During deployment, Workspace is set up inside the internal network. If you want to provide access to Workspace for users connecting from outside networks, you must install a load balancer, such as Apache, nginx, F5, and so on, in the DMZ.
This process is unfortunately outside of VMware’s Documentation scope as every environment is different and we do not recommend a particular vendor/service over another.
NGINX, however, is a free and robust option that can at least get you up and running for your external users fairly quickly. This won’t be a comprehensive how-to, but should certainly be useful in getting you started!
In this example, we’ll be using Ubuntu Server 12.04 for the NGINX server. I performed a default install and enabled only the OpenSSH service during install. Once Ubuntu is installed and has the desired IP and hostname, go ahead and install nginx:
sudo apt-get install nginx
You can configure nginx.conf to include all the reverse proxy information in a single file. In my setup, however, NGINX needs 3 things in order to work with Workspace:
- SSL Certificates
Here is a copy of what my nginx.conf looks like: /etc/nginx/nginx.conf (HUGE thanks to Tomi Vakala from vReality)
# nginx configuration file
# User to run nginx processes as. Ensure this user exists on your system!
# Worker processes
error_log /var/log/nginx/error.log warn;
# Use epoll on Linux, kqueue on *BSD and Mac OS X
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
access_log /var/log/nginx/access.log main;
# Enable sendfile for improved performance on Linux
# Enable nagle algorithm to buffer more data before sending
# Setup client buffers
# Enable gzip compression
gzip_buffers 128 8k;
- server_name (this is the public facing FQDN)
- ssl_certificate (your certificate’s full chain)
- proxy_pass (what nginx is proxying to – the internal Workspace instance name)
- [Updated] proxy_redirect off;
— I originally missed number 5 here in my config and it caused issues when enabling Kerberos in my environment. More on proxy_redirect here
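The settings listed above, shown together in one server block. This is an added example, not the author's nginx.conf: the hostnames and file paths are placeholders, and `listen` and `ssl_certificate_key` are included only because nginx needs them to terminate SSL.

```nginx
# Added example. Hostnames and file paths are placeholders,
# not values from the original post.
server {
    # Terminate SSL for external users on the standard HTTPS port
    listen 443 ssl;

    # server_name: the public-facing FQDN that external users browse to
    server_name workspace.example.com;

    # ssl_certificate: the certificate's full chain
    # (server certificate first, then the intermediates)
    ssl_certificate     /etc/nginx/ssl/workspace-fullchain.pem;

    # Private key matching the certificate above; keep it readable by root only
    ssl_certificate_key /etc/nginx/ssl/workspace.key;

    location / {
        # proxy_pass: the internal Workspace instance name
        proxy_pass https://workspace-internal.example.local;

        # proxy_redirect off: pass Location and Refresh headers from
        # Workspace through unchanged instead of letting nginx rewrite them
        proxy_redirect off;
    }
}
```

Run `sudo nginx -t` to check the syntax before reloading nginx.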