VMWARE VIEW health monitor SG/Connection broker mapping

Question

We have F5 Big IP 3600 LTM running verision 11.1 HF2&nbsp;&nbsp;
&nbsp;The F5 currently is acting as a front-end for the VMWare security servers which do the authentication. Let’s say 2 physical servers per VIP. A client connects to the VIP (and a security server) and then the security server authenticates the client and pushes them to a Connection Broker (also 2 of them) with a 1:1 mapping of a security server interacts only with its assigned connection broker.&nbsp;
&nbsp;So the problem we’re having is that the node in F5 is still marked up (box and services are responding) even when it’s paired connection broker is down. Would it be possible to configure a health monitor on the F5 to monitor a node other than the ones that it’s assigned to use in the load balancing pool? &nbsp;
&nbsp;Quick mock-up of our setup…&nbsp;
&nbsp;(there’s 3 VIPs for each IP… tcp/443, udp/4172 and tcp/4172)&nbsp;
&nbsp;VIP: 10.2.1.101
&nbsp;VS: view.example.com_sslvpn_tcp_443
&nbsp;                VMView_sslvpn_pool
&nbsp;                                Nodes
&nbsp;                                                172.26.15.20:0
&nbsp;                                                172.26.15.31:0
&nbsp;                                Health Monitors
&nbsp;                                                tcp/443
&nbsp;                                                tcp/4172
&nbsp;                                                udp/4172&nbsp;
&nbsp;172.26.15.20 is “paired” with connection broker 10.26.15.20
&nbsp;likewise for .31&nbsp;&nbsp;

mendoza_60364 · Answer

Testing the View Servers

&nbsp; One of the best methods to test and make sure the servers are working is test run the following command from a client machin. &nbsp;&nbsp;echo -en "GET /view/ HTTP/1.1
Host: example.server.com
Connection: Close

" | nc 10.133.84.120 80 &nbsp;
&nbsp; Success will return the following: &nbsp;HTTP/1.1 200 OK &nbsp;cache-control: no-cache &nbsp;Content-Length: 1268 &nbsp;Expires: Thu, 01 Jan 1970 00:00:00 GMT &nbsp;Set-Cookie: JSESSIONID=16692AA68187DB39E1D5B69F3CBFCD6E; Path=/ &nbsp;Content-Type: text/html;charset=UTF-8 &nbsp;pragma: no-cache &nbsp;Connection: close &nbsp;Vary: Accept-Encoding&nbsp;&nbsp;&nbsp;&nbsp;VMware View Portal&nbsp;
&nbsp; If you are testing against HTTPS (443) servers it’s best to use openssl like this. &nbsp;
&nbsp; openssl s_client -crlf -connect 10.133.84.52:443 &nbsp;
&nbsp; Success will return something like this: &nbsp;CONNECTED(00000003) &nbsp;depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com &nbsp;verify error:num=20:unable to get local issuer certificate &nbsp;verify return:1 &nbsp;depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com &nbsp;verify error:num=21:unable to verify the first certificate &nbsp;verify return:1 &nbsp;--- &nbsp;Certificate chain &nbsp;0 s:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com &nbsp;i:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com &nbsp;---&nbsp;  
&nbsp;Once you get this you’ll use the same string we used before. &nbsp; GET / HTTP/1.1
Host: view.view.tc.f5net.com
Connection: Close

 &nbsp;
&nbsp; Success will return something like this: &nbsp;HTTP/1.1 200 OK &nbsp;cache-control: no-cache &nbsp;Content-Length: 1268 &nbsp;Expires: Thu, 01 Jan 1970 00:00:00 GMT &nbsp;Set-Cookie: JSESSIONID=36941E985BCD22421591BD52FA6CA0BC; Path=/; Secure; HttpOnly &nbsp;Content-Type: text/html;charset=UTF-8 &nbsp;pragma: no-cache &nbsp;VMware View Portal&nbsp; In the end your monitor would look like this: &nbsp;
&nbsp; GET /view/ HTTP/1.1
Host: HOSTFQDN
Connection: Close

 &nbsp;&nbsp; and you would expect a response string of  &nbsp;
&nbsp; VMware View Portal &nbsp;&nbsp;

paul_pindell · Answer

&nbsp;
&nbsp;
In VMware View 5.1 the receive string for the HTTPS Monitor needs to be updated to "VMware.*View Portal". (without he quote marks) This string will work for versions 4.6-5.1&nbsp;

&nbsp;
&nbsp;
We had to add the regex .* between VMware and View because the version 5.1 success page title changed to VMwareView Portal.&nbsp;

&nbsp;
&nbsp;
This receive string will test to make sure that both the security server and the paired connection server are both up and functioning. If either of them are not functioning then the monitor will fail.&nbsp;

&nbsp;
&nbsp;
Paul&nbsp;

Forum Discussion

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

SSL Forward Proxy, iRules and Client Hello

Related Content

AI/Bot Traffic Throttling iRule (UA Substring + IP Range Mapping)

API Gateway Mapping - Gartner - F5

Bigpipe Mappings

F5 TIC3.0 Capability Mappings

iRules Heat Map - US Only