view
6 Topics

APM :: VMware View :: Blast HTML5
I'm trying to get the APM functioning with VMware View Blast client - and I am having quite the time. I have tried the iApp (1.5) but haven't been able to get that to function either. At the moment, I have a manual configuration based-off of the deployment guide. The deployment guide says to create a forwarding virtual server, and the iApp does the same thing. Neither of which seem to be working for me.

So with the forwarding VS above created… I can log-in fine, the webtop displays, the RDP link I have works great... the Blast HTML5 link... not so much. If I click on the VMware View desktop shown above, it brings me to the following:

The error shown above is thrown-around a lot by View, so it’s hard to say what the real problem is. I’ve seen that error displayed for straight-up communications issues in the past… which I think this is. If I do a tcpdump on the BIG-IP, I can see it trying to connect to 8443, but it cannot connect (SYNs… no SYN/ACKs).

11:27:30.022625 IP x.x.x.10.28862 > x.x.x.252.8443: Flags [S], seq 2246191783, win 4140, options [mss 1380,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/xxxxxxxxxxxxxxxxxxxx-https

Source is the floating IP, destination is the VS. I know 8443 is listening on the VMware View server because I can connect to it locally. And I know the VMware View server knows how to get back to the F5 because it populates the webtop with my available desktop(s) shown above. I tried converting the forwarding VS to standard, assigned a pool, etc… and it still did the same thing. SYNs… no SYN/ACKs.

What might be telling though is the lis= above. It lists my main virtual server with the APM policy assigned. That makes me think though… Why is it trying to connect to that VS and not the forwarding VS? The forwarding virtual server is a better match no? In any event, yeah if the virtual server isn’t listening on 8443, of course it won’t reply back (my thought-process anyway).
So I figure… welp, why not just try an “any” port VS… yeah not so much. If I manually remove the :0 and submit, it loads the same error about the certificate. Nothing shows-up in tcpdump trying to connect to 8443 either - so, a step back.

If anybody happens to have any ideas for me, I would be really appreciative. Thanks!

696 Views, 0 likes, 11 Comments

APM :: VMware View USB Redirection
I'm trying to get USB redirection working with VMware View 6.1.1, but I am not having any luck (BIG-IP v13.0). I took a look at the deployment guide (https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf) and I noticed that my setup is a little bit different. The deployment guide talks about USB redirect when you're initiating the connection with the Horizon client:

... however I'm using a scenario where the user logs into a webtop, and then they launch the Horizon client from within the webtop (using a VDI/RDP profile that points to the VMware View pool). I have my assignment like so:

... where View USB is the VMware View Policy with USB redirection enabled, and View Assign is the Active Directory Resource Assignment.

Is this supposed to work? Am I missing something that you know of?

Thanks!
-Ryan

672 Views, 0 likes, 5 Comments

Connection Server Options for Horizon View iApp
I have used the iApp to build a VDI solution with the following basic configuration:

- Yes, deploy APM
- Yes, support HTML 5 clientless connections
- SSL bridging
- One IP defined for untrusted clients
- A different IP defined for local clients

Of course I've also defined the SSL certificate, pool members, FQDN, etc.

Reading the deployment guide for the View Connection servers (we're not using security servers) under the heading "Modifying your Connection Servers to support HTML 5 clients" it states:

Modify the Connection Servers to remove the Use Secure Tunnel connection to desktop and use Blast Secure Gateway for HTML.
a. From the View Configuration tab, select Servers, and then click Connection Servers.
b. Highlight one of the Connections servers and then click Edit.
c. Modify the HTTP External URL and BLAST External URL to match the URL of your SSL certificates.
d. Clear the check from Use Blast Secure Gateway for HTML access to desktop.
Important: If using a BIG-IP version prior to 12.1 only: Clear the check from Use Secure Tunnel connection to desktop after modifying the External URLs. If using a BIG-IP version 12.1 and later only: If using v12.1 or later, you can leave this box checked if necessary (for example, this box must be checked if using USB redirection).

If anyone can help, my questions are as follows:

1) Why does it tell you to populate the blast gateway and external URL fields only to then clear the checkboxes for their use?
2) When testing from my internal network why can I only get a successful VDI desktop when the blast gateway field is ticked - going against what the deployment guide states?

482 Views, 0 likes, 1 Comment

VDI Access Policy
I've used the Horizon View iApp to secure access to our VDI environment but I have a query regarding the access policy. During the build I said 'no' to SecurID as although I do want 2FA we are using Radius. So now I want to add 2FA auth onto the access policy.

For the browser logons this is simple as I added a 3rd password field and used a variable assign to switch the fields as necessary for either AD or Radius auth. For the client logon page though there does not seem to be an option to add a 3rd password field. My only option is to select from a dropdown whether I want the form to support Windows, RSA, Disclaimer, Radius or Smart Card.

I could do the Radius auth, come back to a 2nd logon page for AD credentials, then to AD auth, but as with the browser logon I'd much prefer if this could be done on a single page. Is this possible?

As a side note - why on earth does the iApp template only support SecurID as a 2FA method?

197 Views, 0 likes, 0 Comments

APM :: VMware View :: PCoIP & UDP/0
Has anybody run into an issue where the virtual machines reply back with UDP/0?

After I log-on and am presented the webtop, I click the VMware View desktop link, I click to launch the VMware View Client, and then the client opens and connects. I'm shown the infamous black/grey screen, and then it errors-out. If I look at the firewall logs, I see the following:

- The F5 floating IP connects to the virtual machine on TCP/4172 (for PCoIP I presume)
- Data is transmitted between the two and it finishes FIN/ACK
- The virtual machine then attempts an outbound connection to the F5 floating IP from UDP/4172 destined to UDP/0

Of course, the outbound connection-attempt to UDP/0 is dropped by the firewall since it's invalid. Any ideas on what could be causing this? I would anticipate the virtual machine would connect to UDP/4172 and not port 0.

Thanks
-Ryan

317 Views, 0 likes, 3 Comments

A 'Horizon' View from Above
Desktop and endpoint device management has long been a challenge for IT. People demand flexibility, multiple access options, and desktop customization, while business groups often require multiple desktop types based on business and/or technical requirements. This sour mash of devices can be a major management headache. Add in support for all the different desktop/laptop needs and desktop management can all but consume IT.

VMware User Computing

VMware Horizon View—part of VMware’s Horizon Suite of products—alleviates two major management headaches: location and standardization. To solve the location problem, virtual desktop infrastructure (VDI) deployments virtualize user desktops by delivering them to individual clients over the network from a central location. Those desktops are stored and run in the data center, rather than having individual desktop/laptop machines in the field running localized operating systems. This seamless virtualization goes undetected by users.

To solve the standardization problem, VMware enables business groups with specific desktop needs to be clustered together in the data center and managed as a unit. For example, when all the Windows machines need a new service pack, it can be installed to the master image in the data center, which is delivered to users the next morning when they log in. Because IT staff no longer have to visit each local system or push software installations down through remote tools, employees aren’t forced to reboot during the business day.

In addition to these location and standardization concerns, the user experience is consistently cited by organizations as critical to the success of virtual desktop deployments. Performance has to compare favorably to a conventional desktop while availability and security need to be even greater. F5 offers a variety of solutions to help organizations maximize the success of these critical elements in their View desktop deployments.
Together, F5 and VMware have thoroughly tested and documented the benefits of using F5 Application Delivery Networking (ADN) solutions with VMware View to address the needs for secure access, a single namespace, load balancing, server health monitoring, and more.

Performance and Scalability

The larger the VMware Horizon View deployment, the more View Connection Servers are needed to handle the concurrent desktop connections. VMware Horizon View Optimized Secure Access & Traffic Management by F5 provides valuable load balancing and health monitoring, resulting in higher system availability and greater scalability—and ultimately, a better user experience. Additionally, an F5 iApps Template makes configuration straightforward, simplifying setup by providing the recommended settings and helping to prevent human error.

VMware View client connectivity utilizes multiple ports and protocols that must be directed at the same View Connection Server for a successful session. While PC over IP (PCoIP), the View desktop streaming protocol, is UDP-based, SSL-encrypted TCP connections are utilized for authentication and USB tunneling. Save capacity on the View Connection Servers by offloading this encryption to an F5 BIG-IP.

Enhanced Security and Access Control

Ensuring secure remote access is critical to protecting corporate information and often required in certain regulatory situations. To route incoming Horizon View connections to the internal network, a PCoIP proxy is needed in an organization’s DMZ. BIG-IP Access Policy Manager (APM) fulfills this function in a secure and scalable way. Placing BIG-IP APM in the DMZ avoids the need to expose sensitive Windows servers, Active Directory domain-joined servers, or View Connection Servers to the potentially risky DMZ. It also eliminates the requirement for VMware Security Gateway servers in the DMZ.
The BIG-IP APM appliance proxies the PCoIP connection, passing it internally to any available Connection Server within the View pod, which then interprets the connection as a normal internal PCoIP session. This provides the scalability benefits of a BIG-IP appliance and gives BIG-IP APM and BIG-IP Local Traffic Manager (LTM) visibility into the PCoIP traffic, enabling more advanced access management decisions.

A streamlined iApp Template is also included to ease deployment. This custom iApp presents fewer configuration options than the full iApp for View, which can be used if advanced functions are required. Either iApp yields a configuration that can be modified as needed to address specific business and technical requirements. These new F5 solution options were developed in conjunction with VMware and are easy for organizations to deploy and support.

There are certainly advantages of deploying a virtualized desktop solution like VMware Horizon View throughout the enterprise. By deploying the F5 BIG-IP system alongside it, organizations can achieve higher security, availability, and scalability while improving the worker's experience. In addition, new and optimized solutions reduce both the cost and deployment complexity to ensure a BIG-IP ADC becomes a standard View component.

ps

Related

- VMware PEX 2014: F5 VMware Technology Alliance – Horizon View (feat Strobel)
- VMware PEX 2014: Optimized Horizon View Technical Whiteboard (feat Pindell)
- F5 Reference Architecture for VMware Horizon View
- New Virtual Editions of F5 BIG-IP® Access Policy Manager® Tailormade for VMWare Horizon View
- F5 and VMware Strengthen End-User Computing Offerings to Enhance Customers’ Virtual Desktop Infrastructures
- VMware EUC and F5: There are Three S's In Success(full VDI Deployments)
- F5 Solutions for VMware

318 Views, 0 likes, 0 Comments