VMware Horizon View Security Server is another component of Horizon View that provides an additional layer of security between the Internet and the internal network where you have deployed the Horizon View infrastructure. In this post I will share information about Horizon View Security Server, its installation, and its integration with Connection Server.
Security Server is one of the important components of Horizon View when it is published to an external network. The main role of the Security Server is to secure the VMware Horizon environment by minimizing the attack surface of the View Connection Server on the internal network and the ports opened to the outside world.
As a best practice, the Security Server should be placed on a demilitarized zone (DMZ) network, and from the DMZ the Security Server will allow connections to the internal Horizon View Connection Server.
Supported Operating System
Operating System | Version | Edition |
Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
Windows Server 2016 | 64-bit | Standard, Datacenter |
Note: If you prefer a Linux appliance, you may use VMware Unified Access Gateway (UAG). You may also install one or more security servers connected to a View Connection Server instance (not covered in this post).
Minimum and Recommended Hardware Configuration
Hardware Component | Minimum Requirement | Recommended |
Processor | 1.4 GHz or faster processor with 2 CPUs | 2GHz or faster and 4 CPUs |
Networking | One or more 10/100Mbps NICs | 1Gbps NICs |
Memory | 4GB RAM or higher | 10 GB RAM or Higher |
Disk space | 40GB | 60GB |
Firewall Ports Details
Refer to the VMware KB article to understand the port requirements for Connection Server instances and security servers.
Important Points to be checked before installation
Log in to View Administrator and navigate to View Configuration -> Servers -> Connection Servers.
Select the Connection Server to which the Security Server will be paired, click More Commands, and click the Specify Security Server Pairing Password option.
Hostname – Fully Qualified Domain Name of the Connection Server
IP Address – IP address of the Connection Server that the FQDN resolves to
Note: You may see a warning if Windows Firewall is not enabled for the active profile: IPsec is not going to be configured for communication between the Security Server and the Connection Server. Click OK to continue.
For example: https://view.example.com:443
PCoIP External URL – It is the external URL of the security server for client endpoints that use the PCoIP display protocol. In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.
For example, in an IPv4 environment: 10.20.30.40:4172. Clients must be able to use the URL to reach the security server.
Blast External URL – It is the external URL of the security server for users who use HTML Access to connect to remote desktops. The URL must contain the HTTPS protocol, client-resolvable host name, and port number. By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.
For example: https://myserver.example.com:8443
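The format rules above for the PCoIP and Blast external URLs can be checked before the values are typed into the installer or View Administrator. The following is an added example, not part of the original post or of any VMware tooling; the function names are hypothetical, and the bracketed form for IPv6 literals is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

PCOIP_PORT = 4172  # port the page gives for the PCoIP external URL

def _ip_version(host):  # 4 or 6 for an IP literal, 0 otherwise
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return 0

def check_pcoip_external_url(value, ipv6=False):
    """Return a list of problems with a PCoIP External URL value."""
    value = value.strip()
    if "://" in value:
        return ["must not include a protocol name"]
    host, sep, port = value.rpartition(":")
    if not sep or not host:
        return ["expected <address>:%d" % PCOIP_PORT]
    problems = []
    if port != str(PCOIP_PORT):
        problems.append("port must be %d" % PCOIP_PORT)
    version = _ip_version(host.strip("[]"))  # assumption: IPv6 literals in brackets
    if not ipv6 and version != 4:
        problems.append("IPv4 environment: host must be an IPv4 address")
    elif ipv6 and not version and "." not in host:
        problems.append("IPv6 environment: host must be an IP address or FQDN")
    return problems

def check_blast_external_url(value):
    """Return a list of problems with a Blast External URL value."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:  # malformed host or non-numeric/out-of-range port
        return ["not a well-formed URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("must use the HTTPS protocol")
    host = parts.hostname or ""
    if _ip_version(host) or "." not in host:
        problems.append("host must be an FQDN that clients can resolve")
    if port is None:
        problems.append("port number must be given explicitly (default 8443)")
    return problems

if __name__ == "__main__":
    # Constructed sample values that break the rules (protocol present, port missing).
    print(check_pcoip_external_url("https://10.20.30.40:4172"),
          check_blast_external_url("https://myserver.example.com"))
```

An empty list means the value follows the rules stated above; it does not confirm that clients can actually reach the address.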
Option | Action |
Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections. |
Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall. |
You can see that HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled; do not change that, and if they are not enabled, you have to enable them.
Note: You will not be able to configure this directly on the Horizon Security Server.
Once all the ports are opened and NAT is completed, you can configure the external settings on both the Security and Connection Servers.
Note: You have to use the same external IP and URLs on the Connection Server also. Follow the same steps for the Enable PCoIP Secure Gateway option and add the details.
Finally, you have to configure an SSL server certificate for the security server; refer to Configuring SSL Certificates for View Servers to perform this.
Now you can access the Horizon View desktop from the external network.
Below are the security server services are installed on the Windows Server
For information about these services, see the Horizon View documentation
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
Below is some information from the VMware website that will help you understand what actions have to be taken when reinstalling the security server or when an error occurs during deployment.
Installation is cancelled or aborted
You might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, refer to Remove IPsec Rules for the Security Server.
You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your Deployment.
Reinstalling the security server
If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.
Refer to the Horizon 7 Deployment Guide for more details.