After successful cloud configuration, create a virtual service on NSX Advanced Load Balancer. The recommended configuration is two virtual services (one L7 VS and one L4 VS) that share the same virtual IP (VIP).
The following are the configuration steps for load balancing UAG.
Procedure
- Create a custom health monitor for UAG.
- From the UI, navigate to Templates > Profiles > Health Monitors.
- Click Create.
- Select the Azure Cloud that was created for Horizon.
- Enter the following details in the New Health Monitor screen.
  - Send Interval: 30
  - Receive Timeout: 10
  - Client Requested Data: GET /favicon.ico HTTP/1.0
  - Response Code: 2xx
- Click Save.
- Create Pools
Before creating the UAG L7 pool, create the SSL profile to be used for the UAG L7 pool.
Create an SSL Profile for the UAG pool with the configuration given below:
Accepted Versions: 1.2
Cipher List:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- Navigate to Templates > SSL/TLS Profile > Create.
- Select Application Profile.
- Enter the required fields in the New SSL/TLS Profile screen.
- Click the Ciphers tab and select the following ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- Click Save.
The following are the steps to create the UAG L7 Pool:
- Navigate to Applications > Pools.
- Select the Azure cloud from the Select Cloud sub-screen and click Next.
- Click Create Pool.
- In the New Pool screen, update the details as shown below:
- Click Next.
- In the Servers tab, add the Server IP Address of the UAG servers and click Add Server.
- Click Save.
To configure UAG L4 Pool:
Follow the steps shown under UAG L7 Pool but with the configuration shown below:
- Install SSL Certificate
The SSL connection is terminated at the NSX Advanced Load Balancer virtual service, so the SSL certificate must be assigned to the virtual service. Install a certificate signed by a valid certificate authority rather than a self-signed certificate. Install the certificate in NSX Advanced Load Balancer and ensure the CA certificate is imported and linked to it. For instructions, see the SSL Certificates topic in the VMware NSX Advanced Load Balancer Configuration Guide.
- Disable Connection Multiplexing
In UAG load balancing, deactivate connection multiplexing for the System-Secure-HTTP-VDI profile.
- Navigate to Templates > Profiles > Application > System-Secure-HTTP-VDI.
- Click the edit icon.
- Disable Connection Multiplex as shown below:
- Click Save.
- Create an SSL Profile for Virtual Service
Create an SSL Profile for the virtual service with the configuration given below:
- Navigate to Templates > SSL/TLS Profile > Create.
- Select Application Profile.
- Enter the details below:
Accepted Versions: TLS 1.1, 1.2
Cipher List:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Click Save.
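As an added check (example code, not part of the VMware guide), the following script audits the two SSL/TLS profiles defined in this procedure, the pool-side profile created earlier and the virtual-service profile just created, by parsing each cipher-suite name and flagging deprecated protocol versions and non-AEAD suites. The profile contents are copied from the steps above; the audit rules are the example's own.

```python
import re
from typing import Dict, List
# Profiles exactly as the procedure above specifies them (pool side and VS side).
UAG_POOL_SSL_PROFILE = {
    "accepted_versions": ["TLS1.2"],
    "ciphers": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    ],
}
VS_SSL_PROFILE = {
    "accepted_versions": ["TLS1.1", "TLS1.2"],
    "ciphers": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
}

# IANA-style TLS 1.2 suite name: TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA))?"
    r"_WITH_(?P<enc>AES_\d+)_(?P<mode>GCM|CBC)_(?P<mac>SHA\d+)$"
)
def parse_suite(name: str) -> Dict[str, str]:
    """Split a TLS 1.2 suite name into key exchange, authentication, cipher, mode and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite: {name}")
    parts = m.groupdict()
    parts["auth"] = parts["auth"] or parts["kx"]  # TLS_RSA_WITH_...: RSA does both
    return parts

def audit_profile(profile: Dict[str, List[str]]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing to flag."""
    findings = []
    for version in profile["accepted_versions"]:
        if version in ("TLS1.0", "TLS1.1"):
            findings.append(f"{version}: deprecated by RFC 8996, accept TLS 1.2 and newer only")
    for suite in profile["ciphers"]:
        parts = parse_suite(suite)
        if parts["kx"] not in ("ECDHE", "DHE"):
            findings.append(f"{suite}: no forward secrecy ({parts['kx']} key exchange)")
        if parts["mode"] == "CBC":
            findings.append(f"{suite}: CBC mode, prefer the AEAD (GCM) suites")
    return findings
```

Run `audit_profile()` on each profile before saving it; with the lists above, the pool profile is flagged for its two CBC suites and the virtual-service profile for accepting TLS 1.1.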
- Create an L7 Virtual Service and HTTP request policies
- Navigate to Applications > Virtual Services.
- Click Create Virtual Service > Advanced Setup.
- Use the System-Secure-HTTP-VDI as the Application Profile.
- Select the SSL profile created in the previous step as SSL Profile.
- Click Next.
- Under Step 2: Policies, go to the HTTP Request policies and click on the green coloured + icon to add a policy rule.
- Add the policies as shown below to match on the Host header. The Host header is the FQDN of the UAG server. In the first rule, the Host header of UAG server 1 is matched and, under Action, the same server is selected.
- Click Save rule.
- Similarly, create a second rule that matches the Host header of UAG server 2 and, under Action, selects that server.
- Click Next.
- Click Next and save the configuration.
- Create an L4 virtual service
Create another virtual service that shares the same IP address as the L7 VIP, so that a single virtual IP address serves both the primary and the secondary protocols. The L7 virtual service handles the primary protocol and the tunnel, whereas the L4 virtual service handles the other secondary protocols.
To create an L4 virtual service,
- Click Create Virtual Service > Advanced Setup.
- In the New Virtual Service screen, click Switch to Advanced under VIP Address.
- Select the L7 virtual service that was created as the Virtual Service for VIP.
- Under Service Port > Services, click Switch to Advanced.
- Add the port numbers for the secondary protocols as shown below:
- The virtual service is configured as shown below:
- Create an L4 DataScript
To create the L4 DataScript,
- Edit the L4 virtual service which was just created.
- Navigate to Polices > DataScripts.
- Click Add DataScript.
- Click on the drop-down menu under Script to Execute and click Create DataScript.
- Under L4 Events section, add the following DataScript for L4 Request Event Script field.
    -- Steer each external VIP port to one UAG server and back-end port.
    -- Replace UAG_serverN_IP with the real server IP addresses and
    -- L4-pool with the name of the L4 pool selected in the next step.
    -- tostring() makes the comparison work whether avi.vs.port() returns a
    -- number or a string (a robustness addition; the original compares strings directly).
    local avi_port = tostring(avi.vs.port())
    if avi_port == "4001" then
        avi.pool.select("L4-pool", "UAG_server1_IP", 4172)
    elseif avi_port == "4002" then
        avi.pool.select("L4-pool", "UAG_server2_IP", 4172)
    elseif avi_port == "5001" then
        avi.pool.select("L4-pool", "UAG_server1_IP", 8443)
    elseif avi_port == "5002" then
        avi.pool.select("L4-pool", "UAG_server2_IP", 8443)
    end
- In the DataScript pane, select the L4 pool from the Pools drop-down menu.
- Click Save.
- Click Save DataScript.
- Save the configuration.
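Added example (not from the guide and not an NSX Advanced Load Balancer tool): generating the L4 DataScript together with the list of service ports the L4 virtual service must expose, for any number of UAG servers, so the ports added under Service Port and the branches of the script cannot drift apart. It generalises the two-server script above; UAG_serverN_IP and L4-pool are the guide's placeholders, and 4172 and 8443 are the back-end ports the guide's script steers to.

```python
from typing import Dict, List, Tuple

# Constructed sample: UAG servers in the order they receive external ports
# 4001, 4002, ... and 5001, 5002, ... (placeholder names from the guide).
UAG_SERVERS = ["UAG_server1_IP", "UAG_server2_IP"]
L4_POOL = "L4-pool"
# (external port base, back-end port): base + N is the VIP port for server N.
PORT_MAP: List[Tuple[int, int]] = [(4000, 4172), (5000, 8443)]

def l4_port_table(servers: List[str]) -> Dict[int, Tuple[str, int]]:
    """Map every external VIP port to the (server, back-end port) it is steered to."""
    table: Dict[int, Tuple[str, int]] = {}
    for base, backend in PORT_MAP:
        for n, server in enumerate(servers, start=1):
            ext = base + n
            if ext in table:  # two ranges overlapping would silently misroute
                raise ValueError(f"external port {ext} assigned twice")
            table[ext] = (server, backend)
    return table

def l4_service_ports(servers: List[str]) -> List[int]:
    """Ports to add under Service Port > Services on the L4 virtual service."""
    return sorted(l4_port_table(servers))

def build_l4_datascript(servers: List[str], pool: str = L4_POOL) -> str:
    """Emit the Lua L4 Request Event Script with one branch per external port."""
    lines = ["local avi_port = tostring(avi.vs.port())"]
    keyword = "if"
    for ext, (server, backend) in sorted(l4_port_table(servers).items()):
        lines.append(f'{keyword} avi_port == "{ext}" then')
        lines.append(f'    avi.pool.select("{pool}", "{server}", {backend})')
        keyword = "elseif"
    lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    print("L4 service ports:", l4_service_ports(UAG_SERVERS))
    print(build_l4_datascript(UAG_SERVERS))
```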