Deploying and Configuring Access Point
Access Point 2.5
Access Point 2.6
VMware Horizon

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
2 VMware, Inc.
Contents

Deploying and Configuring Access Point 5
1 Introduction to Access Point 7
  Firewall Rules for DMZ-Based Access Point Appliances 8
  Access Point Topologies 12
2 System Requirements and Deployment 17
  Access Point System Requirements 17
  Preparing View Connection Server for Use with Access Point 19
  Deploy the Access Point Appliance 19
  Using VMware OVF Tool to Deploy the Access Point Appliance 23
  Access Point Deployment Properties 27
3 Configuring Access Point 31
  Using the Access Point REST API 31
  Configure RADIUS Authentication on the Access Point Appliance 63
Index 67
Deploying and Configuring Access Point

Deploying and Configuring Access Point provides information about designing a VMware Horizon deployment that uses Access Point for secure external access to your organization's applications, including Windows applications, software as a service (SaaS) applications, and View desktops. This guide also provides instructions for deploying Access Point virtual appliances and changing the configuration settings after deployment, if desired.
1 Introduction to Access Point

Access Point functions as a secure gateway for users who want to access remote desktops and applications from outside the corporate firewall. Access Point appliances typically reside within a DMZ and act as a proxy host for connections inside your company's trusted network. This design provides an additional layer of security by shielding View virtual desktops, application hosts, and Horizon servers from the public-facing Internet.
This chapter includes the following topics:
- "Firewall Rules for DMZ-Based Access Point Appliances," on page 8
- "Access Point Topologies," on page 12

Firewall Rules for DMZ-Based Access Point Appliances

DMZ-based Access Point appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Access Point services are set up to listen on certain network ports by default.
Chapter 1 Introduction to Access Point

Figure 1-1. View Components and Protocols with Access Point
(Figure: client devices (RDP Client, Horizon Client) connect over PCoIP, Blast, and HTTP(S) to the Access Point appliance; the appliance's View secure protocol handlers forward PCoIP, Blast, RDP, Framework, MMR, CDR, and other protocols.)

Figure 1-2.
Table 1-1. Front-End Firewall Rules (Continued)

Source          Default Port  Protocol  Destination             Destination Port
Horizon Client  TCP Any       PCoIP     Access Point appliance  TCP 4172
                UDP Any                                         UDP 4172

External client devices connect to an Access Point appliance within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP.

Table 1-2. Back-End Firewall Rules (Continued)

Source                  Default Port    Protocol       Destination                    Destination Port
Access Point appliance  TCP or UDP Any  Blast Extreme  Remote desktop or application  TCP or UDP 22443

Access Point appliances connect to remote desktops and applications on TCP and UDP port 22443 to exchange Blast Extreme traffic.
Figure 1-3. Access Point Appliance Pointing to a Load Balancer
(Figure: a client device on the external network reaches a load balancer in the DMZ, then an Access Point appliance, then a second load balancer in front of Horizon servers, with Microsoft Active Directory, ESXi hosts running virtual desktop virtual machines, and the vCenter Management Server on the internal network.)

You can alternatively have one or more Access Point appliances point to an individual Horizon server instance.

Figure 1-4. Access Point Appliance Pointing to a Horizon Server Instance
(Figure: a client device on the external network reaches a load balancer in the DMZ, then an Access Point appliance, which points directly at a Horizon server, with Microsoft Active Directory, ESXi hosts running virtual desktop virtual machines, and the vCenter Management Server on the internal network.)

The following figure illustrates Access Point integration with VMware Identity Manager. You can configure the Web Reverse Proxy service to use Access Point 2.6 with VMware Identity Manager.

Figure 1-5. VMware Identity Manager Components with Access Point
(Figure: laptops and PCs connect over HTTPS (443) to mycompany.vmwareidentity.com on the Access Point appliance in the DMZ; the appliance forwards over HTTPS (443) to an internal load balancer at myconnector.mycompany.com in the corporate zone, which fronts a Connector-va cluster; corporate LAN users reach the same load balancer over HTTPS (443); DNS/NTP services are also shown.)
2 System Requirements and Deployment

You deploy an Access Point appliance in much the same way that you deploy other VMware virtual appliances.
VMware Identity Manager 2.6

VMware Identity Manager 2.6 has been qualified to support Access Point 2.6. Refer to the product release notes for the latest information about compatibility, and refer to the VMware Product Interoperability Matrix at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. Information in the release notes and interoperability matrix supersedes information in this guide.
Chapter 2 System Requirements and Deployment

Preparing View Connection Server for Use with Access Point

If you plan to use Access Point with Horizon 6 or Horizon 7, or with Horizon Air Hybrid-mode, you must perform specific tasks to ensure that View Connection Server works correctly with Access Point.

NOTE If you plan to use Access Point only as a reverse Web proxy, a feature that is available with Access Point 2.6 and later releases, do not perform the tasks listed in this topic.
- Determine how many network interfaces and static IP addresses to configure for the Access Point appliance. See "Networking Requirements," on page 18.

IMPORTANT If you use the vSphere Web Client, you can also specify the DNS server, gateway, and netmask addresses for each network. If you use the native vSphere Client, verify that you have assigned an IP pool to each network.

4 Follow the wizard prompts, and take the following guidelines into consideration as you complete the wizard. Text on each wizard page explains each control. In some cases, the text changes dynamically as you select various options.

NOTE If you use the vSphere Web Client, for assistance you can also click the context-sensitive help button, which is a question mark (?) icon in the upper-right corner of the wizard.
Option                          Description
Setup Networks/Network Mapping  If you are using vSphere Web Client, the Setup Networks page allows you to map each NIC to a network and specify protocol settings.
                                a Select the first row in the table (Internet) and then click the down arrow to select the destination network.
                                b
                                c After you select the row, you can also enter IP addresses for the DNS server, gateway, and netmask in the lower portion of the window.

6 When deployment is complete, verify that end users will be able to connect to the appliance by opening a browser and entering the following URL:

https://FQDN-of-AP-appliance

In this URL, FQDN-of-AP-appliance is the DNS-resolvable, fully qualified domain name of the Access Point appliance. If deployment was successful, you will see the Web page provided by the Horizon server that Access Point is pointing to.

Prerequisites for Access Point Deployment

- Familiarize yourself with the deployment options available. See "Access Point Deployment Properties," on page 27. The following options are required: static IP address for the Access Point appliance, IP address of the DNS server, password for the root user, and the URL of the Horizon server or load balancer that this Access Point appliance will point to.
Following is an example of a command for deploying an Access Point appliance using OVF Tool on a Linux client machine:

ovftool --X:enableHiddenProperties \
--powerOffTarget \
--powerOn \
--overwrite \
--vmFolder=folder1 \
--net:Internet="VM Network" \
--net:ManagementNetwork="VM Network" \
--net:BackendNetwork="VM Network" \
-ds=PERFORMANCE-X \
--name=name1 \
--ipAllocationPolicy=fixedPolicy \
--deploymentOption=onenic \
--prop:ip0=10.20.30.41 \
--prop:DNS=192.

--prop:ip0=10.20.30.41 ^
--prop:DNS=192.0.2.1 ^
--prop:adminPassword=P@ssw0rd ^
--prop:rootPassword=vmware ^
--prop:settingsJSON="{\"edgeServiceSettingsList\": { \"edgeServiceSettingsList\": [ ^
{ ^
\"identifier\": \"VIEW\", ^
\"enabled\": true, ^
\"proxyDestinationUrl\": \"https://192.0.2.2\", ^
\"proxyDestinationUrlThumbprints\": \"sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b dc 34\", ^
\"pcoipEnabled\": true, ^
\"pcoipExternalUrl\": \"10.20.30.

"tunnelExternalUrl": "https://ap1.example.com:443", \
"proxyPattern":"/" } ] } \
}' \
euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova \
vi://root:password@vc.example.com/ExampleDC/host/ap

IMPORTANT To use the View edge service, you must configure the external URLs for the secure tunnel, the PCoIP Secure Gateway, and the Blast Secure Gateway at deployment time. This configuration step must be done before you can use Access Point for View traffic.
Table 2-1. Deployment Options Access Point (Continued)

Deployment Property   OVF Tool Option                                              Description
DNS server addresses  --prop:DNS=ip-of-name-server1[ ip-of-nameserver2 ...]        (Required) Specifies one or more space-separated IPv4 addresses of the domain name servers for this virtual machine (example: 192.0.2.1 192.0.2.2). You can specify up to three servers.
Horizon server URL    --prop:proxyDestinationURL=URL                               (Required) Specifies the destination URL of the load balancer or Horizon server. The Access Point appliance directs traffic to the server at this destination. The destination URL must contain the protocol, host name or IP address, and port number (example: https://load-balancer.example.
3 Configuring Access Point

You use the Access Point REST API to configure Access Point.

IMPORTANT After deployment, the first configuration task is to configure the clock (UTC) on the Access Point appliance so that the appliance has the correct time. For example, open a console window on the Access Point virtual machine and use the arrow keys to select the correct time zone.
"proxyDestinationUrlThumbprints": "sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b dc 34",
"healthCheckUrl": "/favicon.ico",
"pcoipEnabled": true,
"pcoipExternalUrl": "10.20.30.40:4172",
"blastEnabled": true,
"blastExternalUrl": "https://ap1.example.com:8443",
"tunnelEnabled": true,
"tunnelExternalUrl": "https://ap1.example.

Chapter 3 Configuring Access Point

In this example, P@ssw0rd is a password that is at least 8 characters long, contains at least one uppercase and one lowercase letter, one digit, and one special character, which includes ! @ # $ % * ( ). When the admin server reboots, it generates the following message in the /opt/vmware/gateway/logs/admin.log file:

Successfully set initial settings from firstboot.properties.
Table 3-1. REST API Properties for the SystemSettings Resource (Continued)

REST API Property  Description and Example                                              Default Value
locale             Specifies the locale to use for localized messages.                  en_US
                   - en_US for English
                   - ja_JP for Japanese
                   - fr_FR for French
                   - de_DE for German
                   - zh_CN for Simplified Chinese
                   - zh_TW for Traditional Chinese
                   - ko_KR for Korean
syslogUrl          Specifies the Syslog server used for logging Access Point events.
Table 3-3. REST API Properties for the EdgeServiceSettings resource

REST API Property  Description and Example                                                                 Default Value
enabled            If set to TRUE, specifies that the edge service is enabled.                             FALSE
identifier         Specifies the type of edge service. The following values are valid for the property:   None
                   - VIEW uses the edge service for servers that use the View XML protocol.

Table 3-3. REST API Properties for the EdgeServiceSettings resource (Continued)

REST API Property  Description and Example                                                                 Default Value
authMethods        Specifies the type of authentication to use. Set this property to one of the following values unless you want to use pass-through authentication: By default, authentication is passed through to the Horizon server, which can be configured for AD password, RSA SecurID, RADIUS, or SAML.

Table 3-4. REST API Properties for the EdgeServiceSettings Resource for View (Continued)

REST API Property  Description and Example                                                                 Default Value
pcoipExternalUrl   Specifies an external URL of the Access Point appliance, which clients will use for secure connections through the PCoIP Secure Gateway. This connection is used for PCoIP traffic.   applianceIP:4172 (applianceIP is the IPv4 address of the Access Point appliance.
Table 3-5. REST API Properties for the EdgeServiceSettings Resource for Web Reverse Proxy for vIDM (Continued)

REST API Property    Description and Example                                                                                     Values
proxyDestinationUrl  Specifies the destination URL to which Access Point proxies the requests that users send to it to reach a service. For example, https://vidmserver.example.com.   None
healthCheckUrl       Specifies the URL that the load balancer connects to and checks the health of Access Point.                 /favicon.

Table 3-5. REST API Properties for the EdgeServiceSettings Resource for Web Reverse Proxy for vIDM (Continued)

REST API Property  Description and Example                                                    Values
unSecurePattern    Specifies an unsecured URL pattern for a login page. This is static content.   /catalogportal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/jslib(.*)|/SAAS/auth/login(.
Configuring TLS/SSL Certificates for Access Point Appliances

TLS/SSL is required for client connections to Access Point appliances. Client-facing Access Point appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates. TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator.

Certificates that you import into the Access Point appliance must be trusted by client machines and must also be applicable to all instances of Access Point and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.
4 Use the following UNIX command to convert each .pem file to a value that can be passed in a JSON string to the Access Point REST API:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem

In this example, cert-name.pem is the name of the certificate file. The new format places all the certificate information on a single line with embedded newline characters.

Procedure

1 Create a JSON request for submitting the certificate to the Access Point appliance.

{
  "privateKeyPem": "string",
  "certChainPem": "string"
}

In this example, the string values are the JSON one-line PEM values that you created as described in the prerequisites.

2 Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST API and store the certificate and key on the Access Point appliance.
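As an added example, not part of the VMware guide, the following Python does the PEM-to-JSON conversion that the awk one-liner above performs and assembles the request body from step 1; it also computes the proxyDestinationUrlThumbprints value ("sha1=" followed by space-separated hex bytes, the form used in the settingsJSON examples in Chapter 2) from a PEM certificate chain. The PEM inputs are constructed placeholders whose base64 body decodes to the bytes "abc", not real keys or certificates.

```python
import base64
import hashlib
import json
import re

# Constructed sample inputs (not real keys or certificates). "YWJj" is the
# base64 of b"abc" and stands in for DER data; the chain uses CRLF line
# endings and a trailing blank line, as files copied from Windows often do.
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "YWJj\r\n"
    "-----END CERTIFICATE-----\r\n"
    "\r\n"
)
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "YWJj\n"
    "-----END PRIVATE KEY-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_to_one_line(pem_text):
    """Same effect as the awk command: drop carriage returns and blank
    lines, and emit every remaining line followed by a newline. The awk
    prints a literal backslash-n; json.dumps() produces that escape for us."""
    lines = [ln.replace("\r", "") for ln in pem_text.splitlines()]
    return "".join(ln + "\n" for ln in lines if ln.strip())


def build_cert_request(key_pem, chain_pem):
    """JSON body for the request that stores the TLS key and chain."""
    body = {
        "privateKeyPem": pem_to_one_line(key_pem),
        "certChainPem": pem_to_one_line(chain_pem),
    }
    return json.dumps(body)


def pem_blocks(pem_text):
    """Return (label, DER bytes) for each PEM block, in file order."""
    out = []
    for label, body in PEM_BLOCK.findall(pem_text):
        out.append((label, base64.b64decode("".join(body.split()))))
    return out


def sha1_thumbprint(der):
    """Format the SHA-1 digest of DER bytes as 'sha1=xx xx ...', the form
    proxyDestinationUrlThumbprints expects."""
    digest = hashlib.sha1(der).hexdigest()
    return "sha1=" + " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def chain_thumbprints(chain_pem):
    """Thumbprint of every CERTIFICATE block; the first is the leaf, which is
    the one to pin for a Horizon server whose certificate clients do not trust."""
    return [sha1_thumbprint(der) for label, der in pem_blocks(chain_pem)
            if label == "CERTIFICATE"]


if __name__ == "__main__":
    print(build_cert_request(SAMPLE_KEY_PEM, SAMPLE_CHAIN_PEM))
    print(chain_thumbprints(SAMPLE_CHAIN_PEM))
```

Run chain_thumbprints() against the Horizon server's actual certificate file to get the value to place in proxyDestinationUrlThumbprints, and compare it against what the server presents before trusting it.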
2 Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST API and configure the protocols and cipher suites. The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance, and ciphers.json is the JSON request you created in the previous step.

These settings are included in the EdgeServiceSettings resource. The URL is

https://access-point-appliance.example.com:9443/rest/v1/config/edgeservice/view

In this URL, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance.
4 Collecting Logs from the Access Point Appliance

You can enter a URL in a browser to get a ZIP file that contains logs from your Access Point appliance. Use the following URL to collect logs from your Access Point appliance.

https://access-point-appliance.example.com:9443/rest/v1/monitor/support-archive

In this example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance.
5 Setting Up Smart Card Authentication

By default, Access Point uses pass-through authentication, so that users enter their Active Directory credentials, and these credentials are sent through to a back-end system for authentication. You can, however, configure the Access Point appliance to perform smart card authentication. With smart card authentication, a user or administrator inserts a smart card into a smart card reader attached to the client computer and enters a PIN.

Generate Access Point SAML Metadata

You must generate SAML metadata on the Access Point appliance and exchange metadata with the Horizon server to establish the mutual trust required for smart card authentication. The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains.
Chapter 5 Setting Up Smart Card Authentication

2 Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST API and generate Access Point metadata. The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance, and ap-metadata.json is the JSON request you created in the previous step.

Procedure

1 In View Administrator, select Configuration > Servers.
2 On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
3 On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.

Option    Description
Disabled  SAML authentication is disabled.
Create a SAML Authenticator on View Connection Server 6.2

For Horizon 6 version 6.2 servers, you must create a manual SAML authenticator in View Connection Server. You copy the SAML metadata generated on Access Point and then use the ADSI Edit utility on the View Connection Server host to edit the View LDAP and paste in the metadata. You also edit the View LDAP to change the expiration period for SAML assertions.

8 Double-click the CN=name object and edit the following attributes.

Attribute            Description
pae-SAMLLabel        Supply a name of the SAML authenticator. This label will appear in View Connection Server, in the View Connection Server authentication settings.
pae-SAMLMetaDataXml  Paste in the SAML metadata that you generated on the Access Point appliance. Make sure the metadata does not contain escape characters before double quotes.

In this example, number-of-days is the number of days that can elapse before a remote View Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.
Obtain the Certificate Authority Certificates

You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the smart cards presented by your users and administrators. These certificates include root certificates and can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

Configure Smart Card Settings on the Access Point Appliance

On the Access Point appliance, you must enable smart card authentication, copy in the certificate, and change the authentication type to smart card authentication.

Prerequisites
- Get the trusted CA issuer certificate that was used to sign the X.509 certificates for the smart cards. See "Obtain the Certificate Authority Certificates," on page 56.

3 Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST API and store the certificate on the Access Point appliance and enable smart card authentication. The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance, and smartcard.json is the JSON request you created in the previous step.
When you use the REST API to get the configuration data for smart card authentication, you see a list of the items you can configure. For example, you can use a GET request with the following URL:

https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth

If you have not changed any configuration settings, the following default settings are returned.

Table 5-1. Smart Card Certificate Properties That You Can Configure (Continued)

Property Name  Description                                                                                                   Valid Values
sendOCSPNonce  Specifies whether to include a nonce in the OCSP request and require that the nonce be included in the response. A nonce is an arbitrary number used only once in a cryptographic communication.   true or false
enabled        (Required) Specifies whether to use smart card certificate authentication. You must change this setting to true.
6 Setting Up Two-Factor Authentication

You can configure an Access Point appliance so that users are required to use RSA SecurID authentication or RADIUS (Remote Authentication Dial-In User Service) authentication. Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication managers, installed on separate servers, you must have those servers configured and accessible to the Access Point appliance.

Procedure

1 After downloading the sdconf.rec file from the RSA Secure Authentication Manager server, use the following commands to change the file format into Base64 and convert that format to a one-line format that can be passed in a JSON string to the Access Point REST API.
  a Use a command such as the Linux base64 command to produce the Base64 encoding format for the sdconf.rec file:

base64 sdconf.rec > sdconfBase64.
Chapter 6 Setting Up Two-Factor Authentication

5 Paste this information into a JSON request for enabling RSA SecurID authentication for the Horizon server and add the authMethods property.

{
  "identifier": "VIEW",
  "enabled": true,
  "proxyDestinationUrl": "https://horizon-server.example.com",
  "proxyDestinationUrlThumbprints": "sha1=40 e6 98 9e a9 d1 bc 6f 86 8c c0 ad b1 ea ff f7 4a 3b 12 8c",
  "authMethods": "securid-auth"
}

This example shows only some of the properties that are common to all edge services.

- nameIdSuffix - Specifies the nameId which enables View to provide the TrueSSO experience. It is empty by default.

The properties shown in the following example are the required properties to configure. You can also change the defaults for the other properties.

{
  "enabled": "true",
  "name": "radius-auth",
  "hostName": "10.10.10.10",
  "hostName_2": "20.20.20.

3

Property        Description
accountingPort  Set this port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in authentication.
Index

A
Access Point overview 7
Access Point documentation 5
admin password for the REST API 32
authentication 49

S
SAML 50, 51
SAML 2.