Unified Access Gateway for end-user computing products and services needs high availability for Workspace ONE and VMware Horizon on-prem deployments. However, using third-party load balancers adds to the complexity of the deployment and troubleshooting process. This solution reduces the need for a third-party load balancer in the DMZ front-ending Unified Access Gateway.
Implementation
Unified Access Gateway requires the IPv4 virtual IP address and a group ID from the administrator. Unified Access Gateway assigns the virtual IP address to only one of the nodes in the cluster that are configured with the same virtual IP address and Group ID. If the Unified Access Gateway node holding the virtual IP address fails, the virtual IP address is reassigned automatically to one of the remaining nodes in the cluster. HA and load distribution occur among the nodes in the cluster that are configured with the same Group ID.
Mode and Affinity
Different Unified Access Gateway services require different algorithms.
- For VMware Horizon and Web Reverse Proxy - Source IP Affinity is used with the round robin algorithm for distribution.
- For VMware Tunnel (Per-App VPN) and Content Gateway - There is no session affinity and least connection algorithm is used for distribution.
- Source IP Affinity: Maintains the affinity between the client connection and the Unified Access Gateway node. All connections with the same source IP address are sent to the same Unified Access Gateway node.
- Round Robin mode with high availability: Incoming connection requests are distributed across the group of Unified Access Gateway nodes sequentially.
- Least Connection mode with high availability: A new connection request is sent to the Unified Access Gateway node with the fewest number of current connections from the clients.
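The following is an added simulation written for this page, not VMware's implementation, that models the three behaviours described above on one cluster: a single node holds the floating virtual IP and hands it over when it fails, Horizon and Web Reverse Proxy connections are placed with source-IP affinity on top of round robin, and Tunnel and Content Gateway connections are placed by least connection with no affinity. Node names, client IP addresses, the Group ID values and the rule that the first healthy node inherits the VIP are constructed for the example.

```python
"""Model of Unified Access Gateway HA distribution modes (example code, not VMware's)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    healthy: bool = True
    active_connections: int = 0


class HaCluster:
    """Nodes sharing one Group ID and one virtual IP (VIP)."""

    def __init__(self, group_id: int, vip: str, node_names: List[str]):
        self.group_id = group_id
        self.vip = vip
        self.nodes = [Node(n) for n in node_names]
        # Assumption for the example: the first node acquires the VIP at start-up.
        self.vip_holder: Optional[Node] = self.nodes[0]
        self._rr_index = 0
        self._affinity: Dict[str, Node] = {}  # client source IP -> node

    def healthy_nodes(self) -> List[Node]:
        alive = [n for n in self.nodes if n.healthy]
        if not alive:
            raise RuntimeError("no healthy node left in group %d" % self.group_id)
        return alive

    def fail_node(self, name: str) -> None:
        """Mark a node down; if it held the VIP, another healthy node takes it over."""
        for n in self.nodes:
            if n.name == name:
                n.healthy = False
                n.active_connections = 0
        if self.vip_holder is not None and not self.vip_holder.healthy:
            self.vip_holder = self.healthy_nodes()[0]
        # Affinity entries that point at the failed node are dropped so those
        # clients are re-placed on their next connection.
        self._affinity = {ip: n for ip, n in self._affinity.items() if n.healthy}

    def _round_robin(self) -> Node:
        alive = self.healthy_nodes()
        node = alive[self._rr_index % len(alive)]
        self._rr_index += 1
        return node

    def connect_with_affinity(self, source_ip: str) -> str:
        """Horizon / Web Reverse Proxy: same source IP always lands on the same
        node; a source IP seen for the first time is placed by round robin."""
        node = self._affinity.get(source_ip)
        if node is None:
            node = self._round_robin()
            self._affinity[source_ip] = node
        node.active_connections += 1
        return node.name

    def connect_least_connection(self) -> str:
        """Tunnel / Content Gateway: no affinity; pick the node with the
        fewest current connections (first node wins a tie)."""
        node = min(self.healthy_nodes(), key=lambda n: n.active_connections)
        node.active_connections += 1
        return node.name


def demo() -> dict:
    """Run a constructed scenario and return the observed placements."""
    horizon = HaCluster(group_id=42, vip="10.0.0.100", node_names=["uag1", "uag2", "uag3"])
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "192.0.2.12"]  # constructed
    placement = [horizon.connect_with_affinity(ip) for ip in clients]
    holder_before = horizon.vip_holder.name
    horizon.fail_node("uag1")                 # VIP holder goes down
    holder_after = horizon.vip_holder.name    # VIP moves to a healthy node
    replaced = horizon.connect_with_affinity("192.0.2.10")  # old affinity gone

    tunnel = HaCluster(group_id=43, vip="10.0.0.101", node_names=["uag1", "uag2"])
    tunnel.nodes[0].active_connections = 2    # constructed: uag1 already busy
    picks = [tunnel.connect_least_connection() for _ in range(3)]

    return {
        "horizon_placement": placement,        # ['uag1', 'uag2', 'uag1', 'uag3']
        "vip_holder_before": holder_before,    # 'uag1'
        "vip_holder_after": holder_after,      # 'uag2'
        "replaced_client": replaced,           # 'uag3'
        "least_connection_picks": picks,       # ['uag2', 'uag2', 'uag1']
    }


if __name__ == "__main__":
    print(demo())
```

Note how the second appearance of 192.0.2.10 sticks to uag1 under affinity, while after uag1 fails the same client is re-placed by round robin; in least-connection mode the idle node absorbs new connections until the counts even out.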
Prerequisites
- The virtual IP address used for HA must be unique and available. Unified Access Gateway does not validate that it is unique during configuration. The IP address might show as assigned to Unified Access Gateway but not be reachable if another VM or physical machine already uses that IP address.
- The Group ID must be unique in a given subnet. If the Group ID is not unique, an inconsistent virtual IP address might get assigned in the group. For example, two or more Unified Access Gateway nodes might end up trying to acquire the same virtual IP address. It might cause the Virtual IP address to get toggled between multiple Unified Access Gateway nodes.
- To set up HA for Horizon or web reverse proxy, ensure that the TLS server certificate is the same on all the Unified Access Gateway nodes.
- If HA is configured, ensure that VIP is accessed using FQDN on port 443.
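Because Unified Access Gateway does not verify the certificate prerequisite for you, the following added check (example code, not VMware's) compares the SHA-256 fingerprint of the TLS server certificate presented by each node in the HA group and reports any node that deviates from the majority. In practice the PEM strings would be fetched from each node's individual IP address with `ssl.get_server_certificate((node_ip, 443))`; the PEM blobs embedded here are constructed placeholders (base64 of arbitrary bytes) so the check runs offline, not real certificates.

```python
"""Check that every HA node presents the same TLS server certificate (example code)."""
import base64
import hashlib
import ssl
from collections import Counter
from typing import Dict, List


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding, i.e. the usual certificate fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def find_mismatched_nodes(certs: Dict[str, str]) -> List[str]:
    """Return the names of nodes whose certificate fingerprint differs from
    the fingerprint shared by the majority of nodes (empty list = all same)."""
    fps = {node: fingerprint_sha256(pem) for node, pem in certs.items()}
    majority_fp, _ = Counter(fps.values()).most_common(1)[0]
    return sorted(node for node, fp in fps.items() if fp != majority_fp)


def _constructed_pem(payload: bytes) -> str:
    """Build a PEM-shaped blob from arbitrary bytes; NOT a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: uag3 was deployed with a different certificate.
SAMPLE_CERTS = {
    "uag1": _constructed_pem(b"cert-A" * 8),
    "uag2": _constructed_pem(b"cert-A" * 8),
    "uag3": _constructed_pem(b"cert-B" * 8),
}


if __name__ == "__main__":
    bad = find_mismatched_nodes(SAMPLE_CERTS)
    print("mismatched nodes:", bad or "none")
```

Run this against the nodes' individual IP addresses rather than the VIP, since the VIP only ever answers from one node at a time and would hide a mismatch on the others.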
Limitations
- IPv4 is supported for floating Virtual IP address. IPv6 is not supported.
- Only TCP high availability is supported.
- UDP high availability is not supported.
- With the VMware Horizon use case, only XML API traffic to Horizon Connection Server uses high availability. High availability is not used to distribute load for the protocol (display) traffic such as Blast, PCoIP, RDP. Therefore, the individual IP addresses of Unified Access Gateway nodes must also be accessible to VMware Horizon clients in addition to the Virtual IP address.
Required Configuration for HA on each Unified Access Gateway
For configuring HA on Unified Access Gateway, see Configure High Availability Settings.