Horizon View Load Balancing – NetScaler 11

Navigation

Use this procedure to load balance Horizon View Connection Servers or Horizon View Security Servers.

• Overview
• Monitors
• Servers
• Services
• Load Balancing Virtual Servers
• Persistency Group
• Horizon View Configuration

Overview

A typical Horizon View Installation will have at least six connection servers:

• Two Internal View Connection Servers – these need to be load balanced on an internal VIP
• Two DMZ View Security Servers – these need to be load balanced on a DMZ VIP
• The DMZ View Security Servers are paired with two additional internal View Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

Monitors

Users connect to Horizon View Connection Server and Horizon View Security Server on four ports: TCP 443, TCP 8443, TCP 4172, and UDP 4172. Users will initially connect to port 443 and then be redirected to one of the other ports on the same server initially used for the 443 connection. If one of the ports is down, the entire server should be removed from load balancing. To facilitate this, create a monitor for each of the ports (except UDP 4172).

1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
   
2. On the right, click Add.
   
3. Name it View-PCOIP or similar.
4. Change the Type drop-down to TCP.
   
5. In the Destination Port field, enter 4172.
   
6. Scroll down and click Create.
   
7. On the right, click Add.
   
8. Name it View-Blast or similar.
9. Change the Type drop-down to TCP.
   
10. In the Destination Port field, enter 8443.
    
11. Scroll down and click Create.
    
12. On the right, click Add.
    
13. Name it View-SSL or similar.
14. Change the Type drop-down to HTTP-ECV.
    
15. In the Destination Port field, enter 443.
    
16. Scroll down and check the box next to Secure.
    
17. On the Special Parameters tab, in the Send String section, enter GET /broker/xml
18. In the Receive String section, enter clientlaunch-default
19. Scroll down and click Create.
    
20. View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it. Right-click the existing View-SSL monitor and click Add.
    
21. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name.
    
22. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired View Connection Server IP.
    

Servers

Create Server Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
   
2. On the right, click Add.
   
3. Enter a descriptive server name, usually it matches the actual server name.
4. Enter the IP address of the View Connection Server or View Security Server.
5. Enter comments to describe the server. Click Create.
   
6. Continue adding View Connection Servers or View Security Servers.
   

Services

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

• Create services for SSL 443
• To verify server availability, monitor port TCP 443 on the same server.
• If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create services and monitors for these ports.

Security Servers are more complex:

• The PCoIP Secure Gateway and HTML Blast Secure Gateway are typically enabled on Security Servers but they are not typically enabled on internal Connection Servers.
• All traffic initially connects on TCP 443. For Security Servers, the clients then connect to UDP 4172 or TCP 8443 on the same Security Server. If UDP 4172 or TCP 8443 are down, then you probably want to make sure TCP 443 is also brought down.
• Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down.
• To accommodate these failure scenarios, bind multiple monitors to the View Security Server. If any of the monitors fails then NetScaler will no longer forward traffic to 443 on that particular server.

If you have two View Security Servers named VSS01 and VSS02, the configuration is summarized as follows (scroll down for detailed configuration):

• Server = VSS01, Protocol = SSL_BRIDGE, Port = 443
  • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
  • Monitor = SSL (443) for paired View Connection Server VCS01
• Server = VSS02, Protocol = SSL_BRIDGE, Port = 443
  • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
  • Monitor = SSL (443) for paired View Connection Server VCS02
• Server = VSS01, Protocol = TCP, Port = 4172
  • Monitor = PCoIP (TCP 4172)
• Server = VSS02, Protocol = TCP, Port = 4172
  • Monitor = PCoIP (TCP 4172)
• Server = VSS01, Protocol = UDP, Port = 4172
  • Monitor = PCoIP (TCP 4172)
• Server = VSS02, Protocol = UDP, Port = 4172
  • Monitor = PCoIP (TCP 4172)
• Server = VSS01, Protocol = SSL_BRIDGE, Port = 8443
  • Monitor = Blast (8443)
• Server = VSS02, Protocol = SSL_BRIDGE, Port = 8443
  • Monitor = Blast (8443)

If you are not using HTML Blast then you can skip 8443. If you are not using PCoIP Secure Gateway, then you can skip the 4172 ports.

1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
   
2. On the right, click Add.
   
3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
4. Change the selection to Existing Server and select the View Security Server or internal (non-paired) View Connection Server you created earlier.
5. Change the Protocol to SSL_BRIDGE and click OK.
   
6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
   
7. Ignore the current monitor and click Add Binding.
   
8. Click the arrow next to Click to select.
   
9. Select the View-SSL monitor and click Select.
   
10. Then click Bind.
    
11. If this server will host PCoIP Secure Gateway and/or Blast Secure Gateway, add monitors for them too. If any of those services fails, then 443 needs to be marked DOWN.
    
    
12. If this is a View Security Server, also add a monitor that has the IP address of the paired View Connection Server. If the paired View Connection Server is down, then stop sending connections to this View Security Server.
    
13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
    
14. Then click Done.
    
15. Right-click the first service and click Add.
    
16. Change the name to match the second View Server.
17. Select Existing Server and use the Server drop-down to select to the second View Server.
18. The remaining configuration is identical to the first server. Click OK.
    
19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.
    
    
20. Add another Service for PCoIP on TCP 4172.
    1. Name = svc-VSS01-PCoIPTCP or similar.
    2. Server = Existing Server, select the first View Server.
    3. Protocol = TCP
    4. Port = 4172.
       
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
       
21. Repeat for the 2^nd View Security Server.
    
22. Add another Service for PCoIP on UDP 4172.
    1. Name = svc-VSS01-PCoIPUDP or similar.
    2. Existing Server = first View Server
    3. Protocol = UDP
    4. Port = 4172.
       
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
       
23. Repeat for the 2^nd View Server.
    
24. Add another Service for HTML Blast on SSL_BRIDGE 8443.
    1. Name = svc-VSS01-HTMLBlast or similar.
    2. Existing Server = the first View Server
    3. Protocol = SSL_BRIDGE
    4. Port = 8443.
       
    5. Monitors = View-Blast. You can add the other monitors if desired.
       
25. Repeat for the 2^nd View Server.
    
26. The eight services should look something like this:
    
27. Repeat these instructions to add the internal (non-paired) View Connection Servers except that you only need to add services for SSL_BRIDGE 443 and only need monitoring for 443.

Load Balancing Virtual Servers

Create separate load balancers for internal and DMZ.

• Internal load balances the two non-paired Internal View Connections Servers.
• DMZ load balances the two View Security Servers.

The paired View Connection Servers do not need to be load balanced.

For the internal View Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, tunneling is enabled on the View Security Servers so you will need separate load balancers for each port number. Here is a summary of the Virtual Servers:

• Virtual Server on SSL_BRIDGE 443 – bind both View SSL Services.
• Virtual Server on UDP 4172 – bind both View PCoIPUDP Services.
• Virtual Server on TCP 4172 – bind both View PCoIPTCP Services.
• Virtual Server on SSL_BRIDGE 8443 – bind both View Blast Services.

Do the following to create the Virtual Servers:

1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
   
   
2. On the right click Add.
   
3. Name it View-SSL-LB or similar.
4. Change the Protocol to SSL_BRIDGE.
5. Specify a new internal VIP. This one VIP will be used for all of the Virtual Servers.
6. Enter 443 as the Port.
7. Click OK.
   
8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
   
9. Click the arrow next to Click to select.
   
10. Select the two View-SSL Services and click Select.
    
11. Click Bind.
    
12. Click Continue.
    
13. Then click Done. Persistency will be configured later.
    
14. If this is a View Security Server or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
       
    3. Services = the PCoIP UDP Services.
       
15. If this is a View Security Server or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
       
    3. Services = the PCoIP TCP Services.
       
16. If this is a View Security Server or if tunneling is enabled then create another Load Balancing Virtual Server for HTML Blast SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
       
    3. Services = the HTML Blast SSL_BRIDGE Services.
       
17. This gives you four Virtual Servers on the same VIP but different protocols and port numbers.
    

Persistency Group

For Security Servers, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

If tunneling is disabled on the internal View Connection Servers then you probably only have one load balancer for those servers and thus you could configure persistence directly on that one load balancer instead of creating a Persistency Group. However, since the View Security Servers have multiple load balancers then you need to bind them together into a Persistency Group.

1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
   
2. On the right, click Add.
   
3. Give the Persistency Group a name (e.g. View).
4. Change the Persistence to SOURCEIP.
5. Enter a timeout that is equal to or greater than the timeout in View Administrator, which defaults to 10 hours (600 minutes).
6. In the Virtual Server Name section, click Add.
   
7. Move all four View Security Server / View Connection Server Load Balancing Virtual Servers to the right. Click Create.
   

Horizon View Configuration

1. On the View Security Servers (or View Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
   
2. Make sure the private key is exportable.
   
3. Set the Friendly Name to vdm and restart the View Security Server services.
   
4. In View Administrator, go to View Configuration > Servers.
   
5. On the right, switch to the Security Servers tab.
6. Highlight a server and click Edit.
   
7. Change the URLs to the FQDN that resolves to the load balancing VIP.
8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.