The Kemp Load Balancer configuration in a VMware Horizon environment must reflect the design of the infrastructure and the way the traffic is segmented.
In a typical Horizon deployment, some components are placed in the DMZ (the UAGs) and others in the LAN (the Connection Servers, for instance). To balance the Horizon components and route the traffic, the Kemp LoadMaster must be configured accordingly.
Blog Series
Kemp Load Balancer for VMware Horizon deployment - pt.1
Kemp Load Balancer for VMware Horizon configuration - pt.2
Kemp Load Balancer for VMware Horizon configure HA - pt.3
Kemp Load Balancer network setup
Access the LoadMaster login page, enter the bal credentials and click Login.
Since the appliance must balance both DMZ and LAN components, the eth1 NIC needs to be configured by setting a DMZ IP address. Go to System Configuration > Network Setup > Interfaces > eth1 section, enter the Interface Address and click Set Address.
Click OK to confirm the configured IP Address.
Once the DMZ NIC is configured, go to the System Configuration > Host & DNS Configuration section to complete the network settings. Enter the Hostname, then click Set Hostname. Specify the DNS Search Domain and click Add.
As best practice suggests, in the System Configuration > L7 Configuration section set the Always Check Persist field to Yes - Accept Changes.
In the System Configuration > Network Options section, enable the Enable Alternate GW Support and Subnet Originating Requests options.
The main network configuration is complete.
Install Horizon templates
To balance the Horizon environment, Kemp provides templates that simplify the configuration steps. From the Kemp website, download the two templates for Horizon required for this configuration:
Go to Virtual Services > Manage Templates section and click Browse. Select the first template and click Add New Template.
Click OK.
Now click Browse and select the second template. Click Add New Template.
Click OK.
The templates have been uploaded successfully.
Configure the LAN Virtual Service
Once the templates have been uploaded, go to the Virtual Services > Add New section to create the Virtual IP Address (VIP) for the LAN side. Enter the Virtual Address and select VMware Connection Server from the Use Template drop-down menu. Click Add the Virtual Service.
We need to associate the Real Servers with the VIP. In this example, two Connection Servers are installed in the Horizon infrastructure. For port 80, no Real Servers have to be configured.
The installed template provides all the parameters required to properly configure the Kemp Load Balancer. Click Modify to configure the Real Servers for port 443.
Again, in the Real Servers tab click Add New.
The procedure is the same as previously seen. Enter the Real Server Address of the first Connection Server, then click the Add The Real Server button. We are now configuring the IP address for port 443.
Also add the second Connection Server to complete the LAN side configuration.
Configure the DMZ Virtual Service
Now go back to the Virtual Services > Add New section to create the Virtual IP Address (VIP) for the DMZ side. Enter the Virtual Address and select UAGLB - Source IP Affinity in the Use Template field. Click Add the Virtual Service.
We need to associate the Real Servers with the VIP in the DMZ. In this example, two UAGs are installed in the Horizon infrastructure. For port 80, no Real Servers have to be configured.
Click Modify to configure the Real Servers for port 443.
In the Real Servers tab click Add New.
Enter the Real Server Address of the first UAG, then click the Add The Real Server button.
When the Status is shown as Up, move on to the next port to configure. Repeat the same steps for all the remaining configuration entries.
When all the ports have been configured properly, every item must report its Status as Up.
Configure the Administration Access
To increase security, management of the Kemp appliance should be allowed only from the LAN. Go to Certificates & Security > Remote Access and select eth0: LAN_IPAddress from the drop-down menu to restrict access to the LAN only.
Click OK to confirm the configuration.
Specify the Admin Default Gateway to use, then click Set Administrative Access.
Click OK.
The Kemp configuration page is now accessible only from the LAN side.
Change the Default Gateway
The Default Gateway currently configured can route the LAN side network traffic but cannot operate in the DMZ area.
Since the DMZ has a different Default Gateway, we need to specify the gateway used for the subnet associated with the DMZ area. Go to System Configuration > Network Setup > Interface > eth1 and enable the Use for Default Gateway checkbox.
The Default Gateway page is displayed automatically. Enter the IPv4 Default Gateway Address and click Set IPv4 Default Gateway.
Click OK.
The DMZ traffic can now be managed.
Configure Static Routes
Because the configured Default Gateway can route the DMZ traffic only, we need to add static routes for all the LAN networks in use so that traffic to the LAN zone is routed correctly. Enter the Destination network, specify the Gateway, then click Add Route.
The static route has been added successfully.
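To check that every LAN network is covered once the default gateway points at the DMZ, the following added example (not part of the original post) models the resulting routing table and lists LAN hosts whose traffic would fall through to the DMZ gateway. All addresses are constructed, and ordinary longest-prefix-match routing is assumed for the appliance.

```python
import ipaddress

# Constructed addressing for illustration, not taken from the post.
CONNECTED = {"eth0": "192.168.10.0/24",   # LAN NIC
             "eth1": "172.16.50.0/24"}    # DMZ NIC
DEFAULT_GW = ("eth1", "172.16.50.1")      # default gateway moved to the DMZ
STATIC_ROUTES = {"192.168.20.0/24": "192.168.10.1"}  # LAN network behind the LAN router


def build_table(connected, static_routes, default_gw):
    """Return routing entries as (network, interface, next_hop) tuples."""
    nets = {ifc: ipaddress.ip_network(cidr) for ifc, cidr in connected.items()}
    table = [(net, ifc, None) for ifc, net in nets.items()]
    for cidr, gw in static_routes.items():
        gw_ip = ipaddress.ip_address(gw)
        # A static route is only usable if its gateway is directly reachable.
        ifc = next((i for i, n in nets.items() if gw_ip in n), None)
        if ifc is None:
            raise ValueError(f"gateway {gw} is not on a connected subnet")
        table.append((ipaddress.ip_network(cidr), ifc, gw))
    table.append((ipaddress.ip_network("0.0.0.0/0"), default_gw[0], default_gw[1]))
    return table


def lookup(table, dest):
    """Pick the matching entry with the longest prefix."""
    ip = ipaddress.ip_address(dest)
    matches = [entry for entry in table if ip in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen)


def leaking_lan_hosts(table, lan_hosts, lan_ifc="eth0"):
    """LAN hosts whose traffic would leave through a non-LAN interface."""
    return [h for h in lan_hosts if lookup(table, h)[1] != lan_ifc]


if __name__ == "__main__":
    table = build_table(CONNECTED, STATIC_ROUTES, DEFAULT_GW)
    hosts = ["192.168.10.21", "192.168.20.15", "192.168.30.40"]
    for h in hosts:
        net, ifc, gw = lookup(table, h)
        print(f"{h:15} -> {ifc} via {gw or 'direct'} ({net})")
    print("missing static route for:", leaking_lan_hosts(table, hosts))
```

In this sample, 192.168.30.40 has no static route, so it is reported as leaving via the DMZ gateway; adding its network to STATIC_ROUTES clears the finding.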
If you try accessing the Horizon infrastructure from outside, the Kemp is now able to balance and redirect the traffic accordingly.
With a single Kemp appliance, you can manage both DMZ and LAN traffic securely, ensuring service continuity if one Horizon component (UAG or Connection Server) fails.
To avoid service disruption, the Kemp itself should also be highly available so that the service keeps working if a LoadMaster fails. Part 3 will cover the procedure to configure the Kemp in HA mode.