Table of Contents
Lab Overview - HOL-1859-01-ADV - F5 Integration with VMware Horizon 7 Enterprise
  Lab Guidance
Module 1 - F5 LTM with Horizon Connection Servers (45 min)
  Introduction
  F5 LTM with Horizon Connection Servers
  Conclusion
Module 2 - F5 LTM with Horizon Unified Access Gateways (45 min)
  Introduction
  F5 LTM with Horizon Unified Access Gateways
  Conclusion
Module 3 - F5 APM with Horizon Alternative Gateway (45 min)
  Introduction
  F5 APM with Horizon Alternative Gateway
  Conclusion
Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 min)
  Introduction
  F5 DNS with Horizon for Multi-Site Deployments
  Conclusion
Module 5 - F5 APM with VMware UEM Smart Policy Integration (30 min)
  Introduction
  F5 APM with VMware UEM Smart Policy Integration
  Conclusion
Module 6 - F5 LTM with AppVolumes (45 min)
  Introduction
  F5 LTM with AppVolumes
  Conclusion
Module 7 - F5 LTM with VMware Identity Manager Integration (45 min)
  Introduction
  F5 LTM with VMware Identity Manager Integration
  Conclusion
HOL-1859-01-ADV Page 1
HOL-1859-01-ADV
Lab Overview - HOL-1859-01-ADV - F5 Integration with VMware Horizon 7 Enterprise
Lab Guidance
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.
This Hands on Lab will explore the use case and advantages for load balancing VMware
EUC Products with F5 BIG-IP Software. You will integrate the BIG-IP with VMware Horizon
7, VMware App Volumes, and VMware Identity Manager.
Lab Captains:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your
work must be done during the lab session, but you can click EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.
When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.
Please check that your lab has finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.
Introduction
In this module, we'll configure the BIG-IP to load balance authentication and
authorization connections across a pool of Horizon Connection Servers.
• Configure the iApp for View to support load balancing Horizon Clients across a
pool of Horizon Connection Servers
• Test and validate the Horizon Client connections
• Test the failure of one server in the pool
The BIG-IP provides intelligent monitoring and traffic management across a pool of
Connection Servers using the LTM module. In this scenario, the HTTPS connection
between the client and the Connection Servers passes through the BIG-IP. Once the
connection is launched, the BIG-IP is no longer in the path of client-to-virtual desktop
traffic.
Traffic Flow
The diagram outlines a typical configuration and traffic flow of an internal Horizon Client
connection when using the BIG-IP Local Traffic Management (LTM) Module:
Here is some other important information (carried out in the steps to follow) about using
load balancers for Connection Servers servicing internal Horizon clients. The Connection
Servers are primarily used for authentication, resource enumeration and connection
brokering only. By default, the "Use Secure Tunnel Connection to Machine" and the "Use
Blast Secure Gateway for HTML access to machine" options are checked. This will route
portions of the HTTPS and all HTML traffic through the Connection Servers, while the PCoIP
stream will go directly from the Horizon client to the server.
Although this will function, the Connection Servers will have to do additional work to
"proxy" this traffic - even with a load balancer.
For Connection Servers that will authenticate internal users and enumerate applications,
it is recommended these Secure Gateway boxes are unchecked.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.
Next, we will configure load balancing of Connection Servers for internal users using the
Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.
Note: You will see other applications in this list for future modules; they can safely be
ignored.
1. Type in the name MOD1-Internal, then select the View iApp Template from the list
(as shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".
3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access
Policy Manager".
NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the amount
of time needed to take the lab.
Configuring SSL
1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.
3. Next, scroll down to "What FQDN will clients use to access the View
environment?" Type in "hzn-internal.corp.local" (without quotes) as the FQDN that
will be used to access the BIG-IP by the Horizon Clients.
4. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.47 (this is the IP of the first Connection Server), Click the
"Add" button and type in 192.168.110.48 (this is the IP of the second Connection
Server).
5. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on the same
subnet".
NOTE: If the port in the "Which servers should be included in this pool?" section says 80
instead of 443, go back to the previous section, "SSL Encryption", and change from SSL
Offload to SSL bridging.
Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to
Horizon to ensure key components are functioning as expected.
1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create an advanced health monitor".
2. Type in "lab1user" (without quotes) next to "What user name should the monitor
use?".
Scroll down 3 lines until you see the section of the iApp with "Published Resources" as
shown in the picture.
1. Under the section "What published application(s) or pool(s) should the BIG-IP
system expect in the monitor response?" type in "Windows 10 Pool" (without
quotes).
2. Click the "Add" button.
3. Repeat steps 1 and 2, typing "Calculator" (without quotes) in the 2nd box and
then "Paint" (without quotes) in the 3rd box.
4. Under the section "Do all published applications or desktop pools listed need to
be available", choose "Only one of the application or desktop pools listed need to
be returned".
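The monitor decision configured above, as an added example (not part of the lab manual and not F5's code): a small Python model of how the "only one" versus "all" answer changes which pool members stay eligible. The probe records and the plain substring matching are constructed assumptions; the member addresses, monitor user and resource names are the lab's.

```python
"""Model of the advanced health-monitor decision from the iApp questions.

Added illustration: it does not talk to a BIG-IP or to Horizon. Each probe is
a constructed record of what a monitor login as lab1user might get back.
"""
from dataclasses import dataclass

# Names typed into "What published application(s) or pool(s) should the
# BIG-IP system expect in the monitor response?"
EXPECTED = ("Windows 10 Pool", "Calculator", "Paint")


@dataclass(frozen=True)
class Probe:
    member: str       # pool member (Connection Server) address
    logged_in: bool   # did the monitor's login as the monitor user succeed?
    body: str         # text of the resource listing returned (constructed)


def missing_resources(probe, expected=EXPECTED):
    """Expected names absent from the response (assumed substring match)."""
    return [name for name in expected if name not in probe.body]


def member_is_up(probe, require_all, expected=EXPECTED):
    """Apply the 'all listed' or 'only one listed' rule to one probe."""
    if not probe.logged_in:
        return False  # authentication path broken: nothing to inspect
    missing = missing_resources(probe, expected)
    if require_all:
        return not missing
    return len(missing) < len(expected)


def eligible_members(probes, require_all):
    """Members the load balancer would keep sending new logins to."""
    return [p.member for p in probes if member_is_up(p, require_all)]


def degraded_but_up(probes):
    """Members that pass the 'only one' rule while missing some resources.

    These are worth alerting on: users landing there can log in but will
    not see everything they are entitled to.
    """
    report = {}
    for p in probes:
        missing = missing_resources(p)
        if member_is_up(p, require_all=False) and missing:
            report[p.member] = missing
    return report


# Constructed sample: .47 healthy, .48 answers logins but lists one resource.
SAMPLE = [
    Probe("192.168.110.47", True, "Windows 10 Pool\nCalculator\nPaint"),
    Probe("192.168.110.48", True, "Calculator"),
]
# Constructed sample: .48 rejects the monitor login (e.g. broker service down).
SAMPLE_FAILED = [
    SAMPLE[0],
    Probe("192.168.110.48", False, ""),
]

if __name__ == "__main__":
    print("only one required:", eligible_members(SAMPLE, require_all=False))
    print("all required:     ", eligible_members(SAMPLE, require_all=True))
    print("degraded but up:  ", degraded_but_up(SAMPLE))
    print("login failure:    ", eligible_members(SAMPLE_FAILED, require_all=False))
```

With the lab's "only one" choice, a member that lists a single expected resource still receives logins, so the degraded case needs its own alerting rather than relying on the pool status alone.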
iRules
1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.
3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.
NOTE: The iRule implemented in this section deals with a specific issue in which Horizon
HTML5 and Admin windows show a white box effect or are unable to load. This is because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that check fails under load balanced scenarios.
For more information about the Horizon Origin iRule, visit:
https://support.f5.com/csp/article/K84958121
Before starting, minimize the Chrome browser window until you see the Control Center
desktop.
1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN
"hzn-internal.corp.local".
3. Log in as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.
1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.
If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.
From there you can choose "VMware Horizon HTML Access" and log in to the web portal
interface.
If prompted, accept the certificate - once this is done, you will be able to launch a
desktop!
Conclusion
This concludes Module 1 - F5 LTM with Horizon Connection Servers. You
should have a good understanding of how to deploy the F5 iApp solution with
Horizon Connection Servers for Load Balancing and High Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
In this module, we'll configure the BIG-IP to load balance authentication, authorization
and proxied VDI connections across a pool of Horizon Unified Access Gateway Servers.
• Configure the iApp for View to support load balancing Horizon Clients across a
pool of Horizon Unified Access Gateway Servers
• Test and validate the Horizon Client connections
Some of the primary functions of the Horizon Unified Access Gateway Servers are to
provide authentication and desktop/application enumeration for clients accessing from a
trusted/secure network, as well as providing a full proxy from external clients to internal
resources. This configuration is typically used for clients making proxied connections to
virtual desktops and applications from an external network. All communications from
the client to the virtual desktop are proxied via the PCoIP or Blast protocols. The Unified
Access Gateway Servers are used for authentication, application/desktop enumeration/
assignment and proxying connections from .
The BIG-IP provides intelligent monitoring and traffic management across a pool of
Unified Access Gateway Servers using the LTM module. In this scenario, the HTTPS
connection between the client and the Connection Servers passes through the BIG-IP to the
Unified Access Gateway servers. Once the connection is launched, a new connection
based on the Horizon protocol (Blast Extreme or PCoIP) is then passed through the
BIG-IP to the Unified Access Gateway Servers to access virtual desktop traffic.
Traffic Flow
The diagram outlines a typical configuration and traffic flow of an External Horizon
Client connection when using the BIG-IP Local Traffic Management (LTM) Module with
VMware Unified Access Gateway (UAG):
In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features
for each Connection Server are enabled on the Unified Access Gateway appliances
themselves and not within the Connection Servers. This is different from how you would
configure those options for a Security Server.
See this brief summary before carrying out the tasks in the steps below.
• If you plan to use a secure tunnel connection for client devices, disable the
secure tunnel for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called
Use secure tunnel connection to machine. By default, the secure tunnel is
enabled on the Unified Access Gateway appliance.
• Disable the PCoIP secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use PCoIP Secure Gateway for PCoIP connections to
machine. By default, the PCoIP secure gateway is enabled on the Unified Access
Gateway appliance.
• Disable the Blast secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use Blast Secure Gateway for HTML Access to
machine. By default, the Blast secure gateway is enabled on the Unified Access
Gateway appliance.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.
Next, we will configure load balancing of the Unified Access Gateways for external users
using the Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.
Note: You will see other applications in this list for future modules; they can safely be
ignored.
1. Type in the name MOD2-External, then select the View iApp Template from the list
(as shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".
3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access
Policy Manager".
NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the amount
of time needed to take the lab.
Configuring SSL
1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.
1. Scroll down to the "PC Over IP" section of the iApp. Next to "Should PCoIP
connections go through the BIG-IP System", choose "Yes, PCoIP connections
should go through the BIG-IP System".
2. Next to "Will PCoIP connections be proxied by the View Unified Access Gateways",
choose "Yes, PCoIP connections are proxied by View Unified Access Gateways".
3. Select "Yes, Support HTML5 View clientless browser connections" next to the
question, "Will VMware View HTML5 Client Connections go through the BIG-IP
system".
1. Next, scroll down to the Virtual Servers/Pools section, to "What virtual server IP
address do you want to use for remote, untrusted clients". In this box, type in
192.168.230.140.
2. Type in "hzn-external.corp.local" (without quotes) as the FQDN that will be used to
access the BIG-IP by the Horizon Clients.
3. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.85 (this is the IP of the 1st Unified Access Gateway), then
click Add. In the second box, type in 192.168.110.86 (this is the IP of the 2nd
Unified Access Gateway).
4. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on different
subnets".
5. Next to "How have you configured routing on your View servers", choose "View
servers do not have a route to clients through the BIG-IP".
Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to
Horizon to ensure key components are functioning as expected.
1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create a simple health monitor".
iRules
1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.
3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.
NOTE: The iRule implemented in this section deals with a specific issue in which Horizon
HTML5 and Admin windows show a white box effect or are unable to load. This is because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that check fails under load balanced scenarios.
Before starting, minimize the Chrome browser window until you see the Control Center
desktop.
1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN
"hzn-external.corp.local".
3. Log in as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.
1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.
If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.
From there you can choose "VMware Horizon HTML Access" and log in to the web portal
interface.
If prompted, accept the certificate - once this is done, you will be able to launch a
desktop!
Conclusion
This concludes Module 2 - F5 LTM with Unified Access Gateway Servers. You
should have a good understanding of how to deploy the F5 iApp solution with
Horizon Unified Access Gateway Servers for Load Balancing and High
Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
In this module you will learn how to configure the F5 as a PCoIP Proxy/Security Server
alternative.
VMware’s Horizon Unified Access Gateway (UAG) Server provides secure access to
sessions over an unsecured WAN and/or Internet connection. Typically, the UAG Server
is placed within an organization’s DMZ. F5 BIG-IP Access Policy Manager (APM) makes it
possible to take advantage of PCoIP and Blast Extreme technology while simplifying
your VMware Horizon with View architecture, improving security, and increasing
scalability.
F5 BIG-IP Access Policy Manager is the industry’s first Application Delivery Networking
solution that brings full PCoIP and Blast Extreme proxy capabilities to the market. This
permits IT administrators to replace the VMware Unified Access Gateway Server with a
more secure and highly scalable solution in support of their end-user computing
deployments. BIG-IP APM is an ICSA Labs–certified flexible, high-performance access
and security solution that provides unified global access to your applications and
network. BIG-IP APM converges and consolidates remote access, LAN access, and
wireless connections within a single management interface and provides easy-to-
manage access policies. These capabilities help you free up valuable IT resources and
scale cost-effectively.
Because BIG-IP APM removes the need for having multiple gateway servers in the DMZ,
the overall architecture can not only be simplified, but a higher level of scalability can
be achieved. In addition to BIG-IP APM, F5 BIG-IP Local Traffic Manager (LTM) can provide
intelligent traffic management and load balancing to the Connection Servers. The
reduction in the overall number of components that need to be managed results in
increased productivity for IT administrators, which is especially critical for multi-site or
multi-pod VMware Horizon deployments.
Traffic Flow
The diagram outlines the traffic flow of an external Horizon Client connection when
using the BIG-IP Access Policy Manager (APM) Module as a Security Server alternative:
5. Once the user is validated, APM sends a request to the load balanced pool of
Connection Servers to get a list of authorized applications and desktops using
HTTPS or HTTP.
6. The user is then presented with the list of available and authorized desktops and
applications.
7. The user selects the application or desktop to launch.
8. The request is then sent from the client and proxied to the View Connection Server
via HTTPS – the client receives desktop and/or application source machine info
(including the public/client facing IP address if using NAT).
9. The client establishes a connection for the virtual desktop or RDS application server
to the APM via PCoIP, Blast Extreme, or HTML5 (using HTML Access) using HTTPS.
The APM proxies this connection back to the virtual desktop or RDS application
server.
In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features
for each Connection Server are enabled on the Unified Access Gateway appliances
themselves and not within the Connection Servers. This is different from how you would
configure those options for a Security Server.
See this brief summary before carrying out the tasks in the steps below.
• If you plan to use a secure tunnel connection for client devices, disable the
secure tunnel for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called
Use secure tunnel connection to machine. By default, the secure tunnel is
enabled on the Unified Access Gateway appliance.
• Disable the PCoIP secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use PCoIP Secure Gateway for PCoIP connections to
machine. By default, the PCoIP secure gateway is enabled on the Unified Access
Gateway appliance.
• Disable the Blast secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use Blast Secure Gateway for HTML Access to
machine. By default, the Blast secure gateway is enabled on the Unified Access
Gateway appliance.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.
Next, we will configure load balancing of the Unified Access Gateways for external users
using the Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.
Note: You will see other applications in this list for future modules; they can safely be
ignored.
1. Type in the name MOD3-APM, then select the View iApp Template from the list (as
shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".
NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the amount
of time needed to take the lab.
1. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "Yes, Deploy BIG-IP Access Policy
Manager".
2. To allow HTML access to desktops, next to the "Do you want to support browser
based connections including the HTML5 client?" question choose "Yes, support
HTML 5 View clientless browser connections".
3. To not allow USB redirection, next to the "Do you want to support USB
redirection?" question choose "No, do not support USB redirection".
1. Scroll Down to "Should the BIG-IP APM support smart card authentication for
Horizon View" - choose "No, do not support smart card authentication".
2. Next, select "No, do not support SecurID or RADIUS two-factor authentication" for
the question "Should the BIG-IP system support SecurID or RADIUS with AD two-
factor authentication".
3. Next, select "No, do not add a message during logon" for the "Should the BIG-IP
system show a message to View users during logon?".
4. Leave the box BLANK when asked "If external clients use a network translated
address to access View, what is the public-facing IP address". Normally, if the BIG-
IP virtual server is NAT'd behind a firewall - you would enter the public, Internet-
facing address here (similar to the external PCoIP URL with Security Server).
5. Next, select "No, my View Environment uses a single Active Directory Domain"
next to the question "Do you want the BIG-IP system to support multiple
domains".
6. Enter "CORP" in the box next to "What is the NetBIOS domain name for your
environment?"
Next, let's create the Active Directory objects that will perform the user authentication.
1. Scroll down to "Create a new AAA Server object or select an existing one" -
choose "Create a new AAA Server Object"
2. Next, enter "controlcenter.corp.local" (without quotes) and 192.168.110.10 when
asked "Which Active Directory servers (IP and host name) are used for user
credential authentication".
3. Type "corp.local" (without quotes) when asked for the Active Directory domain
name.
4. Select "Yes, credentials are required for binding" when asked "Does your Active
Directory domain require credentials".
5. Enter "administrator" (without quotes) for the user name.
Configuring SSL
1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.
1. Next, scroll down to the Virtual Servers/Pools section, "What virtual server IP
address do you want to use for remote, untrusted clients". In this box, type in
192.168.230.145.
2. Type in "hzn-apm.corp.local" (without quotes) as the FQDN that will be used to
access the BIG-IP by the Horizon Clients.
1. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.47 (this is the IP of the First Connection Server), then click
Add. In the second box, type in 192.168.110.48 (this is the IP of the Second
Connection Server).
2. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on different
subnets".
3. Select "View servers do not have a route to clients through the BIG-IP" when
asked "How have you configured routing on your View servers?"
NOTE: If the port in the "Which servers should be included in this pool?" section says 80
instead of 443 then go to previous section "SSL Encryption" and change from SSL
Offload to SSL bridging.
Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to
Horizon to ensure key components are functioning as expected.
1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create an advanced health monitor".
2. Type in "lab1user" (without quotes) next to "What user name should the monitor
use?".
3. Type in "VMware1!" (without quotes) next to "What is the password associated
with that account?".
4. Scroll down to "What is the NetBIOS domain name for your environment?" and
type in "CORP" (without quotes)
Scroll down 3 lines until you see the section of the iApp with "Published Resources" as
shown in the picture.
1. Under the section "What published application(s) or pool(s) should the BIG-IP
system expect in the monitor response?" type in Calculator.
2. Click the "Add" button.
3. Repeat steps 1 and 2, typing Paint in the 2nd box.
4. Under the section "Do all published applications or desktop pools listed need to
be available", choose "Only one of the application or desktop pools listed need to
be returned".
iRules
1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.
3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.
NOTE: The iRule implemented in this section deals with a specific issue in which Horizon
HTML5 and Admin windows show a white box effect or are unable to load. This happens because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that process fails under load balanced scenarios.
Before starting, minimize the Chrome browser window until you see the Control Center
desktop.
1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN "hzn-apm.corp.local".
3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.
1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, Choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.
Next, we will test the launch of the Horizon Client using the F5 Webtop Portal.
1. You will see the desktop launch - feel free to navigate around and use the
Windows 10 Desktop.
2. Once completed, click on the "X" in the upper right corner of the screen.
3. When asked to disconnect, Choose "OK".
Conclusion
This concludes Module 3 - F5 APM with Horizon Alternative Gateway. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Alternative Gateway Servers for Load Balancing, Proxying
Connections and High Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
Intelligent Global Server Load Balancing with BIG-IP DNS
By deploying BIG-IP DNS (formerly known as BIG-IP GTM), a single namespace (for
example, https://desktop.example.com) can be provided to all end users. BIG-IP DNS,
BIG-IP Access Policy Manager (APM) and BIG-IP Local Traffic Manager (LTM) work
together to ensure that requests are sent to a user's preferred data center securely,
regardless of the user's current location. This type of implementation is common when
there are multiple Horizon instances distributed throughout two or more physical/logical
data centers.
Since the BIG-IP DNS/Global Traffic Management lab is pre-configured to use Connection
Servers that are internal to the network for this lab, we need to ensure that all Secure
Proxy functions are disabled. We'll walk through checking (and disabling, if necessary)
these Secure Proxy settings.
To open the View Administrator Web Console from the Control Center desktop:
1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.
We'll now open a second tab to the other BIG-IP (BIGIP-02) so we can configure the
device for Global Server Load Balancing via F5-DNS.
1. Click on the Tab as shown in the picture to open another tabbed browsing
session.
2. When the browser is launched, click on the F5-BIG-IP-02 Favorite in the toolbar.
Make sure the IP address you are redirected to is https://f5-big-ip-02.corp.local
In this step, we will configure the BIG-IPs to talk with one another and exchange DNS
and BIG-IP pool information. The Horizon Desktop pools in each site have already been
created for you; normally, you would need to create and/or ensure each View pod is
configured for load balancing on the BIG-IP using Local Traffic Manager (LTM).
We'll use PuTTY to establish the communications between the two BIG-IPs that will be
used for global traffic management.
1. From the Control Center PC, look for the Putty icon at the bottom of the screen.
Click to launch Putty.
2. In the "Load, save or delete a stored session" box, scroll down and select
"F5-BIG-IP-01.CORP.LOCAL"
3. Click the Load button
1. From the existing Putty window, click on the icon in the upper left corner.
2. Click on New Session.
3. In the "Load, save or delete a stored session" box, scroll down and select
"F5-BIG-IP-02.CORP.LOCAL"
4. Click the Load button
5. Click the Open button
6. Login using root as the username and press enter, use VMware1! as the
password and then press enter again.
7. You will see the following prompt once logged in successfully.
Back in the Chrome browser, we'll now set up some of the additional settings required
for global server load balancing.
First, we'll configure objects on the BIG-IP that will represent the 2 Horizon sites.
1. Maximize the browser window that was minimized from the previous exercise.
Select the F5-BIG-IP-01 tab in the browser session.
2. Click on DNS --> GSLB --> Data Centers.
3. Click Create.
4. Type in Site-A for the name.
5. Click the Repeat button.
6. Repeat step 4, typing in Site-B for the name.
7. Click the Finished button.
8. You should see the 2 data center/sites created.
Next, we will create the server objects. These are actually the BIG-IPs themselves and
will be used to autodiscover virtual servers hosted on Local Traffic Manager. In this case,
we'll let GTM autodiscover the virtual servers used for Horizon.
Next, we will create a pool of resources that will be used by GTM to route users to an
available Horizon instance.
**Note: You may have to scroll right to see the down arrow due to screen size
limitations.
In this next step, we'll configure the Wide IP. The Wide IP is used to help make the
appropriate load balancing/routing decision to a pool of virtual servers that are
contained within or across data centers. The Wide IP will be used as the FQDN that
returns the IP address of the site the user is directed to.
We'll now establish the trust and perform the initial sync on BIGIP-02 to sync the GTM
configuration to the other simulated data center. This configuration allows GTM to
fail over to an alternate site in the event of a primary site failure.
1. Maximize the F5-BIG-IP-02 Putty session that was minimized earlier in the
lab. MAKE SURE YOU ARE ON F5-BIG-IP-02; if you run the command in step #2
on F5-BIG-IP-01, the configuration will be deleted.
2. Type in gtm_add 192.168.100.90 and press Enter.
3. When prompted, type y and press Enter.
4. You will see the following message once the sync is completed.
5. Minimize the Putty window.
6. Navigate to the F5-BIG-IP-02 tab in the browser window; click on DNS --> GSLB
--> Wide IP
7. You should see the configuration for GTM from F5-BIG-IP-01; this verifies the
sync is complete.
Configure DNS
We'll now create the CNAME record that will redirect the DNS request to the BIG-IP for
resolution.
4. Click OK
5. Exit the DNS Management by clicking the "X" in the upper right corner of the
window.
Now, we are ready to test! First, let's ping the FQDN to make sure we are resolving DNS
properly.
To simulate the GTM working properly, we will disable the GTM in Site A first and make a
connection to Horizon. We'll then enable the GTM in Site-A and disable the GTM in Site-B
to show GTM working properly.
1. Launch the VMware Horizon Client from the desktop. Click on the "New Server"
icon in the upper left corner of the client.
2. Enter hzn-dns.corp.local as the name of the connection server
3. Click the Connect button.
4. Login as lab1user with the password of VMware1! and then click the Login
button.
5. Launch the Windows 10 Pool.
6. Once the desktop launches, verify you are in the "B" data center by checking the
VM's name in the lower right corner of the screen - the computer name will be
"W10-02A".
7. Click the "X" at the top of the screen to disconnect; click OK if prompted to
disconnect from the desktop. Close out the Horizon View client by clicking the
"X" in the upper left corner of the screen.
1. Launch the VMware Horizon Client from the desktop, then Double click on the
"hzn-dns.corp.local" icon.
2. Login as lab1user with the password of VMware1! and then click the Login
button.
3. Launch the Windows 10 Pool.
4. Once the desktop launches, verify you are in the "A" data center by checking the
VM's name in the lower right corner of the screen - the computer name will be
"W10-01A".
5. Click the "X" at the top of the screen to disconnect; click OK if prompted to
disconnect from the desktop. Close out the Horizon View client by clicking the
"X" in the upper left corner of the screen.
Conclusion
This concludes Module 4 - F5 DNS with Horizon for Multi-Site Deployments.
You should have a good understanding of how to configure and deploy the F5
DNS solution with existing Horizon Environments for Global Server Load
Balancing and High Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
In this module you will learn how to configure F5 APM with VMware UEM Smart Policies.
VMware User Environment Manager (UEM) provides personalization and dynamic policy
configurations across any Windows-based desktop environment (Virtual, Physical and
Cloud), and is a key component of VMware's Horizon Just-In-Time Management Platform
(JMP), the next generation of desktop and application delivery. Utilizing Active Directory
Group Policies and the Horizon Cloud Manager, this solution is engineered to deliver
workplace productivity while driving down the cost of day-to-day desktop support and
operations.
VMware UEM with Smart Policies allows the IT Admin to create policies that can control
the behavior of USB redirection, virtual printing, clipboard redirection, client drive
redirection, HTML access file transfer and bandwidth profiles for Horizon protocols such
as PCoIP and Blast Extreme for specific remote desktops.
With VMware UEM and Smart Policies, the IT Admin can create policies that take effect
only if certain conditions are met. For example, you can configure a policy that
disables the client drive redirection feature if a user connects to a remote desktop from
outside your corporate network.
Before starting, minimize the Chrome browser window until you see the Control Center
desktop.
1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Click on the "+ New Server" Button
3. Enter the FQDN "hzn-smart-apm.corp.local" (without quotes); then click the
Connect button
4. Login as lab1user, with a password of "VMware1!" (without quotes); then, click
the Login button.
5. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
6. Confirm the desktop opens and you can access it appropriately.
1. Click on the Windows Start Button icon and type in "cmd" (without quotes)
2. Wait for the Search to complete and click on the Command Prompt Icon at the
top of the search.
3. In the Command line box type "set" (without quotes) and press Enter
4. Once the output is completed scroll up and look for the specific environmental
variable ViewClient_APMGateway and ensure that it doesn't exist as of yet.
This confirms the variable we will create later didn't exist prior to accessing the
environment.
3. Notice in the Devices and drives section that the client drive redirection (CDR)
for Administrator on CONTROLCENTER is listed; this shows that CDR is
enabled and working.
Click on the Management Console shortcut to access the VMware User Environment
Manager - Management Console
1. Click on the User Environment Tab within the Management Console to display
the User based Policies.
2. Select the Horizon Smart Policies item from the left pane.
3. Click the Create button in the top pane.
1. Click on the User Environment Tab within the Management Console to display
the User based Policies.
2. Select the Triggered Tasks item from the left pane.
3. Click the Create button in the top pane.
1. Select the VMware View Policy link in the Visual Policy Editor.
2. Click the Add new entry button
3. Enter "APMGateway" (without quotes) in the Variable Name
4. Enter expr {"true"} in the Value Field
5. Click the Save button
1. Click the Apply Access Policy Link - Wait till the Link disappears
2. Click the Close button
Before starting, minimize the Chrome browser window until you see the Control Center
desktop.
1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Double-click on the previously created server in the list,
"hzn-smart-apm.corp.local"
3. Login as lab1user, with a password of "VMware1!" (without quotes); then, click
the Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.
NOTE: If you didn't log off from the previous session, the new policies might
not apply. In that case, it is recommended that you log off and log back in
for the Smart Policy to apply.
1. Click on the Windows Start Button icon and type in "cmd" (without quotes)
2. Wait for the Search to complete and click on the Command Prompt Icon at the
top of the search.
3. In the Command line box type "set" (without quotes) and press Enter
4. Once the output is completed scroll up and look for the specific environmental
variable ViewClient_APMGateway that we entered into the F5 APM earlier.
As you can see, the F5 APM Policy has injected the variable into the Horizon session.
This is the variable we set earlier to block certain policies on the Horizon instance, such as
Client Drive Redirection (CDR).
1. Click on the Windows Start Button icon and type in "Regedit" (without quotes)
2. Wait for the Search to complete and click on the Registry Editor Icon at the top
of the search.
3. Expand out HKEY_CURRENT_USER
4. Expand out SOFTWARE
5. Expand out Policies
6. Expand out VMware, Inc. and verify policies have been modified by the UEM
Smart Policy.
3. Notice in the Devices and drives section that you only see a Floppy, DVD and
Local Disk (C:), but no client side redirection is there anymore; this proves the
policy is in place and working.
1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, Choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
Conclusion
This concludes Module 5 - F5 APM with VMware UEM Smart Policy Integration.
You should have a good understanding of how to configure the F5 APM
solution with an existing APM Horizon Deployment, as well as configure
VMware UEM to leverage Smart Policies from the injected variables in the
Horizon connections.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
In this module you will learn how to configure the F5 as a Load Balancer for the App
Volumes Manager.
Due to the limited capabilities of this lab, only the configuration will be done for the App
Volumes Managers; there are no agents accessible to test and load balance the agent
side. This is a method that has been tested and documented by F5 and VMware.
1. Name: MOD6-AppVolumes-SSL
2. Parent Profile: clientssl
3. Custom Checkbox Checked for "Certificate Key Chain"
4. Click the "Add" Button
5. Certificate: CORP.LOCAL_WILDCARD
6. Key: CORP.LOCAL_WILDCARD
7. Chain: CORP.LOCAL_WILDCARD
8. Click the "Add" Button to add the information to the Certificate Key Chain
1. Name: MOD6-AppVolumes-Server-SSL
2. Parent Profile: serverssl
3. Click the "Finished" button.
After creating the SSL Client profile, we must create an HTTP Profile.
• Browse to the HTTP Service, from the top Menu bar, by clicking 1. Services, then
2. HTTP
• Then click the "Create" button in the upper right hand corner of the HTTP Profiles
table.
1. Name: MOD6-AppVolumes-HTTP
2. Parent Profile: http
3. Ensure the checkbox for "Insert X-Forwarded-For" is Checked
4. Insert X-Forwarded-For: Enabled
After applying the settings above, scroll to the bottom and click "Finished"
1. Name: MOD6-AppVolumes-persistence
2. Persistence Type: Cookie
3. Then scroll to the bottom of the page and click the "Finished" button
1. Name: MOD6-AppVolumes-Monitor
2. Type: HTTPS
3. Interval: 30 Seconds
4. Timeout: 15 Seconds
5. Send String: GET /login HTTP/1.1\r\nHost: appvolumes.corp.local\r\nConnection: Close\r\n\r\n
6. Receive String: App Volumes Manager Login
7. Leave all remaining values default
8. Scroll to the bottom and click the "Finished" Button
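The monitor's send and receive strings, modelled offline as an added example (not part of the lab and not F5 code): it decodes the send string into the bytes placed on the wire, lints the request, and compares a receive-string-only verdict with a stricter one that also requires a 200 status. The substring match over the first 5120 bytes, the function names and the sample responses are assumptions constructed for illustration.

```python
"""Offline model of the MOD6-AppVolumes-Monitor send/receive check (added example).

Assumption: the receive string is a plain substring match over the start of the
raw response (status line, headers, body). This is a simplified model.
"""
import socket
import ssl

# Values taken from the monitor steps in the lab.
SEND_STRING = r"GET /login HTTP/1.1\r\nHost: appvolumes.corp.local\r\nConnection: Close\r\n\r\n"
RECV_STRING = "App Volumes Manager Login"
MATCH_WINDOW = 5120  # assumption: how much of the response the model inspects


def decode_send_string(text):
    """Turn the escaped form typed into the GUI into the bytes sent on the wire."""
    return text.replace("\\r", "\r").replace("\\n", "\n").encode("ascii")


def lint_request(raw):
    """Return problems that would make the probe hang or be rejected."""
    problems = []
    if not raw.endswith(b"\r\n\r\n"):
        problems.append("request does not end with a blank line")
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        problems.append("malformed request line")
        return problems
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("malformed header: " + line)
            continue
        headers[name.strip().lower()] = value.strip()
    if parts[2] == "HTTP/1.1":
        if "host" not in headers:
            problems.append("HTTP/1.1 request without Host header")
        if headers.get("connection", "").lower() != "close":
            problems.append("no 'Connection: close'; server may hold the socket open")
    return problems


def status_code(response):
    """Parse the status code from the first line; None if it is not HTTP."""
    first = response.split(b"\r\n", 1)[0].split(b" ")
    if len(first) >= 2 and first[0].startswith(b"HTTP/") and first[1].isdigit():
        return int(first[1])
    return None


def content_verdict(response, recv=RECV_STRING):
    """Receive-string-only check: up if the text appears anywhere in the window."""
    return "up" if recv.encode() in response[:MATCH_WINDOW] else "down"


def strict_verdict(response, recv=RECV_STRING):
    """Stricter variant: require a 200 status as well as the receive string."""
    if status_code(response) != 200:
        return "down"
    return content_verdict(response, recv)


def probe(address, port=443, server_hostname="appvolumes.corp.local", timeout=15):
    """Send the monitor request to one pool member and return the raw response.
    Certificate verification stays on, so the member must present a certificate
    that is valid for server_hostname and chains to a trusted CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            tls.sendall(decode_send_string(SEND_STRING))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Constructed responses (not captured from a real App Volumes Manager).
LOGIN_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><title>App Volumes Manager Login</title></html>")
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: /maintenance\r\nContent-Length: 0\r\n\r\n"
ERROR_WITH_TITLE = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><title>App Volumes Manager Login</title>database unavailable</html>")


def demo():
    """Run the lint and both verdicts over the constructed samples."""
    samples = {"login_ok": LOGIN_OK, "redirect": REDIRECT,
               "error_with_title": ERROR_WITH_TITLE}
    result = {"lint": lint_request(decode_send_string(SEND_STRING))}
    for name, response in samples.items():
        result[name] = (content_verdict(response), strict_verdict(response))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third sample is the case to watch: a content-only match marks an error page as healthy when it still carries the login title, while the stricter check marks it down.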
Create Pool
We must now create the VMware App Volumes pool for the BIG-IP Appliance to monitor.
1. Name: MOD6-AppVolumes-Pool
2. Health Monitors: MOD6-AppVolumes-Monitor
Repeat the steps from the last section to create an entry for the second App Volumes
Manager.
NOTE: The second node does not exist due to the resources available for this lab. This
node will be offline, but the steps show how to add the additional node.
After we have configured our Pool, we can continue and create a Virtual Server.
Under the General Properties of the Virtual Server, enter the following settings:
1. Name: MOD6-AppVolumes
2. Destination Address: 192.168.130.160
3. Service Port: 443 [HTTPS]
Under the Configuration properties of the Virtual Server, enter the following settings:
Under the Resource properties of the Virtual Server, enter the following settings:
Browser Validation
Browser validation shows that, when using the F5 load balanced URL, the certificate
is still valid for the new website.
1. Green Lock in Google Chrome Browser Identifies that the Certificate is Valid
2. You can further validate functionality of the browser by Logging into the
AppVolumes Manager
Username: Administrator
Password: VMware1!
Conclusion
This concludes Module 1 - F5 LTM with Horizon Connection Servers. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Connection Servers for Load Balancing and High Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Introduction
In this module you will learn how to configure the F5 as a Load Balancer for the VMware
Identity Manager Portal.
Identity Manager is delivered as a virtual appliance (VA) that is easy to deploy onsite
and integrate with existing enterprise services. Organizations can centralize assets,
devices, and applications and manage users and data securely behind the firewall.
Users can share and collaborate with external partners and customers securely when
policy allows.
This lab provides step-by-step instructions for setting up the first Identity Manager
virtual appliance (Node 1). For production implementations, VMware recommends the
deployment of two (2) additional nodes to have a total of three (3). Nodes 2 and 3 will
be cloned from the first node after it has been configured and set up with the F5 to
provide a fully load balanced configuration.
Due to the resource constraints of this lab, the setup of the LTM configuration and the
setup of the first node (Node 1) will be completed.
1. Name: MOD7-VIDM-SSL
2. Parent Profile: clientssl
3. Custom Checkbox Checked for "Certificate Key Chain"
4. Click the "Add" Button
5. Certificate: CORP.LOCAL_WILDCARD
6. Key: CORP.LOCAL_WILDCARD
7. Chain: CORP.LOCAL_WILDCARD
8. Click the "Add" Button to add the information to the Certificate Key Chain
After creating the SSL Client profile, we must create an HTTP Profile.
• Browse to the HTTP Service, from the top Menu bar, by clicking 1. Services, then
2. HTTP
• Then click the "Create" button in the upper right hand corner of the HTTP Profiles
table.
1. Name: MOD7-VIDM-HTTP
2. Parent Profile: http
3. Ensure the checkbox for "Insert X-Forwarded-For" is Checked
4. Insert X-Forwarded-For: Enabled
After applying the settings above, scroll to the bottom and click "Finished"
1. Name: MOD7-VIDM-persistence
2. Persistence Type: Cookie
3. Then scroll to the bottom of the page and click the "Finished" button
1. Name: MOD7-VIDM-Monitor
2. Type: HTTPS
3. Interval: 5 Seconds
4. Timeout: 16 Seconds
Create Pool
We must now create the VMware Identity Manager Pool for the BIG-IP Appliance to
monitor.
1. Name: MOD7-VIDM-Pool
2. Health Monitors: MOD7-VIDM-Monitor
Repeat the steps from the last section to create an entry for the second and third
VMware Identity Manager Servers.
NOTE: The second and third nodes do not exist due to available resources, and
because during the process of deploying VIDM the configurations for the other
two nodes would be cloned from the first node. If this were a 3 node
environment, all configurations, including the load balancer setup, must be
done prior to cloning the second and third nodes in real production
environments.
NOTE: Nodes 2 and 3 will be offline, but the steps show how to add the additional
nodes.
After we have configured our Pool, we can continue and create a Virtual Server.
Under the General Properties of the Virtual Server, enter the following settings:
1. Name: MOD6-VIDM
2. Destination Address: 192.168.130.170
3. Service Port: 443 [HTTPS]
Under the Configuration properties of the Virtual Server, enter the following settings:
Under the Resource properties of the Virtual Server, enter the following settings:
• VMware1!
Once the FQDN update starts, we should be prompted with a pop-up screen that
displays the progress.
If we've completed every step successfully then we should be prompted with four (4)
green checkmarks. If that is the case, please continue to the next step.
In VMware Identity Manager Versions 2.6 and above, a new User Interface was enabled
by default during deployment of the appliances. However, when configuring behind a
load balancer, the UI is disabled by default and must be re-enabled to ensure proper
accessibility to the environment. Above is the example if you try to log in to a VMware
Identity Manager Portal that is load balanced behind the F5 without enabling the New UI.
You can now Close the Administrative UI Tab out of your browser and continue onto the
next step.
In this section we will test the load balanced configuration to verify that, in fact, the BIG-
IP appliance is balancing the connection.
Ensure the domain is "corp.local" and click the "Next >>" button
• lab1user
• VMware1!
**Note** If after entering your credentials, the page does not proceed to log you in -
terminate the entire browser instance and open a new session.
You have successfully logged into a load balanced instance of Identity Manager Portal!
Conclusion
This concludes Module 7 - F5 LTM with Identity Manager Integration. You
should have a good understanding of how to deploy the F5 iAPP solution with
VMware Identity Manager for Load Balancing and High Availability.
If you are looking for additional information on F5 and Horizon Integrations try one of
these:
You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Version: 20170920-143811