Forum Discussion

Jay_Spell
Mar 14, 2018

View Connection Server Config with UAG

The guides for load balancing Unified Access Gateway have quite a bit of detail regarding the DMZ-based components. My question is regarding the right side of this configuration from the deployment guide.

Does anyone have a link to documentation for setting up the View Connection Server config? There is documentation referenced within the UAG Deployment guide but I have been unable to locate the document itself.

From the prerequisites section of the UAG deployment guide:

An internal virtual server configured for Connection Servers - To create the Virtual IP (VIP) for the Internal Connection Server, refer to the Load Balancing VMware Horizon Connection Servers guide on F5’s website.

Appreciate any help.

7 Replies

    • R_Marc

      I'm setting this up now, and yes you only really need one cluster. You'll need separate VIPs, X VIPs for public stuff and X VIPs for the internal stuff. There's zero reason these have to live on different clusters. It took me a while to convince the VMware SE of that, as he has his script and that's all they know.

      You could even do it all on the same VIPs, but that would be more complicated than it needs to be (via an iRule to separate traffic based on source IP).

      R. Marc

    • Petar-I_365989

      Thanks R Marc. Here is how I want to make it work, and I'm wondering if your setup is similar.

      All our clients will connect to VM desktop/app through UAGs VIP (external IP). This is because we do not trust our internal clients to directly connect to connection servers. So all clients will establish connections as follows:

      client -> UAGs cluster VIP -> Connection server cluster VIP -> VM desktop/app

      Our UAGs and Conn servers are on separate subnets, so having them on the same LTM seems OK, and you confirmed this too.

      I'm also willing to use iApp for both - 1 iApp for UAG, and 1 for Connection servers, basically load balancing both clusters. The guides I have shared before - http://docs.hol.vmware.com/HOL-2017/hol-1759-use-3_html_en/ talk about LB for either UAG, or Connection servers, but not the case when I want to do both via separate iApps, and have this work.

      Wondering if the above is a supported approach, although I see no reason for this to be an issue. What's your take?

      -Pete

    • R_Marc

      I do not use iApps (I've had nothing but trouble with them). My use case might be a touch different, as this is for a mobile MDM thingy + application VPN. I think there are other uses for UAG, but this is the only place I use it. But yeah, the second cluster in their diagram is completely unnecessary as it has to cross the firewall either way; having a second LTM cluster, physically, is redundant. You could do with two separate iApps on the same F5 cluster, which is effectively what I'm doing, minus the iApps.

  • Thought I would update this thread as the official documentation does not make this clear. You will use the same iApp template for both the UAG and Conn Servers. Tip: Make sure that the Horizon environment is already up and running before introducing F5 for SSL-bridging.