KFM
Enthusiast

The intention was to have two UAGs in an active/active setup. This requires a load-balancer in front to distribute the incoming sessions to the UAG with the least connections.

As I was deploying the UAG for a Horizon DaaS deployment, I didn't need to put another LB in front of the tenant appliances since these are natively HA out of the box - no further configuration or LB required. I haven't worked with Horizon View for many years so I can't say if putting a LB in front of the connection server is a supported topology.

As for the HAProxy config, here it is below. Note that the design I came up with was to have one public IP address to which all tenant portal URLs would resolve. HAProxy would then use SNI to forward the request to that particular tenant's UAG pair. This allowed me to scale out the number of tenant appliances whilst load-balancing the connections through a pair of pfSense/HAProxy appliances. There are obviously a number of different ways you could design this - each with their respective pros and cons.

Hope that helps!

# Automatically generated, don't edit manually.
# Generated on: 2019-04-19 08:26
global
    maxconn            1000
    log                /var/run/log    local0    info
    stats socket /tmp/haproxy.socket level admin
    uid                80
    gid                80
    nbproc             1
    hard-stop-after    15m
    chroot             /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 2
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Universal_UAG_Frontend
    bind               publicIP:443 name publicIP:443
    mode               tcp
    log                global
    option             tcplog
    timeout client     30000
    tcp-request inspect-delay    5s
    acl                TenantA    req.ssl_sni -i daas.TenantA.com
    acl                TenantB    req.ssl_sni -i daas.TenantB.com
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend TenantA_UAG_Pool_ipvANY  if  TenantA
    use_backend TenantB_UAG_Pool_ipvANY  if  TenantB

backend TenantA_UAG_Pool_ipvANY
    mode               tcp
    id                 100
    log                global
    stick-table type ip size 50k expire 1h
    stick on src
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option             httpchk GET /favicon.ico
    server             TenantA-UAG1 TenantA_UAG1_PrivateIP:443 id 106 check-ssl check inter 1000  verify none
    server             TenantA-UAG2 TenantA_UAG2_PrivateIP:443 id 102 check-ssl check inter 1000  verify none

backend TenantB_UAG_Pool_ipvANY
    mode               tcp
    id                 103
    log                global
    stick-table type ip size 50k expire 1h
    stick on src
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option             httpchk GET /favicon.ico
    server             TenantB-UAG1 TenantB_UAG1_PrivateIP:443 id 101 check-ssl check inter 1000  verify none
    server             TenantB-UAG2 TenantB_UAG2_PrivateIP:443 id 102 check-ssl check inter 1000  verify none

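The frontend above never terminates TLS: HAProxy waits for a ClientHello (`req.ssl_hello_type 1`), reads the SNI host name out of it (`req.ssl_sni -i ...`) and hands the raw TCP stream to the matching tenant backend, so the UAGs keep their own certificates. The following added Python example (not part of the post or of pfSense/HAProxy) shows what that inspection actually does: it builds a constructed ClientHello, parses the SNI extension the way the `req.ssl_sni` fetch does, and maps it to the backend names from the config; the hostnames and pool names are taken from the post, and anything that is not a ClientHello or does not match an acl gets no backend, which is what happens here too since there is no `default_backend`.

```python
import struct

# Routing table mirroring the post's acl/use_backend pairs ("-i" = case-insensitive).
ROUTES = {
    "daas.tenanta.com": "TenantA_UAG_Pool_ipvANY",
    "daas.tenantb.com": "TenantB_UAG_Pool_ipvANY",
}

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (test input)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name, length, name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                           # client_version, constructed zero random
            + b"\x00"                                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None (what req.ssl_sni yields)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:              # handshake record, type ClientHello
            return None
        pos = 9 + 2 + 32                                         # skip record/handshake hdr, version, random
        pos += 1 + record[pos]                                   # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]      # cipher suites
        pos += 1 + record[pos]                                   # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0 and ext_len >= 5:                   # server_name: list_len(2), type(1), len(2)
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                     # truncated or malformed: no SNI
    return None

def choose_backend(record: bytes):
    """Select the backend the frontend's acl/use_backend lines would; None means no route."""
    sni = extract_sni(record)
    return ROUTES.get(sni.lower()) if sni else None

if __name__ == "__main__":
    print(choose_backend(build_client_hello("daas.TenantA.com")))
```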