Install a Security Server - VMware View: Chapter 17

Although Connection Servers offer an encrypted, certificate-based SSL tunnel from the client to the virtual desktop, they are not suitable for placement in a DMZ, for two reasons:

  • They are members of the corporate Active Directory domain, and as such have domain privileges on the private network.
  • Ports are open to allow Active Directory communication, which a hacker could use to facilitate other attacks.

To solve this problem, VMware View has the Security Server role: it can be left in a workgroup and does not require domain access. It responds only to requests on port 443, so the firewall administrator needs to open only secure inbound ports on the external firewall. As with installing a second Connection Server, installing a Security Server is very easy. It is possible to have more than one for fault tolerance; however, a Security Server has a relationship with only one Connection Server at any one time. As you might recall, VMware provides no built-in load balancing feature for either the Connection Server or the Security Server, so you will need a third-party load balancing solution.
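The placement rule above can be checked against an exported external-firewall rule set. The following is an added example, not part of the original guide: the `Rule` format, the rule names and the host `cs01.corp.com` are hypothetical, and the Active Directory port list is the set of standard well-known ports, not something taken from the guide.

```python
from dataclasses import dataclass

# Standard ports a domain member exposes for Active Directory traffic.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC", 389: "LDAP",
            445: "SMB", 464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog"}

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "inbound" or "outbound", seen from the external firewall
    dest: str       # destination host
    proto: str      # "tcp" or "udp"
    lo: int         # first port of the range (inclusive)
    hi: int         # last port of the range (inclusive)
    action: str     # "allow" or "deny"

def audit_external_firewall(rules, security_server, allowed_port=443):
    """Return findings for inbound allow rules that go beyond
    tcp/443 to the Security Server."""
    findings, https_ok = [], False
    for r in rules:
        if r.direction != "inbound" or r.action != "allow":
            continue
        if r.dest != security_server:
            findings.append(f"{r.name}: external traffic allowed to "
                            f"{r.dest}, not the Security Server")
            continue
        if r.proto == "tcp" and r.lo <= allowed_port <= r.hi:
            https_ok = True
        if r.proto != "tcp" or (r.lo, r.hi) != (allowed_port, allowed_port):
            ad = sorted(p for p in AD_PORTS if r.lo <= p <= r.hi)
            detail = f"; includes AD ports {ad}" if ad else ""
            findings.append(f"{r.name}: opens {r.proto}/{r.lo}-{r.hi} "
                            f"beyond tcp/{allowed_port}{detail}")
    if not https_ok:
        findings.append(f"no rule allows tcp/{allowed_port} to {security_server}")
    return findings

# Constructed sample rule sets (not from a real firewall).
WEAK = [Rule("allow-view-cs", "inbound", "cs01.corp.com", "tcp", 443, 443, "allow"),
        Rule("allow-ss-wide", "inbound", "ss01.corp.com", "tcp", 1, 1024, "allow")]
HARDENED = [Rule("allow-ss-https", "inbound", "ss01.corp.com", "tcp", 443, 443, "allow")]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_external_firewall(rules, "ss01.corp.com"))
```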

The installation of the Security Server differs quite a bit from that of both a Connection Server and a Transfer Server. First, during the installation you will be asked for a pairing password. This is a one-off, session-based password that expires after a configurable period and is used to ensure that Security Servers and Connection Servers properly trust each other. However, no SSL key exchange or SHA thumbprints are used in this process, unlike when you add an ESX host to vCenter, for example. Having successfully completed this verification process, you will be asked to set the “External DNS” name of the Security Server. This masks the true identity of the Security Server: for example, my Security Server’s true FQDN is ss01.corp.com, but it will respond to the identity of view.corp.com. This external identity must be resolvable by public-facing DNS servers for it to work.

Download the full “Administering VMware View 4.5” Guide (21 Chapters). The full guide contains additional step-by-step instructions and screen shots in each chapter.

This was last published in September 2010
