john harpell

Recently, a client wanted to implement Horizon View for their workforce and use their existing Cisco ASA Web SSL VPN to provide access to the desktops. That’s not an unreasonable constraint; they have an existing investment and a system that works, and they don’t want to throw that away. The end users like the capability to connect using a web browser and set up a secure connection to internal resources and use of the AnyConnect client was a non-starter, politically.

Unfortunately, research revealed that the Cisco ASA Web SSL VPN tunnel is TCP based and does not support UDP based traffic. In order to use DTLS and tunnel UDP packets with a Cisco ASA, each user must use the AnyConnect client. The issue is that PCoIP is a UDP based protocol and therefore could not be used across the specified VPN connection (the importance of this is covered here: At this point, I decided for a reality check and contacted Cisco to find out how they recommended implementing Horizon View desktops across a Cisco ASA based VPN.

They confirmed the issue, communicated that they were perfectly aware of it, and knew of no plans to do anything about it. I was not really feeling the love for Cisco at this point. They did have some suggestions for workarounds. Notable alternatives for consideration included using the Blast protocol, or RDP, or requiring the users to use the AnyConnect client. Placing Horizon View Security Servers accessible to the external users was another idea, but the security vetting process concerns and increased infrastructure to implement/manage made that a difficult choice.

None of these alternatives was optimal, though all are viable, and it was time to think outside the box. I was simply stunned that the Cisco ASA Web SSL VPN would not support UDP traffic, so I looked at other vendors to see if there were alternatives that would support what the client wanted by integrating properly with the Horizon View PCoIP protocol. There are. And I also found out that the client’s Cisco ASAs were approaching EOL – suddenly an elegant solution came into focus.

Some benefits of the F5 Big IP (Local Traffic Managers) LTMs with the (Access Policy Manager) APM module:

  • integrates easily with Horizon
  • provides a browser based VPN connection that supports DTLS and therefore PCoIP
  • provides load-balancing capability
  • supports 2F
  • client-side compliance checks
  • connects with AD/ADFS as an identity source.

F5 has worked closely with VMware on the solution, and maintains a reference architecture, deployment guide and additional technical documentation.

As a technical solution, it is outstanding, both performance and feature rich. And as it turned out, the networking team was actively moving in the direction of F5, and had a pair of LTMs in production already. We were able to fund a scale-up of the LTMs and additional APM licensing for the network team, and they are helping us with the design, security documentation and implementation of the remote access portion of the new Horizon View implementation.

We will implement configuration changes to the APM module on the LTMs for a pilot group of users, allowing them to authenticate and be authorized for Horizon View desktops and RDSH hosted apps.  The APM module will manage load balancing, authentication and authorization, and application access management. It can be configured for SAML/etc., and can provide SSO access to all internal applications, cloud or SaaS applications, and virtual desktops.

So, if you run into a situation where you need to deliver Horizon View desktops via a Cisco ASA Web SSL VPN, you have choices; workarounds or a new VPN solution like F5.

Categories: Technology
© 2015 GANTECH

EUC Roadmap White Paper