In this blog post, I want to describe the manual steps to deploy and configure an NSX load balancer for the Platform Services Controllers (PSC). Hey wait, weren’t you doing PowerNSX automation stuff before? Yes, and I still mean to do so. But automation starts with checking that the procedure actually works before attempting to automate it. With automation, garbage in quickly becomes a lot of garbage out.

Implementing NSX for desktop, whether for micro-segmentation or load balancing, takes time and effort to design and implement. That is why I started NSXHorizonJumpstart: to provide a starting point and hopefully some guidance. This post is about the load balancing part and the first additions to NSXHorizonJumpstart to include NSX Edge Gateway load balancers.

Load Balancers in EUC

Depending on what we do in or for the EUC stack, or how our deployment model is, there can be quite a few load balancing requirements:

Platform Services Controllers (PSC)

Connection Servers

Unified Access Gateways (UAG)

Identity Manager (vIDM) internally and proxied via Identity Manager Proxy for external connections

App Volumes

AirWatch Device Servers

vROPS for Horizon UI

And you will probably do this from more than one block/pod. But as said, first deploy manually before automating.

Manually Implementing a PSC NSX Load Balancer pair

Deploying an NSX Edge Gateway is two-fold: first you deploy the appliance HA pair, and second you enable and configure load balancing for this application.

Before deploying Edges you need one vCenter (that will be repointed later to the PSC LB name), an NSX Manager for that cluster, and a proper NSX license installed. Next, the hosts need to be prepared.

Furthermore, some information will also come in handy:

ESG Name

IP Address (primary ESG Uplink address)

HA IP (internal network, /30 IPs)

LB Name

LB IP (secondary ESG Uplink address)

Uplink vDPortgroup, Place to deploy, HA vDPortgroup, Size, ESG Admin CLI password to set.

DNS Registration of the VIP names and IPs (forward and reverse).

Specifically for the PSC the following should be in order:

Installed and configured first PSC

Optionally configure as a subordinate VMCA in your PKI (an excellent write up for this can be found here: https://www.vmbaggum.nl/2016/12/configure-vcenter-6-5-subordinate-ca/). It is highly recommended to do this first when you have the chance, it makes signing the PSC LB name certificates much easier.

Connect a vCenter (to be repointed later to the load balanced address) and an NSX Manager (again chicken and egg: you will need these to deploy the NSX Edge Gateways). Oh yes, and a license and prepped hosts.

The second PSC deployed as a replication partner of the first PSC (added to the same site).

Next up, create a new machine certificate for the PSC HA pair. Follow this procedure (using VMCA if possible): https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2147626.

Next, deploy and configure the NSX load balancer. The following paragraphs have their origin in this VMware KB: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2113315.

Configure the NSX Load Balancer

Deploy a new NSX Edge

Navigate to Networking & Security > NSX Edges and click the + icon.
Select Install Type Edge Services Gateway.
Enter the name and select Deploy NSX Edge.
Select Enable High Availability (or do this after the Edge is deployed; it doesn’t really matter).
Click Next.

Settings

Enter the username and the password.
Enable or disable SSH access.
Set the desired logging level.
Click Next.

Configure Deployment

Select the Datacenter location.
Select the Appliance Size depending on your environment.
Click the + icon and select the Cluster, Datastore, ESXi Host and the folder to deploy to.
Click OK, then Next.

Configure Interfaces

Click the + icon and provide a name for the interface.
Select Type Uplink.
Click Select next to Connected To and select the port group.
Click the + icon and enter the IP Address and Prefix Length for the Edge appliance and a secondary IP for the PSC VIP (or use the same address for both).
Click OK, then Next.
Enter the default gateway for the PSC VIP and click Next.
Repeat this for the HA internal interface; no IP address is needed there.

Firewall and HA

Select Configure Firewall default policy and set the Default Traffic Policy to Accept.
Under Configure HA Parameters, select the HA internal vNIC and set the Management IPs (in a /30 subnet).
Click Next.

Ready to complete

You will see two new NSX Edge virtual machines being deployed in the environment. If you have DRS, an anti-affinity rule between the Edges is created as well. The new NSX Edge appears as Deployed in the NSX Edges listing.

Enable Edge Load Balancer

Double-click the deployed Edge and navigate to Manage > Load Balancer.
Click Edit, select Enable Load Balancer, select Logging and set the required logging level.
Click OK.

Application Profiles

Select Application Profiles and click the + icon.
Enter the name and select type TCP. If you want to include an HTTP SSL offloading Application Profile at the NSX Edge, you can follow the steps in this scenario.
Under Persistence, select Source IP. Click OK.
The Application Profile must now be displayed in the list of profiles.

Pools

Select Pools and click the + icon.
Enter the name, select the ROUND-ROBIN algorithm and select the default_tcp_monitor.
Click the + icon and enter the name for the node member.
Enter the IP Address of the first PSC node. Ensure Port is left blank and enter Monitor Port 443. Click OK.
Add a second member for the additional PSC node. You must have two members listed.
Click OK.

Virtual Servers

Select Virtual Servers and click the + icon.
In Application Profile, select the PSC Application Profile just created.
Enter the name; I normally use the VIP FQDN (replacing the dots with dashes).
Enter the PSC HA VIP IP Address and select the TCP protocol.
Enter the port numbers 443,389,636,2012,2014,2020. Note: if you only allow secure LDAP, leave 389 out of the range.
In Default Pool, select the PSC Pool just created and click OK.
The Virtual Server is displayed in the list. Test if you can reach the PSC LB VIP name, via HTTPS for example.

Completing the PSC Load Balancing configuration

The PSC configuration needs to be finished to fully use the PSC in a load balanced set-up. Steps on the PSC: configure the PSC for High Availability following https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2147384. Run the first script on all PSCs and the second on just one.

Repoint the vCenter to the PSC LB name: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2113917. Note: new vCenter instances can be pointed to the PSC LB name from the installer.

Repoint the NSX Lookup Service to the PSC LB: from the home of the NSX Manager, go to Manage vCenter Registration and edit the Lookup Service URL to the PSC LB VIP name. Check that it is connected correctly.

Done, now your PSC is load balanced via the NSX Edge, and the vCenter and NSX Manager are repointed to the PSC load balanced name.
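Before relying on the repointed vCenter and NSX Manager, it pays to verify the prerequisites the procedure above depends on: forward and reverse DNS for the VIP name, every Virtual Server port answering on the VIP, and the certificate on 443 carrying the LB name. The following PowerShell check is an added example, not part of the KBs or of NSXHorizonJumpstart; $VipFqdn and the default port list are placeholders you replace with your own values.

```powershell
# Added post-deployment check for a PSC load balancer VIP (not from the original post).
param(
    [string] $VipFqdn = 'psc-lb.example.local',              # placeholder VIP name
    [int[]]  $Ports   = @(443, 389, 636, 2012, 2014, 2020)   # ports from the Virtual Server
)

$result = [ordered]@{}

# 1. Forward and reverse DNS for the VIP name must agree (both were registered up front).
$vipIp = (Resolve-DnsName -Name $VipFqdn -Type A -ErrorAction Stop |
          Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
$ptr   = Resolve-DnsName -Name $vipIp -Type PTR -ErrorAction SilentlyContinue
$ptrName = if ($ptr) { "$($ptr.NameHost)".TrimEnd('.') } else { '' }
$result['VipIp']      = $vipIp
$result['ReverseDns'] = $ptrName -ieq $VipFqdn

# 2. Every port the Virtual Server carries must answer on the VIP.
foreach ($p in $Ports) {
    $tcp = Test-NetConnection -ComputerName $vipIp -Port $p -WarningAction SilentlyContinue
    $result["Tcp$p"] = $tcp.TcpTestSucceeded
}

# 3. The certificate presented on 443 must be the PSC HA machine certificate for the LB name.
#    Validation is bypassed only so the certificate can be inspected; nothing is trusted here.
$client = New-Object System.Net.Sockets.TcpClient($vipIp, 443)
$cb     = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($VipFqdn)                       # SNI = VIP name, as a client would send it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }              # Subject Alternative Name, one line
$ssl.Dispose(); $client.Dispose()

$escaped = [regex]::Escape($VipFqdn)
$result['CertSubject']    = $cert.Subject
$result['CertHasVipName'] = ($cert.Subject -imatch "CN=$escaped") -or ($san -imatch $escaped)
$result['CertExpires']    = $cert.NotAfter

[pscustomobject]$result
```

Any False in ReverseDns, a Tcp port or CertHasVipName points back at the matching step above (DNS registration, the Virtual Server port list or the machine certificate) before the repoint is trusted.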

Scripting the Edge Deployment

I will go a little more in-depth on this part in a next blog post, but here is a little sneak preview of what I am working on. If you want to take a peek or contribute, go to NSXHorizonJumpstart; you are looking for the Paikke-EdgeLB branch (well, if it is still there, else look in the master branch ;)). The script currently only deploys the Edge appliance (and just the first one, as no High Availability is configured yet).

And a little peek (see more at GitHub):

### NSX Edge
# Connect to the NSX Manager; the connection object is passed explicitly to New-NsxEdge below
$NSXConnection = Connect-NsxServer -vCenterServer $nsxManager -Username $nsxUser -Password $nsxPass #-DefaultConnection:$false

# Build the uplink interface specification (primary address is the ESG uplink IP)
$uplink = New-NsxEdgeInterfaceSpec -Name UplinkVDI -Type Uplink -ConnectedTo (Get-VDPortgroup -Name $uplinkpg) -PrimaryAddress $uplinkaddress -SubnetPrefixLength 24 -Index 0

# Then build the internal (HA) interface specification; this preview reuses the uplink port group, substitute your HA vDPortgroup if you use a separate one
$internal1 = New-NsxEdgeInterfaceSpec -Name haint -Type Internal -ConnectedTo (Get-VDPortgroup -Name $uplinkpg) -Index 1

# New Large Edge with the firewall enabled and auto-generated rules; the CLI admin password is hard-coded in this preview and should come from a variable like the NSX credentials above
New-NsxEdge -Name $edgename -Datastore (Get-Datastore -Name $edgedatastore) -Cluster (Get-Cluster -Name $cluster) -Username admin -Password VMware1!VMware1! -FormFactor Large -AutoGenerateRules -FwEnabled -Interface $uplink,$internal1 -Connection $NSXConnection

In short, it connects and builds the uplink and internal interface specifications, with settings such as which port group to use taken from variables. As some parameters take objects or IDs as input, there are some Get- cmdlets in between. New-NsxEdge takes these specifications along with the other settings variables and kicks off creating the Edge in Large format.

The script currently takes its parameter settings from the script itself or from human input (vCenter, password and such). I have begun to think about a YAML structure for input (just like the DFW rules) but am not nearly there yet.

Hope this helps your PSC Load Balancing as well

Well, if you came here only looking for the procedure to add a PSC load balancer to NSX, I hope you could cope a bit with my ramblings about PowerNSX and NSXHorizonJumpstart.

If you have ideas or other input to NSXHorizonJumpstart or NSX for Desktop, please do get in touch here or on GitHub. Looking forward to that!

– Enjoy your load balancers!

Sources: vmware.com