7.0
Table Of Contents
- View Architecture Planning
- Introduction to View
- Planning a Rich User Experience
- Feature Support Matrix for Horizon Agent
- Choosing a Display Protocol
- Using Hosted Applications
- Using View Persona Management to Retain User Data and Settings
- Using USB Devices with Remote Desktops and Applications
- Using the Real-Time Audio-Video Feature for Webcams and Microphones
- Using 3D Graphics Applications
- Streaming Multimedia to a Remote Desktop
- Printing from a Remote Desktop
- Using Single Sign-On for Logging In
- Monitors and Screen Resolution
- Managing Desktop and Application Pools from a Central Location
- Advantages of Desktop Pools
- Advantages of Application Pools
- Reducing and Managing Storage Requirements
- Application Provisioning
- Deploying Individual Applications Using an RDS Host
- Deploying Applications and System Updates with View Composer
- Deploying Applications and System Updates with Instant Clones
- Managing VMware ThinApp Applications in View Administrator
- Deploying and Managing Applications Using App Volumes
- Using Existing Processes or VMware Mirage for Application Provisioning
- Using Active Directory GPOs to Manage Users and Desktops
- Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
- Virtual Machine Requirements for Remote Desktops
- View ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- RDS Host Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- vSphere Clusters
- Storage and Bandwidth Requirements
- View Building Blocks
- View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting Remote Desktop Access
- Using Group Policy Settings to Secure Remote Desktops and Applications
- Using Smart Policies
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding View Communications Protocols
- Overview of Steps to Setting Up a View Environment
- Index
Preparing to Use a Security Server
A security server is a special instance of View Connection Server that runs a subset of View Connection Server functions. You can use a security server to provide an additional layer of security between the Internet and your internal network.

IMPORTANT With Horizon 6 version 6.2 and later releases, you can use Access Point appliances in place of security servers. Access Point appliances are deployed as hardened virtual appliances, which are based on a Linux appliance that has been customized to provide secure access. For more information about Access Point virtual appliances, see Deploying and Configuring Access Point.

A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network. Each security server is paired with an instance of View Connection Server and forwards all traffic to that instance. You can pair multiple security servers to a single connection server. This design provides an additional layer of security by shielding the View Connection Server instance from the public-facing Internet and by forcing all unprotected session requests through the security server.

A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to connect with security servers inside the DMZ. You must also configure ports for communication between security servers and the View Connection Server instances in the internal network. See “Firewall Rules for DMZ-Based Security Servers,” on page 90 for information on specific ports.

Because users can connect directly with any View Connection Server instance from within their internal network, you do not need to implement a security server in a LAN-based deployment.

NOTE Security servers include a PCoIP Secure Gateway component and a Blast Secure Gateway component so that clients that use the PCoIP or Blast Extreme display protocol can use a security server rather than a VPN.

For information about setting up VPNs for using PCoIP, see the VPN solution overviews, available in the Technology Partner Resources section of the Technical Resource Center at http://www.vmware.com/products/view/resources.html.
Best Practices for Security Server Deployments
You should follow best practice security policies and procedures when operating a security server in a DMZ.

The DMZ Virtualization with VMware Infrastructure white paper includes examples of best practices for a virtualized DMZ. Many of the recommendations in this white paper also apply to a physical DMZ.

To limit the scope of frame broadcasts, the View Connection Server instances that are paired with security servers should be deployed on an isolated network. This topology can help prevent a malicious user on the internal network from monitoring communication between the security servers and View Connection Server instances.

Alternatively, you might be able to use advanced security features on your network switch to prevent malicious monitoring of security server and View Connection Server communication and to guard against monitoring attacks such as ARP Cache Poisoning. See the administration documentation for your networking equipment for more information.
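As an added example that is not part of the VMware documentation, the following Python script shows one way a security server administrator can detect the ARP cache poisoning the text warns about: it baselines the MAC address expected for each paired View Connection Server and flags any ARP snapshot that contradicts the baseline or shows one MAC answering for several addresses. The IP addresses, MACs and arp -a snapshots are constructed placeholders, not values from the document.

```python
import re
from collections import defaultdict

# Constructed baseline: the paired View Connection Server instances as the
# security server should see them on the isolated internal segment (placeholders).
EXPECTED_MACS = {
    "10.0.1.20": "00:50:56:aa:00:01",   # View Connection Server 1
    "10.0.1.21": "00:50:56:aa:00:02",   # View Connection Server 2
}

# Matches one line of Linux "arp -a" output, e.g.
# ? (10.0.1.20) at 00:50:56:aa:00:01 [ether] on eth1
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)

def parse_arp(snapshot: str) -> dict:
    """Return {ip: mac} for every resolved entry in an arp -a snapshot."""
    entries = {}
    for line in snapshot.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries

def check_arp_snapshot(snapshot: str) -> list:
    """Flag baseline mismatches and one MAC claiming several IPs (poisoning signs)."""
    seen = parse_arp(snapshot)
    findings = []
    for ip, expected in EXPECTED_MACS.items():
        actual = seen.get(ip)
        if actual is None:
            findings.append(f"{ip}: no ARP entry (peer unreachable or cache flushed)")
        elif actual != expected:
            findings.append(f"{ip}: MAC changed {expected} -> {actual} (possible ARP cache poisoning)")
    by_mac = defaultdict(set)
    for ip, mac in seen.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings

# Constructed snapshots so the check runs offline.
CLEAN = """? (10.0.1.20) at 00:50:56:aa:00:01 [ether] on eth1
? (10.0.1.21) at 00:50:56:aa:00:02 [ether] on eth1
? (10.0.1.1) at 00:50:56:aa:00:fe [ether] on eth1"""

POISONED = """? (10.0.1.20) at 02:11:22:33:44:55 [ether] on eth1
? (10.0.1.21) at 02:11:22:33:44:55 [ether] on eth1
? (10.0.1.1) at 00:50:56:aa:00:fe [ether] on eth1"""
```

Run `check_arp_snapshot` on a periodic arp -a capture from the security server; an empty list means the cache matches the baseline, and any finding should be correlated with switch-side protections such as dynamic ARP inspection.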
Security Server Topologies
You can implement several different security server topologies.

The topology illustrated in Figure 5-2 shows a high-availability environment that includes two load-balanced security servers in a DMZ. The security servers communicate with two View Connection Server instances inside the internal network.
Chapter 5 Planning for Security Features
VMware, Inc. 87