mylesagray / blog-comments

Comments for Blah, Cloud. Hugo blog

Using NginX as a load-balancer for VMWare Horizon View security servers | Blah, Cloud #14

Open mylesagray opened 2 years ago

mylesagray commented 2 years ago

Written on 04/07/2014 13:32:53

URL: https://blah.cloud/infrastructure/using-nginx-load-balancer-vmware-horizon-view-security-servers/

mylesagray commented 2 years ago

Comment written by lihak on 06/07/2014 00:04:52

Great Article - even if I am new to view - nginx! I would like to know, if possible - how do you determine the worker-connections setting in relation to the expected amount of view clients? Let's say I want a view setup for ~ 500 clients.
One more thing that has me scratching my head is the ssl configuration between the connection servers and the load balancers. Can you provide some suggestions on this subject? Thank you.

mylesagray commented 2 years ago

Comment written by Myles Gray on 06/07/2014 13:22:06

Hey lihak,

Well it depends on your keep-alive timeout (as this determines how long after disconnection a connection stays open), but if you have a maximum of 500 clients it comes down to a few factors:

1) Set up 1 NginX worker per CPU core/thread - so on a quad core VM set it up to be 4 worker_processes.

2) The worker_connections directive tells NginX how many connections to maintain per worker process - there are of course 2 per client connection (one to client, one to the proxied server) so 1024 is fine as this would give you 512 clients per worker process - or a total of 2048 client connections without too much server load. (If you are concerned you can load test your solution and see how it reacts with something like LoadImpact: http://loadimpact.com/ it will tell you all you'll ever need to know about your config)

This article is good for explaining what NginX directives do what: http://blog.martinfjordvald...

Not sure what problems you're having with the SSL config between connection servers and LBs - all you have to do is set up the NginX "upstream" directive as above and as all connections for "view.company.com" go straight to the NginX box (because you set up your DNS to do that initially) when NginX gets a request for view.company.com it then proxies the connections to the backend "upstream" servers - you don't need any explicit config on the Security or Connection servers.

This is different from VMWare Horizon Workspace which you need to add "use external load balancer" into the config but that's not related and for another article.

Does that help any?
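The sizing and upstream handoff described in the reply above, written out as an added example (not the article's or the commenter's own configuration). The upstream name, addresses, certificate paths, `ip_hash`, the `worker_rlimit_nofile` value and the upstream certificate verification block are assumptions for illustration.

```nginx
# Added example: placeholder addresses and paths throughout.

worker_processes     4;      # one worker per CPU core/thread (quad-core VM)
worker_rlimit_nofile 4096;   # assumption: keep the per-worker fd limit above worker_connections

events {
    # Each proxied client uses two connections (client side + upstream side),
    # so 1024 connections is roughly 512 clients per worker.
    worker_connections 1024;
}

http {
    # Idle keep-alive connections still count against worker_connections
    # until this timeout expires (example value).
    keepalive_timeout 65s;

    upstream view_security_servers {
        ip_hash;                   # assumption: pin each client to one backend
        server 192.0.2.11:443;     # security server 1 (placeholder)
        server 192.0.2.12:443;     # security server 2 (placeholder)
    }

    server {
        listen      443 ssl;
        server_name view.company.com;   # DNS for this name points at the NginX box

        ssl_certificate     /etc/nginx/ssl/view.company.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/view.company.com.key;   # placeholder

        location / {
            proxy_pass       https://view_security_servers;
            proxy_set_header Host $host;

            # nginx does not verify the upstream certificate by default;
            # these three directives turn verification on.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.pem;  # placeholder
            proxy_ssl_name                view.company.com;  # assumption: name on the backend cert
        }
    }
}
```

This covers only the HTTPS leg on port 443; it does not address any other ports the Horizon client may use.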

mylesagray commented 2 years ago

Comment written by lihak on 06/09/2014 13:07:41

Oh yes - it helps a lot especially for a "beginner"! Thanks for the fast reply, explanation and links. First of all, I have successfully implemented your config and it works pretty well.
Concerning the ssl config, we have used certs for the security server (dmz without lb) so I was curious and wondering if anything else should be applied, but it was just a lack of understanding. You gave a clear explanation. Thanks again - I will read "Fjordvald's" article to become more familiar with nginx range of features.

mylesagray commented 2 years ago

Comment written by Nicolae Iosif (@nicolae_iosif) on 10/15/2015 12:40:25

Thanks a lot, this helped me in openstack.

mylesagray commented 2 years ago

Comment written by jer on 03/22/2016 21:51:49

Wondering if a site has two connections and the security server is in FT, do you really need two security servers? I ask because I haven't set up nginx yet, so I am wondering if I really need to have two security servers. Max clients is around 40 users from the outside. We would like to set up nginx in the colo to add some load balancing on the internet connections for the office.

mylesagray commented 2 years ago

Comment written by Myles Gray on 03/23/2016 21:12:22

You mean you have VMware FT on the Security Server?

If so, strange application of it, FT is generally only useful if:

1) Your app is not natively highly available (security servers are with redundant LB)
2) You have 10Gig networking
3) There is no feasible other way to provide redundancy to the app

What is the reasoning for not having two security servers - admin overhead is almost nothing?

mylesagray commented 2 years ago

Comment written by fchapeau on 10/13/2016 17:57:15

Very cool stuff, but I still can't get it to work. I'm running Horizon in my home lab and I can't login to it from the outside. In my case, I don't use two security servers, I only have one, so I proxy_pass directly to my security server. But when I do that, I am unable to connect to the server. I can access it from the web, but when I try to login with the Horizon Client, it asks me for my username/password, which I gladly provide, then it tells me that it could not establish the tunnel connection. It does this from the inside and from the outside of the network. I managed to make it work by forwarding all https traffic to the security server, but that disables my ability to host websites, which is a bit annoying, so I really want to go through a reverse proxy. Any insight?

So: [External client] -> [Gateway] -> [Nginx reverse proxy] -> [Horizon Security Server] -> [Horizon connection server]

mylesagray commented 2 years ago

Comment written by Myles Gray on 10/13/2016 19:56:39

Have you checked against the list of ports required for security server to clients?

https://kb.vmware.com/selfs...

Have a feeling the client may be trying to connect on a port other than 80/443 - you can also try looking at the TCP connections to the server and see if that's the case?

mylesagray commented 2 years ago

Comment written by jonkensy on 03/07/2017 21:56:45

Having issues with this as well. I have Horizon 7 deployed. If I NAT HTTPS (443) to the Security Server, everything works great. If I NAT HTTPS (443) to the NGINX LB/reverse proxy, I just get "Could not establish tunnel connection." I know the SSL reverse proxy on NGINX is working properly because I have other sites using it on the same setup. Any thoughts?

mylesagray commented 2 years ago

Comment written by Juan Alfonso Valdes Jr. on 02/12/2018 03:22:16

Did you ever figure out the reverse proxy with Horizon? I came across the same issue.