Redundancy needs to be a consideration when building and deploying business-critical systems. As users’ desktops are moved into the data center, Horizon View becomes a Tier 0 application that needs to be available 24/7, because users will not be able to work if they can’t get access to a desktop.
Horizon View is built with redundancy in mind. A single View Pod can have up to 7 Connection Servers to support 10000 active desktop sessions, and the new View Cloud Pod feature allows up to four View Pods to be stretched across two geographic sites.
Just having multiple connection servers available for users isn’t enough. That doesn’t help users if they can’t get to the other servers or if a load-balancing technology like DNS Round Robin tries to send them to an offline server.
Load balancers can be placed in front of a Horizon View environment to distribute connections across the multiple Connection Servers and/or Security Servers. There are some gotchas to be aware of when load balancing Horizon View traffic, though.
VMware doesn’t appear to provide any publicly available documentation on load balancing Horizon View traffic, and most of the documentation that is available appears to be from the various load balancing vendors. After reading through a few different sets of vendor documentation, a few commonalities emerge.
Horizon View Network Communications
Before we can go into how to load balance Horizon View traffic, let’s talk about how clients communicate with the Horizon View servers and the protocols that they use.
There are three protocols used by clients for accessing virtual desktops. Those protocols are:
- HTTPS – HTTPS (port 443) is used by Horizon clients to handle user authentication and the initial communications with the Connection or Security server.
- PCoIP – PCoIP (port 4172) is the remote display protocol that is used between the Horizon Client and the remote desktop.
- Blast – Blast (port 8443) is the remote display protocol used by HTML5-compatible web browsers.
Remote Desktop Protocol (RDP) is also a connectivity option.
When a user connects to a Horizon View environment using either the web client for Blast or the Horizon Client application for PCoIP, the initial communications take place over HTTPS. This includes authentication and the initial pool or application selection. Once a pool or application has been selected and the session begins, communications will switch to either Blast or PCoIP.
In the example above, the user connects to the fully-qualified domain name of the security server. After authenticating, they select a pool and connect using the protocol for that pool. If they’re connecting over PCoIP, they connect to the IP address of the server, and if they connect over Blast, the connection goes through the URL of the server.
The URLs used by clients when connecting through a security server. The PCoIP URL is the external IP address used by the server.
When a load balancer is inserted into an environment to provide high availability for remote access, things change a little. The initial HTTPS connection hits the load balancer first before being distributed to an available connection or security server. All PCoIP and/or Blast traffic then occurs directly with the security server.
This can have some implications for the certificates that you purchase and install on your servers, especially if you plan to use Blast to allow users to access desktops from a web browser. If you choose not to use HTTPS offloading, the certificate that is installed on the load balancer also needs to be installed on the security servers. This may require a SAN certificate with the main external URL and the Blast URLs for all servers.
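The SAN requirement above can be checked before a certificate is deployed. The following is an added example, not code from the original post: it takes a certificate in the layout returned by Python’s `ssl.SSLSocket.getpeercert()` and reports which required hostnames its DNS SAN entries do not cover. The hostnames are constructed placeholders, and the wildcard handling goes beyond the SAN case the post describes.

```python
# Added example: check SAN coverage for a load-balanced Horizon View deployment.
# All hostnames below are constructed placeholders, not values from the article.

def _matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole leftmost label
    and covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def missing_san_names(peercert: dict, required_hosts: list) -> list:
    """Return the required hostnames not covered by the certificate's DNS SANs.

    `peercert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    dns_sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in required_hosts
            if not any(_matches(s, h) for s in dns_sans)]


# Constructed deployment: the load-balanced URL plus one Blast URL per security server.
REQUIRED = ["view.example.com", "ss1.example.com", "ss2.example.com"]

# Constructed certificates in getpeercert() layout.
SINGLE_NAME_CERT = {"subjectAltName": (("DNS", "view.example.com"),)}
SAN_CERT = {"subjectAltName": (("DNS", "view.example.com"),
                               ("DNS", "ss1.example.com"),
                               ("DNS", "ss2.example.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME_CERT),
                        ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        gaps = missing_san_names(cert, REQUIRED)
        print(f"{label:12s} missing: {gaps or 'none'}")
```

A certificate that lists only the load-balanced name leaves the per-server Blast URLs uncovered, which is the gap the SAN certificate closes.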
Load Balancing Requirements
There are a few requirements for load balancing your Horizon View environment. These requirements are:
- At least 2 Security or Connection Servers
- A load balancer that supports HTTPS persistence, usually JSESSIONID
If you’re load balancing external connections, you’ll need an IP address for each security server and an IP address for the load balancer interface. If you have two security servers, you will need a total of three public IP addresses.
In an upcoming post, I will walk through the steps of load balancing a Horizon View environment using a Kemp virtual Load Master.