Archive | Unified Access Gateway

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and the decisions made along the way. It may be useful to others who are in a similar situation or in the process of developing their upgrade/migration strategies. In this post, we shall take a look at these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrate to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What version numbers did we upgrade/migrate to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes 2.18.10.10 (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is: the latest versions are Horizon 8.x and App Volumes 4.x, so why are you picking older versions for the upgrade? The short answer is limitations and trade-offs, and the following matrix tries to explain them in more detail.

Note – Not all customers will fall under the limitation category, and the limiting feature/functionality could be different in your case. By no means should these be your de facto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield with no limitations applied, it’s a no-brainer to opt for the latest product releases.

Product: VMware Horizon
Upgrade Decision:
  • We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to the Horizon 8.x version (Instant Clones, Printing, UAG etc.). In fact, everything worked well in the development environment.
  • The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix.
  • The lack of reporting on the Horizon Adapter 1.2, plus the limited metrics on RDSH, limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports/metrics and guidance are made available, we shall jump onto the latest version (n-1).
Version of Choice: Horizon 7.13.1

Product: VMware App Volumes
Upgrade Decision:
  • Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Official guidance or a tool/script is needed to upgrade all the writable volumes of the 2.18.x environment to 4.x. I am sure a lot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version.
  • The VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks from 2.18.x to 4.x; something similar is needed for Writable Volumes.
Version of Choice: App Volumes 2.18.10.10

Product: VMware Dynamic Environment Manager
Upgrade Decision:
  • This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1).
Version of Choice: DEM 2103

Product: VMware Unified Access Gateway
Upgrade Decision:
  • The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1).
Version of Choice: UAG 2103.1

Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.

Wishlist

I am looking forward to vROPS Horizon Adapter XX including the built-in Horizon reports and additional metrics for RDSH in the new version, or providing detailed guidance on creating meaningful reports in future releases. Additionally, I hope the App Volumes team releases tools and advice on migrating 4000+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the Horizon 8.x and App Volumes 4.x release branches.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

Description – Links
  • VMware Product Interoperability Matrix – Product Interoperability Matrix (vmware.com)
  • Product Documentation – VMware Horizon Documentation; VMware App Volumes Documentation; VMware Dynamic Environment Manager (formerly known as VMware User Environment Manager) Documentation
  • Techzone: Migrating Legacy Horizon Components to Modern Alternatives – Modernizing VDI for a New Horizon | VMware
    • View Composer –> Instant Clones
    • Security Server –> UAG
    • Persona –> DEM
    • Persistent Disk –> FSLogix
  • App Volumes upgrade considerations – VMware App Volumes 4 Installation and Upgrade Considerations | VMware
  • Fling to migrate App Volumes AppStacks from 2.18.x to 4.x – App Volumes Migration Utility | VMware Flings
  • Supported Windows 10 versions based on Horizon Agent – Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
  • VMware EUC Stack agent order – Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
  • Supported Windows 10 versions based on App Volumes Agent – VMware App Volumes and Microsoft Windows 10 Support
  • VMware Product Lifecycle – End of Life – Product Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migration strategy for the VMware EUC Stack. I would love to hear your strategy and about similar situations limiting your ability to migrate to the latest and greatest versions.

Thanks,
Aresh Sarkari

Script to replace VMware Unified Access Gateway certificates (ADMIN and Internet)

9 Jul

Our certificates are coming close to expiry, and we use VMware Unified Access Gateway for internal and external traffic tunneling. This brings us to perform the replacement of the expiring certificates on 12 UAG appliances. Performing this activity from the GUI is straightforward. However, we need to perform this activity on 12 appliances.

Thanks to Mark Benson for the motivation; I went ahead and created a script to perform this activity with further ease. Sit back, relax and have a coffee!

Pre-requisites:

  • You need the CA chain PEM and the RSA private key PEM output on one line each. Make sure you run the following command to grab the output as a single line:
    • Linux/Unix command – awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem
    • Linux/Unix command – awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-namersapriv.pem
    • I saved the certificate files on a Linux machine, ran the above command and pasted the output into Notepad++, where it is on one line.
    • Doco reference
    • The CA chain PEM should include the MainCA content, the Subordinate Certificate content and the Root Certificate content, without any spaces between them.
  • There are separate API calls for the certificate replacement of the ADMIN and Internet-facing interfaces. You can comment or un-comment the block as per your requirement:
    • /rest/v1/config/certs/ssl/ADMIN
    • /rest/v1/config/certs/ssl/END_USER
  • The IP address or hostname of the UAG appliance, along with the admin password.
##############################################################################################################################################
# Replace the ADMIN and Internet Facing certificate on the UAG Appliance
# Comment out the block you don't need if you don't plan to do both interfaces (Internet/ADMIN)
# Get the certificate in one line following this documentation
# https://docs.vmware.com/en/Unified-Access-Gateway/3.10/com.vmware.uag-310-deploy-config.doc/GUID-870AF51F-AB37-4D6C-B9F5-4BFEB18F11E9.html
# Author - Aresh Sarkari (Twitter - @askaresh)
##############################################################################################################################################

#UAG Server Name or IP
$UAGServer = "10.1.1.1"

#Ignore cert errors: this policy accepts any server certificate for the rest of the session
#(the UAG admin interface usually presents a self-signed certificate)
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API call to make the initial connection to the UAG Appliance (admin interface on port 9443)
$Uri = "https://$UAGServer`:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"

$Username = "admin"
$Password = "enteryouradminpassword"

#Basic authentication header; the session returned by LOGIN is kept in $DaLogin for the later calls
$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-WebRequest -SessionVariable DaLogin -Uri $Uri -Headers $Headers

#The PEM certificate chain + private key in RSA format
#Each has to be on one line, with literal \n separators, produced by the Linux command - awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem
$certificatersaContent = "-----BEGIN RSA PRIVATE KEY-----\nMIIEo... followed by a large block of text...\n-----END RSA PRIVATE KEY-----\n"
$certificateContent = "-----BEGIN CERTIFICATE-----\nMIIEo... followed by a large block of text...\n-----END CERTIFICATE-----\n"

#Body to replace the certificate
$body = @{
  privateKeyPem = $certificatersaContent
  certChainPem = $certificateContent
}

#ConvertTo-Json escapes the literal \n in the strings as \\n; turn them back into JSON newline escapes
#https://communary.net/2018/03/30/quick-tip-convertto-json-and-line-breaks-in-strings/
$Jsonbody = ($body | ConvertTo-Json).Replace('\\n','\n')

#API to replace the ADMIN certificate of the UAG Appliance
#Please note that the backtick ` is required in order to escape the colon after the variable name
$outputadmin = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/ADMIN" -Body $Jsonbody -ContentType "application/json" -Verbose

#API to replace the Internet-facing (END_USER) certificate of the UAG Appliance
#Please note that the backtick ` is required in order to escape the colon after the variable name
$outputenduser = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/END_USER" -Body $Jsonbody -ContentType "application/json" -Verbose

GitHub: scripts/vmwareuagcertreplace at master · askaresh/scripts (github.com)

Observations:

  • The array within $body has further line breaks, which needed adjusting. I had to spend a considerable amount of time on it. Thanks to this blog post, which came in handy: PowerShell function ConvertTo-Json
  • For the PowerShell function Invoke-WebRequest and its -Uri, I had to add the backtick ` in order to escape the colon
  • The key to the above script is having the CA chain certificate and the RSA private key available on one line.
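
The one-line conversion and the JSON body are the two places this procedure goes wrong, so here is the same flow in Python as an added example (not the page's script and not a VMware tool): it does what the awk one-liner does, checks that the chain holds only certificate blocks in the order the prerequisites describe, and PUTs the body to the two endpoints named above. The host, credentials and the optional cafile= (the CA of the current admin certificate, so TLS verification can stay on) are assumptions; the sample PEM at the bottom is constructed and is not real key material.

```python
import base64
import json
import re
import ssl
import urllib.request
from http.cookiejar import CookieJar

# UAG admin REST endpoints used on the page (admin interface on port 9443)
LOGIN_PATH = "/rest/v1/config/adminusers/logAdminUserAction/LOGIN"
CERT_PATHS = {
    "ADMIN": "/rest/v1/config/certs/ssl/ADMIN",
    "END_USER": "/rest/v1/config/certs/ssl/END_USER",
}

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def normalize_pem(text: str) -> str:
    """Do what the page's awk one-liner does: drop CRs and blank lines, end with one LF.

    The result holds real newline characters; json.dumps() emits them as \\n escapes,
    which is the form the PowerShell script reaches via ConvertTo-Json + Replace.
    """
    lines = (line.rstrip("\r") for line in text.split("\n"))
    return "\n".join(line for line in lines if line.strip()) + "\n"


def pem_blocks(text: str) -> list:
    """Split normalized PEM into (label, DER bytes) pairs; raises on bad base64 or non-DER."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#1/#8 keys are DER SEQUENCEs
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def build_cert_body(chain_pem: str, key_pem: str) -> dict:
    """Validate both inputs and build the body for PUT /rest/v1/config/certs/ssl/<iface>."""
    chain, key = normalize_pem(chain_pem), normalize_pem(key_pem)
    chain_blocks = pem_blocks(chain)
    if not chain_blocks or any(label != "CERTIFICATE" for label, _ in chain_blocks):
        raise ValueError("certChainPem must hold only CERTIFICATE blocks: server, subordinate, root")
    key_blocks = pem_blocks(key)
    if len(key_blocks) != 1 or not key_blocks[0][0].endswith("PRIVATE KEY"):
        raise ValueError("privateKeyPem must hold exactly one PRIVATE KEY block")
    return {"privateKeyPem": key, "certChainPem": chain}


def cert_body_json(chain_pem: str, key_pem: str) -> str:
    """Serialized body; newlines inside the PEM strings become \\n escapes automatically."""
    return json.dumps(build_cert_body(chain_pem, key_pem))


def replace_certificates(host, user, password, chain_pem, key_pem,
                         interfaces=("ADMIN", "END_USER"), cafile=None):
    """LOGIN once (as the page's script does), then PUT the same body to each interface.

    TLS verification stays on; pass cafile= for the CA of the current admin certificate.
    Returns {interface: HTTP status}.
    """
    data = cert_body_json(chain_pem, key_pem).encode()
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    base = f"https://{host}:9443"
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile)),
        urllib.request.HTTPCookieProcessor(CookieJar()))
    opener.open(urllib.request.Request(base + LOGIN_PATH, headers={"Authorization": auth}))
    status = {}
    for iface in interfaces:
        req = urllib.request.Request(
            base + CERT_PATHS[iface], data=data, method="PUT",
            headers={"Authorization": auth, "Content-Type": "application/json"})
        with opener.open(req) as resp:
            status[iface] = resp.status
    return status


# Constructed sample input, not real key material: a 5-byte DER SEQUENCE in base64,
# with Windows line endings and a blank line between blocks, as a copy-paste might leave them.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n\r\n"
                "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nMAMCAQE=\r\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    print(cert_body_json(SAMPLE_CHAIN, SAMPLE_KEY))
```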

I hope you will find this script useful to replace or change the certificate on the VMware Unified Access Gateway appliances. A small request: if you further enhance the script or make it more creative, please share it back with me.

Thanks,
Aresh Sarkari

Script create read-only account for monitoring VMware Unified Access Gateway

23 Sep

We have been using VMware Unified Access Gateway (UAG) for quite a few years. To monitor the appliance using vROPS, other monitoring tools or API call scripts, you need a read-only monitoring account created in the console under “Account Settings”.

Account Settings - UAG
Read-only account for monitoring

In our deployment we have 14 UAG appliances (Internal/External) – yes, we tunnel internal connections too. After the upgrade we had to re-create the read-only account for the API call monitoring on all 14 appliances. I wrote the following script to create the read-only account per UAG server. Just change the IP and point it to another UAG to create the accounts.

####################################################################
# Create a read-only account in the VMware Unified Access Gateway Appliance
# for monitoring purposes using vROPS or API etc.
# Author - Aresh Sarkari (@askaresh)
# Version - V5.0
####################################################################


# Ignore UAG cert errors: this policy accepts any server certificate for the rest of the session
# (the UAG admin interface usually presents a self-signed certificate)

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


##API call to make the initial connection to the UAG Appliance (admin interface on port 9443)##

$Uri = "https://10.0.0.1:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"
$Username = "admin"
$Password = "adminpassword"

#Basic authentication header; the session returned by LOGIN is kept in $DaLogin for the next call
$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-RestMethod -SessionVariable DaLogin -Uri $Uri -Headers $Headers


###API call to create the user account with read-only access (ROLE_MONITORING) on VMware Unified Access Gateway##

$body = @{
  name = "UAG_vRops"
  password= "typeyourpassword"
  enabled=$true
  roles = @("ROLE_MONITORING")
  noOfDaysRemainingForPwdExpiry=0
} | ConvertTo-Json

$output = Invoke-RestMethod -WebSession $DaLogin -Method Put -Uri "https://10.0.0.1:9443/rest/v1/config/adminusers" -Body $body -ContentType "application/json"

Write-Output $output

GitHub https://github.com/askaresh/scripts/blob/master/uagreadonlyacct
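
As an added example (not the page's script and not a VMware tool), the same account creation in Python, generalized to a list of appliances so the IP does not have to be edited per run, with a least-privilege check that refuses to send anything other than the ROLE_MONITORING role. The LOGIN-then-PUT sequence and the body fields mirror the PowerShell above; the hosts, passwords, the 12-character minimum and the optional cafile= (CA of the admin certificate, so verification stays on) are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar

ADMIN_PORT = 9443
LOGIN_PATH = "/rest/v1/config/adminusers/logAdminUserAction/LOGIN"
USERS_PATH = "/rest/v1/config/adminusers"
MONITORING_ROLE = "ROLE_MONITORING"   # the read-only role the page assigns


def monitoring_account_body(name: str, password: str) -> dict:
    """Same fields as the page's PowerShell $body, with the role pinned to read-only."""
    if not name or len(password) < 12:   # assumed local minimum, not a UAG policy value
        raise ValueError("account needs a name and a password of at least 12 characters")
    return {
        "name": name,
        "password": password,
        "enabled": True,
        "roles": [MONITORING_ROLE],
        "noOfDaysRemainingForPwdExpiry": 0,
    }


def is_read_only(body: dict) -> bool:
    """Least-privilege check before sending: exactly the monitoring role and nothing else."""
    return body.get("roles") == [MONITORING_ROLE] and body.get("enabled") is True


def build_requests(host: str, admin_user: str, admin_password: str, body: dict) -> list:
    """(method, url, headers, data) for one appliance: LOGIN first, then PUT the account."""
    auth = "Basic " + base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    base = f"https://{host}:{ADMIN_PORT}"
    return [
        ("GET", base + LOGIN_PATH, {"Authorization": auth}, None),
        ("PUT", base + USERS_PATH,
         {"Authorization": auth, "Content-Type": "application/json"},
         json.dumps(body).encode()),
    ]


def create_on_appliances(hosts, admin_user, admin_password, body, cafile=None) -> dict:
    """Create the same read-only account on every appliance; returns {host: last HTTP status}.

    TLS verification stays enabled; pass cafile= with the CA of the admin certificate.
    """
    if not is_read_only(body):
        raise ValueError("refusing to create an account that is not monitoring-only")
    ctx = ssl.create_default_context(cafile=cafile)
    results = {}
    for host in hosts:
        opener = urllib.request.build_opener(       # fresh cookie jar per appliance
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(CookieJar()))
        for method, url, headers, data in build_requests(host, admin_user, admin_password, body):
            req = urllib.request.Request(url, data=data, method=method, headers=headers)
            with opener.open(req) as resp:
                results[host] = resp.status
    return results


if __name__ == "__main__":
    # Constructed values: placeholder appliance and password, not real credentials
    account = monitoring_account_body("UAG_vRops", "replace-with-a-strong-password")
    for method, url, _headers, _data in build_requests("10.0.0.1", "admin", "adminpassword", account):
        print(method, url)
```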

I hope you will find this script useful to create the UAG read-only accounts so you do not have to create them manually on multiple appliances. My request: if you further enhance the script or make it more creative, please share it back with me.

Thanks,
Aresh Sarkari

Swagger-UI and Postman Collection for VMware Unified Access Gateway

6 May

I aimed to perform particular VMware Unified Access Gateway (UAG) tasks programmatically. After some guidance from Mark Benson, he introduced me to the Swagger-UI that is available within the product.

To access the Swagger-UI on UAG open the following URL within the browser and enter your username and password.

https://uagnameorip:9443/swagger-ui/index.html
Swagger-UI – UAG API Calls

One can do a lot within the Swagger-UI to make various GET, POST and PUT actions. However, my preferred tool is Postman. I needed a way to get all the Swagger-UI calls converted to Postman. Upon searching, I came across the method mentioned here.

To fetch all the swagger JSON output, go to this URL on the VMware UAG Appliance.

https://uagnameorip:9443/rest/swagger.json

We have two options here:
  • Option 1 – Copy all the data from the webpage and paste it under Postman – Import – Paste Raw Text. You will have all the VMware Unified Access Gateway REST APIs listed.
  • Option 2 – Paste the above URL into Postman – Import – Import from link (this didn’t work for me; maybe authentication was required).

Postman – Import

Please find attached the Postman export for the VMware Unified Access Gateway Appliance 3.9.1. (Note: I believe the Swagger-UI was available from UAG 3.7 onwards.)

Postman – API Calls UAG

I hope you will find this post useful to start using the Swagger-UI and Postman collections to begin working with the UAG appliance. My request: if you further create interesting scripts or perform cool activities with the UAG appliance, please share them back with me.

Thanks,
Aresh Sarkari

VMware EUC – Horizon, UAG, VIDM and AppVolumes – NSX Load Balancing – Health Check Monitors

2 Feb

There is no single place to find a consolidated list of load balancer health check monitors (aka Service Monitors in NSX) for the VMware EUC products.

I have been using the VMware NSX load balancer across the board. The details below provide an overview of what to enter for the health monitors. Note – If you are using something more meaningful for your environment, leave feedback in the comments section. I will try to implement the same and update the blog later.

VMware Unified Access Gateway (UAG)

Create a new Service Monitor under NSX and call it UAG_https_monitor. Refer to the screenshot for more details.

UAG Service Monitor

Send String: GET /favicon.ico
Response code: 200s

VMware Identity Manager or Workspace ONE Access

Create a new Service Monitor under NSX and call it VIDM_https_monitor. Refer to the screenshot for more details.

VIDM Service Monitor
Send String: GET /SAAS/auth/login
Response code: 200s

VMware Horizon Connection Servers

Update 13th Sep 2021 – For all Horizon versions 7.10 and above, please start using the following service monitor within NSX.

Send String: GET /favicon.ico
Response code: 200s

You can use this string for versions 7.7 up to 7.10. Create a new Service Monitor under NSX and call it Horizon_https_monitor. Refer to the screenshot for more details.

Send String: GET /broker/xml/
Receive string: /styles/clientlaunch-default

VMware App Volumes

Create a new Service Monitor under NSX and call it AV_https_monitor. Refer to the screenshot for more details.

AV Service Monitor
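
To test these monitors from a workstation before committing them to NSX, here is an added Python example (not from the page and not an NSX or VMware tool) that encodes the send strings, response codes and receive string listed above, evaluates a response the way the load balancer would, and applies the Max Retries = 3 rule from the NSX service-monitor settings. The cafile= parameter (CA of the server certificate, so TLS verification stays on) is an assumption, and the sample responses at the bottom are constructed, not captured from a real appliance.

```python
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Monitor:
    """One NSX-style service monitor: send a GET, accept a status range and/or a receive string."""
    name: str
    path: str                               # the page's "Send String" path
    ok_status: range = range(200, 300)      # "Response code: 200s"
    receive: str = ""                       # "Receive string" that must appear in the body


# The monitors exactly as listed on the page
MONITORS = {
    "UAG_https_monitor": Monitor("UAG_https_monitor", "/favicon.ico"),
    "VIDM_https_monitor": Monitor("VIDM_https_monitor", "/SAAS/auth/login"),
    # Horizon 7.10 and above
    "Horizon_https_monitor": Monitor("Horizon_https_monitor", "/favicon.ico"),
    # Horizon 7.7 up to 7.10: the page gives no response code, so only the receive string decides
    "Horizon_legacy_monitor": Monitor("Horizon_legacy_monitor", "/broker/xml/",
                                      ok_status=range(100, 600),
                                      receive="/styles/clientlaunch-default"),
}


def evaluate(monitor: Monitor, status: int, body: str) -> bool:
    """Decide health the way the load balancer would from one response."""
    return status in monitor.ok_status and (not monitor.receive or monitor.receive in body)


def probe(host: str, monitor: Monitor, cafile=None, timeout: float = 15.0):
    """Send the monitor's GET to host; returns (healthy, status or None, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{monitor.path}", method="GET")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:            # non-2xx still carries a status and body
        status, body = err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:  # TCP/TLS failure or timeout: member down
        return False, None, str(err)
    healthy = evaluate(monitor, status, body)
    got_receive = not monitor.receive or monitor.receive in body
    detail = "ok" if healthy else f"status {status}, receive string {'present' if got_receive else 'absent'}"
    return healthy, status, detail


def member_state(results, max_retries: int = 3) -> str:
    """Apply the page's Max Retries rule: DOWN after max_retries consecutive failed probes,
    UP again on the next successful one."""
    state, failures = "UP", 0
    for healthy in results:
        failures = 0 if healthy else failures + 1
        if failures >= max_retries:
            state = "DOWN"
        elif healthy:
            state = "UP"
    return state


# Constructed responses (not captured from a real appliance) to exercise the rules offline
SAMPLE_RESPONSES = [
    ("UAG_https_monitor", 200, ""),
    ("UAG_https_monitor", 503, "Service Unavailable"),
    ("Horizon_legacy_monitor", 200, "<html><link href=\"/styles/clientlaunch-default.css\">"),
    ("Horizon_legacy_monitor", 200, "<html>maintenance page</html>"),
]

if __name__ == "__main__":
    for name, status, body in SAMPLE_RESPONSES:
        print(name, status, "UP" if evaluate(MONITORS[name], status, body) else "DOWN")
```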

I hope you will find these monitors useful in monitoring the VMware EUC products.

Thanks,
Aresh Sarkari

NSX Load Balancing for VMware Unified Access Gateway – Part2

5 Mar

In this post we shall go over the remaining configuration on “Pools” and “Virtual Servers” of the NSX Load Balancing for VMware Unified Access Gateway.

4. Configure the Load Balancing – Pools

  • Overall we will be creating four Pools as follows:
    Pools
  • Click on the green plus sign to add a new pool
    • In the Name field, type: XXX-UAG-POOL-8443
    • Leave the Description blank
    • For Algorithm, pick IP-HASH
    • Leave Algorithm Parameters blank
    • For Monitors, pick default_tcp_monitor
      Pools_8443
  • Click on the green plus sign to add a new pool
    • In the Name field, type: XXX-UAG-POOL-4172TCP
    • Leave the Description blank
    • For Algorithm, pick IP-HASH
    • Leave Algorithm Parameters blank
    • For Monitors, pick default_tcp_monitor
      Pools_4172_TCP
  • Click on the green plus sign to add a new pool
    • In the Name field, type: XXX-UAG-POOL-4172UDP
    • Leave the Description blank
    • For Algorithm, pick IP-HASH
    • Leave Algorithm Parameters blank
    • For Monitors, pick default_tcp_monitor
      Pools_4172_UDP
  • Click on the green plus sign to add a new pool
    • In the Name field, type: XXX-UAG-POOL-443
    • Leave the Description blank
    • For Algorithm, pick IP-HASH
    • Leave Algorithm Parameters blank
    • For Monitors, pick default_https_monitor
      Pools_443

5. Configure the Load Balancer – Virtual Servers

  • Overall we will be creating six virtual servers as follows:
    Virtual_Server
  • Click on the green plus sign to add a new Virtual Server
    • Click on Enable Virtual Server
    • Click on Enable Acceleration
    • Set the Application Profile to XX-External-UDP
    • In the Name field, type: XXX-UAG-8443UDP
    • Leave the Description blank
    • For IP Address, select the IP address by clicking on the link
    • For Protocol select UDP
    • In Port/Port Range type 8443
    • For Default Pool, select XXX-UAG-Pool-8443
    • Everything else should be default
      UDP_Virtual_Server
  • Click on the green plus sign to add a new Virtual Server
    • Click on Enable Virtual Server
    • Click on Enable Acceleration
    • Set the Application Profile to XX-External-UDP
    • In the Name field, type: XXX-UAG-4172UDP
    • Leave the Description blank
    • For IP Address, select the IP address by clicking on the link
    • For Protocol select UDP
    • In Port/Port Range type 4172
    • For Default Pool, select XXX-UAG-Pool-4172UDP
    • Everything else should be default
      UDP_Virtual_Server
  • Click on the green plus sign to add a new Virtual Server
    • Click on Enable Virtual Server
    • Click on Enable Acceleration
    • Set the Application Profile to XX-External-TCP
    • In the Name field, type: XXX-UAG-8443TCP
    • Leave the Description blank
    • For IP Address, select the IP address by clicking on the link
    • For Protocol select TCP
    • In Port/Port Range type 8443
    • For Default Pool, select XXX-UAG-Pool-8443
    • Everything else should be default
      TCP_Virtual_Server
  • Click on the green plus sign to add a new Virtual Server
    • Click on Enable Virtual Server
    • Click on Enable Acceleration
    • Set the Application Profile to XX_external_ssl_offload
    • In the Name field, type: XXX-UAG-443HTTPS
    • Leave the Description blank
    • For IP Address, select the IP address by clicking on the link
    • For Protocol select TCP
    • In Port/Port Range type 443
    • For Default Pool, select XXX-UAG-Pool-443
    • Everything else should be default
      HTTPS_Virtual_Server
  • Click on the green plus sign to add a new Virtual Server
    • Click on Enable Virtual Server
    • Click on Enable Acceleration
    • Set the Application Profile to XX_external_tcp
    • In the Name field, type: XXX-UAG-4172TCP
    • Leave the Description blank
    • For IP Address, select the IP address by clicking on the link
    • For Protocol select TCP
    • In Port/Port Range type 4172
    • For Default Pool, select XXX-UAG-Pool-4172TCP
    • Everything else should be default
      TCP_Virtual_Server

The previous configuration, covering the “Global Configuration”, “Application Profiles” and “Service Monitoring”, is in NSX Load Balancing for VMware Unified Access Gateway – Part1.

We haven’t configured any “Application Rules”. I hope you find these steps useful and don’t have to reinvent the wheel when it comes to NSX LB for VMware UAG.

Thanks,
Aresh

NSX Load Balancing for VMware Unified Access Gateway – Part1

5 Mar

This blog post will be a two-part series showing you, step by step, how to load balance VMware Unified Access Gateway (UAG) using VMware NSX. There are quite a few options available to load balance the UAG appliance, such as F5, KEMP etc., but in this post we shall deep dive into NSX load balancing. The objective in a production deployment is to load balance multiple UAG appliances deployed in the DMZ.

Load Balancing of multiple VMware UAG Appliances

There is plenty of guidance available on how to create the NSX Edge to do the load balancing. I am not going to cover those steps in this blog. Instead I will fast forward to the load balancing configuration required for Unified Access Gateway.

Pre-Installation Checklist

This list should include everything that needs to be available BEFORE we start to install the UAG Load Balancer.

  • A pair of UAG Appliances should be deployed
  • The admin page of both the UAG appliances should be accessible
  • Create an X-Large NSX Edge and make sure it’s deployed using HA (Active/Passive)
  • Enable Syslog on the NSX Edge
  • Reserve the VIP IP address used by NSX

Step-by-Step guide (Part1 – We shall cover Global Configuration, Application Profiles and Service Monitoring)

1. Configure the Load Balancing – Global Configuration

  • Log into the Edge GW you need to configure and go to the Manage tab then the Load Balancer tab.
  • Click on Global Configuration
    • Check the Enable Load Balancer checkbox
    • Check the Enable Acceleration checkbox
    • Check the Logging checkbox
    • Change the Log Level dropdown to Warning
    • Leave the rest as the default
    • Click Ok
      Global Configuration

2. Configure the Load Balancer – Application Profiles

  • Overall we will be creating three Profiles – HTTPS, TCP and UDP as follows:
    Application Profiles
  • Click on the green plus sign to add the HTTPS profile
    • Set the Name to XX_External-SSL_Offload
    • Set the Type to HTTPS
    • Set Enable SSL Passthrough
    • Persistent to Source IP
    • Expires in (seconds): 28800 (Preferably match it from Horizon Administrator – Global Configuration Settings)
    • Everything else should be blank, grayed out, or None
    • Click Ok
      SSL_Offload
  • Click on the green plus sign to add the TCP profile
    • Set the Name to XX_External-TCP
    • Set the Type to TCP
    • Persistent to Source IP
    • Everything else should be blank, grayed out, or None
    • Click Ok
      TCP_Profile
  • Click on the green plus sign to add the UDP profile
    • Set the Name to External-UDP
    • Set the Type to UDP
    • Persistent to Source IP
    • Everything else should be blank, grayed out, or None
    • Click Ok
      UDP_Profile

3. Configure the Load Balancer – Service Monitoring

  • Overall we will be creating three Service Monitors – HTTPS, TCP and UDP as follows:
    Service_Monitoring
  • Click on the green plus sign to add the Access Point TCP Monitor.  This one monitor will be used for all APs.
    • Set the Name to default_tcp_monitor
    • Set the Interval to 5
    • Set the Timeout to 15
    • Set the Max Retries to 3
    • Set the Type to TCP
    • Click Ok
      TCP_Monitor
  • Click on the green plus sign to add the Access Point HTTP Monitor.  This one monitor will be used for all APs.
    • Set the Name to default_http_monitor
    • Set the Interval to 5
    • Set the Timeout to 15
    • Set the Max Retries to 3
    • Set the Type to HTTP
    • Set the Method to GET
    • Click Ok
      HTTP_Monitor
  • Click on the green plus sign to add the Access Point HTTPS Monitor.  This one monitor will be used for all APs.
    • Set the Name to default_https_monitor
    • Set the Interval to 5
    • Set the Timeout to 15
    • Set the Max Retries to 3
    • Set the Type to HTTPS
    • In the Expected field, type:  HTTP/1.1 200 (note there is a space between the 1.1 and 200)
    • Set the Method to GET
    • In the URL field, type /favicon.ico
    • Click Ok
      HTTPS_Monitor

The remaining configuration around the “Pools” and “Virtual Servers” is continued in NSX Load Balancing for VMware Unified Access Gateway – Part2.

I hope you find these steps useful and don’t have to reinvent the wheel when it comes to NSX LB for VMware UAG.

Thanks,
Aresh

Persistence Profile – F5 LTM Load Balancing for VMware Unified Access Gateway Appliance

18 Oct

If you are using F5 LTM in the DMZ to load balance (LB) the VMware Unified Access Gateway (UAG) appliance, it is very important to use the iApp or the F5 Deployment Guide to set the Persistence Profile options properly, or else you might end up with issues.

Background:

The F5 LTM VIP for the UAG appliance was created manually without using the f5_vmware_view iApp, and the Persistence Profile settings were manually configured. (I highly recommend using the iApp and going through the F5 deployment guides.)

Issue1:

The BLAST connection fails in the backend. The original SessionID request was going to UAG1 and, due to the LB in front, the next request for the same SessionID was going to UAG2.

Log Snippet UAG1:
[2017-XX-XX 12:50:33.428] [INFO]    2289 [absg-master] – Added route 810DF5FF-*** to target 10.x.x.x|22443

Log Snippet UAG2:
[2017-XX-XX 12:50:35.589] [ERROR]    2723 [absg-worker] – Failed to resolve proxying route: 810DF5FF-***

As noted above, the SessionID is the same but the subsequent BLAST connection request is going to a different UAG appliance instead of the same appliance with which it was originally initiated.

Issue2:
From time to time you might receive the error message “Your session has expired. Please re-connect the server” while entering the username, password and 2-factor authentication details on the UAG landing page. It has to do with the timeout value on the F5 persistence profile – Source IP Address.

Session has expired

Solution:
Whenever you have F5 LTM as the load balancer in front of UAG, make sure you handle these three settings carefully so as not to run into the issues described above:

Timeout Value: Specifies the duration of the persistence entries.
This value should match the Horizon Administrator (Global Settings – View Administrator session timeout) timeout value. The default value set on the F5 LTM is 180 seconds = 3 mins.

Example – If the View Administrator session timeout is 480 mins:

View Admin Session Timeout
then we should set the same value, in seconds, under the F5 Timeout value.

F5 Timeout Value

Mirror Persistence: If the active unit goes into the standby mode, the system mirrors any persistence records to its peer.

Mirror Persistence

We had this option unchecked, as it was a manually configured persistence profile.

Match Across Services: All persistent connections from a client IP address that go to the same virtual IP address also go to the same node. The default is disabled

Match Across Services

We had this option unchecked, as it was a manually configured persistence profile.

This is how the overall persistence profile looks:
Persistence Profile f5

If you are using the F5 Horizon iApp for the configuration of the UAG VIP, you will probably not end up with the above issue.

I hope you find these tips useful during the F5 LTM VIP creation for VMware Unified Access Gateway Appliance.

Thanks,
Aresh Sarkari