
22/9/2015

Using NginX as a load balancer for VMWare Horizon View security servers - Blah, Cloud.

Using NginX as a load balancer for VMWare Horizon View security servers
April 7, 2014 by Myles Gray <http://www.mylesgray.com/author/myles/>

I have been deploying a VDI solution recently based on the fantastic VMWare Horizon Suite <http://www.vmware.com/uk/products/horizonsuite>. One of the important points of deploying the Horizon View <http://www.vmware.com/uk/products/horizonview> component of this is making it highly available and accessible from the outside for on-the-road users.

The best way I have found to load balance incoming connections (both internally and externally) is to set up a Linux VM and run NginX <http://nginx.org/>, which is a reverse caching proxy. It allows us to terminate the SSL connections and load balance across our backend View Security Servers in a DMZ.

You could buy a hardware or VM load balancer from F5, Citrix, Barracuda, but that will run into the 1,000s if not 10,000s. For our case, using NginX is more than adequate. Please note some people use HAProxy; I don't recommend this as it does not have native SSL (so HTTPS) support until v1.5, which is yet to be released.

Why is this important? It means you can use one address, e.g. view.company.com, to act as a proxy for all the backend security and/or connection servers for your users. One address is simpler to use and remember, and for you it streamlines configuration.

http://www.mylesgray.com/infrastructure/usingnginxloadbalancervmwarehorizonviewsecurityservers/

So to get down to it, here's a rough topology of what your config would look like:

I assume you have your Linux VM installed (say Ubuntu), a static IP assigned and DNS set up to point view.company.com to this address.
Firstly we need to install NginX:

aptitude update && aptitude install nginx

Next, as VMWare View servers require SSL, we need to have an SSL cert signed by your CA for this VM for the address view.company.com:

mkdir /ssl && cd /ssl
openssl genrsa -out view.company.com.key 2048
openssl req -new -key view.company.com.key -out view.company.com.csr

Have your CA (whether AD internal or an external CA) sign the cert. Retrieve the request by doing this:

cat /ssl/view.company.com.csr

The output is your Certificate Signing Request.
If you are using an internal Microsoft CA you can have it signed through the web GUI:
Go to: https://[your.internal.ca.address]/CertSrv/default.asp
Click Download a CA Certificate, Certificate Chain, or CRL
Click Base 64 encoded
Click Download CA Certificate
Go back to: https://[your.internal.ca.address]/CertSrv/default.asp
Click Request a certificate
Click advanced certificate request
Paste in the request and change the template to web server
Click Submit
Download the certificate (Base 64 encoded), not the chain
Open both files with a text editor like Sublime Text 3 <http://www.sublimetext.com/3> and order them in a new file like so:

-----BEGIN CERTIFICATE-----
Server Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA Root Certificate
-----END CERTIFICATE-----

Save it as a new file view.company.com.crt and transfer it to the /ssl folder on your NginX server.
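
A pre-flight check for the two files produced by the steps above, as an added example that is not part of the original post: NginX treats the first certificate in the bundle as the server certificate, so a bundle pasted in the wrong order shows up as a key mismatch. The function name `check_tls_bundle` and its return codes are hypothetical, and the file paths are passed as arguments.

```sh
#!/bin/sh
# Added example (not the author's code). Hypothetical helper: check_tls_bundle.
# Returns 0 = ok, 1 = unreadable or unparsable input,
#         2 = private key readable by group/others,
#         3 = first certificate in the bundle does not match the key,
#         4 = no issuer in the bundle, or the chain does not verify.
check_tls_bundle() {
    crt=$1; key=$2
    [ -r "$crt" ] && [ -r "$key" ] || return 1

    # The private key should be mode 600 or 400: no group/other bits set.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) return 2 ;;
    esac

    # The first certificate in the file must carry the public key that
    # belongs to the private key (server certificate first, CA second).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 3

    # Split the bundle: certificate 1 is the server, the rest are issuers.
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++ }
        n { print > (d "/" (n == 1 ? "server.pem" : "ca.pem")) }' "$crt"
    status=0
    [ -s "$tmp/ca.pem" ] &&
        openssl verify -CAfile "$tmp/ca.pem" "$tmp/server.pem" >/dev/null 2>&1 ||
        status=4
    rm -rf "$tmp"
    return $status
}
```

Call it as `check_tls_bundle /ssl/view.company.com.crt /ssl/view.company.com.key` and inspect `$?`; `nginx -t` then checks the configuration itself before a restart.
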
Edit the /etc/nginx/nginx.conf file and add the following to the http { section (remember to change the upstream addresses to match your View Security Servers' addresses!):

# enable reverse proxy
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
client_header_buffer_size 64k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 16k;
proxy_buffers 32 16k;
proxy_busy_buffers_size 64k;

# one active server, plus a backup that is only used when the first is marked failed
upstream hrzviewcluster {
    server hrzviewsec01.company.com:443 fail_timeout=1s max_fails=1;
    server hrzviewsec02.company.com:443 backup;
}

You can of course add more upstream servers by simply adding them to the upstream section. You will also notice we are running in active-backup; this is important to preserve sessions, otherwise logins don't work as the requests get split across the two servers.

You can use the ip_hash module <http://wiki.nginx.org/HttpUpstreamModule#ip_hash> to encourage session persistence and split the load evenly (more like proper active load balancing than the failover scenario above); however, this module has a few drawbacks listed in an article here <http://dgtool.blogspot.co.uk/2013/02/nginxasstickybalancerforhausing.html>:

Collisions, as it only uses the 3 first numbers of the IP for the hash. That means that all the IPs of the same C class network range will go to the same backend server.
All users behind a NAT will access the same backend server.
If you add new backends, all the hashes will change and sessions will be lost.

Please note: ip_hash does now support IPv6.

upstream hrzviewcluster {
    ip_hash;
    server hrzviewsec01.company.com:443;
    server hrzviewsec02.company.com:443;
}
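
The drawbacks listed above follow from how the hash is computed. As an added example (not from the original post or the linked article), this shell model follows the selection arithmetic of nginx's ip_hash module for IPv4 clients, assuming equal server weights and all backends healthy; the function names and client addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: model of ip_hash backend selection for IPv4 clients.
# Assumes equal weights and no failed backends (no re-hash on failure).

# ip_hash_backend <client-ip> <number-of-backends> -> prints backend index
ip_hash_backend() {
    ip=$1 n=$2
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    hash=89
    for octet in "$1" "$2" "$3"; do        # the fourth octet is never read
        hash=$(( (hash * 113 + octet) % 6271 ))
    done
    echo $(( hash % n ))
}

# remapped <old-count> <new-count> <ip>... -> prints how many clients
# land on a different backend index after the backend count changes
remapped() {
    old=$1 new=$2; shift 2
    moved=0
    for client in "$@"; do
        [ "$(ip_hash_backend "$client" "$old")" = \
          "$(ip_hash_backend "$client" "$new")" ] || moved=$((moved + 1))
    done
    echo "$moved"
}

# Constructed client addresses: two hosts in one /24 plus three other networks.
CLIENTS="10.1.2.7 10.1.2.200 10.1.3.7 192.168.1.50 172.16.5.9"

for c in $CLIENTS; do
    echo "$c -> backend $(ip_hash_backend "$c" 2) of 2"
done
echo "clients moved when a third backend is added: $(remapped 2 3 $CLIENTS)"
```

Both hosts in 10.1.2.0/24 always map to the same backend, and every one of these sample clients changes backend when the pool grows from two servers to three, which is where logged-in sessions are lost.
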

The final thing we need to do is set up our NginX server block for the site by editing /etc/nginx/sites-enabled/default; empty its contents and add the following (change the view.company.com instances to your own address):

# redirect all http to https
server {
    listen 80 default;
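    server_name view.company.com;
    rewrite ^ https://view.company.com permanent;
}
server {
    # the ssl parameter on listen enables TLS for this block; the older
    # "ssl on;" directive is redundant with it and rejected by current nginx
    listen 443 ssl;
    server_name view.company.com;
    ssl_certificate /ssl/view.company.com.crt;
    ssl_certificate_key /ssl/view.company.com.key;
    location / {
        # forward over HTTPS to the upstream group defined in nginx.conf
        proxy_pass https://hrzviewcluster;
    }
}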

Save the file, and restart NginX:

service nginx restart

Test your http redirect by going to http://view.company.com in your browser; you should be redirected to https://view.company.com and see something similar to this:

And you're done! You can now use this address in your VMWare View Client to connect to your remote desktops:
