vmware view
16 Topics

APM :: VMware View :: Blast Extreme
Anybody have any luck getting Blast Extreme configured for VMware View and APM via Horizon Client? Currently we launch the Horizon client via webtop link (vdi/rdp) and PCoIP is tunneled through the F5 via udp/4172... but our systems engineers are looking to upgrade to Blast Extreme, and I know NOTHING about how it works with the F5. Not too much on the interwebs in regards to this relationship. Is it just a matter of creating another virtual server on the BIG-IP and assigning the VDI profile? Or does the protocol work on TCP/443 and F5 just knows what to do with it on the existing virtual server?

Thanks

1.8K Views, 0 likes, 15 Comments

APM :: VMware View USB Redirection
I'm trying to get USB redirection working with VMware View 6.1.1, but I am not having any luck (BIG-IP v13.0). I took a look at the deployment guide (https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf) and I noticed that my setup is a little bit different. The deployment guide talks about USB redirect when you're initiating the connection with the Horizon client: ... however I'm using a scenario where the user logs into a webtop, and then they launch the Horizon client from within the webtop (using a VDI/RDP profile that points to the VMware View pool). I have my assignment like so: ... where View USB is the VMware View Policy with USB redirection enabled, and View Assign is the Active Directory Resource Assignment. Is this supposed to work? Am I missing something that you know of?

Thanks!

-Ryan

637 Views, 0 likes, 5 Comments

Delivering Security and Scalability Across the Digital Workspace with Workspace ONE and F5 APM
Hey Everyone! Just wanted to provide an exciting update on a new document in the series for Integration/Deployment guides for F5 with VMware Products. This integration has been a long time coming and really shows F5's and VMware's joint vision of a digital workspace. I am happy to announce that the next document APM Proxy with Workspace ONE is now available to the public!

What is Workspace ONE?

VMware Workspace ONE, powered by VMware AirWatch technology, is an intelligence-driven digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. With Workspace ONE, organizations can remove siloes of cloud, desktop and mobile investments, and unify management of all devices and apps from one platform.

Where does F5 Help?

When combined with Workspace ONE, the portfolio of BIG-IP’s leading ADC technologies optimizes the user experience by delivering speed, scale, and resiliency. Customers can reap several benefits from the integration, including:

Access to Apps without Disruption - This integration helps clients non-disruptively accelerate, simplify, and secure the delivery of business applications. End users are presented with a modern workspace that increases productivity with single sign-on access. IT organizations can utilize their Workspace ONE platform to extend the same user experience to legacy or custom applications. Using identity integrations, VMware provides the platform and user experience, while F5 provides the scale and application interoperability.

Reducing Risk Across the Entire Organization - IT now has access policies that reduce the risk of data loss across the entire organization. Policies include app access (including legacy apps), conditional access and device compliance. Workspace ONE and F5 can leverage modern authentication protocols like OAuth to offload and simplify identity and access management.

Providing Great User Experience Across All Devices - New features in the Workspace ONE and F5 integration, like OAuth and JSON Web Tokens (JWT), help deliver a transparent user experience while ensuring secure access across all devices including mobile, desktop and web interface.

Consolidation of Gateways - Gateway-sprawl can lead to complexity in an environment. With this integration, IT can simplify management of gateways by consolidating them into a single platform using the Workspace ONE and F5 integration.

What does this Integration Guide Detail?

This documentation focuses on deploying F5 BIG-IP APM with VMware Workspace ONE (Cloud or VIDM on-premises) to deliver VMware Horizon desktops and applications in a production environment. This guide will provide the necessary steps for configuring your Workspace ONE Cloud or VIDM on-premises and BIG-IP to work with the JWT Token integration that was developed and tested by VMware and F5. Once configured, access to desktops and applications will become seamless and secure through single sign-on with VMware Workspace ONE and BIG-IP APM.

Here is an example from the integration guide that shows the Workspace ONE network ranges "All Ranges" page with the newly added "Wrap Artifact in JWT" and "Audience in JWT" settings. This will allow the F5 BIG-IP APM to consume the JWT Token to validate a user at the perimeter (DMZ) and once validated will then pass along the SAML Artifact to the Horizon Connection Server(s) for authentication.

In the All Ranges Network Setting:

1. Enable the checkbox for "Wrap Artifact in JWT" on the Horizon Environment that was configured in previous steps
2. Click the + under the "Audience in JWT" next to the checkbox and provide a unique name (our example is f5cpa)
3. Click the Save button.

You can now download the updated step-by-step guide for APM Proxy with Workspace ONE.

Special Thanks to the VMware Workspace ONE development team for all of their assistance putting this together!

451 Views, 0 likes, 2 Comments

iAPP vmware view (only ltm)
Hi, I'm trying to get the v1.5.1 iapp to work with our vmware connection servers. I've tried multiple setups even with the virtual IP on the same subnet as the connection servers. We only have LTM enabled on our Big-IP.

Little overview of the setup: url with public certificate virtual ip: different subnet OR same subnet as the connection server. I switched the IP for this ssl offloading (also disabled the checkboxes on the vmware view connection server + edited the locked.properties file) For the rest is most likely the same

I've tried this only with the DNS host file on my pc to change the url towards the virtual IP on big-ip. I'm not getting this to work. Any Suggestions?

Kind regards,
Igor

401 Views, 0 likes, 5 Comments

WILS: The Importance of DTLS to Successful VDI
One of the universal truths about user adoption is that if performance degrades, they will kick and scream and ultimately destroy your project. Most VDI (Virtual Desktop Infrastructure) solutions today still make use of traditional thin-client protocols like RDP (Remote Desktop Protocol) as a means to enable communication between the client and their virtual desktop. Starting with VMware View 4.5, VMware introduced the high-performance PCoIP (PC over IP) communications protocol. While PCoIP is usually associated with rich media delivery, it is also useful in improving performance over distances. Such as the distances often associated with remote access. You know, the remote access by employees whose communications you particularly want to secure because it’s traversing the wild, open Internet. Probably with the use of an SSL VPN. Unfortunately, most traditional SSL VPN devices are unable to properly handle this unique protocol and therefore run slow, which degrades the user experience. The result? A significant hindrance to adoption of VDI has just been introduced and your mission, whether you choose to accept it or not, is to find a way to improve performance such that both IT and your user community can benefit from using VDI. The solution is actually fairly simple, at least in theory. PCoIP is a datagram (UDP) based protocol. Wrapping it up in what is a TCP-based security protocol, SSL, slows it down. That’s because TCP is (designed to be) reliable, checking and ensuring packets are received before continuing on. On the other hand UDP is a fire-and-assume-the-best-unless-otherwise-notified protocol, streaming out packets and assuming clients have received them. It’s not as reliable, but it’s much faster and it’s not at all uncommon. Video, audio, and even DNS often leverages UDP for speedy transmission with less overhead. So what you need, then, is a datagram-focused transport layer security protocol. 
Enter DTLS:

In information technology, the Datagram Transport Layer Security (DTLS) protocol provides communications privacy for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. The datagram semantics of the underlying transport are preserved by the DTLS protocol — the application will not suffer from the delays associated with stream protocols, but will have to deal with packet reordering, loss of datagram and data larger than a datagram packet size. -- Wikipedia

If your increasingly misnamed SSL VPN (which is why much of the industry has moved to calling them “secure remote access” devices) is capable of leveraging DTLS to secure PCoIP, you’ve got it made. If it can’t, well, attempts to deliver VDI to remote or roaming employees over long distances may suffer setbacks or outright defeat due to a refusal to adopt based on performance and availability challenges experienced by the end users.

DTLS is the best alternative to ensuring secure remote access to virtual desktops remains secured over long distances without suffering unacceptable performance degradation. If you’re looking to upgrade, migrate, or just now getting into secure remote access and you’re also considering VDI via VMware, ask about DTLS support before you sign on the dotted line.

WILS: Write It Like Seth. Seth Godin always gets his point across with brevity and wit. WILS is an attempt to be concise about application delivery topics and just get straight to the point. No dilly dallying around.

Related blogs & articles:
WILS: Load Balancing and Ephemeral Port Exhaustion
All WILS Topics on DevCentral
WILS: SSL TPS versus HTTP TPS over SSL
WILS: Three Ways To Better Utilize Resources In Any Data Center
WILS: Why Does Load Balancing Improve Application Performance?
WILS: A Good Hall Monitor Actually Checks the Hall Pass
WILS: Applications Should Be Like Sith Lords
F5 Friday: Beyond the VPN to VAN
F5 Friday: Secure, Scalable and Fast VMware View Deployment
Desktop Virtualization Solutions from F5

364 Views, 0 likes, 2 Comments

F5 Friday: A Single Namespace to Rule Them All
#vmware An infrastructure architecture that overcomes VMware View concurrency limitations

Sheer volume and geographically disparate deployment of VMware View pods can result in a confusing array of locations from which users must choose to find their preferred desktop.

Currently, View deployments are called “pods” and each is limited to a maximum of 10,000 concurrent users. That may seem an unlikely upper limit to hit, but there are organizations for which that number is an issue. Every additional 10,000 concurrent users requires a unique supporting infrastructure along with a unique endpoint – a URL – to which the client must point. Users must be aware of which URL they should use; Bob cannot rely on Alice for the information, because Alice may be assigned to a different pod.

The same restrictions apply to geographically disparate deployments. A west coast-east coast or even region-based distributed architecture is not uncommon for large and global organizations. Each location requires that the infrastructure supporting the pod be local, too, which means duplicated infrastructure across each geographical location at which it is desirable to deliver virtual desktops. Again, each pod has its own unique endpoint (URL). This can be confusing for end users, and renders more difficult the process of automating client distribution and management, as it may not be known at installation and configuration time to which of the many endpoints the client should point, leaving it in the hands of users who may or may not remember the URL.

A combination of F5 solutions mitigates these pain points by supporting a single, global “namespace” for VMware View, i.e. one URL from which virtual desktops can be delivered, regardless of pod membership or physical location.

HOW IT WORKS

Kevin’s preferred virtual desktop is in the east coast data center. This means if the east coast data center is available, it is preferred to have him connect there, most likely because of Kevin’s proximity to the east coast data center. Kevin travels to California for a business trip, and wants to access his desktop. His desktop has not traveled, and it is preferable to use the same namespace as Kevin would use when on the east coast. To accomplish this, we make use of several F5 technologies, enabling a consistent, global namespace without sacrificing security or performance.

1. The View client connects to the global namespace, e.g. mydesktop.example.com
2. BIG-IP GTM determines Kevin’s location correctly as being on the west coast, and directs his client to the west coast data center, returning 1.1.1.1 as an IP address in response to the DNS lookup. Kevin’s View Client then connects to 1.1.1.1 on port 443.
3. BIG-IP LTM watches Kevin authenticate, sending the username to Active Directory. Examining the response and user attributes, BIG-IP LTM determines that Kevin’s primary desktop is deployed on the east coast.
4. The BIG-IP LTM on the west coast forwards the login request to an available server on the east coast. The connection server logs Kevin in and shows him his available desktop. Kevin opens his preferred desktop.
5. BIG-IP LTM relays the appropriate information back to Kevin’s View client
6. Kevin’s View Client now has the connection information necessary to open his PCoIP session directly to the server in the east coast data center, and does so.

SOLUTION SUMMARY

BIG-IP Global Traffic Manager (GTM) provides the single namespace, e.g. mydesktop.example.com.

BIG-IP Local Traffic Manager (LTM) provides SSL offloading and load balancing of connection broker traffic, enabling scalability and improved performance. It also provides user-based persistence, enabling BIG-IP LTM to direct the user to the correct server based on the VMware View JsessionID.

BIG-IP Access Policy Manager (APM) takes the username and validates it against Active Directory, RADIUS, LDAP or an HTTP-based authentication service as well as determining group membership to locate the preferred desktop.

Working in concert with VMware View servers, this trifecta of intelligent application delivery technologies enables a single hostname for VMware View clients worldwide. It uses the recommended VMware pod deployment model, and has been tested with the iPad, Windows, and zero-client platforms.

336 Views, 0 likes, 0 Comments

APM :: VMware View :: PCoIP & UDP/0
Has anybody run into an issue where the virtual machines reply back with UDP/0? After I log-on and am presented the webtop, I click the VMware View desktop link, I click to launch the VMware View Client, and then the client opens and connects. I'm shown the infamous black/grey screen, and then it errors-out.

If I look at the firewall logs, I see the following:
The F5 floating IP connects to the virtual machine on TCP/4172 (for PCoIP I presume)
Data is transmitted between the two and it finishes FIN/ACK
The virtual machine then attempts an outbound connection to the F5 floating IP from UDP/4172 destined to UDP/0

Of course, the outbound connection-attempt to UDP/0 is dropped by the firewall since it's invalid. Any ideas on what could be causing this? I would anticipate the virtual machine would connect to UDP/4172 and not port 0.

Thanks
-Ryan

299 Views, 0 likes, 3 Comments

RSA then AD connection. How to autopopulate and keep the username?
Hello, I want to give access to our VDI platform through a F5 APM 11.4.1. (with view client and html5). All work fine but I want to make it easier for the user, and more secure. So, I have 2 questions:

1- when view client connection, how to prevent the user to change the username (the RSA and AD ID are similar)? I have put the Read-Only attribute in the logon page with no change. Perhaps in the view.inc? but how?

2- when browser connection, how to autopopulate the username and domain when the user click on remote desktop resource?

thanks in advance.
Regards
Patrice

296 Views, 0 likes, 4 Comments

F5 Friday: Doing VDI, Only Better
#F5 does #VDI, and it does it better.

There are three core vendors and protocols supporting VDI today. Microsoft with RDP, Citrix with ICA, and VMware with PCoIP. For most organizations a single vendor approach has been necessary, primarily because of the costs associated with the supporting network and application delivery network infrastructure required to deliver VDI with the appropriate levels of security while meeting performance expectations of users and the need to maintain high availability. It’s a tall order that’s getting taller with every mobile client introduced, especially when you toss in a liberal dose of enforcing policies regarding access to virtual desktops.

Most folks are well aware of F5’s long history of deep integration with its partners Microsoft and VMware. Whether it’s integrating with management systems or designing, testing, and documenting the often times complex joint architectures required to deliver enterprise-class applications like SharePoint and Exchange or building out a dynamic data center model to support cloud computing, F5 works in tandem with its partners to ensure the best experience possible not only for the ultimate consumers but for the IT operations folks who must deploy the solutions.

But what most folks aren’t likely as aware of is F5’s commitment to and expertise in delivering Citrix VDI as well. That’s natural. After all, Citrix competes with F5 at the application delivery tier and it might seem natural to assume that Citrix could deliver its own technology better than any competitor. But that assumption ignores that F5’s core focus has been and continues to be unified application delivery rather than applications – like VDI – themselves. That unified is in bold because it’s a key factor in why F5 is able to deliver all VDI solutions better, faster, and more efficiently than any other solution today.

See, F5’s approach since introducing v9 and its platform has been about the integration of application delivery services.
Whether those services reside on the same physical (or virtual) platform is not as important as the integration and collaboration between those services that is made possible by being designed, developed, and ultimately deployed on a common, high-speed, high-security application delivery platform. Consider, for example, the case of a comprehensive Citrix VDI delivery solution: That’s a lot of components, each of which adversely impacts performance and increases operational risk by adding additional complexity and components to the architecture. That’s ignoring the cost, as well, added by not only the need to deploy these solutions but to power them, manage them, and maintain them over time. It’s costly, it’s complex, and it’s ultimately not very extensible. Authentication, for example, must be managed in multiple locations, which increases the risk of misconfiguration or human error, and makes it more likely that orphaned identities will be left behind, always a concern as it creates an opportunity for a breach. This solution also requires manual scripting to integrate the disparate authentication sources, yet another tedious, manual and error-prone process. Now consider the same solution, but leveraging F5 and its platform with BIG-IP Local Traffic Manager and BIG-IP Access Policy Manager deployed: Consolidated (and integrated) authentication. Highly extensible policy management and enforcement, and we’ve eliminated the Web Interface Servers (and NetScalers, but as we’ve replaced them with BIG-IP that’s more of a wash than a win). But it’s not just about reducing the complexity (and ultimately the cost) of such a deployment. BIG-IP LTM and APM can simultaneously support Microsoft and VMware VDI while delivering Citrix VDI – as well as a host of other applications. F5’s solution isn’t a VDI delivery solution, it’s an application delivery solution with support for all VDI implementations and protocols. 
That includes Citrix Session Reliability to session roaming and reconnection as well as SmartAccess filters. F5 BIG-IP APM can populate SmartAccess filter values based upon any information discovered using VPE (source IP address, AV presence, client certificate presence, etc.) and pass them to the XML broker for evaluation.

And let’s not forget about Citrix Multi-Streaming, which, to give Citrix credit where due, is an innovative solution to the problem of traffic prioritization in VDI delivery. If you aren’t familiar with Multi-streaming, it was introduced in XenDesktop 5.5 & XenApp 6.5 and uses multiple TCP connections (aka Multi-Stream ICA) to carry the ICA traffic between the client and the server. Each of the connections is associated with a different class of service, which allows the network administrator to prioritize each class of service, independently from each other, based on the TCP port number used for the connection. F5 supports Multi-Streaming and has for some time now. No worries.

Then there’s VMware PCoIP – which can be challenging, especially when paired with DTLS for security. F5 has that covered, too, as well as its long-term support for optimal delivery of Microsoft-based solutions including its broad set of VDI solutions.

I know, you’ve heard configuring F5 BIG-IP is hard and cumbersome. Well, in the past that may have been true but the introduction of iApp with BIG-IP v11 has changed that tune from a dirge to a delightful melody. iApp deployment templates and accompanying deployment guides for XenApp and XenDesktop make deploying BIG-IP painless and far less error-prone than manual processes.

One of the drawbacks of VDI architectural complexity is it often presents itself as a single-vendor solution – and a reason for a single vendor virtualization strategy. If your application delivery and access management solution is capable of unifying access while delivering secure, highly performing, very available of any flavor, you’d have more of a choice in what your overall architecture would look like. That kind of choice is enabled through flexibility of the underlying application delivery network infrastructure, which is exactly the role F5 plays in your data center. If your application delivery solution is a flexible platform and not a product, then your network becomes an enabler of architecture and choice rather than being the limiting factor.

VDI Resources:
Updated Citrix XenApp/XenDesktop APM Template
Citrix XenApp/XenDesktop Combined Load-balancing iApp
VMware View 5 iApp Template
Delivering Virtual Desktop Infrastructure with a Joint F5-Microsoft Solution
Optimizing VMware View VDI Deployments
F5 Friday: A Single Namespace to Rule Them All (Overcoming VMware Pod Limitations)
F5 Friday: Cookie Cutter vApps Realized (Overcoming IP address dependencies to enable application mobility)
More Users, More Access, More Clients, Less Control
WILS: The Importance of DTLS to Successful VDI
From a Network Perspective, What Is VDI, Really?
Scaling VDI Architectures
VMworld 2011: F5 BIG-IP v11 iApps for Citrix

269 Views, 0 likes, 0 Comments

F5 Friday: A War of Ecosystems
Nokia’s brutally honest assessment of its situation identifies what is not always obvious in the data center - it’s about an ecosystem.

In what was certainly a wake-up call for many, Nokia’s CEO Stephen Elop tells his organization its “platform is burning.” In a leaked memo reprinted by Engadget and picked up by many others, Elop explained the analogy as well as why he believes Nokia is in trouble. Through careful analysis of its competitors and their successes, he finds the answer in the ecosystem its competitors have built, comprising developers, applications and more.

The battle of devices has now become a war of ecosystems, where ecosystems include not only the hardware and software of the device, but developers, applications, ecommerce, advertising, search, social applications, location-based services, unified communications and many other things. Our competitors aren’t taking our market share with devices; they are taking our market share with an entire ecosystem. This means we’re going to have to decide how we either build, catalyse or join an ecosystem.

If you’re wondering what this could possibly have to do with networking and application delivery, well, the analysis Elop provides regarding the successes of a mobile device vendor can be directly applied to the data center. The nature of data centers and networks is changing. It’s becoming more dynamic, more integrated, more dependent upon collaboration and connections between devices (components) that have traditionally stood alone on their own. But as data center models evolve and morph and demands placed upon them increase the need for contextual awareness and collaboration and the ability to be both reactive and proactive in applying policies across a wide spectrum of data center concerns, success becomes as dependent on a component’s ability to support and be supported by an ecosystem. Not just the success of vendors, which was Elop’s focus, but success of data center architecture implementations.
To counter the rising cost and complexity introduced by new computing and networking models requires automation, orchestration, and collaboration across data center components. Cloud computing and virtualization have turned the focus from technology-focused components to process-oriented platforms. From individual point solutions to integrated, collaborative systems that encourage development and innovation as a means to address the challenges arising from extreme dynamism.

F5 Networks Wins VMware Global Technology Innovator Award

Yesterday we took home top honors for enhancing the value of VMware virtualization solutions for companies worldwide. At VMware Partner Exchange 2011, VMware’s annual worldwide partner event, F5 was recognized with VMware’s Technology Innovator Partner of the Year Award.

Why is that important? Because it recognizes the significant value placed on building a platform and developing an ecosystem in which that platform can be leveraged to integrate and collaborate on solutions with partners and customers alike. And it is about an ecosystem; it is about collaborative solutions that address key data center challenges that may otherwise hinder the adoption of emerging technologies like cloud computing and virtualization. A robust and flexible application delivery platform provides not only the means by which data and traffic can be dynamically delivered and secured, but also the means through which a more comprehensive strategy to address operational challenges associated with increasingly dynamic data center architectures can be implemented. The collaboration between VMware and F5’s BIG-IP platforms is enabled through integration, through infrastructure 2.0 enabled systems that create an environment in which flexible architectures and dynamism can be managed efficiently.
In 2010 alone, F5 and VMware collaborated on a number of solutions leveraging the versatile capabilities of F5’s BIG-IP product portfolio, including:

Accelerated long distance live migration with VMware vMotion: The joint solution helps solve latency, bandwidth, and packet-loss issues, which historically have prevented customers from performing live migrations between data centers over long distances.

An integrated enterprise cloudbursting solution with VMware vCloudDirector: The joint solution simplifies and automates use of cloud resources to enhance application delivery performance and availability while minimizing capital investment.

Optimized user experience and secure access capabilities with VMware View: The solution enhances VMware View user experience with secure access, single sign-on, high performance, and scalability.

“Since joining VMware’s Technology Alliance Partner program in 2008, F5 has driven a number of integration and interoperability efforts aimed at enhancing the value of customers’ virtualization and cloud deployments,” said Jim Ritchings, VP of Business Development at F5. “We’re extremely proud of the industry-leading work accomplished with VMware in 2010, and we look forward to continued collaboration to deliver new innovations around server and desktop virtualization, cloud solutions, and more.”

It is just such collaboration that builds a robust ecosystem that is necessary to successfully move forward with dynamic data center models built upon virtualization and cloud computing principles. Without this type of collaboration, and the platforms that enable it, the efficiencies of private cloud computing and economy of scale of public cloud computing simply wouldn’t be possible.
F5 has always been focused on delivering applications, and that has meant not just partnering extensively with application providers like Oracle and Microsoft and IBM, it has also meant partnering and collaborating with infrastructure providers like HP and Dell and VMware to create solutions that address the very real challenges associated with data center and traffic management.

Elop is exactly right when he points to ecosystems being the key to the future. In the case of network and application networking solutions that ecosystem is both about vendor relationships and partnerships as much as it is solutions that enable IT to better align with business and operational goals; to reduce the complexity introduced by increasingly dynamic operations. VMware’s recognition of the value of that ecosystem, of the joint solutions designed and developed through partnerships, is great validation of the important role of the ecosystem in the successful implementation of emerging data center models.

F5 Friday: Join Robin “IT” Hood and Take Back Control of Your Applications
F5 Friday: The Dynamic VDI Security Game
WILS: The Importance of DTLS to Successful VDI
F5 Friday: Elastic Applications are Enabled by Dynamic Infrastructure
F5 Friday: Efficient Long Distance Transfer of VMs with F5 BIG-IP WOM and NetApp Flexcache
F5 Friday: Playing in the Infrastructure Orchestra(tion)
Why Virtualization is a Requirement for Private Cloud Computing
F5 VMware View Solutions
F5 VMware vSphere Solutions
Application Delivery for Virtualized Infrastructure
DevCentral - VMware / F5 Solutions Topic Group

247 Views, 0 likes, 2 Comments