VDIDEV.byui.edu (that's public) going to WS1 (not public, sitting in the DMZ)

External DNS pointing to LB? The DNS record is sitting in the LB

Internal DNS (incl. PTR) pointing to LB? No internal

SSL terminating at LB? Yes


The agent goes to the site https://vdidev.byui.edu, then WS1 hands you off to our SSO. You authenticate, and it breaks trying to send you back to the WS1 catalog page.


0 Kudos
Jason742
Contributor

What happens is: the client sends a request to the VIP on the load balancer. The load balancer then forwards the traffic to the server, but because you are doing only destination NAT, the source IP remains the same. The server then sees that the request came from the same subnet it is located on, so instead of sending the data to its default gateway, it sends the data back to the client directly. The client is unaware of any direct communication with the server (it was talking to the load balancer), so it ignores that response.

What you can do: 1) do both source and destination NAT on the load balancer, 2) instead of doing NAT, do TCP proxying, 3) don't use the load-balanced VIP for servers on the same subnet.

0 Kudos
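The return-path reasoning in the reply above, modelled as a small Python check so the three fixes can be compared side by side. This is an added example, not code from the thread or from VMware; the addresses are constructed, and it assumes that a reply sent to the server's default gateway travels back through the load balancer, so only a same-subnet client lets the server bypass it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LBMode:
    """How the load balancer rewrites a client connection to the VIP."""
    dnat: bool = True        # VIP -> real server address (always on here)
    snat: bool = False       # client source -> the LB's own address
    tcp_proxy: bool = False  # LB terminates TCP and opens its own connection


def reply_path(client_ip: str, vip: str, lb_ip: str, server_ip: str,
               server_subnet: str, mode: LBMode) -> dict:
    """Work out where the server's reply goes and whether the client accepts it.

    Assumption (not from the thread): the server's default-gateway path runs
    back through the load balancer, so only an on-link client is reached directly.
    """
    client, lb, subnet = ip_address(client_ip), ip_address(lb_ip), ip_network(server_subnet)

    # Source address the server sees on the incoming SYN.
    if mode.tcp_proxy or mode.snat:
        server_sees_src = lb        # the LB is the apparent client
    else:
        server_sees_src = client    # DNAT only: the real client address survives

    # Where the server sends its reply: on-link clients are ARPed for directly.
    if server_sees_src in subnet and server_sees_src != lb:
        reply_via, client_sees_src = "direct", ip_address(server_ip)
    else:
        reply_via, client_sees_src = "lb", ip_address(vip)   # LB un-NATs to the VIP

    # The client only accepts a reply from the address it connected to (the VIP).
    return {"server_sees_src": str(server_sees_src), "reply_via": reply_via,
            "client_sees_src": str(client_sees_src),
            "works": client_sees_src == ip_address(vip)}


def thread_scenarios() -> dict:
    """Broken baseline plus the three fixes from the reply, on constructed addresses."""
    args = dict(client_ip="10.0.1.50", vip="10.0.1.10", lb_ip="10.0.1.11",
                server_ip="10.0.1.20", server_subnet="10.0.1.0/24")
    return {
        "dnat_only_same_subnet": reply_path(mode=LBMode(), **args),
        "snat_and_dnat": reply_path(mode=LBMode(snat=True), **args),
        "tcp_proxy": reply_path(mode=LBMode(tcp_proxy=True), **args),
        "client_off_subnet": reply_path(mode=LBMode(), **{**args, "client_ip": "192.0.2.10"}),
    }
```

In the broken case the client receives a reply sourced from 10.0.1.20 instead of the VIP 10.0.1.10 and drops it; a packet capture on the server showing replies addressed directly to client IPs on its own subnet is the corresponding real-world symptom.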