VMware Identity Manager Load Balancing

Last Modified: Sep 1, 2016 @ 8:23 am

This topic assumes you’ve already set up one Identity Manager appliance as detailed at http://www.carlstalhood.com/vmware-identity-manager/


💡 = Recently Updated

NetScaler Configuration

TLS 1.0 is disabled in Identity Manager 2.6 and newer, so the load balancer must speak TLS 1.2 to the appliances on the back end. NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58; NetScaler VPX added it in 11.0 build 65. If your load balancer cannot do TLS 1.2 on the back end, VMware KB 2144805, Enabling TLS 1.0 protocol in VMware Identity Manager 2.6, describes re-enabling TLS 1.0 on the appliance. Treat that as a stopgap: it weakens the connection between the load balancer and the appliances, so upgrade the load balancer instead where you can.

In Identity Manager 2.7 and newer, VMware recommends a minimum of three nodes. See Recommended Number of Nodes in VMware Identity Manager Cluster at VMware Pubs. 💡

Set up the load balancing before you clone the appliance. GUI instructions are in this section; or skip to the CLI Commands.

  1. In your NetScaler, go to Traffic Management > Load Balancing > Monitors and add a monitor.
  2. Give it a name and select HTTP as the Type.

  3. On the Standard Parameters tab check the box next to Secure.
  4. On the Special Parameters tab set the HTTP request to GET /SAAS/auth/login.
  5. Go to Traffic Management > Load Balancing > Servers and add a server that points to the IP address of your Identity Manager appliance.

  6. Go to Traffic Management > Load Balancing > Service Groups and add a Service Group.
  7. Give it a name.
  8. The protocol is SSL. Note: if you configured certificate-based client authentication in Identity Manager, then use SSL_BRIDGE instead of SSL.
  9. Bind a Member to it and specify port 443.
  10. On the right, add the Settings section.
  11. Check the box for Client IP and enter X-Forwarded-For.
  12. Bind a monitor and select the Identity Manager monitor you created earlier.
  13. Go to Traffic Management > SSL > Certificates and install a certificate.
  14. Go to Traffic Management > Load Balancing > Virtual Servers and add a Virtual Server.
  15. Give it a name and enter a VIP.
  16. Protocol = SSL. Note: if you configured certificate-based client authentication in Identity Manager, then use SSL_BRIDGE instead of SSL.
  17. Bind the Service Group created earlier.
  18. Bind the certificate. This certificate must match the name users will use to access Identity Manager.
  19. On the right add Persistence.
  20. Select SSLSESSION and give it a timeout of 60 minutes or more.
  21. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver MyvServer -certkeyName MyCert
    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
    bind ssl vserver MyvServer -eccCurveName ALL
    bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
  22. Create another Load Balancing Virtual Server on HTTP port 80. Configure it to redirect HTTP to HTTPS.
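Step 11 inserts the client address in X-Forwarded-For so that Identity Manager sees the real client instead of the NetScaler SNIP, which matters for anything that keys on the client address (Network Ranges, for example). That header is ordinary request data: a client can send its own X-Forwarded-For, and a proxy in front of the load balancer may add hops of its own. Whether the load balancer appends to or replaces what the client sent, the safe rule on the receiving side is to walk the chain from the right and trust only addresses that belong to proxies you control. The Python below is an added example, not code from the original post, Citrix, or VMware; the proxy range, function names, and sample requests are this example's own assumptions.

```python
# Added example (not code from the original post, Citrix, or VMware): pick the
# client address that the load balancer vouched for, and contrast it with the
# common mistake of taking the first X-Forwarded-For value. The proxy range
# and sample requests below are constructed.
import ipaddress

# Assumption: back-end traffic from the load balancer arrives from 10.2.2.0/24
# (the NetScaler SNIPs). Adjust to the addresses your appliances actually see.
TRUSTED_PROXIES = [ipaddress.ip_network("10.2.2.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(xff_header, peer_ip):
    """The common mistake: take the left-most X-Forwarded-For value.

    Whatever the client put in the header itself is honoured, so a user can
    choose which address, and therefore which policy, applies to them."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    return hops[0] if hops else peer_ip


def client_ip_trusted(xff_header, peer_ip):
    """Pick the client address that a proxy we control vouched for.

    Start from the TCP peer. If it is not one of our proxies, the header
    cannot have been set by us and is ignored. Otherwise walk the header
    right-to-left, skipping trusted proxy hops; the first other address is
    the client. An unparseable value stops the walk and falls back to the
    peer rather than trusting anything to its left."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed requests as the appliance would see them behind the NetScaler:
# (X-Forwarded-For header value, TCP peer address).
SAMPLES = {
    "normal":   ("198.51.100.7", "10.2.2.5"),
    "spoofed":  ("192.168.1.10, 198.51.100.7", "10.2.2.5"),  # client sent its own XFF
    "direct":   ("192.168.1.10", "203.0.113.9"),             # bypassed the load balancer
    "two_hops": ("198.51.100.7, 10.2.2.8", "10.2.2.5"),      # another proxy in front of the LB
}

if __name__ == "__main__":
    for name, (xff, peer) in SAMPLES.items():
        print(f"{name:9} naive={client_ip_naive(xff, peer):15} "
              f"trusted={client_ip_trusted(xff, peer)}")
```

In the "spoofed" sample the naive rule returns the internal-looking 192.168.1.10 that the client chose, while the trusted rule returns 198.51.100.7, the address the load balancer appended. Keep TRUSTED_PROXIES to the load balancer's SNIPs (and any reverse proxy in front of it); listing the whole internal network would let any internal host spoof the header.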

CLI Commands

Here are the CLI commands for the configuration shown above. IP addresses are not included on this page: replace the <...> placeholders with your appliance IPs, the VIP, and any unused address for the dummy server behind the AlwaysUp service. That service exists only to keep the HTTP redirect virtual server UP so its responder policy is evaluated, which is why its health monitor is disabled. Note the bind of the Identity monitor to the service group, and the unbind of the default ciphers before binding the Modern group; without the first the monitor is never used, and without the second the DEFAULT cipher group stays bound alongside Modern.

add server IM01 <IM01-IP>
add server IM02 <IM02-IP>
add server IM03 <IM03-IP>
add server <dummy-server> <unused-IP>
add lb monitor Identity HTTP -respCode 200 -httpRequest "GET /SAAS/auth/login" -secure YES
add service AlwaysUp <dummy-server> HTTP 80 -healthMonitor NO
add serviceGroup svcgrp-IM SSL -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-IM IM01 443
bind serviceGroup svcgrp-IM IM02 443
bind serviceGroup svcgrp-IM IM03 443
bind serviceGroup svcgrp-IM -monitorName Identity
add lb vserver lbvip-IM-SSL SSL <VIP> 443 -persistenceType SSLSESSION -timeout 60
add lb vserver identity.corp.com-HTTP-SSLRedirect HTTP <VIP> 80
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
bind lb vserver identity.corp.com-HTTP-SSLRedirect AlwaysUp
bind lb vserver lbvip-IM-SSL svcgrp-IM
bind lb vserver identity.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
set ssl vserver lbvip-IM-SSL -sslRedirect ENABLED -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
unbind ssl vserver lbvip-IM-SSL -cipherName ALL
bind ssl vserver lbvip-IM-SSL -cipherName Modern
bind ssl vserver lbvip-IM-SSL -certkeyName WildCorpCom
bind ssl vserver lbvip-IM-SSL -eccCurveName ALL

Load Balancing FQDN

  1. In the Identity Manager appliance, go to Appliance Settings > Manage Configuration.
  2. On the left, click Install Certificate.
  3. On the right, switch to the Terminate SSL on a Load Balancer tab.
  4. Paste in the root certificate of the chain that issued the certificate bound on the load balancer, in PEM (Base64) format, so the appliance trusts the load balancer that terminates SSL in front of it. Click Save.
  5. Click OK to restart the appliance.

  6. On the left, click the Identity Manager FQDN page.
  7. Enter the FQDN that resolves to the VIP on the load balancer and click Save.
  8. The appliance will restart.
  9. Connect to the load balanced DNS name, select Local Users, and log in as admin.
  10. Go to Catalog > Settings.
  11. On the left, click New End User Portal UI.
  12. On the right, click Enable New Portal UI.
  13. You should then be able to login to the portal and get your list of apps.

Clone Appliance

In Identity Manager 2.7 and newer, VMware recommends a minimum of three nodes. See Recommended Number of Nodes in VMware Identity Manager Cluster at VMware Pubs. 💡

  1. Login to the appliance console.
  2. If you see the file /etc/udev/rules.d/70-persistent-net.rules, delete it.
  3. Shut down the original Identity Manager appliance.
  4. Clone the Identity Manager appliance.
  5. Give the cloned appliance a name and select a folder.
  6. In the Select clone options page, do not customize. Check the box next to Power on virtual machine and click Next.
  7. In the Customize vApp properties page, expand Networking Properties.
  8. Change the hostname and IP address for the new appliance. Click Next and Finish.

  9. After cloning is complete, the original Identity Manager appliance can be powered on.
  10. Once both appliances are booted, log in to one of them and run curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'. Make sure number_of_nodes matches the number of appliances (two at this point) and status is green. It might take a couple of minutes before the nodes become clustered.
  11. Also run rabbitmqctl cluster_status and make sure it shows both nodes.
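Step 10 above checks Elasticsearch with a single curl of /_cluster/health. The Python below is an added example, not code from the original post or from VMware: it evaluates that endpoint's JSON against the number of appliances you expect, reports why the cluster is not yet usable, and polls until it is, since the nodes take a few minutes to cluster. The health documents embedded in it are constructed to look like the endpoint's output and are not captured from an appliance; the URL, cluster name, and polling parameters are assumptions.

```python
# Added example (not code from the original post or from VMware): evaluate
# and poll the Elasticsearch cluster health on an Identity Manager appliance
# after cloning. The sample documents below are constructed, not captured.
import json
import time
import urllib.request

# Assumption: the same endpoint the curl command in step 10 uses.
HEALTH_URL = "http://localhost:9200/_cluster/health?pretty=true"


def evaluate_health(health_json, expected_nodes):
    """Return (ready, problems) for one _cluster/health document.

    ready is True only when the status is green, the node count matches
    the number of appliances that were cloned, and no shards are unassigned.
    A yellow cluster with the right node count usually means replicas are
    still being allocated and simply needs more time."""
    h = json.loads(health_json)
    problems = []
    if h.get("timed_out"):
        problems.append("request timed out waiting for cluster state")
    status = h.get("status")
    if status != "green":
        problems.append(f"status is {status!r}, expected 'green'")
    nodes = h.get("number_of_nodes", 0)
    if nodes != expected_nodes:
        problems.append(f"{nodes} node(s) in cluster, expected {expected_nodes}")
    unassigned = h.get("unassigned_shards", 0)
    if unassigned:
        problems.append(f"{unassigned} unassigned shard(s)")
    return (not problems, problems)


def fetch_health(url=HEALTH_URL):
    """Default fetcher: GET the health endpoint on the local appliance."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def wait_for_cluster(expected_nodes, fetch=fetch_health, attempts=24,
                     delay=5.0, sleep=time.sleep):
    """Poll until evaluate_health passes or attempts run out.

    Returns (ready, last_problems). fetch and sleep are injectable so the
    loop can be exercised without an appliance. Connection errors (the
    node's Elasticsearch not listening yet) count as a failed attempt."""
    problems = ["no health response received"]
    for attempt in range(attempts):
        try:
            ready, problems = evaluate_health(fetch(), expected_nodes)
        except (OSError, ValueError) as exc:  # connection refused, bad JSON, ...
            ready, problems = False, [f"health request failed: {exc}"]
        if ready:
            return True, []
        if attempt < attempts - 1:
            sleep(delay)
    return False, problems


# Constructed health documents, in the order a freshly cloned two-node
# cluster typically passes through: second node not joined yet, then
# replicas being allocated, then green.
SAMPLE_HEALTH = [
    '{"cluster_name":"horizon","status":"yellow","timed_out":false,"number_of_nodes":1,'
    '"active_shards":5,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":5}',
    '{"cluster_name":"horizon","status":"yellow","timed_out":false,"number_of_nodes":2,'
    '"active_shards":8,"relocating_shards":0,"initializing_shards":2,"unassigned_shards":0}',
    '{"cluster_name":"horizon","status":"green","timed_out":false,"number_of_nodes":2,'
    '"active_shards":10,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0}',
]


def scripted_fetch(docs):
    """Build a fetch() that returns the constructed documents in turn,
    repeating the last one once the list is exhausted."""
    state = {"i": 0}

    def fetch():
        doc = docs[min(state["i"], len(docs) - 1)]
        state["i"] += 1
        return doc
    return fetch


if __name__ == "__main__":
    # Offline run over the constructed documents; on an appliance, call
    # wait_for_cluster(2) with the default fetcher instead.
    ready, why = wait_for_cluster(2, fetch=scripted_fetch(SAMPLE_HEALTH),
                                  sleep=lambda s: None)
    print("ready" if ready else "not ready: " + "; ".join(why))
```

The expected node count is a parameter on purpose: with VMware's three-node recommendation the same check is run with 3 after the second clone, and a cluster that is green but short a node is reported as not ready rather than silently accepted.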

Additional Connector

  1. In the Admin Portal, go to Identity & Access Management > Setup > Connectors. Find the new cloned Connector and click Join Domain.
  2. Select the domain name.
  3. Enter credentials that can join the domain and click Join Domain.
  4. On the Connectors tab, click the blue hostname link for the original Connector.
  5. Switch to the Auth Adapters tab and note which ones are enabled.
  6. Click each enabled adapter and note its settings.
  7. Back in the Connectors screen, click the blue link for the hostname of the new cloned Connector.
  8. Switch to the Auth Adapters tab.
  9. Click the link for any adapter you want to enable and configure it.
  10. Repeat for any other adapters that need to be enabled and configured.
  11. If you go back to Identity & Access Management > Setup > Connectors, notice that both connectors are enabled for Authentication but only one of them is enabled for Sync. Only one Connector can perform directory sync. To change the configured Connector, see Enabling Directory Sync on Cloned Instance in the Event of a Failure at pubs.vmware.com.

Add to NetScaler

  1. In NetScaler, go to Traffic Management > Load Balancing > Servers and add a Server for the new appliance.

  2. Go to Traffic Management > Load Balancing > Service Groups and edit the existing Identity Manager Service Group.
  3. Bind a new Member and select the new appliance on Port 443. The rest of Load Balancing should already have been configured.


For multi-datacenter, see Deploying VMware Identity Manager in Secondary Data Center with Active-Active Read-Only Capability at pubs.vmware.com.

    • The database in the primary datacenter is replicated to the secondary datacenter.
    • The Identity Manager appliances in the secondary datacenter have read-only connectivity to the database in the secondary datacenter.
    • Horizon Connection Server groups are configured in failover order.
    • NetScaler GSLB or F5 GTM handles failover of the Identity Manager DNS name.


13 thoughts on “VMware Identity Manager Load Balancing”

  1. I know it’s been a while since anyone posted on this….

    First Thanks for all the amazing wealth of info you post on here.

    Just wondered if you wanted to update with new best practice to deploy 3 IDM appliances for the Elasticsearch functionality not working with only 2 nodes. Other than that amazing!!!!


    That’s it, again can’t say enough how much I appreciate your step by steps and the sheer amount of time to screenshot and document.

  2. Hello Carl. Thank you for your answer.

    Yes, I use SAML and all icons are OK. When I click on it, the browser opens “a URL” (the Connection Server Name…). This *must* be a balanced/public name? In effect, internally it works (DNS resolution is OK), but externally no. What are the best practices you know to implement access from outside?

    Please let me know and many thank you for your patience.


    1. Your internal “Network Range” should use an internal DNS name that is load balancing Connection Servers. The external “Network Ranges” should use a DNS name that resolves to the Access Point that can proxy the PCoIP connection to the internal Agents.

      1. Thank you for your suggestion. I think this is the problem I have… For now, I have a unique FQDN (load balancer) that is resolved with a public IP externally (Secure Gateways) and with an internal IP from internal (Connection Server).

        Just another “little” question. I have an internal Connection Server that is on a separate POD that (for license problems) has two RDSH Servers configured. This CS is configured under the previous IM.

        When I click on an RDSH application, I have the previous problem: the URL is mapped with the name/IP of my RDSH. I must do the same configuration (load balancer vs RDSH Servers)?

        Many thanks.

  3. Hello Carl. Thank you very much for your articles!

    A “little” question. I would like to access my Horizon View desktops/RDSH applications through Identity Manager (IM).

    I have configured an Access Point appliance that acts as reverse proxy vs IM. Under IM, I have configured my 4 Connection Servers (2 standard CS and 2 Secure Gateway).

    From internal it’s all OK (it seems…) because the internal names of the CS are resolved. But from external?

    How must I configure IM to resolve this?

    Thank you


    1. Are you not able to see View icons in Identity Manager? Or are you not able to launch icons? For launching, you edit the Network Range to specify the external URL for View.

      1. Hello Carl. I have not tried, but from external we have RSA enabled. My doubts are: when I access from the Internet through AP and, then, to IM, how can IM direct this request of authentication to the correct CS? And after: from the Internet the name of the CS used must be resolved. Is that true?

        Thank you very much

        1. Hello Carl,

          any idea? I would like to clarify. From external, I “must” resolve my Connection Server names (when I log on to Identity Manager). Is that true? How can I accomplish this goal?

          Thank you very much

          1. Identity Manager is connected to the Connection Servers using SAML authentication, correct? Is this the problem you’re having? So you don’t see any of the View Pools in Identity Manager? The IM Connector is responsible for communicating with View Connection Servers.

            After the icons are displayed, when you click one of them, the PCoIP connection goes through the URL (Access Point) defined in the Network Range.

  4. Hey Carl. I’ve been trying to figure something out…. In your setup, you mention “Paste in the root certificate in PEM (Base64) format”. Where did you get this certificate from?

    1. Double-click the certificate. On the Certification Path tab, double-click the top Cert. On the Details tab, click Copy to File and export it in Base-64 format.

  5. Good Afternoon Carl, I have a question regarding Netscaler Gateway 11 and Identity Management. One of our clients purchased a Netscaler Gateway Universal license for their Horizon Suite implementation. They thought it was needed to load balance their Identity Management and Security Servers. My understanding is the Netscaler Gateway can only be used for a Citrix XenApp/XenDesktop environment due to the STAs. Is there any use for the Netscaler Gateway if our customer is using Identity Management connecting to their Horizon environment? I am unable to find any information on it while researching, but hoping there can be some use to this. The licenses were quite expensive… Thank You

    1. Maybe if they’re using Identity Mgr with XenApp. Or maybe if they want a VPN tunnel. Otherwise Identity Mgr just needs regular SSL reverse proxy (load balancing) and Security Server or Access Point handles the PCoIP connection.
