EUCHorizon Cloud Services Advanced IntegrationsDay 2VMware NSX AVI Loadbalancer Integration with VMware Horizon

VMware NSX AVI Loadbalancer Integration with VMware Horizon

To deploy AVI LoadBalancer, there are two main components involved:

AVI Controller:
The Avi Controller is a centralized brain that spans data centers and clouds. The Avi Controller has full visibility across the environments and automates the deployment and management of the load balancing endpoints, which we call Service Engines.
We  need one AVI Controller to manage the Service Engine across the site if  all the network configurations are in-place. In Our Lab, Avi Controller is pre-deployed in Site-2 which will manage both the Service Engines

Service Engine:
Service Engine is a Load Balancer Component which runs on each datacenter. Service Engine(SE) is managed by AVI Controller. In the lab we will see how SEs are configured as a Load Balancer to full-fill the request from Applications.
In Our case Applications are UAGs across both Site-1 and Site-2

Part 1 - AVI Integration with UAG Servers Site-1

Section 1 - AVI Integration with UAG Servers in Site1

FQDN Entity Description
 Real IP
uag-hzn-avi01.euc-livefire.com FQDN of Avi LB VIP Site-1 172.16.20.100
uag-hzn-01a.euc-livefire.com
 FQDN of UAG server 1 on site 1
 172.16.20.10
uag-hzn-01b.euc-livefire.com
 FQDN of uag server 2 on site 1
 172.16.20.11
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
      • In the Address bar, Enter and browse to avicontroller.euc-livefire.com
        • In the Your Connection is not private window
          • Select Advanced
          • Select Proceed to avicontroller.euc-livefire.com
  1. In the VMware NSX ALB (Avi) page
    • Under Username, enter admin and  VMware1!VMware1! as the password
  1. In the Default landing page under the Applications tab
    • Close the Controller Faults notification
  1. From the NSX-ALB console,
    • Navigate to Templates > Groups.
      • Select IP Groups
    • In the Groups area
      • To the right of the Groups area
        • Select CREATE IP GROUP
  1. In the NEW IP Group: window
    • In the General area
      • Under Name*
        • Type UAG Servers-Site-1
    • Under IP Addresses area
      • Select ADD
  1. In the IP Addresses (1) area
    • Under IP Address
      • In the Enter IP Address area
        • Type 172.16.20.10
  1. In the IP Addresses (1) area
    • Select ADD
  1. In the IP Addresses (2) area
    • Under IP Address
      • In the Enter IP Address area
        • Type 172.16.20.11
  1. In the IP Addresses (2) area
    • In the bottom right hand corner
      • Select Save

The next step will be to create a custom Health Monitor Profile

Part 2: Creating a Custom Health Monitor Profile

The next step will be to create a custom Health Monitor Profile

  1. From the NSX-ALB console,
    • Navigate to Templates > Profiles 
      • Under Profiles
        • Select  Health Monitors
    • To the right of the console
      • Select CREATE
  1. On the New Health Monitor page,
    • Enter the profile information
      • Under Name*
        • type Horizon-HTTPS
      • Under Type
        • From the drop down, select HTTPS
      • Under Send Interval
        • Type 30
      • Receive Timeout
        • Type 10
  1. On the New Health Monitor: Horizon-HTTPS page,
    • Scroll down to the HTTPS Settings section
      • Under Health Monitor Port
        • Type 443
    • Under  Client Request Header
      • Remove GET / HTTP/1.0
      • Replace with GET /favicon.ico HTTP/1.0
  1. On the New Health Monitor: Horizon-HTTPS page,
    • Scroll down until you locate Response Code*
      • Below Response Code*
        • From the dropdown select 2XX
      •  Next to SSL Attributes:
        • Select the check box.
      • Below SSL Profile*
        • From the dropdown
          • Select System-Standard.
  1. On the New Health Monitor: Horizon-HTTPS page,
    • Scroll down until you locate Maintenance Response Code*
      • Under Maintenance Response Code,
        • Type 503
          • Ensure to leave all the settings as default
    • In the bottom right of the window
      • Click Save at the end

We will now create L7 Pools for Site-1

Part 3: Creating Layer 7 Pools For Site-1
  1. From the  NSX-ALB console
    • Navigate to Applications > Pools.
  1. In the Pools area
    • To the right of the pane
      • Select CREATE POOL
  1. In the New Pool: Horizon-L7-Pool-Site-1 window,
    • Step 1: Settings
      • Enter the required information:
        • Under Name*:
          • Type Horizon-L7-Pool-Site-1
        • Under Default Server Port
          • Type 443
        • Under Load Balance:
          • From the drop down
            • Select Consistent Hash 
              • with Source IP Address as the hash key.
  1. In the New Pool: Horizon-L7-Pool-Site-1 window,
    • Step 1: Settings
      • In the Health Monitors section
        • Make sure the checkbox next to:
          • Passive Health Monitor is checked
        • Select + Add Active Monitor.
          • Above + Add Active Monitor.
            • From the dropdown, select  is Horizon-HTTPS
              • This is the health monitor that you created earlier
  1. In the New Pool: Horizon-L7-Pool-Site-1 window,
    • Step 1: Settings
      • To the right of the Health Monitors area
        • Below Append Port:
          • From the dropdown
            • Select Never
  1. In the New Pool: Horizon-L7-Pool-Site-1 window,
    • Step 1: Settings
      • Select the check box, next to
        • Enable SSL
  1. In the New Pool: Horizon-L7-Pool window
    • Step 1: Settings
      • Under SSL Profile*
        • From the dropdown
          • Select System-Standard.
      • Ensure TLS SNI box is Checked
        • Leave all the remaining settings as defaults
      • To the bottom right of the page
    • Select Next
  1. In the New Pool: Horizon-L7-Pool-Site-1 window
    • Step 2: Servers
      • Under Select Servers
        • Select IP Group
  1. In the New Pool: Horizon-L7-Pool-Site-1 window
    • Step 2: Servers
      • IP Group area
        • Below the  IP Group header
          • From the dropdown,
            • select UAG Servers-Site-1
              • You created this earlier
      • Leave all the settings as default
    • Select Next
  1. In the New Pool: Horizon-L7-Pool-Site-1 window
    • Step 3: Advanced
      • Leave everything as Default
    • Select Next
  1. In the New Pool: Horizon-L7-Pool-Site-1 window
    • Step 4: Review
    • Review your settings
    • Select Save

Creating the UAG L4 Pool For Site-1

Part 4: Creating the Unified Access Gateway Layer 4 Pool for Site-1
  1. In the NSX-ALB admin console
    • In the Applications > Pools area
      • Select CREATE POOL
  1. In the New Pool: wizard
    • Step 1: Settings area
      • Enter the following under:-
        • Under Name*
          • type: Horizon-L4-Pool-Site-1
        • Under Default Service Port
          • Type: 443
        • Under Load Balance:
          • Select Consistent Hash 
            • with Source IP Address as the hash key.
  1. In the New Pool: wizard
    • Step 1: Settings area
      • Enable the following under:-
        • Ensure Passive Health Monitor is checked
    • In the Health Monitors section,
      • Select +Add Active Monitor.
  1. In the New Pool: wizard
    • Step 1: Settings area
    • Above + Add Active Monitor
      • From the dropdown. select Horizon-HTTPS
  1. In the New Pool: wizard
    • Step 1: Settings area
    • To the right of + Add Active Monitor
      • Below Append Port:
        • From the dropdown
          • Select Never
      • Leave all as default
    • Select  Next
  1. In the New Pool: wizard
    • Step 2: Servers area
      • Under Select Servers
        • Select IP Group
  1. In the New Pool: wizard
    • Step 2: Servers area
      • In the IP Group area
        • Under IP Group
          • From the dropdown
            • Select UAG Servers-Site-1
      • Leave all the rest of the settings default
    • Select Next
  1. In the New Pool: wizard
    • Step 3: Advanced area
      • Select Next
  1. In the New Pool: wizard
    • Step 4: Review area
      • Select Save

Installing the SSL certificate Required for L7 VIP

Part 5: Installing the SSL Certificate required for Layer 7 VIP
  1. From the NSX-ALB Admin console
    • Navigate to Templates > Security > SSL/TLS Certificates
  1. In the SSL/TLS Certificates area,
    • Select Create
      • Select Application Certificate
  1. In the New Certificate (SSL/TLS): HZN Cert page
    • Under Name*
      • Type HZN_Cert
    • Under Type
      • From the dropdown,
        • select Import
  1. In the New Certificate (SSL/TLS): HZN Cert page
    • Under Certificate
      • Select IMPORT FILE
  1. In Open File Explorer window
    • In the address bar
      • Enter the following path
        • \\horizon-01a.euc-livefire.com\software\certificates\Certifcate Bundle
        • Select euc-livefire_com.crt
        • Select Open
  1. In the New Certificate (SSL/TLS): HZN Cert page
    • Under Upload or Paste Key (PEM) or PKCS12 File,
      • Select IMPORT FILE
  1. In Open File Explorer window
    • In the address bar
    • Enter the following path
    • \\horizon-01a.euc-livefire.com\software\certificates\Certificate Bundle
    • Select RSAprivate.key
    • Select Open
  1. In the New Certificate (SSL/TLS): HZN Cert page
    • At the bottom right - hand side of the page
    • Select VALIDATE
    • Select SAVE
  1. In SSL/TLS Certificates page
    • Select CREATE
      • Select Root / intermediate CA Certificate
  1. In the New Certificate (SSL/TLS): window
    • Select IMPORT FILE
  1. In Open File Explorer window
    • In the address bar
    • Enter the following path
    • \\horizon-01a.euc-livefire.com\software\certificates\Certifcate Bundle
    • Select euc-livefire_com.ca-bundle
    • Select Open
  1. In the New Certificate (SSL/TLS): window
    • Under General
      • Below Name*
        • Type EUC-Livefire bundle
  1. In the New Certificate (SSL/TLS): window
    • Select VALIDATE
    • Select SAVE

Validating that  Connection Multiplexing is disabled

Part 6: Validating that Connection Multiplexing is disabled
  1. In the NSX-ALB console
    • Navigate to Templates > ProfilesApplication 
      • In the Application area
        • Select System-Secure-HTTP-VDI.
        • To the right of  System-Secure-HTTP-VDI
          • Select the edit icon.
  1. In Edit Application Profile: System-Secure-HTTP-VDI window
    • Ensure the checkbox next to Connection Multiplexing is NOT selected
    • Select Cancel
      • to close the Edit Application Profile: System-Secure-HTTP-VDI window

Creating the L7 Virtual Service for Site-1

Part 7: Creating the Layer 7 Virtual Service for Site-1
  1. In the NSX-ALB Console
    • Navigate to Applications Virtual Services
  1. In the Virtual Services area
    • To the top right, select CREATE VIRTUAL SERVICE 
      • Select  Advanced Setup.
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • Enter the following under:
        • Name*
          • type Horizon-UAG-L7-Site-1
        • VS VIP *
          • Select the dropdown,
            • Notice a Create VS VIP Green box appears
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • In the VIP Address area
        • Select Create VS VIP
  1. In the Create VS VIP: page
    • In the General tab,
      • Under Name
        • type: VIP-Horizon-UAG-Site1
      • Select ADD
  1. In the Edit VIP: 1 page
    • Under IPv4 Address*
      • type 172.16.20.100
      • Select SAVE
  1. In the Create VS VIP: VIP-Horizon-UAG-Site1 window
    • Select SAVE
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • Scroll down to the Service Port area
        • Under Services
          • Enable the checkbox next to SSL
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • In the Profiles sub-area
        • Below Application Profile*:
          • From the dropdown
            • Select System-Secure-HTTP-VDI
        • Below Error Page Profile:
          • From the dropdown
            • Select  Custom-Error-Page-Profile
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • In the *Pool* sub-area
        • Under Pool
          • Select the dropdown
            • Select: Horizon-L7-Pool-Site-1
      • In the *SSL Settings* sub-area
        • Under SSL Profile*
          • Select the dropdown
            • Select: System-Standard
        • Under SSL Certificate:
          • Select the dropdown
            • Select HZN_Cert
              • Remove the System-Default-Cert
          • Leave all other settings as default
    • In the bottom right corner
      • Select Next
  1. In the New Virtual Service wizard
    • Step 2: Policies area
      • (Leave everything as default)
    • Select Next
  1. In the New Virtual Service wizard
    • Step 3: Analytics area
      • (Leave everything as default)
      • Select Next
    • Step 4: Advanced tab,
      • (Leave everything as default)
      • Select Save
  1. In the New Virtual Service wizard
    • Step 4: Advanced area
      • (Leave everything as default)
    • Select Save

Creating L4 Virtual Service for Site-1

Part 8: Creating the Layer 4 Virtual Service for Site-1
  1. From the NSX-ALB admin console
    • Navigate to Applications > Virtual Services

 

  1. In the Virtual Services window
    • In the top right corner,
      • Select CREATE VIRTUAL SERVICE
      • Select  Advanced Setup.
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • Configure the following under:
        • Name*
          • Type Horizon-UAG-L4-Site-1
        • VS VIP *
          • Select the dropdown,
            • Select VIP-Horizon-UAG-Site1
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • *Profiles* sub area
        • Under Application Profile*
          • from the dropdown
            • Select: System-L4-Application
          • Under Error Page Profile
            • from the dropdown
              • Select: Custom-Error-Page-Profile
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • *Service Port* sub area
        • Select  Switch to Advanced.
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • *Service Port* sub area
        • Under Services
          • Replace port 80 with port 443
            • Port Min and Port Max areas to 443
        • Select the Checkbox next to Override TCP/UDP
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • Below the checkbox enabled Override TCP/UDP
        • Select the dropdown
          • Select System-UDP-Fast-Path-VDI
        • Select + Add Port
  1. In the New Virtual Service wizard
    • Step 1: Settings: continued
      • Type 8443 in Port Min and 8443 to Port Max
        • Note: You will notice Port Max will change automatically to 8443.
    • Uncheck Override TCP/UDP box if selected
    • Select + Add Port again.
    • Type 8443 in Port Min and 8443 to Port Max
    • Check the box Override TCP/UDP
    • Under Select Dropdown
      • Select System-UDP-Fast-Path-VDI
        • Note: Ensure all the Service Port details matches as per the screenshot above.
    • Select + Add Port again
  1. In the New Virtual Service wizard
    • Step 1: Settings: continued
      • Type 4172  in Port Min and 4172 to Port Max
        • Uncheck Override TCP/UDP box if selected.
    • Select + Add Port again
      • Type 4172 in Port Min and 4172 to Port Max
        • Check the box Override TCP/UDP
          • Under Select Dropdown
          • Select System-UDP-Fast-Path-VDI
    • Note: Ensure all the Service Port details matches as per the screenshot above.
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • To the right of *Service Port*
        • You will see the *Pool* area
          • Under Pool
            • From the dropdown
              • Select Horizon-L4-Pool-Site-1
      • Select Next
  1. In the New Virtual Service wizard
    • Step 2: Policies area
      • Leave everything as default
    • Select  Next
  1. In the New Virtual Service wizard
    • Step 3: Analytics area
      • Leave everything as default
    • Select  Next
  1. In the New Virtual Service wizard
    • Step 4: Advanced area
      • Leave everything as default
    • Select  Save
  1. In the NSX-ALB admin console
    • Select Applications
      • Select Virtual Services
    • In the right pane your configurations should look like the image above.

Configuring the Unified Access Gateway for Site1  AVI Integration

Part 9: Configuring the Unified Access Gateway for Site 1

Section 1. Configuring UAG-HZN-01a for AVI Integration

Section 1. Configuring UAG-HZN-01a for AVI Integration
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
    • In the Address bar, browse to https://uag-hzn-01a.euc-livefire.com:9443/admin/index.html
    • Login username: admin
    • Login password: VMware1!
  1. In the UAG Admin Console
    • Under Configure Manually
      • Click Select
  1. In the UAG Admin Console area
    • Under Advanced Settings
      • Scroll down until you find:
        • JWT Settings
  1. In the UAG Admin Console
    • Next to :
      • JWT Settings
        • select the gearbox
    • In the JWT Settings window
      • select Add JWT Consumer
  1. In the JWT Consumer Settings Page
    • Name: HZNBangalore
    • Issuer: Cluster-HORIZON-01A
      • Note:
        • It is the cluster name displayed in the  Horizon Admin Console
        • This a case-sensitive configuration
    • Dynamic Public key URL: https://horizon-01a.euc-livefire.com/broker/publicKey/protocolredirection
    • Trusted Certificates:
      • click the (+) icon
        • click Select
      • browse to Desktop > Software > certificates > Certificate Bundle
      • select euc-livefire_com.crt
    • Public key refresh interval: 900
    • Click Save
    • Click Close
  1. In the UAG Admin Console
    • Scroll back-up to General Settings
      • Next to Edge Service Settings,
        • Move the TOGGLE to the right
      • Next to Horizon Settings
        • Select the GEAR icon
  1. In the Horizon Settings
    • Next to Enable Tunnel
      • Move the Toggle Switch from enabled to disabled
  1. In the Horizon Settings
    • Click on More
    • Scroll Down to JWT Consumer
  1. In the Horizon Settings
    • Next to JWT Consumer
    • from the dropdown.
      • select HZNBangalore
  1. Next to Host Port Redirect Mappings,
    • In the Source Host Port area
      • enter uag-hzn-avi01.euc-livefire.com
    • In the Redirect Host Port area
      • enter  uag-hzn-01a.euc-livefire.com
    • Once the Host Redirect Mappings are filled,
      • click on + symbol to add the entries.
        • Note: It should match the screenshot above
    • To Close the Horizon settings page
      • Select Save

Section 2: Configuring UAG-HZN-01B in Site1 for AVI Integration

Section 2. Configuring UAG-HZN-01B for AVI Integration
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
    • In the Address bar, browse to https://uag-hzn-01b.euc-livefire.com:9443/admin/index.html
    • Login username: admin
    • Login password: VMware1!
  1. In the UAG Admin Console
    • Under Configure Manually
      • Click Select
  1. In the UAG Admin Console area
    • Under Advanced Settings
      • Scroll down until you find:
        • JWT Settings
  1. In the UAG Admin Console
    • Next to :
      • JWT Settings
        • select the gearbox
    • In the JWT Settings window
      • select Add JWT Consumer
  1. In the  JWT Consumer Settings Page
    • Name: HZNBangalore
    • Issuer: Cluster-HORIZON-01A
      • Note:
        • It is the cluster name displayed in the  Horizon Admin Console
        • This a case-sensitive configuration
    • Dynamic Public key URL: https://horizon-01a.euc-livefire.com/broker/publicKey/protocolredirection
    • Trusted Certificates:
      • click the (+) icon
        • click Select
      • browse to Desktop > Software > certificates > Certificate Bundle
      • select euc-livefire_com.crt
    • Public key refresh interval: 900
    • Click Save
    • Click Close
  1. In the UAG Admin Console
    • Scroll back-up to General Settings
      • Next to Edge Service Settings,
        • Move the TOGGLE to the right
      • Next to Horizon Settings
        • Select the GEAR icon
  1. In the Horizon Settings
    • Next to Enable Tunnel
      • Move the Toggle Switch from enabled to disabled
  1. In the Horizon Settings
    • Click on More
    • Scroll Down to JWT Consumer
  1. In the Horizon Settings
    • Next to JWT Consumer
    • from the dropdown.
      • select HZNBangalore
  1. Next to Host Redirect Mappings,
    • In the Source Host Port area
      • enter uag-hzn-avi01.euc-livefire.com
    • In the Redirect Host Port area
      • enter  uag-hzn-01b.euc-livefire.com
    • Once the Host Redirect Mappings are filled,
      • click on (+) symbol to add the entries.
        • Note: It should match the screenshot above
    • To Close the Horizon settings page
      • Select Save

Configuring Universal Console to map the external FQDN of HznBangalore to AVI-Site1

Part 10 : Configure Universal Console To Map External FQDN of HZNBangalore to AVI Site-1
  1. Configure Gateway Settings in Horizon Cloud Console
    • On ControlCenter Server
      • Open the Chrome Browser for Site-1 or Site-2
      • To login to Horizon Universal Console
        • In the Username area
          • (Enter your assigned username)
        • In the Password area,
          • type VMware1!
      • Select LOGIN
  1. In the Horizon Universal Console Page
    • Navigate to Settings > Capacity
      • Next to HZNXXBangalore
        • where XX is your assigned POD ID
      • Select Edit
    • On the Edit Pod page,
      1. Pod Setup area
        • Select NEXT
  1. On the Edit Pod page,
    1. In Gateway Settings area
      • Enter the following, next to :-
        • Pod External FQDN: uag-hzn-avi01.euc-livefire.com
        • Pod Internal FQDN: horizon-01a.euc-livefire.com
      • Click NEXT
  1. In Summary Page,
    • Review your information
      • Click VALIDATE & SAVE
  1. In the Edit Pod
    • Summary page
      • When you see an error:-
      • "Could not validate FQDN. Make sure the FQDN is valid and try again"
    • Select SAVE again.

Testing the Connectivity For Site-1

Part 11: Testing the Integration of Horizon Cloud services with AVI in Site-1
  1. In the ControlCenter Desktop
    • Navigate to > Remote Desktops > Site1
    • Launch the RDP session to w10Client-01a.RDP
      • Enter the following credentials:-
      • Select OK
  1. In the VMware Horizon Client
    • Select your assigned Broker ID
      • BrokerXX (Your initials).euc-livefire.com
        • where XX is your assigned POD ID
        • Your initials. (If my name is Tom Harry, then my initials will be th)
  1. In the VMware Horizon Client login
    • In the Username area
      • enter mark
    • In the login area
      • enter VMware1!
    • Select Login
  1. To Confirm the Desktop is launched from Site-1
    • Within the VDI Session
      • Select Start > run
        • enter cmd.exe
    • In the Command Prompt Window
      • Type hostname
      • Notice the desktop is launched from BLR , abbreviation for Bangalore which is Site-1
    • In the Horizon client
      • From the 3 dot dropdown
        • Select Logoff Desktop
      • In the Disconnect and log off  desktop? window
        • Select OK

Configure AVI Service Engine for Site-2

Part 12 : AVI Integration with UAG Servers in Site-2
FQDN Entity Description Real IP
uag-hzn-avi02.euc-livefire.com FQDN of AVI LB VIP Site-2 172.16.50.100
uag-hzn-02a.euc-livefire.com
 FQDN of UAG Server 1 on Site-2 172.16.50.10
uag-hzn-02b.euc-livefire.com
 FQDN of UAG Server 2 on Site-2
 172.16.50.11
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-2
      • In the Address bar,
        • Enter and browse to avicontroller.euc-livefire.com
      • In the Your Connection is not private window
        • Select Advanced
        • Select Proceed to avicontroller.euc-livefire.com
      • Under Username area,
        • enter admin
      • In the Password area
        • enter VMware1!VMware1!
  1. In the Default landing page
    • Close the Controller Faults notification
  1. From the NSX-ALB console,
    • Navigate to Templates > Groups.
      • Select IP GROUPS
        • Select Create IP Group
  1. In the NEW IP Group:window
    • Under Name: UAG-Server-Site-2
    • Under Type  drop down menu,
      • select IP Address
    • Under IP Address.
      • Click on Add
        • Type 172.16.50.10
      • Click Add
        • Type 172.16.50.11
    • In the bottom right hand corner
      • Click Save

 

We will now create L7 Pools for Site-2

Part 13: Creating Layer 7 Pools For Site-2
  1. In the NSX-ALB UI,
    • Navigate to Applications > Pools.
      • Click On CREATE POOL on the right hand side
        • In the New Pool window, enter the required information to the following:
          • In Step 1: Settings Tab:
            • Name: Horizon-L7-Pool-Site-2
            • Default Service Port: 443
            • Load Balance: Select Consistent Hash
              • with Source IP Address as the hash key.
            • Next to Passive Health Monitor
              • Ensure the checkbox is checked
            • In the Health Monitors section,
              • click + Add Active Monitor.
            • Above  + Add Active Monitor
              • From the dropdown
                • select Horizon-HTTPS
            • Append Port: Never
            • Enable SSL: Select the check box
            • SSL Profile: Select System-Standard.
            • Ensure TLS SNI box is Checked
            • Click Next
  1. In  Step 2: Servers Tab
    • Select Servers, area
      • Click on IP Group
    • From IP Group Drop Down,
      • Select UAG-Server-Site-2
        • Leave all the settings as default
    • Click Next
  1. In Step 3: Advanced Tab
    • Leave all the settings as default
    • Click Next
  1. In Step 4: Review Tab
    • Click Save

Configuring L4 Pool for Site 2

Part 14: Configure Layer 4 Pool For Site-2
  1. In the NSX-ALB UI,
    • Navigate to Applications > Pools.
      • Click On CREATE POOL on the right hand side
        • In the New Pool window, enter the required information to the following:
          • In Step 1: Settings Tab:
            • Name: Horizon-L4-Pool-Site2
            • Default Service Port: 443
            • Load Balance: Select Consistent Hash 
              • with Source IP Address as the hash key.
            • In the Health Monitors section,
              • Make sure Passive Health Monitor
                • is Checked
              • Click + Add Active Monitor.
                • Above + Add Active Monitor.
                  • From the dropdown
                    • Select  Horizon-HTTPS
            • Append Port: Never
    • click Next
  1. In Step 2: Servers Tab
    • Below Select Servers,
      • Click on IP Group
    • From the IP Group Drop Down,
      • Select UAG-Server-Site-2
    • Click Next
  1. In Step 3: Advanced Tab
    • Leave all the settings as default
    • Click Next
  1. In Step 4: Review Tab
    • Click Save

Creating the L7 Virtual Service for Site-2

Part 15: Configure the Layer 7 Virtual Service for Site-2

 

  1. In the NSX-ALB Console
    • Navigate to Applications > Virtual Services
  1. In the Virtual Services
    • Click  CREATE VIRTUAL SERVICE on the top right hand corner
      • Select Advanced Setup.
  1. In New Virtual Service Window:
    • Under Step 1: Settings tab:
      • Name: Horizon-UAG-L7-Site2
  1. New Virtual Service: Horizon-UAG-L7-Site2
    • Under VS VIP*
      • Select the dropdown,
        • Select Create VS VIP
  1. In the Create VS VIP: VIP-Horizon-UAG-Site2 window
    • In the General tab,
      • Under Name
        • enter: VIP-Horizon-UAG-Site2
  1. In the Create VS VIP: VIP-Horizon-UAG-Site2 window
    • Under VIP,
      • Click on ADD
        • under IPv4 Address:
          • enter 172.16.50.100
        • Ensure the Enable VIP tick-box is checked
      • Click Save
    • To close the Create VS VIP: VIP-Horizon-UAG-Site2
      • Select Save
  1. In the New Virtual Service: Page
    1. Step 1: Settings
      • Enable SSL for Services
      • Application Profile: Select System-Secure-HTTP-VDI
      • Error Page Profile: Custom-Error-Page-Profile
      • Pool: Horizon-L7-Pool-Site-2
      • SSL Profile: System-Standard
      • SSL Certificate: Hzn_Cert
      • Click Next
    2. Step 2: Policies tab,
      • Leave everything as default
        • click Next
    3. Step 3: Analytics tab,
      • Leave everything as default
        • click Next
    4. Step 4: Advanced tab,
      • Leave everything as default
        • click Save

Creating Layer 4 Virtual Service For Site-2

Part 16: Configure Layer 4 Virtual Service For Site-2
  1. On ControlCenter, Ensure you are logged in to AVI Controller using Chrome Site-2 profile
    • In the NSX-ALB Console
    • Navigate to Applications > Virtual Services
    • Click on  CREATE VIRTUAL SERVICE on the top right hand corner
    • Select Advanced Setup
  1. In the New Virtual Service Window
    • Under Step 1: Settings
      • Name: Horizon-UAG-L4-Site-2
    • Under the VS VIP dropdown,
      • select VIP-Horizon-UAG-Site2
    • Under Application Profile:
      • select System-L4-Application
    • Under Error Page Profile:
      • select Custom-Error-Page-Profile
  1. In the New Virtual Service Window
    • Under Step 1: Settings
      • Under Service Port 
        • click on Switch to Advanced.
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • *Service Port*sub area
        • Under Services
          • Replace port 80 with port 443
            • Port Min and Port Max areas
          • Select the Checkbox next to Override TCP/UDP
  1. In the New Virtual Service wizard
    • Step 1: Settings area
      • Under Override TCP/UDP
        • Select the dropdown
          • Select System-UDP-Fast-Path-VDI
      • Select + Add Port
  1. In the New Virtual Service wizard
    • Step 1: Settings: continued
      • Type 8443 in Port Min and 8443 to Port Max
        • Note: You will notice Port Max will change automatically to 8443.
      • Uncheck Override TCP/UDP box if selected
      • Select + Add Port again
      • Type 8443 in Port Min and 8443 to Port Max
      • Check the box Override TCP/UDP
      • Under Select Dropdown
        • Select System-UDP-Fast-Path-VDI
          • Note: Ensure all the Service Port details matches as per the screenshot above.
    • Select + Add Port again
  1. In the New Virtual Service wizard
    • Step 1: Settings: continued
      • Type 4172  in Port Min and 4172 to Port Max
        • Uncheck Override TCP/UDP box if selected.
        • Select + Add Port again
        • Type 4172 in Port Min and 4172 to Port Max
        • Check the box Override TCP/UDP
        • Under Select Dropdown
        • Select System-UDP-Fast-Path-VDI
          • Note: Ensure all the Service Port details matches as per the screenshot above.
  1. In the New Virtual Service wizard
    1. Step 1: Settings:
      • Under the Pool Section:
        • Select the option Pool.
        • Choose the Horizon-L4-Pool-Site2
      • Click Next
    2. Under Step 2: Policies tab,
      • Leave everything as default
        • click Next
    3. Under Step 3: Analytics tab,
      • (Leave everything as default)
        • click Next
    4. Under Step 4: Advanced tab,
      • (Leave everything as default)
        • click Save
  1. Once Configured, it should be shown as the image above.

Configuring UAG-HZN-02A in Site2 for AVI Integration

Part 17: Configure Unified Access Gateway for Site 2

Section 1. Configuring UAG-HZN-02a for AVI Integration

Section 1. Configuring UAG-HZN-02a for AVI Integration
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-2
    • In the Address bar, browse to https://uag-hzn-02a.euc-livefire.com:9443/admin/index.html
    • Login username: admin
    • Login password: VMware1!
  1. In the UAG Admin Console
    • Under Configure Manually
      • Click Select
  1. In the UAG Admin Console
    • General Settings area
      • Next to Edge Service Settings
        • Move the TOGGLE to the right
  1. In the UAG Admin Console
    • In the Advanced Settings area
      • Find JWT Settings
  1. In the UAG Admin Console
    • Under Advanced Settings
      • JWT Settings
        • click the gearbox forJWT Settings.
    • In the JWT window
      • select Add JWT Consumer.
  1. In the JWT Consumer Settings Page
    • Name: HZNSeattle
    • Issuer: Cluster-HORIZON-02A
      • Note:
        • It is the cluster name displayed in the Horizon Admin Console
        • This configuration is case-sensitive
    • Dynamic Public key URL: https://horizon-02a.euc-livefire.com/broker/publicKey/protocolredirection
    • Trusted Certificates:
      • click the (+) icon
        • click Select
      • browse to Desktop > Software > certificates > Certificate Bundle
      • select euc-livefire_com.crt
    • Public key refresh interval: 900
    • Click Save
    • Click Close
  1. In the UAG Admin Console
    • Scroll back up to General Settings
      • Under Edge Service Settings,
        • Next to Horizon Settings
          • Select the GEAR icon
  1. In the Horizon Settings
    • Next to Enable Tunnel
      • Move the Toggle Switch from enabled to disabled
  1. In the Horizon Settings
    • Click on More
    • Scroll Down to JWT Consumer
  1. In the Horizon Settings
    • Next to JWT Consumer
    • from the dropdown.
      • select HZNSeattle
  1. Next to Host Port Redirect Mappings,
    • In the Source Host Port area
      • enter uag-hzn-avi02.euc-livefire.com
    • In the Redirect Host Port area
      • enter  uag-hzn-02a.euc-livefire.com
    • Once the Host Redirect Mappings are filled,
      • click on + symbol to add the entries.
        • Note: It should match the screenshot above
    • To Close the Horizon settings page
      • Select Save

Section 2. Configuring UAG-HZN-02b for AVI Integration

Section 2. Configuring UAG-HZN-02b for AVI Integration
  1. On your ControlCenter Server
    • Open your Chrome Browser for Site-1
    • In the Address bar, browse to https://uag-hzn-02b.euc-livefire.com:9443/admin/index.html
    • Login username: admin
    • Login password: VMware1!
  1. In the UAG Admin Console
    • Under Configure Manually
      • Click Select
  1. In the UAG Admin Console
    • General Settings area
      • Next to Edge Service Settings
        • Move the TOGGLE to the right
  1. In the UAG Admin Console
    • In the Advanced Settings area
      • Find JWT Settings
  1. In the UAG Admin Console
    • Under Advanced Settings
      • JWT Settings
        • click the gearbox forJWT Settings.
    • In the JWT Settings window
      • select Add JWT Consumer
  1. In the JWT Consumer Settings Page
    • Name: HZNSeattle
    • Issuer: Cluster-HORIZON-02A
      • Note:
        • It is the cluster name displayed in the Horizon Admin Console
        • This configuration is case-sensitive
    • Dynamic Public key URL: https://horizon-02a.euc-livefire.com/broker/publicKey/protocolredirection
    • Trusted Certificates:
      • click the (+) icon
        • click Select
      • browse to Desktop > Software > certificates > Certificate Bundle
      • select euc-livefire_com.crt
    • Public key refresh interval: 900
    • Click Save
    • Click Close
  1. In the UAG Admin Console
    • Scroll back up to General Settings
      • Under Edge Service Settings,
        • Next to Horizon Settings
          • Select the GEAR icon
  1. In the Horizon Settings
    • Next to Enable Tunnel
      • Move the Toggle Switch from enabled to disabled
  1. In the Horizon Settings
    • Click on More
    • Scroll Down to JWT Consumer
  1. In the Horizon Settings
    • Next to JWT Consumer
    • from the dropdown.
      • select HZNSeattle
  1. Next to Host Port Redirect Mappings,
    • In the Source Host Port area
      • enter uag-hzn-avi02.euc-livefire.com
    • In the Redirect Host Port area
      • enter  uag-hzn-02b.euc-livefire.com
    • Once the Host Redirect Mappings are filled,
      • click on + symbol to add the entries.
        • Note: It should match the screenshot above
    • To Close the Horizon settings page
      • Select Save

Configuring Universal Console to map the external FQDN of HznSeattle to AVI-Site2

Part 18: Configure Universal Console To Map External FQDN of HZNSeattle to AVI Site-2

 

  1. Configure Gateway Settings in Horizon Cloud Console
    • On ControlCenter Server
    • Open Chrome Browser Site-2
    • Login to Horizon Universal Console https://cloud.horizon.vmware.com/
    • In the Username area(Enter your assigned username)
    • In the Password area, type VMware1!
    • Select LOGIN
  1. In the Horizon Universal Console Page
    • Navigate to Settings > Capacity
      • Select HZNXXSeattle
        • where XX is your assigned POD ID
        • Select EDIT
    • In the Edit Pod wizard
      1. Pod Setup page,
        • Select NEXT
  1. In the Edit Pod wizard
    1. Gateway Settings
      • enter the following next to:
        • Pod External FQDN, type uag-hzn-avi02.euc-livefire.com
        • Pod Internal FQDN, type horizon-02a.euc-livefire.com
        • Select NEXT
  1. In the Edit Pod wizard
    1. Summary
      • Select VALIDATE & SAVE
  1. On the Edit Pod page
    • Summary area
    • When you see the message
      • "Could not validate FQDN. Make sure the FQDN is valid and try again"
    • Select SAVE

Testing the Connectivity For Site-2

Part 19: Testing the Integration of Horizon Cloud services with AVI in Site-2

We will now validate the function of our configurations.

 

  1. In the ControlCenter
    • Navigate to
      • Remote Desktops > Site2
    • Launch the RDP session to w10EXT-02a.RDP
  1. On the w10EXT-02a desktop
    • Launch Horizon Client
    • In Horizon Client, Click on + Add Server
  1. In the Name of the Connection Server window
    • Enter YOUR assigned broker FQDN
    • BrokerXX (Your initials).euc-livefire.com
    • where XX is your assigned POD ID
    • Your initials. (If my name is Tom Harry, then my initials will be th)
    • Select Connect
  1. In the Login window
    • In the Username, area
      • Type Tom
    • In the Password, area
      • Type VMware1!
    • Select Login
  1. In the VMware Horizon Client
    • Select your CorpxxHZN desktop assignment
    • Where xx is your assigned number
  1. To Confirm the Desktop is launched from Site-2
    • Open Command Prompt
      • within the VDI Session
        • Start > run
          • type cmd.exe
    • In the Command Prompt Window
      • Type hostname
      • Notice the desktop is abbreviate SEA which is  from Seattle,  Site-2

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.