Omnissa Horizon Load Balancing

What is Omnissa Horizon #

Omnissa Horizon is a versatile suite of products designed to securely deliver virtual desktops and applications through a modern, adaptable architecture that supports both on-premises and cloud deployments. It enables organizations to optimize collaboration, support a variety of client devices, and ensure a seamless user experience regardless of location or network conditions. Omnissa Horizon offers centralized management of desktops and apps, emphasizing strong security, streamlined patching, and comprehensive access control, making it ideal for remote and hybrid work environments. It also includes advanced solutions like Desktop as a Service (DaaS) and hybrid cloud management, with core platforms such as Horizon 8 and Horizon Cloud Service – next-gen, all of which can be enhanced with additional tools like App Volumes and Workspace ONE.

Horizon Components #

Understanding the key components involved in a Horizon connection is essential for managing and configuring the system effectively. Below is a detailed overview of these components:

Horizon Client #

The Horizon Client is the application installed on a user’s device, allowing access to Horizon-managed systems. It establishes a connection with the Horizon environment where the Horizon Agent is installed. For devices where installing the Horizon Client is not feasible, users have the option to use a web browser as an HTML client, providing a flexible access method.

Horizon Agent #

Installed on the guest operating system of target machines, the Horizon Agent is crucial for enabling communication between the Horizon infrastructure and the virtual or physical desktops. This agent allows the Connection Servers to manage these machines and facilitates the creation of a protocol session between the Horizon Client and the target system. The Horizon Agent can be deployed on various types of machines, including virtual desktops, Remote Desktop Session Hosts (RDS Hosts), physical desktop PCs, and blade PCs.

Connection Server #

The Horizon Connection Server acts as the central broker, securely managing and directing user connections to the Horizon Agent installed on desktops and RDS Hosts. It handles user authentication through Active Directory and ensures that requests are routed to the appropriate resources based on user entitlements. This server plays a pivotal role in establishing and maintaining the connection between users and their virtual or remote desktop environments.

Unified Access Gateway #

The Unified Access Gateway (UAG) is a virtual appliance designed to provide secure remote access from external networks to internal resources, including those managed by Horizon. It can be deployed in the corporate DMZ or internal network and functions as a proxy for connections to company resources. The UAG processes authenticated requests, directing them to the appropriate resources while blocking unauthenticated ones. It can also perform authentication itself, adding an extra layer of security when configured to do so.

Each of these components plays a critical role in ensuring a seamless and secure Horizon experience, from user access to system management and resource allocation.

Why load balance Omnissa Horizon #

Load balancing is crucial for Omnissa Horizon because it significantly enhances both service availability and scalability, ensuring a robust and seamless user experience. By deploying a load balancer, you can horizontally scale your environment, adding additional Connection Servers (CS) or Unified Access Gateways (UAG), which directly increases the number of concurrent sessions the system can support. This scalability is essential for accommodating growing user demands without compromising performance.

Moreover, load balancing improves service availability by automatically redirecting traffic to available components if a CS or UAG goes offline. This ensures continuous access and minimizes downtime, maintaining a consistent and reliable service for users. Additionally, a load balancer allows users to access the service through a single URL, simplifying the experience and removing the need for them to know specific server URLs.

Beyond these core benefits, some load balancers offer advanced features like SSL offloading, enhanced security, real-time analytics, and more, which can further optimize and secure the Horizon environment. Understanding these capabilities is vital, as they can influence the overall architecture and effectiveness of your deployment.

The benefits of load balancing Omnissa Horizon are therefore:

  • Optimized Performance: Load balancing helps prevent any single server from becoming overwhelmed by distributing workloads evenly. This optimizes the performance of Omnissa Horizon, ensuring that users experience fast, reliable access to virtual desktops and applications, even during peak usage times.
  • High Availability: By spreading the load across multiple servers, load balancing enhances the availability of Omnissa Horizon services. If one server fails or experiences issues, the load balancer can redirect traffic to other healthy servers, minimizing downtime and ensuring continuous access for users.
  • Scalability: As demand for virtual desktops and applications grows, load balancing allows Omnissa Horizon to scale effectively. It can dynamically adjust to increased workloads by balancing traffic across additional servers, ensuring that the platform can handle growing user bases and fluctuating workloads without compromising performance.
  • Enhanced Security: Load balancing can also play a role in security by distributing traffic in a way that mitigates the risk of distributed denial-of-service (DDoS) attacks. By spreading out requests, it reduces the likelihood that any single server becomes a point of failure due to malicious traffic.
  • Resource Efficiency: Efficient load distribution ensures that the resources within Omnissa Horizon are utilized optimally. This prevents underutilization of some servers while others are overburdened, leading to better overall system efficiency and cost-effectiveness.

In summary, load balancing is essential for maintaining the performance, availability, scalability, security, and efficiency of Omnissa Horizon, ensuring that it can meet the demands of modern enterprises and provide a seamless user experience.

Different ways of Horizon load balancing #

Horizon can leverage load balancers in three key areas:

Load Balancing Horizon 8 Connection Servers #

In a Horizon deployment, load balancing the Connection Servers (CS) is crucial for distributing user session requests evenly across multiple servers. This not only enhances the environment’s capacity to handle more concurrent sessions but also ensures continuous service availability. If one Connection Server goes offline, the load balancer redirects new sessions to the remaining active servers, preventing downtime and maintaining a seamless user experience.

Load Balancing Unified Access Gateways (UAG) #

Unified Access Gateways are essential for secure remote access to Horizon environments. By load balancing the UAGs, you can distribute incoming remote user connections across multiple gateways, ensuring that no single UAG is overwhelmed. This setup increases the number of users that can connect simultaneously while also enhancing security and reliability. Should a UAG fail, the load balancer reroutes connections to other available gateways, maintaining uninterrupted access.

Load Balancing App Volumes Managers #

App Volumes Managers are responsible for managing and delivering applications and user profiles in a Horizon environment. Load balancing these managers ensures that application delivery remains efficient and scalable, even as user demand grows. Although this post won’t delve into the details of load balancing App Volumes Managers, it’s worth noting that implementing this can further optimize the performance and reliability of your Horizon deployment.

Omnissa Horizon Load Balancing Solutions

Each load balancer or load balancer-as-a-service operates differently, and the architecture may need to be tailored to achieve the desired outcomes in your specific Horizon environment. In this article, we’ll walk you through how to load balance Horizon using the RELIANOID Load Balancer, addressing all the specific requirements your project may need.

Understanding Horizon Connectivity Protocols #

Understanding the protocols involved in a Horizon connection is crucial for grasping how the system operates. A Horizon connection involves multiple protocols and unfolds in two distinct phases:

Primary Protocol: XML-API over HTTPS #

The initial phase of a Horizon connection employs the XML-API protocol over HTTPS. This primary protocol is responsible for:

  • Authentication: Verifying user credentials.
  • Authorization: Ensuring the user has the appropriate permissions.
  • Session Management: Handling the setup and maintenance of the user session.

Once the user is successfully authenticated using this primary protocol, the system transitions to the secondary protocols for ongoing communication.

Secondary Protocols: Session Protocol Traffic #

After successful authentication, the Horizon Client establishes a session using one or more secondary protocols to interact with the resource. These protocols include:

  • PCoIP (PC-over-IP): Optimized for delivering high-quality desktop experiences with minimal latency.
  • Blast: Designed for efficient performance and bandwidth utilization.
  • HTTPS Tunnel: Handles side-channel traffic such as Client Drive Redirection (CDR) and Multimedia Redirection (MMR), facilitating additional functionalities during the session.

Horizon Connectivity Protocols

Internal Connections #

In internal network scenarios, the Horizon Client connects directly to the Connection Server and subsequently to the Horizon Agent on the target machine. This setup typically involves:

  • Initial Authentication: The Horizon Client communicates with the Connection Server for user authentication.
  • Secondary Protocol Session: Following authentication, the Horizon Client establishes a direct session with the Horizon Agent on the desktop or RDSH server.

Communication Flow Overview #

1. User Login and Authentication:

  • The Horizon Client logs into the Connection Server.
  • The Connection Server verifies user entitlements.
  • The user selects a desktop or application to access.

2. Session Establishment:
The Horizon Client then connects to the Horizon Agent running on the selected desktop or RDSH server, using the appropriate secondary protocols for the session.

This dual-phase process ensures secure, efficient, and seamless access to Horizon-managed resources, both within internal networks and through external connections.

Network Ports for Horizon Connectivity #

Proper configuration of network ports is crucial for ensuring seamless communication between components in a Horizon deployment. Understanding these port requirements helps facilitate successful connections and efficient data transfer. Below is a detailed overview of the network port requirements for different connection types within a Horizon environment.

Network Port Requirements #

1. Horizon Connection Servers Port: TCP 443
2. Horizon Agent (Desktop or RDS Host) Ports:

  • Blast Extreme Protocol Session: TCP 22443, and optional UDP 22443
  • PCoIP Protocol Session: TCP and UDP 4172
  • RDP Protocol Session: TCP 3389

Please note that Horizon uses bidirectional UDP protocols, meaning that firewalls must be configured to handle traffic in both directions.

By understanding and properly configuring these network port requirements, you can ensure reliable and efficient connectivity across your Horizon deployment.

External Connections #

When dealing with external connections, communication typically occurs through a Unified Access Gateway (UAG) appliance. This setup ensures secure remote access to Horizon-managed resources. Here’s a detailed look at how the connection process works:

Connection Process #

1. Initial Authentication:

  • Horizon Client to Unified Access Gateway: The connection starts when the Horizon Client communicates with the Unified Access Gateway. This phase involves user authentication and initial session setup.
  • Unified Access Gateway to Connection Server: Once authenticated, the Unified Access Gateway forwards the request to the Connection Server to verify user entitlements and resource access.

2. Protocol Session Connection:

  • Horizon Client to Unified Access Gateway: After the initial authentication, the Horizon Client establishes a protocol session connection through the Unified Access Gateway.
  • Unified Access Gateway to Horizon Agent: The session then continues from the Unified Access Gateway to the Horizon Agent on the target desktop or Remote Desktop Session Host (RDSH).

Gateway Services #

The Unified Access Gateway can support several gateway services, including the Blast Secure Gateway, PCoIP Secure Gateway, and HTTPS Secure Tunnel.

When deployed in a Horizon environment, Unified Access Gateway (UAG) High Availability (HA) utilizes a Round Robin approach combined with Source IP Affinity to manage traffic distribution among UAGs. However, this method only ensures high availability for XML-API over HTTPS traffic. It does not extend high availability to session protocol traffic, such as Blast or PCoIP.

While it is valid to place a load balancer between UAGs and Connection Servers, it prevents the UAG from detecting failures of individual Connection Servers. This can complicate troubleshooting and impact the reliability of the connection.

Important Note: Ensure that the Blast Secure Gateway and PCoIP Secure Gateway are not also enabled on the Connection Server itself. If both are enabled on the UAG and Connection Server, it would result in a double-hop scenario for protocol traffic, which is unsupported and can lead to connection failures.

Horizon Connectivity with Unified Access Gateway

1. User Authentication:

  • The user logs into the Connection Server via the Horizon Client, which first connects through the Unified Access Gateway.
  • The Connection Server checks user entitlements and resources.

2. Resource Access:

  • After authentication, the user selects a desktop or application.
  • The Horizon Client then establishes a connection to the Horizon Agent running on the selected desktop or RDSH, routing through the Blast Secure Gateway on the same Unified Access Gateway where authentication occurred.

Horizon Load Balancing Architecture #

When implementing load balancing for Horizon traffic across multiple Unified Access Gateway (UAG) appliances, it is critical to manage both primary and secondary protocols effectively to ensure a seamless user experience. Here’s a comprehensive overview of the considerations and strategies involved:

Primary and Secondary Protocol Routing #

1. Primary Protocol Load Balancing:
The primary XML-API connection protocol, which handles authentication, authorization, and session management, must be load balanced to ensure users are directed to the correct UAG appliance.

2. Secondary Protocol Session Routing:

  • Consistent Session Handling: Once authenticated, secondary protocol traffic (e.g., Blast or PCoIP) must be routed to the same UAG appliance that handled the primary XML-API connection. This consistency allows the UAG to correctly manage the session based on user credentials and session state.
  • Misrouting Issues: If secondary protocol sessions are directed to a different UAG appliance, the session will not be authorized. This misrouting can cause connections to be dropped and sessions to fail. Proper configuration of the load balancer is essential to avoid these issues.

3. Load Balancer Affinity:
The load balancer must ensure that all traffic related to a session (typically lasting up to 10 hours) continues to be routed to the same UAG appliance. This is achieved through session affinity mechanisms such as source IP persistence.

4. Routing Secondary Protocols:
There are two primary methods for managing secondary protocol traffic:

  • Through the Load Balancer: With advanced load balancers like VMware NSX Advanced Load Balancer (formerly Avi), both primary and secondary protocol traffic can be managed through the same service engines, using source IP affinity to maintain correct routing. This method requires only a single public IP address.
  • Direct Routing: If the load balancer does not support this or if source IP affinity is not feasible, an alternative is to use dedicated IP addresses for each UAG appliance. This approach, often referred to as the N+1 VIP method, involves using a load-balanced VIP for the primary protocol while routing secondary protocol traffic directly to specific UAG IPs.
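
The affinity requirement above, as an added example that is not part of the original article or of RELIANOID's code: a simplified Python model of Round Robin with Source IP persistence in front of three UAGs. The class names, addresses and persistence timeout parameter are constructed for illustration. It shows a persistence window shorter than the session sending a new Blast/PCoIP connection to a UAG that never authenticated the user, and a single NAT address pinning all of its users to one appliance.

```python
import itertools
from collections import Counter

HOUR = 3600

class UAG:
    """Constructed stand-in for a UAG appliance: it only authorizes
    secondary-protocol traffic for clients it authenticated itself."""
    def __init__(self, name):
        self.name = name
        self.authenticated = set()

    def xml_api_login(self, client_ip):
        self.authenticated.add(client_ip)

    def accepts_secondary(self, client_ip):
        return client_ip in self.authenticated

class Layer4Farm:
    """Round Robin scheduling with Source IP persistence (simplified model)."""
    def __init__(self, backends, persistence_ttl):
        self._rr = itertools.cycle(backends)
        self.ttl = persistence_ttl
        self.table = {}  # source IP -> (backend, time of last new connection)

    def route(self, client_ip, now):
        entry = self.table.get(client_ip)
        if entry and now - entry[1] <= self.ttl:
            backend = entry[0]          # persistence hit: same UAG as before
        else:
            backend = next(self._rr)    # missing or expired entry: scheduler picks
        self.table[client_ip] = (backend, now)
        return backend

def new_farm(ttl):
    return Layer4Farm([UAG("uag-1"), UAG("uag-2"), UAG("uag-3")], ttl)

def session_outcome(ttl, reconnect_at):
    """Log in at t=0, let one other client log in, then open a new
    Blast/PCoIP connection at reconnect_at seconds.
    Returns (login UAG, secondary UAG, authorized?)."""
    farm = new_farm(ttl)
    client = "203.0.113.10"             # constructed documentation address
    login_uag = farm.route(client, now=0)
    login_uag.xml_api_login(client)
    other = "198.51.100.7"              # unrelated user advances the scheduler
    farm.route(other, now=60).xml_api_login(other)
    secondary_uag = farm.route(client, now=reconnect_at)
    return login_uag.name, secondary_uag.name, secondary_uag.accepts_secondary(client)

def nat_distribution(users_behind_nat, ttl=10 * HOUR):
    """All users behind one NAT address share a single persistence entry."""
    farm = new_farm(ttl)
    hits = Counter(farm.route("192.0.2.1", now=i).name for i in range(users_behind_nat))
    return dict(hits)

if __name__ == "__main__":
    print(session_outcome(ttl=10 * HOUR, reconnect_at=8 * HOUR))  # stays on one UAG
    print(session_outcome(ttl=1 * HOUR, reconnect_at=8 * HOUR))   # misrouted, rejected
    print(nat_distribution(50))                                   # one UAG takes all
```

In the model, whether an expired entry lands on a different UAG depends on where the Round Robin pointer happens to be, so a short persistence timeout shows up in practice as intermittent session drops rather than a consistent failure.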

Network Ports for External Connections #

Proper network port configuration is essential for successful external connections in a Horizon deployment. Understanding the required ports ensures correct communication between components:

1. Unified Access Gateways Ports:

  • Authentication Protocol: TCP or UDP 443
  • Session Protocol: TCP and/or UDP 8443, or TCP 443

Horizon Load Balancing Configuration with RELIANOID #

Configuring the Horizon Connection Servers Farm and Unified Access Gateways Farm in the RELIANOID Load Balancer is straightforward. It involves simply creating two distinct layer 4 farms and ensuring that the networking requirements of the Horizon solution are properly addressed.

Horizon Load Balancing Configuration Farms

Horizon Connection Servers Load Balancing Configuration #

To set up a Horizon Connection Servers Farm in the RELIANOID Load Balancer, you would need to create a Layer 4 farm configured on TCP port 443. The service settings should include Round Robin as the scheduling method, with persistence based on Source IP to ensure consistent routing for user sessions.

Horizon Connection Servers load balancing configuration farm

Horizon Connection Servers load balancing configuration service

Unified Access Gateway Load Balancing Configuration #

To configure a Unified Access Gateway Servers Farm in the RELIANOID Load Balancer, you should create a Layer 4 farm set to use both TCP and UDP on port 443. The service settings should include Round Robin as the scheduler, with persistence based on Source IP to maintain consistent session routing.

Unified Access Gateway Servers load balancing configuration farm

Unified Access Gateway Servers load balancing configuration service

Advanced Load Balancing Features #

Using RELIANOID Load Balancer for Horizon environments brings several additional advantages, particularly in terms of high availability (HA), security, and management:

  • High Availability with Clustering: RELIANOID supports clustering, which allows multiple load balancers to work together seamlessly. This ensures that if one load balancer goes down, others in the cluster can take over without any disruption to the Horizon services. This clustering enhances the overall reliability and uptime of the Horizon deployment.
  • Advanced Health Checks: RELIANOID offers advanced health checks that continuously monitor the status of Horizon Connection Servers and Unified Access Gateways. These checks go beyond basic connectivity, verifying that each server is functioning correctly before directing traffic to it. If a server fails a health check, it is automatically taken out of rotation until it recovers, ensuring that users are only directed to healthy, functioning servers.
  • Real-Time Notifications: With RELIANOID, administrators can receive real-time notifications about the status of the load balancer and the servers it manages. This allows for proactive management, where issues can be addressed before they impact end users. Notifications can be customized to alert on various events, such as server failures, high traffic loads, or SSL certificate expirations.
  • SSL Traffic Management: RELIANOID handles SSL offloading, which means it can terminate SSL connections on behalf of the Horizon servers. This reduces the processing burden on the Horizon infrastructure, freeing up resources to handle more user sessions. Additionally, SSL offloading simplifies certificate management and enhances security by ensuring that all traffic between the load balancer and end-users is encrypted.
  • Enhanced Security Features: RELIANOID integrates several security features that protect the Horizon environment from various threats. It can enforce strict access controls, provide DDoS protection, and include Web Application Firewall (WAF) capabilities to shield Horizon servers from malicious traffic. The load balancer can also manage and renew SSL certificates, ensuring that all connections remain secure.

These additional capabilities make RELIANOID an excellent choice for enhancing the scalability, reliability, and security of Horizon deployments. Try RELIANOID Load Balancer for your Horizon deployments.
