VMware Horizon 7 Security Server

Last Modified: Sep 17, 2016 @ 2:58 pm



Security Servers are intended to be deployed in the DMZ.

Horizon View Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Access Point.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If there are two Security Servers and you intend to load balance them, create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Note: your load balancer might be able to provide persistence across multiple port numbers and thus there’s no need for the server-specific public IPs. For example, in NetScaler this is called Persistency Groups.

Firewall Rules for View Connection Server at pubs.vmware.com.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast Extreme)

Open these ports from the Security Servers to internal:

  • If IPsec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP (UDP 500) and ESP (IP protocol 50). If there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500) instead. Configuring a Back-End Firewall to Support IPsec at pubs.vmware.com.
  • TCP 8009 (AJP13) to the paired internal Horizon 6 Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon 6 Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon View Agents.
  • TCP 9427 (MMR) to all internal Horizon View Agents.
  • TCP 4002 (JMS with Enhanced Message Security) to the paired internal Connection Server – Change the JMS Message Security Mode to Enhanced at pubs.vmware.com

Pairing Password

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands and click Specify Security Server Pairing Password.
  4. Enter a password and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon Security Server.
  3. Go to the downloaded Horizon 7 Connection Server installer and run VMware-viewconnectionserver-x86_64-7.0.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 7 Security Server and click Next.
  8. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  9. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier and click Next.
  10. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL (HTTPS Secure Tunnel) is an FQDN, the middle URL (PCoIP External URL) is an IP address, and the bottom URL (Blast External URL) is an FQDN with port 8443. These can be changed later. Click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
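The firewall list above and step 8 of the install both depend on the Security Server being able to resolve and reach the paired Connection Server and the agents on the back-end ports. The following PowerShell pre-flight check is an added example, not part of the original article: run it on the Security Server before installing (or after a firewall change) and it reports which back-end TCP ports are blocked. The host names are assumed placeholders. It only exercises the TCP side; UDP 4172 and UDP 22443 cannot be confirmed with Test-NetConnection and must be verified on the firewall itself. Test-NetConnection -Port requires Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added pre-flight check (not from the original article). Host names are assumed.
$PairedConnectionServer = 'view-cs01.corp.example'        # assumed name
$SampleAgents           = @('vdi-w10-001.corp.example')   # assumed names

# Back-end TCP ports from the firewall list: Security Server -> paired Connection Server
$BrokerPorts = @{
    8009 = 'AJP13 (secure tunnel to paired Connection Server)'
    4001 = 'JMS'
    4002 = 'JMS (Enhanced Message Security)'
}
# Back-end TCP ports from the firewall list: Security Server -> Horizon Agents
$AgentPorts = @{
    4172  = 'PCoIP (TCP side only; UDP 4172 must be checked on the firewall)'
    22443 = 'Blast (TCP side only; UDP 22443 must be checked on the firewall)'
    32111 = 'USB redirection'
    9427  = 'MMR'
}

function Test-HorizonPort {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $Target
        Port    = $Port
        Purpose = $Purpose
        Open    = $r.TcpTestSucceeded
    }
}

# Install step 8 requires the paired server name to resolve (HOSTS file if the DMZ
# has no internal DNS). Fail early if it does not.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($PairedConnectionServer)
    Write-Host "$PairedConnectionServer resolves to $($resolved.IPAddressToString -join ', ')"
} catch {
    Write-Warning "$PairedConnectionServer does not resolve; add it to the HOSTS file before installing."
}

$results = @()
foreach ($p in $BrokerPorts.Keys) {
    $results += Test-HorizonPort -Target $PairedConnectionServer -Port $p -Purpose $BrokerPorts[$p]
}
foreach ($agent in $SampleAgents) {
    foreach ($p in $AgentPorts.Keys) {
        $results += Test-HorizonPort -Target $agent -Port $p -Purpose $AgentPorts[$p]
    }
}

$results | Format-Table -AutoSize
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { Write-Warning "$($closed.Count) required TCP port(s) are blocked; see the table above." }
```

Add one agent per desktop VLAN to $SampleAgents; a rule that only covers the first VLAN is a common reason why some pools work through the Security Server and others do not.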


Security Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine. Or run certlm.msc.
  2. Request a new certificate with a common name that matches the FQDN of the HTTPS Secure Tunnel URL, or import a wildcard certificate. If using a load balancer, the FQDN must match the load balancer FQDN, not the Security Server FQDN.
  3. The private key must be exportable. Either click Details in the request wizard and mark the key as exportable, or use IIS to create the certificate request.
  4. After creating the certificate, try exporting it. If the option to export the private key is grayed out, this certificate will not work.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  9. Then restart the VMware Horizon 7 Security Server service.
  10. If the VMware Horizon View Security Gateway Component won’t start, the most likely cause is that your certificate’s private key is not exportable. Request the certificate again with an exportable key.
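The same procedure from PowerShell, as an added example rather than the article’s own steps: it picks the CA-issued certificate for the tunnel FQDN (or a matching wildcard), proves the private key is exportable by attempting a PFX export before touching anything, makes it the only certificate in the store with the friendly name vdm, and restarts the Security Server service. $ExternalFqdn is an assumed value; use the HTTPS Secure Tunnel FQDN, or the load balancer FQDN when load balancing. Run it in an elevated PowerShell on the Security Server.

```powershell
# Added example (not from the original article). $ExternalFqdn is assumed.
$ExternalFqdn = 'view.example.com'
$Store = 'Cert:\LocalMachine\My'

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # A PFX export throws a CryptographicException when the key was generated
        # as non-exportable; that is exactly the case the Security Gateway rejects.
        $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        [void]$Cert.Export($pfxType, 'throwaway-password')
        return $true
    } catch {
        return $false
    }
}

# Exact CN match first, otherwise a wildcard for the parent domain.
$domain = $ExternalFqdn.Substring($ExternalFqdn.IndexOf('.') + 1)
$candidates = Get-ChildItem $Store | Where-Object {
    $_.HasPrivateKey -and
    ($_.Subject -match "CN=$([regex]::Escape($ExternalFqdn))(,|$)" -or
     $_.Subject -match "CN=\*\.$([regex]::Escape($domain))(,|$)") -and
    $_.Issuer -ne $_.Subject        # skip the self-signed certificate the installer created
}
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No CA-issued certificate for $ExternalFqdn found in $Store." }
if (-not (Test-PrivateKeyExportable $cert)) {
    throw "Private key of $($cert.Thumbprint) is not exportable; request the certificate again with an exportable key."
}

# Only one certificate may carry the friendly name vdm: clear it from every other
# certificate (including the self-signed one) before assigning it.
Get-ChildItem $Store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object { $_.FriendlyName = '' }

# Setting FriendlyName on a certificate object enumerated from the Cert: drive
# persists the change to the store.
$cert.FriendlyName = 'vdm'
Write-Host "Set friendly name vdm on $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

Get-Service -DisplayName 'VMware Horizon*Security Server' | Restart-Service -Force
```

After the restart, confirm the Security Gateway Component service is running and that a browser hitting the tunnel URL presents the new certificate (check the thumbprint, not just the subject, because the old self-signed certificate has the same host name).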

Global Accepted Ciphers

VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products: The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all Horizon Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any Horizon Connection Server instance.

For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide. Note that although these links point to the 6.2 version of the guide, the topics are the same as those in the 5.2/5.3 and 6.0 versions of the guide.

  • Change the pae-ClientSSLSecureProtocols attribute and the pae-ServerSSLSecureProtocols attribute as follows:
    pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
    pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

    This setting enables TLSv1.2 by default, to make use of the new cipher suites you will be adding when you set the next attributes.

  • Change the pae-ClientSSLCipherSuites attribute and the pae-ServerSSLCipherSuites attribute as follows:
    pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.

Also note that the last cipher suite shown in the list, SSL_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.

To add 256-bit versions of the cipher suites, follow the instructions in the topic JCE Policy Files to Support High-Strength Cipher Suites in the View Security guide.
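The View LDAP edit the KB describes can be scripted instead of done by hand in ADSI Edit. The block below is an added example, not the article’s or VMware’s code: it binds to View LDAP on a Connection Server, prints the four policy attributes before and after, and sets the protocol lists to the value quoted above. The DN is the object the VMware topic Change the Global Acceptance and Proposal Policies points to; confirm it in ADSI Edit (localhost:389) before running. $CipherSuites is deliberately left empty because the full list is not reproduced on this page: paste it from the KB on one line with no spaces after the commas, or leave it empty to change only the protocol lists. Run as a member of the View Administrators group; the change replicates to the other Connection Servers and to paired Security Servers.

```powershell
# Added example (not from the original article or the VMware KB).
# Assumed: View LDAP DN below, localhost:389 on a Connection Server.
$Dn           = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$Protocols    = '\LIST:TLSv1.2,TLSv1.1,TLSv1'    # no SSLv3: that is the point of the change
$CipherSuites = ''                                # paste the KB 2121183 list here, one line, no spaces

$common = [ADSI]"LDAP://localhost:389/$Dn"

function Show-SslPolicy {
    param([string]$Label)
    Write-Host "--- $Label ---"
    foreach ($attr in 'pae-ClientSSLSecureProtocols', 'pae-ServerSSLSecureProtocols',
                      'pae-ClientSSLCipherSuites',    'pae-ServerSSLCipherSuites') {
        $value = $common.Properties[$attr].Value
        if (-not $value) { $value = '(not set: built-in default applies)' }
        Write-Host ('{0,-30} {1}' -f $attr, $value)
    }
}

Show-SslPolicy 'Before'

# pae-Server* is the acceptance policy (connections the server accepts);
# pae-Client* is the proposal policy (connections it initiates, e.g. to the
# paired Connection Server). The KB sets both to the same list.
$common.Put('pae-ClientSSLSecureProtocols', $Protocols)
$common.Put('pae-ServerSSLSecureProtocols', $Protocols)
if ($CipherSuites) {
    $common.Put('pae-ClientSSLCipherSuites', $CipherSuites)
    $common.Put('pae-ServerSSLCipherSuites', $CipherSuites)
}
$common.SetInfo()

$common.RefreshCache()
Show-SslPolicy 'After'
Write-Host 'Restart the Horizon Connection Server and Security Server services so the new policy is picked up.'
```

Keep TLSv1 in the list only for as long as you have clients that need it; once the Horizon Clients are current, drop it and re-run the script so the acceptance policy is TLSv1.2 (and TLSv1.1 if required) only.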

SSL Ciphers – Horizon Security Server

This probably only applies to Horizon 6 and older. Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

If this Horizon Security Server is publicly accessible, check it at ssllabs.com.

Disable RC4 – Blast Secure Gateway

VMware 2122359 Disable RC4 on Blast Secure Gateway: RC4 is already disabled in Horizon 6.2 and newer. Follow this procedure for older versions of Horizon View.

  1. Run an elevated text editor and open the file C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-config.js.
  2. Scroll down to line 111 and change :RC4: to :!RC4:.

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server that is paired with the Security Server and click Edit. Note: you can’t configure this directly on the Horizon 6 Security Server and instead must configure it on the paired Horizon 6 Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to desktop. Also, make sure Secure Tunnel and Blast Secure Gateway are enabled. Click OK.


8 thoughts on “VMware Horizon 7 Security Server”

  1. I’m having an issue connecting from the outside. I set up 2-factor with our RADIUS server. I get the prompt for our token and it takes it, but it just spins at Authenticating after I enter my domain login. I have ports 1812 and 1813 open, but I’m not sure if there is another port I need to open. I can log in internally with no issues.

    1. Does it work through Security Server without RADIUS configured?

      RADIUS is enabled on the paired Connection Server. Does it work when pointing the client to the paired server?

      What Horizon Client version?

  2. Carl,
    just a question.
    We configured two security servers in DMZ paired with two dedicated connection servers.
    Everything works with the Horizon View client installed on a PC and via the web client, but using the iPad/Android app it always goes to timeout.
    We configured a load balancer following your guide and it’s working too; only the mobile client goes to timeout.
    Any ideas?


    1. I came across a similar situation where I use the Blast Extreme protocol on my Android phone and I always got a timeout.

      In the Security Server settings, make sure your Blast External URL matches your external FQDN/IP address, and change port 8443 to the custom port if port forwarding is configured at the firewall.

      Horizon Mobile Client address: https://vdi.abc.com

      Then your Blast External URL will be: https://vdi.abc.com:8443 (If custom port for 8443 is configured at firewall, just change the port number)

      Same if IP Address is used instead of FQDN.

      In my case, I used an IP address.

    1. 8443 should only be used if you are connecting through a browser. Do you have the same issue with Horizon Client?

      You can also use procmon on the client to verify the ports that are being used. If TCP, netstat will show you the connection. If UDP, then netstat won’t help you.

  3. How can I use the Blast Extreme protocol? I heard it uses only port 443. This simplifies access and allows users to access it in many locations where ports 8443 and 8172 are blocked. I did not see anywhere to select this protocol. I saw only Blast, and it needs port 8443.

    In most places only port 443 is opened, and there is no way you can access View desktops. Any solution for this?

    1. Are you using Horizon 7? Edit your pool and set Blast as the protocol. It defaults to TCP 443 but you can use a GPO to enable UDP 443.
