Considerations:
DMZ or not? A DMZ is highly recommended for security reasons and is a best practice.
Domain or workgroup? There are no best practices supporting one over the other. Being on the domain has advantages regarding manageability, but needs additional firewall ports opened from the DMZ so the server can talk to the DC and DNS server(s).
Are clients already using an internal web address? If yes, then clients will need to be migrated to using the external address; alternatively, create an additional View Connection Server for the link to the Security Server and external URL. Remember the View Connection Server just brokers the connection.
How many clients? One Security Server can support up to 2000 connections; beyond this you will need additional Security Servers and hardware load balancing with something like F5 load balancers (F5 also makes a load balancer virtual appliance).
Pre-requisites:
- Public IP address
- Public DNS A record – say view.company.com
- Internal (DMZ) IP address for View Security Server
- NAT from Public IP to Internal IP
- SSL certificate for view.company.com
- VMware-viewconnectionserver....exe (here using VMware-viewconnectionserver-x86_64-5.0.1-640055.exe)
- Windows 2008 R2 operating system (from VMware View 5.0 Installation Guide - “if you want to use the PCoIP Secure Gateway component, the operating system must be Windows Server 2008 R2”)
- Pentium IV 2.0GHz processor or higher (recommended 4 CPUs)
- Minimum 4GB RAM for Security Server (at least 10GB RAM for deployments of 50 or more View desktops)
External Firewall Ports Required Open (from VMware View 5.0 Architecture Planning document):
Abbr.: Any source to Security Server on ports 80, 443, TCP 4172, UDP 4172.
Internal Firewall (DMZ to LAN) Ports Required Open (from VMware View 5.0 Architecture Planning document):
Abbr. 1: Security Server to Transfer Server on ports 80, 443.
Abbr. 2: Security Server to View Connection Server on ports 8009, 4001.
Abbr. 3: Security Server to View Desktop on ports 3389, TCP 4172, UDP 4172, TCP 32111.
Installation
The following step-by-step walkthrough specifically runs through installing one View Security Server into an existing View 5 environment, with an AutoCSR Domain Wildcard SSL certificate (for, say, *.company.com) obtained from GlobalSign. There is no Transfer Server in this environment.
1. Set up pairing on View Connection Server
1.1 Log in to the View Administrator Console portal at http:///admin
1.2 Under View Configuration > Servers, select the View Connection Server > More Commands and click 'Specify Security Server Pairing Password...', then enter the pairing password.
2. Install View Security Server
2.1 On the View Security Server, double-click VMware-viewconnectionserver-x86_64-5.0.1-640055.exe and follow through the prompts to install the View Security Server, entering the pairing password when prompted.
This stage will require the public IP address and public URL to be input.
3. Install SSL Certificate and Intermediate
3.1 Obtain the PKCS#12 wildcard certificate *.pfx from the SSL certificate provider, together with the intermediate.cer file.
3.2 On the View Security Server add keytool to the System Path:
Right-click 'My Computer' > Properties > Advanced System Settings > Environment Variables … > Edit Path and add:
;C:\Program Files\VMware\VMware View\Server\jre\bin
Click OK > OK > OK
3.3 Copy the keystore file DomainWildcardSSLPKCS#12.pfx to C:\Program Files\VMware\VMware View\Server\sslgateway\conf
3.4 In the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf use a text editor to create and save a file called locked.properties with the following contents:
keyfile=DomainWildcardSSLPKCS#12.pfx
keypass=THEPASSWORD
storetype=pkcs12
3.5 Restart the VMware View Security Server service.
3.6 Start > Run > MMC
Add the Certificates (Local Computer) snap-in and import the intermediate.cer file into 'Intermediate Certification Authorities'.
4. Configure View Connection Server
Finally, back in the View Administration Console, edit the View Connection Server properties so that the External URL and PCoIP External URL settings match the View Security Server, and tick 'Use PCoIP Secure Gateway for PCoIP connections to desktop'.
And we're done!
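A post-install check written for this walkthrough (added example, not VMware's code or the original post's): run on the Security Server, it probes the DMZ-to-LAN TCP paths from the internal firewall list (Abbr. 2 and 3) and reads back the certificate actually served on 443 after step 3.5. The Connection Server and desktop names are placeholders, and it assumes view.company.com resolves from where the script runs.

```powershell
# Added example (not from the original post). Placeholders for this environment:
$ViewExternalFqdn = "view.company.com"        # public name from the pre-requisites
$ConnectionServer = "viewcs01.corp.internal"  # placeholder: the paired Connection Server
$SampleDesktop    = "vdidesk01.corp.internal" # placeholder: any one View desktop

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-ServedCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # Accept whatever is presented so the subject can be inspected even if the chain is wrong
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $client.Close() }
}

# Internal firewall paths (Abbr. 2 and 3). UDP 4172 cannot be proven with a TCP connect,
# so confirm the PCoIP UDP rule on the firewall separately.
$paths = @(
    @{ Target = $ConnectionServer; Port = 8009 }, @{ Target = $ConnectionServer; Port = 4001 },
    @{ Target = $SampleDesktop;    Port = 3389 }, @{ Target = $SampleDesktop;    Port = 4172 },
    @{ Target = $SampleDesktop;    Port = 32111 }
)
foreach ($p in $paths) {
    $state = if (Test-TcpPort $p.Target $p.Port) { "open" } else { "BLOCKED" }
    Write-Host ("{0}:{1,-6} {2}" -f $p.Target, $p.Port, $state)
}

# Certificate served on 443: the subject should be the wildcard, and the chain should build
# on this host, which shows the intermediate from step 3.6 is in place.
$cert = Get-ServedCertificate $ViewExternalFqdn
Write-Host ("Served cert: {0}, expires {1}" -f $cert.Subject, $cert.NotAfter)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # chain completeness only; check revocation separately
Write-Host ("Chain builds: {0}" -f $chain.Build($cert))
```

A BLOCKED line on 8009 or 4001 means the Security Server cannot reach its paired Connection Server, so clients will fail before any desktop is involved.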
Essential Further Reading
VMware View Installation, View 5.0 PDF, currently available from:
VMware View Architecture Planning, View 5.0 PDF, currently available from: