medvmwadm
Enthusiast

Best practice with UAG HA for internal VDI access

Hello:

I am working on a project where we are implementing a new Horizon environment.  Right now I'm focusing on the internal connection servers and if they can be highly available with just UAG appliances in front of them, without a 3rd party load balancer involved.  It appears that the answer to this is no, as the UAG documentation I've been looking at says to put a 3rd party load balancer between the UAGs and in front of the connection servers.  Plus, in the Horizon configuration of the UAGs, it only has one entry for the connection server (or one VIP for the 3rd party load balancer).

My main question is, if we did try to use the HA feature of the UAGs, and each UAG is pointed at its own connection server so that there's no 3rd party load balancer involved, if a connection server goes down what will happen?  Is the UAG smart enough to fail over to the UAG that is still pointed at a working connection server?  I'm guessing the answer to this is also no, but I would like to confirm, if anybody knows.

Thanks in advance!

Chris

cbaptiste
Hot Shot

My main question is, if we did try to use the HA feature of the UAGs, and each UAG is pointed at its own connection server so that there's no 3rd party load balancer involved, if a connection server goes down what will happen? 

Two things. 1) Don't do that. I highly doubt VMware would support it because this is not their best practice for Horizon View. But I am sure you knew that already. 2) To answer your question, any connections to that connection server or access points connected to it would be dropped. However, the users would be able to retrieve the sessions by reconnecting if the brokers are configured as a POD.

Is the UAG smart enough to fail over to the UAG that is still pointed at a working connection server?

Theoretically speaking no. It would not be automatic. The user will have to reconnect but again the comment I made above holds true. If it is a POD the users can retrieve their sessions from another connection broker and pick up their work on their desktops where they left off.

If you don't have a load balancer, just leverage NSX. Speak with your VMware resources and see if you can acquire that. I do not know much about NSX but I do know it is capable of doing load balancing.

medvmwadm
Enthusiast

Hello and thanks for the reply.  We do have a load balancer (F5) available, but our goal is to try and keep the infrastructure on all VMware platforms if possible and avoid the use of 3rd party products in the mix.  In the scenario provided in the UAG documentation, they mention to use a 3rd party load balancer in front of the Connection Servers, and point each UAG at the VIP of the load balancer, to get around the issue of one Connection Server going down. I was just hoping that the HA feature of the UAG could get around this but I'm not seeing that to be the case.

I have one more question then that is somewhat related. If we use two UAGs in our DMZ configured with UAG HA, can we then point the external connections at the VIP of the UAGs (and avoid a 3rd party load balancer there as well?).  I was told by a VMware engineer that this is OK to do, but I am looking for additional feedback.  Again, our goal is not to have load balancing but just HA (we are well under the 10,000 connection limit per node).

Thanks again in advance.

Chris

cbaptiste
Hot Shot

Hello and thanks for the reply.  We do have a load balancer (F5) available, but our goal is to try and keep the infrastructure on all VMware platforms if possible and avoid the use of 3rd party products in the mix.  In the scenario provided in the UAG documentation, they mention to use a 3rd party load balancer in front of the Connection Servers, and point each UAG at the VIP of the load balancer, to get around the issue of one Connection Server going down. I was just hoping that the HA feature of the UAG could get around this but I'm not seeing that to be the case.

NSX is a VMware product, so that would solve your issue of not using third party software/hardware, even though VMware itself is 3rd party since it does not belong to your organization, but I understand what you are saying. You want to be more centered on a specific vendor.

I have one more question then that is somewhat related. If we use two UAGs in our DMZ configured with UAG HA, can we then point the external connections at the VIP of the UAGs (and avoid a 3rd party load balancer there as well?).  I was told by a VMware engineer that this is OK to do, but I am looking for additional feedback.  Again, our goal is not to have load balancing but just HA (we are well under the 10,000 connection limit per node).

If you plan on having connection brokers on your DMZ, why do you need UAGs? You can have both but it seems to defeat the purpose. You use connection servers on your LAN network and UAGs on your DMZ. You then configure your UAGs to route connections to your connection servers. Again, yes you can, but unless you have a specific use case as to why you wish to do that, I would highly advise against it. Lastly, you do not use connection servers in DMZ. Use security servers.

medvmwadm
Enthusiast

If you plan on having connection brokers on your DMZ, why do you need UAGs? You can have both but it seems to defeat the purpose. You use connection servers on your LAN network and UAGs on your DMZ. You then configure your UAGs to route connections to your connection servers. Again, yes you can, but unless you have a specific use case as to why you wish to do that, I would highly advise against it. Lastly, you do not use connection servers in DMZ. Use security servers.

Just to clarify, I meant we would be deploying two UAGs in the DMZ and that is it there.  We would then have the two Connection Servers on the internal network.  So my question was, for the two UAGs in the DMZ, is it OK to use the HA feature of the UAG there (with its own VIP), and point external connections at that VIP and not have a 3rd party load balancer in the DMZ.  Then... we would put the load balancer just in front of the two Connection Servers on the internal network.  Basically then we would only be using the 3rd party load balancer in one place.

Thank you!

cbaptiste
Hot Shot

Ah ok. Yeah that would work.
