SIMPLIFY, SCALE, AND SECURE YOUR PCoIP ARCHITECTURE FOR VMWARE HORIZON VIEW WITH F5 Marc Chisinevski, F5 Solution Engineer, VMware Alliance.

Presentation transcript:

SIMPLIFY, SCALE, AND SECURE YOUR PCoIP ARCHITECTURE FOR VMWARE HORIZON VIEW WITH F5 Marc Chisinevski, F5 Solution Engineer, VMware Alliance

2© F5 Networks, Inc. Today’s Agenda: Quick Introduction to Application Delivery Controllers (ADC); What’s new in APM v11.4; What is PC-over-IP (PCoIP) Proxy; How F5 adds Value to VMware Horizon View; Questions, answers, and Key Takeaways

3© F5 Networks, Inc. F5 Delivers an Intelligent Services Framework An integrated device with STRATEGIC AWARENESS Understands and adapts application resources based on user context and expected application behavior Full application state visibility and complete session inspection Provides total control of all user and application traffic in and out of the data center APPLICATION AWARENESS Provides real-time traffic management decisions based on application performance Assists with capacity planning Delivers true application delivery optimization without the need to rewrite applications RESOURCES AWARENESS Proxies and inspects 100% of inbound user traffic Determines user environment such as device type and location Applies application delivery policies based on real-time business needs USER AWARENESS

4© F5 Networks, Inc. Full Intelligence Requires a Full Proxy. OSI Stack: Network, Session, Application, Physical. IT = Complete Control. Business = Reduced Delivery Costs.

5© F5 Networks, Inc. Centralized layered image management for local deployment Multi-device workspace for IT services HORIZON SUITE The platform for workforce mobility Horizon View Horizon Mirage Horizon Workspace Complete desktop and application virtualization NEW v5.2 NEW v4.0 NEW v1.0 F5 + HORIZON SUITE Support for VMware validated solutions: Mobile Secure Desktop; Business Process Desktop; AlwaysOn Desktop; Branch Office Desktop. Unique F5 solutions: PCoIP Proxy; Single Namespace; Username Persistence. Intelligent traffic management and security: Local and global traffic management; Multi-site and multi-pod deployments; Access management and data center firewall. Horizon View Intelligent Services Framework Secure Fast Available Anywhere, any service, any device Intelligent Dynamic, agile, adaptive Horizon Mirage Horizon Workspace VM VDI

6© F5 Networks, Inc. PC-over-IP (PCoIP) Overview What is PCoIP? How does it relate to other protocols? What is the PCoIP proxy?

7© F5 Networks, Inc. Three separate connections. HTTPS 443 auth. SSL Negotiation, PCoIP Control Channel setup. PCoIP Session negotiation – 4172 TCP. PCoIP Session – 4172 UDP.

8© F5 Networks, Inc. View Authentication and PCoIP Protocol Client en-us Server ok ok a824b347-29a4-46a3-a d9e3837 kerberos USSJ- windows-password domain BD1 Client windows-password username ee domain BD1 password password

9© F5 Networks, Inc. Server ok S false 15 true Client RDP PCOIP Server ok 11A90FA2_0B36_4FB9_8976_E656585ADFA bd.f5.com:443 4 SHA-1 be:ba:ca:d4:6e:c9:83:48:57:46:81:17:40:ae:20:ba:00:f6:a3:38 ok CN=ussj-pod1-finance,OU=Applications,DC=vdi,DC=vmware,DC=int Finance in Pod 1 in San Jose sticky disconnected BD1\dd(cn=s aa902dee2b79,ou=servers,dc=vdi,dc=vmware,dc=i

10© F5 Networks, Inc. PCoIP protocols. PCoIP Session negotiation – 4172 TCP. Client: Using the DNS name, Desktop Name, Connection-id, and Certificate thumbprint on 4172 TCP. Server: Performs secret layer of Teradici security mechanisms. Sends client instructions on how to connect to desktop. PCoIP External URL which is IP. PCoIP Session – 4172 UDP. Client: Established third connection using PCoIP Ext URL.

11© F5 Networks, Inc.

12© F5 Networks, Inc. VMware Horizon View Value Adds Marc Chisinevski, Solution Engineer, VMware Alliance

13© F5 Networks, Inc. PCoIP Proxy – Simplify Your Architecture. F5 Access Policy Manager (APM) offers full proxy support for PCoIP. Removes Security Servers. Unified global access to all allowed applications and network locations. Diagram panels: Before, After.

14© F5 Networks, Inc. PCoIP Proxy – Simplify Your Architecture. Reduce Windows Licensing Costs. Reduce Operational Costs: Initial Security Hardening Tasks; Maintenance/Patching; SSL Cert Management; Reduced set of FW Rules / ACLs / NATs. Conserve Resources: Public IP Addresses.

15© F5 Networks, Inc. Three separate connections. HTTPS 443 auth. SSL Negotiation, PCoIP Control Channel setup. PCoIP Session negotiation – 4172 TCP. PCoIP Session – 4172 UDP. 443 TCP.
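
The three client-facing flows listed above (443 TCP, 4172 TCP, 4172 UDP) amount to a short perimeter allowlist, which is what "Reduced set of FW Rules / ACLs / NATs" implies in practice. The check below is an added example, not part of the original presentation or of any F5 or VMware tooling; the rule format, the addresses and the function names are assumptions made for illustration.

```python
# Added example: audit inbound perimeter rules against the three flows the
# slides list for PCoIP (443/tcp, 4172/tcp, 4172/udp).
# Rule format, addresses and names are constructed for illustration.

REQUIRED_FLOWS = {("tcp", 443), ("tcp", 4172), ("udp", 4172)}

# Constructed sample ruleset: action proto dst_ip dst_port
SAMPLE_RULES = """\
allow tcp 203.0.113.10 443
allow tcp 203.0.113.10 4172
allow tcp 203.0.113.10 3389   # leftover RDP exposure
allow udp 203.0.113.11 4172   # rule still pointing at a retired address
deny  udp 203.0.113.10 4172
"""


def parse_rules(text):
    """Yield (action, proto, dst_ip, port); skip comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, proto, dst_ip, port = fields
        yield action.lower(), proto.lower(), dst_ip, int(port)


def audit(text, vip):
    """Return (unexpected, missing) for the allow rules in `text`.

    unexpected: allowed flows that are not one of the three PCoIP flows
                to the proxy address `vip` (other port or other destination).
    missing:    required flows to `vip` that no allow rule permits.
    Rule order and shadowing are not modelled.
    """
    permitted, unexpected = set(), []
    for action, proto, dst_ip, port in parse_rules(text):
        if action != "allow":
            continue
        if dst_ip == vip and (proto, port) in REQUIRED_FLOWS:
            permitted.add((proto, port))
        else:
            unexpected.append((proto, dst_ip, port))
    return unexpected, sorted(REQUIRED_FLOWS - permitted)


if __name__ == "__main__":
    extra, missing = audit(SAMPLE_RULES, vip="203.0.113.10")
    print("unexpected allows:", extra)
    print("missing required flows:", missing)
```

On the constructed ruleset the audit reports the stray 3389/tcp allow and the rule aimed at a different address as unexpected, and 4172/udp to the proxy address as missing, which is the case where the PCoIP session itself would fail after authentication succeeds.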

16© F5 Networks, Inc. Hardened Security for VMware Horizon View. BIG-IP Advanced Firewall Manager (AFM): Protect with a full-proxy firewall; Simplify security architecture; Ensure application availability.

17© F5 Networks, Inc. Username Persistence Use Case. Username Persistence is a Solution. Active/Active Multi-Data Center View solution. Enhances VMware’s “AlwaysOn” Solution. Co-engineering effort with VMware Field and PSO. Uptake in Hospitals, and Large Enterprise.

18© F5 Networks, Inc. User view.company.com Desktop

19© F5 Networks, Inc. User Desktop BIG-IP Global Traffic Manager DNS Query: view.company.com

20© F5 Networks, Inc. User Desktop BIG-IP Global Traffic Manager iQuery Health Check to Both Pods: East & West. EAST Pod WEST Pod

21© F5 Networks, Inc. User Desktop BIG-IP Global Traffic Manager User has lowest latency to West Pod. DNS Answer: “view.company.com. IN A ” WEST Pod

22© F5 Networks, Inc. BIG-IP LTM APM User Desktop WEST Pod Table (User Name / Current Pod?): Bob Smith / West; Fran Kelly / East; Jim Adams / None; etc… Writes data to internal table. View Events Database. LTM uses OOB method to query View Events DBs.

23© F5 Networks, Inc. BIG-IP LTM APM User Desktop Password is cached using 256 bit encryption WEST Pod PW

24© F5 Networks, Inc. User Desktop WEST Pod BIG-IP LTM APM Table (User Name / Current Pod?): Bob Smith / West; Fran Kelly / East; Jim Adams / None; etc… LTM looks up User.

25© F5 Networks, Inc. User Desktop WEST Pod BIG-IP LTM APM APM queries Active Directory. UN PW AD User’s Group Membership. APM Obtains User’s Current Pod & Pool Member. Username & Password are sent to AD. Active Directory

26© F5 Networks, Inc. BIG-IP LTM APM WEST Pod User Desktop Based on the Pod & Pool info in AD, LTM sends the user to the correct View server View Servers

27© F5 Networks, Inc. BIG-IP LTM APM User Desktop The View Server replies with a user token. View Servers WEST Pod Client uses that token to automatically reconnect directly to the View server.

28© F5 Networks, Inc. Questions, Answers, and Key Takeaways. APM offers full proxy support for PC-over-IP: Simplifies VMware Horizon View architectures; Delivers hardened security and increased scalability. Username Persistence is the only multi-pod, Multi-Data Center View solution: F5 is the first and only to provide this functionality.

29© F5 Networks, Inc. Where to Find More info… F5 Documentation: VMware Documentation: Third Party Documentation:

30© F5 Networks, Inc. devcentral.f5.com facebook.com/f5networksinc linkedin.com/companies/f5-networks twitter.com/f5networks youtube.com/f5networksinc