VMtoday

VMware News, Views, and How-To's from vExpert Josh Townsend

You are here: Home / Archives for Networking

Networking

vShield Endpoint with vSphere 6.0

by 5 Comments

I’ve heard some questions regarding vShield Endpoint being supported with vSphere 6.0.  Some of the confusion has come from various announcements of End of Availability and End of Support for vCloud Networking and Security.  Before I answer the question of using vShield Endpoint with vSphere 6.0, let’s first look at the history of the vShield product line to see where the confusion may come from.  There has been many changes due to the rapid pace of innovation and developments in virtual networking and security:

  • May 2009: vShield Zones 1.0 released, providing an application-aware firewall built for VMware vCenter Server integration.  vSphere 4.0 is the current version of vSphere.  vSphere Advanced, Enterprise and Enterprise Plus editions are entitled to vShield Zones.
  • August 2010: VMware vShield 4.1 is released along with vSphere 4.1.  vShield Edge, App and Endpoint are introduced and packaged with vShield Zones. All vShield components are managed by vShield Manager. vShield (Suite) is available as add-on licenses.  vShield Zones remains a part of vSphere Enterprise and Enterprise Plus licensing.
  • July 2011: vShield Data Security is announced.
  • September 2011: VMware vShield 5.0 is released, along with vSphere 5.0.  vShield 5.0 adds vShield Data Security capabilities.  If you were running ESX 4.1 with vShield Zones 4.1, and wanted to upgrade to ESXi 5.0, you must manually uninstall vShield Manager 4.1 and Zones 4.1, upgrade to ESXi 5.0, then install vShield Manager 1.0 and Zones 1.0 that were released with vSphere 5.0.  Yes, this is confusing at best….  vShield Endpoint is made available as part of the VMware View 4 Premier Edition bundle.
  • August 2012: vShield Zones 4.1 reaches End of Availability (EOA) and End of General Support (EOS).  However, vShield Zones 1.0 that was released with vSphere 5.0 remains available for download through vSphere 5.1.  The vShield Zones virtual firewall provided very basic segmentation and traffic filtering capabilities using the VMsafe API, which is deprecated (thus further investment for feature development or support can not be justified). VMware plans to continue to invest in vCloud Networking and Security, which covers the majority of use cases for vShield Zones.
  • July 2012: VMware acquires Nicira for $1.26 Billion.  VMware NSX will eventually come from this acquisition.
  • August 2012: vShield Endpoint is now included in every vSphere Edition (except vSphere Essentials).  The licensing change makes vShield Endpoint available for all customers, with an active SnS, running vSphere 5.1.x, vSphere 5.0.x, or vSphere 4.1 U3! 
  • August 2012: vSphere 5.1 and vCloud Networking and Security (vCNS) 5.1 are announced.  vCNS includes vShield Edge, App and Endpoint.  vCNS is available as an add-on license to vSphere, and is included with vCloud Director.  With the general availability of VMware vCloud Networking and Security 5.1 in September 2012, VMware announced an end of availability date of October 15, 2012 for the standalone vShield family of products (i.e, vShield Edge, vShield App, vShield Data Security and vShield Endpoint.) VMware will continue to support maintenance releases for the vShield products until September 1, 2013.
    • vCloud Networking and Security is sold in two editions:
      • Standard Edition -­‐ provides the following features: firewall, VPN, VXLAN, vCloud Ecosystem framework, Network Address Translation, and Dynamic Host Control Protocol.
      • Advanced Edition – Provides all the features of Standard Edition plus high availability, load balancing, and data security.
  • August 2012: vCloud Suite 5.1 is announced.  This first iteration of the vCloud Suite bundled vSphere, vCloud Director, vCloud Connector, vFabric Application Director, vCloud Networking and Security 5.1, vCenter Operations Management Suite, vCenter Site Recovery Manager and vCloud Automation Center.  VMware offered a $1 upgrade from vSphere Enterprise Plus to vCloud Suite Standard – customers who took advantage of this deal are now licensed for vCloud Networking and Security through the vCloud Suite.
    • With vCloud Suite, VMware is now selling vCloud Networking and Security with two licensing options: bundled with the vCloud Suites and licensed per processor; or sold stand alone, and licensed per VM.
  • September 2013: vCloud Suite 5.5 is released.  vCloud Suite 5.5 includes vCloud Networking and Security 5.5; vCloud Networking and Security 5.5 is only available as part of VMware vCloud Suite 5.5 and is not available as a standalone product.  At the same time, VMware announced the End of Availability (“EOA”) of the VMware vCloud Networking and Security 5.1 Standard and Advanced editions for sale as standalone products effective September 30, 2013.
  • September 2013: VMware announces general availability of VMware NSX.  NSX is a stand-alone product with some functionality that overlaps vCNS.
  • March 2015: vSphere 6.0 and vCloud Suite 6.0 are announced.
    • vCloud Networking and Security is removed from the vCloud Suite bundle – this means that vCNS has reached End of Availability because it was only available through the vCloud Suite bundle. However, vCNS 5.5 remains supported through September 2016 for customers who were already licensed.
    • NSX is not included in the vCloud Suite.  vCloud Suite customers who are ready to take advantage of advanced software-defined networking and security services have the option to purchase NSX for vSphere at a reduced add-on price. NSX provides layer 2 to layer 7 network virtualization, with security policies that follow workloads across the data center for faster network provisioning and management.

And that brings us to today – At first glance, it would appear that all vShield and vCloud Networking and Security products are end of availability and not available for use with vSphere 6.0.  vShield Manager, a component of vCNS, is needed to deploy and mange the vShield Endpoint agent on ESXi hosts, so customers began to question whether vShield Endpoint was licensed and compatible with vSphere 6.0 (and I suspect some of our security partners also began to wonder).  So what’s the deal?

[Read more…] about vShield Endpoint with vSphere 6.0

PCoIP Packet Loss? Don’t Blame the Network!

by 12 Comments

PCoIP Packet Loss Don't Blame The NetworkSeveral months ago I was called into a new customer to diagnose some odd behavior in their VMware View environment. The organization was struggling with constant disconnects and generally poor performance on their View desktops. When users weren’t being randomly disconnected from their desktops, the users experienced lag when dragging windows between multiple monitors, ‘choppy’ graphics/video, and slow application launching. The problems occurred with local and remote users (both WAN and LAN could be involved).  The customer had done some troubleshooting, worked with VMware Support and the their local account team but the problems persisted. Without a resolution and increasingly frustrated users, the local VMware account team recommended that ClearPath be engaged to perform a rapid, yet comprehensive health check and analytic troubleshooting service on the View environment, as well as the related storage, network, and vSphere components.  The customer asked for a 24 hour turn-around on identifying and fixing the problems in the environment, so I had my work cut out for me.

The customer had done a lot of things right – starting with choosing VMware View and pushing a virtual desktop solution to a variety of use cases across the organization. Their vSphere environment was well designed, network was highly redundant and the storage backing View had recently been upgraded to an all-flash array to try to resolve the slowness observed by VDI users. The customer had also implemented VMware vCenter Operations (vCOps) for View and Xangati’s VDI Dashboard to help identify the root cause of the problems. The only major thing that either of the tools showed was major PCoIP packet loss (upwards of 30% much of the time, with spikes much higher) and high PCoIP latency (even on the LAN with sub-1ms latency). Armed with this basic information and admin level access to vSphere and View I rolled up my sleeves and got to work.

Network Analysis

Knowing that high packet loss has been an ongoing condition, I started my investigation with the network. Teradici, the makers of the PC-over-IP Protocol (PCOIP), recommends that packet loss within a single PCoIP protocol session should target less than 0.1%. Higher levels of packet loss can exhibit the behavior experienced by the users. I started with interviewing the network team to understand the topology and configuration. The network team insisted that their network had never lost a packet, and indeed the network was sound. Buffers were not being overflowed and networking gear did not show packet loss at all. Packets did not seem to be re-ordered upstream, a condition that can cause poor PCoIP performance. I also verified that remote users were direct connecting to the View Security Servers without bring wrapped in a TCP/SSL VPN as this can re-order and re-transmit packets when the UDP-based PCoIP stream is wrapped in TCP. Teradici has a knowledge base article titled ‘What Can Cause Packet Loss in a PCoIP Deployment’. I reviewed that, but everything in the article was already eliminated during my time with the network team. Finally, I walked through the PC-over-IP® Protocol Virtual Desktop Network Design Checklist with the team and found a few areas for improvement. With ample bandwidth, no latency, no packet loss, no re-ordering, and almost everything in the checklist already done, I felt fairly confident that the problem was not LAN/WAN related.

So now I have PCoIP packet loss according to View Connection Servers and View desktops, but it isn’t on the network; Now that is interesting. Time to shake up my train of thought on this problem – think outside the box. What if the problem wasn’t really PCoIP packet loss, packet loss was merely a symptom? That’s like treating the sneeze while ignoring the flu. Time to dig deeper into the other components of the environment.

VMware ESXi Host with missing storage connectivityStorage Analysis

Next up: storage. As I mentioned, the customer had recently implemented an all-flash array. I found a few issues with how the array, fabric, and hosts were configured. First, the array was not connected to the hosts with full redundancy as pictured to the right. This setup did not provide multiple paths to the storage array. Having multiple paths not only provides redundancy and resiliency, but can improve performance by taking advantage of additional storage buffers, array cache on both controllers, and greater concurrency of IO activity if using a third-party multipathing plugin like PowerPath/VE.

I looked at the array and found that it was performing well – it was satisfying all of the IOPS being requested by the workload. Cache hits were high, no errors, VMware ESXi Host with Fully Redundant Storage Array Connectivitydropped frames, etc. The storage fabric was 8Gb fiber channel, and was not being taxed as far as throughput was concerned.  Flash is well suited for the high random IO patterns you see in virtual desktops, and great for View Linked Clones where the shared replica disk is hit very hard from an IO perspective.

The flash array did not support VAAI (a firmware update was released the same week to enable VAAI, but it wasn’t on when I started my analysis), so I expected some View Composer operations to be a bit slow, and some SCSI reservation issues if there were too many VMs in a VMFS datastore.  The customer had less than 64 Linked Clones per datastore, so I wasn’t terribly concerned.

I encouraged the customer to patch in all ports on the array to the storage fabric, as well as both HBAs on their hosts, for greater redundancy and better scalability as pictured to the left, but otherwise the storage array and FC switches had a clean bill of health.

View Infrastructure Analysis

Now onto the View management components – vCenter, Composer, Connection Servers and Security Servers. I reviewed the topology to make sure servers were placed on the network in the correct way as shown below:

VMware Horizon View Architecture Diagram Blocks and Pod

The topology was fine, so I looked at the individual servers. Composer and vCenter were configured correctly, and could not be directly implicated in any performance problems on View desktops.

The Connection Servers and Security Servers were not configured with the recommended amount of vRAM and vCPU. While there was no sign of pressure on the servers by my analysis (Windows Perfmon, analyzed by my View PAL tool), I wanted to eliminate any potential problems now (and in the future). VMware recommends 4 or more CPUs and 10GB or more memory on Connection Servers for deployments of more than 50 desktops. I was dealing with several hundred desktops here, so more resources were in order. The customer was able to add resources without downtime. Cross another thing off the list.

vSphere Health Check

Next up I turned my focus to the vSphere environment. I used the vSphere Health Analyzer to quickly access the environment. vSphere Health Analyzer is a tool available to VMware Partners like Clearpath for health check services (a View specific Desktop Health Analyzer, as well as a new version of View Planner – a load testing tool for sizing View environments has since been made available). The tool uncovered about 30 potential issues with vSphere. Out of those, only two could have a significant impact on desktop performance: 1.) NTP was not configured properly on the ESXi hosts, and 2.) many View Desktops were configured to use VMware Tools to get their time from the host. This meant that the desktops were getting invalid time from the hosts. To make matters worse, the Windows Time service was running and trying to get time from the Active Directory hierarchy. This could lead to time flapping as VMware Tools and the Windows Time service fight to set the time. With time flapping occurring, I could see in the Windows event logs that some scripts, GPO processing and other startup tasks were long-running or not completing. This explained the slow booting the IT group saw, but not significant on-going performance issues. I passed on all my findings to the customer and moved on to analyze the desktops themselves.

Horizon View Desktop Analysis

To analyze the desktops I used a combination of Windows Event Viewer logs and Perfmon, which I analyzed in my View PAL tool. Again, a bunch of findings, with several of interest:

  1. The VMware View Optimization for Windows 7 script had not run correctly, so some optimizations were not applied.
  2. AFD Driver adjustment: A simple registry tweak can greatly improve multimedia performance in UDP-based PCoIP View desktops. The registry change is documented here: Low throughput for UDP workloads on Windows virtual machines (2040065)
  3. Lag when dragging windows between multi-monitor View desktops. Users report lag when dragging Windows’ windows between physical monitors. I detailed the fix for this problem here: Lag When Dragging a Window Between Monitors in VMware View. No downtime is required to fix.
  4. Low Paged Pool Memory available per View PAL analysis.
  5. Occasional high kernel times for CPU in perfmon.
  6. High disk latency and disk queue in perfmon.

The first three findings could correct a few of the reported problems, but not the bulk of the problems – especially the constant disconnects during periods of PCoIP packet loss. The last three findings, however, peaked my interest. Low paged pool memory could be related to poor Windows pagefile performance, and high kernel times could be related to poor disk performance – we may have a storage problem after all! High disk latency and queue length backed this up – let’s focus on storage, again.

Putting the Pieces Together

The storage array and fabric were OK, so the only thing left to investigate on the SAN was the HBAs. I also wanted to have another look at the ESXi hosts. The esxtop and vmkernel.log files provides a good way to get a peek at both, so I enabled SSH on the hosts and grabbed a copy of the logs for analysis and watched esxtop for a bit. Here’s what I found:

  1. In esxtop, SCSI Command Termination on storage. Above-0 values observed for Command Aborts in the environment. If the Command Aborts value on any vSphere datastore is greater than zero, storage is overloaded on the storage device hosting that datastore. The main causes of overloaded storage are: a.) Placing excessive demand on the storage device, and b.) Misconfigured storage.
  2. VMFS / File locking. Vkernel.log file on ESXi hosts indicate frequent VMFS file system or VMDK file locking. Error messages in vmkernel.log are similar to the following:

    2013-02-03T04:46:37.833Z cpu38:16655)DLX: 3394: vol ‘VDI_HQ_07’: [Req mode 1] Checking liveness of [type 10c00001 offset 180404224 v 272, hb offset 3256320
    gen 493, mode 1, owner 510d222f-88581291-1c0e-d4ae527fc5d6 mtime 16758 nHld 0 nOvf 0]
    2013-02-03T04:46:41.837Z cpu49:16655)DLX: 3901: vol ‘VDI_HQ_07’: [Req mode: 1] Not free; Lock [type 10c00001 offset 180404224 v 272, hb offset 3256320
    gen 493, mode 1, owner 510d222f-88581291-1c0e-d4ae527fc5d6 mtime 16758 nHld 0 nOvf 0]

  3. Frequent (several times per hour or greater) resets of storage path. Entries such as those in the following example indicate HBA Firmware problems:

    2013-02-03T04:23:05.988Z cpu52:16101)NMP: nmp_ThrottleLogForDevice:2318: Cmd 0x93 (0x412541519180, 8310) to dev “eui.373333656665362d” on path “vmhba5:C0:T4:L0” Failed: H:0x7 D:0x0 P:0x0 Possible sense data: 0x0 0x0 0x0. Act:EVAL
    2013-02-03T04:23:05.988Z cpu52:16101)WARNING: NMP: nmp_DeviceRequestFastDeviceProbe:237:NMP device “eui.373333656665362d” state in doubt; requested fast path state update…
    2013-02-03T04:23:05.988Z cpu52:16101)ScsiDeviceIO: 2324: Cmd(0x412541519180) 0x93, CmdSN 0xde66 from world 8310 to dev “eui.373333656665362d” failed H:0x7 D:0x0 P:0x0 Possible sense data: 0x0 0x0 0x0.

I first checked out VMware’s KB on Interpreting SCSI Sense Codes in ESXi/ESX (289902). The host code of 0x7 could be interpreted as ‘Internal error detected in the host adapter’ per the KB. I then searched the VMware Knowledge Base for possible meanings for this. I found this: When using Emulex HBAs, SCSI commands fail with the status: Storage Initiator Error (1029456).

A quick check and I find that the environment has Emulex HBA’s with seriously outdated firmware. I think I can conclude that the most likely cause of these error messages is an outdated firmware revision on the hosts’ Emulex Fiber Channel Host Bus Adapters (HBA). Other causes may include fiber issues (broken fiber) or FC switch health/configuration, but as the problem can be seen on all hosts, and against both the older EMC array and the new Whiptail array, it is safe to assume that the problem lies upstream from the arrays.

Now I’ve got something really interesting – storage problems on the ESXi hosts. Furthermore, I can observe that at the times when the storage path is reset (timestamps in the logs), VM’s running on connected datastores temporarily freeze. Users perceive this freeze as a Windows hang or as lag. This also explains the poor storage performance and high kernel times in the View desktops. When storage connectivity was lost, VMs couldn’t perform any IO for a bit.

But the big question is, does this HBA issue explain the View disconnects? The answer is yes, and this is how: When storage connectivity was lost via a path reset, IO in the VM stops. When IO in the VM stops the PCoIP Server component of the View Agent on each desktop stops receiving PCoIP packets. The virtual NIC on each desktop was receiving PCoIP packets on the vSwitch port, but the View PCoIP software wasn’t processing those packets. This condition manifests itself as PCoIP Packet Loss when observed through monitoring tools such as VMware vCenter Operations for View or Xangati.

The fix was simple – put the hosts into maintenance mode, shut down the hos,tboot to the Emulex update media, apply the new firmware, and reboot the host.  Rinse and repeat.  After applying the most recent firmware (check the recommended version from your server, storage, FC switch vendor first), the error messages on the hosts stopped appearing and the disconnects, hangs, and sluggishness on the virtual desktops stopped.

Extend the Fix

Now let’s stairstep (the finalstep in my analytic troubleshooting methodology) the cause a bit. Once the PCoIP Server component started dropping a ton of PCoIP packets, View determined that the desktop was disconnected. An ‘automatically logoff after disconnect’ policy was set on the Linked Clone pools, with a setting of ‘immediately’. Then, a policy of ‘Delete desktop on logoff was set’. When PCoIP packets dropped, View logged off users (causing loss of work), then deleted the desktop, and then re-created new desktops to replace those deleted to meet the minimum number of active desktops for the pool. This happened to all desktops on the host when the storage path was reset. Re-provisioning a few hundred desktops per host takes a while, so users had to wait to get back onto their desktop. Not only were users disconnected, but they lost work, then had to wait (sometimes up to an hour) to get onto a new desktop. Angry users are not fun.

Finally, that lack of redundant storage paths that I eliminated as a problem early on? Yeah, that was a bigger problem than I had originally thought. Had more paths been available, it is possible that a path reset might not have caused a chain reaction in the View pools – it may have been just a little blip of unresponsiveness.

Lessons Learned:

  1. Design for redundancy, even if you think you’ll not need it.
  2. The obvious symptom may not immediately explain the problem, so use an analytic troubleshooting methodology to find the root cause.  This looked like a PCoIP packet loss problem, with the network as the obvious culprit at the beginning.  It ended up being an HBA firmware issue that caused storage connectivity problems!
  3. Check your vmkernel.log files often. I almost always find something that is a problem or could be improved on when I look at a customer’s log files.  This is where the new VMware vCenter Log Insight could come in very handy!
  4. While all flash arrays are fast and sexy, they don’t solve all your problems. I wish the customer would have called before dropping the cash for a new array as the existing EMC would have been more than enough.
  5. Engage an expert – a second set of eyes can often uncover issues there you missed.  Not only was I able to identify the root cause of the major issues in the environment, but I was able to provide the customer with a ton of other info (a 50 page report) with other improvements, best practices recommendations, etc.

While the exact problem this customer experienced may not hit your environment, I hope my methodology and lessons learned help you if you experience performance issues, disconnects, or other problems in your VMware Horizon View environment.

Questions? Critiques? Leave a comment below!

Updated HAProxy Load Balancer Virtual Appliance

by 9 Comments

VMware View with HAProxy Load Balanced Security Servers and Connection ServersLast year I shared a free load balancer virtual appliance for VMware View that I created on SuSE Studio.  The load balancer uses HAProxy and came with a very basic configuration for use with VMware Horizon View Connection Servers or Security Servers.  The appliance has been downloaded a few hundred times and has been useful to me in my own home lab.

Since publishing the appliance I have made several changes to the configuration and thought I would share those updates.

You can download the latest version of the appliance in OVF format here: https://susestudio.com/a/R42GDM/vmtoday-vmware-view-load-balancer.

Instructions for setting up and configuring the appliance are on the original post here: https://vmtoday.com/2012/09/free-vmware-view-load-balancer-using-suse-studio-and-haproxy/.

I’ve been asked whether or not this is appropriate for production use; that’s a hard one to answer.  My intent was to provide a simple way to set up load balancing for test/pilot environments.  Here are some thoughts on running this for production/internet facing use:

  • HAProxy is stable and used by many organizations (Reddit, Instagram, Egnyte, RedHat OpenShift, Twitter).
  • I am not a linux guy and as such have not done anything to harden this virtual appliance other than enable the firewall, but a good *nix admin could probably tighten it up a bit.
  • This is a single point of failure unless you create a second instance and use something like keepalived and maybe mercurial to keep configs in sync.
  • No commercial support for my build.  I’ll do what I can to help if you ask nicely, but I do have a day job and family.
  • Logging is not very robust in my build – you would probably want to implement Logwatch, syslog or another mechanism to monitor it.

I’ll leave it up to you to weigh the pros and cons of running my appliance in an internet facing role or in production.

I’ve also been asked if this appliance can support SSL offloading.  The short answer is no.  The long answer is that HAProxy 1.5 (still in development) will offer SSL Offloading, SSL health checks, ACLs and a bunch of other features.  I have also heard of people using Pound with HAProxy to handle SSL offloading, but have not done it myself.  I’m working on a couple articles that describe architectures and options for Horizon View Security Servers and Connection Servers with load balancers and DMZs.  You may find that SSL offloading for VMware Horizon View is not a requirement (at least for those who are using this appliance in a test environment).

Change Log (as of 0.2.16 of the appliance)

  1. Updated HAProxy to 1.4.24-1 as the older version had some vulnerabilities (CVE-2013-2175).  I built the RPM from source for this version as it was not in any public repositories for SLES 11.  Previous versions of my appliance used HAProxy version 1.4.21-3.1.
  2. Cleaned up some of the extraneous packages and old repositories for a leaner build.
  3. Updated VMware Tools to the latest version.
  4. Updated the HAProxy config to:
  • Establish a proper frontend / backend configuration – this will help with the web based admin interface to enable/disable Connection / Security servers during maintenance windows.
  • Removed session stickyness – not working well and really not needed
  • Switched to source-based balancing instead of round robin as some folks reported problems
  • Added some comments to help with configuration.

Here’s the updated configuration for anyone who is rolling their own HAproxy:

### VMware Horizon View LoadBalancer vApp
### HAproxy config by Josh Townsend
### Visit http://vmtoday.com for more info

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
pidfile /var/run/haproxy.pid
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /var/run/haproxy.stat mode 600

defaults
log global
mode tcp
option tcplog
option dontlognull
retries 3
option redispatch
maxconn 3000
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s

userlist UsersFor_HAProxyStatistics
group admin users haproxy
user haproxy insecure-password HA@VmView5
user stats insecure-password letmein

listen stats *:1936
mode http
stats enable
#stats scope http
#stats scope www
#stats scope static
#stats scope static_httpclose
#stats realm Haproxy\ Statistics
stats uri /haproxy?stats
#stats auth haproxy:HA@VmView5
stats refresh 20s
stats show-node
stats show-legends
acl AuthOkay_ReadOnly http_auth(UsersFor_HAProxyStatistics)
acl AuthOkay_Admin http_auth_group(UsersFor_HAProxyStatistics) admin
stats http-request auth realm HAProxy-Statistics unless AuthOkay_ReadOnly
stats admin if AuthOkay_Admin

#————–FRONTEND———————————————–
#———————————————————————
# redirect http to https as View Security Servers don’t listen on 80
# change URL to the DNS name your users use to connect to View
#———————————————————————
frontend inbound-http *:80
mode http
redirect location https://desktop.example.com/
option http-server-close
option forwardfor except 127.0.0.0/8
option httplog
#———————————————————————
# listen for View HTTPS inbound
# use OpenSSL to create cert request, import .pem, uncomment #ssl crt
#———————————————————————
frontend inbound-https
bind :443 #ssl crt ./my_view_cert.pem
mode tcp
option tcplog
default_backend view_https

#———————————————————————
# listen for View PCoIP inbound <- ignore, we don't blanace UDP # PCoIP Secure Gateway Config will tell client which broker to talk to #--------------------------------------------------------------------- #frontend inbound-pcoip # bind :4172 # mode tcp # default_backend view_pcoip #--------------------------------------------------------------------- # listen for View RDP inbound #--------------------------------------------------------------------- #frontend inbound-rdp # bind :3389 # mode tcp # default_backend view_rdp #-----------BACKEND--------------------------------------------------- #--------------------------------------------------------------------- # Define your View Security or Connection Servers here # balance source will use source IP to send to a backend - this may not # be the most equally balanced, but it works reliably. Play with roundrobin # if you are the adventerous type. #--------------------------------------------------------------------- backend view_https mode tcp option tcplog option ssl-hello-chk #make sure we can talk SSL, not just TCP balance source #-- Balance roundrobin with stickyness with 3 lines below------------ #balance roundrobin #stick store-request src #stick-table type ip size 200k expire 30m #--------------------------------------------------------------------- # Add View Security and/or Connection Servers below and uncomment #--------------------------------------------------------------------- #server ALIAS HOSTNAME_OR_IP:443 check id 1 inter 10s rise 5 fall 2 #server ALIAS HOSTNAME_OR_IP:443 check id 2 inter 10s rise 5 fall 2 #server ALIAS HOSTNAME_OR_IP:443 check id 3 inter 10s rise 5 fall 2 #No need for this in my configuration.... #backend view_pcoip # mode tcp # option tcplog # balance roundrobin #--------------------------------------------------------------------- #Next line sticks clients that enter through https-backend to same server for PCoIP. #Session sticking doesn't quite work the way I want, and View is flexible to let me #define a PCoIP Secure Gateway without having to pass thru my load balancer, so #I'll just comment this out and ignore until (if?) I get HAproxy 1.5 with SSL support #when I'll be able to run everything through HAproxy #stick match src table view_https #--------------------------------------------------------------------- # Add View Security and/or Connection Servers below and uncomment #--------------------------------------------------------------------- #server ALIAS HOSTNAME_OR_IP:4172 check id 1 #server ALIAS HOSTNAME_OR_IP:4172 check id 2 #server ALIAS HOSTNAME_OR_IP:4172 check id 3 #No need for this in my configuration....you can play with different protocols if you want... #backend view_rdp # mode tcp # option tcplog # balance roundrobin # stick-table type ip size 200k expire 30m # stick on src #--------------------------------------------------------------------- # Add View Security and/or Connection Servers below and uncomment #--------------------------------------------------------------------- #server ALIAS HOSTNAME_OR_IP:4172 check id 1 #server ALIAS HOSTNAME_OR_IP:4172 check id 2 #server ALIAS HOSTNAME_OR_IP:4172 check id 3 [/sourcecode] The source for my HAProxy RPM build, HAProxy cfg and other files for the appliance are now in a GitHub Repository if you want to check it out or fork it.

OVF Import The specified operating system identifier "(id:83)" is not supportedOne final note – when you import the OVF into vSphere, you may get a warning stating that “The specified operating system identifier “(id:83)” is not supported on the selected host.”  I’m not sure why, but this is easily fixed.  Don’t power up the VM on import.  After the import is completed, edit the settings of your VM.  On the Options tab, click General Options, then change the Linux Version to SuSE Linux Enterprise 11 (64-bit).  Power up your VM and everything should be just fine.

Change VM linux version

Special thanks to Mark K for some suggestions for improving the configuration.  Let me know if you have any problems, questions, or suggestions for improvement.  Also feel free to leave a comment below to let me know of some creative ways you are using this appliance.