VMware Hands-on Labs - HOL-1859-01-ADV


Lab Overview - HOL-1859-01-ADV - F5 Integration with VMware Horizon 7 Enterprise

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This Hands on Lab will explore the use case and advantages for load balancing VMware EUC Products with F5 BIG-IP Software.  You will integrate the BIG-IP with VMware Horizon 7, VMware App Volumes, and VMware Identity Manager.

Lab Module List:

 Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session.  You can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - F5 LTM with Horizon Connection Servers (45 min)

Introduction


In this module, we'll configure the BIG-IP to load balance authentication and authorization connections across a pool of Horizon Connection Servers.

Here's a high-level overview of what will be completed during the setup:


 

Load Balancing Horizon Connection Servers for Trusted/Secure Networks and Clients

One of the primary functions of the Horizon Connection Servers is to provide authentication and desktop/application enumeration for clients accessing from a trusted/secure network. This configuration is typically used for clients making connections to virtual desktops and applications from an internal network. All communications from the client to the virtual desktop are direct; there is no "proxy" of any Horizon ports or protocols. The Connection Servers are only used for authentication and application/desktop enumeration and assignment.

The BIG-IP provides intelligent monitoring and traffic management across a pool of Connection Servers using the LTM module. In this scenario, the HTTPS connection between the client and Connection Servers passes through the BIG-IP. Once the connection is launched, the BIG-IP is no longer in the path of client-to-virtual desktop traffic.

 

 

Traffic Flow

 

The diagram outlines a typical configuration and traffic flow of an internal Horizon Client connection when using the BIG-IP Local Traffic Management (LTM) Module:

  1. Client Device connects in from the trusted network.
  2. Connection to LTM made over HTTPS using the client.
  3. User logs in – Horizon Connection Server processes the authentication to AD and/or other authentication source (LDAPS/RADIUS, etc.)
  4. Once user is validated, Horizon Connection Server enumerates applications and desktops back to the client (via HTTP/HTTPS).
  5. User (from client) selects the application or desktop to launch.
  6. Connection Servers then send (via HTTP/HTTPS) virtual desktop or RDS application connection information to client.
  7. Client then establishes direct connection to the virtual desktop or RDS application server via HTML5 Blast, Blast Extreme or PCoIP.
  8. BIG-IP is no longer in the traffic flow unless another application or desktop is launched.

 

F5 LTM with Horizon Connection Servers


In this module you will learn how to load balance multiple VMware Horizon Connection Servers with BIG-IP LTM.


 

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

 

Here is some other important information (carried out in the steps that follow) about using load balancers for Connection Servers that service internal Horizon clients. The Connection Servers are used primarily for authentication, resource enumeration and connection brokering. By default, the "Use Secure Tunnel Connection to Machine" and "Use Blast Secure Gateway for HTML access to machine" options are checked. This routes portions of the HTTPS traffic and all HTML traffic through the Connection Servers, while the PCoIP stream goes directly from the Horizon client to the server.

Although this will function, the Connection Servers will have to do additional work to "proxy" this traffic, even with a load balancer.

For Connection Servers that will authenticate internal users and enumerate applications, it is recommended that these Secure Gateway boxes be unchecked.

 

 

 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Create iApp Application Service for Connection Server Load Balancing

 

Next, we will configure load balancing of Connection Servers for internal users using the Horizon iApp.  The iApp has already been pre-loaded onto the BIG-IP.

  1. Once logged in to the BIG-IP, click on iApps
  2. Click Application Services.
  3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be ignored.

 

 

Initial iApp Configuration for Load Balancing Connection Servers

 

Let's configure the iApp.

  1. Type in the name MOD1-Internal, then select the View iApp Template from the list (as shown above). Observe the iApp populate the screen with the next set of questions.
  2. Scroll down to the Template Options section - under "Which configuration mode do you want to use?" - choose "Advanced - configure advanced options".
  3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access Policy Manager".

NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the time needed to complete the lab.

 

 

Configuring SSL

 

  1. Continue scrolling down until you get to the SSL Encryption section. Choose "Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to "How should the BIG-IP system handle encrypted traffic?".
  2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the default "Create a new Client SSL profile" is selected.
  3. Scroll down to "Which SSL certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".
  4. Continue scrolling down to "Which SSL private key do you want to use?" and choose "CORP.LOCAL_WILDCARD.key".
  5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL certificates were already imported to the F5 BIG-IP to reduce the time needed to complete the lab.

 

 

Configuring PCoIP and Virtual Servers/Pools

 

  1. Scroll down to the PC Over IP section; next to "Should PCoIP connections go through the BIG-IP System" - choose "No, PCoIP connections should not go through the BIG-IP System".
  2. Scroll down to Virtual Servers/Pools section "What virtual server IP address do you want to use for remote, untrusted clients". Even though the question says "remote, untrusted clients" - it will be the virtual server and IP address that the internal Horizon clients will use to access Horizon Connection Servers. In this box, type in 192.168.130.140.
  3. Next, scroll down to "What FQDN will clients use to access the View environment?" and type in "hzn-internal.corp.local" (without quotes) as the FQDN that will be used to access the BIG-IP by the Horizon Clients.
  4. Scroll down to "Which servers should be included in this pool" - in the first box, type in 192.168.110.47 (this is the IP of the first Connection Server), click the "Add" button and type in 192.168.110.48 (this is the IP of the second Connection Server).
  5. Scroll down to "Where will the virtual servers be in relation to the View servers?" and choose "BIG-IP virtual server IP address and View servers are on the same subnet".

NOTE: If the port in the "Which servers should be included in this pool?" section says 80 instead of 443, go back to the previous section, "SSL Encryption", and change from SSL Offload to SSL bridging.

Next, scroll down to the Application Health section of the iApp.

 

 

 

Application Health Monitor

 

Next, we'll set up the intelligent health monitoring. This monitor logs in to Horizon as a user to ensure key components are functioning as expected.

  1. Scroll down to the Application Health section. Next to "Create a new health monitor or use an existing one?" - choose "Create an advanced health monitor".
  2. Type in "lab1user" (without quotes) next to "What user name should the monitor use?".
  3. Type in "VMware1!" (without quotes) next to "What is the password associated with that account?".
  4. Scroll down to "What is the NetBIOS domain name for your environment?" and type in "CORP" (without quotes)

 

 

 

Application Health Monitor (Continued)

 

Scroll down 3 lines until you see the section of the iApp with "Published Resources" as shown in the picture.

  1. Under the section "What published application(s) or pool(s) should the BIG-IP system expect in the monitor response?" type in "Windows 10 Pool" (without quotes).
  2. Click the "Add" button.
  3. Repeat steps 1 and 2, typing "Calculator" (without quotes) in the 2nd box and then "Paint" (without quotes) in the 3rd box.
  4. Under the section "Do all published applications or desktop pools listed need to be available", choose "Only one of the application or desktop pools listed need to be returned".
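The difference between the two "Do all published applications or desktop pools listed need to be available" choices can be seen in a small model of the monitor decision. This is an added example, not part of the lab or of the iApp: the response bodies are constructed, their element names are illustrative rather than Horizon's actual schema, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Resource names entered in the iApp in the steps above.
EXPECTED = ["Windows 10 Pool", "Calculator", "Paint"]

# Constructed monitor responses (illustrative element names, not Horizon's schema).
RESPONSE_FULL = """<broker><result>ok</result><resources>
  <desktop name="Windows 10 Pool"/>
  <application name="Calculator"/>
  <application name="Paint"/>
</resources></broker>"""

RESPONSE_NO_DESKTOP = """<broker><result>ok</result><resources>
  <application name="Calculator"/>
  <application name="Paint"/>
</resources></broker>"""

RESPONSE_AUTH_FAILED = """<broker><result>error</result>
  <error-code>AUTHENTICATION_FAILED</error-code></broker>"""

RESPONSE_GARBAGE = "<html>503 Service Unavailable"


def published_names(body):
    """Return the set of resource names in a response, or None if the
    login did not succeed or the body cannot be parsed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.findtext("result") != "ok":
        return None
    return {el.get("name") for el in root.iter() if el.get("name")}


def evaluate_member(body, expected, require_all):
    """Return (state, missing) for one pool member.

    require_all=False models "Only one of the application or desktop pools
    listed need to be returned"; require_all=True models the stricter choice.
    """
    names = published_names(body)
    if names is None:
        # Failed login or unreadable response: nothing was enumerated.
        return ("down", list(expected))
    missing = [name for name in expected if name not in names]
    found = len(expected) - len(missing)
    is_up = (not missing) if require_all else (found > 0)
    return ("up" if is_up else "down", missing)


if __name__ == "__main__":
    samples = {
        "full": RESPONSE_FULL,
        "no desktop pool": RESPONSE_NO_DESKTOP,
        "auth failed": RESPONSE_AUTH_FAILED,
        "garbage": RESPONSE_GARBAGE,
    }
    for label, body in samples.items():
        for require_all in (False, True):
            state, missing = evaluate_member(body, EXPECTED, require_all)
            mode = "all" if require_all else "any"
            print(f"{label:16} mode={mode:3} -> {state:4} missing={missing}")
```

With the "only one" setting chosen in this lab, a member that has lost the desktop pool but still returns the two applications stays in rotation, so the missing pool has to be caught by other monitoring.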

 

 

iRules

 

Scroll down to the iRules Section.

  1. Under the Options section "Do you want to add any custom iRules to this configuration?" select the HZN-Origin iRule.
  2. Click the "<<" button.
  3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected area.

NOTE: The iRule implemented in this section deals with a specific issue in which Horizon HTML5 and Admin windows show a white box or fail to load. This happens because Horizon versions after 7.0 added a security process that detects the originating Connection Server, and this process fails in load balanced scenarios.

For more information about the Horizon Origin iRule, visit: https://support.f5.com/csp/article/K84958121
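A simplified model of the origin check described in the note, showing why a browser request that arrives through the load-balanced FQDN is rejected and what a fix has to preserve. This is an added example, not Horizon's or F5's code and not the contents of the HZN-Origin iRule; the member name cs1.corp.local, the foreign origin and all function names are assumptions.

```python
from urllib.parse import urlsplit

VIP_FQDN = "hzn-internal.corp.local"   # FQDN clients use in this lab (BIG-IP virtual server)
MEMBER_FQDN = "cs1.corp.local"         # hypothetical name for pool member 192.168.110.47


def origin_host(origin):
    """Return the host named by an Origin header value, or None if it is unusable."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname  # urlsplit already lower-cases the host


def origin_check(headers, allowed_hosts):
    """Server-side model: accept a request only if its Origin names an allowed host.

    Modelling assumption: a request with no Origin header (for example from the
    native Horizon Client) is not subject to the check.
    """
    if "Origin" not in headers:
        return True
    return origin_host(headers["Origin"]) in allowed_hosts


def scoped_rewrite(headers, vip_fqdn, member_fqdn):
    """Proxy-side fix: translate the Origin only when it names the virtual server.
    Any other Origin is forwarded untouched, so the member still rejects it."""
    out = dict(headers)
    if origin_host(out.get("Origin")) == vip_fqdn:
        out["Origin"] = "https://" + member_fqdn
    return out


def blind_rewrite(headers, member_fqdn):
    """Weak variant for contrast: overwrites every Origin, which disables the check."""
    out = dict(headers)
    if "Origin" in out:
        out["Origin"] = "https://" + member_fqdn
    return out


def scenarios():
    """Run the constructed requests through the model; True means accepted."""
    member_only = {MEMBER_FQDN}
    via_vip = {"Host": VIP_FQDN, "Origin": "https://" + VIP_FQDN}
    foreign = {"Host": VIP_FQDN, "Origin": "https://wiki.example.net"}  # constructed
    return {
        "direct_to_member": origin_check(
            {"Host": MEMBER_FQDN, "Origin": "https://" + MEMBER_FQDN}, member_only),
        # The load-balanced case from the note: the browser names the VIP.
        "via_vip_unmodified": origin_check(via_vip, member_only),
        # Fix on the server side: the VIP name is added to the allowed hosts.
        "via_vip_allow_listed": origin_check(via_vip, member_only | {VIP_FQDN}),
        # Fix on the proxy side: only the VIP origin is translated.
        "via_vip_scoped_rewrite": origin_check(
            scoped_rewrite(via_vip, VIP_FQDN, MEMBER_FQDN), member_only),
        "foreign_scoped_rewrite": origin_check(
            scoped_rewrite(foreign, VIP_FQDN, MEMBER_FQDN), member_only),
        "foreign_blind_rewrite": origin_check(
            blind_rewrite(foreign, MEMBER_FQDN), member_only),
        "native_client_no_origin": origin_check({"Host": VIP_FQDN}, member_only),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:26} {'accepted' if accepted else 'rejected'}")
```

When reviewing any header-rewriting rule used for this purpose, confirm that it behaves like the scoped variant: an Origin other than the load-balanced FQDN must still reach the member unchanged.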

 

 

Finish the iApp

 

  1. Scroll down to the bottom of the screen; click Finish.
  2. Next, you will see the "Components" screen, which will show you a summary of your configuration and all the objects created on the BIG-IP. Make sure the MOD1-Internal_https and Mod1-Internal_pool_1 nodes are displayed as shown in the picture.

 

 

Test Horizon Client Access

 

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center desktop.

  1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
  2. Once the client launches, click on the icon with the FQDN "hzn-internal.corp.local".
  3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the Login button.
  4. Once the list of desktops and applications is enumerated, choose the "Windows 10 Pool" Desktop from the list.
  5. Confirm the desktop opens and you can access it appropriately.

 

 

Test Horizon Client Access (Continued)

 

  1. Once completed, click on the "X" in the upper right corner of the screen.
  2. When asked to disconnect, choose "OK".
  3. If you wish to test other desktops and applications, feel free to do so.
  4. When finished, close out all the launched desktops and applications. Then close out the Horizon client by clicking the "X" in the upper right corner of the Horizon Client window.
  5. If prompted, click OK.

 

 

Optional - Testing HTML Desktop Access

 

If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.

Open the Chrome Browser window and navigate to https://hzn-internal.corp.local

From there you can choose "VMware Horizon HTML Access" and log in to the web portal interface.

Launch the "Windows 10 Pool" using HTML5.

If prompted, accept the certificate. Once this is done, you will be able to launch a desktop!

 

Conclusion


This concludes Module 1 - F5 LTM with Horizon Connection Servers.  You should have a good understanding of how to deploy the F5 iApp solution with Horizon Connection Servers for Load Balancing and High Availability.


 

You've finished Module 1

 

Congratulations on completing  Module 1.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 2 - F5 LTM with Horizon Unified Access Gateways (45 min)

Introduction


In this module, we'll configure the BIG-IP to load balance authentication, authorization and proxied VDI connections across a pool of Horizon Unified Access Gateway Servers.

Here's a high-level overview of what will be completed during the setup:


 

Load Balancing Unified Access Gateway Servers for External Networks

Some of the primary functions of the Horizon Unified Access Gateway Servers are to provide authentication and desktop/application enumeration for clients accessing from a trusted/secure network, as well as to provide a full proxy from external clients to internal resources. This configuration is typically used for clients making proxied connections to virtual desktops and applications from an external network. All communications from the client to the virtual desktop are proxied via the PCoIP or Blast protocols. The Unified Access Gateway Servers are used for authentication, application/desktop enumeration/assignment and proxying connections from .

The BIG-IP provides intelligent monitoring and traffic management across a pool of Unified Access Gateway Servers using the LTM module. In this scenario, the HTTPS connection between the client and Connection Servers passes through the BIG-IP to the Unified Access Gateway servers. Once the connection is launched, a new connection based on the Horizon protocol (Blast Extreme or PCoIP) is then passed through the BIG-IP to the Unified Access Gateway Servers to carry the virtual desktop traffic.

 

 

Traffic Flow

 

The diagram outlines a typical configuration and traffic flow of an External Horizon Client connection when using the BIG-IP Local Traffic Management (LTM) Module with VMware Unified Access Gateway (UAG):

  1. Client Device connects in from the external network.
  2. Connection to LTM made over HTTPS using the client.
  3. User logs in – Horizon UAG Server then proxies the authentication to the connection servers which then processes the authentication to AD and/or other authentication source (LDAPS/RADIUS, etc.)
  4. Once user is validated, Horizon Connection Server enumerates applications and desktops back to the UAG servers through the LTM connection (via HTTP/HTTPS).
  5. User (from client) selects the application or desktop to launch.
  6. UAG Servers then send (via HTTP/HTTPS) virtual desktop or RDS application connection information to client.
  7. Client then establishes a tunneled connection to the virtual desktop or RDS application server via HTML5 Blast, Blast Extreme or PCoIP through the UAG server being hosted by the front end LTM.

 

F5 LTM with Horizon Unified Access Gateways


In this module you will learn how to load balance multiple VMware Horizon Unified Access Gateways.


 

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

 

In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features for each Connection Server are enabled on the Unified Access Gateway appliances themselves and not within the Connection Servers.  This is different than how you would configure those options for a Security Server.

See this brief summary before carrying out the tasks in the steps below.

 

 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Create iApp Application Service for Connection Server Load Balancing

 

Next, we will configure load balancing of the Unified Access Gateways for external users using the Horizon iApp.  The iApp has already been pre-loaded onto the BIG-IP.

  1. Once logged in to the BIG-IP, click on iApps
  2. Click Application Services.
  3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be ignored.

 

 

Initial iApp Configuration for Load Balancing Connection Servers

 

Let's configure the iApp.

  1. Type in the name MOD2-External, then select the View iApp Template from the list (as shown above). Observe the iApp populate the screen with the next set of questions.
  2. Scroll down to the Template Options section - under "Which configuration mode do you want to use?" - choose "Advanced - configure advanced options".
  3. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to deploy BIG-IP Access Policy Manager" - choose "No, do not deploy BIG-IP Access Policy Manager".

NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the time needed to complete the lab.

 

 

Configuring SSL

 

  1. Continue scrolling down until you get to the SSL Encryption section. Choose "Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to "How should the BIG-IP system handle encrypted traffic?".
  2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the default "Create a new Client SSL profile" is selected.
  3. Scroll down to "Which SSL certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".
  4. Continue scrolling down to "Which SSL private key do you want to use?" and choose "CORP.LOCAL_WILDCARD.key".
  5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL certificates were already imported to the F5 BIG-IP to reduce the time needed to complete the lab.

 

 

Configuring PCoIP for Unified Access Gateway

 

  1. Scroll down to the "PC Over IP" section of the iApp. Next to "Should PCoIP connections go through the BIG-IP System", choose "Yes, PCoIP connections should go through the BIG-IP System".
  2. Next to "Will PCoIP connections be proxied by the View Unified Access Gateways", choose "Yes, PCoIP connections are proxied by View Unified Access Gateways".
  3. Select "Yes, Support HTML5 View clientless browser connections" next to the question, "Will VMware View HTML5 Client Connections go through the BIG-IP system".

 

 

Configuring Virtual Servers/Pools

 

  1. Next, scroll down to the Virtual Servers/Pools section, to "What virtual server IP address do you want to use for remote, untrusted clients". In this box, type in 192.168.230.140.
  2. Type in "hzn-external.corp.local" (without quotes) as the FQDN that will be used to access the BIG-IP by the Horizon Clients.
  3. Scroll down to "Which servers should be included in this pool" - in the first box, type in 192.168.110.85 (this is the IP of the 1st Unified Access Gateway), then click Add. In the second box, type in 192.168.110.86 (this is the IP of the 2nd Unified Access Gateway).
  4. Scroll down to "Where will the virtual servers be in relation to the View servers?" and choose "BIG-IP virtual server IP address and View servers are on different subnets".
  5. Next to "How have you configured routing on your View servers", choose "View servers do not have a route to clients through the BIG-IP".

 

 

Application Health Monitor

 

Next, we'll set up the intelligent health monitoring. This monitor logs in to Horizon as a user to ensure key components are functioning as expected.

  1. Scroll down to the Application Health section. Next to "Create a new health monitor or use an existing one?" - choose "Create a simple health monitor".  

 

 

iRules

 

Scroll down to the iRules Section.

  1. Under the Options section "Do you want to add any custom iRules to this configuration?" select the HZN-Origin iRule.
  2. Click the "<<" button.
  3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected area.

NOTE: The iRule implemented in this section deals with a specific issue in which Horizon HTML5 and Admin windows show a white box or fail to load. This happens because Horizon versions after 7.0 added a security process that detects the originating Connection Server, and this process fails in load balanced scenarios.

 

 

Finish the iApp

 

  1. Scroll down to the bottom of the screen; click Finish.
  2. Next, you will see the "Components" screen, which will show you a summary of your configuration and all the objects created on the BIG-IP. Make sure the Mod2-External_https and Mod2-External_pool_1 nodes are displayed as shown in the picture.

 

 

Test Horizon Client Access

 

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center desktop.

  1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
  2. Once the client launches, click on the icon with the FQDN "hzn-external.corp.local".
  3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the Login button.
  4. Once the list of desktops and applications is enumerated, choose the "Windows 10 Pool" Desktop from the list.
  5. Confirm the desktop opens and you can access it appropriately.

 

 

Test Horizon Client Access (Continued)

 

  1. Once completed, click on the "X" in the upper right corner of the screen.
  2. When asked to disconnect, choose "OK".
  3. If you wish to test other desktops and applications, feel free to do so.
  4. When finished, close out all the launched desktops and applications. Then close out the Horizon client by clicking the "X" in the upper right corner of the Horizon Client window.
  5. If prompted, click OK.

 

 

Optional - Testing HTML Desktop Access

 

If you choose, you can also test HTML Desktop Access through the BIG-IP load balancer.

Open the Chrome Browser window and navigate to https://hzn-external.corp.local

From there you can choose "VMware Horizon HTML Access" and log in to the web portal interface.

Launch the "Windows 10 Pool" using HTML5.

If prompted, accept the certificate. Once this is done, you will be able to launch a desktop!

 

Conclusion


This concludes Module 2 - F5 LTM with Unified Access Gateway Servers.  You should have a good understanding of how to deploy the F5 iApp solution with Horizon Unified Access Gateway Servers for Load Balancing and High Availability.


 

You've finished Module 2

 

Congratulations on completing  Module 2.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 3 - F5 APM with Horizon Alternative Gateway (45 min)

Introduction


In this module you will learn how to configure the F5 as a PCoIP Proxy/Security Server alternative.


 

Implementing PCoIP Proxy as a Security Server Alternative

 

VMware’s Horizon Unified Access Gateway (UAG) Server provides secure access to sessions over an unsecured WAN and/or Internet connection. Typically, the UAG Server is placed within an organization’s DMZ. F5 BIG-IP Access Policy Manager (APM) makes it possible to take advantage of PCoIP and Blast Extreme technology while simplifying your VMware Horizon with View architecture, improving security, and increasing scalability.

Harden Security and Increase Scalability

F5 BIG-IP Access Policy Manager is the industry’s first Application Delivery Networking solution that brings full PCoIP and Blast Extreme proxy capabilities to the market. This permits IT administrators to replace the VMware Unified Access Gateway Server with a more secure and highly scalable solution in support of their end-user computing deployments. BIG-IP APM is an ICSA Labs–certified flexible, high-performance access and security solution that provides unified global access to your applications and network. BIG-IP APM converges and consolidates remote access, LAN access, and wireless connections within a single management interface and provides easy-to-manage access policies. These capabilities help you free up valuable IT resources and scale cost-effectively.

Simplifying Your Horizon Architecture

Because BIG-IP APM removes the need for having multiple gateway servers in the DMZ, the overall architecture can not only be simplified, but a higher level of scalability can be achieved. In addition to BIG-IP APM, F5 BIG-IP Local Traffic Manager (LTM) can provide intelligent traffic management and load balancing to the Connection Servers. The reduction in the overall number of components that need to be managed results in increased productivity for IT administrators, which is especially critical for multi-site or multi-pod VMware Horizon deployments.

 

 

 

Traffic Flow

 

The diagram outlines the traffic flow of an external Horizon Client connection when using the BIG-IP Access Policy Manager (APM) Module as a Security Server alternative:

  1. Device connects in from the untrusted network.
  2. Connection to APM made over HTTPS using the client or the F5 APM WebTop Portal.
  3. User logs in.
  4. APM processes the authentication (single/multi-factor) to AD and/or other authentication source (LDAPS/RADIUS, etc.)
  5. Once user is validated, APM sends a request to the load balanced pool of Connection Servers to get a list of authorized applications and desktops using HTTPS or HTTP.
  6. The user is then presented with the list of available and authorized desktops and applications.
  7. User selects the application or desktop to launch.
  8. Request then sent from client and proxied to View Connection Server via HTTPS – client receives desktop and/or application source machine info (including the public/client facing IP address if using NAT).
  9. Client establishes a connection for the virtual desktop or RDS application server to the APM via PCoIP, Blast Extreme, or HTML 5 (using HTML Access) using HTTPS. The APM proxies this connection back to the virtual desktop or RDS application server.

 

F5 APM with Horizon Alternative Gateway


In this module, you will configure the BIG-IP to function as a Security Server alternative.


 

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

 

In order for a Unified Access Gateway to effectively proxy traffic, the tunneling features for each Connection Server are enabled on the Unified Access Gateway appliances themselves and not within the Connection Servers.  This is different than how you would configure those options for a Security Server.

See this brief summary before carrying out the tasks in the steps below.

 

 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Create iApp Application Service for Connection Server Load Balancing

 

Next, we will configure load balancing of the Unified Access Gateways for external users using the Horizon iApp.  The iApp has already been pre-loaded onto the BIG-IP.

  1. Once logged in to the BIG-IP, click on iApps
  2. Click Application Services.
  3. On the right side of the screen, click Create.

Note: You will see other applications in this list for future modules; they can safely be ignored.

 

 

Initial iApp Configuration for PCoIP/Blast Proxy

 

Let's configure the iApp.

  1. Type in the name MOD3-APM, then select the View iApp Template from the list (as shown above). Observe the iApp populate the screen with the next set of questions.
  2. Scroll down to the Template Options section - under "Which configuration mode do you want to use?" - choose "Advanced - configure advanced options".

NOTE: The iApp template was already imported to the F5 BIG-IP to reduce the time needed to complete the lab.

 

 

Configuring the iApp for PCoIP/Blast Proxy (Continued)

 

  1. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to deploy BIG-IP Access Policy Manager" - choose "Yes, Deploy BIG-IP Access Policy Manager".
  2. To allow HTML access to desktops, next to the "Do you want to support browser based connections including the HTML5 client?" question choose "Yes, support HTML 5 View clientless browser connections".
  3. To not allow USB redirection, next to the "Do you want to support USB redirection?" question choose "No, do not support USB redirection".

 

 

Configuring the iApp for PCoIP Proxy (Continued)

 

  1. Scroll Down to "Should the BIG-IP APM support smart card authentication for Horizon View" - choose "No, do not support smart card authentication".
  2. Next, select "No, do not support SecurID or RADIUS two-factor authentication" for the question "Should the BIG-IP system support SecurID or RADIUS with AD two-factor authentication".
  3. Next, select "No, do not add a message during logon" for the question "Should the BIG-IP system show a message to View users during logon?".
  4. Leave the box BLANK when asked "If external clients use a network translated address to access View, what is the public-facing IP address". Normally, if the BIG-IP virtual server is NAT'd behind a firewall - you would enter the public, Internet-facing address here (similar to the external PCoIP URL with Security Server).
  5. Next, select "No, my View Environment uses a single Active Directory Domain" next to the question "Do you want the BIG-IP system to support multiple domains".
  6. Enter "CORP" in the box next to "What is the NetBIOS domain name for your environment?"

 

 

Setting up the Active Directory Component for Authentication

 

Next, let's create the Active Directory objects that will perform the user authentication.

  1. Scroll down to "Create a new AAA Server object or select an existing one" - choose "Create a new AAA Server Object"
  2. Next, enter "controlcenter.corp.local" (without quotes) and 192.168.110.10 when asked "Which Active Directory servers (IP and host name) are used for user credential authentication".
  3. Type "corp.local" (without quotes) when asked for the Active Directory domain name.
  4. Select "Yes, credentials are required for binding" when asked "Does your Active Directory domain require credentials".
  5. Enter "administrator" (without quotes) for the user name.
  6. Enter "VMware1!" (without quotes) for the password.
  7. Scroll down, and select "Yes, create a simple ICMP monitor" when asked to "Create a new monitor for the Active Directory servers".

 

 

Configuring SSL

 

  1. Continue scrolling down until you get to SSL Encryption section. Choose "Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to "How should the BIG-IP system handle encrypted traffic?".
  2. Scroll down to "Which Client SSL Profile do you want to use?" and ensure the default "Create a new Client SSL profile" is selected.
  3. Scroll down to "Which SSL certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".
  4. Continue scrolling down to "Which SSL private key do you want to use?" and choose "CORP.LOCAL_WILDCARD.key".
  5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose "CORP.LOCAL_WILDCARD.crt".

NOTE: The SSL Certificates were already imported to the F5 BIG-IP to reduce the amount of time to take the lab.

 

 

Virtual Server Configuration

 

  1. Next, scroll down to the Virtual Servers/Pools section,  "What virtual server IP address do you want to use for remote, untrusted clients". In this box, type in 192.168.230.145.
  2. Type in "hzn-apm.corp.local" (without quotes) as the FQDN that will be used to access the BIG-IP by the Horizon Clients.

 

 

Horizon Connection Server Settings

 

  1. Scroll down to "Which servers should be included in this pool" - in the first box, type in 192.168.110.47 (this is the IP of the First Connection Server), then click Add. In the second box, type in 192.168.110.48 (this is the IP of the Second Connection Server).  
  2. Scroll down to "Where will the virtual servers be in relation to the View servers?" and choose "BIG-IP virtual server IP address and View servers are on different subnets".
  3. Select "View servers do not have a route to clients through the BIG-IP" when asked "How have you configured routing on your View servers?"

NOTE: If the port in the "Which servers should be included in this pool?" section says 80 instead of 443 then go to previous section "SSL Encryption" and change from SSL Offload to SSL bridging.

Next, scroll down to the Application Health section of the iApp.

 

 

Application Health Monitor

 

Next, we'll set up the intelligent health monitoring. This monitor logs in as a user to Horizon to ensure key components are functioning as expected.

  1. Scroll down to the Application Health section. Next to "Create a new health monitor or use an existing one?" - choose "Create an advanced health monitor".
  2. Type in "lab1user" (without quotes) next to "What user name should the monitor use?".
  3. Type in "VMware1!" (without quotes) next to "What is the password associated with that account?".
  4. Scroll down to "What is the NetBIOS domain name for your environment?" and type in "CORP" (without quotes)

 

 

 

Application Health Monitor (Continued)

 

Scroll down 3 lines until you see the section of the iApp with "Published Resources" as shown in the picture.

  1. Under the section "What published application(s) or pool(s) should the BIG-IP system expect in the monitor response?" type in Calculator.
  2. Click the "Add" button.
  3. Repeat steps 1 and 2, typing Paint in the 2nd box.
  4. Under the section "Do all published applications or desktop pools listed need to be available", choose "Only one of the application or desktop pools listed need to be returned".

 

 

iRules

 

Scroll down to the iRules Section.

  1. Under the Options section "Do you want to add any custom iRules to this configuration?" select the HZN-Origin iRule.
  2. Click the "<<" button.
  3. Ensure that the HZN-Origin iRule is moved from the Options area to the Selected area.

NOTE: The iRule implemented in this section deals with a specific issue in which Horizon HTML5 and Admin windows show a white box effect or are unable to load. This happens because Horizon Connection Servers after Version 7.0 added a security process that detects the originating Connection Server, and that process fails under load balanced scenarios.

 

 

Finish the iApp

 

  1. Scroll down to the bottom of the screen; click Finish.
  2. Next, you will see the "Components" screen, which will show you a summary of your configuration and all the objects created on the BIG-IP. Scroll down until the MOD3-APM_adv_view_eav and Mod3-APM_pool_1 nodes are displayed as shown in the picture.

 

 

Test Horizon Client Access

 

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center desktop.

  1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
  2. Once the client launches, click on the icon with the FQDN "hzn-apm.corp.local".
  3. Login as lab1user, with a password of "VMware1!" (no quotes); then, click the Login button.
  4. Once the list of desktops and applications is enumerated, choose the "Windows 10 Pool" Desktop from the list.
  5. Confirm the desktop opens and you can access it appropriately.

 

 

Test Horizon Client Access (Continued)

 

  1. Once completed, click on the "X" in the upper right corner of the screen.
  2. When asked to disconnect, choose "OK".
  3. If you wish to test other desktops and applications, feel free to do so.
  4. When finished, close out all the launched desktops and applications. Then close out the Horizon client by clicking the "X" in the upper right corner of the Horizon Client window.
  5. If prompted, click OK.

 

 

Testing Client Access through F5 Webtop

Next, we will test the launch of the Horizon Client using the F5 Webtop Portal.

 

Conclusion


This concludes Module 3 - F5 APM with Horizon Alternative Gateway.  You should have a good understanding of how to deploy the F5 iAPP solution with Horizon Alternative Gateway Servers for Load Balancing, Proxying Connections and High Availability.


 

You've finished Module 3

 

Congratulations on completing  Module 3.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 4 - F5 DNS with Horizon for Multi-Site Deployments (45 min)

Introduction



 

Intelligent Global Server Load Balancing with BIG-IP DNS

 

By deploying BIG-IP DNS (formerly known as BIG-IP GTM), a single namespace (for example, https://desktop.example.com) can be provided to all end users. BIG-IP DNS, BIG-IP Access Policy Manager (APM) and BIG-IP Local Traffic Manager (LTM) work together to ensure that requests are sent to a user's preferred data center securely, regardless of the user's current location. This type of implementation is common when there are multiple Horizon instances distributed throughout two or more physical/logical data centers.

 

F5 DNS with Horizon for Multi-Site Deployments


In this module, we'll configure BIG-IP DNS (formerly Global Traffic Manager - GTM) to support Horizon environments across two data centers. We will be able to simulate multiple data centers by using 2 separate BIG-IP appliances with 2 separate Horizon View instances for this lab module.


 

Disable Secure HTTPS, PCoIP, and Blast Proxy Functionality.

 

Since the BIG-IP DNS/Global Traffic Management lab is pre-configured to use Connection Servers that are internal to the network for this lab, we need to ensure that all Secure Proxy functions are disabled. We'll walk through checking (and disabling, if necessary) these Secure Proxy settings.

 

 

Access the First BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the F5-BIG-IP-01 Favorite in the toolbar. Make sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to First BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Access the Second BIG-IP Web Management Console

 

We'll now open a second tab to the other BIG-IP (BIGIP-02) so we can configure the device for Global Server Load Balancing via F5-DNS.

  1. Click on the Tab as shown in the picture to open another tabbed browsing session.
  2. When the browser is launched, click on the F5-BIG-IP-02 Favorite in the toolbar. Make sure the IP address you are redirected to is https://f5-big-ip-02.corp.local

 

 

Login to Second BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Configure BIG-IP DNS (Global Server Load Balancing)

In this step, we will configure the BIG-IPs to talk with one another and exchange DNS and BIG-IP pool information. The Horizon Desktop pools in each site have already been created for you; normally, you would need to create and/or ensure each View pod is configured for load balancing on the BIG-IP using Local Traffic Manager (LTM).

 

 

Configure BIG-IP DNS (Global Server Load Balancing) Pool Settings and DNS Configuration

Back in the Chrome Browser, we'll now set up some of the additional settings required for global server load balancing.

 

 

Testing Access using PING

 

Now, we are ready to test! First, let's ping the FQDN to make sure we are resolving DNS properly.

  1. Open a command prompt window by clicking on the command prompt icon located in the lower left corner of the desktop.
  2. Type ipconfig /flushdns and press Enter
    This will flush out the DNS Cache to ensure the latest entries were updated.
  3. Type in ping hzn-dns and press Enter.
  4. You should see the DNS name resolve to hzn-dns.wip.corp.local with an IP address of 192.168.110.90 or 192.168.110.91.
  5. Exit the Command Prompt window by clicking the "X" in the upper right corner of the window.

 

 

Testing Access using Horizon

To simulate the GTM working properly, we will disable the GTM in Site A first and make a connection to Horizon. We'll then enable the GTM in Site A and disable the GTM in Site B to show GTM working properly.

 

Conclusion


This concludes Module 4 - F5 DNS with Horizon for Multi-Site Deployments.  You should have a good understanding of how to configure and deploy the F5 DNS solution with existing Horizon Environments for Global Server Load Balancing and High Availability.


 

You've finished Module 4

 

Congratulations on completing  Module 4.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 5 - F5 APM with VMware UEM Smart Policy Integration (30 min)

Introduction


In this module you will learn how to configure F5 APM with VMware UEM Smart Policies.


 

F5 APM with VMware UEM Smart Policy Integration

 

VMware User Environment Manager (UEM) provides personalization and dynamic policy configurations across any Windows-based desktop environment (Virtual, Physical and Cloud), and is a key component of VMware's Horizon Just-In-Time Management Platform (JMP), the next generation of desktop and application delivery.  Utilizing Active Directory Group Policies and the Horizon Cloud Manager, this solution is engineered to deliver workplace productivity while driving down the cost of day-to-day desktop support and operations.

VMware UEM with Smart Policies allows the IT admin to create policies that can control the behavior of USB redirection, virtual printing, clipboard redirection, client drive redirection, HTML access file transfer and bandwidth profiles for Horizon protocols such as PCoIP and Blast Extreme for specific remote desktops.

With VMware UEM and Smart Policies, the IT admin can create policies that take effect only if certain conditions are met. For example, you can configure a policy that disables the client drive redirection feature if a user connects to a remote desktop from outside your corporate network.

 

F5 APM with VMware UEM Smart Policy Integration



 

Validate CDR Functional

 

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center desktop.

  1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
  2. Click on the "+ New Server" Button
  3. Enter the FQDN "hzn-smart-apm.corp.local" (without quotes); then click the Connect button
  4. Login as lab1user, with a password of "VMware1!" (without quotes); then, click the Login button.
  5. Once the list of desktops and applications is enumerated, choose the "Windows 10 Pool" Desktop from the list.
  6. Confirm the desktop opens and you can access it appropriately.

 

 

Access the User Environment Manager Console

 

From the Control Center desktop:

Click on the Management Console shortcut to access the VMware User Environment Manager - Management Console

 

 

 

Setting up the UEM Smart Policy

 

  1. Click on the User Environment Tab within the Management Console to display the User based Policies.
  2. Select the Horizon Smart Policies item from the left pane.
  3. Click the Create button in the top pane.

 

 

 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Editing the BIG-IP APM Horizon Instance

 

From the BIG-IP Admin Screen:

  1. Select the Main Tab in the BIG-IP Management Console.
  2. Select iApps
  3. Select Application Services.
  4. Click on the MOD5-HZN-APM name/link.
  5. Select the Properties Tab.
  6. Change the Application Service from Basic to Advanced.
  7. Uncheck the checkbox next to Strict Updates.
  8. Click the Update button.

 

 

Test Horizon Client Access

 

Now, we will test client access using the Horizon Client.

Before starting, minimize the Chrome browser window until you see the Control Center desktop.

  1. From the Control Center desktop, double-click on the VMware Horizon Client icon.
  2. Double click on the previously created server in the list "hzn-smart-apm.corp.local"
  3. Login as lab1user, with a password of "VMware1!" (without quotes); then, click the Login button.
  4. Once the list of desktops and applications is enumerated, choose the "Windows 10 Pool" Desktop from the list.
  5. Confirm the desktop opens and you can access it appropriately.

NOTE: If you didn't log off from the previous session, the new policies might not apply. In that case, it's recommended that you log off and log back in for the Smart Policy to apply.

 

Conclusion


This concludes Module 5 - F5 APM with VMware UEM Smart Policy Integration.  You should have a good understanding of how to configure the F5 APM solution with an existing APM Horizon Deployment, as well as configure VMware UEM to leverage Smart Policies from the injected variables in the Horizon connections.


 

You've finished Module 5

 

Congratulations on completing  Module 5.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 6 - F5 LTM with AppVolumes (45 min)

Introduction


In this module you will learn how to configure the F5 as a Load Balancer for the App Volumes Manager.


 

Load Balancing App Volumes Manager Servers

 

App Volumes is a just-in-time method for integrating and delivering applications to virtualized desktop and Remote Desktop Services (RDS) based computing environments.

VMware App Volumes Manager is delivered as software on top of a Windows Server OS, with agents deployed within VDI that contact the Manager's FQDN once configured for HA. It is easy to deploy onsite and integrate with existing enterprise services. Organizations can centralize and simplify application delivery.

Due to the limited capabilities of this lab, only the configuration will be done for the App Volumes Managers; there are no agents accessible to test and load balance the agent side.  This has been a tested and documented method by F5 and VMware.

 

F5 LTM with AppVolumes


In this lab module, due to Lab limitations we will load balance one (1) instance of VMware App Volumes Manager.


 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Create Client SSL Profile

 

From the BIG-IP Admin Screen:

  1. Click on Local Traffic
  2. Hover over to Profiles >> SSL >> Client (Do not click yet!)
  3. Click the Plus symbol (+) to the right of "Client" to create a new SSL Client Profile

 

 

Create Server SSL Profile

 

From the BIG-IP Admin Screen:

  1. Click on Local Traffic
  2. Hover over to Profiles >> SSL >> Server (Do not click yet!)
  3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Server Profile

 

 

Create HTTP Profile

 

After creating the SSL Client profile, we must create an HTTP Profile.

 

 

Create Persistence Profile

 

After creating the HTTP profile, we must create a Persistence Profile.

  1. Click on Local Traffic
  2. Hover over to Profiles >> Persistence
  3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Persistence Profile.

 

 

Create Health Monitor

 

After creating the Persistence Profile, we must create a Health Monitor.

  1. Click on Local Traffic
  2. Hover over to Monitors
  3. Click the Plus symbol (+) to the right of "Monitors" to create a new Monitor.

 

 

Create Pool

 

We must now create the VMware App Volumes pool for the BIG-IP Appliance to monitor.

  1. From the left-hand menu, Under Local Traffic
  2. Hover over Pools >> Pool List (Do not click yet!)
  3. Click the plus symbol (+) to create a new pool.

 

 

Create a Virtual Server

 

After we have configured our Pool, we can continue and create a Virtual Server.

From the left-hand menu, Under Traffic Manager

  1. From the left-hand menu, Under Local Traffic
  2. Hover over Virtual Servers >> Virtual Server List (Do not click yet!)
  3. Click the plus symbol (+) to create a new Virtual Server.

 

 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, enter the URL https://appvolumes.corp.local

 

 

Browser Validation

 

Browser validation shows that, when using the F5 load-balanced URL, the certificate is still valid for the new website.

  1. The green lock in the Google Chrome browser indicates that the certificate is valid.
  2. You can further validate functionality of the browser by logging into the AppVolumes Manager.

Username: Administrator

Password: VMware1!

Note: Due to the limitations of the lab, only browser validation is available.
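The hostname check behind the green lock, as an added example that is not part of the lab or of any F5 or VMware code: it applies the single-label wildcard rule of RFC 6125 to names that appear in this manual. It assumes the CORP.LOCAL_WILDCARD certificate carries one SAN, *.corp.local, which the manual does not state.

```python
"""Added example: which lab names a wildcard certificate actually covers."""
import ipaddress

# Assumption: the CORP.LOCAL_WILDCARD certificate carries this single dNSName
# SAN. The lab manual names the certificate file but never lists its SANs.
ASSUMED_SANS = ["*.corp.local"]

# Names and the virtual server address that appear in this lab manual.
LAB_TARGETS = [
    "appvolumes.corp.local",
    "hzn-apm.corp.local",
    "hzn-smart-apm.corp.local",
    "hzn-dns.wip.corp.local",  # wide-IP name the ping test resolves to
    "192.168.230.145",         # Module 3 virtual server IP address
]


def _is_ip(name):
    """True if name is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def san_matches(san, hostname):
    """Return True if one dNSName SAN entry covers hostname.

    Rules applied (a strict reading of RFC 6125 section 6.4.3):
      - an IP literal is never matched by a dNSName entry;
      - comparison is case-insensitive, label by label;
      - a wildcard counts only as the complete left-most label ("*");
      - the wildcard stands for exactly one label, never zero or several;
      - "*.local"-style entries (wildcard directly above a single label)
        are rejected as too broad, a conservative choice made here.
    """
    if _is_ip(hostname):
        return False
    san_labels = _labels(san)
    host_labels = _labels(hostname)
    if "" in san_labels or "" in host_labels:
        return False  # empty label: malformed name
    if "*" not in san:
        return san_labels == host_labels
    if san_labels[0] != "*" or any("*" in lab for lab in san_labels[1:]):
        return False  # partial ("f*.corp.local") or non-left-most wildcard
    if len(san_labels) < 3:
        return False  # too broad
    if len(host_labels) != len(san_labels):
        return False  # wildcard must replace exactly one label
    return host_labels[1:] == san_labels[1:]


def uncovered(targets, sans):
    """Return the targets that no SAN entry covers, in input order."""
    return [t for t in targets if not any(san_matches(s, t) for s in sans)]


if __name__ == "__main__":
    for target in LAB_TARGETS:
        ok = any(san_matches(s, target) for s in ASSUMED_SANS)
        print(f"{target:28} {'covered' if ok else 'NOT covered'}")
```

Clients validate the name they were asked to connect to, so the two uncovered entries matter only when a client is pointed at the wide-IP name or the virtual server IP address directly.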

 

Conclusion


This concludes Module 1 - F5 LTM with Horizon Connection Servers.  You should have a good understanding of how to deploy the F5 iAPP solution with Horizon Connection Servers for Load Balancing and High Availability.


 

You've finished Module 1

 

Congratulations on completing  Module 1.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Module 7 - F5 LTM with VMware Identity Manager Integration (45 min)

Introduction


In this module you will learn how to configure the F5 as a Load Balancer for the VMware Identity Manager Portal.


 

Load Balancing the VMware Identity Manager Portal

 

VMware Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Identity Manager reduces the complexity of IT administration.

Identity Manager is delivered as a virtual appliance (VA) that is easy to deploy onsite and integrate with existing enterprise services. Organizations can centralize assets, devices, and applications and manage users and data securely behind the firewall. Users can share and collaborate with external partners and customers securely when policy allows.

This lab provides step-by-step instructions for setting up the first Identity Manager virtual appliance (Node 1). For production implementations, VMware recommends the deployment of two (2) additional nodes to have a total of three (3).  Nodes 2 and 3 will be cloned from the first node after it has been configured and set up with the F5 to provide a fully load balanced configuration.

Due to the resource constraints of this lab, the setup of the LTM configuration and the setup of the first node (Node 1) will be completed.

 

F5 LTM with VMware Identity Manager Integration


In this lab module, due to Lab limitations we will load balance one (1) instance of VMware Identity Manager Portal.


 

Access the BIG-IP Web Management Console

 

From the Control Center desktop:

  1. Click on the Chrome shortcut.
  2. When the browser is launched, click on the BIGIP-01 Favorite in the toolbar. Make sure the IP address you are redirected to is https://f5-big-ip-01.corp.local

 

 

Login to BIG-IP Web Administrator

 

Once the BIG-IP Login Screen appears:

  1. Type "admin" (without quotes) in the username box.
  2. Type "VMware1!" (without quotes) in the password box.
  3. Click the "Login" button.

 

 

Create Client SSL Profile

 

From the BIG-IP Admin Screen:

  1. Click on Local Traffic
  2. Hover over to Profiles >> SSL >> Client (Do not click yet!)
  3. Click the Plus symbol (+) to the right of "Client" to create a new SSL Client Profile

 

 

Create HTTP Profile

 

After creating the SSL Client profile, we must create an HTTP Profile.

 

 

Create Persistence Profile

 

After creating the HTTP profile, we must create a Persistence Profile.

  1. Click on Local Traffic
  2. Hover over to Profiles >> Persistence
  3. Click the Plus symbol (+) to the right of "Server" to create a new SSL Persistence Profile.

 

 

Create Health Monitor

 

After creating the Persistence Profile, we must create a Health Monitor.

  1. Click on Local Traffic
  2. Hover over to Monitors
  3. Click the Plus symbol (+) to the right of "Monitors" to create a new Monitor.

 

 

Create Pool

 

We must now create the VMware Identity Manager Pool for the BIG-IP Appliance to monitor.

  1. From the left-hand menu, Under Local Traffic
  2. Hover over Pools >> Pool List (Do not click yet!)
  3. Click the plus symbol (+) to create a new pool.

 

 

Create a Virtual Server

 

After we have configured our Pool, we can continue and create a Virtual Server.

From the left-hand menu, Under Traffic Manager

  1. From the left-hand menu, Under Local Traffic
  2. Hover over Virtual Servers >> Virtual Server List (Do not click yet!)
  3. Click the plus symbol (+) to create a new Virtual Server.

 

 

Configuring the VMware Identity Manager FQDN

 

 

Enabling the New End User Portal UI

 

In VMware Identity Manager versions 2.6 and above, a new user interface was enabled by default during deployment of the appliances. However, when configuring behind a load balancer, the UI is disabled by default and must be re-enabled to ensure proper accessibility to the environment.  Above is an example of what you see if you try to log in to a VMware Identity Manager Portal that is load balanced behind the F5 without enabling the new UI.

 

 

Testing the load balanced Identity Manager Portal configuration

In this section we will test the load balanced configuration to verify that, in fact, the BIG-IP appliance is balancing the connection.

 

Conclusion


This concludes Module 7 - F5 LTM with Identity Manager Integration.  You should have a good understanding of how to deploy the F5 iAPP solution with VMware Identity Manager for Load Balancing and High Availability.


 

You've finished Module 7

 

Congratulations on completing  Module 7.

If you are looking for additional information on F5 and Horizon Integrations try one of these:

Proceed to any module below which interests you most.

 

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1859-01-ADV

Version: 20170920-143811