Unified Access Gateway for end-user computing products and services needs high availability for Workspace ONE and VMware Horizon on-prem deployments. However, using third-party load balancers adds to the complexity of the deployment and troubleshooting process. This solution reduces the need for a third-party load balancer in the DMZ front-ending Unified Access Gateway .

Note: This solution is not a generic purpose load balancer.
Unified Access Gateway continues to support third-party load balancers in front, for users who prefer this mode of deployment. For more information, see Unified Access Gateway Load Balancing Topologies. Unified Access Gateway High Availability is not supported for Amazon AWS and Microsoft Azure deployments.

Implementation

Unified Access Gateway requires the IPv4 virtual IP address and a group ID from the administrator. Unified Access Gateway assigns the virtual IP address to only one of the nodes in the cluster that is configured with the same Virtual IP address and Group ID. If the Unified Access Gateway holding the virtual IP address fails, the Virtual IP address gets reassigned automatically to one of the nodes available in the cluster. The HA and load distribution occurs among the nodes in the cluster that is configured with the same Group ID.

Multiple connections originating from the same source IP address are sent to the same Unified Access Gateway that processes the first connection from that client for Horizon and web reverse proxy. This solution supports 10,000 concurrent connections in the cluster.
Note: Session affinity is required for these cases.
For VMware Tunnel (Per-App VPN), Secure Email Gateway and Content Gateway services, HA and load distribution is done using least connection algorithm.
Note: These connections are stateless and session affinity is not required.

Mode and Affinity

Different Unified Access Gateway services require different algorithms.

  • For VMware Horizon and Web Reverse Proxy - Source IP Affinity is used with the round robin algorithm for distribution.
  • For VMware Tunnel (Per-App VPN) and Content Gateway - There is no session affinity and least connection algorithm is used for distribution.
Methods that are used for distributing the incoming traffic:

  1. Source IP Affinity: Maintains the affinity between the client connection and Unified Access Gateway node. All connections with the same source IP address are sent to the same Unified Access Gateway node.

  2. Round Robin mode with high availability: Incoming connection requests are distributed across the group of Unified Access Gateway nodes sequentially.

  3. Least Connection mode with high availability: A new connection request is sent to the Unified Access Gateway node with the fewest number of current connections from the clients.

Note: Source IP affinity works only if the IP of the incoming connection is unique for each client connection. Example: If there is a network component, like a SNAT gateway between the clients and Unified Access Gateway then the source IP affinity does not work as the incoming traffic from multiple different clients to Unified Access Gateway have the same source IP address.
Note: Virtual IP address must belong to same subnet as the eth0 interface.

Prerequisites

  • The Virtual IP address used for HA must be unique and available. Unified Access Gateway does not validate if it is unique during configuration. The IP address might show as assigned but it might not be reachable if a VM or physical machine is associated to the IP address.
  • The Group ID must be unique in a given subnet. If the Group ID is not unique, an inconsistent virtual IP address might get assigned in the group. For example, two or more Unified Access Gateway nodes might end up trying to acquire the same virtual IP address. It might cause the Virtual IP address to get toggled between multiple Unified Access Gateway nodes.
  • To set up HA for Horizon or web reverse proxy, ensure that the TLS server certificate on all the nodes of Unified Access Gateway are same.
  • If HA is configured, ensure that VIP is accessed using FQDN on port 443.

Limitations

  • IPv4 is supported for floating Virtual IP address. IPv6 is not supported.
  • Only TCP high availability is supported.
  • UDP high availability is not supported.
  • With the VMware Horizon use case, only XML API traffic to Horizon Connection Server uses high availability. High availability is not used to distribute load for the protocol (display) traffic such as Blast, PCoIP, RDP. Therefore, the individual IP addresses of Unified Access Gateway nodes must also be accessible to VMware Horizon clients in addition to the Virtual IP address.

Required Configuration for HA on each Unified Access Gateway

For configuring HA on Unified Access Gateway, see, Configure High Availability Settings.