
Quick Note: VDI External Access and Connectivity

When I started to work with VDI solutions, I often looked for the term “Public IP” in the solution’s documentation for VDI external access. However, after having designed and implemented multiple Digital Workspace/End-User Computing (EUC) solutions for Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS), I have gained a fair amount of knowledge on this topic. I figured I’d share it for others starting in the EUC space, to give them a fair idea of what to look for and how external access works.

“External address” is the term you should be looking for in this case. With VMware Horizon, the Unified Access Gateway (UAG) facilitates external access for end-users to consume their apps and desktops, while with Citrix Virtual Apps and Desktops (CVAD) it is the Citrix Gateway (CGW). In production environments, there will be 2 of these sitting in a DMZ, forwarding the traffic to the Connection Servers or StoreFront of the respective solution. There will be a Load Balancer (LB) appliance in front of the UAGs or CGWs.

UAG in the latest Horizon versions (at least v7 and above) has an HA feature that can provide L4 LB functionality. If full L4-L7 LB capabilities are needed, then an external LB such as NSX Advanced Load Balancer (Avi), Citrix ADC, F5 BIG-IP, etc. should be used.

Horizon

If the HA feature is used and, say, you have 2 UAGs, then 3 Public IPs will be needed: 1 for each UAG’s DMZ Internet/external-facing IP and 1 for the HA VIP, which is also from the DMZ segment. You will then create a Public DNS record with your Public DNS hosting provider for the VDI access URL, say vdi.company.com, pointing to the UAG HA VIP Public IP. On your network firewall, that Public IP will be NAT’d to the UAG HA VIP private IP in the DMZ.

If an LB is used, the process is similar, except that the UAG LB VIP is used instead of the UAG HA VIP addresses. With an LB, there are options to perform PAT instead of NAT, which reduces the Public IP count to 1. Ref: VMware KB 2146312.

Citrix

Here, an LB will be required to load balance the CGW appliances. For the last few years Citrix has combined the setup file of ADC and CGW, so it is a single appliance image and you enable the functionality of the required component, either ADC or CGW or both. In the case of ADC/CGW, there will mainly be 3 IPs: NSIP (NetScaler IP: appliance management IP), SNIP (Subnet IP: back-end communication to Citrix infra, existing services and components) and the VIP (Virtual IP: Internet-facing interface in the DMZ). This VIP will be NAT’d to the Public IP.

Split DNS

If you wish to keep the same VDI access URL for both internal and external users, you need to make use of Split DNS. For this, you create a zone, e.g. company.com, in both the internal and the external/Public DNS servers. In the Public DNS server, a host (A) record, e.g. vdi.company.com, will be created to point to the Public IP of the LB, UAG or CGW as the case may be. In the internal DNS server, a host (A) record, e.g. vdi.company.com, will be created to point to the Connection Server(s) (or their LB) or StoreFront(s) (or their LB) as the case may be.
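A small consistency check of the split-DNS and NAT plan described above, as an added example that is not part of the original post. The zones, the firewall NAT table, the DMZ and internal subnets, and the IP addresses are all constructed sample values; the function names are mine.

```python
import ipaddress

# Constructed sample data (not from any real environment).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_SUBNET = ipaddress.ip_network("172.16.5.0/24")       # DMZ segment holding UAG/CGW/LB VIPs
INTERNAL_SUBNET = ipaddress.ip_network("10.10.0.0/16")   # where Connection Servers/StoreFront live

# Public (external) zone: the access URL points at the NAT'd Public IP.
# 203.0.113.0/24 is a documentation range, used here as a stand-in public IP.
EXTERNAL_ZONE = {"vdi.company.com": "203.0.113.10"}
# Internal zone: the same name points at the Connection Server LB VIP.
INTERNAL_ZONE = {"vdi.company.com": "10.10.20.5"}
# Firewall static NAT: Public IP -> UAG HA VIP (or LB VIP) private IP in the DMZ.
NAT_TABLE = {"203.0.113.10": "172.16.5.10"}


def is_rfc1918(ip):
    """True if the address is in one of the private RFC 1918 ranges."""
    return any(ip in net for net in RFC1918)


def check_split_dns(hostname, external_zone, internal_zone, nat_table,
                    dmz=DMZ_SUBNET, internal=INTERNAL_SUBNET):
    """Return a list of problems with the split-DNS/NAT plan for hostname.

    Empty list: the name exists in both zones, the public record is not a
    private address and NATs into the DMZ, and the internal record is internal.
    """
    problems = []
    ext = external_zone.get(hostname)
    internal_rec = internal_zone.get(hostname)
    if ext is None:
        problems.append(f"{hostname}: missing A record in the external zone")
    else:
        ext_ip = ipaddress.ip_address(ext)
        if is_rfc1918(ext_ip):
            # A private/DMZ address in public DNS is unreachable and leaks topology.
            problems.append(f"{hostname}: external record {ext} is an RFC 1918 address")
        elif ext not in nat_table:
            problems.append(f"{hostname}: no firewall NAT entry for Public IP {ext}")
        elif ipaddress.ip_address(nat_table[ext]) not in dmz:
            problems.append(f"{hostname}: NAT target {nat_table[ext]} is not in the DMZ")
    if internal_rec is None:
        problems.append(f"{hostname}: missing A record in the internal zone")
    elif ipaddress.ip_address(internal_rec) not in internal:
        problems.append(f"{hostname}: internal record {internal_rec} is outside the internal subnet")
    return problems
```

Running `check_split_dns("vdi.company.com", EXTERNAL_ZONE, INTERNAL_ZONE, NAT_TABLE)` on the sample data returns an empty list; swapping the external record for a DMZ address or a Public IP with no NAT entry returns a single descriptive problem.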