There are many moving parts to a successful VMware Horizon View deployment. As we have discussed in previous posts, we have the Connection Server as well as the Composer Server. These provide core VMware Horizon View functionality as well as cloning capabilities. In addition to the core VMware Horizon View components, other Horizon View components offer additional functionality including security.
The VMware Horizon View Security Server is another component of the Horizon View infrastructure that provides an additional layer of security between the Internet and the internal Horizon View infrastructure. In this post, we will look at VMware Horizon View Security Server installation and the requirements to integrate the Horizon View Security Server within the Horizon topology.
What is VMware Horizon View Security Server?
As the name "Security Server" describes, this component of Horizon View has the sole purpose of securing the VMware Horizon environment, especially when it is public facing. The Horizon View Security Server is actually a special kind of Horizon View Connection Server that runs a small subset of the Horizon View Connection Server functions.
As per best practices in VMware documentation, a Horizon View Security Server generally sits in the demilitarized zone (DMZ) network and acts as a proxy for Horizon View connections destined for the internal Horizon View Connection Server(s). This minimizes the attack surface on the internal Horizon View Connection Server(s) as well as the ports opened to the outside world.
VMware Horizon View Security Server Network topology
As mentioned, the Horizon View Security Server sits in the DMZ network and proxies Horizon View traffic. Per best practices for a highly available system, you will want to configure multiple Horizon View Security Servers for redundancy and use a load balancer for incoming connections. Below is the recommended/typical Horizon View Security Server topology layout from a network standpoint using multiple Horizon View Security Servers behind a network load balancer.
Per the VMware View Ports and Network Connectivity documentation, Horizon View Security Servers or the exposed load balancer IP address will require the following ports to be open from the front-end firewall:
| Source | Destination | Port | Protocol |
| --- | --- | --- | --- |
| Any external IP | Security Server | 80 | HTTP |
| Any external IP | Security Server | 443 | HTTPS |
| Any external IP | Security Server | 4172 | PC-over-IP (PCoIP) (TCP and UDP) |
VMware Horizon View Security Server installation
If you look for the Horizon View Security Server installation from VMware downloads, you will not find it. This is because the Horizon View Security Server installation is part of the Horizon View Connection Server installation. Download and launch the Connection Server installation on the server you have configured for Horizon View Security Server.
Make sure:
- You are not installing the Horizon View Security Server on the same server as the Connection or Composer Server
- The server you are installing the Security Server on does not have the Terminal Services role installed
- You have administrative privileges on the machine
- You have a static IP address assigned
Supported operating systems:
| Operating System | Version | Edition |
| --- | --- | --- |
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
| Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
| Windows Server 2016 | 64-bit | Standard, Datacenter |
Below, we launch the Horizon View Connection Server installer downloaded from VMware.
The Horizon View Connection Server installation wizard begins. As mentioned, the Horizon View Security Server is part of the Horizon View Connection Server.
Next, we accept the end-user license agreement (EULA) presented before moving on in the installation.
After accepting the EULA, we next choose the destination folder for the binaries on our Horizon View Security Server. Here, we are accepting the defaults, which will be fine for most.
On the Installation Options page, we are able to specify the Horizon 7 Security Server option as well as the IP protocol version we want to use in the installation of the Security Server.
The Connection Server installation takes a moment to configure the installation for the Security Server install.
Next, we reach the Paired Horizon 7 Connection Server screen. Here is where we actually "pair" the Horizon View Security Server with an internal Horizon View Connection Server. Remember, we can pair more than one Security Server to a Connection Server.
Before we move on in the Security Server configuration, we need to create a Security Server Pairing Password. This is a special password only used in the pairing process during the installation of the Horizon View Security Server. In fact, by default, it expires after a specified amount of time. To set the pairing password, we go over to a Connection Server and launch View Administrator. Navigate to View Configuration > Servers > Connection Servers and click your Connection Server. After clicking the Connection Server, under More Commands click Specify Security Server Pairing Password.
We enter the Pairing password and confirm it. Notice the Password timeout. The default value is 30 minutes. Also, note the warning concerning IPsec. If the Windows Firewall is not enabled, IPsec will not be configured for communication between the Horizon View Security Server and the Connection Server.
Now we are able to jump back to our Horizon View Security Server installation where we can enter the pairing password configured in View Administrator.
Below, you will see that the Windows Firewall was not enabled for the active profile, along with the warning that IPsec is not going to be configured for communication between the Security Server and the Connection Server.
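To catch this before launching the installer, the following added example (not part of the original article or of VMware's tooling) checks three items from the "Make sure" list plus the Windows Firewall state that triggers the IPsec warning. It assumes Windows Server 2012 R2 or later, where the NetTCPIP, NetSecurity and ServerManager cmdlets are available; the function name is hypothetical, and it does not detect an existing Connection or Composer Server install.

```powershell
# Added example: pre-install checks for a Horizon View Security Server host.
# Assumption: Windows Server 2012 R2 or later. Function name is hypothetical.
function Test-SecurityServerPrereqs {
    $results = [ordered]@{}

    # "You have administrative privileges on the machine"
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $results['Administrator'] = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # "You have a static IP address assigned": no connected IPv4 interface uses DHCP
    $dhcp = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        Where-Object { $_.Dhcp -eq 'Enabled' }
    $results['StaticIP'] = -not $dhcp

    # "does not have the Terminal Services role installed" (RD Session Host)
    $results['NoTerminalServices'] =
        -not (Get-WindowsFeature -Name RDS-RD-Server).Installed

    # Windows Firewall must be enabled on every active network profile,
    # otherwise the installer skips IPsec between Security and Connection Server.
    $active = @(Get-NetConnectionProfile | ForEach-Object {
        if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
        else { [string]$_.NetworkCategory }
    } | Select-Object -Unique)
    if ($active.Count -eq 0) { $active = 'Domain', 'Private', 'Public' }
    $off = Get-NetFirewallProfile -Name $active |
        Where-Object { $_.Enabled -ne 'True' }
    $results['FirewallOnActiveProfile'] = -not $off

    [pscustomobject]$results
}

# Print the results and stop if any check failed.
$check = Test-SecurityServerPrereqs
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    throw 'One or more prerequisites are not met; fix them before pairing.'
}
```

Run it in an elevated PowerShell session on the Security Server itself, before setting the pairing password, since that password expires after the configured timeout.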
After pairing communication between the Security Server and Connection Server, we will see the External URLs configuration screen. Here we can define the URLs for the Security Server for External, PCoIP, and Blast External connectivity.
Next, we can allow the installation to configure the Windows Firewall automatically for incoming TCP ports connectivity, the recommended approach.
The Horizon View Security Server installation is ready to begin. Click the Install button to begin it.
After the installation finishes, click the Finish button, selecting either to display or not display release notes.
We can test connectivity through the security server by browsing out to the external URL of the security server. We should see the VMware Horizon splash screen.
Horizon View Security Server SSL configuration
The setup installs the Horizon View Security Server with a self-signed certificate. If you want to replace this certificate with a proper certificate from a certificate authority, the first step is simply to import the new certificate into the Windows certificate store.
By default, the friendly name on the self-signed certificate is vdm. Remove the friendly name from the default certificate and apply it to the new proper certificate.
The final step is to restart the VMware Horizon 7 Security Server service.
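The same steps scripted, as an added example that is not from the original article: it assumes the new certificate was imported into the local computer's Personal store and that PowerShell 4.0 or later is available. `$NewThumbprint` is a value you supply, and the service display name is taken from the article's wording, so confirm it with `Get-Service` on your server.

```powershell
#Requires -RunAsAdministrator
# Added example: move the 'vdm' friendly name to the CA-issued certificate.
# Assumptions: certificate is in Cert:\LocalMachine\My; the service display
# name below comes from the article text and may differ on your build.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [string] $ServiceDisplayName = 'VMware Horizon 7 Security Server'
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\My'

# Locate the new certificate (spaces from a copied thumbprint are stripped).
$thumb = $NewThumbprint -replace '\s'
$new = Get-ChildItem $store | Where-Object Thumbprint -eq $thumb
if (-not $new) { throw "Certificate $thumb not found in $store" }

# Refuse a certificate the service could not present to clients.
if (-not $new.HasPrivateKey) { throw 'New certificate has no private key.' }
$now = Get-Date
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "New certificate is outside its validity period ($($new.NotBefore) to $($new.NotAfter))."
}

# Clear 'vdm' from every other certificate so exactly one carries the name.
$others = Get-ChildItem $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $thumb }
foreach ($old in $others) {
    Write-Host "Clearing friendly name on $($old.Thumbprint) ($($old.Subject))"
    $old.FriendlyName = ''
}
$new.FriendlyName = 'vdm'

# Re-read the store to confirm the change persisted before restarting.
$named = @(Get-ChildItem $store | Where-Object FriendlyName -eq 'vdm')
if ($named.Count -ne 1 -or $named[0].Thumbprint -ne $thumb) {
    throw "Expected exactly one 'vdm' certificate; found $($named.Count)."
}

Restart-Service -DisplayName $ServiceDisplayName
Write-Host "Service restarted; 'vdm' is now $thumb, expires $($new.NotAfter)."
```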
To test the new certificate, make sure you close out the browser session from before. Reopen your browser and navigate to the external URL of your Horizon View Security Server.
Thoughts
The Horizon View Security Server plays an important role in the VMware Horizon View infrastructure. It bolsters security of the Horizon View infrastructure by proxying connections for clients coming from the public internet.
The requirements for installation are the same as the Horizon View Connection Server since the Security Server component is a subcomponent of the Connection Server. Pay attention to the network design and firewall port requirements. The installation itself is fairly straightforward. Most will want to provision a certificate from a certificate authority so clients are able to connect without error via SSL.