Horizon Workspace 1.0 Using F5 for Load Balancing

Publish in

Documents

176 views

Please download to get full document.

View again

of 15
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Share
Description
...
Tags
Transcript
  Introduction This paper details the setup of F5 BIG IP 11.3 with Horizon Workspace 1.0 to load balancegateway-VAs for internal and external access. Objective When setting up Horizon Workspace 1.0 for production usage a typical requirement is to haveservice level reduncancy for the different virtual appliances that makes up Horizon Workspace.This setup requires load balancers in front of the Gateway Virtual Appliance(s).If the Horizon Workspace will be used externally a Load Balancer also needs to be placed inthe DMZ. It is not supported to place Gateway VA(s) the DMZ. Solution F5 offers load balancing solutions that covers the criterias above which means they can coverthe load balancing requirements for multiple gateway-VAs and external access to HorizonWorkspace by placing F5 in the DMZ and routing those requests to the internal gateway-VAs.Below a brief solutions overview with a description of the flow.1. A user goes to the Horizon Workspace URL - Which points to the F5 LTM VIP - SSL(HTTPS 433) traffic terminates at the F5 LTM.2. If accessing the Horizon Workspace URL externally an iRule denies access to the adminpart of Horizon Workspace ( Optional )3. F5 LTM continues to use SSL (HTTPS 443) against Horizon Workspace gateway-va(s)4. X-Forwarded-For header is inserted with the requesting clients IP address5. The users request is taken to an available gateway-va. This validation is based on asuccessful HTTPS header response.  NOTE:  In the above diagram 2 F5 LTM appliances are pictured but they can be the samephysical/virtual appliance with 2 logical configurations. In such a setup the VIP for providingexternal access would typically be defined on the 'Public' VLAN and the VIP for internal accessto would be defined on the 'Private' VLAN.The F5 deployment scenario does not matter in the case of using it for providing externalaccess to Horizon Workspace meaning that both In-Line and One-Arm deployments wouldwork equilly well.  This document discusses the following:1. Configuration of F5 BIG IP 11.0 and Horizon Workspace 1.0 to support:Load balancing gateway-VAs2. Using proper CA signed certificates (not self-signed supplied with Horizon Workspace)This tech-note assumes a requirement for using CA signed certificates and not the self-signedcertificates by Horizon Workspace.The Horizon Workspace FQDN (Namespace) cannot be changed post installation. The nameinitially specified during deployment has to be used. If this needs changing the HorizonWorkspace vApp needs to be re-deployed.If providing external access to Horizon Workspace the FQDN needs to be the same bothinternally and externally. Eg. workspace.company.com NOTE:  This tech-note does not cover installation or deployment of any F5 BIG IP products.For F5 BIG IP deployment and configuration options please refer to the BIG-IP LTM / VE11.3.0 Documentation Pre-reqs All pre-reqs to meet a successfull Horizon Workspace deployment (Installing HorizonWorkspace 1.0)F5 BIG IP 11.3 setup to integrate with your existing environmentCertificates to be used with the Horizon Workspace deploymentAdmin access to F5 BIG IP 11.3 used for the deploymentDNS A and PTR records pointing to the Horizon Workspace FQDN URL - The VIPconfigured on the F5 LTM Import certificates on F5 BIG IP This guides assumes the usage of a proper CA signed certificate that matches the FQDN ofthe Horizon Workspace URL eg. workspace.company.com including the full certificate chain(root, subordinate, issuing etc.) imported on the F5 BIG IP 11.3 as well.Just as would be required for Horizon Workspace the following is needed:Certificate to match Horizon Workspace URL / FQDNIncluding Private KeyRoot, and/or any issuing/subordinate certificate to build full trust chain  Go to System ›› File Management : SSL Certificate List ›› Import SSL Certificates and Keysand click Import Here you have the options for importing your certificate, private key and certificate chain.Everything can be imported as PKCS12 if such a keystore is available containing all requiredcertificates and private keys. If this is not available import the required certificates, keys andCA certificates individually. Create Client SSL profile Go to Local Traffic ›› Profiles : SSL : Client and click Create .Chose Advanced and click Custom to enable making changes.Type a name thats going to be associated with the Client SSL profile and chose the Certificate,Private Key and ChainScroll to the bottom and click Finished
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks