Workspace one uem linux profile

Load Balancing Workspace ONE UEM Components

Overview

This article explains the deployment mode in which all the Workspace ONE UEM components or services are deployed on different servers and a separate load balancer VIP is configured for each component. Avi Vantage is used to load balance the following Workspace ONE UEM components:

For details on the various Workspace ONE UEM application modules, refer to Avi Vantage and VMware Workspace ONE UEM.
Avi Vantage also supports deployment with Secure Email Gateway V2 and VMware Content Gateway. For more information, refer to Integrating Secure Email Gateway and Content Gateway with Avi Vantage.

Workspace ONE UEM Component | Type (L4 or L7) | Virtual Service Ports | Virtual Service Name | Algorithm | Persistence and Persistence Timeout | Back-end Server Port
Workspace ONE UEM Admin Console | L7 | SSL 443 | VIP1 | Least Connections | HTTP Cookie / 60 minutes | 443
Workspace ONE UEM Admin API | L7 | SSL 443 | VIP2 | Least Connections | Source IP | 443
Workspace ONE UEM Device Services | L7 | SSL 443 | VIP3 | Least Connections | Source IP Address / 20 minutes | 443
AWCM | L7 | SSL 443/2001 | VIP4 | Consistent Hash with custom string | DataScript for persistence | 2001
Tunnel Proxy | L4 | 8443 (TCP and UDP), 2020 (TCP). Fast-path is recommended. | VIP5 | Least Connections | Source IP / 30 minutes | 8443/2020
Tunnel Per-App VPN | L4 | 443 (TCP and UDP). Fast-path is recommended. | VIP6 | Least Connections | Source IP | 443

Notes:

  • All components run on different servers, and the load balancer has a separate VIP for each component.
  • The persistence timeout value should be less than the policy retrieval interval for some services (for example, Secure Email Gateway).
  • Persistence is not required when all users come through NAT, as they share the same source IP address.

Health Monitor Recommendations

Workspace ONE UEM Component | Method | Response Code | Monitoring Interval/Timeout
Workspace ONE UEM Admin Console | GET to https:// /airwatch/awhealth/v1 | 200 OK | Default
Workspace ONE UEM Admin API | GET to https:// /api/help/#!/apis | 200 OK | Default
Workspace ONE UEM Device Services | GET to https:// /deviceservices/awhealth/v1 | 200 OK | Default
AWCM | GET to https:// /awcm/status | 200 OK | Default
Tunnel (Proxy) | https:// :2020/ and TCP:8443 | 407 | Default
Tunnel (Per-App VPN) | TCP:443 | NA | Default

Note: Change the monitoring interval as per the deployment requirement.

Load Balancing Workspace ONE UEM Admin Console

Note:
The steps and navigation path described for the various configuration parameters are the same for the configuration of the other Workspace ONE UEM applications. A few of the attributes differ, as listed in the tables above.

1. Creating a Custom Health Monitor

Log in to the Avi UI and navigate to Templates > Profiles > Health Monitors, then follow the steps below.

  • Click on Create.
  • Select the vCenter cloud that was created for UEM.
  • Enter the details in the New Health Monitor as shown below:

Click on Save and proceed to the next step of creating a persistence profile.

2. Creating a Persistence Profile

For the Workspace ONE UEM Admin Console, source IP persistence or cookie-based persistence is preferred, with the timeout value set to 60 minutes.

To create the persistence profile, navigate to Templates > Profiles > Persistence and click on Create. Add the following details to the new persistence profile as shown below.


Click on Save and proceed to create a pool as explained in the next section.

3. Creating Pool

Navigate to Applications > Pools.

  • Select the cloud from the Select Cloud sub-screen and click on Next.
  • Click on Create Pool, select Least Connections as the load balancing algorithm, and select the persistence profile created in the previous step.
  • To bind the monitor, click on Add Active Monitor and select the custom HTTPS monitor that was created in the previous step.

For SSL offload, the Enable SSL option at the pool level is not required, as traffic goes to the back-end servers in plain text. If the back-end server listens only on SSL and the requirement is to send traffic in encrypted form, enable SSL at the pool level: select the Enable SSL checkbox, select the appropriate SSL profile, and click on Next.

In the Servers tab, add the IP addresses of the servers, and click on Next.

  • Navigate to Step 3: Advanced tab > Step 4: Review, click on Next and then click on Save.

    4. Creating an Application Profile

    As a best practice, all HTTP requests should be redirected to HTTPS. Load balancers for UEM must be configured to set the X-Forwarded-For (XFF) header with the client's source IP. Other options are not mandatory; they depend on the requirement. The default System-Secure-HTTP profile can also be used instead of creating a new application profile.
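One way the UEM back end can consume the XFF header that this application profile inserts, as an added example that is not Avi's or VMware's code: after SSL offload the TCP peer is the Service Engine, so the header is believed only when the peer is a known SE, and only the rightmost hop the SE appended is used. The SE subnet 10.10.0.0/24 and all addresses are assumptions; the same logic applies to the application profile step in each section below.

```python
# Added example (not Avi or VMware code): recover the real client address from
# the X-Forwarded-For header the Avi application profile inserts. Avi appends
# the client's source IP to any XFF value the client already sent, so a back end
# must read from the right and must ignore XFF entirely on connections that do
# not come from a Service Engine. The SE subnet below is an assumption.
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]  # assumed Avi SE SNAT range


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return the address to log and authorize for a request seen by a UEM server.

    peer_addr: TCP peer of the connection (the Service Engine after SNAT).
    headers:   request headers as a dict (looked up case-insensitively).
    """
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    if not xff or not is_trusted_proxy(peer_addr):
        # Direct or unknown peer: any XFF it presents is client-controlled.
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right: the SE appended the real client last. Skip further
    # trusted proxies; the first untrusted hop is the client. Anything to its
    # left was supplied by the client itself and is not believed.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back rather than guess
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr
```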

    Navigate to Templates > Profiles > Application, click on Create, and add the details as shown below.

    Note: Select the X-Forwarded-For checkbox.

    Select the Security tab and enable HTTP-to-HTTPS Redirect and the other options as shown below. Some of these options can be disabled if not required. Click on Save to proceed to installing the SSL certificate.

    • Click on Save. Some services, such as Device Services and the Admin Console, might require HTTP Strict Transport Security. Select HTTP Strict Transport Security (HSTS) if required.

    5. Installing SSL Certificate for L7 Virtual Service

    The SSL connections are terminated at the Avi virtual service, so the SSL certificate must be assigned to the virtual service. It is advised to install a certificate signed by a valid certificate authority instead of using a self-signed certificate. Install the certificate in Avi Vantage and ensure the CA certificate is imported and linked. For instructions, refer to Import Certificates.

    Note: For this set up, a certificate named UEM_Certificate has been installed.

    6. Creating an L7 Virtual Service

    Follow the steps below to create a Layer 7 virtual service for the Workspace ONE UEM Admin Console.

    • Navigate to Applications > Virtual Services, click on Create Virtual Service > Advanced Setup. Select the following:
      • Application Profile: UEM-L7-ApplicationProfile (created in the previous section)
      • Port: 80 and 444 (SSL)
      • Pool: UEM-Admin-Pool (created previously)

    • For SSL profile, use the default SSL profile, or create a new one as per the requirement. For SSL certificate, install the certificate and bind it to the virtual service as shown above.
    • Click on Next; the rest of the settings can be left at their defaults. Click on Next and click on Save.

    Load Balancing Workspace ONE UEM Admin API

    1. Creating a Custom Health Monitor

    Follow the navigation path described in the health monitor section for the Workspace ONE UEM Admin Console.

    Enter the details in the New Health Monitor as shown below:

    Click on Save and proceed to the next step of creating a persistence profile.

    2. Creating a Persistence Profile

    Follow the navigation path described in the Creating a Persistence Profile section for the Workspace ONE UEM Admin Console.
    Recommended persistence method: source IP persistence or cookie-based persistence, with the timeout value less than the policy retrieval interval for some services (for example, Secure Email Gateway).

    • Click on Save and proceed to create the required pool as shown in the next section.

    3. Creating Pool

    Follow the navigation path described in the Creating Pool section for the Workspace ONE UEM Admin Console.

    • Load balancing algorithm: Least Connections
    • Persistence profile: created in the previous step. Click on Add Active Monitor and select the custom HTTPS monitor that was created in the previous step.

    For SSL offload, the Enable SSL option is not required at the pool level, as traffic goes to the back end in plain text. If the back-end server listens only on SSL and the requirement is to send traffic in encrypted form, enable SSL at the pool level: select the Enable SSL checkbox, select the appropriate SSL profile, and click on Next.

    Add the server details.

    4. Creating an Application Profile

    As a best practice, all HTTP requests should be redirected to HTTPS. Load balancers for UEM must be configured to set the XFF header with the client's source IP address. Other options are not mandatory; they depend on the requirement. The default System-Secure-HTTP profile can also be used instead of creating a new profile.

    Navigate to Templates > Profiles > Application, click on Create, and add the details as shown below.

    Note: Select the X-Forwarded-For checkbox.

    Select the Security tab and enable HTTP-to-HTTPS Redirect and the other options as shown below.

    Some of these options can be skipped if not required.

  • Click on Save and proceed to the next step of installing a certificate.

    5. Installing SSL Certificate for L7 Virtual Service

    Refer to the Installing SSL Certificate for L7 Virtual Service section for the Workspace ONE UEM Admin Console.

    6. Creating an L7 Virtual Service

    Follow the navigation path described for creating a Layer 7 virtual service for the Workspace ONE UEM Admin Console.

    Select the following:

    • Application Profile: UEM-L7-ApplicationProfile (created in the previous section)
    • Port: 80 and 444 (SSL)
    • Pool: UEM-API-Pool (created previously)

    • For SSL profile, use the default SSL profile, or create a new one as per the requirement. For SSL certificate, install the certificate and bind it to the virtual service as shown above.

    Load Balancing Workspace ONE UEM Device Services

    1. Creating a Custom Health Monitor

    Follow the same navigation path as described above for the other applications.

    Enter the details for the new health monitor as shown below:

    Click on Save and proceed to the next step of creating a persistence profile.

    2. Creating a Persistence Profile

    Preferred persistence method: source IP persistence with the timeout value set to 20 minutes.

    3. Creating a Pool

    Select the following options while creating a pool for Workspace ONE UEM Device Services:

    • Load balancing algorithm: Least Connections
    • Persistence profile: UEM-DeviceService-Persistence (created in the previous step)
    • Custom HTTPS monitor: UEM-DeviceService-Monitor (created in the previous step)

    For SSL offload, the Enable SSL option is not required at the pool level, as traffic goes to the back end in plain text.
    If the back-end server listens only on SSL and the requirement is to send traffic in encrypted form, enable SSL at the pool level: select the Enable SSL checkbox, select the appropriate SSL profile, and click on Next.

    4. Creating an Application Profile

    As a best practice, all HTTP requests should be redirected to HTTPS. Load balancers for UEM must be configured to set the XFF header with the client's source IP address. Other options are not mandatory; they depend on the requirement. The default System-Secure-HTTP profile can also be used instead of creating a new profile.

    Navigate to Templates > Profiles > Application, click on Create, and add the details as shown below.

    Note: Select the X-Forwarded-For checkbox.

    Select the Security tab and enable HTTP-to-HTTPS Redirect and the other options as shown below.

    Some of these options can be skipped if not required.

  • Click on Save and proceed to the next step of installing a certificate.

    5. Installing SSL Certificate for L7 Virtual Service

    Refer to the previous section for installing SSL certificates.

    6. Creating an L7 Virtual Service

    Use the same steps as in the previous section to create an L7 virtual service.

    Click on Next; the rest of the settings can be left at their defaults. Click on Next and click on Save.

    Load Balancing AirWatch Cloud Messaging

    For load balancing AirWatch Cloud Messaging (AWCM), the requirement is to persist connections based on the awcmsessionid present in the cookie, URI or HTTP header. This can be done using one of the following:

    • Consistent Hash (covered in this document)
    • Using DataScript to maintain persistence tables

    1. Creating a Custom Health Monitor

    The navigation path is the same as used for the other applications described above.

    2. Creating Pool

    Follow the same steps as described in the previous sections for creating a pool.

    AWCM needs persistence based on the parameter awcmsessionid in either the URI or a header. In this example, consistent hash based on a custom string is used; the custom string is defined in the following steps using a DataScript.

    Click on Next and add the required servers. Click on Next and click on Save.

    3. Creating an Application profile

    As a best practice, all HTTP requests should be redirected to HTTPS. Load balancers for UEM must be configured to set the XFF header with the client's source IP address. Other options are not mandatory; they depend on the requirement. The default System-Secure-HTTP profile can also be used instead of creating a new profile.

    Navigate to Templates > Profiles > Application, click on Create, and add the details as shown below.

    Note: Select the X-Forwarded-For checkbox.

    Some of these options can be skipped if not required.

    For AWCM, it is required to keep the front-end connection open for 2 minutes. Navigate to the DDoS tab and change the HTTP Keep-Alive Timeout to 120 seconds.

    4. Creating a DataScript

    Follow the steps below to create a DataScript and associate it with the AWCM pool:

    Navigate to Templates > Scripts > DataScripts, and click on Create.

    Add a DataScript in the Request Event section and bind the AWCM pool to the DataScript.

    Use the following script (Lua, using the Avi DataScript API):
    -- Look for the AWCM session id in the query string, then in a header, then in a
    -- cookie, and consistent-hash on whichever is found so that the same session
    -- always reaches the same AWCM server.
    query = avi.http.get_query("awcmsessionid")
    header = avi.http.get_header("awcmsessionid")
    cookie = avi.http.get_cookie("awcmsessionid")
    if query ~= nil then
        avi.vs.log("QUERY HASH: " .. query)
        avi.pool.select("AWCM-Pool")
        avi.pool.chash(query)
    elseif header ~= nil then
        avi.vs.log("HEADER HASH: " .. header)
        avi.pool.select("AWCM-Pool")
        avi.pool.chash(header)
    elseif cookie ~= nil then
        avi.vs.log("COOKIE HASH: " .. cookie)
        avi.pool.select("AWCM-Pool")
        avi.pool.chash(cookie)
    else
        -- No session id yet: select the pool and let its configured algorithm pick a server.
        avi.vs.log("NIL HASH")
        avi.pool.select("AWCM-Pool")
    end
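What the DataScript achieves, as an added Python example that is not Avi's or VMware's code: the same lookup order (query string, then header, then cookie) feeds a consistent hash ring, so one awcmsessionid always lands on the same AWCM server, and removing a different server from the pool does not move it. Server names and session ids are constructed samples.

```python
# Added example (not Avi or VMware code): the same awcmsessionid must reach the
# same AWCM server. Lookup order mirrors the DataScript above (query string,
# then header, then cookie); server names and session ids are constructed.
import hashlib
from bisect import bisect
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_KEY = "awcmsessionid"


def extract_session_id(uri, headers):
    """Return (session_id, where_found) in the DataScript's lookup order."""
    q = parse_qs(urlsplit(uri).query).get(SESSION_KEY)
    if q:
        return q[0], "query"
    hdrs = {k.lower(): v for k, v in headers.items()}
    if SESSION_KEY in hdrs:
        return hdrs[SESSION_KEY], "header"
    jar = SimpleCookie(hdrs.get("cookie", ""))
    if SESSION_KEY in jar:
        return jar[SESSION_KEY].value, "cookie"
    return None, None


class ConsistentHashRing:
    """Ring with virtual nodes, as avi.pool.chash relies on: removing one server
    remaps only the sessions that server owned, so everyone else stays put."""
    def __init__(self, servers, vnodes=64):
        self.vnodes, self.points, self.owners = vnodes, [], {}
        for s in servers:
            self.add(s)
    @staticmethod
    def _h(key):
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    def add(self, server):
        for i in range(self.vnodes):
            p = self._h(f"{server}#{i}")
            self.owners[p] = server
            self.points.insert(bisect(self.points, p), p)
    def remove(self, server):
        gone = {p for p, s in self.owners.items() if s == server}
        self.points = [p for p in self.points if p not in gone]
        for p in gone:
            del self.owners[p]
    def select(self, key):
        idx = bisect(self.points, self._h(key)) % len(self.points)
        return self.owners[self.points[idx]]


def choose_server(uri, headers, ring):
    """Server for one request; None means no session id (the DataScript's else
    branch), so the pool's own algorithm picks a server."""
    sid, _ = extract_session_id(uri, headers)
    return ring.select(sid) if sid else None
```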

    5. Creating an L7 Virtual Service

    Select the following when creating a virtual service for AWCM:

    • Application Profile: UEM-L7-ApplicationProfile (created in the previous section)
    • Port: 443 and 2001 (SSL)
    • Pool: UEM-API-Pool (created previously)

    Click on Next and navigate to the DataScript tab. Create a new DataScript entry and use the script AWCM-DataScript created in the previous step.

    Click on Save DataScript.

    Load Balancing VMware Tunnel (Tunnel Proxy)

    1. Creating Health Monitor

    Create two health monitors — an HTTPS monitor on port 2020 and a TCP monitor on port 8443.

    HTTPS Monitor on port 2020

    TCP Monitor on port 8443

    2. Creating Persistence Profile

    For VMware Tunnel (Tunnel Proxy), Client IP Address persistence is recommended with the timeout value set to 30 minutes.

    Click on Save and proceed to the next step of creating a pool for servers.

    3. Creating Pool

    The navigation path is the same as for creating a pool for the other applications described above. Select the following while creating the pool:

    • Load balancing algorithm: Least Connections
    • Persistence profile: Tunnel-Persistence-Profile (created in the previous step)
    • The Enable SSL option is not required for the pool.
    • Custom HTTPS monitor: Tunnel-HTTPS (created in the previous step)

    Select the Disable Port Translation checkbox as shown below.

    4. Creating Application profile

    For the tunnel service, SSL pass-through is required. Create an L4 application profile or use the default System-L4-Application profile.

    5. Creating L4 virtual service

    To create the new L4 virtual service, use the steps below:

    Navigate to Applications > Virtual Services and select the Advanced Setup.

    Select the System-L4-Application as the Application Profile and configure the virtual service as shown below:

    • TCP/UDP Profile: System-TCP-Fast-Path
    • Port: 8443 (select Override TCP/UDP) and 2020 (UDP)
    • Pool: Tunnel-service-pool (created in the previous step)

    Load Balancing VMware Tunnel (Per-App VPN)

    1. Creating Health Monitor

    Log in to the Avi UI and navigate to Templates > Profiles > Health Monitors. Follow the steps below to create a TCP monitor on port 443.

    2. Creating Persistence Profile

    Client IP Address persistence is recommended with the timeout value set to 30 minutes.

    3. Creating Pool

    Select the following while creating a pool for VMware Tunnel Per-App VPN:

    • Load balancing algorithm: Least Connections
    • Persistence profile: Tunnel-Persistence-Profile (created in the previous step)

    Click on Add Active Monitor and select the TCP monitor Tunnel-TCP.

    4. Creating Application profile

    For the tunnel service, SSL pass-through is required. Create an L4 application profile or use the default System-L4-Application profile.

    5. Creating L4 virtual service

    To create a new L4 virtual service, use the steps below:
