
SIMPLIFY, SCALE, AND SECURE
YOUR PCoIP ARCHITECTURE FOR
VMWARE HORIZON VIEW WITH F5
Marc Chisinevski, F5 Solution Engineer, VMware Alliance
Today’s Agenda
• Quick Introduction to Application Delivery Controllers (ADC)
• What’s new in APM v11.4
• What is PC-over-IP (PCoIP) Proxy
• How F5 adds Value to VMware Horizon View
• Questions, answers, and Key Takeaways
F5 Delivers an Intelligent Services Framework
An integrated device with STRATEGIC AWARENESS

APPLICATION AWARENESS
• Understands and adapts application resources based on user context and expected application behavior
• Full application state visibility and complete session inspection
• Provides total control of all user and application traffic in and out of the data center

USER AWARENESS
• Proxies and inspects 100% of inbound user traffic
• Determines user environment such as device type and location
• Applies application delivery policies based on real-time business needs

RESOURCES AWARENESS
• Provides real-time traffic management decisions based on application performance
• Assists with capacity planning
• Delivers true application delivery optimization without the need to rewrite applications
Full Intelligence Requires a Full Proxy
Two complete OSI stacks (client side and server side): Application, Session, Network, Physical
IT = Complete Control
Business = Reduced Delivery Costs
HORIZON SUITE
The platform for workforce mobility
• Horizon View (NEW v5.2): complete desktop and application virtualization
• Horizon Mirage (NEW v4.0): centralized layered image management for local deployment
• Horizon Workspace (NEW v1.0): multi-device workspace for IT services
F5 + HORIZON SUITE
Support for VMware validated solutions
• Mobile Secure Desktop
• Business Process Desktop
• AlwaysOn Desktop
• Branch Office Desktop
Unique F5 solutions
• PCoIP Proxy
• Single Namespace
• Username Persistence
Intelligent traffic management and security
• Local and global traffic management
• Multi-site and multi-pod deployments
• Access management and data center firewall
Diagram: Horizon View, Horizon Mirage and Horizon Workspace delivered through the F5 Intelligent Services Framework (Secure • Fast • Available; anywhere, any service, any device; intelligent; dynamic, agile, adaptive)
PC-over-IP (PCoIP) Overview
• What is PCoIP?
• How does it relate to other protocols?
• What is the PCoIP proxy?
Three separate connections
• HTTPS 443 auth
  • SSL Negotiation, PCoIP Control Channel setup
• PCoIP Session negotiation – 4172 TCP
• PCoIP Session – 4172 UDP
View Authentication and PCoIP Protocol
Client:
<?xml version="1.0"?>
<broker version="5.0">
  <get-configuration/>
  <set-locale><locale>enus</locale></set-locale>
</broker>

Server:
<?xml version="1.0"?>
<broker version="6.0">
  <set-locale><result>ok</result></set-locale>
  <configuration>
    <result>ok</result>
    <broker-guid>a824b347-29a4-46a3-a868-53006d9e3837</broker-guid>
    <broker-service-principal><type>kerberos</type><name>[email protected]</name></broker-service-principal>
    <authentication>
      <screen>
        <name>windowspassword</name>
        <params><param><name>domain</name><values><value>BD1</value></values></param></params>
      </screen>
    </authentication>
  </configuration>
</broker>

Client:
<?xml version="1.0" encoding="UTF-8"?>
<broker version="6.0">
  <do-submit-authentication>
    <screen>
      <name>windowspassword</name>
      <params>
        <param><name>username</name><values><value>ee</value></values></param>
        <param><name>domain</name><values><value>BD1</value></values></param>
        <param><name>password</name><values><value>password</value></values></param>
      </params>
    </screen>
  </do-submit-authentication>
</broker>

Server:
<?xml version="1.0"?>
<broker version="6.0">
  <submit-authentication>
    <result>ok</result>
    <user-sid>S-1-5-21-3758468571-3340120723-2926298490-1116</user-sid>
    <offline-sso-disabled>false</offline-sso-disabled>
    <offline-sso-cache-timeout>15</offline-sso-cache-timeout>
    <logout-on-host-suspend-enabled>true</logout-on-host-suspend-enabled>
  </submit-authentication>
</broker>

Client:
<?xml version="1.0"?>
<broker version="5.0">
  <get-tunnel-connection/>
  <get-desktops>
    <supported-protocols>
      <protocol><name>RDP</name></protocol>
      <protocol><name>PCOIP</name></protocol>
    </supported-protocols>
  </get-desktops>
  <get-user-global-preferences/>
</broker>

Server:
<?xml version="1.0"?>
<broker version="6.0">
  <tunnel-connection>
    <result>ok</result>
    <connection-id>11A90FA2_0B36_4FB9_8976_E656585ADFA8</connection-id>
    <status-port>16748</status-port>
    <server1>https://USSJ-DEMO-VSS1.bd.f5.com:443</server1>
    <server2></server2>
    <generation>4</generation>
    <certificate-thumbprint-algorithm>SHA-1</certificate-thumbprint-algorithm>
    <certificate-thumbprint>be:ba:ca:d4:6e:c9:83:48:57:46:81:17:40:ae:20:ba:00:f6:a3:38</certificate-thumbprint>
  </tunnel-connection>
  <desktops>
    <result>ok</result>
    <desktop>
      <id>CN=ussj-pod1finance,OU=Applications,DC=vdi,DC=vmware,DC=int</id>
      <name>Finance in Pod 1 in San Jose</name>
      <type>sticky</type>
      <state>disconnected</state>
      <session-id>BD1\dd(cn=s-1-5-21-3758468571-3340120723-2926298490-1116,cn=foreignsecurityprincipals,dc=vdi,dc=vmware,dc=int)/2@cn=ad6d4eb8-93c5-43cc-92fa-aa902dee2b79,ou=servers,dc=vdi,dc=vmware,dc=i
PCoIP protocols
• PCoIP Session negotiation – 4172 TCP
  • Client: using the DNS name, Desktop Name, Connection ID, and Certificate thumbprint, connects on 4172 TCP
  • Server: performs the secret layer of Teradici security mechanisms, then sends the client instructions on how to connect to the desktop, including the PCoIP External URL, which is an IP address
• PCoIP Session – 4172 UDP
  • Client: establishes the third connection using the PCoIP External URL
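The tunnel-connection reply in the exchange above hands the client a connection ID, a status port, the tunnel server URL and a certificate thumbprint, and the thumbprint is there so the client can pin the server it is about to contact on 4172 TCP. As an added example (not F5 or VMware code), the Python below parses such a reply and compares the certificate the tunnel server presents against the advertised thumbprint; SAMPLE_REPLY is a constructed copy of the server message above, and the "certificate" bytes used for checking are constructed as well.

```python
"""Parse a View broker <tunnel-connection> reply and pin the tunnel server's
certificate to the advertised thumbprint. Added example, not F5/VMware code;
SAMPLE_REPLY is constructed from the server message shown on the slide."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the tunnel-connection part of the broker reply above.
SAMPLE_REPLY = """<?xml version="1.0"?>
<broker version="6.0">
  <tunnel-connection>
    <result>ok</result>
    <connection-id>11A90FA2_0B36_4FB9_8976_E656585ADFA8</connection-id>
    <status-port>16748</status-port>
    <server1>https://USSJ-DEMO-VSS1.bd.f5.com:443</server1>
    <certificate-thumbprint-algorithm>SHA-1</certificate-thumbprint-algorithm>
    <certificate-thumbprint>be:ba:ca:d4:6e:c9:83:48:57:46:81:17:40:ae:20:ba:00:f6:a3:38</certificate-thumbprint>
  </tunnel-connection>
</broker>"""

# Thumbprint algorithms the client will honour; anything else fails closed.
HASHES = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}

def parse_tunnel(xml_text):
    """Return the fields the client needs for the 4172/TCP session negotiation."""
    root = ET.fromstring(xml_text)
    tc = root.find("tunnel-connection")
    if tc is None or tc.findtext("result") != "ok":
        raise ValueError("broker did not grant a tunnel connection")
    return {
        "connection_id": tc.findtext("connection-id"),
        "status_port": int(tc.findtext("status-port")),
        "server": tc.findtext("server1"),
        "thumbprint_alg": tc.findtext("certificate-thumbprint-algorithm"),
        "thumbprint": tc.findtext("certificate-thumbprint", "").lower(),
    }

def fingerprint(cert_der, alg_name):
    """Colon-separated hex digest of a DER certificate, in the broker's format."""
    digest = HASHES[alg_name](cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def thumbprint_matches(tunnel, cert_der):
    """True only if the presented certificate hashes to the advertised thumbprint,
    pinning the tunnel server independently of the CA chain."""
    if tunnel["thumbprint_alg"] not in HASHES:
        return False  # unknown algorithm: refuse rather than skip the check
    return fingerprint(cert_der, tunnel["thumbprint_alg"]) == tunnel["thumbprint"]
```

In a real client the DER bytes come from the TLS handshake with server1 (for example `ssl.SSLSocket.getpeercert(binary_form=True)`); a mismatch means the connection must be abandoned before any PCoIP session negotiation.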
VMware Horizon View Value Adds
Marc Chisinevski, Solution Engineer, VMware Alliance
PCoIP Proxy – Simplify Your Architecture
Diagram: architecture before and after introducing the PCoIP Proxy
• F5 Access Policy Manager (APM) offers full proxy support for PCoIP
• Removes Security Servers
• Unified global access to all allowed applications and network locations
PCoIP Proxy – Simplify Your Architecture
• Reduce Windows Licensing Costs
• Reduce Operational Costs
  • Initial Security Hardening Tasks
  • Maintenance/Patching
  • SSL Cert Management
• Reduced set of FW Rules / ACLs / NATs
• Conserve Resources
  • Public IP Addresses
Three separate connections
• HTTPS 443 auth
  • SSL Negotiation, PCoIP Control Channel setup
• PCoIP Session negotiation – 443 / 4172 TCP
• PCoIP Session – 4172 UDP
Hardened Security for VMware Horizon View
• BIG-IP Advanced Firewall Manager (AFM)
• Protect with a full-proxy firewall
• Simplify security architecture
• Ensure application availability
Username Persistence Use Case
• Username Persistence is a Solution.
• Active/Active Multi-Data Center View solution
• Enhances VMware’s “AlwaysOn” Solution
• Co-engineering effort with VMware Field and PSO
• Uptake in hospitals and large enterprises
Username Persistence flow (slide diagram):
• The client sends a DNS query for view.company.com. iQuery health checks run against both pods, East (10.1.1.20) and West (192.168.2.20).
• DNS answer: the user has the lowest latency to the West pod, so the reply is "view.company.com. IN A 192.168.2.20" and the client connects to 192.168.2.20.
• LTM uses an OOB method to query the View Events DBs and writes the data to an internal table:
  User Name   | Current Pod?
  Bob Smith   | West
  Fran Kelly  | East
  Jim Adams   | None
  etc…
• The password is cached using 256 bit encryption.
• APM queries Active Directory: username (UN) and password (PW) are sent to AD, which returns the user's domain group membership.
• LTM looks up the user's <Current Assignment> in the table; APM obtains the user's current pod and pool member.
• Based on the pod and pool info in AD, LTM sends the user to the correct View server.
• The View Server replies with a user token. The client uses that token to automatically reconnect directly to the View server.
Questions, Answers, and Key Takeaways
• APM offers full proxy support for PC-over-IP
• Simplifies VMware Horizon View architectures
• Delivers hardened security and increased scalability
• Username Persistence is the only multi-pod, Multi-Data Center View solution
• F5 is the first and only to provide this functionality
Where to Find More info…
• F5 Documentation:
  • http://f5.com/view
• VMware Documentation:
  • http://www.vmware.com/solutions/desktop/business-process-desktop/partners.html
  • http://www.vmware.com/solutions/desktop/mobile-secure-desktop/partners.html
  • http://www.vmware.com/solutions/desktop/remote-branch/partners.html
  • http://www.vmware.com/solutions/desktop/always-on-desktop/partners.html
• Third Party Documentation:
  • http://public.dhe.ibm.com/common/ssi/ecm/en/xsb03031usen/XSB03031USEN.PDF
  • https://communities.netapp.com/docs/DOC-23032