Load balancing VMware View connection servers with Citrix NetScaler is a great way to provide high availability within your internal network.
VMware view connection servers are your internal gateways to your virtual desktop or server based computing apps and desktops however at the moment they have a major drawback. There is no native load balancing which generally means a one to one relationship between connection server and VMware Horizon View client configurations.
The issue being if you have a number of connection servers staff could soon have their client resembling the below:
Load balancing is a great way to reduce the confusion for the staff and also to improve resiliency within the Horizon View environment.
Citrix bring extra to the party by allowing increased monitoring flexibility which is well over and above other technologies. I’ve blogged about load balancing VMware Horizon View before for external access which you can read HERE luckily though load balancing internal traffic is much simpler to configure as all we are interested in balancing is HTTPS 443 for the web traffic and 8443 for the blast HTML5 view traffic. The outline of the solution is depicted below.
PCOIP traffic which runs from ports 4172 TCP/UDP will circumvent the load balancer as its not necessary to load balance the actual virtual desktop traffic unless theres an overly complex firewall or corporate policy in place and is in fact the default configuration for VMware Horizon View connection servers during installation.
Now I have created a video on the procedure so if you want to have a look at how its done click by click HERE or read the post and watch the video at the bottom.
Before you make a start you will need to decide two key pieces of information.
What is the load balanced url going to be? In my instance i’m using view.vhorizon.local its important for DNS and for the SSL certificate creation process.
What is the load balanced IPV4 address going to be? In my instance its an address in the 192.168.122.x range.
The first step is to add the connection servers into your NetScaler traffic management configuration so login to your Citrix NetScaler administration console and navigate to Traffic Management/Load Balancing/Servers and click Add.
Enter the details of your first connection server and click Create, then repeat the process for the remaining servers. Once completed your connection servers should be listed as below.
SSL certificates must be imported into the NetScaler to offload SSL duties for the standard HTTPS authentication traffic. Now theres quite a few ways you can do this based upon whether you are creating the SSL certificate within the NetScaler itself or whether its coming from another external source and its format. The important thing to note is that the NetScaler REQUIRES the private key to be imported along with the certificate if its coming from an external source otherwise the certificate will not be allowed to be bound to a Virtual Server.
Please f0llow the guides below to give you an idea of the steps involved as unfortunately this blog post is lengthy enough and will not cover getting the certificate into the NetScaler however the video accompanying this post will go into some detail on the process.
Service Groups are utilised within NetScaler to bind together the servers entered above with ports and protocols that those servers utilise. Within a load balancing VMware Horizon View connection server environment we are only interested in the HTTPS 443 web page traffic for web and client authentication and 8443 Blast HTML5 display protocol so only two service groups are required.
Navigate to Traffic Management/Load Balancing.Service Groups and click Add.
Enter a friendly name for the service group which in this instance I’m creating the Service Group for HTTPS authentication traffic. Then select SSL from the Protocol drop down list and select continue.
Now we need to add the servers created previously to the service group so click Members from the right hand side which will add another row at the bottom of the configuration screen.
Click on the No Service Group Member area and on the next screen that pop’s up select the Server Based radio button.
Now click the Select Server drop down list and tick the servers we have added previously for use with the connection server load balancing and click OK.
Now enter the port number within the Port dialogue box which in this case is the standard 443 (with the blast protocol service group this should be change to 8443) and click Create.
Now we need to add a monitor into the service group which will be used to regularly check that the back end services are running. As this is a simple HTTPS Service Group we only need to use a standard HTTPS monitor. So again from the right hand menu click the monitors button which will add the option to the configuration window.
Click in the No Service Group to Monitor Binding bar which will take you too the monitor selection dialog and click the Click to select monitor option.
From the list select the HTTPS monitor radio button and click Add. Then Click Bind on the next screen which will take you back to the HTTPS Service Group main configuration page.
Finally for the HTTPS service group click the Certificates button on the right hand side to add to the configuration.
Now select the No Server Certificate to choose the recently imported SSL certificate from the Select Server Certificate wizard by selecting Click to Select.
Next select the certificate you have imported and click OK and then Continue.
Finally your HTTPS Service Group is complete, click Done at the bottom of the screen which will then add in the options you have just configured for the Service Group and take you back to the parent Service Group page.
Blast Protocol Service Group
Configuring the Blast Service Group is the same except you will need to use the SSL_BRIDGE option instead of SSL for most deployments at this time. The reason being is the version of TLS used by default by the Blast protocol authentication is not yet supported within the virtual appliance versions of NetScaler. I have heard that this is coming in Q2 of 2015 but for now SSL bridging is the way forward. Also as SSL_Bridging is not conditioning or inspecting the traffic in any way as it passes through you do not need to specify a SSL certificate within the service group or virtual server (discussed later). Full TLS support is provided with the physical MPX NetScaler appliances so in that instance a SSL Service Group with SSL certificate can be utilised.
In addition a different monitor should be used to ensure the availability of the blast protocol and even strangely enough an error state within the 8443 traffic is used as a successful monitor check. When you navigate to your view url on port 8443 (view.horizon.local:8443 in this example) you’ll get either a 404 error or a Missing route token in request message. This is not an actual error as any attempt to directly access the connection servers on this port will generate this message so in this instance a response code within blast monitoring of 404 is actually a good thing.
To create a customer monitor navigate to Traffic Management/Load Balancing/Monitors and click Add.
Give your monitor a friendly name and select HTTP as the type then scroll down to the destination port.
Type in the Blast port of 8443 and scroll down to the bottom of the monitor page.
Tick the Secure checkbox and then scroll back up to the top of the page.
Now select the Special Parameters tab and within Response Codes enter 404 and click the + sign to add it to the monitor and finally click create.
Creating VIP’s and configuring VMware Horizon View
So we are now at the exciting bit where all the things previously configured are bound together and presented through the Virtual IP’s to service staff’s virtual desktop needs!
The first thing we need to do is create 2 VIP’s on the NetScaler with the same IP address but utilising the Blast and straight SSL protocol to service the VMware Horizon View Client. Click on Traffic Management/Load Balancing/Virtual Servers and Click Add.
Give the first virtual server a friendly name and select SSL from the Protocol drop down list and enter the load balanced IP address you have chosen for your URL (view.vhorizon.local). Port 443 is filled in for you so click OK.
Now click in the No Load Balancing Virtual Server ServiceGroup Binding option to select the HTTPS Service Group we have created previously.
Check the https radio button the Service Group screen and click OK.
Then Click Bind
Now click on the No Server Certificate option in the virtual server configurator screen to select the previously imported SSL certificate.
Click in the Click to select option box.
Now select the certificate for VMware Horizon View and then click OK and finally click Bind to bind the certificate to the virtual server.
Finally click Done to create the virtual server.
Once created your virtual server should be showing as up and look similar to the below.
Repeat the process for creating the virtual server but this time binding the Blast service group utilising the SSL_Bridge Protocol and port 8443.
Persistency Groups are a feature of NetScalers that tie separate Virtual Servers together in a couple of ways. Firstly it ties all the virtual servers to a uniform type of persistence so as in this instance we are going to use the Source IP as a persistence setting so that a client connecting to a virtual server will always be directed to the same back end server for the during of an idle connection based in the clients source IP.
The second way Persistency Groups help us in a load balancing VMware Horizon View connection servers task is that it ensures a client is directed to the same back end server despite the fact that the client may be connecting in across multiple virtual IP’s. For instance in this case if we did not set a Persistency Group across our two virtual IP’s our client may goto “connectionserver1” for its https connection and once authenticated and the user has clicked on the Blast connection icon is directed to “connectionserver2″which will cause us a problem because connectionserver2 is not necessarily going to know that the user has authenticated properly.
To create a Persistency Group navigate to Traffic Management/Load Balancing/Persistency Groups and click the Add button.
Give your Persistency Group a friendly name and in the persistence type click the drop down list and choose source IP. Leave the defaults for IPv4 Netmask etc but I would recommend changing the time out from the default 2 minutes to 20 minutes.
Under the virtual server Name box click the Add button on the right hand site.
Move the two virtual servers from the left hand box to the right by clicking the plus sign next to each virtual server name. Once moved click the Create button.
Now click the Save button on the NetScaler to ensure your running configuration is committed to the nsconf file and persists after a reboot.
***TREAT THE NETSCALER AS A SWITCH IF YOU DO NOT SAVE THE CONFIG AND THEN REBOOT IT THE CONFIG WILL BE LOST***
Now switching to a VMware Horizon View admin console you need to navigate to View Configuration/Servers/Connection Servers. Right Click on on of your connection servers and click Edit.
Ensure that Secure Tunnel connection to machine is select along with Blast Secure Gateway and ensure the URL’s are modified to the load balanced DNS name you have selected.
Repeat this process for each connection server within your environment that you have included within the NetScaler configuration. Once the View administration console configuration has been completed that is all you need to do you should now be able to log into your load balanced URL with either the full VMware Horizon View client or through HTML5 access with greatly improved usability and resilience.
Author: Dale Scriven