KFM
Enthusiast

UAG Load Balancing using HAProxy

Hi community, this problem has been bugging me for a while now so I figured I'd reach out to the community and hopefully get this thing working! Bear with me, this is a long one....

I work for a service provider and want to build out a scalable UAG-pair-per-tenant design behind a pair of HAProxy load-balancers for external (i.e. over the Internet) access. Note that we are using the Horizon DaaS product, not the Horizon View product. Apart from the difference in name, I believe the UAG functions identically in both environments.

My final solution would be two pfSense (community edition) firewalls with the HAProxy package installed on both to provide HA and load-balancing functionality to the tenant UAGs behind them. As we onboard more tenants, I would add another pair of UAGs for each. HAProxy will selectively pick which UAG is required for the incoming connection based on SNI. For example:

  • TenantA - external URL: daas.tenanta.com
  • TenantB - external URL: daas.tenantb.com
  • and so on....

Connections arriving at daas.tenanta.com will be directed to a UAG pair for tenantA. Connections arriving at daas.tenantb.com will be directed to a UAG pair for tenantB. And so on and so forth.

As this is my first attempt at building out a HAProxy solution, I've decided to keep it simple and use just one pfSense/HAProxy load-balancer, one UAG and one tenant. This is what I have now:

  • Single pfSense firewall with HAProxy package installed
  • Single UAG (10.0.0.5) for tenantA
  • external URL daas.tenanta.com with public IP address (1.1.1.1)
  • One internal-facing VIP (10.0.0.1) which acts as the gateway for the UAG
  • Firewall does 1:1 NAT from daas.tenanta.com to VIP (i.e. 1.1.1.1 -> 10.0.0.1)
  • Firewall rules allowing any -> VIP for ports 443, 8443 and 4172.
  • UAG is configured using the apsetup.sh script. It configures the following settings:
    • proxyDestinationURL: https://tenant_appliance_ip
    • pcoipExternalUrl: 1.1.1.1:4172
    • blastExternalUrl: daas.tenanta.com:8443
    • tunnelExternalUrl: daas.tenanta.com:443
  • UAG gateway is the VIP (10.0.0.1)
  • HAProxy configuration:
    • One frontend for ports 443, 8443, 4172
    • Three backends for ports 443, 8443 and 4172 all with tenantA UAG as backend server
      • I've also tried one backend for just port 443 with tenantA UAG as backend server as this seems to work for Blast connections via browser
    • Frontend acl uses SNI for daas.tenanta.com to send to tenantA UAG backend

In this given configuration, I've observed the following:

  • Browser access to both the user portal (daas.tenanta.com) and admin portal (daas.tenanta.com/admin) work fine
  • Initiating a Blast connection to the desktop via the browser works fine.
  • Using the Horizon Client, I can authenticate successfully but then get the "could not establish tunnel connection" error message. This is what I ultimately need to get working!

Some things I'm not sure about:

  • Should I be using layer 4 (tcp) or layer 7 (ssl/https) load balancing?
  • Should I have multiple backends, one for each port?
  • I really want to use source IP affinity as per Load Balancing across VMware Unified Access Gateway Appliances as I think HAProxy can see the client IP address. (i.e. in the HAProxy logs I can see the client IP address.) I don't really want to go with the other two methods if I can help it.
  • Why does Blast via a browser work when I just have one backend listening on 443? When I do a netstat on my client I can see an active connection to 1.1.1.1:8443.

Some things I've tried:

  • Note that when I revert the solution to just a plain firewall bypassing the load-balancer, everything (browser and Horizon Client) works fine, i.e. traditional port-forwarding/NAPT to the UAG with FW ACLs allowing any -> UAG:443,8443,4172.
  • I've also used a second tenant to test the SNI ACL and that seems to work fine too, i.e. I can use Blast via browser to both daas.tenanta.com and daas.tenantb.com.
  • Collected debug logs on Horizon View client
  • Analysed debug logs on tenant appliance
  • Analysed UAG logs
  • In the above three log collections, I saw nothing obvious to my untrained eyes

I'm really at my wits' end here, so any help would be much appreciated!

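An added example (not the poster's configuration, and not the file the pfSense package generates) of the layer-4, SNI-routed layout the post describes: three TCP-mode frontends on the VIP, per-tenant backends, and one source-IP stick table shared across the 443, 8443 and 4172 backends so a client's tunnel, Blast and PCoIP connections all pin to the same UAG. Addresses are the ones from the post; the second UAG (10.0.0.6), the explicit server ids and the timeouts are assumptions.

```haproxy
# Assumed lab values: VIP 10.0.0.1, tenantA UAGs 10.0.0.5 and 10.0.0.6.
defaults
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30m   # Horizon tunnel/Blast sessions are long-lived
    timeout server  30m

# Layer 4 pass-through: TLS is NOT terminated here. HAProxy only waits for
# the ClientHello and reads the SNI, so the UAG's own certificate is what
# the client validates, exactly as when the firewall port-forwards directly.
frontend fe_tunnel_443
    bind 10.0.0.1:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_tenanta_443 if { req.ssl_sni -i daas.tenanta.com }
    # use_backend be_tenantb_443 if { req.ssl_sni -i daas.tenantb.com }

# Blast secondary channel: the client opens this after authenticating on
# 443, so it must reach the SAME UAG; same SNI rule, same stick table.
frontend fe_blast_8443
    bind 10.0.0.1:8443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_tenanta_8443 if { req.ssl_sni -i daas.tenanta.com }

# PCoIP has no TLS ClientHello, so there is no SNI to match on; the VIP
# and port alone select the tenant. HAProxy proxies only the TCP side of
# 4172; UDP 4172 must be handled by the firewall/NAT path.
frontend fe_pcoip_4172
    bind 10.0.0.1:4172
    default_backend be_tenanta_4172

# Stick table keyed on client source IP, owned by the 443 backend and
# referenced by the others. Server ids are set explicitly because a shared
# table stores the server id, so they must match across backends.
backend be_tenanta_443
    stick-table type ip size 10k expire 60m
    stick on src
    server uag1 10.0.0.5:443 id 1 check
    server uag2 10.0.0.6:443 id 2 check

backend be_tenanta_8443
    stick on src table be_tenanta_443
    server uag1 10.0.0.5:8443 id 1 check
    server uag2 10.0.0.6:8443 id 2 check

backend be_tenanta_4172
    stick on src table be_tenanta_443
    server uag1 10.0.0.5:4172 id 1 check
    server uag2 10.0.0.6:4172 id 2 check
```

Because stickiness is keyed on the client IP that HAProxy sees, it only works if clients reach the VIP with their real source address (as the post's HAProxy logs indicate), not via a NAT that collapses many clients onto one IP.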