Implementing PCoIP Proxy as a Security Server/Access Point Alternative




Overview

VMware's Horizon Security Server and Access Point provide secure access to sessions over an unsecured WAN and/or Internet connection. Typically, the Security Server/Access Point is placed within an organization's DMZ. F5 BIG-IP Access Policy Manager (APM) makes it possible to take advantage of PCoIP technology while simplifying your VMware Horizon with View architecture, improving security, and increasing scalability.

Harden Security and Increase Scalability

F5 BIG-IP Access Policy Manager is the industry's first Application Delivery Networking solution that brings full PCoIP proxy capabilities certified by Teradici to the market. This permits IT administrators to replace the View Security Server with a more secure and highly scalable solution in support of their end-user computing deployments.

BIG-IP APM is an ICSA Labs certified flexible, high-performance access and security solution that provides unified global access to your applications and network. BIG-IP APM converges and consolidates remote access, LAN access, and wireless connections within a single management interface and provides easy-to-manage access policies. These capabilities help you free up valuable IT resources and scale cost-effectively.

Simplifying Your Horizon Architecture

Because BIG-IP APM removes the pairing dependency between Security Servers and Connection Servers, the overall architecture can not only be simplified, but a higher level of scalability can be achieved. In addition to BIG-IP APM, F5 BIG-IP Local Traffic Manager (LTM) can provide intelligent traffic management and load balancing to the Connection Servers. The reduction in the overall number of components that need to be managed results in increased productivity for IT administrators, which is especially critical for multi-site or multi-pod VMware Horizon deployments.

Traffic Flow

The diagram outlines the traffic flow of an external Horizon Client connection when using the BIG-IP Access Policy Manager (APM) Module as a Security Server/Access Point alternative:

1. The device connects in from the untrusted network.
2. The connection to APM is made over HTTPS using the client or the F5 APM WebTop Portal.
3. The user logs in.
4. APM processes the authentication (single/multi-factor) to AD and/or another authentication source (LDAPS/RADIUS, etc.).
5. Once the user is validated, APM sends a request to the load-balanced pool of Connection Servers to get a list of authorized applications and desktops using HTTPS or HTTP.
6. The user is then presented with the list of available and authorized desktops and applications.
7. The user selects the application or desktop to launch.
8. The request is then sent from the client and proxied to the View Connection Server via HTTPS; the client receives the desktop and/or application source machine info (including the public/client-facing IP address if using NAT).
9. The client establishes its connection for the virtual desktop or RDS application server to the APM via PCoIP, or via HTML5 (using HTML Access) over HTTPS. The APM proxies this connection back to the virtual desktop or RDS application server.

Before Getting Started

It's important to ensure the firewall rules are opened to permit communications between the client and the BIG-IP, and between the BIG-IP and the internal Horizon View resources. VMware has done a pretty good job of itemizing the ports and traffic flows. For the most part, the BIG-IP uses the same ports and protocols.

- UDP 4172 needs to be open in both directions between the client and the BIG-IP's public IP address or virtual server IP address.
- HTTPS needs to be open inbound from the client to the BIG-IP's IP address or virtual server IP address.
- HTTPS (or HTTP, if doing SSL offload) needs to be open inbound from the BIG-IP self IP addresses to the Connection Servers.
- UDP 4172 needs to be open in both directions between the BIG-IP self IP addresses and the Horizon virtual desktops and RDS hosts.
- TCP 22443 needs to be opened from the BIG-IP self IP addresses to the virtual desktops/RDS hosts to support HTML5 connections.
- TCP 4172 is not required for the BIG-IP PCoIP Proxy implementation, nor are any of the pairing ports/protocols used by Security Server.

It's also key to remember these two points:

- The connection between the client and the BIG-IP used for the PCoIP Proxy can be NAT'd.
- The connections between the BIG-IP PCoIP Proxy self IP addresses and the internal Horizon resources must be ROUTED. Source Address Translation (SNAT) features on the BIG-IP can also be used. If you attempt to do traditional firewall NAT on the connections between the RDS hosts/virtual desktops and the BIG-IP, you will not be able to make a PCoIP connection.
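As an added example (not part of the original guide or of F5's tooling), the following Python script audits an exported firewall rule list against the port requirements and the NAT constraint listed above. The zone labels, the Rule structure, and the use of TCP 443/80 for HTTPS/HTTP are assumptions of the example, and the sample rules are constructed.

```python
"""Audit firewall rules against the BIG-IP PCoIP Proxy port requirements."""
from dataclasses import dataclass

# Zone labels are hypothetical names chosen for this example.
CLIENT = "client"               # untrusted Horizon Clients
VIP = "bigip_vip"               # BIG-IP public / virtual server IP
SELF_IP = "bigip_self"          # BIG-IP self IP addresses
CONN_SRV = "connection_server"  # Horizon Connection Servers
DESKTOP = "desktop_rds"         # virtual desktops and RDS hosts


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    port: int
    nat: bool = False   # True if a firewall translates addresses on this flow


def required_flows(ssl_offload=False):
    """Flows the guide lists; HTTPS=443 and HTTP=80 are assumed defaults."""
    cs_port = 80 if ssl_offload else 443
    return [
        (CLIENT, VIP, "udp", 4172),
        (VIP, CLIENT, "udp", 4172),
        (CLIENT, VIP, "tcp", 443),
        (SELF_IP, CONN_SRV, "tcp", cs_port),
        (SELF_IP, DESKTOP, "udp", 4172),
        (DESKTOP, SELF_IP, "udp", 4172),
        (SELF_IP, DESKTOP, "tcp", 22443),   # HTML5 connections
    ]


def audit(rules, ssl_offload=False):
    """Return a list of (finding, flow) tuples for a rule set."""
    needed = required_flows(ssl_offload)
    by_flow = {(r.src, r.dst, r.proto, r.port): r for r in rules}
    findings = []
    for flow in needed:
        rule = by_flow.get(flow)
        if rule is None:
            findings.append(("MISSING", flow))
        elif rule.nat and SELF_IP in flow[:2]:
            # Self IP <-> internal Horizon resources must be routed, not NAT'd.
            findings.append(("NAT_ON_ROUTED_PATH", flow))
    for flow in by_flow:
        if flow not in needed:
            # Least privilege: e.g. TCP 4172 is not needed by the PCoIP Proxy.
            findings.append(("NOT_REQUIRED", flow))
    return findings


# Constructed sample: one NAT'd internal flow, no TCP 22443, extra TCP 4172.
SAMPLE_RULES = [
    Rule(CLIENT, VIP, "udp", 4172, nat=True),   # client-side NAT is allowed
    Rule(VIP, CLIENT, "udp", 4172, nat=True),
    Rule(CLIENT, VIP, "tcp", 443, nat=True),
    Rule(CLIENT, VIP, "tcp", 4172, nat=True),
    Rule(SELF_IP, CONN_SRV, "tcp", 443),
    Rule(SELF_IP, DESKTOP, "udp", 4172, nat=True),
    Rule(DESKTOP, SELF_IP, "udp", 4172),
]

if __name__ == "__main__":
    for finding, flow in audit(SAMPLE_RULES):
        print(f"{finding:20s} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

Pass `ssl_offload=True` when the BIG-IP talks HTTP to the Connection Servers, so that TCP 80 is expected on that path instead of TCP 443.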

Disable HTTPS, PCoIP and BLAST Proxy Services for each Connection Server

When using PCoIP Proxy with BIG-IP Access Policy Manager (APM), APM functions just like a Horizon Client. Not only does the APM proxy the traffic, it also handles all the authentication, including two-factor methods such as RSA and RADIUS. In addition, there is no pairing requirement between the APM and Connection Servers, as is required when using Security Servers. Therefore, there is no need to have dedicated Connection Servers for external access when using the BIG-IP PCoIP Proxy. Connection Servers can then be used for BOTH internal and external client access.

For Connection Servers that will authenticate users and enumerate applications using PCoIP Proxy with F5 BIG-IP:

- The Secure Gateway boxes for each Connection Server need to be unchecked.
- Disable any RSA or RADIUS authentication on the Connection Servers used by APM PCoIP Proxy.

Disable Secure Tunneling on Horizon Connection Server

Once you are in the View Administrator, perform the following:

1. On the left side, click the down-arrow by View Configuration, then click Servers.
2. Click on the Connection Servers tab.
3. Highlight the first Connection Server in the list.
4. Click Edit.
5. Make sure the check box next to "Use Secure Tunnel Connection to machine" is UNCHECKED.
6. Make sure the check box next to "Use PCoIP Secure Gateway for PCoIP to machine" is UNCHECKED.
7. Make sure the check box next to "Use Blast Secure Gateway for HTML access to machine" is UNCHECKED.
8. When completed, click OK.
9. Highlight the other Connection Servers in the list, then repeat steps 4 through 8.

Uploading the Latest Horizon iApp and SSL Certificates

Before systems on a network can authenticate one another using SSL through a BIG-IP, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system presents to another device on the network for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.

iApps is the BIG-IP system framework for deploying services-based, template-driven configurations on BIG-IP systems running version 11.0.0 and later. iApps help BIG-IP administrators quickly and efficiently deploy configurations for industry-standard applications. Administrators are asked a series of wizard-driven configuration questions. Based on the responses to those questions, all the necessary objects are automatically created and configured on the BIG-IP, rather than configuring each component or object individually. This makes application configuration with the BIG-IP simple and easy.

Benefits of iApps include:

- Easy editing of configurations and cleanup
- Simplicity and repeatability
- Reduced configuration errors
- Quick "time to deployment" of applications through the BIG-IP
- Cradle-to-grave configuration management for industry-leading applications
- Strictness protects against accidental changes to the configuration
- Community support for DevCentral hosted templates

iApps consists of three components: Templates, Application Services, and Analytics.

- An iApps Template is where the application is described and the objects (required and optional) are defined through presentation and implementation language.
- An iApps Application Service is the deployment process of an iApps Template, which bundles all of the configuration options for a particular application together. You would have an iApps Application Service for SharePoint, for example.
- iApps Analytics include performance metrics on a per-application and location basis.

Uploading the current iApp for Horizon

Make sure you visit F5 downloads to get the latest version of the iApp for Horizon View. This iApp is regularly updated. To upload an iApp template, perform the following steps:

1. From the main screen, click on iApps --> Templates.
2. On the right side of the screen, click Import.
3. Click Choose File.
4. Browse to the location where you have the latest Horizon View iApp and choose the F5 VMware View iApp. Make sure it also has a version number. This example chooses the F5.VMWARE_VIEW.V1.3.0.TMPL file.
5. Click Open.
6. Click Upload.
7. Click the drop-down in the bottom right corner of the screen and choose Page 3.
8. You should see the VMware View iApp with a version number in the list. The iApp is then loaded for future use.

Uploading the PFX and Root CA Certificates

The next two steps walk you through uploading a certificate and private key (combined in a PFX file) and the Root CA. These certificates will be used when setting up load balancing and PCoIP proxy functionality on the BIG-IP.

In this step, we'll upload a PFX Certificate (including the private key) to the BIG-IP.

1. On the menu bar, click on System --> File Management --> SSL Certificate List --> Import.
2. Select PKCS-12 from the drop-down list.
3. Type in the certificate and key name. This example uses CORP.LOCAL_WILDCARD for the name.
4. Click on Choose File to upload the PFX file containing the private key and certificate.
5. Browse to the location where your certificate is, choose your PFX cert from the list, and click Open. This example uses the CORP.LOCAL_WILDCARD Certificate.
6. Type in the password for the certificate.
7. Click Import.

You should see the certificate appear in the list!

Uploading the Root CA Certificate

In this step, we'll upload a Root Certificate (CA) to the BIG-IP.

1. On the menu bar, click on System --> File Management --> SSL Certificate List --> Import.
2. Select Certificate from the drop-down list.
3. Type in the CA certificate name. This example uses CORP.LOCAL_CA as the CA Certificate Name.
4. Check "Upload File" and then click on Choose File to upload the CER file containing the Root CA certificate.
5. Browse to the location where your certificate is and click Open.
6. Click Import.
7. You should see the Root CA appear in the list.

Create iApp Application Service for Connection Server Load Balancing

Next, we will configure load balancing of Connection Servers for internal users using the Horizon iApp.

1. Once logged in to the BIG-IP, click on iApps.
2. Click Application Services.
3. On the right side of the screen, click Create.

Configuring the iApp for PCoIP Proxy

Let's configure the iApp.

1. Type in a name for the Virtual Server/iApp, then select the latest View iApp Template from the list that you uploaded to the BIG-IP in the previous step. The latest BIG-IP iApp for Horizon View will use a version number in the name. This example chooses the VMware View iApp with a version number (don't use the f5.vmware_view in the list). Observe the iApp populate the screen with the next set of questions. This example uses PROXY as the name for the iApp/BIG-IP objects.

Configuring the iApp for PCoIP Proxy (Continued)

1. Scroll down to the Template Options section - under "Which configuration mode do you want to use?" - choose "Advanced - configure advanced options".
2. Scroll down to the BIG-IP Access Policy Manager section - under "Do you want to deploy BIG-IP Access Policy Manager" - choose "Yes, Deploy BIG-IP Access Policy Manager".
3. To allow HTML access to desktops, next to the "Do you want to support browser based connections including the HTML5 client?" question choose "Yes, support HTML 5 View clientless browser connections".

Configuring the iApp for PCoIP Proxy (Continued)

1. Scroll down to "Should the BIG-IP system support RSA SecurID two-factor authentication" and choose the appropriate option. If you choose to use RSA, you will need to ensure the RSA server is set up prior to running through the iApp. Additional information on setting up RSA with Horizon can be found here: https://devcentral.f5.com/articles/so-you-want-to-use-rsa-securidwith-apms-pcoip-proxy-module
   For this configuration, we'll assume no RSA SecurID: select "No, do not support RSA SecurID two-factor authentication".
2. Next, choose whether you want a logon banner to be presented with the PCoIP Proxy. In this example, we will select "No, do not add a message during logon".
3. In the box "If external clients use a network translated address to access View, what is the public-facing IP address", enter the public, Internet-facing address (similar to the IP address you would enter for the external PCoIP URL used with Security Server).
4. Next to the question "Do you want the BIG-IP system to support multiple domains", choose whether you will have one or more domains supported for Horizon View access. For this configuration, we will use only one Active Directory: select "No, my View Environment uses a single Active Directory Domain".
5. Enter your NetBIOS Active Directory domain name in the box next to "What is the NetBIOS domain name for your environment?"

Setting up the Active Directory Component for Authentication

Next, let's create the Active Directory objects that will perform the user authentication.

1. Scroll down to "Create a new AAA Server object or select an existing one" - choose "Create a new AAA Server Object".
2. Next, enter the FQDN of the domain controller (the example shows "controlcenter.corp.local") and its IP address (the example shows 192.168.110.10) when asked "Which Active Directory servers (IP and host name) are used for user credential authentication".
3. Type the Active Directory domain name. The example shows "corp.local" (without quotes) as the Active Directory.
4. Choose Yes or No when asked "Does your Active Directory domain require credentials". This example shows "Yes, credentials are required for binding".
5. Enter the user account used for the binding (if Yes was selected in step #4). The account requires Domain User privileges.
6. Enter the password.
7. Scroll down to the section referring to "Create a new monitor for the Active Directory servers." You can choose whether to have an intelligent monitor that binds to LDAP and simulates a connection to ensure the health of AD, or one that checks AD with an ICMP ping. This example chooses "Yes, create a simple ICMP monitor."

Configuring SSL

1. Continue scrolling down until you get to the SSL Encryption section. You can choose SSL Offload, which uses HTTP to communicate with the Horizon Connection Servers, or SSL Bridging, which decrypts the traffic on the BIG-IP, then re-encrypts and transmits it to the Horizon Connection Servers using HTTPS. This example uses SSL Bridging, choosing "Terminate SSL for clients, re-encrypt to View servers (SSL bridging)" next to "How should the BIG-IP system handle encrypted traffic?"
2. Scroll down to "Which Client SSL profile do you want to use?" and choose "Create a new Client SSL profile".
3. Scroll down to "Which SSL certificate do you want to use?" and choose the certificate you've uploaded to the BIG-IP. This example uses "CORP.LOCAL_WILDCARD.crt".
4. Continue scrolling down to "Which SSL private key do you want to use?" and choose the SSL certificate key you've uploaded to the BIG-IP. This example uses "CORP.LOCAL_WILDCARD.key".
5. Finally, scroll to "Which intermediate certificate do you want to use?" and choose the intermediate certificate you've uploaded to the BIG-IP. This example uses "CORP.LOCAL_CA.crt".

Virtual Server Configuration

1. Next, scroll down to the Virtual Servers/Pools section - "What virtual server IP address do you want to use for remote, untrusted clients". Normally, this is the NAT'd internal/DMZ IP address clients will connect to. Typically, firewalls will NAT to this address in the DMZ. If the BIG-IP is directly on the Internet, this would be the Internet-facing public IP address.
2. Type in the FQDN that will be used to access the BIG-IP by the Horizon Clients. This example uses "view-apm.corp.local" (without quotes).

Horizon Connection Server Settings

1. Scroll down to "Which servers should be included in this pool". In the first box, type in the Horizon Connection Server IP address. This example uses 192.168.100.123 (this is the IP of the 1st Connection Server), then click Add. In the second box, type in 192.168.100.122 (this is the IP of the 2nd Connection Server).
2. Scroll down to "Where will the virtual servers be in relation to the View servers?". Choose "BIG-IP virtual server IP address and View servers are on different subnets" or "BIG-IP virtual server IP address and View servers are on the same subnets", depending on where the Horizon Connection Servers are placed.
3. Next, choose the appropriate option when asked "How have you configured routing on your View servers?" In other words: does the default gateway of the Connection Servers point to the BIG-IP or to another router? This example chooses "View servers do not have a route to clients through the BIG-IP", as the default gateway of the Connection Servers points to another router and not the BIG-IP.

Application Health Monitor

Next, we'll set up the intelligent health monitoring. This monitor logs in to Horizon as a user to ensure key components are functioning as expected. You will need a user account that has a desktop and/or application assigned to it.

1. Scroll down to the Application Health section. Next to "Create a new health monitor or use an existing one?" - choose "Create an advanced health monitor".
2. Type in the designated user account. In this example, we used "Administrator" (without quotes) next to "What user name should the monitor use?".
3. Type in the password of the designated user account.
4. Scroll down and enter the NetBIOS domain name next to "What is the NetBIOS domain name for your environment?" This example uses "CORP" (without quotes).

Application Health Monitor (Continued)

Scroll down until you see the section of the iApp with "Published Resources" as shown in the picture.

1. Under the section "What published application(s) or pool(s) should the BIG-IP system expect in the monitor response?" type in the display name of the application or desktop.
2. Click the "Add" button to add additional applications.
3. Repeat steps 1 and 2; the example shows two additional entries: Windows 8 Desktop in the 2nd box and then Calculator in the 3rd box.
4. Under the section "Do all published applications or desktop pools listed need to be available", you can choose whether to require all applications to be available or only one from the list. This example chooses "Only one of the application or desktop pools listed need to be returned".

Finish the iApp

1. Scroll down to the bottom of the screen; click Finished.
2. Next, you will see the "Components" screen that will show you a summary of your configuration and all the objects created on the BIG-IP. Scroll down and make sure the PROXY_icmp nodes are displayed as shown in the picture.
3. Scroll down and make sure the PROXY_adv_view_eav nodes are displayed as shown in the picture.

Test Access

Test access to the virtual desktops by connecting to the public IP address using the Horizon Client. If successful, you will be able to establish a PCoIP connection.

To test HTML access, enter the IP address or FQDN of the BIG-IP's PCoIP Proxy address in a browser. Log in and then select the desktop you wish to access using HTML. If configured properly, you will be asked to choose the Horizon Client or HTML to launch the desktop. Choose HTML; if successful, you will be able to establish an HTTPS connection in the browser window.