Forum Discussion

Roostermiester_
Jan 16, 2014

Setting up View 5.3 with iApp f5.vmware_view.v1.0.0rc6 - documentation vs. reality, USB-R issues

 

I am trying to setup Horizon View through the F5 with the following environment:

 

  • Horizon View 5.3
  • F5 LTM v.11.2.1
  • View iApp f5.vmware_view.v1.0.0rc6 (admittedly this version doesn't officially support View 5.3, but since VMware's own links to 5.3 refer to the 5.2 documentation, it seems a safe bet that it should work)
  • 2 internal only connection servers on internal network
  • 2 external only connection servers on internal network
  • 2 security servers in DMZ connected to the above 2 external only connection servers
  • Wildcard certs on all servers and used on the F5 VSs

The security servers work flawlessly when connecting to them directly (assuming correct View settings) from an external client

 

I was able to set up the internal connection servers without issue using the iApp, so my problem has been the security server -> external connection server setup. Despite some forum comments that the iApp will work to set up a security server/connection server environment, I found this to be misleading (if not incorrect), as well as the documentation having holes in regards to this configuration.

 

Documentation (deployment guide for this iApp version) - while it does show on page 5 that LTM supports using security servers, the traffic flow and description is misleading since all traffic from outside the firewall is directed through the Security server and never around it. There is no option to select a security server setup in the iApp itself and when using it to create the service, it simply doesn't work. This is backed up by the document's own manual configuration definitions (which are not 100% accurate either) on page 59, which is nothing like what is created when using the iApp.

The configuration guidance for using security servers states that it requires 3 virtual servers. This does not seem to be true. USB Redirection is encapsulated in SSL from the external client to the security server and does not require a separate VS. Not to mention that the security server does not keep port 32111 open, so the health monitor they say to create will never work. Additionally, VMware's own documentation for required firewall ports states that source port 32111 from the security servers should be open to destination port 4172 on the View desktop. In my own testing this FW rule did not work and I changed it to source: any, destination: 32111, which resolved USB-R functionality. Also, nowhere do VMware's docs list a requirement for port 32111 to be open to the security server from the View client.

One other note, on page 60 in the guide, the first VS (TCP) for the Default Pool setting says: "Select the pool you created above". It should be specific about which pool. It's the UDP pool since it's using port 4172, but that should be named something more generic since it's for both the UDP and TCP VS.

 

Note: To complete the configuration you will also want to add a https redirect VS for the security server VIP and a VS for BLAST.

 

The issue I am now having is regarding USB Redirection through the F5.

 

Backtrack.... It seems there are 2 viable options to setup LB with the security servers: 1. LB both https and pcoip traffic, 2. LB only https. I have tested both options with these results regarding USB-R:

 

  1. LB both https and pcoip - in this option the security servers are setup with the following View options: HTTPS Secure Tunnel: the URL that corresponds to the external IP that is NAT'd to the F5 VIP, PCoIP Secure Gateway = the external IP of the VIP, Blast Secure Gateway = the URL that corresponds to the external IP (same as HTTPS Secure Tunnel). With this setup all client traffic is passed through the F5. When using this method, the USB-R functionality is available, however it is EXTREMELY SLOOOOWWWWW.

     

  2. LB only https - using this option, the security servers are set up with the following View options: HTTPS Secure Tunnel = the URL that corresponds to the external IP (NAT'd to the F5 VIP), PCoIP Secure Gateway = the security server's external IP (which is NAT'd on the FW), Blast Secure Gateway = the security server's URL that corresponds to its external IP. With this setup the client contacts the VS, gets load balanced to one of the security servers which then respond with their own Secure Gateway settings and the sessions commence, one https session on the F5 and the remaining sessions directly to the security server. When using this method USB-R behaves as expected.

     

So, obviously I could just be satisfied with sticking to option 2. However, I am unclear whether or not I may gain any advantage with having PCoIP routed through the F5. If there are some WAN profile enhancements available via LTM, I'd like to take advantage of them and resolve the USB-R slowness. If not, then I guess I'm done and will stick with option 2.

 

This has been a bit of a rambling post, but I wanted to share some of my findings in setting this up as well as the issue with USB-R.
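The post above reports that several of the documented ports (notably 32111 on the security server) are not actually listening, which silently breaks an LTM health monitor built on them. The following bash script is an added example, not part of the original post and not F5 or VMware code: it probes the TCP ports named in the thread on each security server using bash's /dev/tcp redirection, so the listener and firewall assumptions can be checked from the F5 self-IP network or a client before a monitor is configured. The host list defaults to 127.0.0.1 so the script runs stand-alone; the 192.0.2.x addresses in the comment are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: verify which of the ports discussed in the thread accept a TCP
# connection on each View security server. Requires bash (for /dev/tcp) and the
# coreutils 'timeout' command. Not part of the original post.

# probe_tcp HOST PORT [TIMEOUT_SECONDS] -> prints "open" or "closed".
# The redirection opens a TCP socket on fd 3; bash exits non-zero if it fails.
probe_tcp() {
  host="$1"; port="$2"; tmo="${3:-3}"
  if timeout "$tmo" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# Ports named in the thread. 4172 is probed on the TCP side only: 4172/udp
# carries PCoIP media and cannot be verified with a bare connect. The post
# reports that 32111 (USB redirection) is NOT listening on the security server,
# which is why a TCP monitor on it would mark the pool member down.
PORTS="443 4172 8443 32111"

# Constructed placeholder list (e.g. "192.0.2.10 192.0.2.11" for the two DMZ
# security servers). Defaults to localhost so the script runs stand-alone.
SECURITY_SERVERS="${SECURITY_SERVERS:-127.0.0.1}"

# report_matrix -> one line per host/port: "<host> <port> <open|closed>"
report_matrix() {
  for h in $SECURITY_SERVERS; do
    for p in $PORTS; do
      printf '%s %s %s\n' "$h" "$p" "$(probe_tcp "$h" "$p" 2)"
    done
  done
}

report_matrix
```

Run it as `SECURITY_SERVERS="10.0.0.5 10.0.0.6" bash probe_view_ports.sh` (file name is arbitrary). Any port reported closed should not be used as a TCP health monitor target in LTM; for 4172/udp and for the PCoIP application behaviour itself, only an actual client session confirms the path.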

 

7 Replies

  • After some more testing and digging on the USB-R issue, I did find this article, which indicates performance issues with FAT32 formatted USB flash drives, which of course, is what I was using to test. I will test some more with FAT and NTFS formatted drives.

     

    To comment on the above, why would you even think about doing option 2 and bypass the security servers altogether from an untrusted network for PCoIP sessions? You'd have to open up 6 ports from the internet to your View VM network vs. just 2 to the security servers that live in the DMZ. What's the point of using the security server to proxy only https and not PCoIP? Seems like more holes in the firewall = more security exploitation opportunities for bad guys.

     

    Any comments on whether or not routing PCoIP through the F5 has any performance gains?

     

  • Greg_Crosby_319
    Historic F5 Account

    Good to see you found the potential issue, did reformatting the thumb drive to FAT or NTFS resolve your USB redirect latency?

     

    LTM only implementation does not offer a full proxy PCoIP solution like when using APM+LTM, however, LTM offers generic TCP and UDP optimizations.

     

    Option 2, in some cases, is used in conjunction with a separate APM deployment, where APM handles encrypting PCoIP from the client to the VDI (via SSL VPN).

     

  • Is it possible to use the native proxy function without View security server for USB redirecting? I tried that but USB redirect does not work. PCoIP connection works, but for USB devices I get the message "desktop initializing..."

     

    Any idea?

     

  • Greg_Crosby_319
    Historic F5 Account

    Hi Florian,

     

    Currently USB redirecting is not supported while using APM's native PCoIP proxy function, however, it will be supported in a future hotfix (Date TBD - looks like late February, early March time frame).

     

    • Jim_Bill_164032
      Agreed - we're anxiously awaiting this feature. Any idea as to status? Was there a bug id or kb associated?