Horizon View provides a secure method for granting users access to their desktops from anywhere with an Internet connection on any device without needing a VPN connection. Now that a desktop pool has been set up and desktops are provisioned, it’s time to set up that remote access.
The Security Server
The View Security Server is VMware’s method of addressing remote access. This component of the Horizon View environment contains a subset of the Connection Server components, and it is designed to sit in a DMZ and act as a gateway for Horizon View Clients. It’s essentially a reverse proxy for your View environment.
Each Security Server that is deployed needs a corresponding Connection Server, and they are paired during the installation process. Because the Security Server is an optional component, each Connection Server is not required to have one, and a Connection Server cannot be paired to more than one Security Server.
Each Security Server also needs a static IP address. If it is externally facing, it will need to have a publicly addressable static IP. This IP address does not need to be configured on the server’s network card as both Static 1:1 NAT and PAT work with Horizon View.
Security Server Firewall Ports
In order to enable remote access, a few ports need to be opened on any firewalls that sit between the network where the Security Server has been deployed and the Internet. If the server is deployed into a DMZ, the firewall will also need to allow traffic between the Security Server and the Connection Server.
The rules that are required on the front-end, Internet-facing firewall are:
- HTTP – TCP 80 In
- HTTPS – TCP 443 In
- HTTPS – TCP 8443 both directions (if Blast is used)
- PCoIP – TCP 4172 In, UDP 4172 both directions
If you are deploying your Security Servers in a DMZ configuration with a back-end firewall, you need to configure your firewall to allow IPSEC traffic to the Connection Servers. These rules depend on whether network address translation is used between the DMZ and Internal network. For more information on the rules that need to be enabled, please see this VMware KB article.
The Security Server will also need to communicate with the Horizon View desktops. The following ports will need to be opened to facilitate this:
- PCoIP – TCP/UDP 4172 both directions
Note: If you’re using application-aware firewalls like Palo Alto Networks devices, make sure that any application protocols required by Horizon View aren’t blocked between the DMZ and Internal network. Also, updates to the application signatures or the PCoIP protocol may impact users’ access to virtual desktops.
Configuring Horizon View for a Security Server
The Security Server installation will prompt for a Connection Server to be paired with and a pairing password during the install process. This must be set up before the installation starts. To set up the pairing password, take the following steps:
1. In View Administrator, go to View Configuration –> Servers
2. Click on the Connection Servers tab and select the Connection Server you want to pair with.
3. Click on More Commands and select “Specify Security Server Pairing Password.”
4. Specify your pairing password. When you do this, you will also be able to configure how long that password will be valid for. If the password is not entered in that time period, or if you encounter errors with the install that are not resolved before the timeout period expires, you will need to create a new password.
Note: Pairing passwords can time out or be invalidated by hitting the back button during the Security Server installation after the pairing password has been entered. If this happens, the password will need to be recreated using the steps above.
Installing the View Security Server
Once the pairing password is set up, you can start the Security Server installation.
1. Double-click the installer to start the installation.
2. Accept the license agreement
3. The next screen gives you the option to change the installation directory by clicking the Change button. For this installation, we’ll be installing to the default location, so click Next.
4. Select Security Server
5. Enter the hostname or IP address of the Connection Server the Security Server will be paired with.
6. Enter the pairing password.
7. In order for View Clients to properly connect to the Security Server, you need to configure the External URLs for the server. The items that need to be configured are:
- External URL – the fully-qualified public domain name and port such as view.remotedomain.com:443
- PCoIP External URL – the public IP address and port number. If this server is behind a NAT, this should be the IP address that can be reached from the Internet. Example: 4.4.4.4:4172
- Blast External URL – the fully-qualified public domain name and port used by VMware Blast such as html5desktop.remotedomain.com:8443
8. The View Installer will give you the option to automatically configure the Windows Firewall for View. Click Next to allow the installer to set up the Windows Firewall. If you do not want the installer to configure the firewall, you will need to configure these rules manually after installation.
Note: This also configures the IPSec Rules that are needed for secure communication between the Security Server and the Connection Server.
9. Click Install to finish the installation.
10. Click Finish to close the installer.
11. If you log back into View Administrator and go to View Configuration –> Servers –> Security Servers, you should see your newly added Security Server.
Comments
Post a Comment