2.7

ManualsBrandsVMware ManualsComputer equipmentACE

Table Of Contents

ACE Management Server Administrator’s Manual

VMware, Inc. 17

Chapter 2 Planning an ACE Management Server Deployment

VMwarePlayercheckstheintegrityofthecertificatestoreincludedinthepackageeverytimeitcommunicates

withtheserver.VMwarePlayerdoesnottrustanycertificatesstoredonthehostmachineonwhichitis

running.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.Theuseof

self‐signedcertificatesisadequateformostsecurityneeds.

If,however,yourenterpriserequirestheuseofacertificatesignedbyacertificateauthority(internalor

commercial),youcansetupthattypeofkey‐certificatepairfortheACEpackagestouse.Acertificateauthority,

orCA,isanentitythatissuesandsignspublic‐keycertificates,typicallyforafee.

Accessing ACE Management Server from Outside the Corporate

Firewall

AllclientrequeststoACEManagementServerareHTTPStrafficonport443.This meansthatanysolution

usingaproxytosecureHTTPStrafficintoyourcorporateserverscanbeusedtoproxyACEManagement

Servertraffic.

BecauseofthenumberofdataconnectionsthattheACEManagementServermustmake

onthebackend

(LDAP,DNS,ODBC,Kerberos),VMwarerecommendsusinganHTTPSproxyintheDMZ.Thisproxycan

relayACEManagementServertraffictotheactualACEManagementServerinsidethecorporatenetwork.

Figure 2-2. Recommended Deployment for External Access

ACEManagementServercanbedeployedwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerandtrafficmanagement

solution

AvoidthefollowingproblemswhenyouuseaproxyfortrafficintoanACEManagementServer:

 SSLTermination–IfyourHTTPSproxyterminatestheSSLconnection,youmustusethesameSSLkey

andcertificateontheHTTPSproxyserverandACEManagementServer.Or,usetheACEManagement

ServercertificatechaintoembedtheHTTPSproxycertificateverificationchainintheACEpackage.

Anexample

ofaproxyserverthatterminatesSSLconnectionsisApacheProxy.TheZeusload‐balancing

productssupportSSLpassthrough,whichmeansthattheSSLconnectionisterminatedatACE

ManagementServer.

 MultipleACEManagementServerSSLcertificates–IfyouaredeployingmultipleACEManagement

Serverinstancesbehindaload‐balancingsolution,allACEManagementServerinstancesmustusethe

sameSSLkeyandcertificatepair.YoucanalsousetheACEManagementServercertificatechainfeature

toembedeverySSLcertificate

verificationchainintotheACEpackage.

 DNSresolution–WhenyoucreateanACE‐enabledvirtualmachine,youmustspecifyahostnamefor

ACEManagementServer.ThishostnamemustresolvetotheappropriateIPaddressforbothinternaland

externalclients.Internally,itcanresolvetoACEManagementServeritself.Externally,itcanresolveto

the

HTTPSproxyserver.

BecausethetrafficcomingintoACEManagementServerisplainHTTPStrafficandtheserverisstateless,you

candeploymanyotherconfigurationstoprovideexternalaccesstoanACEManagementServer.Whenyou

designyourdeployment,thinkofACEManagementServerasaWebserverwith

securetraffic.

HTTPS

proxy server

external client

ODBC

NETBIOS (port 137)

DNS

KRB5 (port 88)

LDAP (port 389)

HTTPS traffic

(443)

HTTPS traffic

(443)

external

firewall

AMS server

internal

firewall