In this blog post, I would like to write up the procedure for setting up an NSX Edge Load Balancer for a VMware Identity Manager cluster. As discussed in this post and this post, NSX Edge Load Balancers will be all over the place in a Workspace ONE platform environment. And this is one place…
I am also working on testing the available persistence configurations of Workspace ONE NSX Edge load balancers (a blog post is coming), and on adding more Workspace ONE firewall sections and load balancing configuration to the NSXHorizonJumpstart script. If only my new year's resolution was to grow four extra brains and hands, this would be published a little faster.
Identity Manager, Hmmmm?
For the Workspace ONE user access or identity management service, VMware Identity Manager (IDM) is needed. And not just for user access: it also provides the application catalog. It is the layer your users' sessions hit first (well, after enrolling their devices). With that presumably come some availability requirements, so insert a cluster of IDM, ergo a highly available IDM. A cluster of IDM is a minimum of 3 nodes and needs a load balancer. But how? After the first node is deployed, you configure IDM to use an external database, for active-active on an MSSQL Always-On. When that is running, an identity source should be configured, for example connected to an Active Directory. Set up a load balancer and fill in its FQDN. Then, after a correct configuration, shut down the node and clone it into an identity manager cluster.
Need some more information on the steps than the above TL;DR? Read on.
Create a cluster and Load Balancer configuration
First step: deploy an IDM appliance. Well actually, before this, check whether the DNS names of the IDM nodes and the FQDN virtual server name are correctly registered as forward and reverse pointer records in the DNS service. If not, first add these. During the virtual appliance deployment, fill in all the required vApp properties, such as the hostname, IP address and DNS servers of the vIDM appliance, and of course the cluster and network to deploy into. After the deployment completes successfully, start the appliance. Run the initial IDM configuration wizard and connect to an external SaaS database on MSSQL. When this is all a-okay, add an identity provider for Active Directory. Join the connector to the Active Directory. And check whether an AD user can be authenticated as required.
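The DNS pre-check above, as an added example that is not part of the original post: every IDM node name and the virtual server FQDN must resolve forward, and the PTR for each address must point back to the same name. The hostnames and addresses in the constructed resolver tables are placeholders; with the default arguments the check uses the real system resolver.

```python
import socket

def check_forward_reverse(names, forward=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Map each name to None (records agree) or a string describing the problem."""
    problems = {}
    for name in names:
        try:
            ip = forward(name)                       # A record lookup
        except OSError as exc:
            problems[name] = f"no forward record: {exc}"
            continue
        try:
            ptr_name = reverse(ip)[0]                # PTR record lookup
        except OSError as exc:
            problems[name] = f"{ip} has no reverse record: {exc}"
            continue
        if ptr_name.rstrip(".").lower() != name.rstrip(".").lower():
            problems[name] = f"PTR for {ip} is {ptr_name}, expected {name}"
        else:
            problems[name] = None
    return problems

# Constructed resolver tables standing in for real DNS (placeholder names);
# idm02's PTR carries a typo so the check has something to report.
FAKE_A = {
    "idm01.example.test": "10.0.0.11",
    "idm02.example.test": "10.0.0.12",
    "idm03.example.test": "10.0.0.13",
    "idm.example.test": "10.0.0.10",  # the NSX Edge virtual server FQDN
}
FAKE_PTR = {"10.0.0.11": "idm01.example.test", "10.0.0.12": "idm2.example.test",
            "10.0.0.13": "idm03.example.test", "10.0.0.10": "idm.example.test"}

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(f"Name or service not known: {name}")
    return FAKE_A[name]

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(f"Unknown host: {ip}")
    return (FAKE_PTR[ip], [], [ip])

if __name__ == "__main__":
    # Drop the fake resolvers to check your own environment via system DNS.
    for name, problem in check_forward_reverse(FAKE_A, fake_forward, fake_reverse).items():
        print(f"{name}: {problem or 'OK'}")
```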
NSX Edge Configuration
Next, head over to PowerNSX or the vSphere Web Client and deploy an NSX Edge HA pair, configuring the interfaces with the VIP address (for example as a secondary address).
Create a Load Balancer configuration
- In Manage, Settings, Certificates, add certificates:
  - Add the PEM certificate chain (include the CA chain)
  - Add the RSA key
- Enable Load Balancing
- Create an Application Profile:
  - Type HTTPS
  - Do not select Enable SSL Passthrough
  - Set Persistence, for example Source IP (needed for IDM functionality)
  - Set Timeout. If the timeout setting is too low, you might see this error: "502 error: The service is currently unavailable." For example 36000 seconds, like the default 600-minute timeout of Horizon.
  - Select Insert X-Forwarded-For HTTP header. This determines the authentication method, needed for IDM.
  - Select Enable Pool Side SSL
  - Select the added certificate under Virtual Server Certificates and select the added certificate under Pool Certificates.
- Add the first IDM appliance to the server pool.
Head to the IDM Appliance:
- Change the FQDN on IDM at https://idmhostname:8443/cfg/workspaceUrl to the Load Balancer address. The fully qualified domain name used to access VMware Identity Manager should be the same in all data centers. In a global and local site load balancer setup, enter the FQDN of the global load balancer (the top-level master load balancer) you are using.
- Wait for the changes to be applied and go.
- Check that you can reach the node over the FQDN address for the portal. Check that the configuration pages (for example the ID or node configuration pages) go to the node hostnames.
Note: If a CA root certificate is not trusted, you can add the root CA on the IDM. To be completely honest, this should not be needed.
Clone Identity Manager
You can now shut down the first node and clone it to the next nodes. Do not power on the cloned node yet. The cloned nodes must be changed to their own hostname and IP address in the vApp options of the virtual appliances. When cloning, on the second-to-last page, the Customize vApp properties page, expand Networking Properties.
Change the hostname and IP address for the new appliance. Click Next, and Finish.
Rinse and repeat this procedure for the other IDM nodes.
(Alternatively, you can change the vApp options after the clone operation has completed.)
Afterwards, first start the primary node. Have a little patience until this one has started before starting the next.
When these are all started, the nodes should be added to the same cluster. Verify that the nodes are part of the same cluster.
Then wait a few minutes until the Elasticsearch cluster is formed before adding the cloned virtual appliances to the load balancer. Elasticsearch, a search and analytics engine, is embedded in the virtual appliance. To check the cluster count of the IDM appliances:
- Log in to the cloned virtual appliance.
- Check the Elasticsearch cluster:
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
- In the output, verify that the number of nodes matches the number of IDM nodes and that the status is green.
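The cluster health check above, as an added example that is not part of the original post: instead of reading the curl output by eye, poll the same endpoint and only report ready once the status is green and the expected number of nodes has joined. The endpoint URL is the one from the post; the expected node count and the sample responses are constructed assumptions.

```python
import json
import time
import urllib.request

# Health endpoint queried in the post with curl.
HEALTH_URL = "http://localhost:9200/_cluster/health?pretty=true"

def cluster_ready(health, expected_nodes):
    """Return (ready, reason) for one parsed _cluster/health response."""
    status = health.get("status")
    nodes = health.get("number_of_nodes")
    if status != "green":
        return False, f"status is {status!r}, not green"
    if nodes != expected_nodes:
        return False, f"{nodes} node(s) joined, expected {expected_nodes}"
    return True, f"green with {nodes} nodes"

def fetch_health(url=HEALTH_URL, timeout=5):
    """Fetch and parse the live health document from the appliance."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def wait_until_ready(expected_nodes, attempts=30, delay=10, fetch=fetch_health):
    """Poll until cluster_ready() is satisfied; return the last (ready, reason)."""
    last = (False, "never polled")
    for _ in range(attempts):
        try:
            last = cluster_ready(fetch(), expected_nodes)
        except (OSError, ValueError) as exc:   # connection refused, bad JSON
            last = (False, f"health endpoint unreachable: {exc}")
        if last[0]:
            break
        time.sleep(delay)
    return last

# Constructed sample responses shaped like _cluster/health output: a clone
# that has not joined yet, and the finished three-node cluster.
SAMPLE_JOINING = {"cluster_name": "constructed", "status": "yellow",
                  "number_of_nodes": 2}
SAMPLE_READY = {"cluster_name": "constructed", "status": "green",
                "number_of_nodes": 3}

if __name__ == "__main__":
    print(wait_until_ready(3))   # run on a node; polls the live endpoint
```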
Next, add the newly cloned virtual appliances to the NSX Edge load balancer configuration server pool.
Some more configuration
In IDM, join the cloned virtual appliances to the domain configured in the (IWA) identity connector, under Identity & Access Management, Setup. In the Connectors screen you will see that the two newly created clones are not joined (they have the green Join Domain button). Click it and join.
If the vSphere cluster has DRS, add DRS VM separation (anti-affinity) rules to keep the virtual appliances on separate hosts.
VMware Identity Manager is now highly available. Traffic is distributed to the virtual appliances in your cluster based on the load balancer configuration. Authentication to the service is highly available.
For the directory sync feature of the IDM service, however, in the event of a service instance failure you will need to manually enable directory sync on another (cloned) service instance.