Tag Archives: horizon

Load balancing Horizon View security servers

This question comes up quite often in the forums, and since VMware's documentation is lacking in my opinion, I decided to give a brief explanation of how to do it.

What I will describe here is the use of a load balancer with a group (2 or more) of security servers behind it (it can be implemented the same way for connection servers). I assume all servers are installed and paired with connection servers.

So here goes. First we need to understand how Horizon network flows work. When a user connects, he first creates a session to one of the security servers, where he authenticates (AD, RSA, smart card). If he authenticates, another session is established between the user and the security server. Understanding this is crucial because the whole process is based on it.

So let's break down the network flow a bit. First, the load balancer should load balance just HTTPS, because it load balances just the authentication process (there is no load balancing of PCoIP / RDP / Blast). So a user connects to the FQDN of the load balancer (done over HTTPS). The load balancer will direct the connection to one of the security servers for the authentication process. If the user is authenticated, the security server will send the client the FQDN for the second session (for this example let's say PCoIP); the FQDN should be configured in the security server's configuration in the administrator's page. Then the user connects directly to the security server based on that FQDN.

That means a couple of things:

1. The sessions themselves are never load balanced. They do not go through the load balancer.

2. Each security server will have different FQDNs configured in the administrator's page.

3. The security servers must have firewall rules allowing access from the internet, and a real public IP.

Let's say the load balancer address is lb.view.com, and we have 2 security servers, ss1.view.com and ss2.view.com.

The ss1.view.com server configuration in the administrator’s page will be:

RDP: https://ss1.view.com

PCoIP: 80.80.80.80

Blast: https://ss1.view.com:8443

The ss2.view.com configuration will be similar but with its own FQDN and public IP.

Hope I made it a little bit clearer.
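The rules above can be checked mechanically before go-live. The following is an added example, not part of the original post or any VMware tooling: it validates per-server external settings against the three points listed. The ss1 values come from the post; the ss2 values, the dictionary layout and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

LB_FQDN = "lb.view.com"  # load balancer name used in the post

# ss1 values are from the post; ss2 values are constructed for illustration.
SERVERS = {
    "ss1.view.com": {"rdp": "https://ss1.view.com", "pcoip": "80.80.80.80",
                     "blast": "https://ss1.view.com:8443"},
    "ss2.view.com": {"rdp": "https://ss2.view.com", "pcoip": "80.80.80.81",
                     "blast": "https://ss2.view.com:8443"},
}


def host_of(value):
    """Return the lowercase host part of a URL or of a bare host/IP."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def check_servers(servers, lb_fqdn):
    """Return a list of (server, setting, problem) findings."""
    findings = []
    seen = {}  # (setting, value) -> first server that used it
    for name, cfg in servers.items():
        for setting, value in cfg.items():
            host = host_of(value)
            # Secondary sessions must bypass the load balancer.
            if host == lb_fqdn.lower():
                findings.append((name, setting, "points at the load balancer"))
            # Each security server needs its own external addresses.
            key = (setting, value.lower())
            if key in seen:
                findings.append((name, setting, f"same value as {seen[key]}"))
            else:
                seen[key] = name
            if setting == "pcoip":
                # The post gives PCoIP as a real public IP, not a name.
                try:
                    if not ip_address(host).is_global:
                        findings.append((name, setting, "not a public IP"))
                except ValueError:
                    findings.append((name, setting, "not an IP address"))
            elif urlsplit(value).scheme != "https":
                findings.append((name, setting, "not an https URL"))
    return findings
```

An empty list means every security server advertises its own reachable addresses and nothing sends the secondary session back through the load balancer.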


VMware view and RSA integration

I have been using VMware View for several years now, but this is the first time that I had the opportunity to integrate it with RSA Authentication Manager.

The documentation is very limited, and you would expect it to just work with 2 clicks of a button. It seems that it does not for RSA version 8 and up: the administrator page does not support its sdconf.rec file.

But there is a KB that explains what needs to be done to work around that.

This is not enough: that process just uploads the file to the connection server. You still have to go to the GUI administrator page and enable two-factor authentication with RSA SecurID.

And it's pretty cool; you have it integrated into the Horizon client nicely.
