VMWARE VIEW health monitor SG/Connection broker mapping

We have F5 Big IP 3600 LTM running version 11.1 HF2


The F5 currently is acting as a front-end for the VMWare security servers which do the authentication. Let’s say 2 physical servers per VIP. A client connects to the VIP (and a security server) and then the security server authenticates the client and pushes them to a Connection Broker (also 2 of them), with a 1:1 mapping: a security server interacts only with its assigned connection broker.

So the problem we’re having is that the node in F5 is still marked up (box and services are responding) even when its paired connection broker is down. Would it be possible to configure a health monitor on the F5 to monitor a node other than the ones that it’s assigned to use in the load balancing pool?

Quick mock-up of our setup…

(there’s 3 VIPs for each IP… tcp/443, udp/4172 and tcp/4172)

VIP: 10.2.1.101
VS: view.example.com_sslvpn_tcp_443
                VMView_sslvpn_pool
                                Nodes
                                                172.26.15.20:0
                                                172.26.15.31:0
                                Health Monitors
                                                tcp/443
                                                tcp/4172
                                                udp/4172

172.26.15.20 is “paired” with connection broker 10.26.15.20
likewise for .31


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Testing the View Servers
One of the best methods to test and make sure the servers are working is to run the following command from a client machine.

echo -en "GET /view/ HTTP/1.1\r\nHost: example.server.com\r\nConnection: Close\r\n\r\n" | nc 10.133.84.120 80

Success will return the following:
HTTP/1.1 200 OK
cache-control: no-cache
Content-Length: 1268
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=16692AA68187DB39E1D5B69F3CBFCD6E; Path=/
Content-Type: text/html;charset=UTF-8
pragma: no-cache
Connection: close
Vary: Accept-Encoding




VMware View Portal

If you are testing against HTTPS (443) servers it’s best to use openssl like this.

openssl s_client -crlf -connect 10.133.84.52:443

Success will return something like this:
CONNECTED(00000003)
depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
i:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
---
 
Once you get this you’ll use the same string we used before.
GET / HTTP/1.1\r\nHost: view.view.tc.f5net.com\r\nConnection: Close\r\n\r\n

Success will return something like this:
HTTP/1.1 200 OK
cache-control: no-cache
Content-Length: 1268
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=36941E985BCD22421591BD52FA6CA0BC; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
pragma: no-cache

VMware View Portal
In the end your monitor would look like this:

GET /view/ HTTP/1.1\r\nHost: HOSTFQDN\r\nConnection: Close\r\n\r\n

and you would expect a response string of

VMware View Portal
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In VMware View 5.1 the receive string for the HTTPS Monitor needs to be updated to "VMware.*View Portal" (without the quote marks). This string will work for versions 4.6-5.1.

We had to add the regex .* between VMware and View because the version 5.1 success page title changed to VMwareView Portal.

This receive string will test to make sure that both the security server and the paired connection server are up and functioning. If either of them is not functioning then the monitor will fail.

Paul
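
The send string and the two receive strings from the answers above, replayed from a client shell as an added example (not part of the original posts or of F5's own tooling). The sample pages, their `<title>` markup and the 503 failure response are constructed assumptions, and `probe_https` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): replay the monitor's send/receive logic.
RECV_OLD='VMware View Portal'     # receive string from the first answer
RECV_NEW='VMware.*View Portal'    # receive string from the second answer

# Emit the send string with real CRLFs. $1 = Host header (HOSTFQDN).
send_string() {
  printf 'GET /view/ HTTP/1.1\r\nHost: %s\r\nConnection: Close\r\n\r\n' "$1"
}

# Exit 0 if the response on stdin matches receive string $1 (grep -E, per line).
recv_matches() {
  grep -Eq -- "$1"
}

# Print "up" or "down" for response text $1 judged against receive string $2.
check() {
  if printf '%s\n' "$1" | recv_matches "$2"; then echo up; else echo down; fi
}

# Hypothetical live probe: $1 = ip:port, $2 = HOSTFQDN, $3 = receive string.
# -quiet implies -ign_eof, so s_client waits for the server to close.
# The certificate is not validated here, as in the manual openssl test.
probe_https() {
  send_string "$2" | openssl s_client -quiet -connect "$1" 2>/dev/null |
    recv_matches "$3"
}

# Constructed sample responses; markup and the 503 page are assumptions.
PAGE_PRE51='HTTP/1.1 200 OK

<title>VMware View Portal</title>'
PAGE_51='HTTP/1.1 200 OK

<title>VMwareView Portal</title>'
PAGE_ERR='HTTP/1.1 503 Service Unavailable

<title>Error</title>'

# Show how each receive string judges each sample page.
for recv in "$RECV_OLD" "$RECV_NEW"; do
  echo "recv='$recv': pre-5.1=$(check "$PAGE_PRE51" "$recv")" \
       "5.1=$(check "$PAGE_51" "$recv") error=$(check "$PAGE_ERR" "$recv")"
done
```

With the older receive string a healthy 5.1 page is judged down, which is the false failure the regex form avoids.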