Horizon View "This Page is Not Secure"
I have a connection to my VDI desktops via F5 (build using the iApp) and it essentially works i.e. I can get a virtual desktop although with a slight issue. To start with I enter the URL e.g. https://myvdi.mydomain.com Then after authenticating on the connection server and making my choice of desktop, the URL in the address bar changes to an IP in the range of the private LAN for the virtual desktops e.g. https://10.180.0.80:22443/d/DE841123-FE72-4C6D-A9F3-2E6B7072D7E1/certAccept.html?numPages=3 This results in a typical "this site is not secure" page in IE which I have to manually press on "go on to the webpage." Once I manually continue everything is fine as the URL is then https://myvdi.mydomain.com/portal/webclient/index.html/desktop and I get my authenticated, secure desktop. Does anyone know how I can stop this behaviour?
APM :: VMware View :: Blast Extreme
Anybody have any luck getting Blast Extreme configured for VMware View and APM via Horizon Client? Currently we launch the Horizon client via webtop link (vdi/rdp) and PCoIP is tunneled through the F5 via udp/4172... but our systems engineers are looking to upgrade to Blast Extreme, and I know NOTHING about how it works with the F5. Not too much on the interwebs in regards to this relationship. Is it just a matter of creating another virtual server on the BIG-IP and assigning the VDI profile? Or does the protocol work on TCP/443 and F5 just knows what to do with it on the existing virtual server? Thanks-VMware Horizon and F5 iAPP Deployments Backed by Ansible Automation
The Intro: A little over a year ago I knew barely anything about automation, zero about ansible, and didn't even think it would be something so tied to my life like it is now. I spend all my moments trying to think about how I can make Automation easier in my life, and being in Business Development I spend a lot of time testing F5 solutions and integrations between vendors (specifically between F5 and VMware as well as F5 and RedHat Ansible). I figured why not bring them a little closer together? It takes forever to build Labs and setup environments, and with automation I can do this in mere minutes compared to the hours it use to take (we are talking fresh builds, clean environments). I plan on sharing more about more of my VMware and Ansible automation integrations down the chain (like Horizon labs that can be built from scratch and ready to test in 30 minutes or less). But I wanted to start out with something that I get a lot of questions about:is it possible to automate iApp Deployments? Specifically the VMware Horizon iApp? The answer is YOU CAN NOW! grant you this like all automation is a work in progress. My suggestion is if you have a use case you want to build using what I have started with I encourage it!! TAKE, FORK and Expand!!!! The Code: All of the code I am using is completely accessible via the F5 DevCentral Git Repository and feel free to use it! What does it do? Well, if you are an F5 Guru then you might think it looks similar to how our AS3 code works, if you aren't a Guru its basically taking one set of variables and sending off a single command to the F5 to build the Application (I tell it the things that make it work, and how I want it deployed and it does all the work for me). Keep in mind this isn't using F5 AS3 code, it just mimics the same methods bytaking a JSON declaration of how I want things to be and the F5 does all of the imperative commands for me. --- - name: Build JSON payload ansible.builtin.template: src=f5.horizon.{{deployment_type |lower }}.j2 dest=/tmp/f5.horizon.json - name: Deploy F5 Horizon iApp f5networks.f5_modules.bigip_iapp_service: #Using Collections if not use - bigip_iapp_service: name: "VMware-Horizon" template: "{{iapp_template_name}}" parameters: "{{ lookup('template', '/tmp/f5.horizon.json') }}" provider: server: "{{f5_ip}}" user: "{{f5_user}}" password: "{{f5_pass}}" validate_certs: no delegate_to: localhost All of this code can be found at - https://github.com/f5devcentral/f5-bd-horizon-iapp-deploy/ Deployments: Using the F5 iApp for Horizon provided many options of deployment but they were all categorized into 3 buckets F5 APM with VMware Horizon - Where the F5 acts as the Gateway for all VMware Horizon Connections (Proxying PCoIP/Blast) F5 LTM with VMware Horizon - Internal Connections to an environment from a LAN and being able to secure and load balance Connection Servers F5 LTM with VMware Unified Access Gateway - Using the F5 to load balance the VMware Unified Access Gateways (UAGs) and letting the UAGs proxy the connections. The deployments offer the ability to utilize pre-imported certificates, set the Virtual IP, add additional Connection Servers, Create the iRule for internal connections (origin header check) and much more. All of this is dependent on your deployment and the way you need it setup. The current code doesn't import in the iApp Template nor the certificates, this could be done with other code but currently is not part of this code. All three of these deployment models are considered and part of the code and how its deployed is based on the variables file "{{code_directory}}/vars/horizon_iapp_vars.yml" as shown below. Keep in mind this is using clear text (i.e. username/password for AD) for some variables you can add other ways of securing your passwords like an Ansible VAULT. #F5 Authentication f5_ip: 192.168.1.10 f5_user: admin f5_pass: "my_password" f5_admin_port: 443 #All Deployment Types deployment_type: "apm" #option can be APM, LTM or UAG #iApp Variables iapp_vip_address: "172.16.192.100" iapp_template_name: "f5.vmware_view.v1.5.9" #SSL Info iapp_ssl_cert: "/Common/Wildcard-2022" # If want to use F5 Default Cert for Testing use "/Common/default.crt" iapp_ssl_key: "/Common/Wildcard-2022" # If want to use F5 Default Cert for Testing use "/Common/default.key" iapp_ssl_chain: "/#do_not_use#" #Horizon Info iapp_horizon_fqdn: "horizon.mycorp.com" iapp_horizon_netbios: "My-Corp" iapp_horizon_domainname: "My-Corp.com" iapp_horizon_nat_addresss: "" #enter NAT address or leave empty for none # LTM Deployment Type iapp_irule_origin: - "/Common/Horizon-Origin-Header" # APM and LTM Deployment Types iapp_horizon_connection_servers: - { ip: "192.168.1.50", port: "443" } # to add Connection Servers just add additional line - { ip: "192.168.1.51", port: "443" } #APM Deployment Type iapp_active_directory_username: "my_ad_user" iapp_active_directory_password: "my_ad_password" iapp_active_directory_password_encrypted: "no" # This is still being validated but requires the encrypted password from the BIG-IP iapp_active_directory_servers: - { name: "ad_server_1.mycorp.com", ip: "192.168.1.20" } # to add Active Directory Servers just add additional lines - { name: "ad_server_2.mycorp.com", ip: "192.168.1.21" } # UAG Deployment Type iapp_horizon_uag_servers: - { ip: "192.168.199.50", port: "443" } # to add UAG Servers Just add additional lines - { ip: "192.168.199.51", port: "443" } How do the Variables integrate with the Templates? The templates are JSON based code which Ansible will inject the variables into them depending on the deployment method called. This makes it easier to templates to specific deployments because we don't hard code specific values that aren't necessary or are part of the default deployments. Advanced Deployments would require modification of the JSON code to apply specialized settings that aren't apart of the default. If you want to see more about the templates for each operation (APM/LTM/UAG) check out the JSON Code at the link below: https://github.com/f5devcentral/f5-bd-horizon-iapp-deploy/tree/main/roles/ansible-deploy-iapp/templates The Results: Within seconds I can deploy, configure and make changes to my deployments or even change my deployment type. Could I do this in the GUI? Absolutely but the point is to Automate ALL THE THINGS, and being able to integrate this with solutions like Lab in a box (built from scratch including the F5) saves massive amounts of time. Example of a VMware Horizon iApp Deployment with F5 APM done in ~12 Seconds [root@Elysium f5-bd-horizon-iapp-deploy]# time ansible-playbook horizon_iapp_deploy.yaml PLAY [localhost] ******************************************************************************************************************************************************************** TASK [bypass-variables : ansible.builtin.stat] ************************************************************************************************************************************** ok: [localhost] TASK [bypass-variables : ansible.builtin.include_vars] ****************************************************************************************************************************** ok: [localhost] TASK [create-irule : Create F5 iRule] *********************************************************************************************************************************************** skipping: [localhost] TASK [ansible-deploy-iapp : Build JSON payload] ************************************************************************************************************************************* ok: [localhost] TASK [ansible-deploy-iapp : Deploy F5 Horizon iApp] ********************************************************************************************************************************* changed: [localhost] PLAY RECAP ************************************************************************************************************************************************************************** localhost : ok=4 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 real 0m11.954s user 0m6.114s sys 0m0.542s Links: All of this code can be found at - https://github.com/f5devcentral/f5-bd-horizon-iapp-deploy/Securing your VMware Remote Solutions to Support COVID-19 Work From Home Scaling
Many of us are now working from home in unprecedented numbers. For infrastructure teams it's putting impressive strain on remote work solution. Building off our primary DevCentral COVID-19 article, our support teams and solution architects are hearing from many of you asking us for new and better ways to expand VMware capabilities with F5 BIG-IP Local Traffic Manager (LTM) and Access Policy Manager (APM). Get started securing your VMware remote working solutions with the field-recommended guides below. F5 with VMware Virtual Desktop Infrastructure (VDI) Solutions (Horizon View, Workspace ONE) How to deploy F5 with Horizon View using iApps This is a comprehensive guide for deploying F5 BIG-IP APM with VMware Horizon. Walk through the F5 iApp to assist in configuring APM with VMware Horizon View. How to use BIG-IP LTM in front of VMware Horizon Unified Access Gateway This guide will show step by step guidance on how to use F5 BIG-IP LTM to increase the scale and resiliency of either greenfield or brownfield VMware Horizon deployments. How to Deploy F5 APM with VMware ONE Providing a step-by-step instruction for setting up F5 BIG-IP APM as a proxy gateway for VMware Horizon with VMware Workspace ONE. How to deploy F5 BIG-IP LTM with VMware Workspace ONE Identity Manager (vIDM) This guide provides step-by-step instructions for setting up the first Identity Manager virtual appliance (Node 1), for production implementations. VMware recommends the deployment of two (2) additional nodes for three (3) total. Nodes 2 and 3 will be cloned from the first node after it's been configured and setup with the F5 BIG-IP to provide a fully load-balanced configuration. Reach Out To Us As our technical teams work with our users to provide continuous COVID-19 coverage, you may still need additional information we haven't surfaced yet. If you can't determine what best meets your requirements, let us know in the comments or reach out to our technical community. Don't forget to check out AskF5, our support knowledge center.Change Webtop Remote Desktop Icon
I have an access policy for VMware VDI and I can't seem to change the icons for my webtop/remote desktop links. The default icon is "terminal_service.png" located in /var/sam/www/webtop/public/images/full_wt I have changed this to an icon with the same dimensions (32px) in Access Policy>Customization>Basic>Remote Desktop and General>Branding>Remote Desktops but still the old icon is dispayed. Any ideas?
Remove the Select Client popup from VMware Horizon iApp
Due to security controls, we must have all users use web based HTML (BLAST) access to VDI sessions. The iApp works great, except when you launch a desktop it show a popup to requesting the user select a client (either VMware Horizon or HTML5 Client). I have gone though the iApp template () and cannot find any reference to the popup. I have looked through the APM policy, session-policy and Webtops to see if it there, but I can't seem to find it. Any ideas how to disable this popup?Connection Server Options for Horizon View iApp
I have used the iApp to build a VDI solution with the following basic configuration: Yes, deploy APM Yes, support HTML 5 clientless connections SSL bridging One IP defined for untrusted clients A different IP defined for local clients Of course I've also defined the SSL certificate, pool members, FQDN, etc Reading the deployment guide for the View Connection servers (we're not using security servers) under the heading "Modifying your Connection Servers to support HTML 5 clients" it states: Modify the Connection Servers to remove the Use Secure Tunnel connection to desktop and use Blast Secure Gateway for HTML. a. From the View Configuration tab, select Servers, and then click Connection Servers. b. Highlight one of the Connections servers and then click Edit. c. Modify the HTTP External URL and BLAST External URL to match the URL of your SSL certificates. d. Clear the check from Use Blast Secure Gateway for HTML access to desktop. Important: If using a BIG-IP version prior to 12.1 only: Clear the check from Use Secure Tunnel connection to desktop after modifying the External URLs. If using a BIG-IP version 12.1 and later only: If using v12.1 or later, you can leave this box checked if necessary (for example, this box must be checked if using USB redirection). If anyone can help my questions are as follows: 1) Why does it tell you populate the blast gateway and external URL fields only to then clear the checkboxes for thier use? 2) When testing from my internal network why can I only get a successful VDI desktop when the blast gateway field is ticked - going against what the deployment guide states?
Asymmetric Hardware Requiring Asymmetric View Pool Entitlements
Hi Guys! Need some thoughts on a View farm design. Givens: Horizon 7 Advanced Licensing F5 BigIP x2 - Full alphabet soup license NVIDIA GRID Profiles on page 4 of vGPU User Guide Pod A 5x Cisco UCS B200 2.0Ghz, 2 sockets, 28 cores, 56 threads 512GB RAM NetApp SAS backed 1x NVIDIA GRID M6 in vSGA Mode Pod B 5x Cisco UCS C240 2.6Ghz, 2 sockets, 24 cores, 48 threads 512GB RAM Micron PCIe Backed 2x NVIDIA GRID M10 in vGPU Mode 1GB per VM Pod C 5x Cisco UCS C240 2.1Ghz, 2 sockets, 36 cores, 72 threads 512GB RAM Micron PCIe Backed 2x NVIDIA GRID M10 in vGPU Mode 1GB per VM Pod D 5x Cisco UCS C240 2.1Ghz, 2 sockets, 36 cores, 72 threads 512GB RAM Micron PCIe Backed 2x NVIDIA GRID M10 in vGPU Mode 1GB per VM Pod X 1x Cisco UCS B200 2.0Ghz, 2 sockets, 28 cores, 56 threads 512GB RAM NetApp SAS backed 1x NVIDIA GRID M6 in vSGA Mode 1x Cisco UCS C240 1Ghz, 2 sockets, 36 cores, 72 threads 512GB RAM Micron PCIe Backed 2x NVIDIA GRID M10 in vGPU Mode 1GB per VM Use Scenario: We have 3 types of users. General Purpose Students and Staff Need some GPU to make Win10 experience better Windows 10 Creator vGPU Backed @ 512MB Power User Students and Staff Using apps that require GPU - Adobe Apps, Games, Autocad, Etc. Windows 10 Creator vGPU Backed @ 1GB Generic Accounts These accounts are used for: Kinder -> Second Grade Library Search Kiosks Academic Testing Kiosks (for SBA and MAP computer based testing) School Board Meeting Kiosks Probably fine using vSGA mode graphics Problem: We have a bottleneck with vSphere and View Composer where it takes an inordinate amount of time to prep pools during login/logout storms or events that cause the environment to go sideways. Our thought is to break up into pods to mitigate having all 4 pods go down due to view component parts at the same time. This would also provide the side benefit of only impacting 25% of the environment at a time when going to do upgrades and even make it possible depending on the calendar to do the maintenance of the environment during the production day. Snag: Pod A is composed of vastly asymmetric hardware than what Pod’s B, C and D are composed of. Pod X is set aside so that we have a test bed for image development, upgrade testing and firmware testing with UCS. Hosts from Pod X could be added to Pod A or B if needed to help with increasing capacity. The idea would be to put users that have less need for GPU onto Pod A and run the NVIDIA M6 GRID Cards in vSGA mode to make Windows 10 more bearable due to the limitation of 16 VMs with a 512MB frame buffer if in vGPU mode. Then users who need vGPU would be routed to the C240 pods (Pod B, C and D) and could have a mixture of 512MB and 1GB profiles on the same host provided that like profiles map to the same card giving a theoretical max load of 64x 512MB VMs and 32x 1GB VMs per host and around 5GB RAM per VM if evenly distributed also understanding that in a running configuration that doesn’t allow for enough CPU threads per desktop. So at the end of this is what is the best method to use for having a user login to an entitled pool that doesn’t exist on all 5 pods that are deployed. Do you solve this with a Big-IP config, Cloud Pod Architecture or something else less complex (ie. Load balance Pod B, C and D. Have a separate DNS for Pods A and X.)?Vmware View F5 APM KCD limitations
Before I start banging around in the lab, I figured I'd post something on dev to see if anyone has tried doing authentication delegation with vmware view. I know you can tie vmware view in with active directory so I assume that you can use kerberos for authentication purposes. Now, since you can do that, can you do Kerberos Constrained Delegation? I would assume so, and if so, can you setup a Kerberos Constrained Delegation configuration with F5 APM and vmware view? Ultimately what I am trying to achieve is 2 factor auth with a smart card that is related to an active directory user. I am not a VDI expert by any means. I only know the F5 side of the house. Any knowledge on this subject and the limitations that come with it would be awesome! Thanks!Load Balancing Omnissa Unified Access Gateway with BIG-IP LTM
This article highlights the renewed partnership between Omnissa and F5, focusing on updated guides for integrating F5 BIG-IP LTM with the Omnissa Unified Access Gateway (UAG) for Horizon. UAG, formerly known as VMware Unified Access Gateway, provides secure access to desktop and application resources for remote users. F5’s products enhance the reliability, scalability, and security of UAG deployments, particularly for large Horizon environments requiring multiple pods or data centers. The guide offers two deployment options: leveraging the existing iApp or using a manual method. Both approaches ensure efficient, seamless implementation tailored to users’ needs. The collaboration between F5 and Omnissa continues to drive faster deployments while preparing for future growth and requirements. Readers are also encouraged to explore the integration guide for F5 APM with Omnissa Workspace ONE.
