Horizon NSX-T

SAML Authentication with Workspace ONE Access: Part 3 Load Balancer Configuration

This is the 3rd part to my series on setting up SAML Authentication using Workspace ONE Access. During this article, we will configure the NSX-T Load Balancer for our Workspace ONE Access cluster. If you need to catch up, here are links to the prior articles in this series:

IMPORTANT NOTE: This is not how I would prefer to setup my Load Balancer. However, there is a HUGE restriction when using an Evaluation License with your #HomeLab NSX-T environment: You cannot terminate SSL connections or configure an HTTPS Active Monitor. In a production environment, both of these characteristics would be critical to ensuring your Load Balancer is leveraging active nodes in a HA/LB cluster and all SSL certificates are presented to the user at the right level. I would stick to the VMware Validated Designs when fielding a production system. As of this writing, version 6.2 is the current VVD release.

The first step in this *abbreviated* process will be to create an Active Monitor to provide a simple means to test whether the servers in our server pool are active on the network. You are going to configure an Active Monitor here, but not the one I would recommend for production use. An Active Monitor provides NSX-T with a mechanism to determine if your service/server is active and accepting connections. In a production environment, you would use a HTTP or HTTPS Active Monitor and leverage a REST-based API call. In the case of Workspace ONE Access, the following API endpoint is designed for this exact purpose:

HTTP Method: Get
HTTP request URL: /SAAS/API/1.0/REST/system/health/heartbeat
HTTP request version: 1.1

You would send this HTTP request to the HTTPS Port (443) of the Workspace ONE Access node to determine if it is healthy (HTTP Response Code 200, ok).

NSX-T 3.1 supports the following kinds of Active Monitors: HTTP, HTTPS, ICMP, TCP, UDP. If you can describe the packet to send and the expected response, you can support this. In our #HomeLab environment, we are going to use a simple ICMP Active Monitor to test that the servers are active on the network. Caution: This test will not tell you if the service is active, just whether the server is alive on the network. It’s better than nothing. Log into the NSX-T Manager appliance and select the “Networking” tab. Scroll down to get to the “Load Balancing” item on the left-hand menu (under Network Services). Click on “Monitors” tab as shown here:

Click on the drop-down for “Add Active Monitor” and select “ICMP”:

Fill in the details for the Active Monitor as shown in the image below. This will send an ICMP packet every 3 seconds with a 10 second timeout. It will mark a node “Down” after 3 failed checks. It will mark a “Down” node “Up” after 3 successful checks. The interval and timeout are from the VVD.

Click “Save” and click over to the “Server Pool” tab shown below to configure a Server Pool that contains the servers supported by this Load Balancer. This should show you a screen like this:

Click on the “Add Server Pool” button. This will bring up a fillable page where you can describe your new Server Pool:

The default option for LB Algorithm is “Round Robin.” I chose the “Least Connection” option to mirror the VVD for this application. The available options are listed here:

Round RobinIncoming client requests are cycled through a list of available servers capable of handling the request. Server pool member weights are ignored (if configured).
Weighted Round RobinEach server is assigned a weight value that signifies how that server performs relative to other servers in the pool. The load balancing algorithm focuses on fairly distributing the load among the available server resources.
Least ConnectionDistributes client requests to multiple servers based on the number of connections already on the server. New connections are sent to the server with the fewest connections.
Weighted Least ConnectionEach server is assigned a weight value that signifies how that server performs relative to other servers in the pool. The load balancing algorithm focuses on fairly distributing the load among the available server resources.
IP HashSelects a server based on a hash of the source IP address and the total weight of all the running servers.
Source: VMware NSX-T 3.1 Administration Guide

Click on the “Set” link next to “Active Monitors”. When you do, you will see a dialog with the configured Active Monitors, including the one you created earlier. Check the block next to “icmp-active-monitor” and click “Apply.”

This brings us back to the Server Pool configuration page.

Now we need to add the members of the Server Pool. We are going to add Individual Members, but you could easily use a NSX-T group. With the “Enter individual members” radio button selected, click on “Add Member”. Fill in the details for all of the Workspace ONE Access nodes. At this point, we’ve created only the first node. However, we need to add the details for the other two nodes prior to their deployment, as shown in the next two images. Click “Apply” when you’re done.

Once all of the options are set for the Server Pool, click “Save” to save the server pool.

From now on, you can either create the Load Balancer or the Virtual Server next. However, if you create the Virtual Server first, you will have to go back to it’s configuration in order to assign the Load Balancer. In this case, we’re going to start with the Load Balancer and move forward. Select the “Load Balancers” tab

Click the “Add Load Balancer” button to create a new Load Balancer. Fill in the details for your setup. I am connecting this Load Balancer to my primary T1 gateway. You will need to size the Load Balancer to meet your needs. However, most #HomeLab environments will be fine with a “Small” setup. Click “Save” to save the basic settings.

Click “Yes” to continue configuring the Load Balancer. We’re going to add the Virtual Server next. This is going to be IP address that you will use as the Workspace ONE Access URL. I created a DNS entry for with the IP shown below. Select the “Set” button to create and assign the Virtual Server. When the “Set Virtual Servers” dialog comes up, select the “Add Virtual Server” drop down. This is another change from what I would recommend for a Production environment. With our Evaluation License, we are unable to create a “L7 HTTP” virtual server because of the restrictions on SSL usage. Instead, we are going to create a “L4 TCP” Virtual Server.

Configure the name, IP address, and port as shown below. Select the Server Pool you created previously. For the “Application Profile”, I just chose the default TCP Load Balance profile. Click “Save” when you’re done.

Once the virtual server is created, it will show as “Degraded” once initialized. That is because we only have 1 of the 3 appliance nodes established. This will be resolved once you bring the other two nodes online.

Click “Close” to return to the Load Balancer configuration. We are not going to configure a Virtual IP (VIP) for the administrative port (8443). This port is reserved for each individual node. We’re done with our configuration, so go ahead and click “Save”. That’s it! You have successfully created a Load Balancer for your Workstation ONE Access cluster.

For a #HomeLab environment, this setup will work VERY well. It will provide you with a flexible LB for your lab needs. It will provide a means to sample load balancing various workloads and the ability to have a basic health check capability. Enjoy creating Load Balancers for your #HomeLab testing needs!

One reply on “SAML Authentication with Workspace ONE Access: Part 3 Load Balancer Configuration”

Leave a Reply