
HOL-1859-01-ADV

Table of Contents
Lab Overview - HOL-1859-01-ADV - F5 Integration with VMware Horizon 7 Enterprise
  Lab Guidance
Module 1 - F5 LTM with Horizon Connection Servers (45 min)
  Introduction
  F5 LTM with Horizon Connection Servers
  Conclusion
Module 2 - F5 LTM with Horizon Unified Access Gateways (45 min)
  Introduction
  F5 LTM with Horizon Unified Access Gateways
  Conclusion
Module 3 - F5 APM with Horizon Alternative Gateway (45 min)
  Introduction
  F5 APM with Horizon Alternative Gateway
  Conclusion
Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 min)
  Introduction
  F5 DNS with Horizon for Multi-Site Deployments
  Conclusion
Module 5 - F5 APM with VMware UEM Smart Policy Integration (30 min)
  Introduction
  F5 APM with VMware UEM Smart Policy Integration
  Conclusion
Module 6 - F5 LTM with AppVolumes (45 min)
  Introduction
  F5 LTM with AppVolumes
  Conclusion
Module 7 - F5 LTM with VMware Identity Manager Integration (45 min)
  Introduction
  F5 LTM with VMware Identity Manager Integration
  Conclusion


Lab Overview - HOL-1859-01-ADV - F5 Integration with VMware Horizon 7 Enterprise


Lab Guidance
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.

This Hands on Lab will explore the use case and advantages for load balancing VMware
EUC Products with F5 BIG-IP Software. You will integrate the BIG-IP with VMware Horizon
7, VMware App Volumes, and VMware Identity Manager.

Lab Module List:

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

Lab Captains:

• Chris Betz - Staff Systems Engineer - Federal Army - VMware
• Justin Venezia - Senior Architect - EUC Office of the CTO - VMware
• Matt Mabis - Principal Solutions Engineer - F5 Networks


This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your
work must be done during the lab session, but you can click EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.


Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.


Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the "@" key.

Notice the @ sign entered in the active console window.


Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen


Please check to see that your lab has finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.


Module 1 - F5 LTM with Horizon Connection Servers (45 min)


Introduction
In this module, we'll configure the BIG-IP to load balance authentication and
authorization connections across a pool of Horizon Connection Servers.

Here's a high-level overview of what will be completed during the setup:

• Configure the iApp for View to support load balancing Horizon Clients across a
pool of Horizon Connection Servers
• Test and validate the Horizon Client connections
• Test the failure of one server in the pool

Load Balancing Horizon Connection Servers for Trusted/Secure Networks and Clients

One of the primary functions of the Horizon Connection Servers is to provide
authentication and desktop/application enumeration for clients accessing from a
trusted/secure network. This configuration is typically used for clients making
connections to virtual desktops and applications from an internal network. All
communications from the client to the virtual desktop are direct; there is no "proxy" of
any Horizon ports or protocols. The Connection Servers are only used for authentication
and application/desktop enumeration and assignment.

The BIG-IP provides intelligent monitoring and traffic management across a pool of
Connection Servers using the LTM module. In this scenario, the HTTPS connection
between the client and Connection Servers passes through the BIG-IP. Once the
connection is launched, the BIG-IP is no longer in the path of client-to-virtual desktop
traffic.


Traffic Flow

The diagram outlines a typical configuration and traffic flow of an internal Horizon Client
connection when using the BIG-IP Local Traffic Management (LTM) Module:

1. Client Device connects in from the trusted network.
2. Connection to LTM made over HTTPS using the client.
3. User logs in – Horizon Connection Server processes the authentication to AD and/
or other authentication source (LDAPS/RADIUS, etc.)
4. Once user is validated, Horizon Connection Server enumerates applications and
desktops back to the client (via HTTP/HTTPS).
5. User (from client) selects the application or desktop to launch.
6. Connection Servers then send (via HTTP/HTTPS) virtual desktop or RDS
application connection information to client.
7. Client then establishes direct connection to the virtual desktop or RDS application
server via HTML5 Blast, Blast Extreme or PCoIP.
8. BIG-IP is no longer in the traffic flow unless another application or desktop is
launched.


F5 LTM with Horizon Connection Servers
In this module you will learn how to load balance multiple VMware Horizon Connection
Servers with BIG-IP LTM.

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

Here is some important background, which the steps that follow put into practice, on using
load balancers for Connection Servers servicing internal Horizon clients. The Connection
Servers are primarily used for authentication, resource enumeration and connection
brokering only. By default, the "Use Secure Tunnel Connection to Machine" and "Use
Blast Secure Gateway for HTML access to machine" boxes are checked. This will route portions
of the HTTPS and all HTML traffic through the Connection Servers, while the PCoIP
stream will go directly from the Horizon client to the server.


Although this will function, the Connection Servers will have to do additional work to
"proxy" this traffic - even with a load balancer.

For Connection Servers that will authenticate internal users and enumerate applications,
it is recommended these Secure Gateway boxes are unchecked.


Login to the Connection Server

To open the View Administrator Web Console from the Control Center desktop:


1. Click on the Chrome shortcut.
2. When the browser is launched, click on the FIRST Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-01A Admin"). Make
sure the web address you are redirected to is https://view-01a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.


Disable Secure Tunneling on Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.


2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.


Login to the Second Connection Server

To open the View Administrator Web Console from the Control Center desktop:


1. Click on a new tab within Chrome.
2. When the browser is launched, click on the Second Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-02A Admin"). Make
sure the web address you are redirected to is https://view-02a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.


Disable Secure Tunneling on Horizon Connection Server


Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the web address you are redirected to is https://f5-big-ip-01.corp.local


Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.


Create iApp Application Service for Connection Server Load Balancing

Next, we will configure load balancing of Connection Servers for internal users using the
Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.

1. Once logged in to the BIG-IP, click on iApps.
2. Click Application Services.
3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be
ignored.


Initial iApp Configuration for Load Balancing Connection Servers

Let's configure the iApp.

1. Type in the name MOD1-Internal, then select the View iApp Template from the list
(as shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".


3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access
Policy Manager".

NOTE: The iAPP Template was already imported to the F5 BIG-IP to reduce the amount
of time to take the lab.

Configuring SSL

1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".


4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.

Configuring PCoIP and Virtual Servers/Pools

1. Scroll down to the PC Over IP section; next to "Should PCoIP connections go
through the BIG-IP System" - choose "No, PCoIP connections should not go
through the BIG-IP System".
2. Scroll down to Virtual Servers/Pools section "What virtual server IP address do you
want to use for remote, untrusted clients". Even though the question says
"remote, untrusted clients" - it will be the virtual server and IP address that the
internal Horizon clients will use to access Horizon Connection Servers. In this box,
type in 192.168.130.140.


3. Next, scroll down to "What FQDN will clients use to access the View
environment?" Type in "hzn-internal.corp.local" (without quotes) as the FQDN that
will be used to access the BIG-IP by the Horizon Clients.
4. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.47 (this is the IP of the first Connection Server), click the
"Add" button and type in 192.168.110.48 (this is the IP of the second Connection
Server).
5. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on the same
subnet".

NOTE: If the port in the "Which servers should be included in this pool?" section says 80
instead of 443, go back to the previous section, "SSL Encryption", and change from SSL
Offload to SSL bridging.

Next, scroll down to the Application Health section of the iApp.

Application Health Monitor

Next, we'll set up the intelligent health monitoring. This monitor logs in to Horizon as a
user to ensure key components are functioning as expected.

1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create an advanced health monitor".
2. Type in "lab1user" (without quotes) next to "What user name should the monitor
use?".


3. Type in "VMware1!" (without quotes) next to "What is the password associated
with that account?".
4. Scroll down to "What is the NetBIOS domain name for your environment?" and
type in "CORP" (without quotes).

Application Health Monitor (Continued)

Scroll down 3 lines until you see the section of the iApp with "Published Resources" as
shown in the picture.

1. Under the section "What published application(s) or pool(s) should the BIG-IP
system expect in the monitor response?" type in "Windows 10 Pool" (without
quotes).
2. Click the "Add" button.
3. Repeat steps 1 and 2, typing "Calculator" (without quotes) in the 2nd box and
then "Paint" (without quotes) in the 3rd box.
4. Under the section "Do all published applications or desktop pools listed need to
be available", choose "Only one of the application or desktop pools listed need to
be returned".
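
The choice in step 4 controls when the monitor treats a Connection Server as healthy. The Python below is an added example, not part of the lab manual or of F5's monitor: it models that decision for the two pool members and three published resources entered above. The XML layout, the sample responses and all function names are assumptions for illustration, since the manual does not show the monitor's actual request or response.

```python
import xml.etree.ElementTree as ET

# Published resources entered in the iApp steps above.
EXPECTED = ["Windows 10 Pool", "Calculator", "Paint"]


def _response(auth_result, names):
    """Build a constructed, simplified monitor response (assumed layout)."""
    items = "".join(f"<resource><name>{n}</name></resource>" for n in names)
    return (
        "<broker>"
        f"<authentication><result>{auth_result}</result></authentication>"
        f"<resources>{items}</resources>"
        "</broker>"
    )


# Constructed sample responses, keyed by the pool member IPs from the lab.
SAMPLES = {
    "192.168.110.47": _response("ok", ["Windows 10 Pool", "Calculator", "Paint"]),
    "192.168.110.48": _response("ok", ["Calculator"]),  # partially degraded server
}
AUTH_FAILED = _response("error", [])      # monitor user could not log in
TRUNCATED = "<broker><authentication>"    # connection cut mid-response


def published_names(body):
    """Return the set of resource names, or None if the check cannot pass.

    None covers both an unparseable body and a failed login, because in either
    case the monitor has no evidence that the server can broker sessions.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.findtext("authentication/result") != "ok":
        return None
    return {el.text.strip() for el in root.iterfind("resources/resource/name") if el.text}


def member_is_up(body, expected, require_all):
    """Decide up/down for one pool member.

    require_all=False models "Only one of the application or desktop pools
    listed need to be returned"; require_all=True models requiring all of them.
    """
    names = published_names(body)
    if names is None:
        return False
    hits = [name in names for name in expected]
    return all(hits) if require_all else any(hits)


def pool_status(responses, expected, require_all):
    """Map each pool member to its up/down decision."""
    return {ip: member_is_up(body, expected, require_all) for ip, body in responses.items()}


if __name__ == "__main__":
    for mode in (False, True):
        label = "all listed" if mode else "only one"
        print(label, pool_status(SAMPLES, EXPECTED, require_all=mode))
```

With "only one" selected, a server that logs the monitor user in but returns just Calculator stays in the pool; requiring all listed resources would take it out of rotation.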


iRules

Scroll down to the iRules Section.

1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.
3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.

NOTE: The iRule implemented in this section deals with a specific issue where Horizon
HTML5 and Admin windows show a white box effect or are unable to load. This is because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that check fails under load balanced scenarios.

For more information about the Horizon Origin iRule, visit:
https://support.f5.com/csp/article/K84958121


Finish the iApp

1. Scroll down to the bottom of the screen; click Finish.
2. Next, you will see the "Components" screen, which will show you a summary of
your configuration and all the objects created on the BIG-IP. Make sure the
MOD1-Internal_https and Mod1-Internal_pool_1 nodes are displayed as shown in
the picture.


Test Horizon Client Access


Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center
desktop.

1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN
"hzn-internal.corp.local".
3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.


Test Horizon Client Access (Continued)

1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.


Optional - Testing HTML Desktop Access


If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.

Open the Chrome Browser window and navigate to https://hzn-internal.corp.local

From there, choose "VMware Horizon HTML Access" and log in to the web portal
interface.

Launch the "Windows 10 Pool" using HTML5.

If prompted, accept the certificate - once this is done, you will be able to launch a
desktop!


Conclusion
This concludes Module 1 - F5 LTM with Horizon Connection Servers. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Connection Servers for Load Balancing and High Availability.

You've finished Module 1

Congratulations on completing Module 1.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link
• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR Code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).


• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.


Module 2 - F5 LTM with Horizon Unified Access Gateways (45 min)


Introduction
In this module, we'll configure the BIG-IP to load balance authentication, authorization
and proxied VDI connections across a pool of Horizon Unified Access Gateway Servers.

Here's a high-level overview of what will be completed during the setup:

• Configure the iApp for View to support load balancing Horizon Clients across a
pool of Horizon Unified Access Gateway Servers
• Test and validate the Horizon Client connections

Load Balancing Unified Access Gateway Servers for External Networks

Some of the primary functions of the Horizon Unified Access Gateway Servers are to
provide authentication and desktop/application enumeration for clients accessing from a
trusted/secure network, as well as providing a full proxy from external clients to internal
resources. This configuration is typically used for clients making proxied connections to
virtual desktops and applications from an external network. All communications from
the client to the virtual desktop are proxied via the PCoIP or Blast protocols. The Unified
Access Gateway Servers are used for authentication, application/desktop enumeration/
assignment and proxying connections from .

The BIG-IP provides intelligent monitoring and traffic management across a pool of
Unified Access Gateway Servers using the LTM module. In this scenario, the HTTPS
connection between the client and Connection Servers passes through the BIG-IP to the
Unified Access Gateway servers. Once the connection is launched, a new connection
based on the Horizon protocol (Blast Extreme or PCoIP) is then passed through the
BIG-IP to the Unified Access Gateway Servers to access virtual desktop traffic.

Traffic Flow


The diagram outlines a typical configuration and traffic flow of an External Horizon
Client connection when using the BIG-IP Local Traffic Management (LTM) Module with
VMware Unified Access Gateway (UAG):

1. Client Device connects in from the external network.
2. Connection to LTM made over HTTPS using the client.
3. User logs in – Horizon UAG Server then proxies the authentication to the
connection servers which then processes the authentication to AD and/or other
authentication source (LDAPS/RADIUS, etc.)
4. Once user is validated, Horizon Connection Server enumerates applications and
desktops back to the UAG servers through the LTM connection (via HTTP/HTTPS).
5. User (from client) selects the application or desktop to launch.
6. UAG Servers then send (via HTTP/HTTPS) virtual desktop or RDS application
connection information to client.
7. Client then establishes a tunneled connection to the virtual desktop or RDS
application server via HTML5 Blast, Blast Extreme or PCoIP through the UAG
server being hosted by the front end LTM.


F5 LTM with Horizon Unified Access Gateways
In this module you will learn how to load balance multiple VMware Horizon Unified
Access Gateways.

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features
for each Connection Server are enabled on the Unified Access Gateway appliances
themselves and not within the Connection Servers. This is different from how you would
configure those options for a Security Server.

See this brief summary before carrying out the tasks in the steps below.


• If you plan to use a secure tunnel connection for client devices, disable the
secure tunnel for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called
Use secure tunnel connection to machine. By default, the secure tunnel is
enabled on the Unified Access Gateway appliance.
• Disable the PCoIP secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use PCoIP Secure Gateway for PCoIP connections to
machine. By default, the PCoIP secure gateway is enabled on the Unified Access
Gateway appliance.
• Disable the Blast secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use Blast Secure Gateway for HTML Access to
machine. By default, the Blast secure gateway is enabled on the Unified Access
Gateway appliance.


Login to the Connection Server

To open the View Administrator Web Console from the Control Center desktop:


1. Click on the Chrome shortcut.
2. When the browser is launched, click on the First Horizon View Web Favorite in the
toolbar (if you hover over the shortcut, it should say "View-01A Admin"). Make
sure the web address you are redirected to is https://view-01a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.


Disable Secure Tunneling on Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.


2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Login to the Second Connection Server

To open the View Administrator Web Console from the Control Center desktop:

1. Click on the Chrome shortcut.


2. When the browser is launched, click on the Second Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-02A Admin"). Make
sure the IP address you are redirected to is https://view-02a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.

Disable Secure Tunneling on the Second Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.


2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.


2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Create iApp Application Service for Connection Server Load Balancing

Next, we will configure load balancing of the Unified Access Gateways for external users
using the Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.

1. Once logged in to the BIG-IP, click on iApps


2. Click Application Services.
3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be
ignored.

Initial iApp Configuration for Load Balancing Connection Servers

Let's configure the iApp.

1. Type in the name MOD2-External, then select the View iApp Template from the list
(as shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".

3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access
Policy Manager".

NOTE: The iAPP Template was already imported to the F5 BIG-IP to reduce the amount
of time to take the lab.

Configuring SSL

1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".

4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.

Configuring PCoIP for Unified Access Gateway

1. Scroll down to the "PC Over IP" section of the iApp. Next to "Should PCoIP
connections go through the BIG-IP System", choose "Yes, PCoIP connections
should go through the BIG-IP System".
2. Next to "Will PCoIP connections be proxied by the View Unified Access Gateways",
choose "Yes, PCoIP connections are proxied by View Unified Access Gateways".
3. Select "Yes, Support HTML5 View clientless browser connections" next to the
question, "Will VMware View HTML5 Client Connections go through the BIG-IP
system".

Configuring Virtual Servers/Pools

1. Next, scroll down to the Virtual Servers/Pools section, to "What virtual server IP
address do you want to use for remote, untrusted clients". In this box, type in
192.168.230.140.
2. Type in "hzn-external.corp.local" (without quotes) as the FQDN that will be used to
access the BIG-IP by the Horizon Clients.
3. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.85 (this is the IP of the 1st Unified Access Gateway), then
click Add. In the second box, type in 192.168.110.86 (this is the IP of the 2nd
Unified Access Gateway).
4. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on different
subnets".

5. Next to "How have you configured routing on your View servers", choose "View
servers do not have a route to clients through the BIG-IP".

Application Health Monitor

Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to
Horizon to ensure key components are functioning as expected.

1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create a simple health monitor".

iRules

Scroll down to the iRules Section.

1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.
3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.

NOTE: The iRule implemented in this section addresses a specific issue in which Horizon
HTML5 and Admin windows show a white box or fail to load. This happens because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that process fails in load-balanced scenarios.

Finish the iApp

1. Scroll down to the bottom of the screen; click Finish.


2. Next, you will see the "Components" screen, which will show you a summary of
your configuration and all the objects created on the BIG-IP. Make sure the
Mod2-External_https and Mod2-External_pool_1 nodes are displayed as shown in
the picture.

Test Horizon Client Access

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center
desktop.

1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN
"hzn-external.corp.local".
3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.

Test Horizon Client Access (Continued)

1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, Choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.

Optional - Testing HTML Desktop Access

If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.

Open the Chrome Browser window and navigate to https://hzn-external.corp.local

From there you can choose "VMware Horizon HTML Access" and log in to the web portal
interface.

Launch the "Windows 10 Pool" using HTML5.

If prompted, accept the certificate - once this is done, you will be able to launch a
desktop!

Conclusion
This concludes Module 2 - F5 LTM with Unified Access Gateway Servers. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Unified Access Gateway Servers for Load Balancing and High
Availability.

You've finished Module 2

Congratulations on completing Module 2.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link


• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.

• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.

Module 3 - F5 APM with Horizon Alternative Gateway (45 min)

Introduction
In this module you will learn how to configure the F5 as a PCoIP Proxy/Security Server
alternative.

Implementing PCoIP Proxy as a Security Server Alternative

VMware’s Horizon Unified Access Gateway (UAG) Server provides secure access to
sessions over an unsecured WAN and/or Internet connection. Typically, the UAG Server
is placed within an organization’s DMZ. F5 BIG-IP Access Policy Manager (APM) makes it
possible to take advantage of PCoIP and Blast Extreme technology while simplifying
your VMware Horizon with View architecture, improving security, and increasing
scalability.

Harden Security and Increase Scalability

F5 BIG-IP Access Policy Manager is the industry’s first Application Delivery Networking
solution that brings full PCoIP and Blast Extreme proxy capabilities to the market. This
permits IT administrators to replace the VMware Unified Access Gateway Server with a
more secure and highly scalable solution in support of their end-user computing
deployments. BIG-IP APM is an ICSA Labs–certified flexible, high-performance access
and security solution that provides unified global access to your applications and
network. BIG-IP APM converges and consolidates remote access, LAN access, and
wireless connections within a single management interface and provides easy-to-
manage access policies. These capabilities help you free up valuable IT resources and
scale cost-effectively.

Simplifying Your Horizon Architecture

Because BIG-IP APM removes the need for having multiple gateway servers in the DMZ,
the overall architecture can not only be simplified, but a higher level of scalability can
be achieved. In addition to BIG-IP APM, F5 BIG-IP Local Traffic Manager (LTM) can provide
intelligent traffic management and load balancing to the Connection Servers. The
reduction in the overall number of components that need to be managed results in
increased productivity for IT administrators, which is especially critical for multi-site or
multi-pod VMware Horizon deployments.

Traffic Flow

The diagram outlines the traffic flow of an external Horizon Client connection when
using the BIG-IP Access Policy Manager (APM) Module as a Security Server alternative:

1. Device connects in from the untrusted network.


2. Connection to APM made over HTTPS using the client or the F5 APM WebTop
Portal.
3. User logs in.
4. APM processes the authentication (single/multi-factor) to AD and/or other
authentication source (LDAPS/RADIUS, etc.)

5. Once user is validated, APM sends a request to the load balanced pool of
Connection Servers to get a list of authorized applications and desktops using
HTTPS or HTTP.
6. The user is then presented with the list of available and authorized desktops and
applications.
7. User selects the application or desktop to launch.
8. Request then sent from client and proxied to View Connection Server via HTTPS –
client receives desktop and/or application source machine info (including the
public/client facing IP address if using NAT).
9. Client establishes a connection to the APM for the virtual desktop or RDS
application server via PCoIP, Blast Extreme, or HTML 5 (using HTML Access) using
HTTPS. The APM proxies this connection back to the virtual desktop or RDS
application server.

F5 APM with Horizon Alternative Gateway
In this module, you will configure the BIG-IP to function as a Security Server alternative.

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features
for each Connection Server are enabled on the Unified Access Gateway appliances
themselves and not within the Connection Servers. This is different from how you would
configure those options for a Security Server.

See this brief summary before carrying out the tasks in the steps below.

• If you plan to use a secure tunnel connection for client devices, disable the
secure tunnel for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called
Use secure tunnel connection to machine. By default, the secure tunnel is
enabled on the Unified Access Gateway appliance.
• Disable the PCoIP secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use PCoIP Secure Gateway for PCoIP connections to
machine. By default, the PCoIP secure gateway is enabled on the Unified Access
Gateway appliance.
• Disable the Blast secure gateway for View Connection Server. In View
Administrator, go to the Edit View Connection Server Settings dialog box and
deselect the check box called Use Blast Secure Gateway for HTML Access to
machine. By default, the Blast secure gateway is enabled on the Unified Access
Gateway appliance.

Login to the Connection Server

To open the View Administrator Web Console from the Control Center desktop:

1. Click on the Chrome shortcut.


2. When the browser is launched, click on the First Horizon View Web Favorite in the
toolbar (if you hover over the shortcut, it should say "View-01A Admin"). Make
sure the IP address you are redirected to is https://view-01a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.

Disable Secure Tunneling on Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Login to the Second Connection Server

To open the View Administrator Web Console from the Control Center desktop:

1. Click on the Chrome shortcut.


2. When the browser is launched, click on the Second Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-02A Admin"). Make
sure the IP address you are redirected to is https://view-02a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.

Disable Secure Tunneling on the Second Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.


2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.


2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Create iApp Application Service for Connection Server Load Balancing

Next, we will configure load balancing of the Unified Access Gateways for external users
using the Horizon iApp. The iApp has already been pre-loaded onto the BIG-IP.

1. Once logged in to the BIG-IP, click on iApps


2. Click Application Services.
3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be
ignored.

Initial iApp Configuration for PCoIP/Blast Proxy

Let's configure the iApp.

1. Type in the name MOD3-APM, then select the View iApp Template from the list (as
shown above). Observe the iApp populate the screen with the next set of
questions.
2. Scroll down to the Template Options section - under "Which configuration mode
do you want to use?" - choose "Advanced - configure advanced options".

NOTE: The iAPP Template was already imported to the F5 BIG-IP to reduce the amount
of time to take the lab.

Configuring the iApp for PCoIP/Blast Proxy (Continued)

1. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to
deploy BIG-IP Access Policy Manager" - choose "Yes, Deploy BIG-IP Access Policy
Manager".
2. To allow HTML access to desktops, next to the "Do you want to support browser
based connections including the HTML5 client?" question choose "Yes, support
HTML 5 View clientless browser connections".
3. To not allow USB redirection, next to the "Do you want to support USB
redirection?" question choose "No, do not support USB redirection".

Configuring the iApp for PCoIP Proxy (Continued)

1. Scroll Down to "Should the BIG-IP APM support smart card authentication for
Horizon View" - choose "No, do not support smart card authentication".
2. Next, select "No, do not support SecurID or RADIUS two-factor authentication" for
the question "Should the BIG-IP system support SecurID or RADIUS with AD two-
factor authentication".
3. Next, select "No, do not add a message during logon" for the "Should the BIG-IP
system show a message to View users during logon?".
4. Leave the box BLANK when asked "If external clients use a network translated
address to access View, what is the public-facing IP address". Normally, if the BIG-
IP virtual server is NAT'd behind a firewall - you would enter the public, Internet-
facing address here (similar to the external PCoIP URL with Security Server).
5. Next, select "No, my View Environment uses a single Active Directory Domain"
next to the question "Do you want the BIG-IP system to support multiple
domains".

6. Enter "CORP" in the box next to "What is the NetBIOS domain name for your
environment?"

Setting up the Active Directory Component for Authentication

Next, let's create the Active Directory objects that will perform the user authentication.

1. Scroll down to "Create a new AAA Server object or select an existing one" -
choose "Create a new AAA Server Object"
2. Next, enter "controlcenter.corp.local" (without quotes) and 192.168.110.10 when
asked "Which Active Directory servers (IP and host name) are used for user
credential authentication".
3. Type "corp.local" (without quotes) when asked for the Active Directory domain
name.
4. Select "Yes, credentials are required for binding" when asked "Does your Active
Directory domain require credentials".
5. Enter "administrator" (without quotes) for the user name.

6. Enter "VMware1!" (without quotes) for the password.


7. Scroll down, and select "Yes, create a simple ICMP monitor" when asked to
"Create a new monitor for the Active Directory servers".

Configuring SSL

1. Continue scrolling down until you get to SSL Encryption section. Choose
"Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to
"How should the BIG-IP system handle encrypted traffic?".
2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the
default "Create a new Client SSL profile" is selected.
3. Scroll down to "Which SSL certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".
4. Continue scrolling down to "Which SSL private key do you want to use?" and
choose "CORP.LOCAL_WILDCARD.key".

5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose
"CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the
amount of time to take the lab.

Virtual Server Configuration

1. Next, scroll down to the Virtual Servers/Pools section, "What virtual server IP
address do you want to use for remote, untrusted clients". In this box, type in
192.168.230.145.
2. Type in "hzn-apm.corp.local" (without quotes) as the FQDN that will be used to
access the BIG-IP by the Horizon Clients.

Horizon Connection Server Settings

1. Scroll down to "Which servers should be included in this pool" - in the first box,
type in 192.168.110.47 (this is the IP of the First Connection Server), then click
Add. In the second box, type in 192.168.110.48 (this is the IP of the Second
Connection Server).
2. Scroll down to "Where will the virtual servers be in relation to the View servers?"
and choose "BIG-IP virtual server IP address and View servers are on different
subnets".
3. Select "View servers do not have a route to clients through the BIG-IP" when
asked "How have you configured routing on your View servers?"

NOTE: If the port in the "Which servers should be included in this pool?" section says 80
instead of 443 then go to previous section "SSL Encryption" and change from SSL
Offload to SSL bridging.

Next, scroll down to the Application Health section of the iApp.

Application Health Monitor

Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to
Horizon to ensure key components are functioning as expected.

1. Scroll down to the Application Health section. Next to "Create a new health
monitor or use an existing one?" - choose "Create an advanced health monitor".
2. Type in "lab1user" (without quotes) next to "What user name should the monitor
use?".
3. Type in "VMware1!" (without quotes) next to "What is the password associated
with that account?".
4. Scroll down to "What is the NetBIOS domain name for your environment?" and
type in "CORP" (without quotes)

Application Health Monitor (Continued)

Scroll down 3 lines until you see the section of the iApp with "Published Resources" as
shown in the picture.

1. Under the section "What published application(s) or pool(s) should the BIG-IP
system expect in the monitor response?" type in Calculator.
2. Click the "Add" button.
3. Repeat steps 1 and 2, typing Paint in the 2nd box.
4. Under the section "Do all published applications or desktop pools listed need to
be available", choose "Only one of the application or desktop pools listed need to
be returned".
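
How the "only one" versus "all" choice in step 4 changes a pool member's status, as an
added example (not F5's monitor script). The reply XML, its element names, and the
function names are constructed assumptions; only Calculator and Paint come from this lab.

```python
import xml.etree.ElementTree as ET

EXPECTED = ["Calculator", "Paint"]  # names typed into the iApp in steps 1-3

# Constructed replies a monitor login might receive. Element names are simplified
# stand-ins chosen for this example, not the Horizon response schema.
REPLIES = {
    "both": """<broker><result>ok</result><items>
        <application><name>Calculator</name></application>
        <application><name>Paint</name></application></items></broker>""",
    "calculator_only": """<broker><result>ok</result><items>
        <application><name>Calculator</name></application>
        <desktop><name>Windows 10 Pool</name></desktop></items></broker>""",
    "similar_name_only": """<broker><result>ok</result><items>
        <application><name>Paint 3D</name></application></items></broker>""",
    "login_rejected": "<broker><result>error</result><code>AUTH_FAILED</code></broker>",
    "truncated": "<broker><result>ok</result><items><application><name>Calc",
}


def entitled_names(reply_xml):
    """Return the set of published names in a reply, or None if the reply is unusable."""
    try:
        root = ET.fromstring(reply_xml)
    except ET.ParseError:
        return None  # cut-off or non-XML body: treat as a failed probe
    if root.findtext("result") != "ok":
        return None  # login or broker error: no entitlement list to inspect
    return {el.text.strip() for el in root.iter("name") if el.text and el.text.strip()}


def member_is_up(reply_xml, expected, require_all=False):
    """Mark a member up only when the expected resources appear in its reply.

    This model matches names exactly, so "Paint 3D" does not satisfy "Paint".
    """
    names = entitled_names(reply_xml)
    if names is None or not expected:
        return False
    found = [name in names for name in expected]
    return all(found) if require_all else any(found)


def evaluate(require_all):
    """Status of every constructed reply under the chosen matching mode."""
    return {key: member_is_up(xml, EXPECTED, require_all) for key, xml in REPLIES.items()}


if __name__ == "__main__":
    print("only one required:", evaluate(False))
    print("all required:     ", evaluate(True))
```

With "only one" selected, a Connection Server that loses the Paint entitlement still
passes; with "all" selected, the same server is taken out of the pool.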

iRules

Scroll down to the iRules Section.

1. Under the Options section "Do you want to add any custom iRules to this
configuration?" select the HZN-Origin iRule.
2. Click the "<<" button.

3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected
area.

NOTE: The iRule implemented in this section addresses a specific issue in which Horizon
HTML5 and Admin windows show a white box or fail to load. This happens because
Horizon Connection Servers after Version 7.0 added a security process that detects the
originating Connection Server, and that process fails in load-balanced scenarios.
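
A simplified model of the origin check described in the NOTE above and in the matching
NOTE in Module 2, as an added example. It is not VMware's check or the HZN-Origin iRule,
whose body this page does not show; the function names, the treatment of requests without
an Origin header, and the proxy-side translation rule are assumptions. Host names are the lab's.

```python
from urllib.parse import urlsplit

PUBLIC = "hzn-apm.corp.local"    # load-balanced FQDN from this module
BACKEND = "view-01a.corp.local"  # first Connection Server in this lab

# Constructed browser requests as they arrive at the Connection Server.
REQUESTS = {
    "direct": {"Host": BACKEND, "Origin": "https://" + BACKEND},
    "via_lb": {"Host": PUBLIC, "Origin": "https://HZN-APM.corp.local:443"},
    "foreign": {"Host": PUBLIC, "Origin": "https://portal.example.net"},
    "opaque": {"Host": PUBLIC, "Origin": "null"},
}


def normalize_origin(value):
    """Reduce an Origin header to (host, port); None if it is not a usable https origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port if parts.port is not None else 443
    except ValueError:  # malformed port or host
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower().rstrip("."), port)


def server_accepts(headers, server_names):
    """Backend check: accept a browser request only if Origin names this server."""
    origin = headers.get("Origin")
    if origin is None:
        return True  # assumption: requests without Origin are outside the check
    return normalize_origin(origin) in {(n.lower(), 443) for n in server_names}


def proxy_forward(headers, public_fqdn, backend_fqdn):
    """Hypothetical proxy-side fix: translate Origin only when it is exactly the
    proxy's own public name, so every other origin still reaches the check unchanged."""
    out = dict(headers)
    if "Origin" in out and normalize_origin(out["Origin"]) == (public_fqdn.lower(), 443):
        out["Origin"] = "https://" + backend_fqdn
    return out


def evaluate():
    """Outcome of each request: unmodified, with proxy translation, with a server allow-list."""
    results = {}
    for name, hdrs in REQUESTS.items():
        results[name] = {
            "unmodified": server_accepts(hdrs, [BACKEND]),
            "proxy_rewrite": server_accepts(proxy_forward(hdrs, PUBLIC, BACKEND), [BACKEND]),
            "server_allowlist": server_accepts(hdrs, [BACKEND, PUBLIC]),
        }
    return results


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:8} {row}")
```

The foreign and opaque origins stay rejected in every column, which is the property to
preserve when working around the check at the load balancer.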

Finish the iApp

1. Scroll down to the bottom of the screen; click Finish.


2. Next, you will see the "Components" screen, which will show you a summary of
your configuration and all the objects created on the BIG-IP. Scroll down until the
MOD3-APM_adv_view_eav and Mod3-APM_pool_1 nodes are displayed as shown in
the picture.

Test Horizon Client Access

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center
desktop.

1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Once the client launches, click on the icon with the FQDN "hzn-apm.corp.local".
3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the
Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.

Test Horizon Client Access (Continued)

1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, Choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.
5. If prompted, click OK.

Testing Client Access through F5 Webtop

Next, we will test the launch of the Horizon Client using the F5 Webtop Portal.

Testing Horizon Client Launch using Webtop

1. Open the Chrome Browser

2. Type in "https://view-apm.corp.local" and press Enter.


3. Login with the username "lab1user" (without quotes) and "VMware1!" (without
quotes) as the password.
4. Click Logon.
5. You will now be prompted with the F5 Webtop. Click on the "RDS Desktop" link.
6. Click on "VMware View Client" when asked to choose between the VMware View
Client or the HTML Desktop.

Testing Horizon Client Launch using Webtop (Continued)

1. You will see the desktop launch - feel free to navigate around and use the
Windows 10 Desktop.
2. Once completed, click on the "X" in the upper right corner of the screen.
3. When asked to disconnect, Choose "OK".

Conclusion
This concludes Module 3 - F5 APM with Horizon Alternative Gateway. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Alternative Gateway Servers for Load Balancing, Proxying
Connections and High Availability.

You've finished Module 3

Congratulations on completing Module 3.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link


• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.

• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.

Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 min)

Introduction
Intelligent Global Server Load Balancing with BIG-IP DNS

By deploying BIG-IP DNS (formerly known as BIG-IP GTM), a single namespace (for
example, https://desktop.example.com) can be provided to all end users. BIG-IP DNS,
BIG-IP Access Policy Manager (APM) and BIG-IP Local Traffic Manager (LTM) work
together to ensure that requests are sent to a user's preferred data center securely,
regardless of the user's current location. This type of implementation is common when
there are multiple Horizon instances distributed throughout two or more physical/logical
data centers.

F5 DNS with Horizon for Multi-Site Deployments
In this module, we'll configure BIG-IP DNS (formerly Global Traffic Manager - GTM) to
support Horizon environments across two data centers. We will be able to simulate
multiple data centers by using 2 separate BIG-IP appliances with 2 separate Horizon
View instances for this lab module.

Disable Secure HTTPS, PCoIP, and Blast Proxy Functionality.

Since the BIG-IP DNS/Global Traffic Management lab is pre-configured to use Connection
Servers that are internal to the network for this lab, we need to ensure that all Secure
Proxy functions are disabled. We'll walk through checking (and disabling, if necessary)
these Secure Proxy settings.

Site A - Login to the Connection Server

To open the View Administrator Web Console from the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the FIRST Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-01A Admin"). Make
sure the IP address you are redirected to is https://view-01a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.

Site A - Disable Secure Tunneling on Horizon Connection Servers

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Site B - Login to the Connection Server

To open the View Administrator Web Console from the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the Second Horizon View Web Favorite in
the toolbar (if you hover over the shortcut, it should say "View-02A Admin"). Make
sure the IP address you are redirected to is https://view-02a.corp.local/admin/#
3. Login as administrator
4. Password is VMware1!
5. Click Login.

Site B - Disable Secure Tunneling on Horizon Connection Servers

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers Tab.
3. Highlight the first Connection Server in the list.
4. Click Edit
5. Make sure the "Check Box" next to Use Secure Tunnel Connection to machine is
UNCHECKED.
6. Make sure the "Check Box" next to Use PCoIP Secure Gateway for PCoIP to
machine is UNCHECKED.
7. Make sure the "Check Box" next to Use Blast Secure Gateway for HTML access to
machine is UNCHECKED.
8. When completed, click OK.

Access the First BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the F5-BIG-IP-01 Favorite in the toolbar.
Make sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

Login to First BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Access the Second BIG-IP Web Management Console

We'll now open a second tab to the other BIG-IP (BIGIP-02) so we can configure the
device for Global Server Load Balancing via F5-DNS.

1. Click on the Tab as shown in the picture to open another tabbed browsing
session.
2. When the browser is launched, click on the F5-BIG-IP-02 Favorite in the toolbar.
Make sure the IP address you are redirected to is https://f5-big-ip-02.corp.local

Login to Second BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Configure BIG-IP DNS (Global Server Load Balancing)

In this step, we will configure the BIG-IP's to talk with one another and exchange DNS
and BIG-IP pool information. The Horizon Desktop pools in each site have already been
created for you; normally, you would need to create and/or ensure each View pod is
configured for load balancing on the BIG-IP using Local Traffic Manager (LTM).

Enabling the connectivity between BIG-IP systems

We'll use PUTTY to establish the communications between the two BIG-IP's that will be
used for global traffic management.

1. From the Control Center PC, look for the Putty icon at the bottom of the screen.
Click to launch Putty.
2. In the "Load, save or delete a stored session" box, scroll down and select
"F5-BIG-IP-01.CORP.LOCAL"
3. Click the Load button
4. Click the Open button
5. Login using root as the username and press enter, use VMware1! as the
password and then press enter again.
6. You will see the following prompt once logged in successfully.

Open 2nd Putty Session to BIGIP-02

To open the second putty session to BIGIP-02:

1. From the existing Putty window, click on the icon in the upper left corner.
2. Click on New Session.
3. In the "Load, save or delete a stored session" box, scroll down and select
"F5-BIG-IP-02.CORP.LOCAL"
4. Click the Load button
5. Click the Open button
6. Login using root as the username and press enter, use VMware1! as the
password and then press enter again.
7. You will see the following prompt once logged in successfully.

Establish connectivity between BIG-IP's

Click on the Putty window that has F5-BIG-IP-01 at the top.

1. In the putty window, type in bigip_add 192.168.110.91 and press ENTER.
2. Type in yes to accept the fingerprint.
3. Type in the password VMware1!
Once completed, you will see the "Done" message.
4. Repeat steps 1 through 3 by clicking on the F5-BIG-IP-02 Putty window and using
the command bigip_add 192.168.110.90 for step #1.
5. When completed, minimize both F5-BIG-IP-01 and F5-BIG-IP-02 Putty Sessions.

Configure BIG-IP DNS (Global Server Load Balancing) Pool Settings and DNS Configuration

Back in the Chrome Browser, we'll now set up some of the additional settings required
for global server load balancing.

Create Data Centers for BIG-IP DNS

First, we'll configure objects on the BIG-IP that will represent the 2 Horizon sites.

1. Maximize the browser window that was minimized from the previous exercise.
Select the F5-BIG-IP-01 tab in the browser session.
2. Click on DNS --> GSLB --> Data Centers.
3. Click Create.
4. Type in Site-A for the name.
5. Click the Repeat button.
6. Repeat step 4, typing in Site-B for the name.
7. Click the Finished button.
8. You should see the 2 data center/sites created.

Create BIG-IP Server Objects

Next, we will create the server objects. These are actually the BIG-IP's themselves and
will be used to autodiscover virtual servers hosted on Local Traffic Manager. In this case,
we'll let GTM autodiscover the virtual servers used for Horizon.

1. Click on DNS --> GSLB --> Servers.
2. Click Create.
3. Type in SITE-A-DNS for the name.
4. In the IP Address box, type in 192.168.110.90.
5. Click Add - you will see the IP address move into the box below.
6. For the Data Center, choose SITE-A.
7. Next to Virtual Server Discovery - change from Disabled to Enabled.
8. Click Repeat.
9. Repeat steps 2 through 7, using SITE-B-DNS for the name, SITE-B for the Data
Center and the IP Address of 192.168.110.91 (Remove the 192.168.110.90
address).
10. Click Finished
11. You should see the GTM objects in the list, and they should have green circles
next to them. If you don't see them right away, click the Server List box as shown
in the diagram to refresh the screen until the circles are green and you see two
virtual servers for each SITE GTM.

Create BIG-IP GTM Pool

Next, we will create a pool of resources that will be used by GTM to route users to an
available Horizon instance.

1. Click on DNS --> GSLB --> Pools.
2. Click Create.
3. In the General Properties Section; Name: HZN-DNS-POOL and Type: A
4. Under the load balancing method, choose Least Connection for the Preferred
method, and Round Robin for the alternate method.
5. To create the member list, click the down arrow** on the right side of the virtual
server box. Choose one of the virtual servers listed with MOD4-HZN-SITE-A_https;
then click Add.
6. Repeat step 5, selecting the other virtual server listed that has
MOD4-HZN-SITE-B_https, and click Add.
7. Click Finished.
8. You will then see the pool show up in the list. Click the "Pool List" tab until you
see the pool's status change to Green.

**Note: You may have to scroll right to see the down arrow due to screen size
limitations.

Setup GTM Wide IP

In this next step, we'll configure the Wide IP. The Wide IP is used to help make the
appropriate load balancing/routing decision to a pool of virtual servers that are
contained within or across data centers. The Wide IP will be used as the FQDN that
returns the IP address of the site the user is directed to.

1. Click on GSLB --> Wide IPs.
2. Click the Create button
3. Name: hzn-dns.wip.corp.local
4. Type: A
5. In the Pools list box, click the down arrow next to Pool. Choose the
HZN-DNS-POOL list, and then click Add.
6. Click Finished.
7. Make sure the Wide IP address returns a green status.

Add BIGIP-02 to Sync Group

We'll now establish the trust and perform the initial sync on BIGIP-02, which copies the
GTM configuration to the other simulated data center. This configuration allows GTM to
fail over to an alternate site in the event of a primary site failure.

1. Maximize the F5-BIG-IP-02 Putty session that was minimized earlier in the
lab. MAKE SURE YOU ARE ON F5-BIG-IP-02; if you run the command in step #2
on F5-BIG-IP-01, the configuration will be deleted.
2. Type in gtm_add 192.168.100.90 and press Enter.
3. When prompted, type y and press Enter.
4. You will see the following message once the sync is completed.
5. Minimize the Putty window.
6. Navigate to the F5-BIG-IP-02 tab in the browser window; click on DNS --> GSLB
--> Wide IP
7. You should see the configuration for GTM from F5-BIG-IP-01; this verifies the
sync is complete.

Enable GTM Sync on F5-BIG-IP-01 and F5-BIG-IP-02

Next, we will turn on the GTM Sync for each BIG-IP.

1. Navigate to the F5-BIG-IP-01 tab in the browser.
2. Click on DNS --> Settings --> GSLB --> General.
3. Check the box to enable Synchronization; Set the group name to BIG-IP, and
check the box to enable Synchronize DNS Zone Files.
4. Scroll to the bottom of the screen and click Update
5. Repeat steps 1 through 4 on F5-BIG-IP-02.

6. When completed, minimize the browser window.

Configure DNS

1. Click on the Windows icon in the Start Menu
2. In the search bar type DNS
3. In the search results select the DNS icon
4. Expand the ControlCenter.corp.local DNS server, then expand the Forward
Lookup Zones section

Configure DNS Records (Continued)

1. Right-click on corp.local in the DNS window and choose New Delegation.
2. Click Next in the Wizard Menu.
3. Type in wip for the Delegated Domain, then click Next.
4. Click the Add button.
5. Type in f5-big-ip-01.corp.local and click the Resolve Button
6. Click the OK button.
7. Repeat steps 4 thru 6, using f5-big-ip-02.corp.local.
8. Compare the image in step 7 with your configuration; if correct, click Next.
9. Click Finish in the Wizard Menu.
10. You will see the DNS zone WIP that will be delegated to the BIG-IP.

Create CNAME DNS Record

We'll now create the CNAME record that will redirect the DNS request to the BIG-IP for
resolution.

1. Right-click on corp.local and choose New Alias (CNAME)...
2. Alias Name: hzn-dns
3. Fully Qualified domain name (FQDN) for target host: hzn-dns.wip.corp.local
The FQDN for target host contains the DNS zone we delegated to BIG-IP. BIG-IP
will resolve the DNS name for anyone trying to resolve hzn-dns.corp.local.

4. Click OK
5. Exit the DNS Management by clicking the "X" in the upper right corner of the
window.

Configure DNS Listening on the BIG-IP

The last step is to configure the BIG-IP to answer DNS requests.

1. Maximize the browser and choose the F5-BIG-IP-01 tab.
2. Click on DNS --> Delivery --> Listeners.
3. Click Create.
4. Type HZN-A-DNS for the name
5. Type in 192.168.110.90 for the Destination IP Address
6. Click the Finished button.
7. You will then see the DNS listener created on F5-BIG-IP-01.
8. Click on the BIGIP-02 tab in the browser and repeat steps 2 through 7 using
HZN-B-DNS as the name and 192.168.110.91 for the Destination IP address.
9. Minimize the browser window.

Testing Access using PING

Now, we are ready to test! First, let's ping the FQDN to make sure we are resolving DNS
properly.

1. Open a command prompt window by clicking on the command prompt icon
located in the lower left corner of the desktop.
2. Type ipconfig /flushdns and press Enter
This will flush out the DNS Cache to ensure the latest entries were updated.
3. Type in ping hzn-dns and press Enter.
4. You should see the DNS name resolve to hzn-dns.wip.corp.local with an IP address
of 192.168.110.90 or 192.168.110.91.
5. Exit the Command Prompt window by clicking the "X" in the upper right corner of
the window.
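
The ping test only shows that one resolution path works. The following PowerShell check is an added example (not part of the original lab) that queries each BIG-IP DNS listener directly for the Wide IP and then follows the CNAME through the default resolver; it assumes it is run from the Control Center desktop and uses only the names and addresses configured in this module.

```powershell
# Added example, not part of the lab. Names and addresses are the ones used in this module.
$WideIp        = 'hzn-dns.wip.corp.local'              # Wide IP created on the BIG-IP
$Alias         = 'hzn-dns.corp.local'                  # CNAME created in the corp.local zone
$Listeners     = [ordered]@{ 'HZN-A-DNS' = '192.168.110.90'; 'HZN-B-DNS' = '192.168.110.91' }
$SiteAddresses = @('192.168.110.90', '192.168.110.91') # answers the ping step expects

function New-CheckResult {
    param($Check, $Server, $Answer, $Result)
    [pscustomobject]@{ Check = $Check; Server = $Server; Answer = ($Answer -join ','); Result = $Result }
}

function Get-AnswerVerdict {
    # An answer is acceptable only if it is non-empty and every address is a known site address.
    param([string[]]$Addresses)
    $unexpected = @($Addresses | Where-Object { $_ -notin $SiteAddresses })
    if (-not $Addresses) { return 'FAIL: no A record returned' }
    if ($unexpected)     { return "FAIL: unexpected address $($unexpected -join ',')" }
    'OK'
}

function Test-Listener {
    # Ask one BIG-IP listener directly, bypassing the Windows DNS server and its delegation.
    param([string]$Name, [string]$Server)
    try {
        $records = Resolve-DnsName -Name $WideIp -Type A -Server $Server -DnsOnly -ErrorAction Stop
    } catch {
        return New-CheckResult $Name $Server @() "FAIL: $($_.Exception.Message)"
    }
    $ips = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    New-CheckResult $Name $Server $ips (Get-AnswerVerdict $ips)
}

function Test-AliasChain {
    # Use the client's configured resolver, which exercises the CNAME and the wip delegation.
    try {
        $records = Resolve-DnsName -Name $Alias -Type A -DnsOnly -ErrorAction Stop
    } catch {
        return New-CheckResult 'alias chain' 'default resolver' @() "FAIL: $($_.Exception.Message)"
    }
    $targets = @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    $ips     = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $verdict = Get-AnswerVerdict $ips
    if ($verdict -eq 'OK' -and $targets -notcontains $WideIp) {
        $verdict = "FAIL: $Alias is not a CNAME for $WideIp"
    }
    New-CheckResult 'alias chain' 'default resolver' $ips $verdict
}

Clear-DnsClientCache    # PowerShell equivalent of the lab's ipconfig /flushdns
$report = @()
foreach ($l in $Listeners.GetEnumerator()) { $report += Test-Listener $l.Key $l.Value }
$report += Test-AliasChain
$report | Format-Table -AutoSize
```

A listener row that fails while the alias chain row passes means the delegation is being served by only one of the two BIG-IPs, which the ping test alone would not reveal.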

Testing Access using Horizon

To simulate the GTM working properly, we will disable the GTM in Site A first and make a
connection to Horizon. We'll then enable the GTM in Site-A and disable the GTM in Site-B
to show GTM working properly.

Disable Site "A"

Maximize the browser and click on the F5-BIG-IP-01 tab.

1. Click on Local Traffic --> Virtual Servers.
2. Locate the MOD4-HZN-SITE-A_https virtual server; check the box next to the
green circle. Click Disable at the bottom of the screen.
3. You will now see the green circle go black, indicating the Site A Virtual Server
hosting view is disabled. Once completed, minimize the browser window.

Site "A" Disabled and Test Access

Maximize the browser and click on the F5-BIG-IP-01 tab.

1. Launch the VMware Horizon Client from the desktop. Click on the "New Server"
icon in the upper left corner of the client.
2. Enter hzn-dns.corp.local as the name of the connection server
3. Click the Connect button.
4. Login as lab1user with the password of VMware1! and then click the Login
button.
5. Launch the Windows 10 Pool.
6. Once the desktop launches, verify you are in the "B" data center by checking the
VM's name in the lower right corner of the screen - the computer name will be
"W10-02A".
7. Click the "X" at the top of the screen to disconnect; click OK if prompted to
disconnect from the desktop. Close out the Horizon View client by clicking the "X"
in the upper left corner of the screen.

Enable Site "A"

Maximize the browser and click on the F5-BIG-IP-01 tab.

1. Click on Local Traffic --> Virtual Servers.
2. Locate the MOD4-HZN-SITE-A_https virtual server; check the box next to the
black circle. Click Enable.
3. You will now see the black circle go green, indicating the Site A Virtual Server
hosting view is enabled.
4. Select the F5-BIG-IP-02 Tab

5. Click on Local Traffic --> Virtual Servers.
6. Locate the MOD4-HZN-SITE-A_https virtual server; check the box next to the
green circle. Click Disable at the bottom of the screen.
7. You will now see the green circle go black, indicating the Site A Virtual Server
hosting view is disabled. Once completed, minimize the browser window.

Disable Site "B"

Click on the F5-BIG-IP-02 tab in the browser.

1. Click on Local Traffic --> Virtual Servers.
2. Locate the MOD4-HZN-SITE-B_https virtual server; check the box next to the
green circle. Click Disable at the bottom of the screen.
3. You will now see the green circle go black, indicating the Site A Virtual Server
hosting view is disabled. Once completed, minimize the browser window.

Site "B" Disabled and Test Access

Maximize the browser and click on the F5-BIG-IP-01 tab.

1. Launch the VMware Horizon Client from the desktop, then double-click on the
"hzn-dns.corp.local" icon.
2. Login as lab1user with the password of VMware1! and then click the Login
button.
3. Launch the Windows 10 Pool.
4. Once the desktop launches, verify you are in the "A" data center by checking the
VM's name in the lower right corner of the screen - the computer name will be
"W10-01A".
5. Click the "X" at the top of the screen to disconnect; click OK if prompted to
disconnect from the desktop. Close out the Horizon View client by clicking the "X"
in the upper left corner of the screen.

Conclusion
This concludes Module 4 - F5 DNS with Horizon for Multi-Site Deployments.
You should have a good understanding of how to configure and deploy the F5
DNS solution with existing Horizon Environments for Global Server Load
Balancing and High Availability.

You've finished Module 4

Congratulations on completing Module 4.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link
• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.

Module 5 - F5 APM with VMware UEM Smart Policy Integration (30 min)

Introduction
In this module you will learn how to configure F5 APM with VMware UEM Smart Policies.

F5 APM with VMware UEM Smart Policy Integration

VMware User Environment Manager (UEM) provides personalization and dynamic policy
configurations across any Windows-based desktop environment (virtual, physical and
cloud), and is a key component of VMware's Horizon Just-In-Time Management Platform
(JMP), the next generation of desktop and application delivery. Utilizing Active Directory
Group Policies and the Horizon Cloud Manager, this solution is engineered to deliver
workplace productivity while driving down the cost of day-to-day desktop support and
operations.

VMware UEM with Smart Policies allows the IT admin to create policies that can control
the behavior of USB redirection, virtual printing, clipboard redirection, client drive
redirection, HTML access file transfer and bandwidth profiles for Horizon protocols such
as PCoIP and Blast Extreme for specific remote desktops.

With VMware UEM and Smart Policies, the IT admin can create policies that take effect
only if certain conditions are met. For example, you can configure a policy that
disables the client drive redirection feature if a user connects to a remote desktop from
outside your corporate network.

F5 APM with VMware UEM Smart Policy Integration

Validate CDR Functional

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center
desktop.

1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Click on the "+ New Server" Button
3. Enter the FQDN "hzn-smart-apm.corp.local" (without quotes); then click the
Connect button
4. Login as lab1user, with a password of "VMware1!" (without quotes); then, click
the Login button.
5. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
6. Confirm the desktop opens and you can access it appropriately.

Validate CDR Functional (Continued)

1. Click on the Windows Start Button icon and type in "cmd" (without quotes)
2. Wait for the Search to complete and click on the Command Prompt Icon at the
top of the search.
3. In the Command line box type "set" (without quotes) and press Enter
4. Once the output is completed, scroll up and look for the environment
variable ViewClient_APMGateway and confirm that it does not exist yet.
This confirms the variable we will create later didn't exist prior to accessing the
environment.

Validate CDR Functional (Continued)

1. Click on the Windows Explorer icon in the taskbar
2. Click on the This PC icon in the left menus

3. Notice in the Devices and drives section that the client drive redirection (CDR)
for Administrator on CONTROLCENTER is listed; this shows that CDR is
enabled and working.

Validate CDR Functional (Continued)

1. Right Click on the Windows Start icon
2. Hover over Shut down or sign out
3. Select Sign out
4. Close out the Horizon client by clicking the "X" in the upper right corner of the
Horizon Client window.

Access the User Environment Manager Console

From the Control Center desktop:

Click on the Management Console shortcut to access the VMware User Environment
Manager - Management Console

Setting up the UEM Smart Policy

1. Click on the User Environment Tab within the Management Console to display
the User based Policies.
2. Select the Horizon Smart Policies item from the left pane.
3. Click the Create button in the top pane.

Setting up the UEM Smart Policy (Continued)

From the Control Center desktop:

1. Click on the Management Console shortcut.
2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

Setting up the UEM Smart Policy (Continued)

1. Click the ADD button.
2. Select Horizon Client Property
3. Enter "APMGateway" (without quotes).
4. Select Exists from the pull down menu.
5. Click the OK button.
6. Verify that the entry exists from the previously entered data.
7. Click the Save button.

Setting up the UEM Smart Policy (Continued)

1. Click on the User Environment Tab within the Management Console to display
the User based Policies.
2. Select the Triggered Tasks item from the left pane.
3. Click the Create button in the top pane.

Setting up the UEM Smart Policy (Continued)

1. Name: "Refresh UEM on Reconnect for Smart Policies" (without quotes).
2. Trigger: Reconnect Session
3. Action: User Environment Refresh
4. Check the box next to Horizon Smart Policies in the Refresh Section.
5. Click the Save button.

Minimize the VMware User Environment Manager - Management Console

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Editing the BIG-IP APM Horizon Instance

From the BIG-IP Admin Screen:

1. Select the Main Tab in the BIG-IP Management Console.
2. Select iApps
3. Select Application Services.
4. Click on the MOD5-HZN-APM name/link.
5. Select the Properties Tab.

6. Change the Application Service from Basic to Advanced.
7. Uncheck the checkbox next to Strict Updates
8. Click the Update button

Editing the BIG-IP APM Horizon Instance (Continued)

From the BIG-IP Admin Screen:

1. Expand the Access Policy
2. Hover the mouse over Access Profiles
3. Select Access profiles List
4. Click the Edit... Link for the MOD5-HZN-APM Profile

Editing the BIG-IP APM Horizon Instance (Continued)

From the BIG-IP Admin Screen:

1. Select the VMware View Policy link in the Visual Policy Editor.
2. Click the Add new entry button
3. Enter "APMGateway" (without quotes) in the Variable Name
4. Enter expr {"true"} in the Value Field
5. Click the Save button

Editing the BIG-IP APM Horizon Instance (Continued)

From the BIG-IP Admin Screen:

1. Click the Apply Access Policy Link - Wait till the Link disappears
2. Click the Close button

Minimize the Browser with the F5 Admin Session

Test Horizon Client Access

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center
desktop.

1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
2. Double click on the previously created server in the list
"hzn-smart-apm.corp.local"
3. Login as lab1user, with a password of "VMware1!" (without quotes); then, click
the Login button.
4. Once the list of desktops and applications is enumerated, choose the "Windows
10 Pool" Desktop from the list.
5. Confirm the desktop opens and you can access it appropriately.

NOTE: If you didn't log off from the previous session, the new policies might
not apply. In that case, log off and log back in for the Smart Policy to apply.

Test Horizon Client Access (Continued)

1. Click on the Windows Start Button icon and type in "cmd" (without quotes)
2. Wait for the Search to complete and click on the Command Prompt Icon at the
top of the search.
3. In the Command line box type "set" (without quotes) and press Enter
4. Once the output is completed, scroll up and look for the environment
variable ViewClient_APMGateway that we entered into the F5 APM earlier.

As you can see, the F5 APM policy has injected the variable into the Horizon session.
This is the variable the Smart Policy we set up earlier uses to block certain features on
the Horizon instance, such as Client Drive Redirection (CDR).

Test Horizon Client Access (Continued)

1. Click on the Windows Start Button icon and type in "Regedit" (without quotes)
2. Wait for the Search to complete and click on the Registry Editor Icon at the top
of the search.
3. Expand out HKEY_CURRENT_USER
4. Expand out SOFTWARE
5. Expand out Policies
6. Expand out VMware, Inc. and verify policies have been modified by the UEM
Smart Policy.

Test Horizon Client Access (Continued)

1. Click on the Windows Explorer icon in the taskbar
2. Click on the This PC icon in the left menus

3. Notice in the Devices and drives section that you only see a Floppy, DVD and
Local Disk (C:), but no client side redirection is there anymore; this proves the
policy is in place and working.
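
The three manual checks above (the set output, the Regedit key and the drive list) can be captured in one pass so the state before and after the APM change can be compared. The following PowerShell is an added example (not part of the original lab) meant to be run inside the Horizon desktop session; it relies only on the variable name and registry key shown in this module, and the verdict wording is this example's own.

```powershell
# Added example, not part of the lab. Run inside the Horizon desktop session.
$MarkerName = 'ViewClient_APMGateway'                 # variable the lab looks for in "set" output
$PolicyRoot = 'HKCU:\SOFTWARE\Policies\VMware, Inc.'  # key the lab opens in Regedit

function Get-PolicyValues {
    # Flatten every value under the policy key so two runs can be compared line by line.
    if (-not (Test-Path -LiteralPath $PolicyRoot)) { return @() }
    $keys = @(Get-Item -LiteralPath $PolicyRoot) + @(Get-ChildItem -LiteralPath $PolicyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $key.GetValue($name) }
        }
    }
}

function Get-SmartPolicyState {
    # The Smart Policy condition in this lab is "APMGateway Exists", so only the
    # presence of the variable matters, not its value.
    $marker = [Environment]::GetEnvironmentVariable($MarkerName)
    $values = @(Get-PolicyValues)
    $verdict = if ($null -eq $marker) {
        'Marker absent: session was not tagged by APM, so the Exists condition cannot match'
    } elseif ($values.Count -eq 0) {
        'Marker present but no policy values written: log off and back on, then re-check'
    } else {
        'Marker present and policy values written: compare them with the Smart Policy settings'
    }
    [pscustomobject]@{
        MarkerPresent = ($null -ne $marker)
        MarkerValue   = $marker
        PolicyValues  = $values
        Verdict       = $verdict
    }
}

$state = Get-SmartPolicyState
$state | Format-List MarkerPresent, MarkerValue, Verdict
$state.PolicyValues | Format-Table -AutoSize
```

Because the condition only tests whether the variable exists, a session that reaches the desktop without the variable set is left with client drive redirection enabled, as the first validation pass in this module showed.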

Test Horizon Client Access (Continued)

1. Once completed, click on the "X" in the upper right corner of the screen.
2. When asked to disconnect, Choose "OK".
3. If you wish to test other desktops and applications, feel free to do so.
4. When finished, close out all the launched desktops and applications. Then close
out the Horizon client by clicking the "X" in the upper right corner of the Horizon
Client window.


5. If prompted, click OK.


Conclusion
This concludes Module 5 - F5 APM with VMware UEM Smart Policy Integration.
You should have a good understanding of how to configure the F5 APM
solution with an existing APM Horizon Deployment, as well as configure
VMware UEM to leverage Smart Policies from the injected variables in the
Horizon connections.

You've finished Module 5

Congratulations on completing Module 5.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link
• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR Code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.

Module 6 - F5 LTM with AppVolumes (45 min)

Introduction
In this module you will learn how to configure the F5 as a Load Balancer for the App
Volumes Manager.

Load Balancing App Volumes Manager Servers

App Volumes is a just-in-time method for integrating and delivering applications to
virtualized desktop and Remote Desktop Services (RDS) based computing
environments.

VMware App Volumes Manager is delivered as software on top of a Windows Server OS,
with agents deployed within VDI that contact the Manager's FQDN once configured for
HA. It is easy to deploy onsite and integrate with existing enterprise services.
Organizations can centralize and simplify application delivery.

Due to the limited capabilities of this lab, only the configuration will be done for the
App Volumes Managers; there are no agents accessible to test and load balance the
agent side. This method has been tested and documented by F5 and VMware.


F5 LTM with AppVolumes


In this lab module, due to Lab limitations we will load balance one (1) instance of
VMware App Volumes Manager.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the address you are redirected to is https://f5-big-ip-01.corp.local

Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Create Client SSL Profile

From the BIG-IP Admin Screen:

1. Click on Local Traffic
2. Hover over to Profiles >> SSL >> Client (Do not click yet!)
3. Click the Plus symbol (+) to the right of "Client" to create a new SSL Client Profile

Create Client SSL Profile (continued)

Create a new SSL Client profile with the following properties:

1. Name: MOD6-AppVolumes-SSL
2. Parent Profile: clientssl
3. Custom Checkbox Checked for "Certificate Key Chain"
4. Click the "Add" Button
5. Certificate: CORP.LOCAL_WILDCARD
6. Key: CORP.LOCAL_WILDCARD
7. Chain: CORP.LOCAL_WILDCARD
8. Click the "Add" Button to add the information to the Certificate Key Chain

Scroll to the bottom of the page and click "Finished"

Create Server SSL Profile

From the BIG-IP Admin Screen:

1. Click on Local Traffic
2. Hover over to Profiles >> SSL >> Server (Do not click yet!)
3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Server
Profile

Create Server SSL Profile (continued)

Create a new SSL Server profile with the following properties:

1. Name: MOD6-AppVolumes-Server-SSL
2. Parent Profile: serverssl
3. Click the "Finished" button.


Create HTTP Profile

After creating the SSL Client profile, we must create an HTTP Profile.

• Browse to the HTTP Service, from the top Menu bar, by clicking 1. Services, then
2. HTTP
• Then click the "Create" button in the upper right hand corner of the HTTP Profiles
table.


Create HTTP Profile (continued)

Create a new HTTP Profile with the following settings:

1. Name: MOD6-AppVolumes-HTTP
2. Parent Profile: http
3. Ensure the checkbox for "Insert X-Forwarded-For" is Checked
4. Insert X-Forwarded-For: Enabled

After applying the settings above, scroll to the bottom and click "Finished"

*X-Forwarded-For Headers. You must enable X-Forwarded-For headers on your load
balancer.

Create Persistence Profile

After creating the HTTP profile, we must create a Persistence Profile.

1. Click on Local Traffic
2. Hover over to Profiles >> Persistence
3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Persistence
Profile.

Create Persistence Profile (continued)

Create a Persistence Profile with the following settings:

1. Name: MOD6-AppVolumes-persistence
2. Persistence Type: Cookie
3. Then scroll to the bottom of the page and click the "Finished" button


Create Health Monitor

After creating the Persistence Profile, we must create a Health Monitor.

1. Click on Local Traffic
2. Hover over to Monitors
3. Click the Plus symbol (+) to the right of "Monitors" to create a new Monitor.

Create Health Monitor (Continued)

Create a Health Monitor with the following settings:

1. Name: MOD6-AppVolumes-Monitor
2. Type: HTTPS
3. Interval: 30 Seconds
4. Timeout: 15 Seconds
5. Send String: GET /login HTTP/1.1\r\nHost: appvolumes.corp.local\r\nConnection: Close\r\n\r\n
6. Receive String: App Volumes Manager Login
7. Leave all remaining values default
8. Scroll to the bottom and click the "Finished" Button

Create Pool

We must now create the VMware App Volumes pool for the BIG-IP Appliance to monitor.

1. From the left-hand menu, Under Local Traffic
2. Hover over Pools >> Pool List (Do not click yet!)
3. Click the plus symbol (+) to create a new pool.

Create Pool (continued) - Pool Configuration

Create a Pool with the following settings:

1. Name: MOD6-AppVolumes-Pool
2. Health Monitors: MOD6-AppVolumes-Monitor


Create Pool (continued) - Resources Node 1

Under Resources, add a new member with the following settings:

1. Load Balancing Method: Least Connections (member)
2. Select the "New Node" radio button
3. Node Name: appvol-01a.corp.local
4. Address: 192.168.110.49
5. Service Port: 443 [HTTPS]
6. Click the "Add" button.

Create App Volumes Pool (continued) - Resources Node 2

Repeat the steps from the last section to create an entry for the second App Volumes
Manager.

1. Node Name: appvol-02a.corp.local
2. Address: 192.168.110.50
3. Service Port: 443 [HTTPS]
4. Click the "Add" button.
5. After you have added the second node, scroll to the bottom of the page and click
"Finished"

NOTE: The second node does not exist in this lab because of limited resources.
It will be offline, but the steps show how to add the additional node.

Create a Virtual Server

After we have configured our Pool, we can continue and create a Virtual Server.

From the left-hand menu, Under Traffic Manager

1. From the left-hand menu, Under Local Traffic
2. Hover over Virtual Servers >> Virtual Server List (Do not click yet!)
3. Click the plus symbol (+) to create a new Virtual Server.

Create a Virtual Server (continued) - General Properties


Under the General Properties of the Virtual Server, enter the following settings:

1. Name: MOD6-AppVolumes
2. Destination Address: 192.168.130.160
3. Service Port: 443 [HTTPS]

Continue to the next step...

Create a Virtual Server (continued) - Configuration

Under the Configuration properties of the Virtual Server, enter the following settings:

1. Protocol Profile (Client): tcp-wan-optimized
2. Protocol Profile (Server): tcp-lan-optimized
3. HTTP Profile: MOD6-AppVolumes-HTTP
4. SSL Profile (Client): MOD6-AppVolumes-SSL
5. SSL Profile (Server): MOD6-AppVolumes-Server-SSL
6. Source Address Translation: Auto Map

Continue to the next step...

Create a Virtual Server (continued) - Resources

Under the Resource properties of the Virtual Server, enter the following settings:

1. Default Pool: MOD6-AppVolumes-Pool
2. Default Persistence Profile: MOD6-AppVolumes-Persistence
3. Once you have completed all the steps, scroll to the bottom of the page and click
the "Finished" button.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, enter the URL https://appvolumes.corp.local

Browser Validation

Browser validation shows that, when using the F5 load-balanced URL, the certificate
is still valid for the new website.

1. The green lock in the Google Chrome browser indicates that the certificate is valid
2. You can further validate functionality of the browser by logging into the
AppVolumes Manager

Username: Administrator

Password: VMware1!

Note: Due to lab limitations, only browser validation is available.

Conclusion
This concludes Module 1 - F5 LTM with Horizon Connection Servers. You
should have a good understanding of how to deploy the F5 iAPP solution with
Horizon Connection Servers for Load Balancing and High Availability.

You've finished Module 1

Congratulations on completing Module 1.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link
• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR Code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.
• Module 7 - F5 LTM with VMware Identity Manager Integration (45
minutes) (Intermediate) This lab focuses on using the F5 to deploy a load
balanced solution for VMware Identity Manager Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.

Module 7 - F5 LTM with VMware Identity Manager Integration (45 min)

Introduction
In this module you will learn how to configure the F5 as a Load Balancer for the VMware
Identity Manager Portal.

Load Balancing the VMware Identity Manager Portal

VMware Identity Manager combines applications and desktops in a single, aggregated
workspace. Employees can then access the desktops and applications regardless of
where they are based. With fewer management points and flexible access, Identity
Manager reduces the complexity of IT administration.

Identity Manager is delivered as a virtual appliance (VA) that is easy to deploy onsite
and integrate with existing enterprise services. Organizations can centralize assets,
devices, and applications and manage users and data securely behind the firewall.
Users can share and collaborate with external partners and customers securely when
policy allows.

This lab provides step-by-step instructions for setting up the first Identity Manager
virtual appliance (Node 1). For production implementations, VMware recommends the
deployment of two (2) additional nodes for a total of three (3). Nodes 2 and 3 will
be cloned from the first node after it has been configured and set up with the F5 to
provide a fully load balanced configuration.

Due to the resource constraints of this lab, only the setup of the LTM configuration
and the setup of the first node (Node 1) will be completed.

F5 LTM with VMware Identity Manager Integration
In this lab module, due to Lab limitations we will load balance one (1) instance of
VMware Identity Manager Portal.

Access the BIG-IP Web Management Console

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make
sure the address you are redirected to is https://f5-big-ip-01.corp.local

Login to BIG-IP Web Administrator

Once the BIG-IP Login Screen appears:

1. Type "admin" (without quotes) in the username box.
2. Type "VMware1!" (without quotes) in the password box.
3. Click the "Login" button.

Create Client SSL Profile

From the BIG-IP Admin Screen:

1. Click on Local Traffic
2. Hover over to Profiles >> SSL >> Client (Do not click yet!)
3. Click the Plus symbol (+) to the right of "Client" to create a new SSL Client Profile

Create Client SSL Profile (continued)

Create a new SSL Client profile with the following properties:

1. Name: MOD7-VIDM-SSL
2. Parent Profile: clientssl
3. Custom Checkbox Checked for "Certificate Key Chain"
4. Click the "Add" Button
5. Certificate: CORP.LOCAL_WILDCARD
6. Key: CORP.LOCAL_WILDCARD
7. Chain: CORP.LOCAL_WILDCARD
8. Click the "Add" Button to add the information to the Certificate Key Chain

Scroll to the bottom of the page and click "Finished"

Create HTTP Profile

After creating the SSL Client profile, we must create an HTTP Profile.

• Browse to the HTTP Service, from the top Menu bar, by clicking 1. Services, then
2. HTTP
• Then click the "Create" button in the upper right hand corner of the HTTP Profiles
table.


Create HTTP Profile (continued)

Create a new HTTP Profile with the following settings:

1. Name: MOD7-VIDM-HTTP
2. Parent Profile: http
3. Ensure the checkbox for "Insert X-Forwarded-For" is Checked
4. Insert X-Forwarded-For: Enabled

After applying the settings above, scroll to the bottom and click "Finished"

*X-Forwarded-For Headers. You must enable X-Forwarded-For headers on your load
balancer.

Create Persistence Profile

After creating the HTTP profile, we must create a Persistence Profile.

1. Click on Local Traffic
2. Hover over to Profiles >> Persistence
3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Persistence
Profile.

Create Persistence Profile (continued)

Create a Persistence Profile with the following settings:

1. Name: MOD7-VIDM-persistence
2. Persistence Type: Cookie
3. Then scroll to the bottom of the page and click the "Finished" button


Create Health Monitor

After creating the Persistence Profile, we must create a Health Monitor.

1. Click on Local Traffic
2. Hover over to Monitors
3. Click the Plus symbol (+) to the right of "Monitors" to create a new Monitor.

Create Health Monitor (Continued)

Create a Health Monitor with the following settings:

1. Name: MOD7-VIDM-Monitor
2. Type: HTTPS
3. Interval: 5 Seconds
4. Timeout: 16 Seconds
5. Send String: GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
6. Receive String: ok$
7. Receive Disable String: 404
8. Leave all remaining values default
9. Scroll to the bottom and click the "Finished" Button
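
The HTTPS monitors defined in Module 6 and Module 7 can be checked offline before the values are typed into the GUI. The Python below is an added example, not part of the original lab or of any F5 tooling: it expands each Send String, lints the interval/timeout pair and the Host header, and classifies constructed sample responses against the Receive and Receive Disable strings. The function names, finding codes, sample responses and the rule that the Receive String is checked first are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Monitor:
    name: str
    interval: int           # seconds between probes
    timeout: int            # seconds without a good reply before marking down
    send: str               # Send String as typed, with literal \r\n escapes
    recv: str               # Receive String, treated as a regular expression
    recv_disable: str = ""  # Receive Disable String (optional)


# Settings copied from the Module 6 and Module 7 monitor steps on this page.
MOD6 = Monitor(
    "MOD6-AppVolumes-Monitor", 30, 15,
    r"GET /login HTTP/1.1\r\nHost: appvolumes.corp.local\r\nConnection: Close\r\n\r\n",
    "App Volumes Manager Login")
MOD7 = Monitor(
    "MOD7-VIDM-Monitor", 5, 16,
    r"GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n",
    "ok$", "404")


def parse_request(send):
    """Expand the escaped Send String and split it into request parts."""
    raw = send.replace(r"\r\n", "\r\n")
    head, blank_line, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "terminated": bool(blank_line)}


def lint(m):
    """Return finding codes for settings that commonly cause false 'down' states."""
    findings = []
    req = parse_request(m.send)
    if not req["terminated"]:
        findings.append("request-not-terminated")
    # HTTP/1.1 requires a Host header; an empty value is legal, but a backend
    # that routes on host name may then answer from its default site.
    if req["version"] == "HTTP/1.1" and not req["headers"].get("host"):
        findings.append("empty-host")
    # F5's guidance is timeout = 3 * interval + 1. A timeout at or below the
    # interval expires before a second probe can be sent.
    if m.timeout <= m.interval:
        findings.append("timeout-not-above-interval")
    elif m.timeout < 3 * m.interval + 1:
        findings.append("timeout-below-3x-interval-plus-1")
    return findings


def evaluate(m, response):
    """Classify a response against the monitor's strings.

    Assumption: the Receive String is checked first, so a reply matching both
    strings counts as up. This is a simplified model, not BIG-IP code.
    """
    if re.search(m.recv, response):
        return "up"
    if m.recv_disable and re.search(m.recv_disable, response):
        return "disabled"
    return "down"


# Constructed sample responses (not captured from the lab appliances).
HEARTBEAT_OK = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
HEARTBEAT_404 = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
HEARTBEAT_503 = "HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
LOGIN_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              "<html><title>App Volumes Manager Login</title></html>")

if __name__ == "__main__":
    for mon in (MOD6, MOD7):
        print(mon.name, "lint:", lint(mon) or "clean")
    for label, resp in (("200", HEARTBEAT_OK), ("404", HEARTBEAT_404),
                        ("503", HEARTBEAT_503)):
        print("MOD7", label, "->", evaluate(MOD7, resp))
    print("MOD6 login page ->", evaluate(MOD6, LOGIN_PAGE))
```

Run against the values on this page, the Module 6 monitor is flagged because its 15-second timeout is below its 30-second interval, and the Module 7 monitor is flagged for the empty Host header in its Send String.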

Create Pool

We must now create the VMware Identity Manager Pool for the BIG-IP Appliance to
monitor.

1. From the left-hand menu, Under Local Traffic
2. Hover over Pools >> Pool List (Do not click yet!)
3. Click the plus symbol (+) to create a new pool.

Create Pool (continued) - Pool Configuration

Create a Pool with the following settings:

1. Name: MOD7-VIDM-Pool
2. Health Monitors: MOD7-VIDM-Monitor


Create Pool (continued) - Resources Node 1

Under Resources, add a new member with the following settings:

1. Load Balancing Method: Least Connections (member)
2. Select the "New Node" radio button
3. Node Name: vidm-01a.corp.local
4. Address: 192.168.110.82
5. Service Port: 443 [HTTPS]
6. Click the "Add" button.

Create App Volumes Pool (continued) - Resources Node 2 & 3

Repeat the steps from the last section to create an entry for the second and third
VMware Identity Manager Servers.

1. Node Name: vidm-02a.corp.local
2. Address: 192.168.110.101
3. Service Port: 443 [HTTPS]
4. Click the "Add" button.
5. Repeat Steps 1-4 for the third node with a Node Name of vidm-03a.corp.local, an
Address of 192.168.110.102 and a Service Port of 443
6. After you have added the second node, scroll to the bottom of the page and click
"Finished"

NOTE: The second and third nodes do not exist in this lab because of limited
resources, and because when deploying VIDM the configurations for the other
two nodes would be cloned from the first node. In a real 3 node production
environment, all configurations, including the load balancer setup, must be
done prior to cloning the second and third nodes.

NOTE: Nodes 2 and 3 will be offline, but the steps show how to add the additional
nodes.

Create a Virtual Server

After we have configured our Pool, we can continue and create a Virtual Server.

From the left-hand menu, Under Traffic Manager

1. From the left-hand menu, Under Local Traffic
2. Hover over Virtual Servers >> Virtual Server List (Do not click yet!)
3. Click the plus symbol (+) to create a new Virtual Server.

Create a Virtual Server (continued) - General Properties


Under the General Properties of the Virtual Server, enter the following settings:

1. Name: MOD6-VIDM
2. Destination Address: 192.168.130.170
3. Service Port: 443 [HTTPS]

Continue to the next step...

Create a Virtual Server (continued) - Configuration

Under the Configuration properties of the Virtual Server, enter the following settings:

1. Protocol Profile (Client): tcp-wan-optimized
2. Protocol Profile (Server): tcp-lan-optimized
3. HTTP Profile: MOD7-VIDM-HTTP
4. SSL Profile (Client): MOD7-VIDM-SSL
5. SSL Profile (Server): MOD7-VIDM-Server-SSL
6. Source Address Translation: Auto Map

Continue to the next step...

Create a Virtual Server (continued) - Resources

Under the Resource properties of the Virtual Server, enter the following settings:

1. Default Pool: MOD7-VIDM-Pool
2. Default Persistence Profile: MOD7-VIDM-Persistence
3. Once you have completed all the steps, scroll to the bottom of the page and click
the "Finished" button.

Configuring the VMware Identity Manager FQDN

Log onto the VMware Identity Manager Portal Appliance Configuration Page

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, type in the following address:
https://vidm-01a.corp.local:8443/cfg/login
3. Press enter to browse to the page.

Log onto the Identity Manager Portal Appliance Configuration Page

Login with the following password:

• VMware1!

Change the Workspace FQDN

***NOTE*** In Production environments it is required to import the Root CA of the
namespace certificate being used on the F5 into the vIDM VM.

The Root CA was already imported to conserve time on restarting services.

Once in the Workspace Appliance Configuration Page:

1. Select "Identity Manager FQDN" from the left-hand menu
2. Enter the following for Identity Management FQDN: https://vidm.corp.local
3. Click "Save"

Confirming the FQDN Name change

***NOTE*** This process can take up to 5 minutes

Once the FQDN update starts, we should be prompted with a pop-up screen that
displays the progress.

If we've completed every step successfully then we should be prompted with four (4)
green checkmarks. If that is the case, please continue to the next step.

Enabling the New End User Portal UI

In VMware Identity Manager versions 2.6 and above, a new User Interface is enabled
by default during deployment of the appliances. However, when configuring behind a
load balancer, the UI is disabled by default and must be re-enabled to ensure proper
accessibility to the environment. Above is an example of what happens if you try to
log in to a VMware Identity Manager Portal that is load balanced behind the F5 without
enabling the New UI.

Logging into the Identity Manager Administrative Portal Manually

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, type in the following address:
https://vidm-01a.corp.local:8443/SAAS/admin/ then press enter to browse to the
page.
3. Select the "System Domain" and make sure that "Remember this setting" is
UNCHECKED and click the Next button.
4. Login with username admin and password VMware1! and click the "Sign In"
button.

Accessing the Catalog Settings

Once Logged Into the Administrative Portal:

1. Click on the Pull Down Arrow next to "Catalog".
2. Click on Settings

New End User Portal UI Setting

In the Catalog Settings Menus:

1. Click on "New End User Portal UI".
2. Click on "Enable New Portal UI"
3. After a few seconds you should see the Portal Enabled Successfully.

You can now Close the Administrative UI Tab out of your browser and continue onto the
next step.

Testing the load balanced Identity Manager Portal configuration

In this section we will test the load balanced configuration to verify that, in fact, the
BIG-IP appliance is balancing the connection.

Login to the Identity Manager Portal

From the Control Center desktop:

1. Click on the Chrome shortcut.
2. When the browser is launched, type in the following address:
https://vidm.corp.local
3. Press enter to browse to the page.

Verify domain page is displayed

Ensure the domain is "corp.local" and click the "Next >>" button

Verify login page is displayed

Login with the following credentials:

• lab1user
• VMware1!

**Note** If after entering your credentials, the page does not proceed to log you in -
terminate the entire browser instance and open a new session.


View Identity Manager Portal

You have successfully logged into a load balanced instance of Identity Manager Portal!

NOTE: In Production scenarios the first appliance would be configured fully
behind the load balancer and configured for all of the settings required for it
to be considered an operational node (Active Directory/Authentication
Policies/etc.). After that, the first node would be shut down and cloned. This lab
does not go through those steps as there aren't enough resources to clone/
test this. VMware provides documentation on the process to clone the
additional nodes at https://communities.vmware.com/docs/DOC-33552

Conclusion
This concludes Module 7 - F5 LTM with Identity Manager Integration. You
should have a good understanding of how to deploy the F5 iAPP solution with
VMware Identity Manager for Load Balancing and High Availability.

You've finished Module 7

Congratulations on completing Module 7.

If you are looking for additional information on F5 and Horizon Integrations try one of
these:

• Click on this link
• Or go to http://bit.ly/2tHfe4G
• Or use your smart device to scan the QR Code.

Proceed to any module below which interests you most.

• Module 1 - F5 LTM with Horizon Connection Servers (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
solution for VMware Horizon (formerly known as View) Connection Servers.
• Module 2 - F5 LTM with Horizon Unified Access Gateway Servers (45
minutes) (Intermediate) This lab focuses on using the F5 iAPP to deploy a load
balanced solution for VMware Horizon (formerly known as View) Unified Access
Gateway Servers.
• Module 3 - F5 APM with Horizon Alternative Gateway (45 minutes)
(Intermediate) This lab focuses on using the F5 iAPP to deploy a load balanced
proxied solution for VMware Horizon (formerly known as View).
• Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 minutes)
(Advanced) This lab focuses on using the F5 to deploy a Global Load Balanced
solution for VMware Horizon (formerly known as View) multi-site solutions.
• Module 5 - F5 APM with VMware UEM Smart Policy Integration (45
minutes) (Advanced) This lab focuses on modifying the existing deployed APM
with Horizon Alternative Gateway to inject variables to allow for UEM Smart Policy
Integration.
• Module 6 - F5 LTM with App Volumes Integration (45 minutes)
(Intermediate) This lab focuses on using the F5 to deploy a load balanced solution
for VMware App Volumes Servers.

How to End Lab and not continue on to other modules in this lab

You can continue on to other modules in this lab or you can end your lab completely by
clicking on the END button.


Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1859-01-ADV

Version: 20170920-143811
