Secure Global Desktop 4.40 Administration Guide > SGD Servers, Arrays, and Load Balancing > Load Balancing User Sessions

Load Balancing User Sessions

User session load balancing is concerned with choosing a SGD server to log in to. You can use a number of mechanisms to choose an SGD server, such as an external hardware load balancer or round-robin DNS.

When load balancing user sessions, the most important factor is session persistence. A user session begins when a user logs in to an SGD server and the session is owned by that server. As the user interacts with SGD, further HTTP requests are sent over the webtop connection to the SGD Web Server. If network connections are load-balanced, webtop HTTP requests might be directed to any SGD server in the array. If a webtop HTTP request goes to an SGD server that does not own the user session, this can cause the user session to transfer to that SGD server (sometimes called session grabbing) and the windows of any running applications might disappear, or the request can cause the visible state of the user's session to be incorrect. This means to load balance user sessions successfully, webtop HTTP requests must persist so that they always go to the correct SGD server.

In a default SGD installation, additional configuration using a load-balancing JavaServer Page (JSP) is required to make webtop HTTP connections persistent. The JSP contains a JavaScript script that sets a cookie, and that cookie is used to redirect webtop HTTP requests to the correct server.

The load-balancing JSP can only be used if the following conditions are met:

Web browsers must have cookies and JavaScript enabled.
The Sun Secure Global Desktop Client must be in webtop mode. Integrated mode is not supported.

The load-balancing JSP can be used in two ways:

The JSP selects an SGD server from a list using a round-robin mechanism.
The JSP supports an external mechanism for selecting an SGD server.

Using The Load-Balancing JSP to Distribute User Sessions

To use the load-balancing JSP to distribute user sessions, one member of the array acts as the load distribution server. The following configuration uses the primary server in the array.

On the Primary SGD in the array, log in as superuser (root).
Copy the load-balancing JSP files to the /sgd web application directory.
```
# cd /opt/tarantella/webserver/tomcat/*/webapps/sgd/
# cp -rp admin/loaddist/ swcd/
```
Note When you copy the files, ensure you use the -p option to preserve the file permissions.
Edit the load-balancing JSP (swcd.jsp).
1. Add the external DNS names of the SGD servers to be load balanced.
  Amend the hosts = new Array section, for example:
```
hosts[0] = "http://www1.example.com"
hosts[1] = "http://www2.example.com"
...
hosts[4] = "http://www5.example.com"
```
  If you are using secure connections, ensure the URLs begin https://.
  
  Note Only include the primary server in the list if you want the primary server to host user sessions.
2. Set the LBHOST variable.
  Remove the first comment marks (//) as follows:
```
var LBHOST = null // Not in Load Balancer/Round Robin DNS mode
```
3. Save the changes.
Configure the entry point JSP to use the load-balancing JSP.
1. Edit index.jsp and change the first line to the following:
```
<%@ include file="swcd/swcd.jsp" %>
```
2. Save the change.
Tell users the login URL to use, for example http://primary.example.com/sgd.
The login URL must be the primary server.

Note The http://primary.example.com URL can also be used, but this URL cannot be used in a Client Profile.

To configure HTTPS connections:

Use an HTTP connection to the primary SGD serve.
Configure HTTPS URLs for the hosts in the load-balancing JSP

If needed, users can log in to the primary server by using the URL of the webtop as the login URL, for example use http://primary.example.com/sgd/standard.jsp for the standard webtop.

Using an External Mechanism to Distribute User Sessions

When using an external mechanism, such as a hardware load balancer or round-robin DNS, for load balancing user sessions, the following factors are important:

External DNS names - The SGD servers in the array must be directly accessible using their external DNS names. If an external load balancer is acting as a firewall, a switch or a router, it must be configured to allow access using the external DNS names.
Adaptive Internet Protocol (AIP) connections - As with webtop HTTP connections, AIP connections must go to a particular SGD server. An external load balancer must not distribute the connections to different SGD servers in the array.
AIP is not HTTP - If you have enabled SGD security services, AIP connections are encrypted using SSL. If an external load balancer decrypts the SSL for an AIP request, it cannot handle the remaining contents.
URL re-writing - An external load balancer can be configured re-write URLs. The impact of a connection to SGD using a URL containing a host name that does not match the external DNS name of the SGD server is not known.
Virtual hosting multiple HTTPS connections - To use HTTPS connections to an external load balancer and the SGD Web Server requires two certificates: one for the load balancer DNS name and one for the external DNS name of the SGD server. You can only do this by using virtual hosting to create two web servers on the same host each with a different DNS name. However, the web servers must use either different TCP ports or different IP addresses.

The following configuration is an example of using the load-balancing JSP with an external hardware load balancer. The load balancer is also an SSL accelerator. The load balancer has also been configured to allow access to the SGD servers using their external DNS names. With this configuration:

Users make HTTPS connections to the load balancer DNS name.
The load balancer decrypts the SSL request and forwards it as an HTTP request to the external DNS name of the selected SGD server.
The load-balancing JSP on the array member checks for the load-balancing cookie and redirects the HTTP request as needed.

You configure the load-balancing JSP as follows:

Log in as superuser (root) on the host.
Copy the load-balancing JSP files to the /sgd web application directory.
```
# cd /opt/tarantella/webserver/tomcat/*/webapps/sgd/
# cp -rp admin/loaddist/ swcd/
```
Note When you copy the files, ensure you use the -p option to preserve the file permissions.
Edit the load-balancing JSP (swcd.jsp).
1. Add the external DNS names of the SGD servers to be load balanced.
  Amend the hosts = new Array section, for example:
```
hosts[0] = "http://www1.example.com"
hosts[1] = "http://www2.example.com"
...
hosts[4] = "http://www5.example.com"
```
2. Set the LBHOST variable.
  Remove the first comment marks (//) and enter the external DNS name of the host, for example:
```
var LBHOST = "http://www1.example.com"" // LB mode
```
3. Save the changes.
Configure the entry point JSP to use the load-balancing JSP.
1. Edit index.jsp and change the first line to the following:
```
<%@ include file="swcd/swcd.jsp" %>
```
2. Save the change.
Repeat steps 1 to 4 on each SGD server in the array, including the primary server.
Tell users the login URL to use, for example https://loadbalancer.indigo-insurance.com/sgd.
The login URL must contain the load balancer DNS name.

Note The https://loadbalancer.example.com URL can also be used, but this URL cannot be used in the client profile.

To use HTTPS connections to the SGD servers, ensure that the URLs in the load-balancing JSP begin https://. Then perform either of the following configuration:

Configure the external load balancer to terminate the load-balanced HTTPS connection and then regenerate the connection as an HTTPS connection to the external DNS name of the SGD server.
Assign an additional IP address to the SGD host and configure the host to use this address. Configure the SGD Web Server to listen on the additional IP address and associate the certificate for the load balancer with this address. Configure the SGD Web Server to associate the external DNS name of the SGD server with the original IP address of the server. Configure the load balancer to use the additional IP addresses.

Using SGD in firewall forwarding mode can also help to simplify the configuration needed when using an external load balancer. With firewall forwarding, the HTTP and AIP connections to SGD are made over a single port, usually TCP port 443. The SGD server listens on this port for any AIP traffic and forwards all other traffic to the SGD Web Server.

Load Balancer Decrypts SSL Connections

If SGD security services are enabled and the external load balancer is configured to decrypt SSL connections and forward them as unencrypted connections, you must configure each SGD server in the array to accept plain text connections on the secure port. You do this as follows:

In the SGD Administration Console, click the Secure Global Desktop Servers tab and select an Secure Global Desktop server.
Click the Security tab.
Select the SSL Accelerator Support check box.
Click Save.
Repeat these steps for each SGD server in the array.
Install the security certificate for each SGD server in the array on the external load balancer.

Alternatively, use the following command:

$ tarantella config edit --array --security-acceptplaintext 1

This configuration allows the SGD SSL daemon to accept plain text on the port configured for secure connections and forward it to SGD as SSL traffic it had decrypted itself.

Additional Configuration

This section describes the additional configuration available for the load-balancing JSP.

Using Another Webtop

By default, the standard webtop is used. To use another webtop, for example a customized webtop, amend the following line:

var TARGET="/sgd/standard.jsp"

Localized Splash Screen

By default, the load-balancing JSP displays a splash screen in English using the images in the /sgd/swcd/ directory. To display a localized splash screen, change the default location of the splash screen images as follows:

// ** Location of gif files
<%
// If the gifs are located in the locale dependent resource use the Path below
String path = getContextPath(request) + "/resources/images/splash/locale=" + getBestSupportedLocale(request) + "/";

// Default location
//String path = "swcd/";
%>

Other Variables

The following tables lists the other variables used by the load-balancing JSP.

Variable	Default	Description
`SGDLDCOOKIE`	`SGD_SWCDCOOKIE`	The name of the cookie used for load balancing purposes.
`TIMEOUT`	10000	The time in milliseconds the load-balancing JSP waits for a response from the SGD Web Server on the selected host. If the timeout period elapses, the next host in the list is tried.
`TESTGIF`	`/sgd/resources/images/webtop/secure.gif`	The file the load-balancing JSP attempts to get from the web server on the selected host. This is used to check whether the host is available.

Related Topics
Understanding Load Balancing