4. NSX AVI Loadbalancer Integration with Horizon

You must complete Lab 2 and Lab 3 before beginning this lab. This lab guides you through configuring a load balancer for the Unified Access Gateways deployed in Lab 3.

Deploying the AVI load balancer involves two main components:

AVI Controller:
The Avi Controller is the centralized brain that spans datacenters and clouds. It has full visibility across the environments and automates the deployment and management of the load-balancing endpoints, which are called Service Engines.
One AVI Controller can manage the Service Engines across both sites, provided all the network configuration is in place. In our lab the Avi Controller is pre-deployed in Site-2 and manages both Service Engines.

Service Engine:
The Service Engine is the load-balancer component that runs in each datacenter and is managed by the AVI Controller. In this lab you will see how Service Engines (SEs) are configured as a load balancer to fulfil the requests for the applications behind them.
In our case the applications are the UAGs in both Site-1 and Site-2.

Part 1 - AVI Integration with UAG Servers Site-1

Section 1 - AVI Integration with UAG Servers in Site1

FQDN                         Entity Description               Real IP
uag-hzn-avi01.techseals.co   FQDN of Avi LB VIP Site-1        172.16.20.100
uag-hzn-01a.techseals.co     FQDN of UAG server 1 on Site 1   172.16.20.10
uag-hzn-01b.techseals.co     FQDN of UAG server 2 on Site 1   172.16.20.11
  1. On your ControlCenter server
    • from the Taskbar
    • select the DNS admin shortcut
  2. In the DNS Admin Console
    • select and expand Forward Lookup Zones
    • select and expand techseals.co
      • right-click techseals.co
    • in the menu bar
      • select New Host (A or AAAA)...
  3. In the New Host window
    • under Name
      • enter uag-hzn-avi01
    • under IP address
      • enter 172.16.20.100
    • select Add Host
  4. In the DNS window
    • select OK to close it
    • in the New Host window
      • in the top-right corner
        • select x to close the window
  5. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
      • from the Favourites bar,
        • select Avi Vantage Controller
  6. In the VMware NSX ALB (Avi) page
    • In the Username area,
      • enter admin
    • In the Password area
      • enter Pa$$w0rd
    • select LOG IN

We will now move on to verifying the custom Health Monitor profile.

Part 2: Verify Custom Health Monitor Profile

The next step is to validate the custom Health Monitor profile.
Note: this profile is pre-created.

  1. From the NSX-ALB console,
    • Navigate to Templates > Profiles
      • Under Profiles
        • Select Health Monitors > Horizon-HTTPS
        • Click the pencil icon to the right of Horizon-HTTPS
  2. On the Edit Health Monitor: Horizon-HTTPS page,
    • Validate the following configuration
      • Name: Horizon-HTTPS
      • Type: HTTPS
      • Send Interval: 30
      • Receive Timeout: 10
  3. On the Edit Health Monitor: Horizon-HTTPS page,
    • Scroll down to the HTTPS Settings section
    • Under Client Request Header: GET /favicon.ico HTTP/1.0
  4. On the Edit Health Monitor: Horizon-HTTPS page,
    • Scroll down until you locate Response Code*
      • Response Code*: 2XX
      • Next to SSL Attributes: checkbox is selected
      • SSL Profile*: System-Standard
  5. On the Edit Health Monitor: Horizon-HTTPS page,
    • Scroll down until you locate Maintenance Response Code*
      • Maintenance Response Code*: 503
    • Close the Edit Health Monitor: Horizon-HTTPS page
    • Do not make any changes
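To see from the UAG side what the Horizon-HTTPS monitor above actually does, here is an added Python emulation of it (not part of the lab or of the NSX ALB product): it sends the same client request over TLS with SNI and classifies the reply the way the monitor settings say (2XX up, 503 maintenance, anything else down). The Host header it sends is an assumption; the FQDN and IP in the docstring are the lab's own values.

```python
import socket
import ssl

# Values taken from the Horizon-HTTPS profile validated above.
CLIENT_REQUEST = "GET /favicon.ico HTTP/1.0"
RECEIVE_TIMEOUT = 10     # seconds ("Receive Timeout")
MAINTENANCE_CODE = 503   # "Maintenance Response Code"


def classify_response(raw: bytes) -> str:
    """Classify a raw HTTP reply the way the monitor would.

    UP          -> status 2XX ("Response Code*: 2XX")
    MAINTENANCE -> status 503: the member is taken out of rotation
                   without being marked as failed
    DOWN        -> anything else, including no reply or garbage
    """
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "DOWN"
    try:
        status = int(parts[1])
    except ValueError:
        return "DOWN"
    if status == MAINTENANCE_CODE:
        return "MAINTENANCE"
    if 200 <= status <= 299:
        return "UP"
    return "DOWN"


def probe_uag(fqdn: str, ip: str, port: int = 443) -> str:
    """Send the monitor's request to one pool member over TLS with SNI.

    Assumption: a Host header carrying the bare server FQDN is sent
    (the pool setting "Append Port To Host Name: Never" means no ":443").
    Example call (lab values):
        probe_uag("uag-hzn-01a.techseals.co", "172.16.20.10")
    """
    request = f"{CLIENT_REQUEST}\r\nHost: {fqdn}\r\n\r\n".encode()
    # Default context verifies the UAG certificate chain against the local
    # trust store; a lab with self-signed UAG certs will report DOWN here.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=RECEIVE_TIMEOUT) as tcp:
            # server_hostname sets SNI, matching "Enable TLS SNI" on the pool
            with ctx.wrap_socket(tcp, server_hostname=fqdn) as tls:
                tls.sendall(request)
                chunks = []
                while chunk := tls.recv(4096):
                    chunks.append(chunk)
                return classify_response(b"".join(chunks))
    except (OSError, ssl.SSLError):
        return "DOWN"
```

Running probe_uag against each pool member before saving the pool tells you whether a server that the Controller shows as down is really unreachable, or is just answering with a redirect or a 503.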

We will now create the pool for Site-1.
Pools maintain the list of servers assigned to them and perform health monitoring, load balancing, persistence, and the other functions that involve NSX Advanced Load Balancer-to-server interaction.

Pools are created for L7 and L4 traffic.

Part 3: Creating the Pool for Site-1
  1. From the NSX-ALB console
    • navigate to Applications > Pools
  2. In the Pools area
    • to the right of the pane
      • select CREATE POOL
  3. In the CREATE POOL: window,
    • Step 1: Settings
      • enter the required information:
        • under Name*
          • enter Horizon-UAG-Pool-Site-1
        • under Default Server Port
          • enter 443
        • under Load Balance Algorithm
          • validate that Least Connections is selected
  4. In the CREATE POOL: Horizon-UAG-Pool-Site-1 window
    • select the Servers tab
      • under Select Servers By IP Address
        • enter 172.16.20.10,172.16.20.11
      • select ADD
  5. Once added,
    • both UAG server IP addresses from Site 1 show as Enabled
      • note: 172.16.20.10 and 172.16.20.11 are the two UAG servers in Site 1
  6. In the CREATE POOL: Horizon-UAG-Pool-Site-1 window,
    • select the Health Monitor tab
      1. Make sure the checkbox next to Enable Passive Health Monitor is checked
      2. Select ADD
        • from the dropdown,
          • select Horizon-HTTPS (this is the health monitor that you validated earlier)
  7. In the CREATE POOL: Horizon-UAG-Pool-Site-1 window,
    • in the Health Monitors area
      • scroll up
        • below Append Port To Host Name
          • select the Never radio button
  8. In the CREATE POOL: Horizon-UAG-Pool-Site-1 window,
    • Health Monitor tab
      • Scroll down
        • below the SSL section
          • under SSL Profile
            • select System-Standard
          • next to Enable TLS SNI
            • ensure this box is checked
          • Leave all the remaining settings as defaults
  9. In the CREATE POOL: Horizon-UAG-Pool-Site-1 window,
    • In the bottom right corner
      • select SAVE
Part 4: Verify that the required SSL Certificate is present
  1. From the NSX-ALB Admin console
    • Navigate to Templates > Security > SSL/TLS Certificates
  2. In the SSL/TLS Certificates window
    • Verify that HZNCert2024 shows a green status

We will now validate that Connection Multiplexing is disabled.

Part 5: Validating that Connection Multiplexing is disabled
  1. In the NSX-ALB console
    • Navigate to Templates > Profiles > Application
      • In the Application area
        • select System-Secure-HTTP-VDI
        • To the right of System-Secure-HTTP-VDI
          • select the edit icon
  2. In the Edit Application Profile: System-Secure-HTTP-VDI window
    • Ensure the checkbox next to Connection Multiplexing is NOT selected
    • Select Cancel
      • to close the Edit Application Profile: System-Secure-HTTP-VDI window

We will now create the Virtual Service for Site-1.

Virtual services are the core of the Avi Vantage load-balancing and proxy functionality. A virtual service advertises an IP address and ports to the external world and listens for client traffic.

Part 6: Creating the Virtual Service for Site-1
  1. In the NSX-ALB Console
    • Navigate to Applications > Virtual Services
  2. In the Virtual Services area
    • at the top right, select CREATE VIRTUAL SERVICE
      • select Advanced Setup
  3. In the New Virtual Service wizard
    • Step 1: Settings area
      • enter the following under:
        • Name*
          • type Horizon-UAG-Site-1
        • VS VIP*
          • select the dropdown,
            • notice that a green Create VS VIP box appears
  4. In the New Virtual Service wizard
    • Step 1: Settings area
      • In the VIP Address area
        • select Create VS VIP
  5. In the Create VS VIP: page
    • In the General tab,
      • under Name
        • type VIP-Horizon-UAG-Site1
      • select ADD
  6. In the Edit VIP: 1 page
    • under IPv4 Address*
      • type 172.16.20.100
    • select SAVE
  7. In the Create VS VIP: VIP-Horizon-UAG-Site1 window
    • select SAVE
  8. In the New Virtual Service wizard
    • Step 1: Settings area
      • Scroll down to the Service Port area
        • under Services
          • next to SSL
            • enable the checkbox
          • select Switch to Advanced
  9. In the Service Port area
    • below the unchecked Override TCP/UDP checkbox
      • select +Add Port
    • Note for steps 8 onward: these internal ports are used for tunnel connections. These non-standard ports are required on the Avi virtual service only; they do not have to be opened on the UAG servers, but they must be opened on the firewall placed in front of the load balancer. Ensure all the Service Port details match the screenshot above.
  10. In the New Virtual Service wizard
    • enter 5001 in Port Min and 5005 in Port Max
      • next to Use as Horizon Primary/Tunnel Protocol Ports
        • select the checkbox
    • select + Add Port
      • enter 5001 in the Port Min area and 5005 in the Port Max area
      • next to SSL
        • uncheck the checkbox
      • under Override Application Profile
        • from the dropdown
          • select System-L4-Application
      • next to Override TCP/UDP
        • select the checkbox
      • below Override TCP/UDP
        • from the dropdown
          • select System-UDP-Fast-Path-VDI
    • below System-UDP-Fast-Path-VDI
      • select + Add Port
  11. In the New Virtual Service wizard
    • in the Port area, enter 20001 to 20005
    • under Override Application Profile
      • from the dropdown
        • select System-L4-Horizon-PCoIP
    • next to Override TCP/UDP
      • uncheck the checkbox
    • select + Add Port
      • in the Port area, enter 20001 to 20005
      • under Override Application Profile
        • from the dropdown menu
          • select System-L4-Horizon-PCoIP
      • next to Override TCP/UDP
        • select the checkbox
      • below the just-selected Override TCP/UDP checkbox
        • from the dropdown menu
          • select System-UDP-Fast-Path-VDI
    • select + Add Port
  12. In the New Virtual Service wizard
    • in the Port area, enter 30001 to 30005
    • under Override Application Profile
      • from the dropdown
        • select System-L4-Horizon-Blast
    • next to Override TCP/UDP
      • uncheck the checkbox
    • select + Add Port again
      • in the Port area, enter 30001 to 30005
      • under Override Application Profile
        • from the dropdown menu
          • select System-L4-Horizon-Blast
      • next to Override TCP/UDP
        • select the checkbox
      • below the selected Override TCP/UDP checkbox
        • from the dropdown menu
          • select System-UDP-Fast-Path-VDI
  13. Ensure all the settings match the screenshot above.
    • Note: Ensure enough ports are opened on the virtual service to accommodate any new UAG servers you add to the UAG pool. In this example, six ports are opened for primary and secondary traffic:
      • Port 443: XML API traffic
      • Ports 5001 to 5005: Horizon internal ports opened for L7 primary XML traffic to handle redirected traffic
      • Ports 30001 to 30005: Blast
      • Ports 20001 to 20005: PCoIP
    • Note: These non-standard ports are required on the Avi virtual service only. They do not have to be opened on the UAG servers, but they must be opened on the firewall that is placed in front of the load balancer.
  14. In the New Virtual Service wizard
    • scroll up to the Settings area
    • in the Profiles sub-area
      • below Application Profile*
        • from the dropdown
          • select System-HTTP-Horizon-UAG
      • below Error Page Profile
        • from the dropdown
          • select Custom-Error-Page-Profile
  15. In the New Virtual Service wizard
    • in the Pool sub-area
      • below Pool
        • from the dropdown
          • select Horizon-UAG-Pool-Site1
    • in the SSL Settings sub-area
      • under SSL Profile*
        • from the dropdown
          • select System-Standard
      • under SSL Certificate
        • from the dropdown
          • select HZNcert2025
            • Remove the System-Default-Cert
    • Leave all other settings as default
      • in the bottom right corner
        • select Next
  16. In the New Virtual Service wizard
    • Step 2: Policies area
      • (Leave everything as default)
    • select Next
  17. In the New Virtual Service wizard
    • Step 3: Analytics area
      • (Leave everything as default)
    • select Next
  18. In the New Virtual Service wizard
    • Step 4: Advanced area
      • (Leave everything as default)
    • select Save
Part 7: Binding the DataScript to the Virtual Service
  1. From the NSX-ALB admin console
    • navigate to Applications > Virtual Services
      • in front of Horizon-UAG-Site-1
        • select the checkbox
      • in line with Horizon-UAG-Site-1
        • select edit
  2. In the Edit Horizon-UAG-Site-1 virtual service area
    • navigate to the Policies > DataScripts tab
    • In the top right
      • select + Add DataScript
  3. In the Edit Horizon-UAG-Site-1 virtual service area
    • below Script To Execute
      • from the dropdown
        • select System-Standard-Horizon-UAG
      • In the bottom right corner
        • select Save DataScript
          • select Save
Part 8: Configuring the Unified Access Gateway for Site 1
Section 1. Get the custom ports for Blast and PCoIP per UAG server from the pool created for Site 1
  1. In the AVI Controller Admin page
    • navigate to Applications > Pools
      • select Horizon-UAG-Pool-Site1
  2. In the Pool: Horizon-UAG-Pool-Site1 window
    • select the Servers tab
      • Make a note of all the custom ports
        • In this example
          • UAG-01a (172.16.20.10) uses 5002 for tunnel, 20002 for PCoIP and 30002 for Blast
          • UAG-02 (172.16.20.11) uses 5001 for tunnel, 20001 for PCoIP and 30001 for Blast

Note: This is just an example; the ports may vary in your environment.

Note: These custom ports are used while configuring the UAGs; the port configuration must map to your existing setup in NSX AVI.

Section 2. Add the custom ports to the UAG-01a Blast and PCoIP external URLs
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
      • In the Address bar,
        • select UAG-HZN-01a
      • In the UAG Login window
        • in the username: area
          • enter admin
        • in the password: area
          • enter Pa$$w0rd
        • select SIGN IN
  2. In the UAG Admin Console
    • under Configure Manually
      • click SELECT
  3. In the UAG Admin Console
    • In the General Settings area
      • next to Edge Service Settings,
        • move the TOGGLE to the right
      • next to Horizon Settings
        • select the GEAR icon
  4. In the UAG Admin Console
    • next to PCOIP External URL
      • edit the existing entry to the following
        • 172.16.20.10:20002
      • Note: the PCoIP port number may differ in your case; it must be the custom port noted in Part 8 Section 1
    • next to Blast External URL
      • edit the existing entry to the following
        • https://uag-hzn-01a.techseals.co:30002/?UDPPort=30002
      • Note: the Blast port number may differ in your case; it must be the custom port noted in Part 8 Section 1
    • scroll down
      • at the bottom
        • select SAVE
  5. In the UAG admin console
    • below Advanced Settings
      • next to System Configuration
        • select the GEAR icon
  6. In the System Configuration window
    • next to Allowed Host Headers
      • enter corp.techseals.co
        • to the right
          • select the + icon
      • enter uag-hzn-avi01a.techseals.co
        • to the right
          • select the + icon
  7. In the System Configuration window
    • to close the System Configuration window
      • scroll down
      • select SAVE
Section 3. Add the custom ports to the UAG-01b Blast and PCoIP external URLs
  1. On your ControlCenter Server
    • on your Chrome Browser for Site-1
      • in the Address bar,
        • select UAG-HZN-01b
      • In the UAG Login window
        • in the username: area
          • enter admin
        • in the password: area
          • enter Pa$$w0rd
      • select SIGN IN
  2. In the UAG Admin Console
    • under Configure Manually
      • click SELECT
  3. In the UAG Admin Console
    • In the General Settings area
      • next to Edge Service Settings,
        • move the TOGGLE to the right
      • next to Horizon Settings
        • select the GEAR icon
  4. In the UAG Admin Console
    • next to PCOIP External URL
      • enter the following
        • 172.16.20.11:20001
      • Note: the PCoIP port number may differ in your case; it must be the custom port noted in Part 8 Section 1
    • next to Blast External URL
      • enter the following
        • https://uag-hzn-01b.techseals.co:30001/?UDPPort=30001
      • Note: the Blast port number may differ in your case; it must be the custom port noted in Part 8 Section 1
    • scroll down
      • at the bottom
        • select SAVE
  5. In the UAG admin console
    • below Advanced Settings
      • next to System Configuration
        • select the GEAR icon
  6. In the System Configuration window
    • next to Allowed Host Headers
      • enter corp.techseals.co
        • to the right
          • select the + icon
  7. In the System Configuration window
    • to close the System Configuration window
      • scroll down
        • select SAVE
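Before typing the custom ports into the UAG admin console, the port plan from Part 6 and the per-UAG ports noted in Part 8 Section 1 can be cross-checked with this added Python script (not part of the lab or of the Avi/UAG products). It builds the expected External URL values, reports the spare ports left for new UAG servers, flags two UAGs sharing a port, and lists what the firewall in front of the VIP must allow. The VIP, FQDNs and ports are the lab's example values; your pool may hand out different ones.

```python
# Virtual-service port plan from Part 6: (first, last) port of each range.
# Every range except 443 is added to the VS twice: once as TCP and once
# as UDP (System-UDP-Fast-Path-VDI).
PORT_PLAN = {
    "xml-api": (443, 443),
    "tunnel": (5001, 5005),
    "pcoip": (20001, 20005),
    "blast": (30001, 30005),
}

# Per-UAG custom ports as read from the pool's Servers tab (Part 8,
# Section 1). Lab example values; replace with what your pool shows.
UAG_PORTS = {
    "uag-hzn-01a.techseals.co": {"ip": "172.16.20.10", "tunnel": 5002, "pcoip": 20002, "blast": 30002},
    "uag-hzn-01b.techseals.co": {"ip": "172.16.20.11", "tunnel": 5001, "pcoip": 20001, "blast": 30001},
}


def in_range(kind: str, port: int) -> bool:
    lo, hi = PORT_PLAN[kind]
    return lo <= port <= hi


def external_urls(fqdn: str) -> dict:
    """Expected PCOIP External URL and Blast External URL for one UAG.

    Raises ValueError when a port lies outside the VS range: the LB would
    then never receive that UAG's Blast/PCoIP traffic.
    """
    s = UAG_PORTS[fqdn]
    for kind in ("pcoip", "blast"):
        if not in_range(kind, s[kind]):
            raise ValueError(f"{fqdn}: {kind} port {s[kind]} not in VS range {PORT_PLAN[kind]}")
    return {
        "pcoip": f"{s['ip']}:{s['pcoip']}",
        "blast": f"https://{fqdn}:{s['blast']}/?UDPPort={s['blast']}",
    }


def free_ports(kind: str) -> list:
    """Ports of a range not yet assigned to any pool member, i.e. the
    headroom for new UAG servers that the lab's note asks you to keep."""
    lo, hi = PORT_PLAN[kind]
    used = {s[kind] for s in UAG_PORTS.values()}
    return [p for p in range(lo, hi + 1) if p not in used]


def duplicate_ports() -> list:
    """Port kinds where two UAGs were given the same custom port (must be empty)."""
    bad = []
    for kind in ("tunnel", "pcoip", "blast"):
        ports = [s[kind] for s in UAG_PORTS.values()]
        if len(set(ports)) != len(ports):
            bad.append(kind)
    return bad


def firewall_rules(vip: str = "172.16.20.100") -> list:
    """(dst, proto, first, last) allow rules for the firewall in front of
    the VIP. None of the non-standard ports are opened on the UAGs."""
    rules = []
    for kind, (lo, hi) in PORT_PLAN.items():
        for proto in (("tcp",) if kind == "xml-api" else ("tcp", "udp")):
            rules.append((vip, proto, lo, hi))
    return rules
```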
Part 9. Disable Tunnelling on the Connection Servers

When integrating Horizon with Unified Access Gateway, all tunnel configuration must be disabled on the Connection Servers.

Task 1: Disabling Session Protocol Tunnelling on Horizon-01a
  1. On your ControlCenter server
    • on the Site 1 - Bangalore Chrome browser
      • from the Favourites Bar
        • select Horizon Site 1
  2. In the Horizon login page
    • in the Username area
      • enter administrator
    • in the Password area
      • enter Pa$$w0rd
    • select Sign in
  3. In the Horizon Admin console
    • In the Settings area
      • select Servers
  4. In the Servers area
    • select the Connection Servers tab
  5. In the Connection Servers tab area
    • next to HORIZON-01A
      • select the radio button
    • select EDIT
  6. In the Edit Connection Server Settings window
    • below HTTP(S) Secure Tunnel
      • next to Use Secure Tunnel connection to machine
        • uncheck the checkbox
    • scroll down
  7. In the Edit Connection Server Settings window
    • below Blast Secure Gateway
      • next to Do not use Blast Secure Gateway
        • select the radio button
    • to close the Edit Connection Server Settings window
      • in the bottom right corner
        • select OK
Task 2: Disabling Session Protocol Tunnelling on Horizon-01b
  1. In the Connection Servers tab area
    • next to HORIZON-01B
      • select the radio button
    • select EDIT
  2. In the Edit Connection Server Settings window
    • below HTTP(S) Secure Tunnel
      • next to Use Secure Tunnel connection to machine
        • uncheck the checkbox
    • scroll down
  3. In the Edit Connection Server Settings window
    • below Blast Secure Gateway
      • next to Do not use Blast Secure Gateway
        • select the radio button
    • to close the Edit Connection Server Settings window
      • in the bottom right corner
        • select OK
