February 21, 2012 - Sven Huisman

Free Load balancing for VMware View with Citrix Netscaler VPX Express

A load balancer for VMware View is not a requirement in a VMware View infrastructure with less than 2000 users. Even when there are multiple VMware View Connection servers for high availability, a single VMware View Connection server can handle up to 2000 connections so it’s not a big deal that the sessions are not evenly balanced. You do however want to have multiple VMware View Connection servers for high availability and to be able to access multiple VMware View Connection servers from a single point of access. A load balancer provides that functionality but is often expensive and gives additional functionality not needed for smaller deployments, like SSL Offloading. There is however a free “Enterprise-ready” load balancer available from Citrix: Netscaler VPX Express. There is a 5 Mbit throughput limit, but that is not an issue and in this article I explain why.

DISCLAIMER: I’m not a netscaler or “load-balancing” expert nor am I a networking guru. I’ve researched and tested the described solution and it works. I’ve not tested this solution with a large amount of users (yet). If you think information in this article is incorrect or if you think you know a better configuration or solution, please let me know.

VMware View and High availability

In a VMware View infrastructure there are a couple of components that you want to be highly available. First of all there is the vCenter server, which is out of scope for this article. In most cases it is not a requirement for vCenter to be highly available, because users can connect to a virtual desktop once the View agent in the virtual desktop has been registered with a VMware View connection server. The vCenter server needs to be online to be able to power on/off, deploy and refresh virtual desktops. Once virtual desktops are powered on and registered, they are available for users to connect to. VMware vSphere HA can provide high availability for vCenter. Alternatively VMware vCenter Heartbeat can be used.

To be able to connect to a virtual desktop a VMware View Connection server needs to be available. It is highly recommended to have at least two connection servers in a VMware View infrastructure. It doesn’t matter which connection server a user connects to: the configuration is the same on all of them and stays the same because of the LDAP replication between the connection servers. A user connects to a VMware View connection server with a VMware View client. This is where a load balancer is recommended. A load balancer provides a single point of access to connect to one of the available VMware View Connection servers. For example, a user always connects to “view.company.corp” and the load balancer takes care of the connection to “CS01.company.corp” or “CS02.company.corp”. The load balancer also checks the health of the connection servers, so it will not send connections to VMware View connection servers which are unavailable. An alternative is to use DNS Round Robin (DNS-RR), but the downside of DNS-RR is that it does not check whether one of the connection servers is unavailable, so a client could get a “connection failed”:

[Screenshot: View connection failed]

Microsoft Network Load Balancing (NLB) is not recommended for load balancing. Ask your network specialist for details, but in short: it pollutes your network, switches don’t like it, static ARP entries are required on the switches, it adds overhead, it behaves strangely after VMotion, and angry networking guys can be the result of using Microsoft NLB.

Once the connection has been made and the user starts a session to a virtual desktop, the VMware View client connects directly to the virtual desktop (a secure connection through a connection server is also possible, but best practice for internal clients is a direct PCoIP connection to the desktops).

When using VMware View Security servers for external access to the virtual desktops the session to the virtual desktop will always be tunneled through a VMware View security server.

In short: do you need a load balancer for VMware View Connection servers and VMware View Security servers if you have less than 2000 users? No. You could use DNS-RR to create a single point of access for the users; a user could get a “connection failed” when one of the servers is not available, but when the user tries a second time the connection will (most likely) succeed.

To improve the user experience (to guarantee a successful connection for the users every time) you can add a load balancer which is able to check the health of the servers and services. I have found an excellent load balancer in Citrix Netscaler VPX Express, which is available for free. It comes with a throughput limit of 5 Mbit, but that is not an issue for internal connection servers (where the session goes directly to the virtual desktop) or security servers (where the session is tunneled through the security server itself, not through the load balancer).

Citrix Netscaler VPX Express

The Citrix Netscaler VPX Express is a virtual appliance available for Citrix XenServer and VMware vSphere. It has the same features as the standard Netscaler, only with a throughput limit of 5 Mbit. For an overview of the capabilities of the Netscaler, take a look at the Netscaler information page. The feature I’m interested in is the load balancing functionality of this appliance. Download the Citrix NetScaler VPX Express for free and deploy it using the getting started guide. You don’t want the Netscaler appliance to be a single point of failure, so set up an active-passive failover (HA) pair. A Netscaler VPX Express license is valid for one year, so don’t forget to renew your license each year!

VMware View and load balancing

What is important to know is that VMware View uses two phases to establish a connection:

  • Phase 1: Initial connection establishment, login, entitlement, etc.
  • Phase 2: Tunnel connection

[Figure: View connection sequence]

Both phases need to be handled by the same connection server, and this is important to know when you are putting a load balancer in front of VMware View connection servers or security servers! There are two excellent videos available which explain load balancing VMware View in general and load balancing VMware View Security servers. The important thing to remember is that PCoIP traffic does not need to go through the load balancer, even when it is tunneled through a VMware View security server. This means that you don’t have to worry about the 5 Mbit throughput limit of the Netscaler VPX Express.

Load balancing with Citrix Netscaler VPX Express

Setting up load balancing with the Netscaler VPX appliance can be done in many different ways. However, as this free version has certain limitations (throughput limit, max. SSL connections, etc.), you don’t want to put a heavy load on the Netscaler VPX and you definitely do not want to route PCoIP traffic through it. This leaves us with two methods: the default IP-based mode or Direct Server Return mode (DSR mode, MAC based). To be honest, I first tested the DSR mode because I wanted the traffic from both connection phases to be redirected directly to a connection or security server. However, this added the complexity of adding a loopback adapter to each server and enabling forwarding on the network interfaces. In the end, the default method works very well, both for internal connection servers (PCoIP directly to the virtual desktops) and for external security servers (PCoIP tunneled directly through the security server). So KISS (Keep It Simple Stupid).

Setup internal VMware View connection servers

Setting up the internal VMware View connection servers for load balancing is straightforward, because the best practice is to use direct connections for PCoIP sessions anyway. Make sure the “Use PCoIP Secure Gateway for PCoIP connections to desktop” option is not checked.

[Screenshot: connection server settings]

Setup VMware View Security servers

This picture shows the setup of a load balancer in front of security servers:

[Figure: load balancer in front of security servers]

The View Security servers are placed in the DMZ and have a mapped external IP address. The load balancer is also placed in the DMZ and has a mapped external IP address and a DNS record which can be resolved by external clients. This means you need an external IP address for each security server plus one for the load balancer, so the minimum is three. When installing the VMware View Security servers, set the External URL and the PCoIP External URL to the security server’s own external IP address (not the external load balancer address). See the picture below:

[Screenshot: security server settings]

Setup Netscaler for Connection and Security servers

Because the Netscaler setup for load balancing VMware View Connection servers is the same as for Security servers, I will describe it once for both. This does not mean you can (or need to) load balance the connection servers which are paired with security servers!

After the basic setup of the netscaler, these are the steps for load balancing VMware View Connection servers:

Step 1: Create a server entry for each connection/security server

Netscaler > Load Balancing > Servers > Add…

[Screenshot: NetScaler server configuration]

Step 2: Create a Monitor for each connection/security server

Netscaler > Load Balancing > Monitors > Add…

  • Type: HTTP
  • Destination IP: 192.168.1.1
  • Destination port: 443
  • Check Secure

[Screenshot: NetScaler monitor configuration]

Special parameters:

  • HTTP Request: HEAD /?page=noclient.jsp
  • Response codes: 200

[Screenshot: NetScaler monitor special parameters]

Step 3: Create a service for each VMware View Connection/Security server

Netscaler > Load Balancing > Services > Add…

  • Protocol: ANY
  • Server: SS01
  • Port: *
  • Monitors: SS01-HTTPS

[Screenshot: NetScaler service configuration]

Step 4: Create a virtual server

Netscaler > Load Balancing > Virtual Servers > Add…

  • Protocol: ANY
  • IP Address: 192.168.1.9
  • Port: *
  • Services: Select the corresponding services

Method and Persistence:

  • Method: Least Connection
  • Persistence: SOURCEIP
  • Time-out: 5
  • IPv4 Netmask: 255.255.255.255

[Screenshot: NetScaler virtual server configuration]

It’s important to select SOURCEIP for persistence, so that both connection phases from the same client land on the same connection/security server. See also VMware KB 1032661. The time-out of 5 minutes is important because I noticed the connection to the connection/security server will time out when the default of 2 minutes is used. It seems that there is a keep-alive to the connection/security server every 3 or 4 minutes or so. When setting this to 5 minutes on the load balancer, you don’t have to re-authenticate when you want to switch desktops or connect USB devices.
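To make the effect of the monitor, the Least Connection method and the SOURCEIP persistence time-out concrete, here is a small Python model of the configuration from steps 2 to 4. It is an added example, not Citrix NetScaler or VMware code: it implements the HTTPS HEAD check of step 2 as a function, keeps a per-client persistence table with a time-out in minutes, and replays the keep-alive situation described above with a constructed 4-minute keep-alive interval (the article only says “3 or 4 minutes”). Server names, addresses and client IPs are constructed for the demo; the network probe is not used in the replay so the block runs offline.

```python
"""Model of the load-balancing setup configured in steps 2 to 4 (added
example, not Citrix NetScaler or VMware code): an HTTPS HEAD health monitor,
least-connection selection over the services the monitor reports UP, and
SOURCEIP persistence with a timeout in minutes. Server names, addresses and
the 4-minute keep-alive interval are constructed assumptions for the demo."""
import http.client
import ssl
from dataclasses import dataclass


@dataclass
class Service:
    name: str              # NetScaler service name, e.g. SS01
    ip: str                # connection/security server address
    up: bool = True        # last monitor result
    connections: int = 0   # active client sessions, drives Least Connection


def probe_https_head(ip, port=443, path="/?page=noclient.jsp",
                     timeout=3.0, context=None):
    """Step 2 monitor: HEAD /?page=noclient.jsp over TLS on port 443, healthy
    only on HTTP 200. The default context verifies the server certificate; a
    lab with self-signed certificates must pass a context trusting its CA."""
    ctx = context or ssl.create_default_context()
    try:
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
        conn.request("HEAD", path)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except (OSError, http.client.HTTPException):
        return False   # refused, timed out or TLS failure: mark DOWN


class ViewLoadBalancer:
    """Step 4 virtual server: method Least Connection, persistence SOURCEIP,
    netmask /32 (one entry per client address), time-out in minutes."""

    def __init__(self, services, persistence_timeout_min=5):
        self.services = services
        self.timeout = persistence_timeout_min
        self.table = {}   # client IP -> (service name, minute of last packet)

    def run_monitors(self, probe):
        """Refresh UP/DOWN for every service. probe is injectable so the model
        can run offline; in production it would be probe_https_head."""
        for svc in self.services:
            svc.up = probe(svc.ip)

    def pick(self, client_ip, now_min):
        """Service that receives a packet from client_ip at minute now_min."""
        entry = self.table.get(client_ip)
        if entry:
            name, last_seen = entry
            svc = next(s for s in self.services if s.name == name)
            if svc.up and now_min - last_seen <= self.timeout:
                self.table[client_ip] = (name, now_min)   # refresh the timer
                return svc
            # persistence expired or server DOWN: fall back to the LB method
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None
        svc = min(candidates, key=lambda s: s.connections)
        svc.connections += 1
        self.table[client_ip] = (svc.name, now_min)
        return svc


def _two_servers():
    return [Service("CS01", "192.0.2.1"), Service("CS02", "192.0.2.2")]


def keepalive_stays_sticky(timeout_min, keepalive_interval_min=4):
    """Phase 1 at minute 0, then a keep-alive every keepalive_interval_min
    minutes. True only if every later packet lands on the phase-1 server.
    Three clients log in so the two servers carry unequal load and an
    expired persistence entry really moves the first client."""
    lb = ViewLoadBalancer(_two_servers(), timeout_min)
    lb.run_monitors(lambda ip: True)
    first = lb.pick("198.51.100.10", 0).name
    lb.pick("198.51.100.11", 0)
    lb.pick("198.51.100.12", 0)
    for t in range(keepalive_interval_min, 20, keepalive_interval_min):
        if lb.pick("198.51.100.10", t).name != first:
            return False
    return True


def failover_when_server_down():
    """The monitor takes CS01 out of rotation, so a client persisted to it is
    moved instead of getting the 'connection failed' that DNS-RR would give."""
    lb = ViewLoadBalancer(_two_servers(), 5)
    lb.run_monitors(lambda ip: True)
    lb.pick("198.51.100.10", 0)                      # lands on CS01
    lb.run_monitors(lambda ip: ip != "192.0.2.1")   # CS01 stops answering
    return lb.pick("198.51.100.10", 1).name


if __name__ == "__main__":
    print("time-out 5 min, keep-alive every 4 min:", keepalive_stays_sticky(5))
    print("time-out 2 min, keep-alive every 4 min:", keepalive_stays_sticky(2))
    print("CS01 down, client moved to:", failover_when_server_down())
```

With the 2-minute default the persistence entry has already expired when the keep-alive arrives, so Least Connection is consulted again and the client can be sent to the other server, which is exactly the re-authentication the article describes; with 5 minutes every keep-alive refreshes the entry and the client stays put. The failover function shows the other half of the argument: because the monitor marks a server DOWN, a persisted client is moved rather than failing, which DNS-RR cannot do.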

And that’s it!


Comments

  • Really looking forward to researching implementation with our 100 endpoint VDI and our Netscaler VPX-200. Great article.

  • anon says:

    Good article. If we do not use a cert, what is the impact? We use ssl_bridge for the protocol.
    Is there any free cert that can be generated from the VMware View connection server?

    thanks sir

  • ibrar says:

    How is it offloading PCoIP onto the desktops?

  • Sven-

    I have been able to get my Netscaler VPX-200s working with VMware View (4.6). Can I ask you a question? When your client makes the connection with the vserver IP on the load balancer, does it maintain that connection and transmit all traffic through that IP address over HTTPS or will the client also make a second connection with the security server and only transmit packets over HTTPS on that connection?

    Maybe View doesn’t work that way, but I was hoping all traffic would be routed through the vserver IP address on the Netscaler VPX, and then the Security Server after that. I am interested to see how your client behaves. Perhaps I have configured my Netscaler incorrectly?

    Thank you very much!

    • Sven-

      I watched the #8 video again and found (at 21:00) where they talked about sticky sessions and exposing only one VIP on the load balancer. I am going to find out whether the VPXs can support that.

    • Sven Huisman says:

      In my configuration, the second connection goes over the security server directly. That’s the way I want it with the free Netscaler VPX, because of the 5 Mbit limit. You could use a single VIP setup, but I haven’t tested that configuration. Take a look at video #3 at about 38 minutes. I will try that setup later this week.

  • […] month I wrote an article on how to use Netscaler VPX Express to load balance VMware View. Netscaler VPX Express is a free virtual appliance from Citrix which can be used to do a lot of […]

  • […] about using pfSense as a (free) load balancer in a VMware View environment. Sven has written a great article on using the free Citrix Netscaler VPX Express in a VMware View environment. The question is: Is […]

  • Ben says:

    Great article and I hope to test this out. One question/though I have is regarding internal users. In the past I’ve used split DNS so that internally our users go direct to the connection server and externally they hit the security server but that was always a small scale 1 security server and 1 connection server type setup.

    Could/should that be utilized in this case or am I thinking of this wrong? If a user is inside the network (in the building) and goes to view.companyname.com there isn’t any reason to hit the DMZ ip of the load balancer but at the same time I’d like those connections to balance between the 2 connection servers.

  • Ben-

    We have implemented this solution with Netscaler VPX-200s. You make a good point about split DNS. We do the same thing with MS Exchange. I think you hit the nail on the head when doing a split-DNS using 2 VIPs (one DMZ, one inside), it will still need to hit your Security Servers which also might be in the DMZ. That is where the traffic goes through. Creating an internal VIP, that load balances your internal connection servers instead, avoiding your DMZ Security Servers altogether should do the trick. You could even use the same connection servers that your DMZ Security Servers are paired with. That way you won’t need to install any additional systems.

  • Ben says:

    Matt – that makes perfect sense. Basically you’d end up with 1 vpx-200 in the DMZ load balancing against the 2 Security servers (which connect to connection servers A and B) and then a 2nd vpx-200 internally which load balances directly against connection servers A and B again.

  • Ben-

    Our Netscalers actually straddle the DMZ and Inside. The VPXs have 2 vNICs, one using a DMZ-based port group, and the other using an inside-based port group. That way you can have both DMZ and inside VIPs on the same Netscaler (or in our case, the same Netscaler HA pair).

    Matt

  • Alex says:

    Great article! I was wondering if this would maybe work with vCloud director cells load balancing?

  • Manoj says:

    I am quite familiar with Citrix XenApp and a little bit with Netscaler, but I am totally new to working with the VMware View product, so I am trying to set it up in a lab. While searching for load balancing View Connection servers I came across your blog and I would like to thank you for sharing this information with the community. Keep up the good work.

    In my lab environment I have just built a simple setup which started with just the primary View connection server (CS1), and while going through your blog I decided to add the replica connection server (CS2). But what I found is that for some reason I do not see the second (replica) server in the list when I view the Admin Console of the (CS1) primary connection server. However, when I view it from the CS2 server console I see both listed. I have rebooted both servers but still get the same behaviour. I was just curious to know if this is by design or whether there is something wrong with my installation?

    I want to now add the 2 Security servers in the lab and try and add the Netscaler VPX using your configuration details. I would like to know whether you need to install any SSL certs on the View Security Servers? Or you can do with just the SSL cert on the Netscaler VPX?

    Thanks,
    Manoj