In many vWorkspace deployments, remote access to applications and data is a primary goal. This is often achieved by implementing the Remote Access role of vWorkspace within an organization's DMZ. In so doing, your employees can access the vWorkspace broker and its hosted virtual desktops over a secure 128-bit SSL session. Secure Access is a long-standing feature that addresses a common use case for VDI and is a mature service capable of handling tens of thousands of connections at a time. Many vWorkspace deployments that include remote access seek to eliminate single points of failure in their design. As a result, the Secure Access service is often load balanced to provide redundancy and to eliminate it as a single point of failure (SPoF). However, accomplishing this requires a third-party solution. One popular solution is F5's Local Traffic Manager (LTM). A long-time vWorkspace technical wizard, Stephen Yorke (@vW_Guy), has compiled the steps necessary to configure LTM for Secure Access. These steps are shown below:
By using multiple ports for the Secure Gateway/Secure Access Server, a proper load balancing scheme can be set up for a vWorkspace environment.
These steps are compiled to show how to configure SSL Termination on the F5 LTM device, which assists the load balancing. With SSL Termination in place, the F5 itself is the client that the vWorkspace environment sees: vWorkspace is connected to by a single entity (the F5) rather than by a WAN entity which may be NAT'd behind a firewall.
We assume the F5 LTM is already set up and configured for proper networking.
F5 LTM version 126.96.36.199.0.401 was utilized as the default, and we also tested on 188.8.131.52.0.110.
Below is the network map of a two-node configuration, as shown via the Local Traffic -> Network Map node.
Initial configuration requires importing of the vWorkspace Secure Access SSL Certificate to the F5 LTM device, creation of a Persistence profile for vWorkspace Web Access, as well as Client and Server SSL profiles.
On the F5 LTM device, browse to System -> File Management -> SSL Certificate List
Click the Import button on the top right of the SSL Certificate List to begin the import.
Depending on the type of Certificate being imported, click the drop-down for the Import Type, give a name, browse to the source of the certificate, enter the password if required and click the Import button.
Note: If a certificate issued by a private (internal) CA is being used, repeat the same procedure above, but this time import the Root CA Certificate by selecting 'Certificate' in the import wizard, to ensure the Root Certificate is present for SSL Termination to work properly.
Creation of a Persistence Profile for vWorkspace is also required, since cookie-based persistence will be used for the Web Access servers in the load balanced cluster.
Navigate to Local Traffic ->Profiles ->Persistence
Click the Create button in the upper right area of the persistence profile area.
Enter a Name, set Persistence Type to 'cookie' and Parent Profile to 'cookie'. Set the configuration to 'HTTP Cookie Insert', give a name for the Cookie, and check the boxes for 'Always Send Cookie' and 'Expiration'.
Click Finish to complete the task.
Navigate to Local Traffic -> Profiles -> SSL -> Client
Click the Create button in the upper right area of the screen. Give the profile a name and select ‘clientssl’ as the Parent Profile. Set the Configuration to ‘Advanced’ then check the ‘Custom’ checkbox.
Certificate Key Chain:
Certificate should be set to ‘default’ or the Root CA which was imported to the system
Key should be set to the Certificate which was imported to the system
Click the Add button
Ciphers Setting should be: NATIVE:COMPAT
Client Authentication: Trusted Certificate Authorities should be set to the Imported CA certificate or None
All other settings can be left as default. Click Finish to complete the creation of the Client Profile.
Navigate to Local Traffic -> Profiles -> SSL -> Server
Click the Create button in the upper right area of the screen.
Give the profile a name and select ‘serverssl’ as the Parent Profile. Check the ‘Custom’ box to enable the Configuration.
Options List -> Available Option -> Select ‘No TLS 1.2’ and click the ‘Enable’ button
Click ‘Finish’ to complete the creation of the SSL Server Profile.
Node configuration for the F5 LTM
The first step in configuring the F5 LTM is to add the nodes which will be used for load balancing. Add the vWorkspace nodes to the F5 LTM device.
Note: The above diagram shows a node configuration. It may not be exact in all instances. Health monitors may differ between environments, but each node should have the same configuration.
Below is the Pool map of a two-node vWorkspace Web Access/Secure Gateway/Secure Access Server configuration.
In a two-node configuration there are a total of five pools, but there could be as few as three.
One pool is created for all of the vWorkspace Web Access servers. The node members to this pool are all vWorkspace Web Access servers.
For each Proxy being used (RDP and Connection Broker proxy) via the Secure Gateway/Secure Access Server, a new pool will need to be created. The above image shows server1 and server2 designated by the S1/S2 naming.
To create a new pool navigate to Local Traffic -> Pools -> Pools List
In the upper right area, click the ‘Create’ button to create a new Pool for the Web Access servers.
Give the Pool a name.
Health Monitor set to ‘https’
Load Balancing Method set to ‘Least Connections (node)’
Add the Node Members to the list using the ‘Node’ radio button and selecting the proper Port.
Click ‘Finish’ to complete the Web Access Server pool.
In the upper right area, click the ‘Create’ button to create a new Pool for the RDP Proxy.
Health Monitor set to ‘gateway_icmp’
Add a Node Member to the list using the ‘Node’ radio button and selecting the proper Port.
Click ‘Finish’ to complete the RDP/CB Proxy pool.
Note: The above step will have to be done for each RDP/CB Proxy which is to be Load Balanced through the F5 LTM device. Each RDP/CB Proxy will be assigned a different TCP Port via the Secure Gateway/Secure Access Server control panel applet.
Below is the Virtual Server map of a two-node vWorkspace Web Access/Secure Gateway/Secure Access Server configuration.
In a two-node configuration there are also a total of five virtual servers, but there could be as few as three.
One virtual server is created for all of the vWorkspace Web Access servers. The pool member to this virtual server is the vWorkspace Web Access pool which contains all Web Access nodes.
For each Proxy being used (RDP and Connection Broker proxy) via the Secure Gateway/Secure Access Server, a new virtual server will need to be created. The above image shows virtual servers and ports for each proxy which will be used in the F5 LTM configuration.
To create a new virtual server navigate to Local Traffic -> Virtual Servers -> Virtual Server List
In the upper right area, click the ‘Create’ button to create a new Virtual Server for Web Access.
In the ‘General Properties’ section:
Give the Virtual Server a name.
Give a description if wanted.
Type is Standard.
Destination Address is an assigned Virtual Address.
Service Port is 443 or select HTTPS from the drop-down.
In the ‘Configuration’ section:
Set ‘HTTP Profile’ to ‘http’
SSL Profile (Client) add the vWorkspace Client SSL Profile
SSL Profile (Server) add the vWorkspace Server SSL Profile
Set ‘Source Address Translation’ to ‘Auto Map’
In the ‘Resources’ section:
Default Pool set to the vWorkspace Web Access Pool
Default Persistence Profile set to the vWorkspace Persistence Profile
Click ‘Finish’ to create the Virtual Server.
For each RDP/CB Proxy virtual server, Service Port is set to the proper port for the server which this Virtual Server is being created for.
Default Pool is set to the Pool created for that proxy, which the Virtual Server will use.
Note: The above steps will have to be performed for each RDP or CB Proxy set up. In a two-node configuration with only the Secure Gateway/Secure Access Server being set up, there will be two Virtual Servers, one for each Secure Gateway/Secure Access Server. If two nodes utilize both SG/SAS as well as the CB Proxy, there will be a total of four virtual servers created, two for SG/SAS as well as two for the CB.
Below are screenshots of each node in a two-node configuration utilizing vWorkspace Secure Gateway/Secure Access Server, showing the different ports used for the RDP Proxy and for the Connection Broker Proxy.
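The same configuration expressed as tmsh commands, as an added example that is not part of the original post or of Stephen Yorke's steps. Object names, the 203.0.113.x virtual addresses, the 10.0.0.x node addresses and the 8080/8081 proxy ports are assumed placeholders; the certificate and key names match whatever was imported in the GUI step, and exact option names (e.g. `cert-key-chain`, `no-tlsv1.2`) vary by BIG-IP version, so check them against your release's tmsh reference.

```tmsh
# Persistence profile: HTTP Cookie Insert, always send the cookie.
# Expiration is set in the GUI as in the steps above (format is version-specific).
create ltm persistence cookie vworkspace_cookie defaults-from cookie method insert \
    cookie-name vWorkspaceLB always-send enabled

# Client SSL profile: terminates the user's TLS session on the F5.
# 'vworkspace.crt' / 'vworkspace.key' / 'rootca.crt' are the names chosen at import (assumed).
create ltm profile client-ssl vworkspace_clientssl defaults-from clientssl \
    cert-key-chain add { vworkspace { cert vworkspace.crt key vworkspace.key chain rootca.crt } } \
    ciphers NATIVE:COMPAT

# Server SSL profile: re-encrypts F5 -> vWorkspace. The procedure disables TLS 1.2 on
# this hop only; the client-facing hop is governed by the client-ssl profile above.
create ltm profile server-ssl vworkspace_serverssl defaults-from serverssl \
    options { no-tlsv1.2 }

# Nodes (assumed addresses).
create ltm node webaccess1 address 10.0.0.11
create ltm node webaccess2 address 10.0.0.12
create ltm node sgs1 address 10.0.0.21
create ltm node sgs2 address 10.0.0.22

# Web Access pool: https monitor, least connections (node), all Web Access servers.
create ltm pool vworkspace_webaccess monitor https \
    load-balancing-mode least-connections-node members add { webaccess1:443 webaccess2:443 }

# One pool per RDP proxy (and per CB proxy), each on its own port and gateway_icmp monitor.
create ltm pool vworkspace_rdpproxy_s1 monitor gateway_icmp members add { sgs1:8080 }
create ltm pool vworkspace_rdpproxy_s2 monitor gateway_icmp members add { sgs2:8080 }
create ltm pool vworkspace_cbproxy_s1  monitor gateway_icmp members add { sgs1:8081 }
create ltm pool vworkspace_cbproxy_s2  monitor gateway_icmp members add { sgs2:8081 }

# Web Access virtual server: http + client/server SSL profiles, Auto Map SNAT,
# default pool and cookie persistence.
create ltm virtual vs_vworkspace_webaccess destination 203.0.113.10:443 ip-protocol tcp \
    profiles add { tcp http vworkspace_clientssl { context clientside } \
                   vworkspace_serverssl { context serverside } } \
    source-address-translation { type automap } \
    pool vworkspace_webaccess persist replace-all-with { vworkspace_cookie }

# One virtual server per proxy pool, on the proxy's port (repeat for s2 and for CB).
create ltm virtual vs_vworkspace_rdpproxy_s1 destination 203.0.113.11:8080 ip-protocol tcp \
    profiles add { tcp } source-address-translation { type automap } pool vworkspace_rdpproxy_s1

save sys config
```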
Great post Kelly, thanks for sharing!
Nice work, I am now working on 2FA: vWorkspace and RSA On Demand Token via e-mail authentication.