A couple of months ago F5 came out with a very intriguing announcement when they released full proxy support for PCoIP in the latest Access Policy Manager code version, 11.4. Traditional Horizon View environments use “Security Servers” to proxy PCoIP connections from external users to desktops residing in the datacenter. Horizon View Security Servers reside in the DMZ, and the software is installed on Windows hosts. This new capability from F5 completely eliminates the need for Security Servers in a Horizon View architecture and greatly simplifies the solution in the process.
In addition to eliminating Security Servers and getting Windows hosts out of your DMZ, this feature simplifies Horizon View in other ways that aren’t being talked about as much. One caveat of using Security Servers is that they must be paired with Connection Servers in a 1:1 relationship. Any session brokered through these Connection Servers is then proxied through the Security Server it is paired with. Because Security Servers are located in the DMZ, this setup works fine for your external users. For internal users, a separate pair of Connection Servers is usually needed so that users can connect directly to their virtual desktop after the brokering process without having to go through the DMZ. To learn more about this behavior see here and here.
Pictured below is a traditional Horizon View deployment with redundancy and load balancing for all the necessary components:
What does this architecture look like when eliminating the Security Servers altogether in favor of using F5’s ability to proxy PCoIP?
As you can see, this is a much simpler architecture. Note also that each Connection Server supports up to 2000 connections. I wouldn’t recommend pushing that limit, but the above servers could easily support around 1500 total users (accounting for the failure of one Connection Server). If you wanted full redundancy and automatic failover with Security Servers in the architecture, whether for 10 or 1500 external users, you would still need at least 2 Security Servers and 2 Connection Servers. Often they are there not for increased capacity but purely for redundancy for external users, so eliminating them from the architecture can easily simplify your deployment.
But could this be simplified even further?
In this scenario the internal load balancers were removed; instead, the load balancers in the DMZ have an internal interface configured with an internal VIP for load balancing. Many organizations will not like this solution because a device in the DMZ having interfaces physically outside the DMZ will be considered a security risk. ADC vendors and partners will claim their device is secure, but most customers still aren’t comfortable with this design. Another option for small deployments with a limited budget would be to simply place that VIP from the above picture in the DMZ. Internal users will still connect directly to their virtual desktops on the internal network, and the DMZ VIP is only accessed during the initial load balancing of the Connection Servers. Regardless of whether you use an internal VIP or a second set of load balancers, this solution greatly simplifies and secures a Horizon View architecture.
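The security-relevant point of the simplified design is that the only path from the Internet to a desktop runs through the F5 in the DMZ, while internal users still reach desktops directly. A useful sanity check when you retire the Security Servers is to compare the firewall rule set against exactly those intended flows. The following is an added example, not code from the original post or from F5: the zone names, hosts and rules are constructed sample data, and the ports are the standard Horizon View ports (TCP 443 for brokering, TCP and UDP 4172 for PCoIP). The `internal_vip_zone` parameter models the two variants discussed above (a separate internal VIP, or the small-deployment option of placing that VIP in the DMZ).

```python
"""Segmentation audit for the F5-proxied Horizon View design (added example).

Zones used in the constructed data:
  internet  - external users
  dmz       - the F5 APM proxying brokering and PCoIP
  brokers   - Connection Servers on the internal network
  desktops  - virtual desktops on the internal network
  internal  - internal users
"""
from dataclasses import dataclass

# Standard Horizon View ports: brokering over HTTPS, PCoIP over TCP and UDP 4172.
BROKER = ("tcp", 443)
PCOIP = (("tcp", 4172), ("udp", 4172))


@dataclass(frozen=True)
class Rule:
    src: str    # zone the flow originates from
    dst: str    # zone the flow is delivered to
    proto: str
    port: int


def intended_paths(internal_vip_zone="brokers"):
    """The flows the simplified design needs and nothing more.

    internal_vip_zone is where internal users reach the Connection Server VIP:
    "brokers" when a separate internal load balancer exists, "dmz" for the
    small-deployment variant that places the VIP in the DMZ.
    """
    paths = {
        Rule("internet", "dmz", *BROKER),              # external users -> F5 APM
        Rule("dmz", "brokers", *BROKER),               # F5 brokers against Connection Servers
        Rule("internal", internal_vip_zone, *BROKER),  # internal users reach the broker VIP
    }
    for proto, port in PCOIP:
        paths.add(Rule("internet", "dmz", proto, port))       # external PCoIP terminates on F5
        paths.add(Rule("dmz", "desktops", proto, port))       # F5 proxies PCoIP to the desktop
        paths.add(Rule("internal", "desktops", proto, port))  # internal users go direct
    return paths


def audit(rules, dmz_interfaces, internal_vip_zone="brokers"):
    """Compare an allow-list of firewall rules against the intended paths.

    Returns (unexpected, missing, exposed):
      unexpected - permitted flows the design does not need (e.g. Internet straight to a desktop)
      missing    - flows the design needs that are not permitted
      exposed    - DMZ devices with an interface in a zone other than the DMZ
    """
    wanted = intended_paths(internal_vip_zone)
    allowed = set(rules)
    unexpected = sorted(allowed - wanted, key=str)
    missing = sorted(wanted - allowed, key=str)
    exposed = sorted(host for host, zones in dmz_interfaces.items() if zones - {"dmz"})
    return unexpected, missing, exposed


# Constructed sample rule set: the intended flows plus two leftovers from the
# Security Server era, and one internal PCoIP flow that was never opened.
SAMPLE_RULES = [
    Rule("internet", "dmz", "tcp", 443),
    Rule("internet", "dmz", "tcp", 4172),
    Rule("internet", "dmz", "udp", 4172),
    Rule("dmz", "brokers", "tcp", 443),
    Rule("dmz", "desktops", "tcp", 4172),
    Rule("dmz", "desktops", "udp", 4172),
    Rule("internal", "brokers", "tcp", 443),
    Rule("internal", "desktops", "tcp", 4172),   # UDP 4172 for internal users is missing
    Rule("internet", "desktops", "tcp", 4172),   # external PCoIP bypassing the proxy
    Rule("dmz", "desktops", "tcp", 3389),        # RDP from the DMZ is not a View data path
]

# Constructed sample: which zones each DMZ device has an interface in.
SAMPLE_DMZ_INTERFACES = {
    "f5-a": {"dmz"},
    "f5-b": {"dmz", "internal"},   # the internal-interface variant many organizations reject
}


def sample_audit():
    return audit(SAMPLE_RULES, SAMPLE_DMZ_INTERFACES)


if __name__ == "__main__":
    unexpected, missing, exposed = sample_audit()
    for label, items in (("unexpected", unexpected), ("missing", missing), ("exposed", exposed)):
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

Run against the constructed data, the audit flags the direct Internet-to-desktop PCoIP rule and the stray RDP rule as unexpected, reports the missing UDP 4172 flow for internal users, and lists `f5-b` as a DMZ device with a foot on the internal network. Feeding it an export of your real rule set (mapped to the same zone names) gives a quick confirmation that the retired Security Server paths were actually closed.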
Overall, I’m really excited by this development and am interested in seeing whether other ADC vendors offer this functionality for PCoIP in the near future. To learn more, see the following links: