Load balancing VMware View connection servers with Citrix NetScaler

Load balancing VMware View connection servers with Citrix NetScaler is a great way to provide high availability within your internal network.

VMware View connection servers are the internal gateways to your virtual desktops and server-based computing apps and desktops. At the moment, however, they have a major drawback: there is no native load balancing, which generally means a one-to-one relationship between connection servers and VMware Horizon View client configurations.

The issue is that if you have a number of connection servers, staff can soon end up with a client that lists a separate entry for each one.

Load balancing is a great way to reduce the confusion for the staff and also to improve resiliency within the Horizon View environment.

Citrix brings extra to the party by allowing increased monitoring flexibility, well over and above other technologies. I've blogged before about load balancing VMware Horizon View for external access. Luckily, load balancing internal traffic is much simpler to configure, as all we are interested in balancing is HTTPS on port 443 for the web traffic and port 8443 for the Blast HTML5 View traffic. The outline of the solution is depicted below.

[Diagram: VMwareViewConnectionServerLB]

PCoIP traffic, which runs over port 4172 TCP/UDP, will bypass the load balancer, as it's not necessary to load balance the actual virtual desktop traffic unless there's an overly complex firewall or corporate policy in place. This is in fact the default configuration for VMware Horizon View connection servers during installation.

I have also created a video of the procedure, so if you want to see how it's done click by click, read the post and watch the video at the bottom.

Before you make a start you will need to decide two key pieces of information.

What is the load balanced URL going to be? In my instance I'm using view.vhorizon.local. It's important for DNS and for the SSL certificate creation process.

What is the load balanced IPv4 address going to be? In my instance it's an address in the 192.168.122.x range.

Adding Servers

The first step is to add the connection servers to your NetScaler traffic management configuration. Log in to your Citrix NetScaler administration console, navigate to Traffic Management/Load Balancing/Servers and click Add.

Enter the details of your first connection server and click Create, then repeat the process for the remaining servers. Once completed, your connection servers should all be listed on the Servers page.

SSL Certificates

SSL certificates must be imported into the NetScaler to offload SSL duties for the standard HTTPS authentication traffic. There are quite a few ways you can do this, depending on whether you are creating the SSL certificate within the NetScaler itself or whether it's coming from an external source, and on its format. The important thing to note is that the NetScaler REQUIRES the private key to be imported along with the certificate if it's coming from an external source, otherwise the certificate will not be allowed to be bound to a Virtual Server.

Please follow the guides below to get an idea of the steps involved. Unfortunately this blog post is lengthy enough already and will not cover getting the certificate into the NetScaler, however the video accompanying this post goes into some detail on the process.

Importing an External PFX

Creating and completing a Certificate request within the NetScaler

Service Groups

Service Groups are utilised within NetScaler to bind together the servers entered above with the ports and protocols that those servers utilise. When load balancing VMware Horizon View connection servers we are only interested in the HTTPS 443 web page traffic for web and client authentication and the 8443 Blast HTML5 display protocol, so only two service groups are required.

Navigate to Traffic Management/Load Balancing/Service Groups and click Add.

Enter a friendly name for the service group; in this instance I'm creating the Service Group for HTTPS authentication traffic. Then select SSL from the Protocol drop-down list and select Continue.

Now we need to add the servers created previously to the service group, so click Members on the right-hand side, which will add another row at the bottom of the configuration screen.

Click on the No Service Group Member area and, on the next screen that pops up, select the Server Based radio button.

Now click the Select Server drop-down list, tick the servers we added previously for use with the connection server load balancing and click OK.

Now enter the port number in the Port dialogue box, which in this case is the standard 443 (for the Blast protocol service group this should be changed to 8443), and click Create.

Now we need to add a monitor to the service group, which will be used to regularly check that the back-end services are running. As this is a simple HTTPS Service Group, we only need to use a standard HTTPS monitor. So again from the right-hand menu click the Monitors button, which will add the option to the configuration window.

Click in the No Service Group to Monitor Binding bar, which will take you to the monitor selection dialog, and click the Click to select monitor option.

From the list select the HTTPS monitor radio button and click Add. Then click Bind on the next screen, which will take you back to the HTTPS Service Group main configuration page.

Finally, for the HTTPS service group, click the Certificates button on the right-hand side to add it to the configuration.

Now click No Server Certificate and, in the Select Server Certificate wizard, choose Click to Select to pick the recently imported SSL certificate.

Next select the certificate you have imported and click OK and then Continue.

Your HTTPS Service Group is now complete. Click Done at the bottom of the screen, which will add in the options you have just configured for the Service Group and take you back to the parent Service Group page.

Blast Protocol Service Group

Configuring the Blast Service Group is the same, except you will need to use the SSL_BRIDGE option instead of SSL for most deployments at this time. The reason is that the version of TLS used by default by the Blast protocol authentication is not yet supported within the virtual appliance versions of NetScaler. I have heard that this is coming in Q2 of 2015, but for now SSL bridging is the way forward. Also, as SSL_BRIDGE does not condition or inspect the traffic in any way as it passes through, you do not need to specify an SSL certificate within the service group or virtual server (discussed later). Full TLS support is provided with the physical MPX NetScaler appliances, so in that instance an SSL Service Group with an SSL certificate can be utilised.

In addition, a different monitor should be used to ensure the availability of the Blast protocol and, strangely enough, an error state within the 8443 traffic is used as a successful monitor check. When you navigate to your View URL on port 8443 (view.vhorizon.local:8443 in this example) you'll get either a 404 error or a "Missing route token in request" message. This is not an actual error, as any attempt to directly access the connection servers on this port will generate this message, so in this instance a response code of 404 within Blast monitoring is actually a good thing.

Custom Monitor

 

To create a custom monitor navigate to Traffic Management/Load Balancing/Monitors and click Add.

Give your monitor a friendly name and select HTTP as the type, then scroll down to the destination port.

Type in the Blast port of 8443 and scroll down to the bottom of the monitor page.

Tick the Secure checkbox and then scroll back up to the top of the page.

Now select the Special Parameters tab, enter 404 within Response Codes, click the + sign to add it to the monitor and finally click Create.
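To check a connection server by hand before trusting the monitor, the same test can be reproduced off the NetScaler. The script below is an added example, not part of the original post or of any Citrix or VMware tooling: it sends a GET to port 8443 and reports healthy only on a 404, as the custom monitor does. The server names in the `__main__` block are hypothetical.

```python
import http.client
import ssl

HEALTHY_CODES = {404}   # response code accepted by the custom Blast monitor above


def probe_blast(host, port=8443, secure=True, timeout=5.0, context=None):
    """Mimic the custom monitor: GET / and report healthy only on a 404.

    Returns (healthy, detail). With secure=True the certificate and host name
    are verified; pass a context that trusts your internal CA if needed.
    """
    try:
        if secure:
            ctx = context or ssl.create_default_context()
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            # Plain HTTP is only meant for testing against a local stub.
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", "/")
            status = conn.getresponse().status
        finally:
            conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Refused connection, timeout, DNS or TLS failure: treat as down.
        return False, f"no HTTP response: {exc}"
    return status in HEALTHY_CODES, f"HTTP {status}"


if __name__ == "__main__":
    # Hypothetical connection server names; replace with your own.
    for server in ("connectionserver1.vhorizon.local",
                   "connectionserver2.vhorizon.local"):
        print(server, probe_blast(server))
```

A 200 or any other code counts as a failure here, so a different service answering on 8443 is not mistaken for a healthy Blast gateway.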

 


Creating VIPs and configuring VMware Horizon View

So we are now at the exciting bit, where everything previously configured is bound together and presented through the virtual IPs to service staff's virtual desktop needs!

The first thing we need to do is create two VIPs on the NetScaler with the same IP address, one using the straight SSL protocol and one using Blast, to service the VMware Horizon View Client. Click on Traffic Management/Load Balancing/Virtual Servers and click Add.

Give the first virtual server a friendly name, select SSL from the Protocol drop-down list and enter the load balanced IP address you have chosen for your URL (view.vhorizon.local). Port 443 is filled in for you, so click OK.

Now click in the No Load Balancing Virtual Server ServiceGroup Binding option to select the HTTPS Service Group we created previously.

Check the https radio button on the Service Group screen and click OK.

Then click Bind.

Now click on the No Server Certificate option in the virtual server configuration screen to select the previously imported SSL certificate.

Click in the Click to select option box.

Now select the certificate for VMware Horizon View, click OK and finally click Bind to bind the certificate to the virtual server.

Finally click Done to create the virtual server.

Once created, your virtual server should be showing as up.

Repeat the process to create the second virtual server, but this time bind the Blast service group, using the SSL_BRIDGE protocol and port 8443.

Persistency Groups

Persistency Groups are a feature of NetScaler that ties separate virtual servers together in a couple of ways. Firstly, it ties all the virtual servers to a uniform type of persistence. In this instance we are going to use the Source IP as the persistence setting, so that a client connecting to a virtual server will always be directed to the same back-end server for the duration of an idle connection, based on the client's source IP.

The second way Persistency Groups help us when load balancing VMware Horizon View connection servers is that they ensure a client is directed to the same back-end server even though the client may be connecting across multiple virtual IPs. For instance, if we did not set a Persistency Group across our two virtual IPs, our client may go to "connectionserver1" for its HTTPS connection and then, once authenticated and the user has clicked on the Blast connection icon, be directed to "connectionserver2", which will cause us a problem because connectionserver2 is not necessarily going to know that the user has authenticated properly.
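The effect can be seen in a small model. This is an added example, not part of the original post, and it is a simplified model rather than NetScaler's own implementation: two round-robin virtual servers either keep separate source-IP tables or share one, which is what a Persistency Group gives them. The client addresses and request order are constructed.

```python
import itertools

BACKENDS = ["connectionserver1", "connectionserver2"]
TIMEOUT = 20 * 60   # seconds: the 20-minute persistence timeout


class VServer:
    """Round-robin virtual server with a source-IP persistence table."""

    def __init__(self, backends, table=None, timeout=TIMEOUT):
        self._rr = itertools.cycle(backends)
        # src_ip -> (backend, last_seen); a group passes in one shared table
        self.table = {} if table is None else table
        self.timeout = timeout

    def pick(self, src_ip, now):
        entry = self.table.get(src_ip)
        if entry is not None and now - entry[1] <= self.timeout:
            backend = entry[0]            # live entry: stick to that backend
        else:
            backend = next(self._rr)      # new or expired: balance afresh
        self.table[src_ip] = (backend, now)
        return backend


def simulate(grouped):
    """Return {client_ip: (https_backend, blast_backend)} for two clients."""
    shared = {} if grouped else None
    https = VServer(BACKENDS, shared)     # VIP on port 443
    blast = VServer(BACKENDS, shared)     # same VIP address, port 8443
    # Constructed sequence: both clients authenticate, then open Blast
    # in the opposite order.
    a_https = https.pick("10.0.0.1", now=0)
    b_https = https.pick("10.0.0.2", now=5)
    b_blast = blast.pick("10.0.0.2", now=10)
    a_blast = blast.pick("10.0.0.1", now=15)
    return {"10.0.0.1": (a_https, a_blast), "10.0.0.2": (b_https, b_blast)}


if __name__ == "__main__":
    for grouped in (False, True):
        label = "persistency group" if grouped else "separate tables"
        print(label, simulate(grouped))
```

With separate tables both clients authenticate on one connection server and open Blast on the other; with the shared table each stays on one server. Because the key is the source IP, clients behind a single NAT address share one entry and all land on the same connection server.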

 

To create a Persistency Group navigate to Traffic Management/Load Balancing/Persistency Groups and click the Add button.

Give your Persistency Group a friendly name and, in the persistence type drop-down list, choose Source IP. Leave the defaults for IPv4 Netmask etc., but I would recommend changing the timeout from the default 2 minutes to 20 minutes.

Under the Virtual Server Name box click the Add button on the right-hand side.

Move the two virtual servers from the left-hand box to the right by clicking the plus sign next to each virtual server name. Once moved, click the Create button.

Now click the Save button on the NetScaler to ensure your running configuration is committed to the ns.conf file and persists after a reboot.

***TREAT THE NETSCALER AS A SWITCH: IF YOU DO NOT SAVE THE CONFIG AND THEN REBOOT IT, THE CONFIG WILL BE LOST***

Now, switching to the VMware Horizon View admin console, navigate to View Configuration/Servers/Connection Servers. Right-click on one of your connection servers and click Edit.

Ensure that Secure Tunnel connection to machine is selected along with Blast Secure Gateway, and ensure the URLs are modified to the load balanced DNS name you have selected.

Repeat this process for each connection server within your environment that you have included within the NetScaler configuration. Once the View administration console configuration has been completed, that is all you need to do. You should now be able to log into your load balanced URL with either the full VMware Horizon View client or through HTML5 access, with greatly improved usability and resilience.

Author: Dale Scriven

3 thoughts on “Load balancing VMware View connection servers with Citrix NetScaler”

  1. Very nice Article! Good Job!
    Am I right that I couldn’t load balance two Security Connection Servers from View in the DMZ via NetScaler, because there the load balancing of 4172 UDP is required, but NetScaler couldn’t do that? Right? So for load balancing my Security Connection Servers I need another load balancer software / hardware… :/
    Thanks and best Regards,
    Julian
