VMware Horizon 7.1.0 Security Server

Last Modified: Mar 23, 2017 @ 5:58 pm


💡 = Recently Updated


Security Servers are intended to be deployed in the DMZ.

Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway (formerly known as Access Point). Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Pubs.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If your load balancer (e.g. NetScaler, F5) is able to provide persistence across multiple port numbers, then you only need one public IP. For example, in NetScaler, this is called Persistency Groups.

If your load balancer doesn’t support persistence across multiple port numbers, then create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.


Firewall Rules for View Connection Server at VMware Pubs.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at VMware Pubs.
  • TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
  • TCP 9427 (MMR) to all internal Horizon Agents.
  • TCP 4002 for Enhanced Messaged Security – Change the JMS Message Security Mode to Enhanced at pubs.vmware.com

Pairing Password

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
  4. Enter a temporary password, and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon Security Server.
  3. Go to the downloaded Horizon 7 Connection Server, and run VMware-viewconnectionserver-x86_64-7.1.0.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 7 Security Server, and click Next.
  8. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  9. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
  10. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN, while the middle URL is an IP address. These can be changed later. Click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.


Security Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon 7 Security Server service.

Global Accepted Ciphers

VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products: The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all Horizon Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any Horizon Connection Server instance.

For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide.

SSL Ciphers – Horizon Security Server

This probably only applies to Horizon 6 and older. Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

If this Horizon Security Server is publicly accessible, check it at ssllabs.com.

Disable RC4 – Blast Secure Gateway

VMware 2122359 Disable RC4 on Blast Secure Gateway: RC4 is already disabled in Horizon 6.2 and newer. Follow this procedure for older versions of Horizon View.

  1. Run an elevated text editor and open the file C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-config.js.
  2. Scroll down to line 111 and change :RC4: to :!RC4:.

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server that is paired with the Security Server and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.

Related Pages

8 thoughts on “VMware Horizon 7.1.0 Security Server”

  1. I’m having an issue connecting from the outside, I set up 2 factor with our Radius Server. I get the prompt for our token and it takes it, but it just spins at Authenticating after i enter my Domain login. I have ports 1812 and 1813 open but im not sure if their is another port i need to open. I can login internally with no issues.

    1. Does it work through Security Server without RADIUS configured?

      RADIUS is enabled on the paired Connection Server. Does it work when pointing the client to the paired server?

      What Horizon Client version?

  2. Carl,
    just a question.
    We configured two security servers in DMZ paired with two dedicated connection servers.
    Everything works with horizon View client installed on a pc and by webclient but using ipad/android app always go to timeout.
    We configured a load balancer following your guide and it’s working too, only mobile client go to timeout.
    Any ideas?


    1. I came across similar situation where I use Blast Extreme protocol on my android phone and i always got timeout.

      At security server settings, make sure your Blast External URL matches your external FQDN/IP address and change the port 8443 to custom port if port forwarding is configured at firewall.

      Horizon Mobile Client address: https://vdi.abc.com

      Then your Blast External URL will be: https://vdi.abc.com:8443 (If custom port for 8443 is configured at firewall, just change the port number)

      Same if IP Address is used instead of FQDN.

      in my case, I used ip address.

    1. 8443 should only be used if you are connecting through a browser. Do you have the same issue with Horizon Client?

      You can also use procmon on the client to verify the ports that are being used. If TCP, netstat will show you the connection. If UDP, then netstat won’t help you.

  3. How can I use Blast Extreme protocol? I heard its uses only port 443 .This simplifies access and allows users to access it in many locations where ports 8443 and 8172 are blocked. I did not see any where to select this protocol. I saw only Blast and it needs port 8443 .

    most places only port 443 is opened and no way you can access view desktops . any Solution for this?

    1. Are you using Horizon 7? Edit your pool and set Blast as the protocol. It defaults to TCP 443 but you can use a GPO to enable UDP 443.

Leave a Reply