Configure Avi Vantage for VMware Horizon

Overview

This article shows how Avi Vantage can be configured for load balancing in VMware Horizon deployments. Avi Vantage can be deployed in front of Unified Access Gateways (UAG) and/or in front of the connection servers as required.

Note: This article discusses the legacy way of configuring Avi Vantage. It is recommended to use Single VIP with two Virtual Services (Using 307 Redirect) and Load Balancing for Horizon Environments in (n+1) Mode using 307 Solution.

Prerequisites

To configure Avi Vantage for VMware Horizon deployments, ensure the following prerequisites are met:

Note: The sample topology illustrates UAG deployment in a DMZ network. However, Avi Vantage supports deployment in both DMZ and non-DMZ networks.

Avi Vantage for UAG Load Balancing

There are three ways to deploy Avi Vantage for UAG load balancing:

Avi Vantage for Connection Server Load Balancing

Avi Vantage can be used to load balance traffic to the connection servers as well. A single HTTPS virtual service can service both internal clients directly and external clients via UAG. Refer to the Connection Server Load Balancing section to know more.

Configuring UAG Load Balancing

The following steps are one-time configurations for UAG load balancing:

  1. Create custom health monitor for UAG
  2. Create SSL profile and install SSL certificate (required for L7 VIP)

Configuring Single VIP with Two Virtual Services

Note: This method is the legacy way of configuring Avi Vantage. It is recommended to use Single VIP with two Virtual Services (Using 307 Redirect) instead.

Single VIP with two virtual services can be configured as shown below:

  1. Create IP group with UAG as members
  2. Create custom Health Monitor for UAG
  3. Create pools
  4. Create SSL profile and install SSL certificate
  5. Disable Connection Multiplexing
  6. Create an L7 virtual service
  7. Create an L4 virtual service using the L7 virtual service as shared VIP and specify all the ports required for secondary protocols

Creating IP Group

IP groups are comma-separated lists of IP addresses that may be referenced by profiles, policies, and logs. Since the same UAG servers are used as pool members in two different pools, an IP group can be attached to each pool instead of attaching the servers to the pools directly. Any change to the pool members, such as adding or removing servers, is then made once at the IP Group level.

To create an IP group,

  1. From the Avi UI, navigate to Templates > Groups > IP Groups.
  2. Click on Create IP Group.
  3. Under IP Information, enter the IP Address to be added, and click on Add Server.
  4. Click on Save.

Creating Custom Health Monitor for Horizon

To create a custom health monitor,

  1. From the Avi UI, navigate to Templates > Profiles > Health Monitors.
  2. Click on Create.
  3. Select the vCenter cloud that was created for Horizon.
  4. Enter the following details in the New Health Monitor screen:
     Field                  Value
     Send Interval          30
     Receive Timeout        10
     Client Requested Data  GET /favicon.ico HTTP/1.0
     Response Code          2xx

     The New Health Monitor screen is as shown below.

  5. Click on Save.
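
The monitor configured above sends one raw HTTP request over TLS every Send Interval seconds, waits up to Receive Timeout seconds for the reply, and marks the server up only when the status code falls in the configured class. The following Python script is an added example, not part of this article or of Avi Vantage, that reproduces that check so the request and the expected response can be verified from any host before the pool goes into service. It also serves the connection server and App Volume Manager monitors later in the article, which use the same fields with a different request path, and its timer check reflects the connection server note that the receive timeout should exceed six seconds. The host name, the sample responses, and the timer rule are constructed for the example.

```python
import socket
import ssl
from typing import Tuple

# Monitor values from the article's UAG health monitor.
SEND_INTERVAL = 30            # seconds between probes
RECEIVE_TIMEOUT = 10          # seconds to wait for a reply
REQUEST_LINE = "GET /favicon.ico HTTP/1.0"
EXPECTED = "2xx"              # response code class that counts as healthy

# Constructed sample responses (not captured from a real UAG) used to
# exercise the classifier offline.
SAMPLE_RESPONSES = {
    "healthy": b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n\r\n",
    "draining": b"HTTP/1.1 503 Service Unavailable\r\n\r\n",
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: /portal/\r\n\r\n",
    "garbage": b"\x16\x03\x01 not http at all",
}


def status_matches(status_line: str, expected: str = EXPECTED) -> bool:
    """Match an HTTP status line against an Avi-style code class ("2xx") or an
    exact code ("200"). Anything that is not a valid status line is a failure,
    so a TLS alert or an empty reply never counts as healthy."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return False
    code = parts[1]
    if len(code) != 3:
        return False
    if expected.lower().endswith("xx"):
        return code[0] == expected[0]
    return code == expected


def classify(raw_response: bytes, expected: str = EXPECTED) -> bool:
    """Classify a raw response by its first line only, as the monitor does."""
    first = raw_response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return status_matches(first, expected)


def timers_ok(send_interval: float, receive_timeout: float, floor: float = 6.0) -> bool:
    """Sanity rule for the two timers (constructed for this example): the
    timeout must be shorter than the interval so probes do not overlap, and
    longer than the six-second floor the article gives for connection servers."""
    return floor < receive_timeout < send_interval


def probe(host: str, port: int = 443, request_line: str = REQUEST_LINE,
          timeout: float = RECEIVE_TIMEOUT, verify: bool = True) -> Tuple[bool, str]:
    """One probe as the monitor would send it: the raw request line over TLS,
    wait up to `timeout` seconds, classify the status line. Returns (healthy,
    detail) so a failure reason is visible when a pool member stays down."""
    ctx = ssl.create_default_context()
    if not verify:  # only for lab UAGs with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    wire = (request_line + "\r\nHost: " + host + "\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.settimeout(timeout)
                tls.sendall(wire)
                data = b""
                while b"\r\n" not in data:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    data += chunk
        return classify(data), data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    except (OSError, ssl.SSLError) as exc:
        return False, f"probe failed: {exc}"


if __name__ == "__main__":
    # uag01.example.test is a placeholder host name
    print(probe("uag01.example.test"))
```

Run it once per UAG before adding the member to the pool: a 302 to a portal page or a TLS failure shows up as "down" here exactly as it will in Avi, which is much quicker to diagnose than a pool that never comes up.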

Creating Pools

Pools maintain the list of servers assigned to them and perform health monitoring, load balancing, persistence, and functions that involve Avi Vantage-to-server interaction. A typical virtual service will point to one pool.

A pool includes the IP addresses of the UAG servers, i.e. UAG server01 and UAG server02.

Create two pools:

  • For L7 (HTTPS), named Horizon-L7-pool
  • For the secondary protocols, named Horizon-L4-pool

These two pools are required to attach to the two virtual services which will be created.

Consistent hash with source IP address as the key should be configured as the hash algorithm to maintain source IP affinity.
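
To see what source IP affinity buys on failover, the following Python model is an added example, not Avi's implementation, of a consistent hash ring keyed by client source IP. It uses constructed UAG member addresses and a /24 of client addresses; the point it demonstrates is that when one member leaves the ring (for example after failing its health monitor), only the clients that were mapped to it move, so every other client keeps its UAG and therefore its session.

```python
import bisect
import hashlib
import ipaddress
from typing import Dict, List

VNODES = 64  # points placed on the ring per member; more points smooth the split


def _point(key: str) -> int:
    # 64-bit ring position from a stable hash of the key
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashPool:
    """Toy model of a pool using consistent hash with source IP as the key:
    a client maps to the first member point clockwise from hash(source IP)."""

    def __init__(self, members: List[str]):
        self._members = set(members)
        self._rebuild()

    def _rebuild(self) -> None:
        ring = sorted((_point(f"{m}#{i}"), m) for m in self._members for i in range(VNODES))
        self._points = [p for p, _ in ring]
        self._owners = [m for _, m in ring]

    def add(self, member: str) -> None:
        self._members.add(member)
        self._rebuild()

    def remove(self, member: str) -> None:
        # a member that fails its health monitor leaves the ring
        self._members.discard(member)
        self._rebuild()

    def select(self, source_ip: str) -> str:
        if not self._points:
            raise LookupError("no healthy members")
        key = _point(str(ipaddress.ip_address(source_ip)))  # canonical text form
        idx = bisect.bisect_left(self._points, key) % len(self._points)  # wrap around
        return self._owners[idx]


def assignments(pool: ConsistentHashPool, clients: List[str]) -> Dict[str, str]:
    return {ip: pool.select(ip) for ip in clients}


def remap_report(members: List[str], failed: str, clients: List[str]) -> Dict[str, int]:
    """Count how many clients move when `failed` leaves the pool. With a
    consistent hash only the clients that were on the failed member move."""
    pool = ConsistentHashPool(members)
    before = assignments(pool, clients)
    pool.remove(failed)
    after = assignments(pool, clients)
    moved = sum(1 for ip in clients if before[ip] != after[ip])
    were_on_failed = sum(1 for ip in clients if before[ip] == failed)
    return {"clients": len(clients), "moved": moved, "were_on_failed": were_on_failed}


# Constructed sample data: three placeholder UAG addresses and a /24 of clients.
UAG_MEMBERS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
SAMPLE_CLIENTS = [str(ip) for ip in ipaddress.ip_network("198.51.100.0/24").hosts()]

if __name__ == "__main__":
    print(remap_report(UAG_MEMBERS, "192.0.2.12", SAMPLE_CLIENTS))
```

Compare this with a plain modulo hash (member = hash(ip) mod n): when n changes, most clients get a different member and their Horizon sessions drop, which is why the L4 and L7 pools must use the same algorithm and the same member list.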

Creating SSL Profile for Pool

Create an SSL Profile for the UAG pool with the configuration given below:

  • Accepted Versions: 1.2
  • Cipher List:
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below.
  4. Click on Save.

Creating the Horizon L7 Pool

To create the pool,

  1. In Avi Vantage, navigate to Applications > Pools.
  2. Select the vCenter cloud from the Select Cloud sub-screen.
  3. Click on Next.
  4. Click on Create Pool.
  5. In the New Pool: screen, update the details as shown below.
  6. To bind the monitor, click on Add Active Monitor and select the HTTPS monitor that was created.
  7. Click on Next.
  8. Click on Enable SSL and select the SSL profile created for the pool, as shown below.
  9. Click on Next.
  10. In the Step 2: Servers tab, add the IP Group of the UAG servers created earlier.
  11. Click on Next.
  12. Navigate to Step 3: Advanced tab > Step 4: Review.
  13. Click on Save.

Creating the Horizon L4 Pool

Create a pool with the name Horizon-L4-pool. Ensure that the pool configuration (port, UAG server IPs, load balancing algorithm, health monitor, etc.) is the same as that of the Horizon L7 Pool.

  1. Configure the default server port to 443 and the load balancing algorithm as Consistent Hash with Source IP Address.
  2. Set Append Port as Never.
  3. Click on Enable SSL and select the SSL profile created for the pool.
  4. Under the Step 2: Servers tab, add the IP Group of the UAG servers created earlier.
  5. Click on Save.

Install the SSL Certificate Required for L7 VIP

The SSL connection is terminated at the Avi virtual service. Therefore, the SSL certificate must be assigned to the virtual service. It is advised to install a certificate signed by a valid certificate authority instead of using a self-signed certificate.

Install the certificate in Avi Vantage, and ensure the CA certificate is imported and linked. For instructions, refer to Import Certificates.

Note: For this set up, a certificate named Horizon_Certificate has been installed.

Disabling Connection Multiplexing

In case of UAG load balancing, disable connection multiplexing for the System-Secure-HTTP-VDI profile.

To disable connection multiplexing,

  1. Navigate to Templates > Profiles > Application > System-Secure-HTTP-VDI.
  2. Click on the edit icon.
  3. Disable the option Connection Multiplexing as shown below.
  4. Click on Save.

Creating L7 Virtual Service

The L7 virtual service requires an SSL profile.

To create the SSL Profile,

  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below.
  4. Click on Save.

After creating the SSL Profile, create the virtual service.

To create the new L7 virtual service,

  1. From the Avi UI, navigate to Applications > Virtual Services.
  2. Click on Create Virtual Service > Advanced Setup.
  3. Use System-Secure-HTTP-VDI as the Application Profile.
  4. Select the SSL Profile that was created for the virtual service. The virtual service is as shown below.
  5. Click on Next.
  6. Click on Next > Save.

Creating L4 Virtual Service

Create another virtual service that shares the same IP address as the L7 VIP. This ensures that only one virtual IP address is needed for both the primary and secondary protocols. The L7 virtual service handles the primary protocol and the tunnel, whereas the L4 virtual service handles the other secondary protocols.

To create an L4 virtual service,

  1. Click on Create Virtual Service > Advanced Setup.
  2. In the New Virtual Service screen, click on Switch to Advanced under VIP Address.
  3. Select the L7 virtual service that was created as the Virtual Service for VIP Sharing.
  4. Under Service Port > Services, click on Switch to Advanced.
  5. Add the port numbers for the secondary protocols as shown below:
    • 443 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile
    • 8443 for Blast
    • 8443 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile
    • 4172 for PCoIP
    • 4172 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile
  6. Select the SSL Profile created for the virtual service.
  7. Click on Next.
  8. Click on Next > Save.

With this, the configuration is complete and ready to use the Avi load balancer for Horizon.

Note: Ensure the following:

  • L4 and L7 pools have the same configuration.
  • The option Disable Port Translation is enabled under Advanced Settings for an L4 pool.

Configuring Single L4 Virtual Service on Avi Vantage

In this design, a single Virtual Service with an L4 profile services all protocols.

Configuring L4 Virtual Service on Avi Vantage

L4 virtual service configuration on Avi Vantage is done in the following steps:

  1. Create custom health monitor for UAG.
  2. Create a Pool
  3. Create an L4 Virtual Service

Creating a Pool

  1. From the Avi UI, navigate to Applications > Pools.
  2. Click on Pool.
  3. Configure the pool as shown below.
  4. Click on +Add Health Monitor and select the Horizon HTTPS Monitor that was created.
  5. Navigate to Step 3: Advanced.
  6. Select Disable Port Translation as shown below.
  7. Click on Next > Save.

Creating L4 Virtual Service

  1. From the Avi UI, navigate to Applications > Virtual Services.
  2. Click on Create Virtual Service > Advanced Setup.
  3. In the New Virtual Service: screen, enter the virtual service name and other details.
  4. Under Service Port, click on Switch to Advanced.
  5. Add the following port numbers for both the primary and secondary protocols:
    • 443 for the primary HTTPS protocol
    • 443 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile
    • 8443 for Blast
    • 8443 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile
    • 4172 for PCoIP
    • 4172 UDP to override TCP/UDP and use System-UDP-Fast-Path-VDI as the profile

    Note: The application profile and the pool (Horizon-L4-pool) are bound to the virtual service.
  6. Click on Next > Next > Save.

With this, the configuration is complete and ready to use the Avi Vantage load balancer for Horizon.

Configuration Automation

If required, use Ansible playbooks or Terraform to automate the configuration for shared VIP and L4 VIP.

Configuring (n+1) VIP in Avi Vantage

Note: This method is the legacy way of configuring Avi Vantage. It is recommended to use Load Balancing for Horizon Environments in (n+1) Mode using 307 Solution instead.

In this design, only the primary HTTPS protocol is load balanced by Avi. Each UAG has to be configured with a public IP, and the Blast External URL and PCoIP External URL on each UAG point to that UAG itself.

Follow the steps below to configure (n+1) VIP in Avi Vantage:

  1. Create a custom health monitor for UAG
  2. Create a Pool
  3. Disable Connection Multiplexing for the System-Secure-HTTP-VDI profile.
  4. Create an L7 Virtual Service

Creating SSL Profile for Pool

Create an SSL Profile for the UAG pool with the configuration given below:

  • Accepted Versions: 1.2
  • Cipher List:
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below.
  4. Click on Save.

Create a Pool

  1. From the Avi UI, navigate to Applications > Pools.
  2. Click on Create Pool.
  3. In the New Pool: screen, enter the details as shown below.

     Note: HTTP-cookie is used for creating persistence. The persistence profile can be modified if required. For more information, read the Persistence Profile article.

  4. To bind the monitor, click on Add Active Monitor and select the HTTPS monitor that was created.

     Note: It is recommended to create an HTTPS type monitor with the required timers. Set the timeout interval to more than six seconds to account for any delay in the connection servers' responses to the health monitor probes when the connection servers are configured with the full logging level (used for debugging).

  5. Click on Next.
  6. Click on Add Server.
  7. Add the IP address of UAG server01.
  8. Click on Add Server.
  9. Add the IP address of UAG server02.

     The New Pool: screen appears as shown below.

  10. Click on Next > Save.

Creating L7 Virtual Service

Create an SSL Profile for the virtual service with the configuration given below:

  • Accepted Versions: TLS 1.1, 1.2
  • Cipher List:
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  1. Navigate to Templates > SSL/TLS Profile > Create.
  2. Select Application Profile.
  3. Enter the details as shown below.
  4. Click on Save.

To create the L7 virtual service,

  1. From the Avi UI, navigate to Applications > Virtual Services.
  2. Click on Create Virtual Service > Advanced Setup.
  3. Configure the virtual service as shown below.
  4. Select the SSL Profile created for the virtual service.
  5. Click on Next.

Note: Ensure that connection multiplexing is disabled for the System-Secure-HTTP-VDI profile. Refer to the Disabling Connection Multiplexing section above for the steps.

Load Balancing Traffic to Connection Servers

Both L4 and L7 virtual services are supported for load balancing traffic to connection servers. However, it is recommended to use L7 virtual services. This guide discusses using an L7 virtual service to load balance traffic to connection servers.

Using an L7 Virtual Service

Create Custom Health Monitor for Connection Servers

  1. From the Avi UI, navigate to Templates > Profiles > Health Monitors.
  2. Click on Create.
  3. In the New Health Monitor screen, select the Type as HTTPS.
  4. Set the Send Interval to 30 seconds and the Receive Timeout to 10 seconds. The New Health Monitor screen is as shown below.
  5. Select the Response Code as 2xx.
  6. Select an appropriate SSL Profile.
  7. Click on Save.

Create an SSL Profile

Create an SSL profile with session reuse disabled. To create a new SSL profile,

  1. In the Avi UI, navigate to Templates > Security > SSL/TLS Profile > Create > Application Profile.
  2. In the New SSL/TLS Profile screen, select the Ciphers and the TLS version.
  3. Enable TLS 1.2 for backward compatibility with older Horizon clients.
  4. Ensure the option Enable SSL Session Reuse is disabled.
  5. Under Ciphers, click Select From List to select the following ciphers:
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  6. Click on Save.

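To check what a profile like this one actually restricts, the following Python snippet is an added example, not part of this article or of Avi Vantage, that builds a client-side TLS context with the same constraints (TLS 1.2 only, the listed suites in the listed order, session tickets off as the client-side counterpart of Enable SSL Session Reuse being disabled), reports the suites it will offer, and can connect to a UAG, connection server or VIP to report what was negotiated. It also covers the UAG pool SSL profile sections earlier in the article, which use the same cipher list, and the virtual service profile with the ECDSA suites. The IANA-to-OpenSSL name mapping is the standard one, and the host name is a placeholder.

```python
import socket
import ssl
from typing import Dict, List, Set, Tuple

# IANA suite names as written in the Avi profile, mapped to the OpenSSL names
# the Python ssl module expects. Standard mapping, not Avi-specific.
IANA_TO_OPENSSL: Dict[str, str] = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

# Cipher list from the article's UAG pool / connection server SSL profiles.
UAG_POOL_CIPHERS: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]


def build_client_context(iana_ciphers: List[str], session_reuse: bool = False) -> ssl.SSLContext:
    """Client-side context mirroring the profile: TLS 1.2 only, the listed
    suites in the listed order, ticket-based session reuse off unless asked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies peer and host name by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # profile accepts 1.2 only
    ctx.set_ciphers(":".join(IANA_TO_OPENSSL[name] for name in iana_ciphers))
    if not session_reuse:
        ctx.options |= ssl.OP_NO_TICKET  # client-side analogue of "Enable SSL Session Reuse" off
    ctx.load_default_certs()
    return ctx


def enabled_suites(ctx: ssl.SSLContext) -> Set[str]:
    """TLS 1.2 suites the context will offer. OpenSSL also lists its fixed
    TLS 1.3 suites; they are excluded here because the profile caps at 1.2."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def suites_outside_profile(ctx: ssl.SSLContext, iana_ciphers: List[str]) -> Set[str]:
    """Anything offered that the profile did not list; should be empty."""
    allowed = {IANA_TO_OPENSSL[name] for name in iana_ciphers}
    return enabled_suites(ctx) - allowed


def version_bounds(ctx: ssl.SSLContext) -> Tuple[str, str]:
    return ctx.minimum_version.name, ctx.maximum_version.name


def negotiated(host: str, port: int = 443, iana_ciphers: List[str] = UAG_POOL_CIPHERS) -> Tuple[str, str]:
    """Connect with the profile's constraints and report (version, suite).
    A handshake failure means the peer offers nothing in the profile, which
    is exactly what a pool member would see as 'down' after SSL is enabled."""
    ctx = build_client_context(iana_ciphers)
    raw = socket.create_connection((host, port), timeout=10)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = build_client_context(UAG_POOL_CIPHERS)
    print(version_bounds(ctx), sorted(enabled_suites(ctx)))
    # print(negotiated("uag01.example.test"))  # placeholder host name
```

Running negotiated() against each UAG before enabling SSL on the pool confirms the backend actually supports one of the four suites; running it against the VIP after the virtual service is up confirms clients are held to the intended version and suites.
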
Creating a Pool

If connection servers are configured in the replication mode then persistence on the connection server is not required. In the non-replication mode, use Consistent Hash - Source IP address as the load balancing algorithm.

Enable SSL to backend and select the appropriate SSL profile (Connection-Server-SSL-Profile used here). To create a pool, from the Avi UI,

  1. Navigate to Applications > Pools.
  2. Click on Create Pool.
  3. Enter the details as shown below.
  4. Click on Next.
  5. Enter the Server IP Address and click on Add Server.
  6. Click Next and enter the details as required under the Advanced tab.
  7. Click Next and click Save.

Creating an Application Profile

Use an HTTPS application profile with Connection Multiplex and X-Forwarded-For disabled.

Creating an L7 Virtual Service

To create the L7 virtual service,

  1. Navigate to Applications > Virtual Services.
  2. Click on Create Virtual Service > Advanced Setup.
  3. Enable SSL and choose the SSL profile that was created for the virtual service.
  4. Select the Connection Server Pool. The virtual service is as shown below.
  5. Click on Next and navigate to Step 4: Advanced.
  6. Click on Save.

The following are the changes in the UAG server when the load balancer is present between the UAG and connection server:

  • The connection server URL should point to the Avi load balancer.

  • The connection server URL thumbprint:

    • For an L7 virtual service: The connection server URL thumbprint is taken from the certificate that is bound to the Avi load balancer.

    • For an L4 virtual service: The connection server URL thumbprint is taken from the certificate that is present in the connection server itself.

    • For an L4 virtual service with SSL (System-SSL-Application) the connection server URL thumbprint is taken from the certificate that is bound to the Avi load balancer.
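
To obtain the thumbprint UAG needs for the connection server URL, the following Python helper is an added example, not part of this article or of UAG, that computes it from a PEM certificate or directly from the certificate presented by an endpoint, in the colon-separated sha1=aa:bb:... form UAG accepts (that format is an assumption of the example; sha256 is produced the same way). Because it reads the certificate the endpoint actually serves, it returns the Avi-bound certificate for an L7 VIP and the connection server's own certificate for a plain L4 VIP, matching the three cases above. The host name is a placeholder and the embedded DER bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import ssl
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate block to DER. The thumbprint is always taken
    over the DER bytes, never over the PEM text."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("expected a single PEM certificate block")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()), validate=True)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return PEM_HEADER + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + PEM_FOOTER + "\n"


def format_thumbprint(digest: bytes, algo: str) -> str:
    """'<algo>=aa:bb:cc:...' with lowercase hex (assumed UAG thumbprint syntax)."""
    return algo.lower() + "=" + ":".join(f"{b:02x}" for b in digest)


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    return format_thumbprint(hashlib.new(algo, der).digest(), algo)


def thumbprint_from_pem(pem: str, algo: str = "sha1") -> str:
    return thumbprint(pem_to_der(pem), algo)


def thumbprint_from_endpoint(host: str, port: int = 443, algo: str = "sha1") -> str:
    """Fetch the leaf certificate actually presented at host:port and return
    its thumbprint. For an L7 VIP (or an L4 VIP with SSL) that is the
    certificate bound to Avi; a plain L4 VIP passes the TLS stream through,
    so the connection server's own certificate comes back."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)), algo)


def thumbprint_matches(configured: str, observed: str) -> bool:
    """Compare a configured UAG thumbprint with an observed one, ignoring
    case, spaces and separator style, so a copy-paste difference does not
    read as a certificate change."""
    def norm(value: str):
        algo, _, hexpart = value.partition("=")
        return algo.strip().lower(), hexpart.replace(":", "").replace(" ", "").lower()
    return norm(configured) == norm(observed)


# Constructed bytes, not a real certificate: only exercises the PEM/DER plumbing.
CONSTRUCTED_DER = bytes(range(40))

if __name__ == "__main__":
    print(thumbprint_from_pem(der_to_pem(CONSTRUCTED_DER)))
    # print(thumbprint_from_endpoint("horizon-vip.example.test"))  # placeholder host name
```

A practical use is a scheduled check that compares thumbprint_from_endpoint() for the VIP against the value configured on each UAG, so that a certificate renewal on Avi is caught before UAG starts rejecting the connection server URL.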

Note: In case of connection servers, connection multiplexing has to be disabled for the System-Secure-HTTP-VDI profile. Refer to the Disabling Connection Multiplexing section above for the steps.

Enabling WAF For UAG Traffic

Avi Vantage supports WAF for HTTP/HTTPS traffic for Horizon deployments. WAF rules are supported for L7 virtual service for primary protocol (XML/API) traffic.

Notes:

  • It is recommended to use System-WAF-Policy-VDI
  • It is recommended to use the default CRS rules. The other rules for response inspection are not required and these signatures or rules should not be enabled in CRS rules.
  • It is mandatory to add the WAF policy with an allowlist for URIs containing /ice/tunnel/ and /ice/reconnect so that the WAF feature works seamlessly with the Horizon application. Similarly, allow any other /ice/-related URIs. Allowing all URIs beginning with /ice is a best practice.
  • Add the following pre-CRS rule:

    SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"

  • Response-based rules should not be enabled.
  • The missing user-agent rule should be disabled.
  • It is recommended to disable the command injection rule (932105).

Starting with Avi Vantage 21.1.3 version, the inbuilt WAF policy is supported for VDI, i.e., System-WAF-Policy-VDI. This includes all the required rule customisations. It is recommended to use System-WAF-Policy-VDI.

Recommendations:

For pre-21.1.3 versions, the following points need to be considered while creating a WAF policy for VDI traffic:

  • It is recommended to use the default CRS rules. The other rules for response inspection are not required, and these signatures or rules should not be enabled in the CRS rules.
  • It is mandatory to add the WAF policy with an allowlist for URIs containing /ice/tunnel/ and /ice/reconnect so that the WAF feature works seamlessly with the Horizon application. Similarly, allow any other /ice/-related URIs. Allowing all URIs beginning with /ice is a best practice.
  • Add the following pre-CRS rule:
    SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"
  • Response-based rules should not be enabled.
  • The missing user-agent rule should be disabled.
  • It is recommended to disable the command injection rule (932105).

Create an L7 virtual service (or use the existing virtual service) and follow the steps mentioned below:

  1. Creating a WAF profile
    Navigate to Template > WAF > WAF Profile. Click on Create to create a new profile. Provide the desired name and leave the remaining fields as default.

  2. Creating a WAF policy
    Navigate to Template > WAF > WAF Policy. Select the WAF profile created in the previous step. The default profile can be used too.

  3. Adding an allowlist rule
    This allowlist makes sure WAF does not block requests whose URI contains /ice/tunnel. This is a mandatory step. Select the Allowlist tab and click on Add Rule.

    Provide the following attributes:

    • Criteria: Contains
    • String Value: /ice/tunnel/
    • Action: ALLOW

    To allow all URIs beginning with /ice, create a similar rule for the /ice prefix.

    Similarly, you can create another allowlist rule for /ice/reconnect.

    To add the pre-CRS rule, click Save and then click on Signatures > Add PRE-CRS Rules.

  4. Associating with the required virtual service
    Once the WAF profile is ready, navigate to Application > Virtual Service. Select the required L7 virtual service and associate the WAF policy created in the previous step.

Load Balancing App Volume Manager

Load balancing for app volume manager is achieved by configuring an L7 virtual service with HTTPS application profile.

To configure an L7 virtual service with HTTPS application profile,

  1. Create a custom Health Monitor for App Volume Manager.

  2. Install the SSL certificate.

  3. Create a new SSL profile (Optional), if required. However, the default SSL profile can be used if the default configurations do not have to be modified.

    Note: For the purpose of this document, the default SSL profile is used.

  4. Create pools.

  5. Create an application profile.

  6. Create an L7 virtual service.

Creating a Custom Health Monitor for App Volume Manager

To create a custom health monitor,

  1. From the Avi UI, navigate to Templates > Profiles > Health Monitors.

  2. Click on Create.

  3. Select the vCenter cloud that was created for Horizon components.

  4. Enter the following details in the New Health Monitor screen:
     Field                Value
     Send Interval        30
     Receive Timeout      10
     Client Request Data  GET /health_check HTTP/1.0
     Response Code        2xx

     The New Health Monitor screen is as shown below.

  5. Click on Save.

Install the SSL certificate Required for L7 VIP

The SSL connection is being terminated at Avi virtual service. Therefore, the SSL certificate must be assigned to the virtual service. It is recommended to install a certificate which is signed by a valid certificate authority instead of using self-signed certificates.

Install the certificate in Avi Vantage and ensure the CA certificate is imported and linked. For instructions, refer to Import Certificates.

Note: For this set up, a certificate named Horizon_Certificate has been installed. You can install a different certificate for the app volume manager.

Creating the App Volume Manager Pool

To create the pool,

  1. From the Avi UI, navigate to Applications > Pools.

  2. Select the vCenter cloud from the Select Cloud sub-screen.

  3. Click on Next.

  4. Click on Create Pool.

  5. In the New Pool: screen, update the details as shown below:
     Field               Value
     Default Server Port 443
     Persistence         System-Persistence-Client-IP
     Load Balance        Least Connections
     Analytics Profile   System-Analytics-Profile
  6. To bind the monitor, click on Add Active Monitor and select the HTTPS Health Monitor that was created.

  7. Under SSL to Backend Servers, select Enable SSL.

  8. Select System-Standard as the SSL Profile.
    The New Pool screen appears as shown below.

  9. Click on Next.

  10. Enter the Server IP Address and click on Add Server.

  11. Click on Next and Save.

Creating Application Profile

  1. From the Avi UI, navigate to Templates > Profiles.

  2. Click on Create.

  3. Enter the Name of the profile.

  4. Select the Type as HTTP.

  5. Ensure Connection Multiplex is disabled.

    The New Application Profile screen is as shown below.

  6. Click on Save.

Creating L7 Virtual Service

To create the new L7 virtual service,

  1. From the Avi UI, navigate to Applications > Virtual Services.

  2. Click on Create Virtual Service > Advanced Setup.

  3. In the New Virtual Service screen, enter the virtual service Name.

  4. Under VIP Address, enter the IPv4 VIP Address.

  5. Select the Application Profile that was created.

  6. Under Service Port, click on Add Port, enter 443 as the Port and select SSL.

  7. Under Pool, select the pool that was created for app volumes.

  8. Under SSL Settings, select System-Standard as the SSL Profile and select the SSL Certificate.

    The New Virtual Service is as shown below.

  9. Click on Next.

  10. Navigate to Step 4: Advanced and click on Save.

Suggested Reading

Document Revision History

Date Change Summary
December 20, 2021 Updated 'Enabling WAF For UAG Traffic' section with notes stating VDI is supported for 21.1.3