Secure Global Desktop 4.31 Administration Guide > Arrays, servers and load balancing > Load balancing webtop sessions

Load balancing webtop sessions

Webtop session load balancing is concerned with choosing a Secure Global Desktop server to log in to. You can use a number of mechanisms to choose an Secure Global Desktop server, such as an external hardware load balancer or round-robin DNS.

When load balancing webtop sessions, the most important factor is webtop session persistence. A webtop session begins when a user logs in to a Secure Global Desktop server and the session is owned by that server. As the user interacts with Secure Global Desktop, further HTTP requests are sent over the webtop connection to the Secure Global Desktop Web Server. If network connections are load-balanced, webtop HTTP requests might be directed to any member of the array. If a webtop request goes to an array member that does not own the webtop session, this can cause the webtop session to transfer to that array member (sometimes called session grabbing) and the windows of any running applications might disappear, or the request can cause the visible state of the user's webtop session to be incorrect. This means to load balance webtop sessions successfully, webtop requests must persist so that they always go to the correct Secure Global Desktop server.

In a default Secure Global Desktop installation, additional configuration using a load-balancing JavaServer Page (JSP) is required to make webtop connections persistent. The JSP contains a JavaScript script that sets a cookie, and that cookie is used to redirect webtop HTTP requests to the correct server.

The load-balancing JSP can only be used if the following conditions are met:

Web browsers must have cookies and JavaScript enabled.
The Sun Secure Global Desktop Client must be in webtop mode. Integrated mode is not supported.

The load-balancing JSP can be used in two ways:

The JSP selects an Secure Global Desktop server from a list using a round-robin mechanism.
The JSP supports an external mechanism for selecting an Secure Global Desktop server.

Using the load-balancing JSP to distribute webtop sessions

To use the load-balancing JSP to distribute webtop sessions, one member of the array acts as the load distribution server. The following configuration uses the primary server in the array.

On the Primary server in the array, log in as superuser (root).

Copy the load-balancing JSP to the /sgd web application directory.

# cd /opt/tarantella/webserver/tomcat/*/webapps/sgd/
# cp -r admin/loaddist/ swcd/

Edit the load-balancing JSP.
- Add the external DNS names of the Secure Global Desktop servers to be load balanced.
  Amend the hosts = new Array section, for example:
```
hosts[0] = "http://www1.indigo-insurance.com"
hosts[1] = "http://www2.indigo-insurance.com"
...
hosts[4] = "http://www5.indigo-insurance.com"
```
  If you are using secure connections, ensure the URLs begin https://.
  
  Note Only include the primary server in the list if you want the primary server to host webtop sessions.
- Set the LBHOST variable.
  Remove the first comment marks (//) as follows:
```
var LBHOST = null // Not in Load Balancer/Round Robin DNS mode
```
- Save the changes.
Configure the entry point JSP to use the load-balancing JSP.
- Edit index.jsp and change the first line to the following:
```
<%@ include file="swcd/swcd.jsp" %>
```
- Save the change.
Tell users the login URL to use, for example http://primary.indigo-insurance.com/sgd.
The login URL must be the primary server.

Note The http://primary.example.com URL can also be used, but this URL cannot be used in a Client Profile.

To configure HTTPS connections:

Use an HTTP connection to the primary Secure Global Desktop server.
Configure HTTPS URLs for the hosts in the load-balancing JSP.

If needed, users can log in to the primary server by using the URL of the webtop as the login URL, for example use http://primary.indigo-insurance.com/sgd/standard.jsp for the standard webtop.

Using an external mechanism to distribute web sessions

When using an external mechanism for load balancing, such as a hardware load balancer or round-robin DNS, the following factors are important:

External DNS names - The Secure Global Desktop servers in the array must be directly accessible using their external DNS names. If an external load balancer is acting as a firewall, a switch or a router, it must be configured to allow access using the external DNS names.
Adaptive Internet Protocol (AIP) connections - As with webtop connections, AIP connections must go to a particular Secure Global Desktop server. An external load balancer must not distribute the connections to different members of the array.
AIP is not HTTP - If you have enabled Secure Global Desktop security services, AIP connections are encrypted using SSL. If an external load balancer decrypts the SSL for an AIP request, it cannot handle the remaining contents.
URL re-writing - An external load balancer can be configured re-write URLs. The impact of a connection to Secure Global Desktop using a URL containing a host name that does not match the external DNS name of the Secure Global Desktop server is not known.
Virtual hosting multiple HTTPS connections - To use HTTPS connections to an external load balancer and the Secure Global Desktop Web Server requires two certificates: one for the load balancer DNS name and one for the external DNS name of the Secure Global Desktop. You can only do this by using virtual hosting to create two web servers on the same host each with a different DNS name. However, the web servers must use either different TCP ports or different IP addresses.

The following configuration is an example of using the load-balancing JSP with an external hardware load balancer. The load balancer is also an SSL accelerator. The load balancer has also been configured to allow access to the Secure Global Desktop servers using their external DNS names. With this configuration:

Users make HTTPS connections to the load balancer DNS name.
The load balancer decrypts the SSL request and forwards it as an HTTP request to the external DNS name of the selected Secure Global Desktop server.
The load-balancing JSP on the array member checks for the load-balancing cookie and redirects the HTTP request as needed.

You configure the load-balancing JSP as follows:

Copy the load-balancing JSP to the /sgd web application directory.

# cd /opt/tarantella/webserver/tomcat/*/webapps/sgd/
# cp -r admin/loaddist/ swcd/

Edit the load-balancing JSP.
- Add the external DNS names of the Secure Global Desktop servers to be load balanced.
  Amend the hosts = new Array section, for example:
```
hosts[0] = "http://www1.indigo-insurance.com"
hosts[1] = "http://www2.indigo-insurance.com"
...
hosts[4] = "http://www5.indigo-insurance.com"
```
- Set the LBHOST variable.
  Remove the first comment marks (//) and enter the external DNS name of the host, for example:
```
var LBHOST = "http://www1.indigo-insurance.com"" // LB mode
```
- Save the changes.
Configure the entry point JSP to use the load-balancing JSP.
- Edit index.jsp and change the first line to the following:
```
<%@ include file="swcd/swcd.jsp" %>
```
- Save the change.
Repeat steps 1 to 4 on each member of the array, including the primary server.
Tell users the login URL to use, for example https://loadbalancer.indigo-insurance.com/sgd.
The login URL must contain the load balancer DNS name.

Note The https://loadbalancer.example.com URL can also be used, but this URL cannot be used in the Client Profile.

To use HTTPS connections to the Secure Global Desktop servers, ensure that the URLs in the load-balancing JSP begin https://. Then perform either of the following configuration:

Configure the external load balancer to terminate the load-balanced HTTPS connection and then regenerate the connection as an HTTPS connection to the external DNS name of the Secure Global Desktop server.
Assign an additional IP address to the Secure Global Desktop host and configure the host to use this address. Configure the Secure Global Desktop Web Server to listen on the additional IP address and associate the certificate for the load balancer with this address. Configure the Secure Global Desktop Web Server to associate the external DNS name of the Secure Global Desktop with the original IP address of the server. Configure the load balancer to use the additional IP addresses.

Using Secure Global Desktop in firewall forwarding mode can also help to simplify the configuration needed when using an external load balancer. With firewall forwarding, the HTTP and AIP connections to Secure Global Desktop are made over a single port, usually TCP port 443. The Secure Global Desktop server listens on this port for any AIP traffic and forwards all other traffic to the Secure Global Desktop Web Server.

If Secure Global Desktop security services are enabled and the external load balancer is configured to decrypt SSL connections and forward them as unencrypted connections, you must configure each array member to accept plain text connections on the secure port. In Array Manager, on each array member's Security panel, check Accept plaintext on secure port. Also the security certificate for each array member must be installed on the external load balancer. This allows the Secure Global Desktop SSL daemon to accept plain text on the port configured for secure connections and forward it to Secure Global Desktop as SSL traffic it had decrypted itself.

Additional Configuration

This section describes the additional configuration available for the load-balancing JSP.

Using another webtop

By default, the standard webtop is used. To use another webtop, for example a customized webtop, amend the following line:

var TARGET="/sgd/standard.jsp"

Localized splash screen

By default, the load-balancing JSP displays a splash screen in English using the images in the /sgd/swcd/ directory. To display a localized splash screen, change the default location of the splash screen images as follows:

// ** Location of gif files
<%
// If the gifs are located in the locale dependent resource use the Path below
String path = getContextPath(request) + "/resources/images/splash/locale=" + getBestSupportedLocale(request) + "/";

// Default location
//String path = "swcd/";
%>

Other variables

The following tables lists the other variables used by the load-balancing JSP.

Variable	Default	Description
`SGDLDCOOKIE`	`SGD_SWCDCOOKIE`	The name of the cookie used for load balancing purposes.
`TIMEOUT`	10000	The time in milliseconds the load-balancing JSP waits for a response from the Secure Global Desktop Web Server on the selected host. If the timeout period elapses, the next host in the list is tried.
`TESTGIF`	`/sgd/resources/images/webtop/secure.gif`	The file the load-balancing JSP attempts to get from the web server on the selected host. This is used to check whether the host is available.

Related topics
Introducing webtop and emulator session load balancing Introducing application server load balancing