NSX Advanced Load Balancer can be deployed in front of Unified Access Gateways (UAG), connection servers, App Volumes managers and so on, as required. This section explains the recommended way to configure NSX Advanced Load Balancer for load balancing traffic to UAG servers in VMware Horizon deployments. It also covers the steps to load balance connection servers and App Volumes managers.

Sample Topology

Consider the request flow with the sample topology:



Note:

The sample topology illustrates UAG deployment in a DMZ network. However, the NSX Advanced Load Balancer supports deployment in both DMZ and non-DMZ networks.

FQDN                Entity Description                           Resolves To (VIP)   Real IP

uagvip.site1.com    FQDN of NSX Advanced Load Balancer LB VIP    VIP 1               10.10.5.200

uag1.site1.com      FQDN of UAG server 1 on site 1               VIP 1               10.58.17.163

uag2.site1.com      FQDN of UAG server 2 on site 1               VIP 1               10.58.17.164

Note:

The IPs and FQDNs used in the example are for illustration purposes only. Replace them with the details of your real environment.

Request Flow

The request flow for this deployment is as shown below:

  1. User sends a request to access uagvip.site1.com over the internet.

  2. The request comes to the NSX Advanced Load Balancer.

  3. The NSX Advanced Load Balancer load balances the request and sends it to one of the backend UAG servers. In this case, let’s assume that NSX Advanced Load Balancer sent the request to UAG server 1, that is, uag1.site1.com.

  4. UAG sends a 307 redirect to the client with the uag1.site1.com FQDN. UAG servers must be configured with the 307 feature as explained in Unified Access Gateway Support for HTTP Host Redirect. A sample UAG configuration is explained in Important Configurations to Check on UAG for this Solution.

  5. The client reads the Location header and queries the host given in it (uag1.site1.com).

  6. Using the DNS entries that were created (shown in the table above), the FQDN (uag1.site1.com) is resolved to the NSX Advanced Load Balancer VIP IP.

  7. After the 307 redirect, all further flows have the Host header set to the UAG FQDN.

  8. The client starts authentication with the new UAG FQDN (uag1.site1.com).

  9. When the request comes to the NSX Advanced Load Balancer, the NSX Advanced Load Balancer virtual service parses the Host header and forwards the request to the matching UAG (uag1.site1.com) using the HTTP policies.

  10. uag1.site1.com performs authentication, verifies entitlements and returns the secondary protocol information, which includes the external URLs for the protocols along with their configured custom ports.

  11. When the client launches the application, the L4 virtual service uses a DataScript to send the request to the correct UAG server based on the incoming destination port, that is, the custom port.

Configurations for Load Balancing

The steps to configure load balancing for UAG are as follows:

  1. Create Custom Health Monitor for UAG

  2. Create SSL Profile for Pool

  3. Create a Pool

  4. Install the SSL Certificate Required for L7 VIP

  5. Deactivate Connection Multiplexing

  6. Create an L7 virtual service and HTTP Request Policies

    1. To add HTTP Request Policies, click the Policies tab in the virtual service created above.

    2. Click the HTTP Request tab.

    3. Click the + (plus) icon to add the HTTP Request rules.

    4. Save the configuration.

    Note:

    As mentioned in the request flow, the NSX Advanced Load Balancer L7 virtual service looks for the Host header in the incoming requests from the client. Based on the Host header, the request is sent to one of the UAG servers.

    In the HTTP request policies configured above, the rules are created to match the Host header and then route the request to one of the backend UAG servers based on its value.

    For example, if the Host header is uag1.site1.com, send the request to the UAG1 server. If the Host header is uag2.site1.com, send the request to the UAG2 server.

  7. Create an L4 Virtual Service

    Note:

    The custom ports here, that is, 4001 and 4002, are used for Blast and 5001 and 5002 are used for PCoIP. These are configured on UAG. Note that there is no restriction to use only these port numbers. You can use any non-standard port numbers here, but you must ensure that the same port numbers are configured on UAG and on NSX Advanced Load Balancer.

    A sample configuration is explained in Important Configurations to Check on UAG for this Solution.

  8. Create an L4 DataScript

    Note:

    1. This DataScript ensures that requests arriving on specific ports are routed to the appropriate UAG server. The ports (4001/4002/5001/5002) are used to establish the persistence logic in this DataScript. The DataScript also makes NSX Advanced Load Balancer translate the custom port to the standard Blast/PCoIP port, that is, 8443/4172, while sending the request to one of the UAG servers. This is important because UAG servers listen on ports 8443 and 4172 for Blast and PCoIP respectively; UAG servers do not listen on the custom ports 4001/4002/5001/5002.

    2. If there are more UAG servers, ensure all the server IP:port pairs are added to the L4 pool before creating the DataScript.
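An added example of the port-based routing and port translation described in the two notes above, written as an Avi DataScript in Lua for the L4 request event; it is not the page's own script. It assumes the L4 pool is named uag-l4-pool, uses the UAG IPs from the sample table, and relies on the avi.vs.port() and avi.pool.select() DataScript calls.

```lua
-- Example L4 DataScript (VS_DATASCRIPT_EVT_L4_REQUEST), added here as an illustration.
-- Assumption: the L4 pool is named "uag-l4-pool"; server IPs are from the sample table.
-- Map the custom client-facing port -> { UAG server IP, real port UAG listens on }.
local port_map = {
  [4001] = { ip = "10.58.17.163", port = 8443 },  -- Blast  -> UAG1
  [4002] = { ip = "10.58.17.164", port = 8443 },  -- Blast  -> UAG2
  [5001] = { ip = "10.58.17.163", port = 4172 },  -- PCoIP  -> UAG1
  [5002] = { ip = "10.58.17.164", port = 4172 },  -- PCoIP  -> UAG2
}

local pool_name = "uag-l4-pool"
local vs_port = avi.vs.port()        -- destination port the client connected to
local target = port_map[vs_port]

if target then
  -- Pin the connection to the UAG that handed out this custom port and
  -- translate the custom port to the standard Blast/PCoIP port on that server.
  avi.pool.select(pool_name, target.ip, target.port)
else
  -- No mapping: the VS port list and this table have drifted apart.
  -- Log it so the mismatch between UAG and LB configuration is visible.
  avi.vs.log("UAG L4 DataScript: no UAG mapping for destination port " .. tostring(vs_port))
end
```

Every IP:port pair in port_map must already be a member of the L4 pool (note 2 above), and the table must be extended with one entry per custom port whenever a UAG is added.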

Important Configurations to Check on UAG for this Solution

  1. The Blast URL must point to the UAG hostname/FQDN with the correct port numbers, for example:

    1. Site 1 – UAG1 - https://<UAG1 FQDN>:4001/

    2. Site 1 – UAG2 - https://<UAG2 FQDN>:4002/

  2. Similarly, the PCoIP URL must point to the NSX Advanced Load Balancer VIP with the correct port numbers:

    1. Site 1 – UAG1 - https://<NSX Advanced Load Balancer VIP IP on site 1>:5001/

    2. Site 1 – UAG2 - https://<NSX Advanced Load Balancer VIP IP on site 1>:5002/

  3. Host Redirect mapping must be configured on all UAGs.

    Note:

    • The source host is the LB FQDN. For example, uagvip.site1.com

    • The redirect host is the UAG’s FQDN. For example, uag1.site1.com

  4. Upload the NSX Advanced Load Balancer VS certificate on all the UAG servers.

Other Considerations

  1. All the host names or FQDNs have to be added to the SAML IdP.

  2. Install the same certificate and key pair on NSX Advanced Load Balancer and bind it to the UAG L7 VS.

  3. In some cases, when accessing the VMware Horizon Client, multiple icons for the same site can be displayed. This issue will be resolved in the upcoming releases of Horizon Client.

Enabling WAF for UAG Traffic

For more information, see Enabling WAF For UAG Traffic.

Load Balancing Connection Server

Both L4 and L7 virtual services are supported to load balance traffic to connection servers. However, it is recommended to use L7 virtual services.

To know how to use L7 virtual service to load balance traffic to connection servers, see Load Balancing Traffic to Connection Servers.