The Avi Load Balancer can be deployed in front of Unified Access Gateways (UAG), connection servers, app volume managers, and more as required. The recommended way to configure Avi Load Balancer for load balancing traffic to UAG servers in VMware Horizon deployments is discussed below.

In the new way of deployment for load balancing UAG servers, the Avi Load Balancer performs the 307 redirection instead of the UAG server, along with XML parsing and port translation. The advantages of this approach are:

  • Robust enough to handle the persistence issues

  • Works well in the environments where users come behind the NAT

  • Ease of configuration

  • Better visibility and logs



Note:

The sample topology illustrates UAG deployment in a DMZ network. However, Avi Load Balancer supports deployment in both DMZ and non-DMZ networks.

Note:

Currently this feature is under tech preview.

Request Flow



  1. The client initiates a request to Horizon FQDN (https://horizon.demo.com) on L7 TLS port 443.

  2. The Avi Load Balancer picks a UAG server from the pool’s server list using the LB algorithm. It then responds with a 307 redirect with location set to UAG VIP FQDN and with a custom L7 port meant for the selected UAG server.

Note:

Service ports in the range from 5001 through 5005 have been added as Horizon internal ports. Those ports are referred to as custom ports. All subsequent requests will come from the client with this hostname+L7 port and are sent to the mapped UAG server. An example is shown in the image below:



Ports from 5001 through 5005 are specified on the virtual service.

Assume that there are two backend UAG servers: UAG 1 and UAG 2. When the initial request comes on layer 7 virtual service on port 443, the Avi Load Balancer chooses one of these servers based on the configured load balancing algorithm - UAG 1 or UAG 2. If the Avi Load Balancer chooses UAG 1 server from the pool, then it responds with a 307 redirect with location header set to the VIP FQDN and 5001 port(meant for UAG server1).

Similarly, in the case of UAG server 2, port 5002 will be set by the Avi Load Balancer. To get custom port mapping to UAG servers, use show pool <pool-name> vs service server map kv as shown below:

admin:10-50-55-87]: > show pool UAG-MVP-pool vs service server map kv 
          
 +-------------------+---------------------------------------------------------+ 
    
 | Field             | Value                                                   | 
    
 +-------------------+---------------------------------------------------------+ 
    
 | uuid              | se-00505695c1f1                                         | 
    
 | keyval_entries[1] |                                                         | 
    
 |   key             | 10.98.17.153,47873,2                                    | 
    
 |   val             | fe_l7_port:5003,fe_blast_port:20003,fe_pcoip_port:30007 | 
    
 |   local_eol       | 1000                                                    | 
    
 |   version         | 0                                                       | 
    
 |   ishub           | False                                                   | 
    
 | keyval_entries[2] |                                                         | 
    
 |   key             | 10.130.172.191,47873,2                                  | 
    
 |   val             | fe_l7_port:5002,fe_blast_port:20002,fe_pcoip_port:30006 | 
    
 |   local_eol       | 1000                                                    | 
    
 |   version         | 0                                                       | 
    
 |   ishub           | False                                                   | 
    
 | keyval_entries[3] |                                                         | 
    
 |   key             | 10.130.172.192,47873,2                                  | 
    
 |   val             | fe_l7_port:5001,fe_blast_port:20001,fe_pcoip_port:30005 | 
    
 |   local_eol       | 1000                                                    | 
    
 |   version         | 0                                                       | 
    
 |   ishub           | False                                                   | 
    
 +-------------------+---------------------------------------------------------+ 
 

Use show pool <pool-name> vs service server map table:

 [admin:10-50-55-87]: > show pool UAG-MVP-pool vs service server map table 
    
 +--------------------------------+--------------------+ 
    
 | Field                          | Value              | 
    
 +--------------------------------+--------------------+ 
    
 | uuid                           | se-00505695c1f1    | 
    
 | vs_service_server_map_entry[1] |                    | 
    
 |   app_service_port             | 5001               | 
    
 |   app_service_type             | HORIZON_INTERNAL   | 
    
 |   ip_port_str                  | 10.130.172.192:443 | 
    
 | vs_service_server_map_entry[2] |                    | 
    
 |   app_service_port             | 5002               | 
    
 |   app_service_type             | HORIZON_INTERNAL   | 
    
 |   ip_port_str                  | 10.130.172.191:443 | 
    
 | vs_service_server_map_entry[3] |                    | 
    
 |   app_service_port             | 5003               | 
    
 |   app_service_type             | HORIZON_INTERNAL   | 
    
 |   ip_port_str                  | 10.98.17.153:443   | 
    
 | vs_service_server_map_entry[4] |                    | 
    
 |   app_service_port             | 20001              | 
    
 |   app_service_type             | HORIZON_BLAST      | 
    
 |   ip_port_str                  | 10.130.172.192:443 | 
    
 | vs_service_server_map_entry[5] |                    | 
    
 |   app_service_port             | 20002              | 
    
 |   app_service_type             | HORIZON_BLAST      | 
    
 |   ip_port_str                  | 10.130.172.191:443 | 
    
 | vs_service_server_map_entry[6] |                    | 
    
 |   app_service_port             | 20003              | 
    
 |   app_service_type             | HORIZON_BLAST      | 
    
 |   ip_port_str                  | 10.98.17.153:443   | 
    
 | vs_service_server_map_entry[7] |                    | 
    
 |   app_service_port             | 30005              | 
    
 |   app_service_type             | HORIZON_PCOIP      | 
    
 |   ip_port_str                  | 10.130.172.192:443 | 
    
 | vs_service_server_map_entry[8] |                    | 
    
 |   app_service_port             | 30006              | 
    
 |   app_service_type             | HORIZON_PCOIP      | 
    
 |   ip_port_str                  | 10.130.172.191:443 | 
    
 | vs_service_server_map_entry[9] |                    | 
    
 |   app_service_port             | 30007              | 
    
 |   app_service_type             | HORIZON_PCOIP      | 
    
 |   ip_port_str                  | 10.98.17.153:443   | 
    
 +--------------------------------+--------------------+
 
  1. If you have more UAG servers, add more ports like 5003, 5004, and so on, on the Avi Load Balancer virtual service.

    To summarize, the L7 VIP must have enough service ports, each dedicated to a UAG server in the pool. It is recommended to open enough ports in the beginning to accommodate expansion of UAG server pool in the future.

    With the above capability of the Avi Load Balancer performing 307 redirect, any new UAG server can be added to the server pool with minimal configuration changes on the Horizon server. Incoming client requests to a specific L7 service port (other than the base port) is content-switched to specific UAG servers in the pool.

  2. Client sends the request on the redirected FQDN https://demo.horizon.com:5001/.

  3. The Avi Load Balancer sends the request to one of the UAG servers. In this example, it is sent to UAG 1.

  4. UAG responds to the Avi Load Balancer with XML data. After a client completes authentication with a selected UAG server, the UAG response containing IP/FQDN is used for secondary protocols communication.

  5. The Avi Load Balancer parses this response, replaces the IP/FQDN and port XML tags with Avi Load Balancer FQDN and L4 Service port. For example, in the case of UAG 1, UAG IP/FQDN and port XML tags are replaced with the Avi Load Balancer VIP FQDN and 20001/30005 port (Blast/PCoIP respectively). Similarly, in the case of UAG 2, the Avi Load Balancer changes the FQDN and port to Avi Load Balancer VIP FQDN and 20002/30006 port (depending on it being Blast/PCoIP respectively).

  6. The L4 request with the custom port lands on the Avi Load Balancer virtual service FQDN.

  7. Using the custom port, the Avi Load Balancer knows to which UAG server the request must be sent to.

  8. The Avi Load Balancer sends the request to the appropriate UAG server. According to the example, it is sent to UAG 1.

  9. UAG responds to the Avi Load Balancer.

  10. The Avi Load Balancer sends the response to the client which will be able to render the apps/desktops successfully.

Configure Load Balancing

The steps to configure the load balancing of UAG are as below:

  1. Avi Load Balancer for Load Balancing UAG Servers

  2. Creating a Pool

  3. Installing the SSL certificate Required for L7 VIP

  4. Creating Virtual Service for UAG

  5. Binding DataScripts to the Virtual Service

Creating Custom Health Monitor for UAG

  1. To create a custom health monitor, navigate to Templates > Profiles > Health Monitors.

  2. Click Create.

  3. Select the VMware Cloud that was created for Horizon.

  4. Enter the following details in the New Health Monitor screen:

    Field

    Value

    Send Interval

    30

    Receive Timeout

    10

    Client Requested Data

    GET /favicon.ico HTTP/1.0

    Response Code

    2xx

The New Health Monitor screen is as shown below:







Save the configuration.

Creating a Pool

To create the pool,

  1. Navigate to Applications > Pools.

  2. Select the cloud from the Select Cloud window.

  3. Click Next.

  4. Click Create Pool.

  5. In the CREATE POOL screen, update the details as shown below:





  6. In SSL tab, select the appropriate SSL profile as shown below:



  7. In the Servers tab, add the Server IP Address of the UAG servers created earlier.



  8. Click Save.

Installing the SSL certificate Required for L7 VIP

If the SSL connection is being terminated at the virtual service, the SSL certificate must be assigned to the virtual service. It is recommended to install a certificate which is signed by a valid certificate authority instead of using self-signed certificates. Install the certificate in Avi Load Balancer and ensure that the CA certificate is imported and linked. For more information, see SSL Certificates topic in the VMware Avi Load Balancer Configuration Guide.

Note:

For this set up, a certificate named Horizon_Certificate has been installed.

Add the SAN certificate to UAG. For more details on adding the SAN certificate, see Configuring TLS/SSL Certificates for Unified Access Gateway Appliances.

Creating Virtual Service for UAG

To create the new virtual service,

  1. Navigate to Applications > Virtual Services.

  2. Click CREATE VIRTUAL SERVICE > Advanced Setup.

  3. Bind the virtual service VIP.

  4. Use the System-HTTP-Horizon-UAG as the Application Profile.

    Note:

    The system-HTTP-Horizon-UAG only works with Avi Load Balancer for load balancing UAG servers and VMware Horizon GSLB Configuration deployments. To use any other design or deployment option, or to switch from this deployment to another, you must change the Application Profile to system-secure-http-vdi.

  5. Configure the virtual service as shown below:



  6. In the Service Port section, click Switch to advanced and configure the service ports.





    Note:

    Ensure that enough ports are opened on the virtual service to accommodate any new UAG servers you add to the UAG pool.

    In this example, six ports are opened for primary and secondary traffic:

    • Port 443 – This is for XML API traffic

    • Ports 5001 to 5005 – Horizon internal ports opened for L7 primary XML traffic to handle redirected traffic

    • Ports 30001 to 30005 – Blast

    • Ports 20001 to 20005 - PcoIP

    These non-standard ports are required on the Avi Load Balancer virtual service only. These ports do not have to be opened for UAG servers. These ports need to be opened on the firewall that is placed in front of the load balancer.

  7. Bind the pool and the SSL certificate created.

  8. Click Next.

  9. Click Next and save the configuration.

Configuring Public IP for PCoIP in the NAT Use Case

For Horizon deployments using UAG virtual service, the client will by default use the UAG virtual service IP for PCoIP connections. This behavior is not desirable in NAT environments where external clients connect to a public IP that gets translated to the virtual service’s private IP. To change this behavior, configure the content rewrite rule on the virtual service to replace the PCoIP with the public IP that the external clients will use. In the following example, assume that the public IP is 11.11.11.11:

[admin:1234]: > configure virtualservice HORIZON-MVP-UAG-VS
[admin:1234]: virtualservice> content_rewrite
[admin:1234]: virtualservice:content_rewrite> rsp_rewrite_rules index 1
[admin:1234]: virtualservice:content_rewrite:rsp_rewrite_rules> pairs index 1
[admin:1234]: virtualservice:content_rewrite:rsp_rewrite_rules:pairs> replacement_string val "${1}11.11.11.11${2}"
[admin:1234]: virtualservice:content_rewrite:rsp_rewrite_rules:pairs:replacement_string> save
[admin:1234]: virtualservice:content_rewrite:rsp_rewrite_rules:pairs> save
[admin:1234]: virtualservice:content_rewrite:rsp_rewrite_rules> save
[admin:1234]: virtualservice:content_rewrite> save
[admin:1234]: virtualservice> save

Binding the DataScript to the Virtual Service

  1. From the UI, navigate to Applications > Virtual Services.

  2. Edit the virtual service that was created.

  3. Go to Policies > DataScripts.

  4. Click Add DataScripts.

  5. Under Script To Execute, select System-Standard-Horizon-UAG.

  6. Click Save DataScript and click Save.

Configuration Changes on UAG Servers

  1. Get the custom ports for Blast and PCoIP per UAG server after pool is created (Pool > Server page).



  2. Add the custom ports to the respective external URLs of UAG’s Blast and PCoIP

    1. The Blast URL must be in the format https://uag.site.com:xxxx/?UDPPort=xxxx for Blast UDP to work. For more information, see UAG.

    2. Modify each UAG’s Blast and PCoIP external URL fields to use the custom ports added in the Avi Load Balancer port map (From the UI, Edit Pool > Servers tab under New Pool or Edit Pool page). Modify the Blast external URL to include the custom port for UDP. For example, https://uag-vs.site1.com:<BLAST-CUSTOM-PORT>/?UDPPort=<BLAST-CUSTOM-PORT>. For more information, see Blast TCP and UDP External URL Configuration Options.



  3. If SAML auth is configured on the UAG, add each site’s UAG VS FQDN:port combination in the IDP’s SSO URL list (port here refers to the custom ports configured for the primary protocol. Use wildcard port if IDP provides this facility). For example, [uag-vs.site1.com:5001, uag-vs.site1.com:5002, uag-vs.site2.com:5001, uag-vs.site2.com:5002].

  4. Add each site’s UAG virtual service FQDN in the SAN list of the UAG virtual service certificate to avoid invalid certificate errors.

  5. The custom ports used on the UAG virtual service VIP for the primary / secondary connections can change for a UAG server if:

    1. The UAG server is deleted and added back to the UAG virtual service pool.

    2. All SEs go down at once. No single SE has the port map at this point, and port map will have to be rebuilt. In this case, redo the UAG external URL changes with the new port shown in the Avi Load Balancer port map.

  6. Port range determines the number of servers that can be added. For example, if 2000-2010 is added as the port range, only 10 servers can be added. If more are required, change the port range.

  7. For the custom port changes to take effect on UAG external URLs ensure that the Blast and PCoIP protocols are disabled after change. Save the changes and re-enable the protocols.

For details on Enabling WAF For UAG Traffic, see Configuring NSX Advanced Load Balancer for VMware Horizon.

Known Issues

  • For the custom port changes to take effect on UAG external URLs, disable the Blast and PCoIP protocols after change, save the changes, and enable the protocols again. For the issue with UAG port caching, toggle the protocol in UAG admin console.

  • Some ports can be blocked by browsers like Chrome. For example, port 6000 is used by X11, and if this is used for the primary / secondary custom ports, Chrome will block the connection with reason as restricted port in use).

  • In some cases, when accessing the VMware Horizon Client, server icons are created in the Horizon Client server list page as show below.



  • HTML client logout gets stuck after redirect with custom port.

  • If System-HTTP-Horizon-UAG or any application profile with App Service Type set to Horizon is configured in a virtual service, the respective virtual service will now be attached with the rewrite rules for Horizon use-case specific content:

     [admin:10-50-55-170]: > show virtualservice <UAG-L7-VS-Name>
     +------------------------------------+---------------------------------------------------------------------------+
     | Field                              | Value                                                                     |
     +------------------------------------+---------------------------------------------------------------------------+
     | uuid                               | virtualservice-23db86e6-d508-4120-aae4-f8da518a5dbe                       |
     | name                               | HORIZON-MVP-UAG-VS                                                        |
     | enabled                            | True                                                                      |
     |---------------------------Truncated Output---------------------------------------------------------------------|
     | content_rewrite                    |                                                                           |
     |   rewritable_content_ref           | System-Rewritable-Content-Types                                           |
     |   rsp_rewrite_rules[1]             |                                                                           |
     |     name                           | System-Standard-Horizon                                                   |
     |     enable                         | True                                                                      |
     |     index                          | 1                                                                         |
     |     pairs[1]                       |                                                                           |
     |       search_string                |                                                                           |
     |         type                       | SEARCH_REGEX                                                              |
     |         val                        | (<address>)[\s]*(?:[0-9]{1,3}\.){3}[0-9]{1,3}[\s]*(<address>) |
     |       replacement_string           |                                                                           |
     |         type                       | COMBINATION_STRING                                                        |
     |         val                        | ${1}${vs_ip}${2}                                                          |
     |---------------------------Truncated Output---------------------------------------------------------------------|  
     | allow_invalid_client_cert          | False                                                                     |
     | vh_type                            | VS_TYPE_VH_SNI                                                            |
     +------------------------------------+---------------------------------------------------------------------------+
     
    • These rules remain on the virtual service even if the application profile is changed to a non-Horizon service type. To remove the content rewrite rules in this case, run the following commands on the controller CLI (after removing App Service Type from the app profile):

     [admin:1234]: > configure virtualservice <UAG-L7-VS-Name>
     [admin:1234]: > no content_rewrite
     [admin:1234]: > save

    App Service Type can be seen in the Advanced settings of application profile, as shown below:



  • When there is a configuration change to pools (addition/deletion of pools), the first disable/enable of the virtual service causes the UAG port map to change on the pool server. However, subsequent changes (disable/enable) does not change them.