Forum Discussion
View Connection Server Config with UAG
Hi Jay,
I have a similar question. I found this guide: http://docs.hol.vmware.com/HOL-2017/hol-1759-use-3_html_en/
There is a newer version if you log in to VMware HOL - http://labs.hol.vmware.com/HOL/catalogs/lab/3675
I'm wondering if there is a way to load balance both UAG and Connection servers within the same LTM, given that both UAG and Connection server nodes will have their own VIPs. How is your setup? Did you have luck setting it up?
- R_Marc Jul 03, 2018 Nimbostratus
I'm setting this up now, and yes, you only really need one cluster. You'll need separate VIPs, X VIPs for public stuff and X VIPs for the internal stuff. There's zero reason these have to live on different clusters. It took me a while to convince the VMware SE of that, as he has his script and that's all they know.
You could even do it all on the same VIPs, but that would be more complicated than it needs to be (via an iRule to separate traffic based on source IP).
R. Marc
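
One way the single-VIP variant mentioned above could look, as an added example that is not part of the original post or anyone's production config. The data group `uag_source_nets` and the pools `pool_uag` and `pool_connection_servers` are hypothetical names; the iRule assumes the virtual server sees the real source address (no upstream SNAT).

```tcl
# Added example; all object names below are assumptions, not from the thread.
# uag_source_nets: address-type data group holding the UAG subnet(s).
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals uag_source_nets] } {
        # Connection originates from a UAG appliance: it has already been
        # brokered, so forward it to the Connection Server pool.
        pool pool_connection_servers
    } else {
        # Any other source, internal or external, is sent to the UAG pool,
        # so no client reaches a Connection Server directly.
        pool pool_uag
    }
}
```

With this layout the source address is the only thing keeping clients away from the Connection Servers, which is part of why separate VIPs are the simpler design.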
- Petar-I_365989 Jul 03, 2018 Nimbostratus
Thanks R Marc. Here is how I want to make it work, and I'm wondering if your setup is similar.
All our clients will connect to VM desktop/app through the UAGs' VIP (external IP). This is because we do not trust our internal clients to directly connect to connection servers. So all clients will establish connections as follows:
client -> UAGs cluster VIP -> Connection server cluster VIP -> VM desktop/app
Our UAGs and Conn servers are on separate subnets, so having them on the same LTM seems OK, and you confirmed this too.
I'm also willing to use iApp for both - 1 iApp for UAG, and 1 for Connection servers, basically load balancing both clusters. The guides I have shared before - http://docs.hol.vmware.com/HOL-2017/hol-1759-use-3_html_en/ talk about LB for either UAG, or Connection servers, but not the case when I want to do both via separate iApps, and have this work.
Wondering if the above is a supported approach, although I see no reason for this to be an issue. What's your take?
-Pete
- R_Marc Jul 03, 2018 Nimbostratus
I do not use iApps (I've had nothing but trouble with them). My use case might be a touch different, as this is for a mobile MDM thingy + application VPN. I think there are other uses for UAG, but this is the only place I use it. But yeah, the second cluster in their diagram is completely unnecessary as it has to cross the firewall either way, having a second LTM cluster, physically, is redundant. You could do with two separate iApps on the same F5 cluster, which is effectively what I'm doing, minus the iApps.
- Jay_Spell Jul 05, 2018 Altostratus
We set everything up with the iApps - one for DMZ - one for Internal. The UAGs in DMZ forward traffic to the internal VIP. We have not had a problem with the configuration, but the VDI group is still testing the configuration. Can give you an update once we have client traffic.