Horizon View Security Server

VMware Horizon View Security Server is another component of the Horizon View which provides and additional layer security between  Internet and the internal network you have deployed Horizon View infrastructure. In this post I will be sharing the information about Horizon View Security Server ,  installation and integration with Connection Server .

Why Security Server ?

Security Server is one of the important  component of Horizon View when it is publishing to external network . Security server main role is to secure the VMware Horizon environment by minimizes the attack surface on the internal network in  View Connection Server  and the ports opened to the outside world .

As a best practice Security Server should be on demilitarized zone (DMZ) network and from DMZ  security server will allow  the connection to  for the internal Horizon View Connection Server.

Supported Operating System

Operating System Version Edition
Windows Server 2008 R2 SP1 64-bit Standard , Enterprise , Datacenter
Windows Server 2012 R2 64-bit Standard , Datacenter
Windows Server 2016 64-bit Standard , Datacenter

Note:-If you prefer a Linux appliance, you may use  VMware Unified Access Gateway  (UAG) . Also you may install one or more security servers to be connected to a View Connection Server instance ( Not covered on this Post )

Minimum and Recommended Hardware Configuration

Hardware Component Minium Requirement Recommended
Processor 1.4 GHz or faster processor with 2 CPUs 2GHz or faster and 4 CPUs
Networking One or more 10/100Mbps NICs 1Gbps NICs
Memory 4GB RAM or higher 10 GB RAM or Higher
Disk space 40GB 60GB

Firewall Ports Details

You have to refer the VMware KB  article to under stand the port requirements for Connection Server instances and security servers.

Important Points to be checked before installation

  • Generate a Pairing Password from Connection Server  for establishing connection with the security server .
  • Security server software shouldn’t be install with any other Horizon 7 software component, including replica server, Connection Server, View Composer, Horizon Agent, or Horizon Client.
  • Terminal Services role should not be enabled / installed on the Security Server
  • Static IP address for Security server
  • Fully Updated Windows Operation System
  • Fully qualified domain name (FQDN) reachable from a clients
  • Windows Firewall with Advanced Security is set to on in the active profiles.
  • TLS certificate with Friendly name ” vdm” should be installed on Server or replace self signed one. 
  • Certain ports must be opened on the firewall for Connection Server instances and security servers , Reference
  • If Security server on DMZ network allow required communication from connection server ,refer firewall port details

Pairing Password

Login to  View Administrator and Navigate to View Configuration -> Servers  -> Connection Servers

Select the  Connection Server to which the Security Server will be paired and click More Commands, and click Specify Security Server Pairing Password option

  • Enter a pairing  password ,  password timeout value  and click OK.

Security Server Installation

  • Download the  View Connection Server installer file from the VMware download which includes View Connection Server component .

  • Login to the Server you are planning to configure as security server and run the VMware-viewconnectionserver-x86_64-7.5.o.XXX.exe

  • From the Horizon 7 Connection Server Installation Wizard Click Next to Continue

  • Accept the end-user license agreement (EULA) and Click Next

  • Choose the destination folder for the binaries or continue with defaults by  Clicking next

  • Select the  Horizon 7 Security Server option from Installation Options page  and desired IP protocol version you  want to use in the installation of the Security Server.

  • Enter the FQDN of Horizon Connection Server that will be paired with Security Server from Paired Horizon 7 Connection Server page  and  Click Next.

Hostname   – Fully Qualified Domain Name of Connectyion Server

IP Address  – IP address of the Connection server which is resolving by FQDN

  • You have to enter the pairing password you have created from the Horizon view Administrator window and click Next.

Note :- You may see warnings like below if Windows Firewall was not enabled for the active profile  , IPsec is not going to be configured for communication between the Security Server and the Connection Server . You have to Click OK Continue

  • After the successful  pairing between the Security Server and Connection Server you can see the External URLs  for External, PCoIP, and Blast External connectivity.You may edit the URLs as appropriate which is externally accessible , also modification on this can be done later  Click Next.
External URL  –  It is the external URL of the security server for client endpoints that use the RDP or PCoIP display protocols. The URL will contain the protocol, client-resolvable security server name, and port number. Tunnel clients that run outside of your network use this URL to connect to the security server.

For example: https://view.example.com:443

PCoIP External URL –  It is the external URL of the security server for client endpoints that use the PCoIP display protocol. In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.

For example, in an IPv4 environment: ,  Clients must be able to use the URL to reach the security server.

Blast External URL –  It is the external URL of the security server for users who use HTML Access to connect to remote desktops. The URL must contain the HTTPS protocol, client-resolvable host name, and port number.By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.

For example: https://myserver.example.com:8443

  • Next is Firewall configuration and as a recommended  approach allow the installation to configure the Windows Firewall automatically for incoming TCP ports connectivity by Click Next to continue
Option Action
Configure Windows Firewall automatically Let the installer configure Windows Firewall to allow the required network connections.
Do not configure Windows Firewall Configure the Windows firewall rules manually.Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.
  • Click the Install option to begin the Horizon View Security Server installation
  • Once installation completed  click the Finish button , you may select either to display or not display release notes.
Access the Horizon View Client 
Open a Web browser and use the FQDN or IP address of your Security server and you will get horizon view page
Publishing to External Network 
Next you have to NAT on  your firewall   Public IP to Security Server IP with required ports and refer the VMware KB  for Firewall Ports Details  . After completing the step you can access the Horizon Client using Published URL . Note that you have configure published IP and URL on the public DNS , else you will not able to reach to URL .
Enable PCoIP Secure Gateway
  • From View Administrator navigate to Configuration -> Servers -> Connection Server
  • Select the Connection Server that is paired with the Security Server, and click Edit.
  • From General tab select the check the box  ” Use PCoIP Secure Gateway for PCoIP connections to machine ” , if it is enabled no need to do any changes .

And you can see  HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled don’t change that  and  if it is not enabled you have to enable that .

Note: you will not able  to configure this directly on the Horizon Security Server .

Modify Edit Security/Connection External URL

Once all the ports are opened and completed NAT you can configure the external settings on both Security and Connection Servers.

  • From View Administrator navigate to Configuration -> Servers -> Security Server and click on Security server name  select Edit option
  • Modify the fields to your external DNS name and external IP address with  ports and  Click Ok .

Note :- You have use the same external IP and URLs on Connection Server also , Follwo the same steps on the Enable PCoIP Secure Gateway  and add the details.

And finally you have to Configure an SSL server certificate for the security server refer Configuring SSL Certificates for View Servers  perform this .

Now you can access the Horizon view Desktop From External Network

Additional Information 

Below are the security server services are installed on the Windows Server

  • VMware Horizon View Security Server
  • VMware Horizon View Framework Component
  • VMware Horizon View Security Gateway Component
  • VMware Horizon View PCoIP Secure Gateway
  • VMware Blast Secure Gateway

For information about these services, see the Horizon View documentation

The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.

Below are some information from VMware website  which will help to understand what actions hs to taken while reinstallation of security server  or any error occurred while deployment .

Installation is cancelled or aborted

You might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, Refer Remove IPsec Rules for the Security Server.

You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your Deployment.

Reinstallation security server

If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.

Refer  Horizon 7 Deployment Guide for More Details

Suggested Posts

What’s New with VMware Horizon View 7.5

Horizon View Connection Server

Horizon View Composer Server