VMware Horizon View Security Server is another component of Horizon View that provides an additional layer of security between the Internet and the internal network where the Horizon View infrastructure is deployed. In this post I will be sharing information about the Horizon View Security Server, its installation, and its integration with the Connection Server.
Why Security Server?
Security Server is one of the important components of Horizon View when it is published to an external network. The main role of the security server is to secure the VMware Horizon environment by minimizing the attack surface on the internal network (the View Connection Server) and the number of ports opened to the outside world.
As a best practice the Security Server should be placed in a demilitarized zone (DMZ) network, and from the DMZ the security server forwards connections to the internal Horizon View Connection Server.
Supported Operating Systems

| Operating System | Architecture | Editions |
|---|---|---|
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
| Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
| Windows Server 2016 | 64-bit | Standard, Datacenter |

Note: If you prefer a Linux appliance, you may use VMware Unified Access Gateway (UAG). You may also install one or more security servers connected to a single View Connection Server instance (not covered in this post).
Minimum and Recommended Hardware Configuration

| Hardware Component | Minimum Requirement | Recommended |
|---|---|---|
| Processor | 1.4 GHz or faster processor with 2 CPUs | 2 GHz or faster and 4 CPUs |
| Networking | One or more 10/100 Mbps NICs | 1 Gbps NICs |
| Memory | 4 GB RAM or higher | 10 GB RAM or higher |
Firewall Port Details
Refer to the VMware KB article to understand the port requirements for Connection Server instances and security servers.
Important Points to Check Before Installation
- Generate a pairing password from the Connection Server for establishing the connection with the security server.
- The security server software must not be installed with any other Horizon 7 software component, including a replica server, Connection Server, View Composer, Horizon Agent, or Horizon Client.
- The Terminal Services role should not be enabled or installed on the Security Server.
- Use a static IP address for the Security Server.
- Fully update the Windows operating system.
- The fully qualified domain name (FQDN) must be reachable from clients.
- Windows Firewall with Advanced Security must be turned on in the active profiles.
- A TLS certificate with the friendly name "vdm" should be installed on the server to replace the self-signed one.
- Certain ports must be opened on the firewall for Connection Server instances and security servers (Reference).
- If the Security Server is on a DMZ network, allow the required communication from the Connection Server; refer to the firewall port details.
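The checklist above can be scripted so it is run the same way on every candidate host. The following PowerShell readiness check is an added example written for this post; it is not VMware's code and not part of the Horizon installer. It assumes an elevated prompt on the Windows Server that will become the security server, and the external name `view.example.com` is an assumed placeholder to replace with your own.

```powershell
# Added example, not from the original post: readiness check for a Windows Server
# that is about to become a Horizon View Security Server. Run from an elevated
# PowerShell prompt on the candidate host. The external FQDN is an assumed
# placeholder; the friendly name "vdm" is the one the post requires.
param(
    [string]$ExternalFqdn     = 'view.example.com',   # assumption: replace with your external name
    [string]$CertFriendlyName = 'vdm'
)

Import-Module ServerManager -ErrorAction Stop

function Add-Result {
    param([string]$Check, [bool]$Pass, [string]$Detail = '')
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

$results = @()

# 1. The Remote Desktop Session Host (Terminal Services) role must be absent.
$rds = Get-WindowsFeature -Name RDS-RD-Server
$results += Add-Result 'Remote Desktop Session Host not installed' (-not $rds.Installed)

# 2. No other Horizon component may share the host (Connection Server, Composer, Agent, Client).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$horizonProducts = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'VMware Horizon*' -or $_.DisplayName -like 'VMware View*' } |
    Select-Object -ExpandProperty DisplayName
$results += Add-Result 'No other Horizon components present' ($horizonProducts.Count -eq 0) ($horizonProducts -join '; ')

# 3. At least one non-loopback, non-APIPA IPv4 address must be statically assigned.
$staticIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Manual' -and
                   $_.IPAddress -notlike '127.*' -and
                   $_.IPAddress -notlike '169.254.*' }
$results += Add-Result 'Static IPv4 address configured' ($staticIPs.Count -gt 0) (($staticIPs.IPAddress) -join ', ')

# 4. Windows Firewall must be on in every *active* profile; the installer relies on it
#    to build the IPsec rules toward the paired Connection Server.
$categoryToProfile = @{ Public = 'Public'; Private = 'Private'; DomainAuthenticated = 'Domain' }
$activeProfiles = Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile["$($_.NetworkCategory)"] } | Select-Object -Unique
$disabled = foreach ($p in $activeProfiles) {
    if ("$((Get-NetFirewallProfile -Name $p).Enabled)" -ne 'True') { $p }
}
$results += Add-Result 'Windows Firewall enabled in active profiles' (-not $disabled) ("active: $($activeProfiles -join ', ')")

# 5. A TLS certificate with friendly name "vdm" and a private key must be in the
#    machine store; report it if it is still self-signed (subject equals issuer).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $CertFriendlyName } | Select-Object -First 1
$certPresent = ($null -ne $cert) -and $cert.HasPrivateKey
$certDetail  = if ($cert) {
    "$($cert.Subject), expires $($cert.NotAfter.ToShortDateString())" +
    $(if ($cert.Subject -eq $cert.Issuer) { ' (self-signed)' } else { '' })
} else { 'not found' }
$results += Add-Result "Certificate '$CertFriendlyName' with private key" $certPresent $certDetail

# 6. The external FQDN must resolve (checked from this host; verify from an Internet client too).
try   { $addrs = (Resolve-DnsName -Name $ExternalFqdn -ErrorAction Stop | Where-Object IPAddress).IPAddress; $dnsOk = $true }
catch { $addrs = @(); $dnsOk = $false }
$results += Add-Result "FQDN $ExternalFqdn resolves" $dnsOk ($addrs -join ', ')

# 7. A pending reboot usually means Windows updates have not fully applied yet.
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$results += Add-Result 'No reboot pending from Windows Update' (-not $rebootPending)

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

The script exits non-zero when any check fails, so it can gate an automated build of the DMZ host. The firewall check deliberately maps the active network categories to firewall profiles rather than testing all three profiles, because the installer's IPsec warning is triggered only by the profile that is actually active.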
- Log in to View Administrator and navigate to View Configuration -> Servers -> Connection Servers.
- Select the Connection Server to which the Security Server will be paired, click More Commands, and click the Specify Security Server Pairing Password option.
- Enter a pairing password and a password timeout value, then click OK.
Security Server Installation
- Download the View Connection Server installer from the VMware download site; the Security Server is a component of the View Connection Server installer.
- Log in to the server you are planning to configure as the security server and run VMware-viewconnectionserver-x86_64-7.5.0.XXX.exe.
- From the Horizon 7 Connection Server Installation Wizard, click Next to continue.
- Accept the end-user license agreement (EULA) and click Next.
- Choose the destination folder for the binaries, or keep the default, and click Next.
- On the Installation Options page select the Horizon 7 Security Server option and the IP protocol version you want to use for the Security Server installation.
- On the Paired Horizon 7 Connection Server page enter the FQDN of the Horizon Connection Server that will be paired with the Security Server and click Next.
Hostname: fully qualified domain name of the Connection Server
IP Address: IP address of the Connection Server that the FQDN resolves to
- Enter the pairing password you created in the Horizon View Administrator window and click Next.
Note: You may see warnings like the one below if Windows Firewall was not enabled for the active profile; in that case IPsec will not be configured for communication between the Security Server and the Connection Server. Click OK to continue.
- After successful pairing between the Security Server and the Connection Server you will see the External URLs page for the External (secure tunnel), PCoIP, and Blast external connections. Edit the URLs as appropriate so that they are externally accessible; they can also be modified later. Click Next.
For example: https://view.example.com:443
PCoIP External URL: the external URL of the security server for client endpoints that use the PCoIP display protocol. In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.
For example, in an IPv4 environment: 10.20.30.40:4172. Clients must be able to use the URL to reach the security server.
Blast External URL: the external URL of the security server for users who use HTML Access to connect to remote desktops. The URL must contain the HTTPS protocol, a client-resolvable host name, and a port number. By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.
For example: https://myserver.example.com:8443
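Because the three URLs follow different rules (the secure tunnel and Blast URLs need an `https://` prefix, the PCoIP URL must not have one, and the port conventions differ), mistyping one is a common cause of external connections failing after an otherwise clean install. The following validator is an added example written for this post, not VMware code; the sample values it checks are constructed, and the hostname rule it applies is RFC 1123, which is an assumption about what "client-resolvable" means in practice.

```powershell
# Added example, not from the original post: validates the three external URL
# formats the installer asks for, before they are typed into the wizard or into
# the View Administrator "Edit Security Server" dialog. Sample values are constructed.

function Test-HostName {
    param([string]$Name)
    # RFC 1123 host label rules (assumption); a client must still be able to resolve it.
    return $Name -match '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

function Test-SecureTunnelExternalUrl {
    param([string]$Url)
    # Form: https://<client-resolvable host>:<port>, e.g. https://view.example.com:443
    if ($Url -notmatch '^https://([^/:]+):(\d{1,5})$') { return $false }
    $port = [int]$Matches[2]
    return (Test-HostName $Matches[1]) -and ($port -ge 1) -and ($port -le 65535)
}

function Test-PcoipExternalUrl {
    param([string]$Url, [switch]$IPv6)
    # No protocol name. IPv4 deployments use <address>:4172; IPv6 deployments may use
    # [<address>]:4172 or <fqdn>:4172. The port must be 4172.
    if ($Url -match '^[A-Za-z]+://') { return $false }
    if ($Url -notmatch '^(\[[0-9A-Fa-f:]+\]|[^:\[\]]+):4172$') { return $false }
    $hostPart = $Matches[1]
    $ip = $null
    if ($hostPart -match '^\[(.+)\]$') {
        # Bracketed literal: only valid in an IPv6 environment and only if it parses as IPv6.
        return $IPv6 -and [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and ($ip.AddressFamily -eq 'InterNetworkV6')
    }
    if ($hostPart -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # Dotted-quad literal: only valid in an IPv4 environment and only if it parses.
        return (-not $IPv6) -and [System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)
    }
    # A bare host name is allowed only in an IPv6 environment.
    return $IPv6 -and (Test-HostName $hostPart)
}

function Test-BlastExternalUrl {
    param([string]$Url)
    # Form: https://<FQDN>:<port>; the default port is 8443 and HTTPS is mandatory.
    if ($Url -notmatch '^https://([^/:]+):(\d{1,5})$') { return $false }
    $port = [int]$Matches[2]
    if ($port -lt 1 -or $port -gt 65535) { return $false }
    if ($port -ne 8443) { Write-Warning "Blast external URL uses non-default port $port; make sure the firewall rule matches." }
    return Test-HostName $Matches[1]
}

# Constructed samples: in each pair the first value is correct and the second is a common mistake.
$samples = @(
    @{ Kind = 'Secure tunnel'; Url = 'https://view.example.com:443';     Test = { Test-SecureTunnelExternalUrl $args[0] } },
    @{ Kind = 'Secure tunnel'; Url = 'http://view.example.com';          Test = { Test-SecureTunnelExternalUrl $args[0] } },
    @{ Kind = 'PCoIP (IPv4)';  Url = '10.20.30.40:4172';                 Test = { Test-PcoipExternalUrl $args[0] } },
    @{ Kind = 'PCoIP (IPv4)';  Url = 'https://10.20.30.40:4172';         Test = { Test-PcoipExternalUrl $args[0] } },
    @{ Kind = 'PCoIP (IPv6)';  Url = 'view.example.com:4172';            Test = { Test-PcoipExternalUrl $args[0] -IPv6 } },
    @{ Kind = 'Blast';         Url = 'https://myserver.example.com:8443'; Test = { Test-BlastExternalUrl $args[0] } },
    @{ Kind = 'Blast';         Url = 'myserver.example.com:8443';        Test = { Test-BlastExternalUrl $args[0] } }
)
foreach ($s in $samples) {
    $ok = & $s.Test $s.Url
    '{0,-14} {1,-40} {2}' -f $s.Kind, $s.Url, $(if ($ok) { 'OK' } else { 'REJECTED' })
}
```

Run it before the wizard, or paste the values you intend to put into the Edit Security Server dialog into `$samples`; a rejected value is cheaper to fix here than after clients have started failing to connect.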
- Next is the Firewall Configuration page. As the recommended approach, let the installer configure Windows Firewall automatically for the incoming TCP port connectivity, then click Next to continue.

| Option | Description |
|---|---|
| Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections. |
| Do not configure Windows Firewall | Configure the Windows Firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall. |
- Click Install to begin the Horizon View Security Server installation.
- Once the installation is complete, click Finish; you may choose whether or not to display the release notes.
- From View Administrator navigate to Configuration -> Servers -> Connection Server.
- Select the Connection Server that is paired with the Security Server and click Edit.
- On the General tab select the check box "Use PCoIP Secure Gateway for PCoIP connections to machine"; if it is already enabled, no change is needed.
Also confirm that HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Leave them as they are if so; if they are not enabled, enable them.
Note: These settings cannot be configured directly on the Horizon Security Server.
Modify the Security/Connection Server External URLs
Once all the ports are opened and NAT is in place, you can configure the external settings on both the Security and Connection Servers.
- From View Administrator navigate to Configuration -> Servers -> Security Server, click the security server name and select Edit.
- Modify the fields to your external DNS name and external IP address with ports, and click OK.
Note: You have to use the same external IP and URLs on the Connection Server as well; follow the same steps as for enabling the PCoIP Secure Gateway and add the details there.
Finally, you have to configure an SSL server certificate for the security server; refer to Configuring SSL Certificates for View Servers to perform this.
Now you can access the Horizon View desktop from the external network.
Below are the security server services that are installed on the Windows Server:
- VMware Horizon View Security Server
- VMware Horizon View Framework Component
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway
For information about these services, see the Horizon View documentation
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
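A quick way to confirm that the install left the server in the state described above is to check the five services, the Blast-In firewall rule and the listening ports together. The script below is an added example written for this post, not VMware's tooling; it uses the service display names and the firewall rule name listed above, and assumes the default ports (443 for the secure tunnel, 4172 for PCoIP, 8443 for Blast). Run it in an elevated PowerShell prompt on the security server.

```powershell
# Added example, not from the original post: post-installation health check run on
# the Security Server itself. Service display names and the firewall rule name are
# the ones the post lists; the ports are the defaults the post describes (assumption
# that they were not changed during installation).

$expectedServices = @(
    'VMware Horizon View Security Server',
    'VMware Horizon View Framework Component',
    'VMware Horizon View Security Gateway Component',
    'VMware Horizon View PCoIP Secure Gateway',
    'VMware Blast Secure Gateway'
)

# Each service must exist and be running.
$report = foreach ($name in $expectedServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Item   = "Service: $name"
        Status = if (-not $svc) { 'MISSING' } else { "$($svc.Status)" }
        Pass   = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

# The Blast-In rule is what lets browsers reach HTML Access on TCP 8443.
$blastRule = Get-NetFirewallRule -DisplayName 'VMware Horizon View Connection Server (Blast-In)' -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Item   = 'Firewall rule: VMware Horizon View Connection Server (Blast-In)'
    Status = if (-not $blastRule) { 'MISSING' } else { "Enabled=$($blastRule.Enabled) Action=$($blastRule.Action)" }
    Pass   = [bool]($blastRule -and "$($blastRule.Enabled)" -eq 'True' -and "$($blastRule.Action)" -eq 'Allow')
}

# The gateways must actually be listening; report which process owns each port so an
# unexpected listener (for example a leftover web server on 443) is visible.
$tcpPorts = @{ 443 = 'Secure tunnel (HTTPS)'; 4172 = 'PCoIP Secure Gateway (TCP)'; 8443 = 'Blast Secure Gateway' }
foreach ($port in $tcpPorts.Keys) {
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $owners = if ($listen) {
        ($listen.OwningProcess | Select-Object -Unique | ForEach-Object { (Get-Process -Id $_).ProcessName }) -join ', '
    } else { 'not listening' }
    $report += [pscustomobject]@{
        Item   = "TCP $port listening: $($tcpPorts[$port])"
        Status = $owners
        Pass   = [bool]$listen
    }
}

# PCoIP also uses UDP 4172.
$udp = Get-NetUDPEndpoint -LocalPort 4172 -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Item   = 'UDP 4172 bound: PCoIP Secure Gateway (UDP)'
    Status = if ($udp) { 'bound' } else { 'not bound' }
    Pass   = [bool]$udp
}

$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

The owning-process column is the useful part for troubleshooting: if a port is listening but the owner is not a Horizon process, the gateway has lost the port to something else and external clients will fail even though the services show as running.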
Below is some information from the VMware website that will help you understand what actions have to be taken when reinstalling the security server or when an error occurs during deployment.
Installation is cancelled or aborted
You might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules before reinstalling or upgrading the security server. For instructions on removing IPsec rules, refer to Remove IPsec Rules for the Security Server.
You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your Deployment.
Reinstalling the security server
If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.
Refer to the Horizon 7 Deployment Guide for more details.