Load balancing Horizon View security servers

This question comes up quite often in the forums, and since VMware’s documentation is lacking in my opinion, I decided to give a brief explanation of how to do it.

What I will describe here is the use of a load balancer with a group (2 or more) of security servers behind it (it can be implemented the same way for connection servers). I assume all servers are installed and paired with connection servers.

So here goes. First we need to understand how Horizon network flows work. When a user connects, he first creates a session to one of the security servers, where he authenticates (AD, RSA, smart card). If he authenticates, another session is established between the user and the security server. Understanding this is crucial because the whole process is based on it.

So let's break the network flow down a bit. First, the load balancer should load balance just HTTPS, because it load balances just the authentication process (there is no load balancing of PCoIP / RDP / Blast). So a user connects to the FQDN of the load balancer (done over HTTPS). The load balancer will direct the connection to one of the security servers for the authentication process. If the user is authenticated, the security server will send the client the FQDN for the second session (for the example, let's say PCoIP). That FQDN should be configured in the security server’s configuration in the administrator’s page. Then the user connects directly to the security server based on that FQDN.

That means a couple of things:

1. The sessions themselves are never load balanced. They do not go through the load balancer.

2. Each security server will have different FQDNs configured in the administrator’s page.

3. The security servers must have FW rules allowing access from the internet, and a real public IP.

Let's say the load balancer address is lb.view.com, and we have 2 security servers, ss1.view.com and ss2.view.com.

The ss1.view.com server configuration in the administrator’s page will be:

RDP: https://ss1.view.com


blast: https://ss1.view.com:8443

The ss2.view.com configuration will be similar, but with its own FQDN and public IP.
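As an added example (not from the original post or from VMware), this sketch checks an inventory of external URLs against the flow described above: none may point at lb.view.com, each must name its own security server, and the result lists the endpoints that clients reach directly and that the firewall therefore has to allow. The inventory layout, the `audit` function and the public IP values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LB_FQDN = "lb.view.com"  # load balancer name from the post's example

# Constructed inventory. The labels ("RDP", "blast") follow the post; the
# public_ip values are made-up documentation addresses (203.0.113.0/24).
SERVERS = {
    "ss1.view.com": {
        "public_ip": "203.0.113.11",
        "urls": {"RDP": "https://ss1.view.com", "blast": "https://ss1.view.com:8443"},
    },
    "ss2.view.com": {
        "public_ip": "203.0.113.12",
        "urls": {"RDP": "https://ss2.view.com", "blast": "https://ss2.view.com:8443"},
    },
}


def audit(servers, lb_fqdn=LB_FQDN):
    """Return (findings, endpoints).

    findings:  external URLs that would send the second session to the wrong place.
    endpoints: sorted (host, port) pairs that clients connect to directly.
    """
    findings, endpoints = [], set()
    for fqdn, cfg in servers.items():
        own = {fqdn.lower(), cfg["public_ip"]}  # names this server may advertise
        for label, url in cfg["urls"].items():
            try:
                parts = urlsplit(url)
                host, port = (parts.hostname or "").lower(), parts.port or 443
            except ValueError:  # malformed host or port
                findings.append(f"{fqdn} {label}: unparsable URL {url!r}")
                continue
            if host == lb_fqdn.lower():
                findings.append(f"{fqdn} {label}: points at the load balancer, "
                                "which only handles the authentication step")
            elif host not in own:
                findings.append(f"{fqdn} {label}: {host or url!r} is not this server")
            else:
                endpoints.add((host, port))
    return findings, sorted(endpoints)


if __name__ == "__main__":
    problems, direct = audit(SERVERS)
    print("findings:", problems or "none")
    print("direct endpoints:", direct)
```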

Hope I made it a little bit clear.