Securing a VMware Horizon View environment is one of the major requirements most organizations have when configuring it. The Horizon View Security Server is an integral part of securing VMware Horizon View for clients coming from the public internet. Let's take a look at installing VMware Horizon View Security Server.

There are many moving parts to a successful VMware Horizon View deployment. As we have discussed in previous posts, we have the Connection Server as well as the Composer Server. These provide core VMware Horizon View functionality as well as cloning capabilities. In addition to the core VMware Horizon View components, other Horizon View components offer additional functionality including security.

The VMware Horizon View Security Server is another component of the Horizon View infrastructure that provides an additional layer of security between the Internet and the internal Horizon View infrastructure. In this post, we will look at VMware Horizon View Security Server installation and the requirements to integrate the Horizon View Security Server within the Horizon topology.

What is VMware Horizon View Security Server?

As the name "Security Server" describes, this component of Horizon View has the sole purpose of securing the VMware Horizon environment especially when it is public facing. The Horizon View Security Server is actually a special kind of Horizon View Connection Server that runs a small subset of the Horizon View Connection Server functions.

As per best practices in VMware documentation, a Horizon View Security Server generally sits in the demilitarized zone (DMZ) network and acts as a proxy for Horizon View connections destined for the internal Horizon View Connection Server(s). This minimizes the attack surface on the internal Horizon View Connection Server(s) as well as the ports opened to the outside world.

VMware Horizon View Security Server network topology

As mentioned, the Horizon View Security Server sits in the DMZ network and proxies Horizon View traffic. Per best practices for a highly available system, you will want to configure multiple Horizon View Security Servers for redundancy and use a load balancer for incoming connections. Below is the recommended/typical Horizon View Security Server topology layout from a network standpoint using multiple Horizon View Security Servers behind a network load balancer.

Horizon View Security Server topology (courtesy of VMware)

Per the VMware View Ports and Network Connectivity documentation, Horizon View Security Servers or the exposed load balancer IP address will require the following ports to be open from the front-end firewall:

| Source | Destination | Port | Protocol |
|---|---|---|---|
| Any external IP | Security Server | 80 | HTTP |
| Any external IP | Security Server | 443 | HTTPS |
| Any external IP | Security Server | 4172 | PC-over-IP (PCoIP) (TCP and UDP) |

VMware Horizon View Security Server installation

If you look for the Horizon View Security Server installation from VMware downloads, you will not find it. This is because the Horizon View Security Server installation is part of the Horizon View Connection Server installation. Download and launch the Connection Server installation on the server you have configured for Horizon View Security Server.

Make sure:

  • You are not installing the Horizon View Security Server on the same server as the Connection or Composer Server
  • The server you are installing the Security Server on does not have the Terminal Services role installed
  • You have administrative privileges on the machine
  • You have a static IP address assigned

Supported operating systems:

| Operating System | Version | Edition |
|---|---|---|
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
| Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
| Windows Server 2016 | 64-bit | Standard, Datacenter |

Below, we see the installation kick off from the Horizon View Connection Server installer downloaded from VMware.

Horizon View Security Server is part of Connection Server

The Horizon View Connection Server installation wizard begins. As mentioned, the Horizon View Security Server is part of the Horizon View Connection Server.

Horizon Security Server installation begins

Next, we accept the end-user license agreement (EULA) presented before moving on in the installation.

Accept the EULA

After accepting the EULA, we next choose the destination folder for the binaries on our Horizon View Security Server. Here, we are accepting the defaults, which will be fine for most.

Choose the installation directory

On the Installation Options page, we are able to specify the Horizon 7 Security Server option as well as the IP protocol version we want to use in the installation of the Security Server.

Choose to install Horizon View Security Server

The Connection Server installation takes a moment to configure the installation for the Security Server install.

Horizon View Connection Server configuration begins

Next, we reach the Paired Horizon 7 Connection Server screen. Here is where we actually "pair" the Horizon View Security Server with an internal Horizon View Connection Server. Remember, we can pair more than one Security Server to a Connection Server.

Enter an existing Connection Server to pair with

Before we move on in the Security Server configuration, we need to create a Security Server Pairing Password. This is a special password only used in the pairing process during the installation of the Horizon View Security Server. In fact, by default, it expires after a specified amount of time. To set the pairing password, we go over to a Connection Server and launch View Administrator. Navigate to View Configuration > Servers > Connection Servers and click your Connection Server. After clicking the Connection Server, under More Commands click Specify Security Server Pairing Password.

Specify the Security Server Pairing Password in View Administrator

We enter the Pairing password and confirm it. Notice the Password timeout. The default value is 30 minutes. Also, note the warning concerning IPsec. If the Windows Firewall is not enabled, IPsec will not be configured for communication between the Horizon View Security Server and the Connection Server.

Make sure you configure the firewall to enable IPsec

Now we are able to jump back to our Horizon View Security Server installation where we can enter the pairing password configured in View Administrator.

Enter the Security Server pairing password in the installer

Below, you will see that the Windows Firewall was not enabled for the active profile. You will also see the warning that IPsec is not going to be configured for communication between the Security Server and the Connection Server.

IPsec warning due to the firewall not being enabled
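
To avoid the IPsec warning shown above, the firewall state can be checked on both the Security Server and the Connection Server before the pairing password is set. The following PowerShell is an added example, not part of the original article or VMware's tooling; it assumes an elevated session on Windows Server 2012 R2 or later, where the NetSecurity and NetConnection cmdlets are available.

```powershell
# Added example: confirm Windows Firewall is on for every active profile
# before pairing, so IPsec can be configured between the Security Server
# and the Connection Server. Run elevated on both servers.

# Get-NetConnectionProfile reports a network category; the firewall
# profile for the domain category is named 'Domain'.
$categoryToProfile = @{
    DomainAuthenticated = 'Domain'
    Private             = 'Private'
    Public              = 'Public'
}

# Each connected interface contributes one active profile.
$activeProfiles = @(Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] } |
    Sort-Object -Unique)

# ActiveStore returns the effective setting, including Group Policy.
$results = foreach ($name in $activeProfiles) {
    $fw = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore
    [pscustomobject]@{
        Profile = $name
        Enabled = ([string]$fw.Enabled -eq 'True')
    }
}
$results | Format-Table -AutoSize

# The firewall service itself must also be running.
$serviceRunning = (Get-Service -Name MpsSvc).Status -eq 'Running'
$disabled = @($results | Where-Object { -not $_.Enabled })

if (-not $serviceRunning) {
    Write-Warning 'Windows Firewall service (MpsSvc) is not running.'
}
foreach ($p in $disabled) {
    Write-Warning "Windows Firewall is disabled for the active '$($p.Profile)' profile."
}
if ($serviceRunning -and $disabled.Count -eq 0 -and $results) {
    Write-Output 'Windows Firewall is enabled for all active profiles.'
}
```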

After pairing communication between the Security Server and Connection Server, we will see the External URLs configuration screen. Here we can define the URLs for the Security Server: External, PCoIP, and Blast External connectivity.

Specify or customize the Horizon Security Server URLs

Next, we can allow the installation to configure the Windows Firewall automatically for incoming TCP port connectivity, which is the recommended approach.

Configure the firewall automatically during installation

The Horizon View Security Server installation is ready to begin. Click the Install button to begin it.

Horizon View Security Server installation is ready to begin

After the installation finishes, click the Finish button, selecting either to display or not display release notes.

Horizon View Security Server installation completes

We can test connectivity through the security server by browsing out to the external URL of the security server. We should see the VMware Horizon splash screen.

The Horizon View Security Server should be accessible via the URLs

Horizon View Security Server SSL configuration

The setup installs the Horizon View Security Server with a self-signed certificate. If you want to replace this certificate with a proper certificate from a certificate authority, the first step is simply to import the new certificate into the Windows certificate store.

Install an SSL certificate for Horizon View Security Server

By default, the friendly name on the self-signed certificate is vdm. Remove the friendly name from the default certificate and apply it to the new proper certificate.

Remove the friendly name from the self-signed certificate and apply it to a new certificate

The final step is to restart the VMware Horizon 7 Security Server service.

Restart the Horizon View Security Server service

To test the new certificate, make sure you close out the browser session from before. Reopen your browser and navigate to the external URL of your Horizon View Security Server.

Verify after installing the certificate there are no certificate warnings
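
The friendly-name swap and service restart described above can also be scripted. This PowerShell is an added example, not from the original article or VMware; it assumes the new certificate was imported into the Local Computer Personal store (`Cert:\LocalMachine\My`), uses a placeholder thumbprint, and matches the service by the display name the article gives.

```powershell
# Added example: move the 'vdm' friendly name from the self-signed
# certificate to the CA-issued one, then restart the Security Server.
# Run elevated on the Security Server after importing the new certificate.

$newThumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'   # placeholder, replace
$store = 'Cert:\LocalMachine\My'                     # assumed import location

$newCert = Get-ChildItem -Path $store |
    Where-Object Thumbprint -eq $newThumbprint
if (-not $newCert) {
    throw "No certificate with thumbprint $newThumbprint in $store."
}

# Catch the common failure modes before touching the working certificate.
if (-not $newCert.HasPrivateKey) {
    throw 'The new certificate has no private key in this store.'
}
$now = Get-Date
if ($now -lt $newCert.NotBefore -or $now -gt $newCert.NotAfter) {
    throw 'The new certificate is outside its validity period.'
}

# Remove the friendly name from every other certificate that carries it.
Get-ChildItem -Path $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and
                   $_.Thumbprint -ne $newThumbprint } |
    ForEach-Object {
        Write-Output "Clearing friendly name on $($_.Thumbprint) ($($_.Subject))"
        $_.FriendlyName = ''
    }

# Apply the friendly name to the new certificate.
$newCert.FriendlyName = 'vdm'

# Exactly one certificate should now be named 'vdm'.
$tagged = @(Get-ChildItem -Path $store | Where-Object FriendlyName -eq 'vdm')
if ($tagged.Count -ne 1) {
    throw "Expected one 'vdm' certificate, found $($tagged.Count)."
}

# Display name as given in the article; the wildcard is an assumption.
Get-Service -DisplayName 'VMware Horizon 7 Security Server*' | Restart-Service
```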

Thoughts

The Horizon View Security Server plays an important role in the VMware Horizon View infrastructure. It bolsters security of the Horizon View infrastructure by proxying connections for clients coming from the public internet.

The requirements for installation are the same as the Horizon View Connection Server since the Security Server component is a subcomponent of the Connection Server. Pay attention to the network design and firewall port requirements. The installation itself is fairly straightforward. Most will want to provision a certificate from a certificate authority so clients are able to connect without error via SSL.

© 4sysops 2006 - 2021