Sunday, 6 May 2012

Installing VMware View 5.0 Security Server & SSL Certificate with PCoIP


Considerations:

DMZ or not?
DMZ is highly recommended for security reasons and a best practice.

Domain or workgroup?
There is no best practice supporting one over the other. Joining the domain has advantages regarding manageability, but it requires additional firewall ports to be opened from the DMZ so that the Security Server can talk to the domain controller(s) and DNS server(s).

Are clients already using an internal web address?
If yes, then clients will need to be migrated to the external address; alternatively, you can create an additional View Connection Server dedicated to the Security Server pairing and the external URL. Remember that the View Connection Server only brokers the connection.

How many clients?
One Security Server can support up to 2000 connections; beyond this you will need additional Security Servers and hardware load balancing with something like F5 load balancers (F5 also make a load balancer virtual appliance).

Pre-requisites:
  • Public IP address
  • Public DNS A record – say view.company.com
  • Internal (DMZ) IP address for View Security Server
  • NAT from Public IP to Internal IP
  • SSL certificate for view.company.com
  • VMware-viewconnectionserver....exe (here using VMware-viewconnectionserver-x86_64-5.0.1-640055.exe)
  • Windows 2008 R2 operating system (from VMware View 5.0 Installation Guide - “if you want to use the PCoIP Secure Gateway component, the operating system must be Windows Server 2008 R2”)
  • Pentium IV 2.0GHz processor or higher (recommended 4 CPUs)
  • Minimum 4GB RAM for Security Server (at least 10GB RAM for deployments of 50 or more View desktops)
External Firewall Ports Required Open (from VMware View 5.0 Architecture Planning document):
In short: any source to the Security Server on ports 80, 443, TCP 4172 and UDP 4172.

Internal Firewall (DMZ to LAN) Ports Required Open (from VMware View 5.0 Architecture Planning document):
In short 1: Security Server to Transfer Server on ports 80, 443.
In short 2: Security Server to View Connection Server on ports 8009, 4001.
In short 3: Security Server to View Desktop on ports 3389, TCP 4172, UDP 4172, TCP 32111.
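The port lists above are easy to get wrong on the firewalls, and a Security Server that installs cleanly will still fail at connection time if one of them is blocked. The following PowerShell script is an added example, not part of the original post, that checks the TCP rules with a plain connect attempt. Run it on the Security Server for the DMZ-to-LAN rules and from an Internet-connected client for the external rules. The host names are assumed placeholders; UDP 4172 cannot be confirmed with a TCP connect and is reported as skipped.

```powershell
# Added example, not from the original post: check that the TCP ports listed above are
# reachable through the firewalls. Host names are assumed placeholders; replace them.
# UDP 4172 (PCoIP) cannot be confirmed with a TCP connect, so it is reported as SKIPPED.

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($async)   # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Rule sets taken from the port lists above.
$securityServer   = 'view.company.com'             # public name from the DNS A record
$connectionServer = 'viewcs01.company.local'       # assumed placeholder
$sampleDesktop    = 'vdi-desktop01.company.local'  # assumed placeholder

$rules = @{
    'Internet' = @(
        @{ Target = $securityServer;   Proto = 'TCP'; Port = 80;    Purpose = 'Any source -> Security Server' },
        @{ Target = $securityServer;   Proto = 'TCP'; Port = 443;   Purpose = 'Any source -> Security Server' },
        @{ Target = $securityServer;   Proto = 'TCP'; Port = 4172;  Purpose = 'PCoIP Secure Gateway' },
        @{ Target = $securityServer;   Proto = 'UDP'; Port = 4172;  Purpose = 'PCoIP Secure Gateway' }
    )
    'DMZ' = @(
        @{ Target = $connectionServer; Proto = 'TCP'; Port = 8009;  Purpose = 'Security Server -> View Connection Server' },
        @{ Target = $connectionServer; Proto = 'TCP'; Port = 4001;  Purpose = 'Security Server -> View Connection Server' },
        @{ Target = $sampleDesktop;    Proto = 'TCP'; Port = 3389;  Purpose = 'Security Server -> View desktop (RDP)' },
        @{ Target = $sampleDesktop;    Proto = 'TCP'; Port = 4172;  Purpose = 'Security Server -> View desktop (PCoIP)' },
        @{ Target = $sampleDesktop;    Proto = 'UDP'; Port = 4172;  Purpose = 'Security Server -> View desktop (PCoIP)' },
        @{ Target = $sampleDesktop;    Proto = 'TCP'; Port = 32111; Purpose = 'Security Server -> View desktop' }
    )
}

function Test-ViewFirewallRules {
    param([ValidateSet('Internet','DMZ')][string]$Vantage)
    foreach ($r in $rules[$Vantage]) {
        if ($r.Proto -eq 'UDP') {
            $status = 'SKIPPED'
        } elseif (Test-TcpPort -ComputerName $r.Target -Port $r.Port) {
            $status = 'OPEN'
        } else {
            $status = 'BLOCKED'
        }
        '{0,-8} {1,-3} {2,-5} {3,-30} {4}' -f $status, $r.Proto, $r.Port, $r.Target, $r.Purpose
    }
}

Test-ViewFirewallRules -Vantage 'DMZ'
```

Use `-Vantage 'Internet'` when running from outside. A BLOCKED result for 8009 or 4001 from the DMZ means the pairing in step 1 will succeed but clients will never get a desktop, so sort these out before installing. The script uses only .NET classes available on Windows Server 2008 R2 with PowerShell 2.0.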

Installation
The following step-by-step walkthrough specifically runs through installing one View Security Server into an existing View 5 environment, with an AutoCSR Domain Wildcard SSL certificate (for, say, *.company.com) obtained from GlobalSign. There is no Transfer Server in this environment.

1. Set up pairing on View Connection Server
1.1 Log in to the View Administrator Console portal at http:///admin
1.2 Under View Configuration > Servers, select the View Connection Server > More Commands and click 'Specify Security Server Pairing Password...' and then enter the pairing password.

2. Install View Security Server
2.1 On the View Security Server, double-click VMware-viewconnectionserver-x86_64-5.0.1-640055.exe and follow the prompts to install the View Security Server, entering the pairing password when prompted.
This stage will require the public IP address and public URL to be input.

3. Install SSL Certificate and Intermediate
3.1 Obtain the wildcard certificate as a PKCS#12 (*.pfx) file from the SSL certificate provider, together with the intermediate CA certificate (intermediate.cer).
3.2 On the View Security Server add keytool to the System Path:
Right-click 'My Computer' > Properties > Advanced System Settings > Environment Variables … >
Edit Path and add: ;C:\Program Files\VMware\VMware View\Server\jre\bin
Click OK > OK > OK

3.3 Copy the keystore file DomainWildcardSSLPKCS#12.pfx to C:\Program Files\VMware\VMware View\Server\sslgateway\conf
3.4 In the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf use a text editor to create and save a file called locked.properties with the following contents:

keyfile=DomainWildcardSSLPKCS#12.pfx
keypass=THEPASSWORD
storetype=pkcs12

3.5 Restart the VMware View Security Server service.
3.6 Start > Run > MMC
Add the Certificates (Local Computer) Snap-in and import the intermediate.cer file to 'Intermediate Certification Authorities.'
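Before restarting the service it is worth confirming that the keystore really contains the private key for the expected wildcard name, that the chain builds, and that the intermediate from step 3.6 landed in the right store, since the SSL gateway gives little feedback when any of these is wrong. The following PowerShell script is an added example, not part of the original post or of VMware's product. The expected common name, the file names and the assumption that the Security Server service runs as Local System are all placeholders to adjust.

```powershell
# Added example, not from the original post: check the keystore and the intermediate CA
# after steps 3.3 to 3.6 and before restarting the service. The expected common name,
# file names and the service account are assumptions; adjust them to your environment.

$confDir    = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
$pfxFile    = Join-Path $confDir 'DomainWildcardSSLPKCS#12.pfx'
$propsFile  = Join-Path $confDir 'locked.properties'
$expectedCn = '*.company.com'                # the wildcard name the certificate was issued for
$pfxPass    = Read-Host 'Keystore password'  # same value as keypass= in locked.properties

function Test-ViewKeystore {
    param([string]$PfxPath, [string]$Password, [string]$ExpectedCn)
    $problems = @()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)

    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key; the gateway cannot use it' }
    if ($cert.Subject -notmatch [regex]::Escape("CN=$ExpectedCn")) {
        $problems += "Subject is '$($cert.Subject)', expected CN=$ExpectedCn"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires on $($cert.NotAfter)" }

    # Build the chain without revocation checks (the DMZ host may have no CRL access).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not build: $why"
    }

    # Every issuer between the leaf and the root must be present in
    # Local Computer > Intermediate Certification Authorities (step 3.6).
    $installed = @(Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { $_.Thumbprint })
    for ($i = 1; $i -lt ($chain.ChainElements.Count - 1); $i++) {
        $issuer = $chain.ChainElements[$i].Certificate
        if ($installed -notcontains $issuer.Thumbprint) {
            $problems += "Intermediate '$($issuer.Subject)' is not in the Intermediate Certification Authorities store"
        }
    }
    return $problems
}

$found = @(Test-ViewKeystore -PfxPath $pfxFile -Password $pfxPass -ExpectedCn $expectedCn)
if ($found.Count -eq 0) { 'Keystore and chain look good' } else { $found | ForEach-Object { "PROBLEM: $_" } }

# The SSL gateway is a Java component, so also confirm the Java side can read the keystore
# (this is why keytool was put on the PATH in step 3.2).
if (Get-Command keytool.exe -ErrorAction SilentlyContinue) {
    & keytool -list -v -keystore $pfxFile -storetype pkcs12 -storepass $pfxPass |
        Select-String -Pattern 'Alias name|Certificate chain length|Owner:'
} else {
    Write-Warning 'keytool.exe not on PATH; re-check step 3.2'
}

# locked.properties holds the keystore password in clear text. Limit it to SYSTEM
# (the account the service is assumed to run as) and Administrators.
if (Test-Path $propsFile) {
    icacls $propsFile /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
}
```

The Windows-store check and the keytool listing are deliberately both present: the gateway reads the PFX through Java, so a keystore that Windows is happy with but keytool cannot open (wrong password, unsupported container) will still leave the service unable to start. The ACL step matters because locked.properties carries the same password that protects the private key.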

4. Configure View Connection Server
Finally, back in the View Administrator Console, edit the View Connection Server properties so that the External URL and PCoIP External URL settings match those entered on the View Security Server, and tick 'Use PCoIP Secure Gateway for PCoIP connections to desktop'.
And we're done!

Essential Further Reading

VMware View 5.0 Installation Guide PDF, currently available from:

VMware View 5.0 Architecture Planning PDF, currently available from:

2 comments:

  1. I really like your blog and have one with similar information. If you have time check it out.
    security company

  2. This was a really great read, appreciation for taking the time to put it together! Touched on some very good...
