F5 Optimized Solution for VMware Horizon View:...
BEST PRACTICES
F5 VMware Horizon View Optimized
Solution: Recommended Practices
F5 VMware Horizon View Optimized Solution Recommended Practices
Contents
1. Concepts
   1.1. Introduction
   1.2. Scope
   1.3. Solution Extensions
   1.4. Major components and their interactions
        Client
        Firewall
        VMware Horizon View Optimized BIG-IP APM Virtual Edition
        Active Directory
        View Connection Server
        Desktop Pools
2. F5 VMware Horizon View Architecture
   2.1. Network Architecture
   2.2. F5 VMware Horizon View iApp Template
3. F5 Recommended Practices
   3.1. F5 BIG-IP Base Configuration & High Availability
   3.2. Networking and IP Addresses
   3.3. Time Synchronization
   3.4. DNS
   3.5. ESXi Host Selection
        Host Resource Requirements
        Host Separation
   3.6. SSL Certificates
   3.7. Hostnames and Addresses
   3.8. Authentication
   3.9. Suggested Implementation Flow
4. Conclusion
5. Further Reading & Resources
1. Concepts
1.1. Introduction
VDI offers organizations a centralized infrastructure for enterprise desktop management. These benefits do not come without obstacles, however.
Employees demand flexibility, choice, and desktop customization, while businesses require secure control along with support for multiple computing platforms, including mobile devices. Deployments can be complicated, time consuming and costly, and can lead to frustration for both IT and employees.
With the F5® VMware® Horizon View™ Reference Architecture, organizations can rapidly deliver VDI access and gain tighter virtual desktop control, all within an economical, secure and high-performing environment.
This document provides a recommended practice guide for designing a joint F5® & VMware Horizon
View deployment using the F5® VMware Horizon View Optimized BIG-IP® Access Policy Manager® (APM)
Virtual Edition.
1.2. Scope
This guide will offer a reference architecture design for deploying an F5 BIG-IP component into a single
datacenter with a VMware Horizon View infrastructure capable of serving up to 1000 concurrent users
using the PC over IP (PCoIP) protocol to access desktops. The design supports access from clients inside
and outside the network perimeter of an organization.
This guide offers a resource for architects and engineers who are designing an F5 and VMware Horizon
View infrastructure, and includes links and references to documentation that will provide more detailed
information to guide the implementation process.
The architecture overview and design principles provided here are a result of a design that has been
jointly tested by F5 and VMware. This results in an infrastructure that is simple to implement and
manage.
This architecture has been built and tested with the following software versions:
Component                        Version
BIG-IP Access Policy Manager®    11.4 HF-5, 11.4.1, 11.5, 11.5.1
VMware vSphere®                  5.5
VMware Horizon View™             5.2, 5.3
1.3. Solution Extensions
While this reference architecture offers a design that is simple to deploy and manage, one of the key advantages of the F5 BIG-IP platform is the flexibility and extensibility that it provides. Custom solutions to meet a wide range of requirements can be created from this base architecture. Where appropriate, this document highlights these extensions and points to additional documentation and resources to assist with the design and deployment of more customized architectures. This design is based on the existing F5 VMware Horizon View solution, which can be grown and adapted to support the largest scale deployments and most complex scenarios. For more information consult the “F5 BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations” manual, which is listed in the “Further Reading & Resources” section at the end of this document.
1.4. Major components and their interactions
There are a number of components involved in establishing and maintaining a session between a Horizon View client and its desktop. This guide deals only with the VMware components that interact with the F5 access solution (so it does not address components such as SQL servers).
Figure 1: F5 VMware Horizon View Architecture
Client
VMware Horizon View offers clients for multiple operating systems and platforms as well as support for
a range of hardware zero clients. The client software/hardware will make the TCP and UDP connections
back to the F5 BIG-IP to authenticate and connect to the virtual desktop.
Solution Extension: A BIG-IP hardware platform can perform the functions of an external
perimeter firewall, secure remote access to VMware Horizon View and load balancing of the
Connection Servers. The recommended design given here can be easily applied to a consolidated
F5 BIG-IP hardware solution collapsing multiple functions such as L2-3 firewalling, access to
Horizon View desktops, and application delivery functions.
See http://www.f5.com/it-management/solutions/application-delivery-firewall/overview/ for
more information on the F5 Application Delivery Firewall.
Firewall
Most organizations will require a firewall between the client and the internal infrastructure. Where this firewall is performing Network Address Translation (NAT), it is important to know the external NAT address that clients will connect to. As a solution extension, an F5 BIG-IP hardware appliance running the F5® Advanced Firewall Module™ (AFM) software makes an excellent choice for this role due to its high throughput and DDoS protection capabilities.
VMware Horizon View Optimized BIG-IP APM Virtual Edition
The F5 BIG-IP Virtual Edition (VE) secure appliance acts as a full proxy between the client and all of the
View components. Authentication connections and PCoIP traffic (from external clients) are all
terminated on the appliance before being proxied to the relevant internal component.
The BIG-IP authenticates the View client’s identity with the Microsoft® Active Directory® service before
passing the username and password to the View Connection Server. The BIG-IP provides high availability
and load balancing services for the Connection Servers.
The BIG-IP can provide SSL offload for the client authentication traffic, saving CPU resources on the View
Connection Servers by forwarding traffic to the Connection Server unencrypted.
The BIG-IP replaces the PCoIP proxy functions of the View Security Server role, eliminating a layer of
infrastructure and simplifying management of the solution.
The VMware Horizon View specific configuration is performed using an F5 supplied iApp® template, which creates all the configuration items required to manage the View application traffic. The created configuration follows the tested best practice design and dramatically reduces the time to deploy the solution.
Solution Extension: The Horizon View Optimized APM BIG-IP Virtual Edition includes the full functionality of the BIG-IP APM software. This allows the creation of rich authentication and verification schemes, even when using native clients. The pre-defined policy that the iApp template implements can easily be extended to include a number of additional restrictions such as time of day, Active Directory attribute requirements, and IP location or reputation.
Active Directory
The Microsoft® Active Directory infrastructure provides the authentication service for users connecting to the View system. Active Directory is used by both the BIG-IP and the View Connection Server to authenticate and authorize a user when they connect.
View Connection Server
The View Connection Server serves as broker for client connections. View Connection Server
authenticates users through Windows Active Directory and directs the request to the appropriate virtual
machine.
The View Connection Server provides the following management capabilities:
Authenticating users
Entitling users to specific desktops and pools
Assigning applications packaged with VMware ThinApp to specific desktops and pools
Managing local and remote desktop sessions
Establishing secure connections between users and desktops
Enabling single sign-on
Setting and applying policies
Desktop Pools
Desktop pools are pools of virtual machines running the desktop operating system that the user
accesses from their View client. The BIG-IP proxies the client PCoIP connection to the virtual machine in
the desktop pool nominated by the View Connection Server.
2. F5 VMware Horizon View Architecture
2.1. Network Architecture
Figure 2: F5 VMware Horizon View Network Diagram (networks shown: External VLAN, Internal VLAN, HA VLAN, Management VLAN, Desktop VLAN, Internal Client VLAN and the access network; components shown: external clients, firewall, router, the APM pair, internal clients, Connection Servers, Compositor Servers, Desktop Servers, Active Directory, DNS, NTP, SQL Servers, vCenter® Server and ESXi® hosts)
2.2. F5 VMware Horizon View iApp Template
F5 iApp templates allow the creation and management of BIG-IP configurations supporting specific
applications.
The iApp template for the VMware Horizon View Optimized Solution can be downloaded from the F5
DevCentral site (https://devcentral.f5.com/wiki/iApp.VMware-Applications.ashx) and installed into the
templates library on your BIG-IP systems.
The use and deployment of the iApp template is fully documented in the deployment guide that
accompanies the iApp template. It is recommended that you read the rest of this guide to provide
background and design information before commencing with the iApp deployment.
Supplemental Notes to the Deployment Guide:
Configuring the BIG-IP System
This section in the deployment guide provides a step-by-step guide to deploying the BIG-IP software
onto a virtual machine.
Correct network settings are important. Ensure you map the correct source and destination networks
during the network mapping steps. Refer to section 3.2 and Figure 4 to understand the use of each
network. While adhering to this design is not mandatory (BIG-IP is an extremely flexible platform and
can be successfully configured in many different ways), using the default network objects and names will
result in a simpler and faster installation.
Other notes:
Step 5 of the deployment guide gives instructions for importing an SSL device certificate to match the FQDN host name of the BIG-IP. This represents good practice, and failure to do this will result in SSL certificate errors when accessing the BIG-IP management GUI, but it is not essential, especially during piloting or testing phases. Updating device certificates at a later date, however, will require some updating of the HA pairing of the devices, since device certificates are used to encrypt communications between devices and are exchanged to establish device trust.
3. F5 Recommended Practices
3.1. F5 BIG-IP Base Configuration & High Availability
The F5 BIG-IP performs a critical role in the infrastructure and must be configured in a highly available
pair. In the event of the active BIG-IP running the services supporting View connections becoming
unavailable the other node will take over traffic processing.
High availability for BIG-IP systems is delivered by F5 Device Service Clustering (DSC). DSC is part of the F5 ScaleN™ architecture, which creates a programmable high performance Application Services Fabric. This reference architecture, however, is concerned only with the setup of a highly available active-standby pair of BIG-IP appliances.
DSC relies on network communications between the appliances for heartbeat, failover and configuration
synchronization purposes. Whilst a wide range of manual configurations are possible, adhering to the
defaults expected by the setup wizard will greatly simplify the installation process.
Figure 3: F5 DSC Network Communications
3.2. Networking and IP Addresses
The BIG-IP Setup Wizard will expect the creation of a minimum of three logical network objects. BIG-IP
uses the term ‘VLAN’ to refer to a logical network object which associates a network interface with a
Self-IP and Subnet. See the link below for more detailed information on F5 and VLANs.
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_tmos_concepts_11_0_0/tmos_vlans.html
In addition, a management network connection will be required. The management network is used both to administer the BIG-IP system and as part of ScaleN clustering communications.
The logical networks (VLANs) required are:
A VLAN for the internal network, named internal
A VLAN for the external network, named external
A VLAN for failover communications, named HA
You should plan for the following IP addressing for the base device setup (this is the total for both devices):
Three IP addresses on the same subnet for VLAN internal
Three IP addresses on the same subnet for VLAN external
Two IP addresses on the same subnet for VLAN HA
Two IP addresses on the management network, one for each appliance
All VLANs must have separate IP subnets and cannot have overlapping subnets (see footnote 1).
In addition IP addresses for the VMware Horizon View services will be required.
An IP address on the external network for terminating external VMware Horizon View client traffic
An IP address on the internal network for terminating internal VMware Horizon View client traffic
These IP addresses are shared between the highly-available pair, but are only active on one device at any given time.
Figure 4: Example IP addressing Schema
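The addressing rules above (three addresses each on internal and external, two on HA, two management addresses, non-overlapping subnets, and one floating View service address on the external and internal networks) are easy to get wrong on paper. The following validator is an added example, not part of the F5 guide; the plan layout and every sample address are constructed for illustration.

```python
"""Validate a BIG-IP active-standby addressing plan against section 3.2:
three addresses each on the internal and external VLANs (one self-IP per
device plus a floating self-IP), two on the HA VLAN, two management
addresses, non-overlapping subnets, and one View service address each on
the external and internal networks.

Added example, not part of the F5 guide; the plan layout and all sample
addresses are constructed for illustration.
"""
import ipaddress

# Addresses needed per VLAN for the pair, as listed in section 3.2.
REQUIRED_COUNTS = {"internal": 3, "external": 3, "ha": 2, "management": 2}


def validate_plan(plan, service_addresses):
    """Return a list of problems (an empty list means the plan is consistent).

    plan: {vlan: {"subnet": "10.10.1.0/24", "addresses": ["10.10.1.11", ...]}}
    service_addresses: {"external": ip, "internal": ip} for the View virtual
    servers that float between the two devices.
    """
    problems = []
    networks = {}
    for vlan, required in REQUIRED_COUNTS.items():
        entry = plan.get(vlan)
        if entry is None:
            problems.append(f"VLAN '{vlan}' is missing from the plan")
            continue
        try:
            net = ipaddress.ip_network(entry["subnet"], strict=True)
        except ValueError as exc:
            problems.append(f"VLAN '{vlan}': bad subnet ({exc})")
            continue
        networks[vlan] = net
        addrs = [ipaddress.ip_address(a) for a in entry["addresses"]]
        if len(addrs) != required:
            problems.append(f"VLAN '{vlan}' needs {required} addresses, has {len(addrs)}")
        if len(set(addrs)) != len(addrs):
            problems.append(f"VLAN '{vlan}' lists an address twice")
        # Self-IPs (including the floating self-IP) must sit inside the VLAN's subnet.
        for a in addrs:
            if a not in net:
                problems.append(f"{a} is outside the {vlan} subnet {net}")
    # Subnets must be distinct and must not overlap (footnote 1 of the guide).
    names = list(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append(f"subnets of '{a}' and '{b}' overlap")
    # The View service addresses live on external/internal and must not
    # collide with any self-IP on that VLAN.
    for vlan in ("external", "internal"):
        raw = service_addresses.get(vlan)
        if raw is None:
            problems.append(f"no View service address for '{vlan}'")
            continue
        sa = ipaddress.ip_address(raw)
        if vlan in networks and sa not in networks[vlan]:
            problems.append(f"View service address {sa} is outside the {vlan} subnet")
        if vlan in plan and sa in [ipaddress.ip_address(a) for a in plan[vlan]["addresses"]]:
            problems.append(f"View service address {sa} clashes with a self-IP on {vlan}")
    return problems


# Constructed sample plan: private/documentation ranges, one subnet per VLAN.
SAMPLE_PLAN = {
    "management": {"subnet": "10.10.0.0/24", "addresses": ["10.10.0.11", "10.10.0.12"]},
    "internal": {"subnet": "10.10.1.0/24",
                 "addresses": ["10.10.1.11", "10.10.1.12", "10.10.1.10"]},
    "external": {"subnet": "192.0.2.0/24",
                 "addresses": ["192.0.2.11", "192.0.2.12", "192.0.2.10"]},
    "ha": {"subnet": "10.10.3.0/24", "addresses": ["10.10.3.11", "10.10.3.12"]},
}
SAMPLE_SERVICE = {"external": "192.0.2.20", "internal": "10.10.1.20"}

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN, SAMPLE_SERVICE) or ["plan OK"]:
        print(line)
```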
3.3. Time Synchronization
Time synchronization is important in BIG-IP DSC operations, and it is critical that the BIG-IP and the
Active Directory services be in sync. NTP services should be available and BIG-IP devices should be
configured to use NTP services during the initial setup.
3.4. DNS
The BIG-IP systems should be able to resolve the hostnames of the Microsoft Active Directory servers for authentication purposes. The use of DNS servers is highly recommended for this. If DNS has not already been configured on the platform, the iApp template (see section 2.2 above) allows the configuration of DNS during the application service deployment.
Footnote 1 (section 3.2): There are advanced configurations of the BIG-IP platform that can eliminate this requirement, but at the cost of additional complexity.
3.5. ESXi Host Selection
Host Resource Requirements
BIG-IP® Virtual Editions require the following minimum virtual machine guest environment:
Concurrent Users   vCPUs   RAM (GB)   Disk Space (GB)
100                2       4          100
250                2       4          100
1000               2       4          100
For production use it is recommended to thick-provision the disk.
Host Separation
Each member of the DSC cluster should reside on a different ESXi host. Where you are using VMware
Dynamic Resource Scheduler (DRS), create a DRS rule with the option Separate Virtual Machine that
includes each unit of the BIG-IP VE redundant pair.
The following links discuss these topics in more detail:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-esxi-11-4-1/4.html#r_ve_best_practices
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-11-4-0.html
3.6. SSL Certificates
SSL certificates are used to both secure the HTTPS traffic from clients to the BIG-IP (and on to the
connection broker) and in generating keys and tokens for securing and authenticating PCoIP traffic from
client to desktop. Planning and management of SSL certificates is therefore an essential component in
the architecture design.
Figure 5: SSL Certificate Requirements
SSL Certificate Use
The method described in the “F5 APM Optimized Solution for VMware Horizon View” deployment guide (see section 2.2) is to use a single SSL certificate that signs the FQDN to which clients will connect and modifies the connection servers to use this same FQDN. This certificate is installed on both the BIG-IP devices and the Connection Servers. This certificate shod
SSL Decryption
The F5 BIG-IP can be configured to either pass the authentication traffic to the Connection Server in plain text or to re-encrypt the traffic over SSL. Re-encrypting secures the data within the internal network at the expense of additional workload on the compute resources. Controlling the re-encryption of data is done using the iApp setup for VMware View on the BIG-IP (see below). If SSL offload (no re-encryption) is chosen, then the VMware Horizon View Connection Servers will need to be configured to listen on port 80 on their internal network address. This involves creating and/or editing the locked.properties file and is documented in the VMware Horizon View Administration documentation (VMware Horizon View Administration > Configuring View Connection Server > Configuring Settings for Client Sessions > Off-load SSL Connections to Intermediate Servers).
Installation Note: The SSL Certificate friendly name must be set as “vdm”. See http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-E5EA22DE-E8CD-4E8D-8F76-C5105307D09F.html for additional information.
3.7. Hostnames and Addresses
Horizon View clients will need to be configured with a single, resolvable FQDN that points to the relevant IP address of the service (either the address on the internal network or the firewall's external address); this FQDN should match one of the FQDN entries (or a wildcard equivalent) on the SSL certificate. For maximum flexibility F5 recommends that all clients, internal and external, are given the same FQDN and that a split DNS system resolves it to the correct address depending on the location of the client.
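Before the certificate is installed on the BIG-IP and the Connection Servers, it is worth confirming that the single client FQDN (and the Connection Server names that are changed to use it) is actually covered by the certificate's names, including the wildcard rules server certificates follow. The checker below is an added example, not from the F5 guide or VMware; the SAN list and hostnames are constructed.

```python
"""Check that the client-facing View FQDN is covered by the SSL certificate's
subject alternative names, as section 3.7 requires.

Added example, not part of the F5 guide. Matching follows the usual rule for
server certificates: a wildcard is honoured only as the entire left-most
label and matches exactly one label, so *.example.com covers
view.example.com but not example.com, a.b.example.com or *.com.
All sample names are constructed.
"""


def hostname_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, must not appear anywhere
    # else, and must sit under at least two further labels (reject *.com).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # a wildcard matches exactly one label, never several
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_names, required_fqdns):
    """Return the required FQDNs that no SAN entry on the certificate covers."""
    return [fqdn for fqdn in required_fqdns
            if not any(hostname_matches(san, fqdn) for san in san_names)]


# Constructed certificate SAN list and the names the deployment will use:
# the one FQDN every client (internal or external, via split DNS) connects
# to, plus the Connection Servers after they are switched to that FQDN.
SAMPLE_SAN = ["view.example.com", "*.view-int.example.com"]
SAMPLE_REQUIRED = ["view.example.com", "cs1.view-int.example.com",
                   "cs2.view-int.example.com", "cs3.corp.example.com"]

if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_SAN, SAMPLE_REQUIRED):
        print("not covered by certificate:", name)
```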
3.8. Authentication
Active Directory (AD) services are used by both the BIG-IP and the View Connection Servers to authenticate user sessions. Active Directory objects are defined on the BIG-IP as part of the View deployment. If anonymous binding is not allowed by the Active Directory, an administrator account and password will be required during the View iApp Service creation on the BIG-IP.
Clients are authenticated by the F5 BIG-IP against the Active Directory before they are proxied to the Connection Server. This ensures that only traffic from authenticated users is allowed into the internal network.
Active Directory authentication can be configured against a single AD server or against a pool of AD servers for high availability.
3.9. Suggested Implementation Flow
Design and Document
A successful VMware Horizon View deployment requires a variety of systems to work together, including authentication, traffic management, DNS, firewalls, and View components. Documenting IP addressing, routing, Active Directory accounts and SSL certificates will ensure a faster and more successful deployment.
Solution Extension: F5 Global Traffic Manager is an advanced DNS solution that gives logical and programmatic control of DNS names, making it simple to direct a client to the most appropriate address based on their location or the availability of services. See http://www.f5.com/it-management/solutions/global-load-balancing/overview/ for more details.
Installation Note: The SSL certificates used for offload will still need to be installed onto the
Connection Servers irrespective of the method chosen since the certificate thumbprint is sent to
the client by the server to validate the connection.
Obtain or Generate SSL Certificates
As discussed above, SSL certificates are key components in View deployments; the required SSL certificates should be obtained (or generated) in advance of the deployment.
Configure Networking
Ensure the availability of the required networks and document which Port Groups they will map to for
the guests. Test connectivity to routers, firewalls and clients.
For instance:
Destination Network   Source Network*   Network Adapter   BIG-IP Interface   BIG-IP VLAN
Management                              1                 Management         Management
Internal                                2                 1.1                Internal
External                                3                 1.2                External
HA                                      4                 1.3                HA
*Port Group – defined in your virtual infrastructure.
Configure or verify supporting infrastructure components
Test the DNS resolution, NTP, and AD components.
Implement View Components
Follow the VMware Horizon View installation and planning notes:
https://www.vmware.com/support/pubs/view_pubs.html.
Note that you may want to enable HTTP connections on the View Connection Servers (see section 3.6
above) if you do not wish to re-encrypt SSL traffic, but should install the correct SSL certificate onto the
Connection Servers.
Test internal View client
Test that the View client can access View desktops by connecting directly to all Connection Servers.
Implement base BIG-IP configuration
Follow the setup guide for BIG-IP Virtual Edition on ESXi:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-esxi-11-4-1.html
In step 13 or 14, refer to the table above to map the source networks for the management, internal, external and HA networks correctly.
Once you have a management address assigned for both BIG-IP Virtual Edition appliances, move on to configuring the active-standby high availability configuration by following the steps in the “F5 BIG-IP TMOS: Implementations” guide:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/2.html#conceptid
The system setup wizard will guide you through licensing, creating logical VLANs, assigning IP addresses
and provisioning software.
At the end of this step you should have a pair of BIG-IP Virtual Edition systems configured on the
required networks and in a high-availability pair.
You may also need to add static routes for connectivity to components within your environment. See:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-ip-routing-administration-11-4-1/3.html#conceptid
Test Connectivity
Before proceeding to deploying the iApp template for View configuration, first test connectivity to all the required components. Unless noted below, the CLI “ping” will be adequate.
Firewall
External clients
DNS (use “nslookup” from the CLI)
NTP (use “ntpq -np” from the CLI)
Internal clients
Connection Servers
Active Directory (use “adtest”; see https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11308.html for more information)
Run BIG-IP VMware Horizon View iApp Template
See above for running the iApp template and the required information and settings.
Test View Connections
You should now be able to test View connectivity from both internal and external clients.
Test High Availability
Now that services are running on the systems test the continued availability of the View service under
various failure conditions.
Installation Note: during the provisioning step you should ensure that the Access Policy Manager (APM) module is enabled and the provisioning is set to dedicated (this may not be the case if you are adapting this architecture into a consolidated BIG-IP system running other modules or functions).
4. Conclusion
F5’s VMware Horizon View Reference Architecture enables you to cost-effectively deliver rich, personalized virtual desktops while increasing your VDI performance, control, security, and simplicity.
By following the architecture design and recommended practices in this document, organizations can design and deploy a simple, robust infrastructure to manage access to VMware Horizon View desktops.
5. Further Reading & Resources
VMware Horizon View Information
http://www.vmware.com/products/horizon-view/
F5 iApp for VMware Horizon View Optimized Solution by F5
https://devcentral.f5.com/wiki/iApp.VMware-Applications.ashx
F5 PCoIP Proxy for VMware Horizon View
http://www.youtube.com/watch?v=Ayjmq8HRkRw
F5 BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations
11.4: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-vmware-integration-implementations-11-4-0.html
11.5: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-implementations-11-5-0
F5 Support
http://support.f5.com