Forum Discussion

BMeyering_10972
Nimbostratus
May 22, 2012

VMWARE VIEW health monitor SG/Connection broker mapping

We have F5 Big IP 3600 LTM running version 11.1 HF2.

The F5 currently is acting as a front-end for the VMware security servers which do the authentication. Let’s say 2 physical servers per VIP. A client connects to the VIP (and a security server) and then the security server authenticates the client and pushes them to a Connection Broker (also 2 of them), with a 1:1 mapping: a security server interacts only with its assigned connection broker.

So the problem we’re having is that the node in F5 is still marked up (box and services are responding) even when its paired connection broker is down. Would it be possible to configure a health monitor on the F5 to monitor a node other than the ones that it’s assigned to use in the load balancing pool?

Quick mock-up of our setup…

(there’s 3 VIPs for each IP… tcp/443, udp/4172 and tcp/4172)
VIP: 10.2.1.101
  VS: view.example.com_sslvpn_tcp_443
    VMView_sslvpn_pool
      Nodes
        172.26.15.20:0
        172.26.15.31:0
      Health Monitors
        tcp/443
        tcp/4172
        udp/4172

172.26.15.20 is “paired” with connection broker 10.26.15.20
likewise for .31

  • mendoza_60364
    Historic F5 Account
    Testing the View Servers

    One of the best methods to test and make sure the servers are working is to run the following command from a client machine.

    echo -en "GET /view/ HTTP/1.1\r\nHost: example.server.com\r\nConnection: Close\r\n\r\n" | nc 10.133.84.120 80

    Success will return the following:

    HTTP/1.1 200 OK
    cache-control: no-cache
    Content-Length: 1268
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: JSESSIONID=16692AA68187DB39E1D5B69F3CBFCD6E; Path=/
    Content-Type: text/html;charset=UTF-8
    pragma: no-cache
    Connection: close
    Vary: Accept-Encoding

    VMware View Portal

    If you are testing against HTTPS (443) servers it’s best to use openssl like this.

    openssl s_client -crlf -connect 10.133.84.52:443

    Success will return something like this:

    CONNECTED(00000003)
    depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
      i:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
    ---

    Once you get this you’ll use the same string we used before.

    GET / HTTP/1.1\r\nHost: view.view.tc.f5net.com\r\nConnection: Close\r\n\r\n

    Success will return something like this:

    HTTP/1.1 200 OK
    cache-control: no-cache
    Content-Length: 1268
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: JSESSIONID=36941E985BCD22421591BD52FA6CA0BC; Path=/; Secure; HttpOnly
    Content-Type: text/html;charset=UTF-8
    pragma: no-cache

    VMware View Portal

    In the end your monitor would look like this:

    GET /view/ HTTP/1.1\r\nHost: HOSTFQDN\r\nConnection: Close\r\n\r\n

    and you would expect a response string of

    VMware View Portal

  • In VMware View 5.1 the receive string for the HTTPS Monitor needs to be updated to "VMware.*View Portal" (without the quote marks). This string will work for versions 4.6-5.1.

    We had to add the regex .* between VMware and View because the version 5.1 success page title changed to VMwareView Portal.

    This receive string will test to make sure that both the security server and the paired connection server are up and functioning. If either of them is not functioning then the monitor will fail.

    Paul
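As an added illustration (not code from the thread, nor anything shipped by F5 or VMware), this Python script emulates the monitor described in both replies: it sends the thread's GET string over TLS the way the openssl session does and applies the receive-string regex, with constructed sample replies showing why the 5.1 string needs the `.*`. The live `probe()` function and its disabled certificate verification are assumptions added here, not part of the original posts.

```python
import re
import socket
import ssl

# Send string from the thread; HOSTFQDN is filled in per target.
SEND_TEMPLATE = "GET /view/ HTTP/1.1\r\nHost: {host}\r\nConnection: Close\r\n\r\n"
# Receive strings from the thread: the pre-5.1 literal, and the 5.1 regex whose
# ".*" also matches the changed "VMwareView Portal" title.
OLD_RECV_REGEX = re.compile(r"VMware View Portal")
RECV_REGEX = re.compile(r"VMware.*View Portal")


def build_send_string(host_fqdn):
    """Return the monitor send string for one host (CRLF line endings)."""
    return SEND_TEMPLATE.format(host=host_fqdn)


def monitor_passes(raw_response, recv_regex=RECV_REGEX):
    """True when the reply satisfies the receive string. Like the LTM monitor,
    this only searches for the regex anywhere in the reply; it does not parse
    the status line, so a non-200 reply that still carried the title would pass."""
    return recv_regex.search(raw_response) is not None


def probe(ip, host_fqdn, port=443, timeout=5.0):
    """Live check equivalent to the openssl s_client session in the thread.
    Assumption: the View servers present the self-signed default certificate
    seen in the thread, so chain verification is switched off for this probe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host_fqdn) as tls:
            tls.sendall(build_send_string(host_fqdn).encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return monitor_passes(b"".join(chunks).decode("utf-8", errors="replace"))


# Constructed sample replies (not captured from a real server): the page title
# differs between View 4.6/5.0 and 5.1, and a failed broker returns no title.
SAMPLE_VIEW_50 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<title>VMware View Portal</title>"
SAMPLE_VIEW_51 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<title>VMwareView Portal</title>"
SAMPLE_BROKER_DOWN = "HTTP/1.1 503 Service Unavailable\r\n\r\n<title>Error</title>"
```

Calling `probe("172.26.15.20", "view.example.com")` from a client that can reach a security server reproduces the manual test from the first reply, returning True only when the security server and its paired broker produce the portal page.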