Although Connection Servers offer an encrypted, certificate-based SSL tunnel from the client to the virtual desktop, they are not suitable for patching into a DMZ. This is for two reasons:
- They are members of the corporate Active Directory Domain, and as such have domain privileges to a private network
- Ports are open to allow Active Directory communication, which an attacker could use to facilitate other attacks
To address this problem, VMware View has the Security Server role. It can be left in a workgroup and does not require domain access. It responds only to requests on port 443, so the firewall administrator needs to open only secure inbound ports on the external firewall. As with installing a second Connection Server, installing a Security Server is very easy. It is possible to have more than one for fault tolerance; however, a Security Server has a relationship with only one Connection Server at any one time. As you might recall, VMware provides no built-in load-balancing feature for either the Connection Server or the Security Server, so you will need some sort of third-party load-balancing solution.
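The design above implies a small set of firewall expectations that can be checked mechanically. The following Python audit is an added example, not part of the guide: it flags allow rules that expose anything other than TCP 443 on the Security Server, that let external traffic reach the corporate LAN directly, or that give the workgroup Security Server Active Directory ports into the LAN. The addresses, rule names, rule format and the AD port list are assumptions made for illustration.

```python
import ipaddress

# Well-known Active Directory service ports (general knowledge, not from the guide).
AD_PORTS = {88: "Kerberos", 135: "RPC", 389: "LDAP", 445: "SMB", 636: "LDAPS", 3268: "Global Catalog"}

# Constructed sample data: addresses and rule names are hypothetical.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")    # corporate LAN (domain members)
SECURITY_SERVER = ipaddress.ip_address("192.0.2.10")  # DMZ host left in a workgroup
RULES = [  # (name, source, destination, protocol, port, action)
    ("view-https",  "any",        "192.0.2.10", "tcp", 443,  "allow"),
    ("legacy-http", "any",        "192.0.2.10", "tcp", 80,   "allow"),
    ("cs-direct",   "any",        "10.0.1.20",  "tcp", 443,  "allow"),
    ("ss-ldap",     "192.0.2.10", "10.0.1.5",   "tcp", 389,  "allow"),
    ("drop-rest",   "any",        "any",        "any", None, "deny"),
]

def _is_external(src):
    """Treat 'any', or an address that is neither on the LAN nor the DMZ host, as external."""
    if src == "any":
        return True
    addr = ipaddress.ip_address(src)
    return addr not in INTERNAL_NET and addr != SECURITY_SERVER

def _in_lan(dst):
    return dst != "any" and ipaddress.ip_address(dst) in INTERNAL_NET

def audit(rules):
    """Return (rule_name, reason) findings for allow rules that break the DMZ design."""
    findings = []
    for name, src, dst, proto, port, action in rules:
        if action != "allow":
            continue
        to_ss = dst != "any" and ipaddress.ip_address(dst) == SECURITY_SERVER
        from_ss = src != "any" and ipaddress.ip_address(src) == SECURITY_SERVER
        if _is_external(src) and to_ss and (proto, port) != ("tcp", 443):
            findings.append((name, f"external access to Security Server on {proto}/{port}, expected tcp/443 only"))
        elif _is_external(src) and (_in_lan(dst) or dst == "any"):
            findings.append((name, "external access reaches the corporate LAN directly"))
        elif from_ss and _in_lan(dst) and port in AD_PORTS:
            findings.append((name, f"Security Server allowed {AD_PORTS[port]} to the LAN; a workgroup host needs no AD"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```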
The installation of the Security Server differs quite a bit from that of both a Connection Server and a Transfer Server. First, during the installation you will be asked for a pairing password. This is a one-off, session-based password that expires after a configurable period, and it is used to ensure that Security Servers and Connection Servers properly trust each other. However, no SSL key exchange or SHA thumbprints are used in this process, unlike the case when you add an ESX host into vCenter, for example. Having successfully completed this verification process, you will be asked to set the “External DNS” name of the Security Server. This masks the true identity of the Security Server. For example, my Security Server’s true FQDN is ss01.corp.com, but it will respond to the identity of view.corp.com. This external identity must be resolvable by public-facing DNS servers for it to work.
Want to read more of this guide?
Download the full “Administering VMware View 4.5” Guide (21 Chapters). The full guide contains additional step-by-step instructions and screen shots in each chapter.