
VMware Access Point allows safe access to end-user computing resources

VMware Access Point relies on authentication, verification and isolation to create a secure gateway through which users can access end-user computing resources.

When VMware Access Point was first released in 2015, many were left wondering if the product had any major differences from View Security Server. The answer to that is a bit complex -- though they are similar, they aren't exactly the same.

In fact, Access Point servers and View Security Servers were designed with entirely different purposes in mind. As the popularity of automation and the adoption of virtual desktop infrastructure boom, management tools need to evolve to fulfill new functions.

Access points were made to be quick to deploy and easy to automate, and are scalable by design. Since they are hardened Linux-based appliances, access points are also secure by design. Access points come with a built-in RESTful application programming interface so that programmatic access is simple. They also offer a single point of authentication for users and can function as a reverse proxy for authentication purposes; you can isolate authenticated traffic to certain networks. Access points are easy to replace and perform a stripped-down core function.

There are several reasons to deploy VMware Access Point, one of which is that access servers allow single sign-on (SSO) integration so that a user need only log on once to access all of her resources. This means you no longer need to build complex setups such as add-in cards for load balancers to allow SSO.

In VMware's own words, "The main difference from View security server is that Access Point is implemented as a hardened, locked down, preconfigured Linux-based virtual machine, as opposed to software running on a general-purpose Windows operating system." Access Point also scales differently than View.

Above all, VMware Access Point integrates tightly with Horizon to provide access only to the services and desktops to which the user is entitled. This occurs only after the user has been authenticated and verified.

VMware Access Point supports several authentication schemes out of the box, including Active Directory (AD), RSA SecurID and RADIUS, to name a few. The Access server never talks to the AD server, but uses the Horizon server as a reverse proxy for requests. Load balancing is not a part of Access Point, but is critical for large environments.

Access points are deployed using Dynamic Host Configuration Protocol addresses from a preconfigured pool and simple pre-emptive firewall setup. This means you can automate deployment if you so choose.

Deploying the appliance is a straightforward process, one that is code first. An administrator could deploy it from the Web Client, but that isn't recommended -- it's better to use PowerShell.

Before you do anything, you will need to configure IP address pools with Domain Name System (DNS) configuration. The appliance can have several configurations depending on how many network interface cards (NICs) the VM was given. Being a security appliance, the VM can have separate NICs to keep different traffic types separate -- for example, keeping authentication and management traffic separate from VDI traffic.

To deploy a basic setup, start by downloading the Open Virtualization Format (OVF), right-click the cluster that you want to install the server on, and then click Deploy OVF. Select the downloaded OVF, give it a good name and click Next.

Figure A. Downloading the OVF package.

Next, choose a location and the name for the server such as the one shown in Figure B.

Figure B. Choosing a name and location for the server.

Once this is complete, configure the NICs. As mentioned earlier, the administrator can tailor the configuration to their requirements. For this example I will only use the one server.

Figure C. Configuring the NICs.

Choose the appropriate storage location, and then click Next.

At this point, you can set up the configuration of the server networks. Since I am only using one network, I will need to use the drop-down for each source and set them to the network.

Figure D. Setting up server networks.

You will also need to configure DNS servers, network mask and gateway.

You can configure several options unique to your infrastructure on the penultimate page of the deployment. One thing you need to configure is Secure Sockets Layer (SSL) thumbprint usage, unless you use a known certificate authority. If you use a self-signed certificate, you can copy the SSL thumbprint into the configuration. This prevents any SSL-related errors from popping up. The administrator will also have to configure the Horizon Server URL.
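One way to read the thumbprint a server actually presents and compare it with a value taken from the Horizon server itself before copying it into the configuration, as an added PowerShell example (not VMware's or the author's code). The host name and expected value are placeholders, and because this page does not say which digest the appliance expects, the function returns both SHA-1 and SHA-256.

```powershell
# Added example. Host name and expected thumbprint below are placeholders.
function Get-TlsCertificateThumbprint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever certificate is presented: it is only being read here,
        # and no application data is sent over the connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $tls.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
            $sha256 = [System.Security.Cryptography.SHA256]::Create()
            try {
                $digest = $sha256.ComputeHash($cert.RawData)
            } finally { $sha256.Dispose() }
            [pscustomobject]@{
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                Sha1     = $cert.Thumbprint
                Sha256   = [System.BitConverter]::ToString($digest) -replace '-', ''
            }
        } finally { $tls.Dispose() }
    } finally { $client.Dispose() }
}

function Test-ThumbprintMatch {
    # Compares two hex thumbprints, ignoring case, spaces and colons.
    param([string] $Observed, [string] $Expected)
    $normalize = { param($v) ($v -replace '[\s:]', '').ToUpperInvariant() }
    (& $normalize $Observed) -eq (& $normalize $Expected)
}

$expected = '<SHA-1 thumbprint read from the certificate on the Horizon server itself>'
$seen = Get-TlsCertificateThumbprint -HostName 'horizon.example.internal'
if (Test-ThumbprintMatch -Observed $seen.Sha1 -Expected $expected) {
    "Match: $($seen.Sha1) ($($seen.Subject), expires $($seen.NotAfter))"
} else {
    Write-Warning "Certificate seen on the network does not match the expected thumbprint."
}
```

A pinned thumbprint is only as trustworthy as the place it was copied from, so the expected value should come from the server's own certificate store rather than from the same network path the appliance will use.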

Once you're happy with your setup, click Next and select Power On after deployment.

The server should now be useable. However, there isn't much to see because it has no graphical user interface. All management is done via REST.

In short, VMware Access Point can provide a useful addition to some sites, especially those that need to scale. If nothing else, it is worth investigating when you set up your environment.
