5.2
Table Of Contents
- VMware Horizon View Architecture Planning
- Contents
- VMware Horizon View Architecture Planning
- Introduction to Horizon View
- Planning a Rich User Experience
- Feature Support Matrix
- Choosing a Display Protocol
- Using View Persona Management to Retain User Data and Settings
- Benefits of Using View Desktops in Local Mode
- Accessing USB Devices Connected to a Local Computer
- Printing from a View Desktop
- Streaming Multimedia to a View Desktop
- Using Single Sign-On for Logging In to a View Desktop
- Using Multiple Monitors with a View Desktop
- Managing Desktop Pools from a Central Location
- Architecture Design Elements and Planning Guidelines
- Virtual Machine Requirements
- Horizon View ESX/ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- View Transfer Server Virtual Machine Configuration and Storage
- vSphere Clusters
- Storage and Bandwidth Requirements
- Horizon View Building Blocks
- Horizon View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting View Desktop Access
- Using Group Policy Settings to Secure View Desktops
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding Horizon View Communications Protocols
- Overview of Steps to Setting Up a Horizon View Environment
- Index
Preparing to Use a Security Server
A security server is a special instance of View Connection Server that runs a subset of View Connection Server
functions. You can use a security server to provide an additional layer of security between the Internet and
your internal network.
A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network.
Each security server is paired with an instance of View Connection Server and forwards all traffic to that
instance. You can pair multiple security servers to a single connection server. This design provides an
additional layer of security by shielding the View Connection Server instance from the public-facing Internet
and by forcing all unprotected session requests through the security server.
A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to
connect with security servers inside the DMZ. You must also configure ports for communication between
security servers and the View Connection Server instances in the internal network. See “Firewall Rules for
DMZ-Based Security Servers,” on page 72 for information on specific ports.
Because users can connect directly with any View Connection Server instance from within their internal
network, you do not need to implement a security server in a LAN-based deployment.
NOTE With VMware View 4.6 and later releases, security servers include a PCoIP Secure Gateway component
so that clients that use the PCoIP display protocol can use a security server rather than a VPN.
For information about setting up VPNs for using PCoIP, see the VPN solution overviews, available in the
Technology Partner Resources section of the Technical Resrouce Center at
http://www.vmware.com/products/view/resources.html.
Best Practices for Security Server Deployments
You should follow best practice security policies and procedures when operating a security server in a DMZ.
The DMZ Virtualization with VMware Infrastructure white paper includes examples of best practices for a
virtualized DMZ. Many of the recommendations in this white paper also apply to a physical DMZ.
To limit the scope of frame broadcasts, the View Connection Server instances that are paired with security
servers should be deployed on an isolated network. This topology can help prevent a malicious user on the
internal network from monitoring communication between the security servers and View Connection Server
instances.
Alternatively, you might be able to use advanced security features on your network switch to prevent malicious
monitoring of security server and View Connection Server communication and to guard against monitoring
attacks such as ARP Cache Poisoning. See the administration documentation for your networking equipment
for more information.
Security Server Topologies
You can implement several different security server topologies.
The topology illustrated in Figure 5-2 shows a high-availability environment that includes two load-balanced
security servers in a DMZ. The security servers communicate with two View Connection Server instances
inside the internal network.
Chapter 5 Planning for Security Features
VMware, Inc. 69