VMware's View Manager Security server is a component of the View architecture which provides secure access to VMware View sessions over an unsecured WAN and/or Internet.  Use of the Security server allows protection to the connection broker from the public Internet while also creating a secure mechanism for remote users to access the View environment.  For deployments where two-factor authentication is desired, the Security Servers can also be configured with RSA SecurID integration.

The Security server basically acts like a proxy to securely connect outside hosts to the trusted inside network. In a typical deployment, the Security server(s) is placed in the DMZ.  Although not required, it is best practice to deploy two Security servers, a Standard Security server and a Replica Security server, for a fault tolerant configuration.  When using a fault tolerant configuration, a 3rd party load balancer must also be deployed to manage connection state and fail-over between the Standard and Replica servers.

The following diagram illustrates the components for deployment:

As a prerequisite for deployment, one or more View Manager Connection servers must be present and configured with their associated dependencies satisfied (Active Directory, Virtual Center and an ESX host/cluster deployed).  Please see our knowledge base for further details on the configuration of these dependencies.

Because the Security servers only offer a small subset of the features offered by the View Connection server, there is no need for the Security server to have or be a part of the Active Directory domain.  Further more, these servers do not contain LDAP schemas or other repositories for Active Directory or RSA Authentication Manager (if deployed with two-factor authentication) enforcing a strong security posture that is protected from possible compromise.

Firewall Configuration

In order for communications between the remote clients, Security server(s), View Connection server(s) and desktop pools, the following ports and protocols must be allowed through your front and back-end firewalls:

The following diagram illustrates these communications further:

Security Server Installation

We are now ready to install our first Security server.  The following steps will walk you through the initial install:

1. Locate and run the VMware-viewconnectionserver-*.exe:

2. A installation wizard will appear.  Click Next:

3. Read and then accept the license terms and click Next:

4. Select a destination folder for the install and click Next:

5. On the Installation Options screen, select Security Server and then click Next:

6. Each Security server is paired with a View Connection Server to which it forwards all its inbound traffic.  On the Paired View Connection Server screen, enter the FQDN (fully qualified domain name) or IP address of your Standard or Replica View Connection Server.

7.  Confirm your install and then click Next:

8. Once the installer has completed, click Finish:

If you plan to deploy a replica sever, you will need to repeat steps 1-8 on the replica server.

Connection Server Configuration

When external clients connect to View via the Security server, they must be able to resolve the FQDN of the Connection server.  This can present a problem because the FQDN of our Connection server is different on our inside network than what is advertised on the Internet.

For example, in our configuration thus far, our DMZ Security server has a FQDN of vdi-security-01.tcpdump.com and our internal Connection server has a FQDN of vdm-01.tcpdump.com.  However, in our external DNS, we advertise view.tcpdump.com with a NAT from the external IP address of view.tcpdump.com to vdi-security-01.tcpdump.com.  Additionally, we have no NAT in place for our Connection server as we want the Security server to act as a proxy for all external users.

We overcome this obstacle by configuring the Connection server with an external FQDN that matches the external FQDN of our Security server (https://view.tcpdump.com).

Using your web-browser, access your View Administrator Console (this is the IP address or hostname of your Connection server followed by '/admin'.  For example:

http://vdm-01.tcpdump.com/admin.

You may also access the administration console via the following URL from the console of your View Connection server:

http://localhost/admin

Log in with a domain user that has administrative privileges to the View Connection server.  By default, the domain administrator account will have the necessary privileges (unless previously configured otherwise).

After you have logged-in, click the "Configuration" icon from the navigation panel:

In the View Servers window, highlight your Connection server and click "Edit".  This will provide a configuration window that will allow you to enter the external FQDN of your Security server.

* Note: You must provide the full URL and protocol in the External URL field.  i.e. https://view.tcpdump.com:443

Click Ok to save your changes.

We must now restart the View Connection service for the changes to take affect.

Security Server Configuration

Now that we have deployed the Security server and configured the Connection server, we need to establish communications between the Security server located in the DMZ and the Connection server located within our internal network.  We first begin by creating a locked.properties file.  The locked.properties file provides inbound connection details so that the Security server can communicate with the Connection server.  We will use the View Administrator interface to generate the locked.properties file.

(If you are not on the Configuration screen from the View Administrator Console, use your web brower and navigate there now.)

Highlight the name of your Security Sever and then click the "Create Configuration File" link:

Your web browser will prompt you to save the file.  Save the file as locked.properties (with no extension.)  Ensure the Save as type is set to "All Files".  If the save as type is not set to All Files, Windows will attempt to append a .txt to the filename and you will have to rename the file after you have saved it.

Copy the locked.properties file to the following location on the Security server:

C:\Program Files\VMware\VMware View\Server\sslgateway\conf

* Note: Your actual path may vary if you changed the default installation folder when installing the Security server.

Once the locked.properties file has been copied to the Security server, restart the View Security Server service from the Security Server for the changes to take affect.

Test your newly configured View Security server from a external host using a web browser or the View client with the external address of the Security server (https://view.tcpdump.com).  Great work!  Now go grab a beer!

Add this page to your favorite website

Comments

Add New Search

Brian |13/07/2009 21:58:55 Great guide! Is there an alternative way to let RDP connections from the security server to an RDP broker server instead of virual PCs? Reply | Quote

thirt |15/07/2009 17:55:01 Hi Brian, I’m not exactly sure what you question is. Are you asking if you can use the security server to manage RDP connection to non VMware servers/workstations? Similar to Microsoft’s Small Business Servers Remote Web Workplace? If so, you cannot. However, you could use the security server to broker connections to a Terminal Services Desktop Pool. Let me know what you are trying to do and perhaps I can suggest a solution. Best, Tom Reply | Quote

Martin Zardecki  - Version differences? |20/08/2009 17:06:30 Hi, nice article. We implemented this as a trial using VMware View products version 3.1.1. Inside our firewall everything works nicely but we can't get it going outside our firewall. We've forwarded ports 80 and 443 to the View Connection server and there no longer appears to be a View Security server product (explicitly at least). When using View Client we can connect to the View Connection server and authenticate properly but whenever we try connecting to an actual desktop the process times out. We have a small office and are only using Active Directory, ESXi, and are now trying View. We do not have vCenter or any of those products nor could we afford them anyways. Any advice or tips? TIA. Martin mpzarde@truecool.com Reply | Quote

Martin Zardecki |20/08/2009 17:11:07 Shoot, I just found the security server deployment step, sorry. I guess is a security server required for Internet Access? Reply | Quote

thirt  - re: |21/08/2009 12:10:06 Hi Martin, I'm not sure I understand your question: Martin Zardecki wrote: I guess is a security server required for Internet Access? You don't have to have Internet access to use the security server. You might use a security server on the WAN/LAN to broker connections for your internal clients as well. The security server just adds another layer of security between your clients and the VI infrastructure/domain. Hope this answers your question! Best, Tom Reply | Quote

Martin Zardecki |21/08/2009 16:32:19 We're a small company and many of our people are on the road a lot. So the key advantage to us is if we can provided with some kind of desktop access remotely. So far we've been unable to provide access through View Connection Server to any desktops from outside our firewall (from the internet). So then is the Security server required to get access from the Internet? TIA. Reply | Quote

Anonymous |21/08/2009 17:13:12 I think I just answered my own question, I finished setting up as per your scenario and still no joy I can connect (using View Client to the View Server OR the Security Server) and control a desktop fine but only from inside our firewall. No joy from outside our firewall; I can connect and authenticate to Security Server or the View Server but then it times out trying to connect to a desktop. I have ports 80 and 443 forward to the Security Server but not sure what else to try on the Firewall. Any tips? Thanks. Reply | Quote

thirt  - Moved to the forums! |24/08/2009 11:37:28 Hi Martin, Lets use the forums to discuss this one further. I started a thread for us here: http://www.tcpdump.com/forums/virtualization/virtual-desktop/cant-connect-to-view-security-server-from-outside-firewall.html?p=1#p4 Thanks, Tom Reply | Quote

redmount |22/10/2009 13:06:32 Hi I am having similar issues did you manage to resolve this for Martin ? if so are there any details published or could you provide info ? If required I can provide a summary of the exact problem I am having. regards Redmount Reply | Quote

Scott  - Sr Systems Engineer |11/11/2009 13:27:32 We are looking at deploying View, but we are a Verisign shop (no direct VMware View integration). Can we use our existing F5/Verisign two factor authentication environment to bring our users inside our firewall, and then fro there connect directly to VMware View as an authenticated user? This would negate the need for Security servers right? One challenge we may have is the need to use a virtually "stateless" think client type device in the field. Something along the lines of HP Thin OS that runs a very limited Linux based OS. I am not sure if we can confiigure such a client to connect up via our F5/Verisgn environment and then connect to our View servers. Most of these devices are pre-configured to connect directly to a small number of VDO brokers only. Reply | Quote

thirt |12/11/2009 09:48:21 Hi Scott, I'm not familiar with the F5/Verisign environment you are using, but assuming this is a VPN of some sort, I don't see why you couldn't leverage it and by pass the use of the Security server. Remember the purpose of the Security Server is to handle remote access (WAN/Internet) into the environment. But if your users connect to your network via some sort of VPN, there would be no reason after they have authenticated and connected to your network that they wouldn't be able to then use the internal address of the View connection server. After your authenticated, so long as you can launch an application or web browser from the clients desktop that can connect to an internal address on your network (and of course the client system meets all the requirements for View) you should be just fine. -Tom Reply | Quote

visak  - virtual support eng |05/02/2010 04:37:50 I am using view 3.11 server with the security server,work fine at the movement I have requirment that I have two diffrent user login groups to same virtual desktop from extrenal connection ,But now I need to block one of the user group to login from extrenally but need to allow that group login internally.Can we achive this setup. Any advice will helpfull Reply | Quote

dgbf |28/11/2011 21:25:33 ngfxngn Reply | Quote

Write comment
Name:
Email:	do not notifynotify
Website:
Title:
UBBCode:	-color-aquablackbluefuchsiagraygreenlimemaroonnavyolivepurpleredsilvertealwhiteyellow -size-tinysmallmediumlargehuge
	Please input the anti-spam code that you can read in the image.

!joomlacomment 4.0 Copyright (C) 2009 Compojoom.com . All rights reserved."