EUC

VMware NSX AVI Loadbalancer Integration with VMware Horizon

To deploy AVI LoadBalancer, there are two main components involved:

AVI Controller:
The Avi Controller is a centralized brain that spans data centers and clouds. The Avi Controller has full visibility across the environments and automates the deployment and management of the load balancing endpoints, which we call Service Engines.
We need one AVI Controller to manage the Service Engine across the site if all the network configurations are in-place. In Our Lab, Avi Controller is pre-deployed in Site-2 which will manage both the Service Engines

Service Engine:
Service Engine is a Load Balancer Component which runs on each datacenter. Service Engine(SE) is managed by AVI Controller. In the lab we will see how SEs are configured as a Load Balancer to full-fill the request from Applications.
In Our case Applications are UAGs across both Site-1 and Site-2

Part 1 - AVI Integration with UAG Servers Site-1

Section 1 - AVI Integration with UAG Servers in Site1

FQDN	Entity Description	Real IP
uag-hzn-avi01.euc-livefire.com	FQDN of Avi LB VIP Site-1	172.16.20.100
uag-hzn-01a.euc-livefire.com	FQDN of UAG server 1 on site 1	172.16.20.10
uag-hzn-01b.euc-livefire.com	FQDN of uag server 2 on site 1	172.16.20.11

On your ControlCenter Server
- Open your Chrome Browser for Site-1
  - In the Address bar, Enter and browse to avicontroller.euc-livefire.com
    - In the Your Connection is not private window
      - Select Advanced
      - Select Proceed to avicontroller.euc-livefire.com

In the VMware NSX ALB (Avi) page
- Under Username, enter admin and VMware1!VMware1! as the password

In the Default landing page under the Applications tab
- Close the Controller Faults notification

From the NSX-ALB console,
- Navigate to Templates > Groups.
  - Select IP Groups
- In the Groups area
  - To the right of the Groups area
    - Select CREATE IP GROUP

In the NEW IP Group: window
- In the General area
  - Under Name*
    - Type UAG Servers-Site-1
- Under IP Addresses area
  - Select ADD

In the IP Addresses (1) area
- Under IP Address
  - In the Enter IP Address area
    - Type 172.16.20.10

In the IP Addresses (1) area
- Select ADD

In the IP Addresses (2) area
- Under IP Address
  - In the Enter IP Address area
    - Type 172.16.20.11

In the IP Addresses (2) area
- In the bottom right hand corner
  - Select Save

The next step will be to create a custom Health Monitor Profile

Part 2: Creating a Custom Health Monitor Profile

The next step will be to create a custom Health Monitor Profile

From the NSX-ALB console,
- Navigate to Templates > Profiles
  - Under Profiles
    - Select Health Monitors
- To the right of the console
  - Select CREATE

On the New Health Monitor page,
- Enter the profile information
  - Under Name*
    - type Horizon-HTTPS
  - Under Type
    - From the drop down, select HTTPS
  - Under Send Interval
    - Type 30
  - Receive Timeout
    - Type 10

On the New Health Monitor: Horizon-HTTPS page,
- Scroll down to the HTTPS Settings section
  - Under Health Monitor Port
    - Type 443
- Under Client Request Header
  - Remove GET / HTTP/1.0
  - Replace with GET /favicon.ico HTTP/1.0

On the New Health Monitor: Horizon-HTTPS page,
- Scroll down until you locate Response Code*
  - Below Response Code*
    - From the dropdown select 2XX
  - Next to SSL Attributes:
    - Select the check box.
  - Below SSL Profile*
    - From the dropdown
      - Select System-Standard.

On the New Health Monitor: Horizon-HTTPS page,
- Scroll down until you locate Maintenance Response Code*
  - Under Maintenance Response Code,
    - Type 503
      - Ensure to leave all the settings as default
- In the bottom right of the window
  - Click Save at the end

We will now create L7 Pools for Site-1

Part 3: Creating Layer 7 Pools For Site-1

From the NSX-ALB console
- Navigate to Applications > Pools.

In the Pools area
- To the right of the pane
  - Select CREATE POOL

In the New Pool: Horizon-L7-Pool-Site-1 window,
- Step 1: Settings
  - Enter the required information:
    - Under Name*:
      - Type Horizon-L7-Pool-Site-1
    - Under Default Server Port
      - Type 443
    - Under Load Balance:
      - From the drop down
        
        Select Consistent Hash
        
        with Source IP Address as the hash key.

In the New Pool: Horizon-L7-Pool-Site-1 window,
- Step 1: Settings
  - In the Health Monitors section
    - Make sure the checkbox next to:
      - Passive Health Monitor is checked
    - Select + Add Active Monitor.
      - Above + Add Active Monitor.
        
        From the dropdown, select is Horizon-HTTPS
        
        This is the health monitor that you created earlier

In the New Pool: Horizon-L7-Pool-Site-1 window,
- Step 1: Settings
  - To the right of the Health Monitors area
    - Below Append Port:
      - From the dropdown
        
        Select Never

In the New Pool: Horizon-L7-Pool-Site-1 window,
- Step 1: Settings
  - Select the check box, next to
    - Enable SSL

In the New Pool: Horizon-L7-Pool window
- Step 1: Settings
  - Under SSL Profile*
    - From the dropdown
      - Select System-Standard.
  - Ensure TLS SNI box is Checked
    - Leave all the remaining settings as defaults
  - To the bottom right of the page
- Select Next

In the New Pool: Horizon-L7-Pool-Site-1 window
- Step 2: Servers
  - Under Select Servers
    - Select IP Group

In the New Pool: Horizon-L7-Pool-Site-1 window
- Step 2: Servers
  - IP Group area
    - Below the IP Group header
      - From the dropdown,
        
        select UAG Servers-Site-1
        
        You created this earlier
  - Leave all the settings as default
- Select Next

In the New Pool: Horizon-L7-Pool-Site-1 window
- Step 3: Advanced
  - Leave everything as Default
- Select Next

In the New Pool: Horizon-L7-Pool-Site-1 window
- Step 4: Review
- Review your settings
- Select Save

Creating the UAG L4 Pool For Site-1

Part 4: Creating the Unified Access Gateway Layer 4 Pool for Site-1

In the NSX-ALB admin console
- In the Applications > Pools area
  - Select CREATE POOL

In the New Pool: wizard
- Step 1: Settings area
  - Enter the following under:-
    - Under Name*
      - type: Horizon-L4-Pool-Site-1
    - Under Default Service Port
      - Type: 443
    - Under Load Balance:
      - Select Consistent Hash
        
        with Source IP Address as the hash key.

In the New Pool: wizard
- Step 1: Settings area
  - Enable the following under:-
    - Ensure Passive Health Monitor is checked
- In the Health Monitors section,
  - Select +Add Active Monitor.

In the New Pool: wizard
- Step 1: Settings area
- Above + Add Active Monitor
  - From the dropdown. select Horizon-HTTPS

In the New Pool: wizard
- Step 1: Settings area
- To the right of + Add Active Monitor
  - Below Append Port:
    - From the dropdown
      - Select Never
  - Leave all as default
- Select Next

In the New Pool: wizard
- Step 2: Servers area
  - Under Select Servers
    - Select IP Group

In the New Pool: wizard
- Step 2: Servers area
  - In the IP Group area
    - Under IP Group
      - From the dropdown
        
        Select UAG Servers-Site-1
  - Leave all the rest of the settings default
- Select Next

In the New Pool: wizard
- Step 3: Advanced area
  - Select Next

In the New Pool: wizard
- Step 4: Review area
  - Select Save

Installing the SSL certificate Required for L7 VIP

Part 5: Installing the SSL Certificate required for Layer 7 VIP

From the NSX-ALB Admin console
- Navigate to Templates > Security > SSL/TLS Certificates

In the SSL/TLS Certificates area,
- Select Create
  - Select Application Certificate

In the New Certificate (SSL/TLS): HZN Cert page
- Under Name*
  - Type HZN_Cert
- Under Type
  - From the dropdown,
    - select Import

In the New Certificate (SSL/TLS): HZN Cert page
- Under Certificate
  - Select IMPORT FILE

In Open File Explorer window
- In the address bar
  - Enter the following path
    - \\horizon-01a.euc-livefire.com\software\certificates\Certifcate Bundle
    - Select euc-livefire_com.crt
    - Select Open

In the New Certificate (SSL/TLS): HZN Cert page
- Under Upload or Paste Key (PEM) or PKCS12 File,
  - Select IMPORT FILE

In Open File Explorer window
- In the address bar
- Enter the following path
- \\horizon-01a.euc-livefire.com\software\certificates\Certificate Bundle
- Select RSAprivate.key
- Select Open

In the New Certificate (SSL/TLS): HZN Cert page
- At the bottom right - hand side of the page
- Select VALIDATE
- Select SAVE

In SSL/TLS Certificates page
- Select CREATE
  - Select Root / intermediate CA Certificate

In the New Certificate (SSL/TLS): window
- Select IMPORT FILE

In Open File Explorer window
- In the address bar
- Enter the following path
- \\horizon-01a.euc-livefire.com\software\certificates\Certifcate Bundle
- Select euc-livefire_com.ca-bundle
- Select Open

In the New Certificate (SSL/TLS): window
- Under General
  - Below Name*
    - Type EUC-Livefire bundle

In the New Certificate (SSL/TLS): window
- Select VALIDATE
- Select SAVE

Validating that Connection Multiplexing is disabled

Part 6: Validating that Connection Multiplexing is disabled

In the NSX-ALB console
- Navigate to Templates > Profiles> Application
  - In the Application area
    - Select System-Secure-HTTP-VDI.
    - To the right of System-Secure-HTTP-VDI
      - Select the edit icon.

In Edit Application Profile: System-Secure-HTTP-VDI window
- Ensure the checkbox next to Connection Multiplexing is NOT selected
- Select Cancel
  - to close the Edit Application Profile: System-Secure-HTTP-VDI window

Creating the L7 Virtual Service for Site-1

Part 7: Creating the Layer 7 Virtual Service for Site-1

In the NSX-ALB Console
- Navigate to Applications > Virtual Services

In the Virtual Services area
- To the top right, select CREATE VIRTUAL SERVICE
  - Select Advanced Setup.

In the New Virtual Service wizard
- Step 1: Settings area
  - Enter the following under:
    - Name*
      - type Horizon-UAG-L7-Site-1
    - VS VIP *
      - Select the dropdown,
        
        Notice a Create VS VIP Green box appears

In the New Virtual Service wizard
- Step 1: Settings area
  - In the VIP Address area
    - Select Create VS VIP

In the Create VS VIP: page
- In the General tab,
  - Under Name
    - type: VIP-Horizon-UAG-Site1
  - Select ADD

In the Edit VIP: 1 page
- Under IPv4 Address*
  - type 172.16.20.100
  - Select SAVE

In the Create VS VIP: VIP-Horizon-UAG-Site1 window
- Select SAVE

In the New Virtual Service wizard
- Step 1: Settings area
  - Scroll down to the Service Port area
    - Under Services
      - Enable the checkbox next to SSL

In the New Virtual Service wizard
- Step 1: Settings area
  - In the Profiles sub-area
    - Below Application Profile*:
      - From the dropdown
        
        Select System-Secure-HTTP-VDI
    - Below Error Page Profile:
      - From the dropdown
        
        Select Custom-Error-Page-Profile

In the New Virtual Service wizard
- Step 1: Settings area
  - In the *Pool* sub-area
    - Under Pool
      - Select the dropdown
        
        Select: Horizon-L7-Pool-Site-1
  - In the *SSL Settings* sub-area
    - Under SSL Profile*
      - Select the dropdown
        
        Select: System-Standard
    - Under SSL Certificate:
      - Select the dropdown
        
        Select HZN_Cert
        
        Remove the System-Default-Cert
      - Leave all other settings as default
- In the bottom right corner
  - Select Next

In the New Virtual Service wizard
- Step 2: Policies area
  - (Leave everything as default)
- Select Next

In the New Virtual Service wizard
- Step 3: Analytics area
  - (Leave everything as default)
  - Select Next
- Step 4: Advanced tab,
  - (Leave everything as default)
  - Select Save

In the New Virtual Service wizard
- Step 4: Advanced area
  - (Leave everything as default)
- Select Save

Creating L4 Virtual Service for Site-1

Part 8: Creating the Layer 4 Virtual Service for Site-1

From the NSX-ALB admin console
- Navigate to Applications > Virtual Services

In the Virtual Services window
- In the top right corner,
  - Select CREATE VIRTUAL SERVICE
  - Select Advanced Setup.

In the New Virtual Service wizard
- Step 1: Settings area
  - Configure the following under:
    - Name*
      - Type Horizon-UAG-L4-Site-1
    - VS VIP *
      - Select the dropdown,
        
        Select VIP-Horizon-UAG-Site1

In the New Virtual Service wizard
- Step 1: Settings area
  - *Profiles* sub area
    - Under Application Profile*
      - from the dropdown
        
        Select: System-L4-Application
      - Under Error Page Profile
        
        from the dropdown
        
        Select: Custom-Error-Page-Profile

In the New Virtual Service wizard
- Step 1: Settings area
  - *Service Port* sub area
    - Select Switch to Advanced.

In the New Virtual Service wizard
- Step 1: Settings area
  - *Service Port* sub area
    - Under Services
      - Replace port 80 with port 443
        
        Port Min and Port Max areas to 443
    - Select the Checkbox next to Override TCP/UDP

In the New Virtual Service wizard
- Step 1: Settings area
  - Below the checkbox enabled Override TCP/UDP
    - Select the dropdown
      - Select System-UDP-Fast-Path-VDI
    - Select + Add Port

In the New Virtual Service wizard
- Step 1: Settings: continued
  - Type 8443 in Port Min and 8443 to Port Max
    - Note: You will notice Port Max will change automatically to 8443.
- Uncheck Override TCP/UDP box if selected
- Select + Add Port again.
- Type 8443 in Port Min and 8443 to Port Max
- Check the box Override TCP/UDP
- Under Select Dropdown
  - Select System-UDP-Fast-Path-VDI
    - Note: Ensure all the Service Port details matches as per the screenshot above.
- Select + Add Port again

In the New Virtual Service wizard
- Step 1: Settings: continued
  - Type 4172 in Port Min and 4172 to Port Max
    - Uncheck Override TCP/UDP box if selected.
- Select + Add Port again
  - Type 4172 in Port Min and 4172 to Port Max
    - Check the box Override TCP/UDP
      - Under Select Dropdown
      - Select System-UDP-Fast-Path-VDI
- Note: Ensure all the Service Port details matches as per the screenshot above.

In the New Virtual Service wizard
- Step 1: Settings area
  - To the right of *Service Port*
    - You will see the *Pool* area
      - Under Pool
        
        From the dropdown
        
        Select Horizon-L4-Pool-Site-1
  - Select Next

In the New Virtual Service wizard
- Step 2: Policies area
  - Leave everything as default
- Select Next

In the New Virtual Service wizard
- Step 3: Analytics area
  - Leave everything as default
- Select Next

In the New Virtual Service wizard
- Step 4: Advanced area
  - Leave everything as default
- Select Save

In the NSX-ALB admin console
- Select Applications
  - Select Virtual Services
- In the right pane your configurations should look like the image above.

Configuring the Unified Access Gateway for Site1 AVI Integration

Part 9: Configuring the Unified Access Gateway for Site 1

Section 1. Configuring UAG-HZN-01a for AVI Integration

On your ControlCenter Server
- Open your Chrome Browser for Site-1
- In the Address bar, browse to https://uag-hzn-01a.euc-livefire.com:9443/admin/index.html
- Login username: admin
- Login password: VMware1!

In the UAG Admin Console
- Under Configure Manually
  - Click Select

In the UAG Admin Console area
- Under Advanced Settings
  - Scroll down until you find:
    - JWT Settings

In the UAG Admin Console
- Next to :
  - JWT Settings
    - select the gearbox
- In the JWT Settings window
  - select Add JWT Consumer

In the JWT Consumer Settings Page
- Name: HZNBangalore
- Issuer: Cluster-HORIZON-01A
  - Note:
    - It is the cluster name displayed in the Horizon Admin Console
    - This a case-sensitive configuration
- Dynamic Public key URL: https://horizon-01a.euc-livefire.com/broker/publicKey/protocolredirection
- Trusted Certificates:
  - click the (+) icon
    - click Select
  - browse to Desktop > Software > certificates > Certificate Bundle
  - select euc-livefire_com.crt
- Public key refresh interval: 900
- Click Save
- Click Close

In the UAG Admin Console
- Scroll back-up to General Settings
  - Next to Edge Service Settings,
    - Move the TOGGLE to the right
  - Next to Horizon Settings
    - Select the GEAR icon

In the Horizon Settings
- Next to Enable Tunnel
  - Move the Toggle Switch from enabled to disabled

In the Horizon Settings
- Click on More
- Scroll Down to JWT Consumer

In the Horizon Settings
- Next to JWT Consumer
- from the dropdown.
  - select HZNBangalore

Next to Host Port Redirect Mappings,
- In the Source Host Port area
  - enter uag-hzn-avi01.euc-livefire.com
- In the Redirect Host Port area
  - enter uag-hzn-01a.euc-livefire.com
- Once the Host Redirect Mappings are filled,
  - click on + symbol to add the entries.
    - Note: It should match the screenshot above
- To Close the Horizon settings page
  - Select Save

Section 2: Configuring UAG-HZN-01B in Site1 for AVI Integration

Section 2. Configuring UAG-HZN-01B for AVI Integration

On your ControlCenter Server
- Open your Chrome Browser for Site-1
- In the Address bar, browse to https://uag-hzn-01b.euc-livefire.com:9443/admin/index.html
- Login username: admin
- Login password: VMware1!

In the UAG Admin Console
- Under Configure Manually
  - Click Select

In the UAG Admin Console area
- Under Advanced Settings
  - Scroll down until you find:
    - JWT Settings

In the UAG Admin Console
- Next to :
  - JWT Settings
    - select the gearbox
- In the JWT Settings window
  - select Add JWT Consumer

In the JWT Consumer Settings Page
- Name: HZNBangalore
- Issuer: Cluster-HORIZON-01A
  - Note:
    - It is the cluster name displayed in the Horizon Admin Console
    - This a case-sensitive configuration
- Dynamic Public key URL: https://horizon-01a.euc-livefire.com/broker/publicKey/protocolredirection
- Trusted Certificates:
  - click the (+) icon
    - click Select
  - browse to Desktop > Software > certificates > Certificate Bundle
  - select euc-livefire_com.crt
- Public key refresh interval: 900
- Click Save
- Click Close

In the UAG Admin Console
- Scroll back-up to General Settings
  - Next to Edge Service Settings,
    - Move the TOGGLE to the right
  - Next to Horizon Settings
    - Select the GEAR icon

In the Horizon Settings
- Next to Enable Tunnel
  - Move the Toggle Switch from enabled to disabled

In the Horizon Settings
- Click on More
- Scroll Down to JWT Consumer

In the Horizon Settings
- Next to JWT Consumer
- from the dropdown.
  - select HZNBangalore

Next to Host Redirect Mappings,
- In the Source Host Port area
  - enter uag-hzn-avi01.euc-livefire.com
- In the Redirect Host Port area
  - enter uag-hzn-01b.euc-livefire.com
- Once the Host Redirect Mappings are filled,
  - click on (+) symbol to add the entries.
    - Note: It should match the screenshot above
- To Close the Horizon settings page
  - Select Save

Configuring Universal Console to map the external FQDN of HznBangalore to AVI-Site1

Part 10 : Configure Universal Console To Map External FQDN of HZNBangalore to AVI Site-1

Configure Gateway Settings in Horizon Cloud Console
- On ControlCenter Server
  - Open the Chrome Browser for Site-1 or Site-2
  - To login to Horizon Universal Console
    - In the Username area
      - (Enter your assigned username)
    - In the Password area,
      - type VMware1!
  - Select LOGIN

In the Horizon Universal Console Page
- Navigate to Settings > Capacity
  - Next to HZNXXBangalore
    - where XX is your assigned POD ID
  - Select Edit
- On the Edit Pod page,
  1. Pod Setup area
    - Select NEXT

On the Edit Pod page,
1. In Gateway Settings area
  - Enter the following, next to :-
    - Pod External FQDN: uag-hzn-avi01.euc-livefire.com
    - Pod Internal FQDN: horizon-01a.euc-livefire.com
  - Click NEXT

In Summary Page,
- Review your information
  - Click VALIDATE & SAVE

In the Edit Pod
- Summary page
  - When you see an error:-
  - "Could not validate FQDN. Make sure the FQDN is valid and try again"
- Select SAVE again.

Testing the Connectivity For Site-1

Part 11: Testing the Integration of Horizon Cloud services with AVI in Site-1

In the ControlCenter Desktop
- Navigate to > Remote Desktops > Site1
- Launch the RDP session to w10Client-01a.RDP
  - Enter the following credentials:-
    - Username: [email protected]
    - Password: VMware1!
  - Select OK

In the VMware Horizon Client
- Select your assigned Broker ID
  - BrokerXX (Your initials).euc-livefire.com
    - where XX is your assigned POD ID
    - Your initials. (If my name is Tom Harry, then my initials will be th)

In the VMware Horizon Client login
- In the Username area
  - enter mark
- In the login area
  - enter VMware1!
- Select Login

To Confirm the Desktop is launched from Site-1
- Within the VDI Session
  - Select Start > run
    - enter cmd.exe
- In the Command Prompt Window
  - Type hostname
  - Notice the desktop is launched from BLR , abbreviation for Bangalore which is Site-1
- In the Horizon client
  - From the 3 dot dropdown
    - Select Logoff Desktop
  - In the Disconnect and log off desktop? window
    - Select OK

Configure AVI Service Engine for Site-2

Part 12 : AVI Integration with UAG Servers in Site-2

FQDN	Entity Description	Real IP
uag-hzn-avi02.euc-livefire.com	FQDN of AVI LB VIP Site-2	172.16.50.100
uag-hzn-02a.euc-livefire.com	FQDN of UAG Server 1 on Site-2	172.16.50.10
uag-hzn-02b.euc-livefire.com	FQDN of UAG Server 2 on Site-2	172.16.50.11

On your ControlCenter Server
- Open your Chrome Browser for Site-2
  - In the Address bar,
    - Enter and browse to avicontroller.euc-livefire.com
  - In the Your Connection is not private window
    - Select Advanced
    - Select Proceed to avicontroller.euc-livefire.com
  - Under Username area,
    - enter admin
  - In the Password area
    - enter VMware1!VMware1!

In the Default landing page
- Close the Controller Faults notification

From the NSX-ALB console,
- Navigate to Templates > Groups.
  - Select IP GROUPS
    - Select Create IP Group

In the NEW IP Group:window
- Under Name: UAG-Server-Site-2
- Under Type drop down menu,
  - select IP Address
- Under IP Address.
  - Click on Add
    - Type 172.16.50.10
  - Click Add
    - Type 172.16.50.11
- In the bottom right hand corner
  - Click Save

We will now create L7 Pools for Site-2

Part 13: Creating Layer 7 Pools For Site-2

In the NSX-ALB UI,
- Navigate to Applications > Pools.
  - Click On CREATE POOL on the right hand side
    - In the New Pool window, enter the required information to the following:
      - In Step 1: Settings Tab:
        
        Name: Horizon-L7-Pool-Site-2
        
        Default Service Port: 443
        
        Load Balance: Select Consistent Hash
        
        with Source IP Address as the hash key.
        
        Next to Passive Health Monitor
        
        Ensure the checkbox is checked
        
        In the Health Monitors section,
        
        click + Add Active Monitor.
        
        Above + Add Active Monitor
        
        From the dropdown
        
        select Horizon-HTTPS
        
        Append Port: Never
        
        Enable SSL: Select the check box
        
        SSL Profile: Select System-Standard.
        
        Ensure TLS SNI box is Checked
        
        Click Next

In Step 2: Servers Tab
- Select Servers, area
  - Click on IP Group
- From IP Group Drop Down,
  - Select UAG-Server-Site-2
    - Leave all the settings as default
- Click Next

In Step 3: Advanced Tab
- Leave all the settings as default
- Click Next

In Step 4: Review Tab
- Click Save

Configuring L4 Pool for Site 2

Part 14: Configure Layer 4 Pool For Site-2

In the NSX-ALB UI,
- Navigate to Applications > Pools.
  - Click On CREATE POOL on the right hand side
    - In the New Pool window, enter the required information to the following:
      - In Step 1: Settings Tab:
        
        Name: Horizon-L4-Pool-Site2
        
        Default Service Port: 443
        
        Load Balance: Select Consistent Hash
        
        with Source IP Address as the hash key.
        
        In the Health Monitors section,
        
        Make sure Passive Health Monitor
        
        is Checked
        
        Click + Add Active Monitor.
        
        Above + Add Active Monitor.
        
        From the dropdown
        
        Select Horizon-HTTPS
        
        Append Port: Never
- click Next

In Step 2: Servers Tab
- Below Select Servers,
  - Click on IP Group
- From the IP Group Drop Down,
  - Select UAG-Server-Site-2
- Click Next

In Step 3: Advanced Tab
- Leave all the settings as default
- Click Next

In Step 4: Review Tab
- Click Save

Creating the L7 Virtual Service for Site-2

Part 15: Configure the Layer 7 Virtual Service for Site-2

In the NSX-ALB Console
- Navigate to Applications > Virtual Services

In the Virtual Services
- Click CREATE VIRTUAL SERVICE on the top right hand corner
  - Select Advanced Setup.

In New Virtual Service Window:
- Under Step 1: Settings tab:
  - Name: Horizon-UAG-L7-Site2

New Virtual Service: Horizon-UAG-L7-Site2
- Under VS VIP*
  - Select the dropdown,
    - Select Create VS VIP

In the Create VS VIP: VIP-Horizon-UAG-Site2 window
- In the General tab,
  - Under Name
    - enter: VIP-Horizon-UAG-Site2

In the Create VS VIP: VIP-Horizon-UAG-Site2 window
- Under VIP,
  - Click on ADD
    - under IPv4 Address:
      - enter 172.16.50.100
    - Ensure the Enable VIP tick-box is checked
  - Click Save
- To close the Create VS VIP: VIP-Horizon-UAG-Site2
  - Select Save

In the New Virtual Service: Page
1. Step 1: Settings
  - Enable SSL for Services
  - Application Profile: Select System-Secure-HTTP-VDI
  - Error Page Profile: Custom-Error-Page-Profile
  - Pool: Horizon-L7-Pool-Site-2
  - SSL Profile: System-Standard
  - SSL Certificate: Hzn_Cert
  - Click Next
2. Step 2: Policies tab,
  - Leave everything as default
    - click Next
3. Step 3: Analytics tab,
  - Leave everything as default
    - click Next
4. Step 4: Advanced tab,
  - Leave everything as default
    - click Save

Creating Layer 4 Virtual Service For Site-2

Part 16: Configure Layer 4 Virtual Service For Site-2

On ControlCenter, Ensure you are logged in to AVI Controller using Chrome Site-2 profile
- In the NSX-ALB Console
- Navigate to Applications > Virtual Services
- Click on CREATE VIRTUAL SERVICE on the top right hand corner
- Select Advanced Setup

In the New Virtual Service Window
- Under Step 1: Settings
  - Name: Horizon-UAG-L4-Site-2
- Under the VS VIP dropdown,
  - select VIP-Horizon-UAG-Site2
- Under Application Profile:
  - select System-L4-Application
- Under Error Page Profile:
  - select Custom-Error-Page-Profile

In the New Virtual Service Window
- Under Step 1: Settings
  - Under Service Port
    - click on Switch to Advanced.

In the New Virtual Service wizard
- Step 1: Settings area
  - *Service Port*sub area
    - Under Services
      - Replace port 80 with port 443
        
        Port Min and Port Max areas
      - Select the Checkbox next to Override TCP/UDP

In the New Virtual Service wizard
- Step 1: Settings area
  - Under Override TCP/UDP
    - Select the dropdown
      - Select System-UDP-Fast-Path-VDI
  - Select + Add Port

In the New Virtual Service wizard
- Step 1: Settings: continued
  - Type 8443 in Port Min and 8443 to Port Max
    - Note: You will notice Port Max will change automatically to 8443.
  - Uncheck Override TCP/UDP box if selected
  - Select + Add Port again
  - Type 8443 in Port Min and 8443 to Port Max
  - Check the box Override TCP/UDP
  - Under Select Dropdown
    - Select System-UDP-Fast-Path-VDI
      - Note: Ensure all the Service Port details matches as per the screenshot above.
- Select + Add Port again

In the New Virtual Service wizard
- Step 1: Settings: continued
  - Type 4172 in Port Min and 4172 to Port Max
    - Uncheck Override TCP/UDP box if selected.
    - Select + Add Port again
    - Type 4172 in Port Min and 4172 to Port Max
    - Check the box Override TCP/UDP
    - Under Select Dropdown
    - Select System-UDP-Fast-Path-VDI
      - Note: Ensure all the Service Port details matches as per the screenshot above.

In the New Virtual Service wizard
1. Step 1: Settings:
  - Under the Pool Section:
    - Select the option Pool.
    - Choose the Horizon-L4-Pool-Site2
  - Click Next
2. Under Step 2: Policies tab,
  - Leave everything as default
    - click Next
3. Under Step 3: Analytics tab,
  - (Leave everything as default)
    - click Next
4. Under Step 4: Advanced tab,
  - (Leave everything as default)
    - click Save

Once Configured, it should be shown as the image above.

Configuring UAG-HZN-02A in Site2 for AVI Integration

Part 17: Configure Unified Access Gateway for Site 2

Section 1. Configuring UAG-HZN-02a for AVI Integration

On your ControlCenter Server
- Open your Chrome Browser for Site-2
- In the Address bar, browse to https://uag-hzn-02a.euc-livefire.com:9443/admin/index.html
- Login username: admin
- Login password: VMware1!

In the UAG Admin Console
- Under Configure Manually
  - Click Select

In the UAG Admin Console
- General Settings area
  - Next to Edge Service Settings
    - Move the TOGGLE to the right

In the UAG Admin Console
- In the Advanced Settings area
  - Find JWT Settings

In the UAG Admin Console
- Under Advanced Settings
  - JWT Settings
    - click the gearbox forJWT Settings.
- In the JWT window
  - select Add JWT Consumer.

In the JWT Consumer Settings Page
- Name: HZNSeattle
- Issuer: Cluster-HORIZON-02A
  - Note:
    - It is the cluster name displayed in the Horizon Admin Console
    - This configuration is case-sensitive
- Dynamic Public key URL: https://horizon-02a.euc-livefire.com/broker/publicKey/protocolredirection
- Trusted Certificates:
  - click the (+) icon
    - click Select
  - browse to Desktop > Software > certificates > Certificate Bundle
  - select euc-livefire_com.crt
- Public key refresh interval: 900
- Click Save
- Click Close

In the UAG Admin Console
- Scroll back up to General Settings
  - Under Edge Service Settings,
    - Next to Horizon Settings
      - Select the GEAR icon

In the Horizon Settings
- Next to Enable Tunnel
  - Move the Toggle Switch from enabled to disabled

In the Horizon Settings
- Click on More
- Scroll Down to JWT Consumer

In the Horizon Settings
- Next to JWT Consumer
- from the dropdown.
  - select HZNSeattle

Next to Host Port Redirect Mappings,
- In the Source Host Port area
  - enter uag-hzn-avi02.euc-livefire.com
- In the Redirect Host Port area
  - enter uag-hzn-02a.euc-livefire.com
- Once the Host Redirect Mappings are filled,
  - click on + symbol to add the entries.
    - Note: It should match the screenshot above
- To Close the Horizon settings page
  - Select Save

Section 2. Configuring UAG-HZN-02b for AVI Integration

On your ControlCenter Server
- Open your Chrome Browser for Site-1
- In the Address bar, browse to https://uag-hzn-02b.euc-livefire.com:9443/admin/index.html
- Login username: admin
- Login password: VMware1!

In the UAG Admin Console
- Under Configure Manually
  - Click Select

In the UAG Admin Console
- General Settings area
  - Next to Edge Service Settings
    - Move the TOGGLE to the right

In the UAG Admin Console
- In the Advanced Settings area
  - Find JWT Settings

In the UAG Admin Console
- Under Advanced Settings
  - JWT Settings
    - click the gearbox forJWT Settings.
- In the JWT Settings window
  - select Add JWT Consumer

In the JWT Consumer Settings Page
- Name: HZNSeattle
- Issuer: Cluster-HORIZON-02A
  - Note:
    - It is the cluster name displayed in the Horizon Admin Console
    - This configuration is case-sensitive
- Dynamic Public key URL: https://horizon-02a.euc-livefire.com/broker/publicKey/protocolredirection
- Trusted Certificates:
  - click the (+) icon
    - click Select
  - browse to Desktop > Software > certificates > Certificate Bundle
  - select euc-livefire_com.crt
- Public key refresh interval: 900
- Click Save
- Click Close

In the UAG Admin Console
- Scroll back up to General Settings
  - Under Edge Service Settings,
    - Next to Horizon Settings
      - Select the GEAR icon

In the Horizon Settings
- Next to Enable Tunnel
  - Move the Toggle Switch from enabled to disabled

In the Horizon Settings
- Click on More
- Scroll Down to JWT Consumer

In the Horizon Settings
- Next to JWT Consumer
- from the dropdown.
  - select HZNSeattle

Next to Host Port Redirect Mappings,
- In the Source Host Port area
  - enter uag-hzn-avi02.euc-livefire.com
- In the Redirect Host Port area
  - enter uag-hzn-02b.euc-livefire.com
- Once the Host Redirect Mappings are filled,
  - click on + symbol to add the entries.
    - Note: It should match the screenshot above
- To Close the Horizon settings page
  - Select Save

Configuring Universal Console to map the external FQDN of HznSeattle to AVI-Site2

Part 18: Configure Universal Console To Map External FQDN of HZNSeattle to AVI Site-2

Configure Gateway Settings in Horizon Cloud Console
- On ControlCenter Server
- Open Chrome Browser Site-2
- Login to Horizon Universal Console https://cloud.horizon.vmware.com/
- In the Username area(Enter your assigned username)
- In the Password area, type VMware1!
- Select LOGIN

In the Horizon Universal Console Page
- Navigate to Settings > Capacity
  - Select HZNXXSeattle
    - where XX is your assigned POD ID
    - Select EDIT
- In the Edit Pod wizard
  1. Pod Setup page,
    - Select NEXT

In the Edit Pod wizard
1. Gateway Settings
  - enter the following next to:
    - Pod External FQDN, type uag-hzn-avi02.euc-livefire.com
    - Pod Internal FQDN, type horizon-02a.euc-livefire.com
    - Select NEXT

In the Edit Pod wizard
1. Summary
  - Select VALIDATE & SAVE

On the Edit Pod page
- Summary area
- When you see the message
  - "Could not validate FQDN. Make sure the FQDN is valid and try again"
- Select SAVE

Testing the Connectivity For Site-2

Part 19: Testing the Integration of Horizon Cloud services with AVI in Site-2

We will now validate the function of our configurations.

In the ControlCenter
- Navigate to
  - Remote Desktops > Site2
- Launch the RDP session to w10EXT-02a.RDP
  - Username: [email protected]
  - Password: VMware1!

On the w10EXT-02a desktop
- Launch Horizon Client
- In Horizon Client, Click on + Add Server

In the Name of the Connection Server window
- Enter YOUR assigned broker FQDN
- BrokerXX (Your initials).euc-livefire.com
- where XX is your assigned POD ID
- Your initials. (If my name is Tom Harry, then my initials will be th)
- Select Connect

In the Login window
- In the Username, area
  - Type Tom
- In the Password, area
  - Type VMware1!
- Select Login

In the VMware Horizon Client
- Select your CorpxxHZN desktop assignment
- Where xx is your assigned number

To Confirm the Desktop is launched from Site-2
- Open Command Prompt
  - within the VDI Session
    - Start > run
      - type cmd.exe
- In the Command Prompt Window
  - Type hostname
  - Notice the desktop is abbreviate SEA which is from Seattle, Site-2

EUC

VMware NSX AVI Loadbalancer Integration with VMware Horizon

0 Comments

Add your comment

Last Updated