Streaming Gateway Appliance

Overview

Organizations using the Frame platform may have users accessing Frame-managed workloads from within their private network or from the Internet. If the users are on the Internet, then the customer can require users to access these through a corporate VPN or deploy Nutanix Frame Streaming Gateway Appliance (SGA), a secure reverse proxy that supports the Frame Remoting Protocol (FRP). The SGA provides organizations the option to grant their users secure access to their virtualized applications and/or desktops without the use of a VPN.

The following documents will guide organizations through the design, installation, and configuration scenarios for the Streaming Gateway Appliance, accounting for varying infrastructure and networking combinations. These guides assume that the customer has an existing Frame customer entity or organization entity.


Network Requirements

To deploy an SGA, the company’s network must allow Internet traffic to reach the SGA VM in the DMZ and from the SGA VM to the network containing the Frame-managed workloads (e.g., Sandbox, production pools, Utility Servers). The SGA VM or VMs (if high-availability is required) are assumed to be deployed in a DMZ which is separate from the workload network.

SGA for AHV

Consult the network protocol and port summary for SGA on AHV using the desired FRP version to ensure that network routing requirements are satisfied before continuing.

SGA for Public Cloud

Consult the network protocol and port summary for SGA in Public Cloud with Private Networking using the desired FRP version to ensure that network routing requirements are satisfied before continuing.

Installation


SGA 3 is the newest iteration of Frame’s Streaming Gateway Appliance. Customers wishing to use SGA 3 will find the following improvements:

  • Support for both FRP7 (WebSocket) and FRP8 (WebRTC, Early Access)

  • Improved management and monitoring features

  • SGA 3 is provisioned as a persistent VM, which enables any configuration settings and logs to persist in the event the SGA VM must be rebooted. SGA 3 is intended for use on a VM only.

  • Improved reliability in automatic provisioning of Let’s Encrypt-issued TLS certificates when automatically provisioning SGAs in public cloud.

Additional enhancements can be found in our official release notes.

SGA 3 - AHV and Public Cloud

Warning

SGA 2 will be deprecated by the end of 2022. Nutanix Frame strongly recommends using SGA 3 in your network configuration. SGA 2 documents are still available for reference, however, customers using SGA 2 should plan to move to SGA 3 in the near future following the auto-deployed or manually deployed SGA upgrade instructions.

Sizing Recommendations

Customers who are manually deploying SGA VMs can start with a VM configuration of 2 vCPUs and 4 GB RAM for each SGA VM. A 2 vCPU VM is able to process ~1 Gbps of Frame Remoting Protocol traffic. Nutanix recommends a sizing target of 500 Mbps per 2 vCPUs so that users have headroom to burst their bandwidth consumption.

The total number of concurrent users for the 500 Mbps bandwidth per 2 vCPU budget is dependent on the bandwidth consumed for the Frame sessions. Bandwidth consumption may be estimated based on user workload profiles:

  • 1 Mbps per Frame session for office productivity applications, CPU-only VMs, under 30 fps, 2K or less monitors

  • 5 Mbps per Frame session for CAD applications, GPU-backed VMs, up to 60 fps, 2K or less monitors

  • 10 Mbps or greater per Frame session for video editing/animation/sustained playback, GPU-backed VMs, up to 60 fps, 2K or less monitors

In an office productivity use case, for example, where CPU-only VMs are used with standard 1920 x 1080 displays, the default (2 vCPU, 4 GB RAM) VM configuration could support 500 concurrent users. For 1,000 concurrent users, the same organization would need to leverage at least a 4 vCPU, 8 GB RAM VM. An 8 vCPU, 16 GB RAM VM could support 2,000 concurrent users for this use case.
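The sizing rule above (500 Mbps of FRP traffic per 2 vCPUs, 2 GB RAM per vCPU, and the per-profile session estimates) as a small capacity planner. This is an added example, not a Nutanix tool; the 8 vCPU per-VM cap and the extra spare VM for the HA pool are assumptions of this example, not figures from the guide.

```python
import math

# Budgets from the guide: 500 Mbps of FRP traffic per 2 vCPUs, and the quoted
# VM sizes (2 vCPU/4 GB, 4/8, 8/16), i.e. 2 GB of RAM per vCPU.
MBPS_PER_TWO_VCPU = 500
GB_RAM_PER_VCPU = 2

# Per-session bandwidth estimates by workload profile, from the guide.
PROFILE_MBPS = {"office": 1, "cad": 5, "video": 10}


def total_bandwidth_mbps(users_by_profile):
    """Sum the per-session estimates for a mix such as {"office": 400, "cad": 20}."""
    return sum(PROFILE_MBPS[profile] * count
               for profile, count in users_by_profile.items())


def size_sga_vm(users_by_profile):
    """Smallest (vCPU, GB RAM) pair that keeps the mix within the
    500 Mbps per 2 vCPU budget. vCPUs are allocated in pairs."""
    mbps = total_bandwidth_mbps(users_by_profile)
    pairs = max(1, math.ceil(mbps / MBPS_PER_TWO_VCPU))
    vcpus = 2 * pairs
    return vcpus, vcpus * GB_RAM_PER_VCPU


def size_ha_pool(users_by_profile, max_vcpu_per_vm=8):
    """Spread the same budget over several SGA VMs behind the load balancer.
    Each VM is capped at max_vcpu_per_vm (an assumed limit) and one spare VM
    is added so capacity survives the loss of any single SGA VM (assumed N+1)."""
    vcpus, _ = size_sga_vm(users_by_profile)
    active = math.ceil(vcpus / max_vcpu_per_vm)
    per_vm = 2 * math.ceil(vcpus / active / 2)  # keep an even vCPU count per VM
    return {"vms": active + 1,
            "vcpu_per_vm": per_vm,
            "gb_ram_per_vm": per_vm * GB_RAM_PER_VCPU}


if __name__ == "__main__":
    print(size_sga_vm({"office": 1000}))                        # (4, 8)
    print(size_ha_pool({"office": 3000, "cad": 100, "video": 50}))
```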

High Availability

SGA can be deployed in a high availability configuration for redundancy and scale-out by placing the SGA VMs behind a load balancer solution. The recommended solution is comprised of one or two load balancers (physical or virtual) and two or more SGA VMs.

[Figure: SGA high availability deployment with load balancer (SGA_diagram3.png)]

A set of public IP addresses must be assigned and configured within the appropriate network components:

  • Wildcard DNS A record (e.g., *.sga.company.com) needs to resolve to a public IP address, either on the firewall or on the load balancer, for the SGA VMs.

  • The public SGA IP address is network address translated (NAT) to the virtual SGA IP address (LBVIP in the diagram above) on the load balancer.

  • For FRP8, each SGA VM has its own public IP address which then is network address translated to the SGA VM private IP address. Once FRP8 finishes its protocol negotiation using HTTPS, the FRP8 UDP traffic does not go through the load balancer.

The load balancer must be configured, as follows:

  • SSL/TLS Passthrough (terminate SSL/TLS on SGA VMs, not on Load Balancer)

  • Virtual SGA IP address maps to one of the private IP addresses of the SGA VM(s) within the load balancer

  • Persistent SSL traffic from virtual SGA IP address to an SGA VM based on client (user) IP address and SSL session

Warning

Customers must take care to minimize the possibility that the load balancer switches a user’s Secure WebSocket connection (when using FRP7) from one SGA VM to another SGA VM. Switching the Secure WebSocket connection while a user is in an FRP7 session may cause the session to disconnect and require the end user’s browser or Frame App to reconnect.

Health Check URL

Customers can configure their load balancer to query the following internal endpoint to check the health of the SGA. It is highly recommended to use external access controls (firewalls, security groups) to restrict access to this service to trusted sources only.

http://<sga hostname or IP>:8888/_frame_sga_health

The endpoint will return a HTTP response status code of 200 if SGA instance is healthy or 500 if there are any issues with the SGA.

Version URL

Customers can query the following internal endpoint to obtain the version of the SGA. It is highly recommended to use external access controls (firewalls, security groups) to restrict access to this endpoint to trusted sources only.

http://<sga hostname or IP>:8888/_frame_sga_version

The endpoint will return the product name and version. For example,

{
  "prod_name":"Nutanix Frame Streaming Gateway Appliance",
  "prod_version":"3.0.0-RC1+e48adcb.aws"
}

User Flow Example

A Frame user logs in to the Frame Platform and is directed to their Launchpad. When the user clicks the desktop or application icon in their Launchpad, Frame Platform directs the user’s browser to an FQDN based on the SGA subdomain, as configured by Nutanix Frame Support, for the Frame account.

For example, if the subdomain was sga.company.com and the workload VM had a private IP address of 10.2.1.3, the workload FQDN would be 10-2-1-3.sga.company.com. This workload FQDN resolves to the public IP address on the customer’s firewall. The firewall performs NAT and sends the request to the virtual SGA IP address (LBVIP). One of the load balancers receives the request and forwards it to one of the SGA VMs. The load balancer is configured to persist any HTTPS requests and the Secure WebSocket connection for that user on the assigned SGA VM.

Internal Access to SGA-enabled Workloads

Frame administrators may want users within their private network to access the workloads of an SGA-enabled Frame account at the same time users on the Internet are accessing workloads in the same Frame account.

[Figure: internal and Internet users reaching the same SGA-enabled Frame account (SGA_internal_users.png)]

To enable users on your private network to use the SGA-enabled Frame account, configure your internal DNS servers to return the private IP address of the SGA VM (or the virtual private IP address of the SGA on your load balancer) for the SGA subdomain. Simply add the SGA subdomain as a wildcard DNS A record in your private DNS server as you did in your public DNS server.

Note

Depending on your network security policies, you may need to update your firewall rules so end users on your private network can reach the SGA VMs. Refer to the network configuration requirements for Frame on AHV (Frame Guest Agent 8 with FRP7, with SGA) or for Frame on public cloud (Public Cloud with Private Networking and SGA), row “End user to SGA”, for the specific protocols and ports that must be allowed to the SGA VM or to the load balancer (if there is more than one SGA VM). In this case the source IP address of the end user’s endpoint is a private IP address instead of a public one.

Multi-Frame Account Support

A manually-deployed SGA can be configured to serve as the reverse proxy for multiple Frame accounts. The configuration procedure depends on the SGA version.

When providing the Frame workloads VLAN CIDR in the SGA Toolbox, specify a CIDR value that covers the CIDRs of the individual Frame accounts. For example, if Frame Account #1 uses 10.0.0.0/24 and Frame Account #2 uses 10.0.1.0/24, then specify a CIDR of 10.0.0.0/23 for the SGA.
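The hostname-to-workload mapping from the User Flow Example above, together with the covering-CIDR rule for multiple accounts, as an added example (not SGA code): it builds the dashed-IP workload FQDN, and, on the proxy side, recovers the private IP from the Host header and only accepts it when it falls inside the configured workload CIDR. The subdomain sga.company.com and the 10.0.0.0/23 CIDR are the constructed values used in this guide.

```python
import ipaddress
import re
from typing import Optional

# Constructed values matching the examples in this guide.
SGA_DOMAIN = "sga.company.com"
WORKLOAD_CIDRS = [ipaddress.ip_network("10.0.0.0/23")]  # covers both accounts

_DASHED_IPV4 = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def workload_fqdn(private_ip: str, domain: str = SGA_DOMAIN) -> str:
    """FQDN the Frame Platform directs the browser to: the workload's private
    IPv4 address with dots replaced by dashes, under the SGA subdomain."""
    ip = ipaddress.IPv4Address(private_ip)  # ValueError if not a valid IPv4
    return str(ip).replace(".", "-") + "." + domain


def resolve_backend(host: str, domain: str = SGA_DOMAIN,
                    cidrs=WORKLOAD_CIDRS) -> Optional[str]:
    """Proxy-side reverse of workload_fqdn. Returns the private IP to forward
    to, or None when the request must be rejected: wrong subdomain, a label
    that is not a single dashed IPv4 address, an invalid octet, or an address
    outside every configured workload CIDR (never proxy to those)."""
    host = host.rstrip(".").lower()
    suffix = "." + domain.lower()
    if not host.endswith(suffix):
        return None
    match = _DASHED_IPV4.match(host[:-len(suffix)])
    if not match:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(match.groups()))
    except ValueError:
        return None
    if not any(ip in cidr for cidr in cidrs):
        return None
    return str(ip)


if __name__ == "__main__":
    print(workload_fqdn("10.2.1.3"))                      # 10-2-1-3.sga.company.com
    print(resolve_backend("10-0-1-7.sga.company.com"))    # 10.0.1.7
    print(resolve_backend("192-168-1-1.sga.company.com"))  # None (outside CIDR)
```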

Use the steps below to configure your SGA 2 for multiple Frame accounts:

  1. Configure the memory and vCPU using the SGA sizing recommendations above on your SGA to account for scaling up.

  2. Log in to the SGA VM.

  3. SSH into your SGA or use the AHV console, navigate to /etc/nginx, and copy your nginx.conf to nginx.conf.bck as a backup.

  4. Verify that from a networking perspective, you can ping/reach/route to the Frame workloads in the other networks or subnets from the SGA. Do not continue until you confirm your SGA can reach the additional account workload networks.

  5. Execute the following command as root on the SGA VM:

cd /usr/local/bin && ./gen_proxy_config.py --domain sga.company.com --cidr 10.0.1.0/24 10.0.2.0/24 > /etc/nginx/nginx.conf

systemctl restart nginx

Note

The command line syntax above assumes that you have Python in your path and the latest gen_proxy_config.py downloaded.

  6. Submit a support ticket following the instructions in Step 7.