Method 1: Source IP Affinity
This is the simplest configuration, as it uses standard port numbers and a single load-balanced VIP. It relies on the FortiADC routing the secondary protocols to the same CS appliance that was selected for the primary Horizon protocol, which it does by recognizing repeat connections coming from the same Horizon client IP address.
In this example, the IP address of the virtual server is 10.107.1.86 (cs.fortihorizon.com). Change the configuration of all the CSes as shown in the table below.
| CS Appliance | Configuration Item | Value |
|---|---|---|
| CS01 | tunnelExternalURL | https://cs.fortihorizon.com:443 |
| CS01 | blastExternalURL | https://cs.fortihorizon.com:8443 |
| CS01 | pcoipExternalURL | 10.107.1.86:4172 |
| CS02 | tunnelExternalURL | https://cs.fortihorizon.com:443 |
| CS02 | blastExternalURL | https://cs.fortihorizon.com:8443 |
| CS02 | pcoipExternalURL | 10.107.1.86:4172 |
You need to create two virtual servers with the same VIP, different ports, and different profiles. Change the Port to 0 for the members of the Real Server Pool.
For external clients, you can use the DNAT Packet Forwarding Method, unlike for the internal clients. DNAT replaces the destination IP address with the IP address of the backend CS selected by the FortiADC, so you need to add the FortiADC interface IP as the gateway on all the CSes in use; this guarantees that the response packets are routed back through the FortiADC. According to the Horizon protocols and ports, you need to create one TCP and one UDP virtual server.
TCP Virtual Server
- Go to Server Load Balance > Virtual Server > Virtual Server and click the Create New > Advanced Mode button.
- In the Basic settings, fill in the Name and use the default Packet Forwarding Method, DNAT.
- In the General settings, set the virtual server Address and Port (443 4172 8443), and select the Interface on which the virtual server will work. Use the default profile LB_PROF_TCP. To keep the primary and secondary protocol packets from one client on the same CS, select Persistence with LB_PERSIS_HASH_SRC_ADDR. Select the Real Server Pool created before.
- Keep the other fields at their default values, or change them as you need.
TCP virtual server CLI configuration
```
config load-balance virtual-server
    edit "HORIZON_TCP_VS"
        set interface port3
        set ip 10.107.1.86
        set port 443 4172 8443
        set load-balance-profile LB_PROF_TCP
        set load-balance-persistence LB_PERSIS_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool HORIZON_CS_POOL
        set traffic-group default
    next
end
```
UDP Virtual Server
- Go to Server Load Balance > Virtual Server > Virtual Server and click the Create New > Advanced Mode button.
- In the Basic settings, fill in the Name and use the default Packet Forwarding Method, DNAT.
- In the General settings, set the virtual server Address (the same as the TCP VIP) and Port (4172 8443), and select the Interface (the same as for the TCP VS) on which the virtual server will work. Select the profile LB_PROF_UDP. To keep the primary and secondary protocol packets from one client on the same CS, select Persistence with LB_PERSIS_HASH_SRC_ADDR. Select the Real Server Pool created before.
- Keep the other fields at their default values, or change them as you need.
UDP virtual server CLI configuration
```
config load-balance virtual-server
    edit "HORIZON_UDP_VS"
        set interface port5
        set ip 10.107.1.86
        set port 4172
        set load-balance-profile LB_PROF_UDP
        set load-balance-persistence LB_PERSIS_HASH_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool CS1_4172
        set traffic-group default
    next
end
```
Unfortunately, this method doesn't work in all situations. For example, with certain Network Service Providers or NAT devices, the source IP address is not available for this affinity configuration. If source IP affinity can't be used in your environment, then one of the other two methods should be used, as they don't rely on source IP affinity.
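As an added illustration (not FortiADC's code and not part of the original page), the following Python model shows why source-address persistence keeps a client's primary (TCP 443) and secondary (UDP 4172, TCP 8443) Horizon flows on one CS, and how the NAT situations described above break that assumption. The pool-member hash is a simplified stand-in for FortiADC's real LB_PERSIS_HASH_SRC_ADDR algorithm, and all client addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed example: the two Connection Servers from the table above.
CS_POOL = ["CS01", "CS02"]

# Flows one Horizon client opens: primary XML-API over TCP 443, then the
# secondary protocols (PCoIP on UDP 4172, Blast on TCP 8443).
HORIZON_FLOWS = [("tcp", 443), ("udp", 4172), ("tcp", 8443)]


def pick_member(client_ip: str, pool: list[str]) -> str:
    """Simplified stand-in for source-address hash persistence (assumption:
    the real FortiADC hash is not modelled). The property that matters is
    that the choice is a stateless function of the client IP alone."""
    return pool[int(ipaddress.ip_address(client_ip)) % len(pool)]


def route_session(flows: list[tuple[str, str, int]]) -> set[str]:
    """Route one session through both virtual servers. Each entry is the
    (source IP seen by the FortiADC, protocol, port). Both the TCP VS and
    the UDP VS use the same persistence rule and the same pool, so the CS
    depends only on the source IP. Returns the set of CSes that received
    traffic; the session only works if that set has exactly one member."""
    return {pick_member(src, CS_POOL) for src, _proto, _port in flows}


def affinity_holds(client_ip: str) -> bool:
    """Normal case: all three flows arrive from the same client IP."""
    flows = [(client_ip, proto, port) for proto, port in HORIZON_FLOWS]
    return len(route_session(flows)) == 1


def affinity_after_nat_remap(primary_src: str, secondary_src: str) -> bool:
    """Failure mode from the text: a provider or NAT device presents the
    secondary protocols from a different public IP than the primary one."""
    flows = [(primary_src, "tcp", 443)] + [
        (secondary_src, proto, port) for proto, port in HORIZON_FLOWS[1:]
    ]
    return len(route_session(flows)) == 1


def distribution_behind_shared_nat(nat_ip: str, client_count: int) -> Counter:
    """Second failure mode: many clients behind one NAT share a source IP,
    so persistence sends every one of their sessions to the same CS."""
    return Counter(pick_member(nat_ip, CS_POOL) for _ in range(client_count))


if __name__ == "__main__":
    print("same-IP client keeps affinity:", affinity_holds("203.0.113.10"))
    print("NAT remap keeps affinity:",
          affinity_after_nat_remap("198.51.100.1", "198.51.100.2"))
    print("50 clients behind one NAT:",
          dict(distribution_behind_shared_nat("198.51.100.7", 50)))
```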