vWorkspace and F5 BigIP LTM


In many vWorkspace deployments, remote access to applications and data is a primary goal. This is usually achieved by placing the Remote Access role of vWorkspace in the organization's DMZ, so that employees reach the vWorkspace broker and its hosted virtual desktops over a 128-bit SSL session. Secure Access is a long-standing, mature service that addresses a common VDI use case and is capable of handling tens of thousands of concurrent connections.

Deployments that include remote access usually also want to eliminate single points of failure, so the Secure Access service is often load balanced to provide redundancy and remove it as a SPoF. Doing this requires a third-party solution; one popular choice is F5's Local Traffic Manager (LTM). Long-time vWorkspace technical wizard Stephen Yorke (@vW_Guy) has compiled the steps necessary to configure LTM for Secure Access. These steps are shown below:


By using multiple ports for the Secure Gateway/Secure Access Server (one per proxy per server), a proper load-balancing scheme can be set up for a vWorkspace environment.

These steps show how to configure SSL termination on the F5 LTM, which is what makes the load balancing possible. With SSL termination in place the F5 decrypts each client session and opens its own connection to the vWorkspace servers, so vWorkspace sees every session as coming from a single entity (the F5, via the Auto Map source address translation set later in these steps) rather than from a WAN client that may be NAT'd behind a firewall. One consequence to be aware of is that vWorkspace will log the F5's address rather than the client's; if the original client address is needed, the http profile applied to the Web Access virtual server can insert an X-Forwarded-For header.

We assume the F5 LTM is already set up and configured for proper networking.

These steps were written against F5 LTM version 11.6.0.0.0.401 and were also tested on 11.5.1.0.0.110.

F5 LTM Network Map

Below is the network map of a two node configuration, viewed via Local Traffic -> Network Map.

 

Initial Configuration

Initial configuration requires importing the vWorkspace Secure Access SSL certificate (and its private key) into the F5 LTM, creating a persistence profile for vWorkspace Web Access, and creating the client and server SSL profiles.

Importing vWorkspace SSL Certificate

On the F5 LTM device, browse to System -> File Management -> SSL Certificate List

Click the Import button on the top right of the SSL Certificate List to begin the import.

 

Set the Import Type drop-down to match the type of file being imported (for example PKCS 12 for a bundle containing the certificate and its key), give it a name, browse to the source file, enter the password if the file is protected, and click the Import button.

 

Note: If the certificate was issued by a private (internal) CA, repeat the procedure above and import the Root CA certificate (and any intermediate CA certificates) by selecting ‘Certificate’ in the import wizard, so that the chain is available on the F5 for SSL termination to work properly.

 

Create vWorkspace Persistence Profile

A persistence profile for vWorkspace is also required, since cookie-based persistence will be used for the Web Access servers in the load balanced cluster.

Navigate to Local Traffic ->Profiles ->Persistence

Click the Create button in the upper right area of the persistence profile area.

Enter a Name, set Persistence Type to ‘cookie’ and Parent Profile to ‘cookie’.  Set the cookie method to ‘HTTP Cookie Insert’, give the cookie a name, and check the boxes for ‘Always Send Cookie’ and ‘Expiration’.  Because the Web Access virtual server only serves HTTPS, the inserted cookie only ever travels inside the SSL session; note, however, that with default settings its value encodes the selected pool member's internal address and port, and the profile can encrypt the cookie if exposing that is a concern.

Click Finish to complete the task.
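The cookie this profile inserts is worth understanding before relying on it. The following Python is an added example, not part of the original post and not vWorkspace or F5 code: it decodes and encodes the default, unencrypted insert-cookie format BIG-IP uses, which is the pool member's IPv4 address (as a little-endian integer) and port (with its bytes swapped). The cookie name vWorkspaceWA, the node addresses and the Set-Cookie lines are constructed assumptions. Running it over the Set-Cookie headers returned by the Web Access virtual server is a quick check that sessions are being distributed across both Web Access nodes and that the members encoded are the ones you expect.

```python
"""Decode and encode the value of a BIG-IP cookie-insert persistence cookie.

Added example, not from the original post. With default profile settings the
inserted cookie carries the chosen pool member as
<ipv4 as little-endian integer>.<port with bytes swapped>.0000, which is the
encoding F5 documents for unencrypted insert cookies. The cookie name and the
Set-Cookie lines below are constructed sample data, not captures from a device.
"""
import ipaddress


def decode_persist_cookie(value):
    """'1677787402.20480.0000' -> ('10.1.1.100', 80)."""
    ip_field, port_field, _ = value.split(".")
    # The IP field is the four octets read as a little-endian 32-bit integer ...
    ip = ipaddress.IPv4Address(int(ip_field).to_bytes(4, "little"))
    # ... and the port field is the 16-bit port with its two bytes swapped.
    port = int.from_bytes(int(port_field).to_bytes(2, "little"), "big")
    return str(ip), port


def encode_persist_cookie(ip, port):
    """Inverse of decode_persist_cookie; handy for building test expectations."""
    ip_field = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_field = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_field}.{port_field}.0000"


def members_from_headers(lines, cookie_name):
    """Collect the distinct (ip, port) pool members advertised in Set-Cookie headers."""
    found = set()
    for line in lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = line.split(":", 1)[1].strip().split(";")[0]
        name, _, value = cookie.partition("=")
        if name.strip() == cookie_name:
            found.add(decode_persist_cookie(value.strip()))
    return sorted(found)


# Constructed sample: response headers from the Web Access virtual server over a
# few fresh sessions, with two (assumed) Web Access nodes 10.0.1.11 and
# 10.0.1.12 listening on port 443.
SAMPLE_SET_COOKIE = [
    "Set-Cookie: vWorkspaceWA=184614922.47873.0000; path=/",
    "Set-Cookie: sessionid=abc123; path=/; HttpOnly",
    "Set-Cookie: vWorkspaceWA=201392138.47873.0000; path=/",
    "Set-Cookie: vWorkspaceWA=184614922.47873.0000; path=/",
]

if __name__ == "__main__":
    print(members_from_headers(SAMPLE_SET_COOKIE, "vWorkspaceWA"))
```

If seeing an internal address and port in a client-side cookie matters in your environment, enable cookie encryption in the persistence profile; the cookie is never sent in the clear in this design because the Web Access virtual server only speaks HTTPS, but encrypting it removes the disclosure entirely.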

 

SSL Client Profile

Navigate to Local Traffic -> Profiles -> SSL -> Client

Click the Create button in the upper right area of the screen.  Give the profile a name and select ‘clientssl’ as the Parent Profile.  Set the Configuration to ‘Advanced’ then check the ‘Custom’ checkbox.

Certificate Key Chain:

            Certificate: the vWorkspace Secure Access certificate that was imported

            Key: the private key matching that certificate (when imported from a PKCS 12 bundle it carries the same name as the certificate)

            Chain: the imported Root CA certificate if the certificate was issued by a private CA, otherwise leave it at None

            Click the Add button

Ciphers should be set to:  NATIVE:COMPAT.  This enables both the native cipher stack and the OpenSSL-based COMPAT stack for maximum client compatibility; once connectivity is confirmed, tighten the cipher string to the strongest set your vWorkspace clients support.

Client Authentication: leave Trusted Certificate Authorities at None unless you intend to require client certificates, in which case set it to the imported CA certificate.

All other settings can be left as default.  Click Finish to complete the creation of the Client Profile.

SSL Server Profile

Navigate to Local Traffic -> Profiles -> SSL -> Server

Click the Create button in the upper right area of the screen.

Give the profile a name and select ‘serverssl’ as the Parent Profile.  Check the ‘Custom’ box to enable the Configuration.

Options List -> Available Options -> select ‘No TLS 1.2’ and click the ‘Enable’ button.  This disables TLS 1.2 only on the server-side leg (F5 to the vWorkspace servers); the client-facing leg is governed by the Client SSL profile.  Treat it as a compatibility setting for the back-end service and re-check whether it is still needed after upgrading vWorkspace.

Click ‘Finish’ to complete the creation of the SSL Server Profile.

 

F5 LTM Node Configuration

Node configuration for the F5 LTM

The first step in configuring the F5 LTM is to add the nodes that will be load balanced.  Add each vWorkspace server as a node on the F5 LTM device.

 

Note: The above diagram shows the configuration of one node.  Values may not be exact in all instances and health monitors may differ between environments, but each node should be configured the same way.

 

F5 LTM Pool Configuration

Below shows the Pool map of a two node vWorkspace Web Access/Secure Gateway/Secure Access Server configuration.

In a two node configuration there are five pools in total (one for Web Access plus one per proxy per node), but there could be as few as three if only one proxy is used.

One pool is created for all of the vWorkspace Web Access servers.  The node members to this pool are all vWorkspace Web Access servers.

For each proxy in use (RDP proxy and Connection Broker proxy) on each Secure Gateway/Secure Access Server, a separate pool is needed.  The above image shows the pools for server1 and server2, designated by the S1/S2 naming.

 

 

Creating the Web Access Pool

To create a new pool navigate to Local Traffic -> Pools -> Pools List

In the upper right area, click the ‘Create’ button to create a new Pool for the Web Access servers.

Give the Pool a name.

Health Monitor set to ‘https’

Load Balancing Method set to ‘Least Connections (node)’

Add the Node Members to the list using the ‘Node’ radio button and selecting the proper Port.

Click ‘Finish’ to complete the Web Access Server pool.

 

Creating the RDP/CB Proxy Pool

To create a new pool navigate to Local Traffic -> Pools -> Pools List

In the upper right area, click the ‘Create’ button to create a new Pool for the RDP Proxy.

Give the Pool a name.

Health Monitor set to ‘gateway_icmp’

Load Balancing Method set to ‘Least Connections (node)’

Add a Node Member to the list using the ‘Node’ radio button and selecting the proper Port.

Click ‘Finish’ to complete the RDP/CB Proxy pool.

Note: The above step must be repeated for each RDP/CB proxy that is to be load balanced through the F5 LTM device.  Each RDP/CB proxy is assigned a different TCP port via the Secure Gateway/Secure Access Server control panel applet.  Note also that gateway_icmp only confirms that the node answers ping; if you want the pool member marked down when the proxy service itself stops listening, use a tcp monitor on the proxy's port instead.

 

F5 LTM Virtual Server Configuration

Below shows the Virtual Server map of a two node vWorkspace Web Access/Secure Gateway/Secure Access Server configuration

In a two node configuration there are likewise five virtual servers in total, but there could be as few as three.

One virtual server is created for all of the vWorkspace Web Access servers.  Its default pool is the vWorkspace Web Access pool, which contains all Web Access nodes.

For each proxy in use (RDP proxy and Connection Broker proxy) on each Secure Gateway/Secure Access Server, a separate virtual server is needed.  The above image shows the virtual servers and the ports for each proxy used in the F5 LTM configuration.

 

Creating the Web Access Virtual Server

To create a new virtual server navigate to Local Traffic -> Virtual Servers -> Virtual Server List

In the upper right area, click the ‘Create’ button to create a new Virtual Server for Web Access.

In the ‘General Properties’ section:

Give the Virtual Server a name.

Give a description if wanted.

Type is Standard.

Destination Address is an assigned Virtual Address.

Service Port is 443 or select HTTPS from the drop-down.

In the ‘Configuration’ section:

          Set ‘HTTP Profile’ to ‘http’

          SSL Profile (Client) add the vWorkspace Client SSL Profile

          SSL Profile (Server) add the vWorkspace Server SSL Profile

          Set ‘Source Address Translation’ to ‘Auto Map’

In the ‘Resources’ section:

          Default Pool set to the vWorkspace Web Access Pool

          Default Persistence Profile set to the vWorkspace Persistence Profile

Click ‘Finish’ to create the Virtual Server.

 

Creating the RDP/CB Proxy Virtual Servers

Navigate to Local Traffic -> Virtual Servers -> Virtual Server List and, in the upper right area, click the ‘Create’ button to create a new Virtual Server for the RDP or CB proxy.

In the ‘General Properties’ section:

Give the Virtual Server a name.

Give a description if wanted.

Type is Standard.

Destination Address is an assigned Virtual Address.

Service Port is set to the TCP port assigned to the proxy on the server this Virtual Server is being created for.

 

In the ‘Configuration’ section:

          SSL Profile (Client) add the vWorkspace Client SSL Profile

          SSL Profile (Server) add the vWorkspace Server SSL Profile

          Set ‘Source Address Translation’ to ‘Auto Map’

 

In the ‘Resources’ section:

          Default Pool set to the pool created for the proxy this Virtual Server serves.

Click ‘Finish’ to create the Virtual Server.

 

Note: The above steps must be performed for each RDP or CB proxy.  In a two node configuration with only the Secure Gateway/Secure Access Server (RDP proxy) set up, there will be two of these Virtual Servers, one for each Secure Gateway/Secure Access Server.  If the two nodes run both the SG/SAS RDP proxy and the CB proxy, there will be four virtual servers in total: two for SG/SAS and two for CB.
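For a repeatable build (and a change record you can diff and review), the whole procedure above can be expressed as iControl REST objects instead of GUI clicks. The following Python is an added example, not code from the original post, Quest or F5: it builds the JSON bodies for the persistence profile, the two SSL profiles, the pools and the virtual servers as the steps above specify them (cookie insert, NATIVE:COMPAT, No TLS 1.2 on the server side, least connections (node), https and gateway_icmp monitors, Auto Map source address translation) and generalises the two node case to any number of nodes. All object names, addresses and ports (the 10.0.0.0/8 addresses, the 4443/4444 and 5443/5444 proxy ports, port 443 for Web Access) are placeholder assumptions, and the certificate, key and CA objects are assumed to have already been imported under the names given.

```python
"""iControl REST payloads for the vWorkspace load-balancing build described above.

Added example, not from the original post and not Quest/F5 code. Every object
name, address and port here is a placeholder (assumption), not a value from the
original post; the cert/key/CA objects are assumed to be imported already.
"""
import base64
import json
import ssl
import urllib.request

PARTITION = "/Common/"


def cookie_persistence(name, cookie_name):
    # Persistence type cookie, parent cookie, HTTP Cookie Insert, Always Send Cookie.
    # Expiration is left at the profile default.
    return "ltm/persistence/cookie", {
        "name": name, "defaultsFrom": PARTITION + "cookie", "method": "insert",
        "cookieName": cookie_name, "alwaysSend": "enabled"}


def client_ssl(name, cert, key, chain=None, ciphers="NATIVE:COMPAT"):
    # Certificate = the imported vWorkspace cert, Key = its private key,
    # Chain = the imported CA certificate (only when issued by a private CA).
    ckc = {"name": name + "_ckc", "cert": PARTITION + cert, "key": PARTITION + key}
    if chain:
        ckc["chain"] = PARTITION + chain
    return "ltm/profile/client-ssl", {
        "name": name, "defaultsFrom": PARTITION + "clientssl",
        "certKeyChain": [ckc], "ciphers": ciphers}


def server_ssl(name, disable_tls12=True):
    # Server-side (F5 -> vWorkspace) profile; the GUI option 'No TLS 1.2' is no-tlsv1.2.
    options = ["dont-insert-empty-fragments"] + (["no-tlsv1.2"] if disable_tls12 else [])
    return "ltm/profile/server-ssl", {
        "name": name, "defaultsFrom": PARTITION + "serverssl", "tmOptions": options}


def pool(name, members, monitor):
    # members: (node_name, address, port); least connections (node) as in the GUI steps.
    return "ltm/pool", {
        "name": name, "monitor": PARTITION + monitor,
        "loadBalancingMode": "least-connections-node",
        "members": [{"name": f"{n}:{p}", "address": a} for n, a, p in members]}


def virtual_server(name, vip, port, pool_name, cssl, sssl, http=False, persist=None):
    profiles = [{"name": PARTITION + cssl, "context": "clientside"},
                {"name": PARTITION + sssl, "context": "serverside"}]
    if http:  # only the Web Access virtual server carries the http profile
        profiles.insert(0, {"name": PARTITION + "http"})
    body = {"name": name, "destination": f"{PARTITION}{vip}:{port}", "ipProtocol": "tcp",
            "profiles": profiles, "sourceAddressTranslation": {"type": "automap"},
            "pool": PARTITION + pool_name}
    if persist:
        body["persist"] = [{"name": PARTITION + persist}]
    return "ltm/virtual", body


def build_objects(vip, nodes, rdp_ports, cb_ports=()):
    """nodes: [(node_name, address)]; rdp_ports/cb_ports: the per-node proxy ports set
    in the Secure Access applet. Returns one Web Access pool/virtual server plus one
    pool and one virtual server per proxy per node (5 + 5 with both proxies on two
    nodes, 3 + 3 with the RDP proxy only), in the order they must be created."""
    objects = [
        cookie_persistence("vws_cookie", "vWorkspaceWA"),
        client_ssl("vws_clientssl", "vworkspace.crt", "vworkspace.key", "vws_rootca.crt"),
        server_ssl("vws_serverssl"),
        pool("vws_webaccess_pool", [(n, a, 443) for n, a in nodes], "https"),
        virtual_server("vws_webaccess_vs", vip, 443, "vws_webaccess_pool",
                       "vws_clientssl", "vws_serverssl", http=True, persist="vws_cookie"),
    ]
    for label, ports in (("rdp", rdp_ports), ("cb", cb_ports)):
        for (node, addr), port in zip(nodes, ports):
            pname = f"vws_{label}_{node}_pool"
            objects.append(pool(pname, [(node, addr, port)], "gateway_icmp"))
            objects.append(virtual_server(f"vws_{label}_{node}_vs", vip, port, pname,
                                          "vws_clientssl", "vws_serverssl"))
    return objects


def push(base_url, user, password, objects, verify_tls=True):
    """POST each (endpoint, body) to <base_url>/mgmt/tm/<endpoint>; returns HTTP statuses."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only: never skip verification against a production device
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    statuses = []
    for endpoint, body in objects:
        req = urllib.request.Request(f"{base_url}/mgmt/tm/{endpoint}", method="POST",
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": auth})
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append((endpoint, resp.status))
    return statuses


if __name__ == "__main__":
    two_nodes = [("vws1", "10.0.1.11"), ("vws2", "10.0.1.12")]  # assumed addresses
    for endpoint, body in build_objects("10.0.0.100", two_nodes, [4443, 4444], [5443, 5444]):
        print(endpoint, json.dumps(body))
```

Create the objects in the order returned (profiles and pools before the virtual servers that reference them). `push` sends administrator credentials with basic authentication to the management address, so keep `verify_tls=True` and make sure the management interface's certificate is trusted rather than disabling verification.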

 

vWorkspace Secure Gateway/Secure Access Server Configuration Applet

Below are screenshots of each node in a two node configuration, showing the different ports assigned to the RDP Proxy and to the Connection Broker Proxy on each Secure Gateway/Secure Access Server.

    

  • Great post Kelly, thanks for sharing!

  • Nice work, I am now working on 2FA: vWorkspace and RSA On Demand Token via e-mail authentication.