Horizon View 5.3 Part 10 – Installing and Configuring the View Security Server

People want to work from home.  Ok…maybe they don’t always WANT to work from home, but there are times where the convenience is nice.  If you live in Wisconsin today for instance, you would almost want to work from home.

One other big trend that you hear about today is Bring-Your-Own-BeerDevice.  There is a growing trend, especially amongst younger workers, to want to use their own personal devices at work.  The iPad and other tablets have really enabled this trend.

VDI enables both of these trends.  If my desktop and all of my applications and files exist in a “cloud” of some sort, it doesn’t matter what device my endpoint is or where I work.  The problem with this, though, is one of security.  Bringing untrusted machines and devices onto a corporate network, either directly onsite or through a VPN, is a huge security risk.

The View Security Server is VMware’s method of addressing this.  This component of the Horizon View environment contains a subset of the Connection Server components, and it is designed to sit in a DMZ and act as a gateway for Horizon View Clients.  It’s essentially a reverse proxy for your View environment.

In my last role, we had enabled access to our virtual desktops through the firewall by using the Security Server setup since we had people traveling all over the world.  One of their biggest successes with rolling out virtual desktops was when a number of senior managers went to Rome with only their iPads.  They were still able to log in and work as if they were in the office. 

Security Server Requirements

Security Servers are considered Connection Servers in the Horizon View documentation.  They don’t list separate hardware requirements for this application, so I would use the requirements for the Connection Server. 

Each Security Server that is deployed needs a corresponding Connection Server, and they are paired during the installation process.  Because the Security Server is an optional component, each Connection Server is not required to have one, and a Connection Server cannot be paired to more than one Security Server.

On of the best practices for both Security Servers and Connection Servers is to keep the Windows Firewall turned on.  If the firewall on either server is turned off, View will not be able to use IPSEC when communicating.

Each Security Server also needs a static IP address.  If it is externally facing, it will need to have a publicly addressable static IP.  This IP address does not need to be configured on the server’s network card as both Static 1:1 NAT and PAT work with Horizon View.

There are some firewall rules for Security Servers.  The following rules are required on your front-end Internet-facing firewall:

  • HTTP – TCP 80 In
  • HTTPS – TCP 443 In
  • PCoIP – TCP 4172 In, UDP 4172 both directions

If you are deploying your Security Servers in a DMZ configuration with a back-end firewall, you need to configure your firewall to allow IPSEC traffic.  ISAKMP (UDP 500) and the ESP protocol need to be allowed through the firewall.

Configuring Horizon View for a Security Server

Before a Security Server can be installed, it must be paired with a Connection Server.  This is accomplished with a password that is used to authenticate the Security Server to the Connection Server.  To set up the pairing password, take the following steps:

1. In View Administrator, go to View Configuration –> Servers

1. View Configuration

2. Click on the Connection Servers tab and select the Connection Server you want to pair with.

2. Connection Servers Tab

3. Click on More Commands and select “Specify Security Server Pairing Password.”

3. Specify Security Server Pairing Password

4. Specify your pairing password.  When you do this, you will also be able to configure how long that password will be valid for.  If the password is not entered in that time period, or if you encounter errors with the install that are not resolved before the timeout period expires, you will need to create a new password.

4. Password Screen

Installing the View Security Server

Once the pairing password is set up, you can start the Security Server installation.

1. Launch the installation program.

2. Accept the license agreement

5. License Agreement

3. The next screen gives you the option to change the installation directory by clicking the Change button.  For this installation, we’ll be installing to the default location, so click Next.

6. Directory

4. Select Security Server

7. Select Security Server

5. Enter the hostname or IP address of the Connection Server the Security Server will be paired with.

8. Hostname

6. Enter the pairing password.

9. Pairing Password

7. In order for View Clients to properly connect to the Security Server, you need to configure the External URLs for the server.  The items that need to be configured are:

  • External URL – the fully-qualified public domain name and port such as view.remotedomain.com:443
  • PCoIP External URL – the public IP address and port number.  If this server is behind a NAT, this should be the IP address that can be reached from the Internet.  Example: 4.4.4.4:4172
  • Blast External URL – the fully-qualified public domain name and port used by VMware Blast such as html5desktop.remotedomain.com:8443

10. External URL

8. The View Installer will give you the option to automatically configure the Windows Firewall for View.  Click Next to allow the installer to set up the Windows Firewall.  If you do not want the installer to configure the firewall, you will need to configure these rules manually after installation.

11. Firewall

9. Click Install to finish the installation.

12. Ready to Install

10. Click Finish to close the installer.

12. Finished

11. If you log back into View Administrator and go to View Configuration –> Servers –> Security Servers, you should see your newly added Security Server.

14. Security Tab

That’s it for the server components.  For now, anyway.  The next post or two will be about configuring the desktops and setting up a pool.