Setting up View 5.3 with iApp f5.vmware_view.v1.0.0rc6 - documentation vs. reality, USB-R issues
I am trying to set up Horizon View through the F5 with the following environment:
- Horizon View 5.3
- F5 LTM v.11.2.1
- View iApp f5.vmware_view.v1.0.0rc6 (admittedly this version doesn't officially support View 5.3, but since VMware's own links to 5.3 refer to the 5.2 documentation, it seems a safe bet that it should work)
- 2 internal only connection servers on internal network
- 2 external only connection servers on internal network
- 2 security servers in DMZ connected to the above 2 external only connection servers
- Wildcard certs on all servers and used on the F5 VSs
The security servers work flawlessly when connecting to them directly (assuming correct View settings) from an external client.

I was able to set up the internal connection servers without issue using the iApp, so my problem has been the security server -> external connection server setup. Despite some forum comments that the iApp will work to set up a security server/connection server environment, I found this to be misleading (if not incorrect), as well as the documentation having holes in regards to this configuration.

Documentation (deployment guide for this iApp version) - while it does show on page 5 that LTM supports using security servers, the traffic flow and description are misleading since all traffic from outside the firewall is directed through the Security server and never around it. There is no option to select a security server setup in the iApp itself, and when using it to create the service, it simply doesn't work. This is backed up by the document's own manual configuration definitions (which are not 100% accurate either) on page 59, which are nothing like what is created when using the iApp.

The configuration guidance for using security servers states that it requires 3 virtual servers. This does not seem to be true. USB Redirection is encapsulated in SSL from the external client to the security server and does not require a separate VS. Not to mention that the security server does not keep port 32111 open, so the health monitor they say to create will never work.

Additionally, VMware's own documentation for required firewall ports states that source port 32111 from the security servers should be open to destination port 4172 on the View desktop. In my own testing this FW rule did not work and I changed it to source: any, destination: 32111, which resolved USB-R functionality. Also, nowhere do VMware's docs list a requirement for port 32111 to be open to the security server from the View client.

One other note: on page 60 in the guide, the first VS (TCP) for the Default Pool setting says: "Select the pool you created above". It should be specific about which pool. It's the UDP pool since it's using port 4172, but that should be named something more generic since it's for both the UDP and TCP VS.
Note: To complete the configuration you will also want to add a https redirect VS for the security server VIP and a VS for BLAST.
The issue I am now having is regarding USB Redirection through the F5.
Backtrack.... It seems there are 2 viable options to set up LB with the security servers: 1. LB both https and pcoip, 2. LB only https. I have tested both options with these results regarding USB-R:
- LB both https and pcoip - in this option the security servers are set up with the following View options: HTTPS Secure Tunnel = the URL that corresponds to the external IP that is NAT'd to the F5 VIP, PCoIP Secure Gateway = the external IP of the VIP, Blast Secure Gateway = the URL that corresponds to the external IP (same as HTTPS Secure Tunnel). With this setup all client traffic is passed through the F5. When using this method, the USB-R functionality is available, however it is EXTREMELY SLOOOOWWWWW.
- LB only https - using this option, the security servers are set up with the following View options: HTTPS Secure Tunnel = the URL that corresponds to the external IP (NAT'd to the F5 VIP), PCoIP Secure Gateway = the security server's external IP (which is NAT'd on the FW), Blast Secure Gateway = the security server's URL that corresponds to its external IP. With this setup the client contacts the VS, gets load balanced to one of the security servers, which then responds with its own Secure Gateway settings, and the sessions commence: one https session on the F5 and the remaining sessions directly to the security server. When using this method USB-R behaves as expected.
So, obviously I could just be satisfied with sticking to option 2. However, I am unclear whether or not I may gain any advantage with having PCoIP routed through the F5. If there are some WAN profile enhancements available via LTM, I'd like to take advantage of them and resolve the USB-R slowness. If not, then I guess I'm done and will stick with option 2.
This has been a bit of a rambling post, but I wanted to share some of my findings in setting this up, as well as the issue with USB-R.