Specifications
An administrator can create folders to subdivide desktop pools and delegate the administration of specific
desktop pools to different administrators in View Administrator. An administrator configures administrator
access to the resources in a folder by assigning a role to a user on that folder. Administrators can only access
the resources that reside in folders for which they have assigned roles. The role that an administrator has on
a folder determines the level of access that the administrator has to the resources in that folder.
View Administrator includes a set of predefined roles. Administrators can also create custom roles by
combining selected privileges.
Preparing to Use a Security Server
A security server is a special instance of View Connection Server that runs a subset of View Connection Server
functions. You can use a security server to provide an additional layer of security between the Internet and
your internal network.
A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network.
Each security server is paired with an instance of View Connection Server and forwards all traffic to that
instance. This design provides an additional layer of security by shielding the View Connection Server instance
from the public-facing Internet and by forcing all unprotected session requests through the security server.
A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to
connect with security servers inside the DMZ. You must also configure ports for communication between
security servers and the View Connection Server instances in the internal network. See “Firewall Rules for
DMZ-Based Security Servers,” on page 60 for information on specific ports.
Because users can connect directly with any View Connection Server instance from within their internal
network, you do not need to implement a security server in a LAN-based deployment.
NOTE As of View 4.6, security servers include a PCoIP Secure Gateway component so that clients that use the
PCoIP display protocol can use a security server rather than a VPN.
For information about setting up VPNs for using PCoIP, see the following solutions overviews, available on
the VMware Web site:
• VMware View and Juniper Networks SA Servers SSL VPN Solution
• VMware View and F5 BIG-IP SSL VPN Solution
• VMware View and Cisco Adaptive Security Appliances (ASA) SSL VPN Solution
Best Practices for Security Server Deployments
You should follow best practice security policies and procedures when operating a security server in a DMZ.
The DMZ Virtualization with VMware Infrastructure white paper includes examples of best practices for a
virtualized DMZ. Many of the recommendations in this white paper also apply to a physical DMZ.
To limit the scope of frame broadcasts, the View Connection Server instances that are paired with security
servers should be deployed on an isolated network. This topology can help prevent a malicious user on the
internal network from monitoring communication between the security servers and View Connection Server
instances.
Alternatively, you might be able to use advanced security features on your network switch to prevent malicious
monitoring of security server and View Connection Server communication and to guard against monitoring
attacks such as ARP Cache Poisoning. See the administration documentation for your networking equipment
for more information.
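Where switch-level protections are not available, a host-side check can still surface ARP cache poisoning on the segment between a security server and its paired View Connection Server. The following is an added example, not part of the VMware documentation: it parses Windows `arp -a` output and flags entries that contradict a pinned IP-to-MAC inventory or that share one MAC address. The addresses, the pinned inventory and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` output captured on a security server in the DMZ.
SAMPLE_ARP = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-56-aa-00-01     dynamic
  192.0.2.20            00-50-56-aa-00-99     dynamic
  192.0.2.30            00-50-56-aa-00-99     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

# Assumed inventory: gateway and the paired View Connection Server (192.0.2.20).
PINNED = {"192.0.2.1": "00-50-56-aa-00-01", "192.0.2.20": "00-50-56-aa-00-14"}

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return (ip, mac, type) tuples from `arp -a` output; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def find_anomalies(entries, pinned):
    """Flag pinned hosts answering from an unexpected MAC, and MACs claimed by several IPs."""
    findings = []
    by_mac = defaultdict(set)
    for ip, mac, _kind in entries:
        # Broadcast and IPv4 multicast MACs are shared by design; ignore them.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].add(ip)
        expected = pinned.get(ip)
        if expected and expected.lower() != mac:
            findings.append(("pinned-mismatch", ip, mac))
    # One MAC answering for several IPs is typical of poisoning, but can also
    # be a proxy-ARP router or multi-homed host, so treat it as a lead to verify.
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp(SAMPLE_ARP), PINNED):
        print(finding)
```
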
Chapter 5 Planning for Security Features
VMware, Inc. 57