F5 Optimized Solution for VMware Horizon View:...

BEST PRACTICES F5 VMware Horizon View Optimized Solution: Recommended Practices

Upload: dmitry-tikhovich

Post on 05-Dec-2014


DESCRIPTION

This document provides a recommended practice guide for designing a joint F5® & VMware Horizon View deployment using the F5® VMware Horizon View Optimized BIG-IP® Access Policy Manager® (APM) Virtual Edition.

TRANSCRIPT

Page 1: F5 Optimized Solution for VMware Horizon View: design and implementation recommendations, May 2014

BEST PRACTICES

F5 VMware Horizon View Optimized Solution: Recommended Practices


Contents

1. Concepts
   1.1. Introduction
   1.2. Scope
   1.3. Solution Extensions
   1.4. Major components and their interactions (Client; Firewall; VMware Horizon View Optimized BIG-IP APM Virtual Edition; Active Directory; View Connection Server; Desktop Pools)
2. F5 VMware Horizon View Architecture
   2.1. Network Architecture
   2.2. F5 VMware Horizon View iApp Template
3. F5 Recommended Practices
   3.1. F5 BIG-IP Base Configuration & High Availability
   3.2. Networking and IP Addresses
   3.3. Time Synchronization
   3.4. DNS
   3.5. ESXi Host Selection (Host Resource Requirements; Host Separation)
   3.6. SSL Certificates
   3.7. Hostnames and Addresses
   3.8. Authentication
   3.9. Suggested Implementation Flow
4. Conclusion
5. Further Reading & Resources


1. Concepts

1.1. Introduction

VDI offers organizations a centralized infrastructure for enterprise desktop management. These benefits do not come without obstacles, however.

Employees demand flexibility, choice, and desktop customization, while businesses require secure control along with support for multiple computing platforms, including mobile devices. Deployments can be complicated and time consuming, require significant cost, and can lead to frustration for both IT and employees.

With the F5® VMware® Horizon View™ Reference Architecture, organizations can rapidly dispense VDI access and gain tighter virtual desktop control, all within an economical, secure and high-performing environment.

This document provides a recommended practice guide for designing a joint F5® & VMware Horizon View deployment using the F5® VMware Horizon View Optimized BIG-IP® Access Policy Manager® (APM) Virtual Edition.

1.2. Scope

This guide will offer a reference architecture design for deploying an F5 BIG-IP component into a single datacenter with a VMware Horizon View infrastructure capable of serving up to 1000 concurrent users using the PC over IP (PCoIP) protocol to access desktops. The design supports access from clients inside and outside the network perimeter of an organization.

This guide offers a resource for architects and engineers who are designing an F5 and VMware Horizon View infrastructure, and includes links and references to documentation that will provide more detailed information to guide the implementation process.

The architecture overview and design principles provided here are a result of a design that has been jointly tested by F5 and VMware. This results in an infrastructure that is simple to implement and manage.

This architecture has been built and tested with the following software versions:

Component | Version
BIG-IP Access Policy Manager® | 11.4 HF-5, 11.4.1, 11.5, 11.5.1
VMware vSphere® | 5.5
VMware Horizon View™ | 5.2, 5.3


1.3. Solution Extensions

While this reference architecture offers a design that is simple to deploy and manage, one of the key advantages of the F5 BIG-IP platform is the flexibility and extensibility that it provides. Custom solutions to meet a wide range of requirements can be created from this base architecture. Where appropriate, this document highlights these extensions and points to additional documentation and resources to assist with the design and deployment of more customized architectures. This design is based on the existing F5 VMware Horizon View solution, which can be grown and adapted to support the largest-scale deployments and most complex scenarios. For more information consult the “F5 BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations” manual, which is listed in the “Further Reading & Resources” section at the end of this document.

1.4. Major components and their interactions

There are a number of components involved in establishing and maintaining a session between a Horizon View client and its desktop. This guide deals only with the VMware components that interact with the F5 access solution (so it does not address components such as SQL servers, etc.).

Figure 1: F5 VMware Horizon View Architecture

Client

VMware Horizon View offers clients for multiple operating systems and platforms as well as support for a range of hardware zero clients. The client software/hardware will make the TCP and UDP connections back to the F5 BIG-IP to authenticate and connect to the virtual desktop.


Solution Extension: A BIG-IP hardware platform can perform the functions of an external perimeter firewall, secure remote access to VMware Horizon View and load balancing of the Connection Servers. The recommended design given here can be easily applied to a consolidated F5 BIG-IP hardware solution collapsing multiple functions such as L2-3 firewalling, access to Horizon View desktops, and application delivery functions. See http://www.f5.com/it-management/solutions/application-delivery-firewall/overview/ for more information on the F5 Application Delivery Firewall.

Firewall

Most organizations will require a firewall between the client and the internal infrastructure. Where this firewall is performing Network Address Translation (NAT), it is important to know the external NAT address that clients will connect to. As a Solution Extension, an F5 BIG-IP hardware appliance running the F5® Advanced Firewall Module™ (AFM) software makes an excellent choice for this role due to its high throughput and DDoS protection capabilities.

VMWARE HORIZON VIEW OPTIMIZED BIG-IP APM VIRTUAL EDITION

The F5 BIG-IP Virtual Edition (VE) secure appliance acts as a full proxy between the client and all of the View components. Authentication connections and PCoIP traffic (from external clients) are all terminated on the appliance before being proxied to the relevant internal component.

The BIG-IP authenticates the View client’s identity with the Microsoft® Active Directory® service before passing the username and password to the View Connection Server. The BIG-IP provides high availability and load balancing services for the Connection Servers.

The BIG-IP can provide SSL offload for the client authentication traffic, saving CPU resources on the View Connection Servers by forwarding traffic to the Connection Server unencrypted.

The BIG-IP replaces the PCoIP proxy functions of the View Security Server role, eliminating a layer of infrastructure and simplifying management of the solution.

The VMware Horizon View specific configuration is performed using an F5 supplied iApp® template, which creates all the configuration items required to manage the View application traffic. The created configuration follows the tested best practice design and dramatically reduces the time to deploy the solution.

Solution Extension: The Horizon View Optimized APM BIG-IP Virtual Edition includes the full functionality of the BIG-IP APM software. This allows the creation of rich authentication and verification schemes, even when using native clients. The pre-defined policy that the iApp template implements can easily be extended to include a number of additional restrictions such as time of day, Active Directory attribute requirements, and IP location or reputation.

Active Directory

The Microsoft® Active Directory infrastructure provides the authentication service for users connecting to the View system. Active Directory is used by both the BIG-IP and the View Connection Server to authenticate and authorize a user when they connect.

View Connection Server

The View Connection Server serves as the broker for client connections. The View Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine.

The View Connection Server provides the following management capabilities:

Authenticating users
Entitling users to specific desktops and pools
Assigning applications packaged with VMware ThinApp to specific desktops and pools
Managing local and remote desktop sessions
Establishing secure connections between users and desktops
Enabling single sign-on
Setting and applying policies

Desktop Pools

Desktop pools are pools of virtual machines running the desktop operating system that the user accesses from their View client. The BIG-IP proxies the client PCoIP connection to the virtual machine in the desktop pool nominated by the View Connection Server.


2. F5 VMware Horizon View Architecture

2.1. Network Architecture

Figure 2: F5 VMware Horizon View Network Diagram (diagram labels: External VLAN, Access Network, External Clients, Firewall, Router, Internal VLAN, Connection Servers, Active Directory, DNS, NTP, Management VLAN, SQL Servers, vCenter® Server, Compositor Servers, HA VLAN, APM pair, Desktop VLAN, Desktop Servers, ESXi® Hosts, Internal Client VLAN, Internal Clients)

2.2. F5 VMware Horizon View iApp Template

F5 iApp templates allow the creation and management of BIG-IP configurations supporting specific applications.

The iApp template for the VMware Horizon View Optimized Solution can be downloaded from the F5 DevCentral site (https://devcentral.f5.com/wiki/iApp.VMware-Applications.ashx) and installed into the templates library on your BIG-IP systems.

The use and deployment of the iApp template is fully documented in the deployment guide that accompanies the iApp template. It is recommended that you read the rest of this guide to provide background and design information before commencing with the iApp deployment.


Supplemental Notes to the Deployment Guide:

Configuring the BIG-IP System

This section in the deployment guide provides a step-by-step guide to deploying the BIG-IP software onto a virtual machine.

Correct network settings are important. Ensure you map the correct source and destination networks during the network mapping steps. Refer to section 3.2 and Figure 4 to understand the use of each network. While adhering to this design is not mandatory (BIG-IP is an extremely flexible platform and can be successfully configured in many different ways), using the default network objects and names will result in a simpler and faster installation.

Other notes:

Step 5 of the deployment guide gives instructions for importing an SSL device certificate to match the FQDN host name of the BIG-IP. This represents good practice, and failure to do this will result in SSL certificate errors when accessing the BIG-IP management GUI, but it is not essential, especially during piloting or testing phases. Updating device certificates at a later date, however, will require some updating of the HA pairing of the devices, since device certificates are used to encrypt communications between devices and are exchanged to establish device trust.

3. F5 Recommended Practices

3.1. F5 BIG-IP Base Configuration & High Availability

The F5 BIG-IP performs a critical role in the infrastructure and must be configured in a highly available pair. In the event of the active BIG-IP running the services supporting View connections becoming unavailable, the other node will take over traffic processing.

High availability for BIG-IP systems is delivered by F5 Device Service Clustering (DSC). DSC is part of the F5 ScaleN™ architecture, which creates a programmable, high-performance Application Services Fabric. This reference architecture, however, is concerned only with the setup of a highly available active-standby pair of BIG-IP appliances.

DSC relies on network communications between the appliances for heartbeat, failover and configuration synchronization purposes. Whilst a wide range of manual configurations are possible, adhering to the defaults expected by the setup wizard will greatly simplify the installation process.


Figure 3: F5 DSC Network Communications

3.2. Networking and IP Addresses

The BIG-IP Setup Wizard will expect the creation of a minimum of three logical network objects. BIG-IP uses the term ‘VLAN’ to refer to a logical network object which associates a network interface with a Self-IP and subnet. See the link below for more detailed information on F5 and VLANs.

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_tmos_concepts_11_0_0/tmos_vlans.html

In addition, a management network connection will be required. The management network is used both to administer the BIG-IP system and as part of ScaleN clustering communications.

The logical networks (VLANs) required are:

A VLAN for the internal network, named internal
A VLAN for the external network, named external
A VLAN for failover communications, named HA

You should plan for the following IP addressing for the base device setup (this is the total for both devices):

Three IP addresses on the same subnet for VLAN internal.
Three IP addresses on the same subnet for VLAN external.
Two IP addresses on the same subnet for VLAN HA.
Two IP addresses on the management network, one for each appliance.


All VLANs must have separate IP subnets and cannot have overlapping subnets [1].

In addition, IP addresses for the VMware Horizon View services will be required:

An IP address on the external network for terminating external VMware Horizon View client traffic
An IP address on the internal network for terminating internal VMware Horizon View client traffic

These IP addresses are shared between the highly available pair, but are only active on one device at any given time.
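The addressing rules above (three addresses each on internal and external, two on HA, one per appliance on management, non-overlapping subnets, and one View address on each side that sits inside its subnet) are easy to get wrong on paper. As an added example, not from the F5 guide, this Python script checks a plan against those rules; every address in it is a constructed sample from documentation or private ranges.

```python
"""Sanity-check a BIG-IP VE addressing plan against the rules in section 3.2.

Added example, not part of the F5 guide. All addresses are constructed
samples (documentation and private ranges); replace them with your own plan.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class VlanPlan:
    name: str
    subnet: str
    self_ips: list                                  # one non-floating self-IP per appliance
    floating: list = field(default_factory=list)    # shared by the HA pair


# Address counts the guide specifies for the base setup of both devices:
# (non-floating self-IPs, floating self-IPs). View addresses are checked separately.
REQUIRED = {
    "internal": (2, 1),
    "external": (2, 1),
    "HA": (2, 0),
    "management": (2, 0),
}


def validate_plan(vlans, view_vips):
    """Return a list of problem strings; an empty list means the plan is
    consistent with the guide. `view_vips` maps a VLAN name to the address
    that terminates View client traffic on that network."""
    problems, nets, used = [], {}, {}
    for v in vlans:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{v.name}: invalid subnet {v.subnet!r}: {exc}")
            continue
        nets[v.name] = net
        want_self, want_float = REQUIRED.get(v.name, (0, 0))
        if len(v.self_ips) != want_self:
            problems.append(f"{v.name}: expected {want_self} self-IPs, got {len(v.self_ips)}")
        if len(v.floating) != want_float:
            problems.append(f"{v.name}: expected {want_float} floating IPs, got {len(v.floating)}")
        for ip in v.self_ips + v.floating:
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                problems.append(f"{v.name}: {ip} is outside {net}")
            if addr in used:
                problems.append(f"{ip} is assigned twice ({used[addr]} and {v.name})")
            used[addr] = v.name
    for name in sorted(set(REQUIRED) - set(nets)):
        problems.append(f"missing VLAN {name}")
    # The guide requires every VLAN to sit on its own, non-overlapping subnet.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"subnets of {a} ({na}) and {b} ({nb}) overlap")
    # One View address on external and one on internal, inside those subnets
    # and distinct from every self-IP.
    for vlan_name in ("external", "internal"):
        vip = view_vips.get(vlan_name)
        if vip is None:
            problems.append(f"no View address planned on {vlan_name}")
            continue
        addr = ipaddress.ip_address(vip)
        if vlan_name in nets and addr not in nets[vlan_name]:
            problems.append(f"View address {vip} is outside {nets[vlan_name]}")
        if addr in used:
            problems.append(f"View address {vip} collides with a self-IP on {used[addr]}")
    return problems


# Constructed sample plan: ten addresses for the pair plus the two View addresses.
SAMPLE_PLAN = [
    VlanPlan("management", "192.0.2.0/24", ["192.0.2.11", "192.0.2.12"]),
    VlanPlan("internal", "198.51.100.0/24", ["198.51.100.11", "198.51.100.12"], ["198.51.100.10"]),
    VlanPlan("external", "203.0.113.0/24", ["203.0.113.11", "203.0.113.12"], ["203.0.113.10"]),
    VlanPlan("HA", "10.255.255.0/30", ["10.255.255.1", "10.255.255.2"]),
]
SAMPLE_VIEW_VIPS = {"external": "203.0.113.20", "internal": "198.51.100.20"}

# The same plan with the HA subnet carved out of the internal one: invalid.
OVERLAPPING_PLAN = [v for v in SAMPLE_PLAN if v.name != "HA"] + [
    VlanPlan("HA", "198.51.100.128/30", ["198.51.100.129", "198.51.100.130"]),
]

if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("overlapping", OVERLAPPING_PLAN)):
        print(label, validate_plan(plan, SAMPLE_VIEW_VIPS) or "OK")
```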

Figure 4: Example IP addressing Schema

3.3. Time Synchronization

Time synchronization is important in BIG-IP DSC operations, and it is critical that the BIG-IP and the Active Directory services be in sync. NTP services should be available and BIG-IP devices should be configured to use NTP services during the initial setup.

3.4. DNS

The BIG-IP systems should be able to resolve the hostnames of the Microsoft Active Directory servers for authentication purposes. The use of DNS servers is highly recommended for this. If DNS has not already been configured on the platform, the iApp template (see section 2.2 above) allows the configuration of DNS during the application service deployment.

[1] There are advanced configurations of the BIG-IP platform that can eliminate this requirement, but at the cost of additional complexity.

3.5. ESXi Host Selection

Host Resource Requirements

BIG-IP® Virtual Editions require the following minimum virtual machine guest environment:

Concurrent Users | vCPUs | RAM (GB) | Disk Space (GB)
100 | 2 | 4 | 100
250 | 2 | 4 | 100
1000 | 2 | 4 | 100

For production use it is recommended to thick allocate the disk.

Host Separation

Each member of the DSC cluster should reside on a different ESXi host. Where you are using VMware Dynamic Resource Scheduler (DRS), create a DRS rule with the option Separate Virtual Machine that includes each unit of the BIG-IP VE redundant pair.

The following links discuss these topics in more detail:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-esxi-11-4-1/4.html#r_ve_best_practices

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-11-4-0.html

3.6. SSL Certificates

SSL certificates are used both to secure the HTTPS traffic from clients to the BIG-IP (and on to the connection broker) and to generate the keys and tokens that secure and authenticate PCoIP traffic from client to desktop. Planning and management of SSL certificates is therefore an essential component of the architecture design.


Figure 5: SSL Certificate Requirements

SSL Certificate Use

The method described in the “F5 APM Optimized Solution for VMware Horizon View” deployment guide (see section 2.2) is to use a single SSL certificate that signs the FQDN to which clients will connect and modifies the connection servers to use this same FQDN. This certificate is installed on both the BIG-IP devices and the Connection Servers. This certificate shod

SSL Decryption

The F5 BIG-IP can be configured either to pass the authentication traffic to the Connection Server in plain text or to re-encrypt the traffic over SSL. Re-encrypting secures the data within the internal network at the expense of additional workload on the compute resources. Controlling the re-encryption of data is done using the iApp setup for VMware View on the BIG-IP (see below). If SSL offload (no re-encryption) is chosen, then the VMware Horizon View Connection Servers will need to be configured to listen on port 80 on their internal network address. This involves creating and/or editing the locked.properties file and is documented in the VMware Horizon View Administration documentation (VMware Horizon View Administration > Configuring View Connection Server > Configuring Settings for Client Sessions > Off-load SSL Connections to Intermediate Servers).

Installation Note: The SSL Certificate friendly name must be set as “vdm”. See http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-E5EA22DE-E8CD-4E8D-8F76-C5105307D09F.html for additional information.


3.7. Hostnames and Addresses

Horizon View clients will need to be configured with a single, resolvable FQDN that points to the relevant IP address of the service (either the one on the internal network or the firewall); this should match one of the FQDN entries (or a wildcard equivalent) on the SSL certificate. For maximum flexibility, F5 recommends that all clients, internal and external, are given the same FQDN and that a split DNS system resolves it to the correct address depending on the location of the client.
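The certificate requirement in section 3.6 and the hostname requirement above come down to one check: every FQDN handed to clients must match a name, or a wildcard equivalent, on the certificate installed on the BIG-IP and the Connection Servers. This added Python example (not from the F5 guide) applies that check to the subjectAltName text that openssl prints; the certificate contents, names and addresses are constructed.

```python
"""Confirm the View client FQDN is covered by the SSL certificate (sections 3.6 and 3.7).

Added example, not from the F5 guide. It parses the subjectAltName text that
`openssl x509 -noout -ext subjectAltName -in cert.pem` prints and applies
RFC 6125-style matching, where '*' is only valid as the whole leftmost label
and matches exactly one label. The certificate output below is constructed.
"""
import re

# Constructed sample output for a certificate listing the View FQDN, a
# wildcard for the corporate domain and the external address.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:view.example.com, DNS:*.corp.example.com, IP Address:203.0.113.20
"""


def parse_san(openssl_output):
    """Return (dns_names, ip_addresses) found in the subjectAltName text."""
    dns, ips = [], []
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", openssl_output):
        (dns if kind == "DNS" else ips).append(value.lower())
    return dns, ips


def name_matches(pattern, fqdn):
    """True if a certificate name pattern covers fqdn. Clients compare names
    case-insensitively and reject wildcards that are not the entire leftmost
    label, so *.example.com covers a.example.com but not a.b.example.com or
    example.com itself."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels, f_labels = pattern.split("."), fqdn.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False            # partial or nested wildcards: not accepted
    if len(p_labels) < 3:
        return False            # refuse overly broad patterns such as *.com
    return len(p_labels) == len(f_labels) and p_labels[1:] == f_labels[1:]


def fqdn_covered(openssl_output, fqdn):
    """True if any DNS SAN entry covers the name clients will be given. Only
    SAN entries are consulted: modern clients ignore the subject CN, so the
    FQDN must appear in the SAN."""
    dns_names, _ = parse_san(openssl_output)
    return any(name_matches(p, fqdn) for p in dns_names)


def uncovered_names(openssl_output, fqdns):
    """Names you plan to hand to clients (one FQDN with split DNS is the
    recommended design) that the certificate does not cover."""
    return [f for f in fqdns if not fqdn_covered(openssl_output, f)]
```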

3.8. Authentication

Active Directory (AD) services are used by both the BIG-IP and the View Connection Servers to authenticate user sessions. Active Directory objects are defined on the BIG-IP as part of the View deployment. If anonymous binding is not allowed by the Active Directory, an administrator account and password will be required during the View iApp Service creation on the BIG-IP.

Clients are authenticated by the F5 BIG-IP against the Active Directory before they are proxied to the Connection Server. This ensures that only traffic from authenticated users is allowed into the internal network.

Active Directory authentication can be configured against a single AD server or against a pool of AD servers for high availability.

3.9. Suggested Implementation Flow

Design and Document

A successful VMware Horizon View deployment requires a variety of systems to work together, including authentication, traffic management, DNS, firewalls, and View components. Documenting IP addressing, routing, Active Directory accounts and SSL certificates will ensure a faster and more successful deployment.

Solution Extension: F5 Global Traffic Manager is an advanced DNS solution that gives logical and programmatic control of DNS names, making it simple to direct a client to the most appropriate address based on their location or the availability of services. See http://www.f5.com/it-management/solutions/global-load-balancing/overview/ for more details.

Installation Note: The SSL certificates used for offload will still need to be installed onto the Connection Servers irrespective of the method chosen, since the certificate thumbprint is sent to the client by the server to validate the connection.


Obtain or Generate SSL Certificates

As discussed above, SSL certificates are key components in View deployments; the required SSL certificates should be obtained (or generated) in advance of the deployment.

Configure Networking

Ensure the availability of the required networks and document which Port Groups they will map to for the guests. Test connectivity to routers, firewalls and clients.

For instance:

Destination Network | Source Network* | Network Adapter | BIG-IP interface | BIG-IP VLAN
Management | | 1 | Management | Management
Internal | | 2 | 1.1 | Internal
External | | 3 | 1.2 | External
HA | | 4 | 1.3 | HA

*Port Group – defined in your virtual infrastructure.

Configure or verify supporting infrastructure components

Test the DNS resolution, NTP, and AD components.

Implement View Components

Follow the VMware Horizon View installation and planning notes: https://www.vmware.com/support/pubs/view_pubs.html.

Note that you may want to enable HTTP connections on the View Connection Servers (see section 3.6 above) if you do not wish to re-encrypt SSL traffic, but you should still install the correct SSL certificate onto the Connection Servers.

Test internal View client

Test that the View client can access View desktops by connecting directly to all Connection Servers.

Implement base BIG-IP configuration

Follow the setup guide for BIG-IP Virtual Edition on ESXi:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-esxi-11-4-1.html

In step 13 or 14, refer to the table above to map the source networks for the management, internal, external and HA networks correctly.

Once you have a management address assigned for both BIG-IP Virtual Edition appliances, move on to configuring the active-standby high availability configuration by following the steps in the “F5 BIG-IP TMOS: Implementations” guide:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/2.html#conceptid


The system setup wizard will guide you through licensing, creating logical VLANs, assigning IP addresses and provisioning software.

At the end of this step you should have a pair of BIG-IP Virtual Edition systems configured on the required networks and in a high-availability pair.

You may also need to add static routes for connectivity to components within your environment. See: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-ip-routing-administration-11-4-1/3.html#conceptid

Test Connectivity

Before proceeding to deploying the iApp template for View configuration, first test connectivity to all the required components. Unless noted below, the CLI “ping” will be adequate.

Firewall
External clients
DNS (use “nslookup” from the CLI)
NTP (use “ntpq -np” from the CLI)
Internal clients
Connection Servers
Active Directory (use “adtest”; see https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11308.html for more information)
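The connectivity list above maps directly onto a pre-flight script. This added Python example (not from the F5 guide) encodes those checks, parses the ntpq -np output to confirm the BIG-IP has actually selected a time source rather than merely reaching the NTP server, and leaves the adtest step manual; the ntpq output is constructed sample data and the <...> targets are placeholders for your own addresses.

```python
"""Pre-flight connectivity checks before running the View iApp (section 3.9).

Added example, not from the F5 guide. The checklist mirrors the components
the guide says to test; the ntpq parser confirms the BIG-IP has selected a
time source, which matters because Active Directory authentication fails
when clocks drift. The ntpq output below is constructed sample data and the
<...> targets are placeholders for your own addresses.
"""
import shlex
import subprocess

# Constructed `ntpq -np` output: a selected system peer (*) and a candidate (+).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.5       .GPS.            1 u   33   64  377    0.512   -0.123   0.045
+192.0.2.6       192.0.2.5        2 u   40   64  377    0.600    0.200   0.050
"""

# Components listed in section 3.9 and the CLI check the guide suggests.
# Active Directory is checked with adtest (see SOL11308) and is left manual.
CHECKS = [
    ("firewall", "ping -c 3 <firewall-address>"),
    ("external client", "ping -c 3 <external-client-address>"),
    ("DNS", "nslookup <active-directory-fqdn>"),
    ("NTP", "ntpq -np"),
    ("internal client", "ping -c 3 <internal-client-address>"),
    ("connection server", "ping -c 3 <connection-server-address>"),
]


def parse_ntpq(output, max_offset_ms=1000.0):
    """Summarise `ntpq -np` output. The first column is the tally code: '*'
    marks the peer the daemon is synchronised to. 'reach' is an octal shift
    register of the last eight polls, so 377 means all of them succeeded."""
    peers, selected, warnings = [], None, []
    for line in output.splitlines()[2:]:        # skip the header and rule
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue                            # not a peer line
        peer = {"tally": tally, "remote": fields[0], "reach": fields[6],
                "offset_ms": float(fields[8])}
        peers.append(peer)
        if tally == "*":
            selected = peer["remote"]
        if peer["reach"] != "377":
            warnings.append(f"{peer['remote']}: reach {peer['reach']}")
        if abs(peer["offset_ms"]) > max_offset_ms:
            warnings.append(f"{peer['remote']}: offset {peer['offset_ms']} ms")
    return {"synced": selected is not None, "selected": selected,
            "peers": peers, "warnings": warnings}


def run_checks(checks=CHECKS, runner=None):
    """Run each check and return {name: (ok, detail)}. `runner` takes a
    command string and returns (exit_code, stdout); it is injectable so the
    logic can be exercised without a BIG-IP (the default uses subprocess)."""
    def default_runner(cmd):
        proc = subprocess.run(shlex.split(cmd), capture_output=True,
                              text=True, timeout=30)
        return proc.returncode, proc.stdout

    runner = runner or default_runner
    results = {}
    for name, cmd in checks:
        try:
            code, out = runner(cmd)
        except (OSError, subprocess.SubprocessError) as exc:
            results[name] = (False, str(exc))
            continue
        if cmd.startswith("ntpq"):
            summary = parse_ntpq(out)
            ok = summary["synced"] and not summary["warnings"]
            detail = summary["selected"] or "no selected peer"
            results[name] = (ok, "; ".join([detail] + summary["warnings"]))
        else:
            last = out.strip().splitlines()[-1] if out.strip() else ""
            results[name] = (code == 0, last)
    return results


def all_ok(results):
    """True when every check in a run_checks() result passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```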

Run BIG-IP VMware Horizon View iApp Template

See above for running the iApp template and the required information and settings.

Test View Connections

You should now be able to test View connectivity from both internal and external clients.

Test High Availability

Now that services are running on the systems, test the continued availability of the View service under various failure conditions.

4. Conclusion

The F5 VMware Horizon View Reference Architecture enables you to cost-effectively deliver rich, personalized virtual desktops while increasing your VDI performance, control, security, and simplicity.

Installation Note: during the provisioning step you should ensure that the Access Policy Manager (APM) module is enabled and the provisioning is set to dedicated (this may not be the case if you are adapting this architecture into a consolidated BIG-IP system running other modules or functions).


By following the architecture design and recommended practices in this document, organizations can design and deploy a simple, robust infrastructure to manage access to VMware Horizon View desktops.

5. Further Reading & Resources

VMware Horizon View Information
http://www.vmware.com/products/horizon-view/

F5 iApp for VMware Horizon View Optimized Solution by F5
https://devcentral.f5.com/wiki/iApp.VMware-Applications.ashx

F5 PCoIP Proxy for VMware Horizon View
http://www.youtube.com/watch?v=Ayjmq8HRkRw

F5 BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations
11.4: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-vmware-integration-implementations-11-4-0.html
11.5: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-implementations-11-5-0

F5 Support
http://support.f5.com