Forum Discussion

mali77_57143
Feb 11, 2013

VMWare View deployment with LTM

We are looking to deploy VMWare view with Big IP LTM 1600. I was going over the documentation and it was talking about different options. And there was a step in there related to the certificates. We will only be deploying this on the LAN so only internal users will be accessing VMWare view, can it just use its own certificate?

Secondly, in a scenario like this what would be the best and easy option I should go with? SSL Offload or Bridging? Seems like if I do SSL Offload I only have to worry about the SSL cert on the F5 and the View Servers will just accept unencrypted traffic. This way I do not have to worry about managing certificates on too many devices?

7 Replies

  • Greg_Crosby_319
    Historic F5 Account
    SSL offload is a good way to go, you will remove the encryption overhead on your View servers and you will be able to maintain your certs in one location. Using an internal certification authority server is ok; just make sure your CA server is a trusted publisher on your internal clients.

  • The current versions of the VMware View client require SSL encryption between the client and the BIG-IP. You can choose to offload or bridge the SSL connection on the server side to the View Servers. Either option will work.

    If you are using PCoIP as the display protocol, the SSL certificate is not only used for the SSL negotiation, but is also used to calculate the PCoIP session token. You must have the same certificates on the BIG-IP client side SSL profile and on the View servers in order for PCoIP to function. This means that if you have more than one View Server, you cannot simply use the default certificates generated by View during install, since there are different certificates for each View server. You have to have an SSL certificate that has each View server FQDN, and the BIG-IP virtual server FQDN, listed in the Subject Alternative Name. These can be SSL certificates generated by your Active Directory Certificate Services Enterprise CA.

    Paul

  • Ok, here is the issue: we do not have a CA set up within our company. So since we are using PCoIP we will either need to also deploy a CA or get a third party certificate from Verisign or Godaddy etc?
  • Greg_Crosby_319
    Historic F5 Account

    Yes, you will need to get a certificate from either source. There is a section in the View documentation that discusses the specifics that may be helpful: http://pubs.vmware.com/view-51/index.jsp?lang=en. The section "Obtaining SSL Certificates for VMware View Servers" discusses how to obtain a certificate from a CA, how to import the certificate onto your View servers, and more specifically what type of certificate to use. The type to use, as Paul mentions, is (SAN) subject alternative names.

  • Posted By Greg Crosby on 02/11/2013 11:34 AM

    Yes, you will need to get a certificate from either source. There is a section in the View documentation that discusses the specifics that may be helpful: http://pubs.vmware.com/view-51/index.jsp?lang=en. The section "Obtaining SSL Certificates for VMware View Servers" discusses how to obtain a certificate from a CA, how to import the certificate onto your View servers, and more specifically what type of certificate to use. The type to use, as Paul mentions, is (SAN) subject alternative names.

    Thank you again, my apologies but I forgot to ask something related previously. So if we are using PCoIP I can't use the SSL Offload option because I have to install the certificate not only on the F5 but also on the view servers? Or can I still just install the Certificate on the F5 and not have to worry about installing it on the view servers because F5 will be sending the unencrypted information?

  • Mali77,

    View uses the certificates for two separate functions. One is for SSL session negotiation, and the second is to use the SSL certificate as a hash when generating the PCoIP Session token. It is possible to offload the SSL session negotiation function from the View servers. It is even advisable to do so, as this will reduce the amount of SSL processing the View servers will have to do. Even so, the View Server will still require the SSL Certificate in order to perform the second function (PCoIP Session token generation).

    You are correct that in a normal SSL certificate implementation, if you were to use the F5 device to perform SSL offload, you would not need to install the SSL certificate on the servers that the F5 device is sitting in front of. It just so happens that View has this second function it performs with the SSL certificate, and thus needs the SSL certificate installed in order to perform this secondary function.

    Paul
  • Awesome information, thanks so much. Looks like there are a few different moving parts to this project; going to be interesting. I'm sure I'll be posting more questions as I move more into it. Thank you so much again for all your help guys.
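Paul's two replies above reduce to two checks worth scripting before the View pool goes live: the one certificate must carry every View server FQDN plus the BIG-IP virtual server FQDN in its Subject Alternative Name, and the identical certificate must be installed on the BIG-IP client-side SSL profile and on every View server, since the PCoIP session token is derived from it. The following is an added example, not code from F5 or VMware, and does not belong to the thread. The hostnames (view.corp.example and the two Connection Servers), the parsed certificates and the DER byte strings are all constructed; the dictionary layout mirrors what Python's ssl getpeercert() returns, so the same functions can be pointed at a live listener.

```python
"""Pre-deployment checks for a load-balanced VMware View pool:
 1. one SAN certificate covers every View server FQDN and the BIG-IP
    virtual server FQDN;
 2. the same certificate (same SHA-256 fingerprint) is installed on the
    BIG-IP client-side SSL profile and on each View server.
Added example, not F5 or VMware code. Every name and certificate here is
constructed."""
import hashlib
from typing import Dict, Iterable, List

# Assumed hostnames: the BIG-IP virtual server and two View Connection Servers.
REQUIRED_FQDNS = [
    "view.corp.example",       # BIG-IP virtual server FQDN (assumed)
    "view-cs01.corp.example",  # View Connection Server 1 (assumed)
    "view-cs02.corp.example",  # View Connection Server 2 (assumed)
]

# Constructed parsed certificate. The tuple-of-tuples layout mirrors the
# "subject" and "subjectAltName" entries of ssl.SSLSocket.getpeercert().
SAN_CERT = {
    "subject": ((("commonName", "view.corp.example"),),),
    "subjectAltName": (
        ("DNS", "view.corp.example"),
        ("DNS", "view-cs01.corp.example"),
        ("DNS", "view-cs02.corp.example"),
    ),
}

# Constructed stand-in for the per-server certificate View generates at
# install time: it names only that one server, so it cannot be shared.
DEFAULT_CERT_CS02 = {
    "subject": ((("commonName", "view-cs02.corp.example"),),),
    "subjectAltName": (("DNS", "view-cs02.corp.example"),),
}

# Constructed stand-ins for the DER bytes of each host's installed
# certificate (in practice: the BIG-IP export and each server's keystore).
INSTALLED_DER: Dict[str, bytes] = {
    "bigip": b"DER-of-shared-SAN-cert",
    "view-cs01": b"DER-of-shared-SAN-cert",
    "view-cs02": b"DER-of-default-cs02-cert",  # still on its install-time cert
}


def dns_names(cert: dict) -> List[str]:
    """DNS SAN entries, lower-cased; fall back to the CN only when no SAN exists."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value.lower())
    return names


def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style comparison: '*' is accepted only as the whole leftmost label
    and only matches a single label (no '*.example' for a two-label name)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if "*" not in pattern:
        return pattern == fqdn
    plabels, flabels = pattern.split("."), fqdn.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(flabels):
        return False
    return plabels[1:] == flabels[1:]


def missing_names(cert: dict, required: Iterable[str]) -> List[str]:
    """Required FQDNs that no name on the certificate covers."""
    names = dns_names(cert)
    return [f for f in required if not any(name_matches(p, f) for p in names)]


def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def mismatched_hosts(installed: Dict[str, bytes]) -> List[str]:
    """Hosts whose installed certificate differs from the BIG-IP's copy."""
    ref = cert_fingerprint(installed["bigip"])
    return [host for host, der in installed.items() if cert_fingerprint(der) != ref]


def report() -> Dict[str, List[str]]:
    """Both checks at once; empty lists mean the pool is consistent."""
    return {
        "san_names_missing": missing_names(SAN_CERT, REQUIRED_FQDNS),
        "hosts_with_different_cert": mismatched_hosts(INSTALLED_DER),
    }


if __name__ == "__main__":
    print(report())
```

With the constructed data the SAN certificate covers every required name, but view-cs02 is flagged because it still carries its install-time certificate; that is exactly the state in which PCoIP sessions through the BIG-IP fail while the plain HTTPS handshake still succeeds.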