VMware Horizon 7.8 Security Server

Last Modified: Mar 16, 2019 @ 11:05 am


This post applies to all VMware Horizon versions 7.0 and newer, including 7.5.2 (ESB), and 7.8.

💡 = Recently Updated

Security Servers are intended to be deployed in the DMZ.

Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway (formerly known as Access Point). Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If your load balancer (e.g. NetScaler ADC, F5) is able to provide persistence across multiple port numbers, then you only need one public IP. For example, in NetScaler, this is called Persistency Groups.

If your load balancer doesn’t support persistence across multiple port numbers, then create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Firewall Rules for View Connection Server at VMware Docs.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at VMware Docs.
  • TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
  • TCP 9427 (MMR) to all internal Horizon Agents.
  • TCP 4002 for Enhanced Message Security – Change the JMS Message Security Mode to Enhanced at VMware Docs
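As an added check (not part of the original post), the following PowerShell, run on the Security Server, tests the outbound TCP rules listed above against the paired Connection Server and the Horizon Agents. The host names are placeholders; the UDP rules (4172, 22443, IPsec) are not covered because Test-NetConnection only probes TCP.

```powershell
# Added example, not from the original post. Replace the placeholder names with
# your paired Connection Server and a sample of your Horizon Agent VMs.
$PairedConnectionServer = 'cs01.corp.example'          # placeholder
$AgentHosts = @('vdi-agent01.corp.example')            # placeholder list

# Build the expected rule set from the port list above (TCP side only)
$rules = @(
    @{ Target = $PairedConnectionServer; Port = 8009; Purpose = 'AJP13 to paired Connection Server' }
    @{ Target = $PairedConnectionServer; Port = 4001; Purpose = 'JMS to paired Connection Server' }
    @{ Target = $PairedConnectionServer; Port = 4002; Purpose = 'JMS Enhanced Message Security' }
)
foreach ($agent in $AgentHosts) {
    $rules += @{ Target = $agent; Port = 4172;  Purpose = 'PCoIP to Horizon Agent (TCP side)' }
    $rules += @{ Target = $agent; Port = 32111; Purpose = 'USB redirection to Horizon Agent' }
    $rules += @{ Target = $agent; Port = 22443; Purpose = 'HTML Blast to Horizon Agent (TCP side)' }
    $rules += @{ Target = $agent; Port = 9427;  Purpose = 'MMR to Horizon Agent' }
}

# Probe each rule; TcpTestSucceeded is $false when the back-end firewall blocks it
$results = foreach ($rule in $rules) {
    $probe = Test-NetConnection -ComputerName $rule.Target -Port $rule.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $rule.Target
        Port    = $rule.Port
        Purpose = $rule.Purpose
        Open    = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Summarise what still needs a firewall change
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) required TCP port(s) are not reachable from this Security Server."
}
```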

Pairing Password

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
  4. Enter a temporary password, and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported for the Horizon Security Server 7.8 and newer.
  3. Login to the Horizon Security Server.
  4. Download Horizon 7.8.0 View Connection Server or Horizon 7.5.2 View Connection Server (ESB).
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.8.0.exe or VMware-viewconnectionserver-x86_64-7.5.2.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Security Server, and click Next.
  10. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  11. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
  12. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN, while the middle URL is an IP address. These can be changed later. Click Next.
  13. In the Firewall Configuration page, click Next.
  14. In the Ready to Install the Program page, click Install.
  15. In the Installer Completed page, click Finish.


Security Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon 7 Security Server service.
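The certificate steps above can be verified from PowerShell before restarting the service. This is an added example, not from the original post: it audits Cert:\LocalMachine\My for exactly one certificate with the friendly name vdm, confirms that it is CA-signed rather than the self-signed installer certificate, that its private key exists and is exportable, and that its subject or SAN covers the public FQDN. The FQDN is an assumed placeholder.

```powershell
# Added example, not from the original post. Audits the Local Machine store against
# the Security Server certificate rules above. $PublicFqdn is a placeholder.
function Test-HorizonVdmCertificate {
    param([string]$PublicFqdn = 'view.example.com')   # placeholder: your external FQDN

    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    # Rule: only one certificate may carry the friendly name "vdm"
    $vdm = @($store | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -ne 1) {
        Write-Warning "Expected exactly one 'vdm' certificate, found $($vdm.Count)."
        return $null
    }
    $cert = $vdm[0]

    # The installer's self-signed certificate has Issuer equal to Subject
    $selfSigned = ($cert.Issuer -eq $cert.Subject)

    # A private key must be present and exportable; a certificate imported without
    # its key is the cause discussed in the comments below
    $exportable = $false
    if ($cert.HasPrivateKey) {
        try {
            # PFX export throws unless the private key was marked exportable
            $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
            $null = $cert.Export($pfxType, 'probe-only')
            $exportable = $true
        } catch { $exportable = $false }
    }

    # Names the certificate is valid for: subject CN plus SAN DNS entries (wildcards allowed)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output looks like "DNS Name=a.example.com, DNS Name=*.example.com"
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
    $nameMatches = [bool]($names | Where-Object { $PublicFqdn -like $_ })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = $selfSigned            # must be $false
        HasPrivateKey = $cert.HasPrivateKey    # must be $true
        KeyExportable = $exportable            # must be $true
        MatchesFqdn   = $nameMatches           # must be $true
        NotExpired    = ($cert.NotAfter -gt (Get-Date))
        Ok            = (-not $selfSigned) -and $exportable -and $nameMatches
    }
}
Test-HorizonVdmCertificate -PublicFqdn 'view.example.com' | Format-List
```

If Ok is $false, fix the reported property and re-run before restarting the VMware Horizon 7 Security Server service.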

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Right-click the Connection Server that is paired with the Security Server, and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.


20 thoughts on “VMware Horizon 7.8 Security Server”

  1. Carl,
    Thanks for a very helpful article! I do have one question on the certificate portion of this:

    We purchased a GeoTrust wildcard certificate for our domain. As such, I did not go through the export portion of the certificate process that you outlined above (steps 1-6, notably the portions where you described how to make the private key exportable, then exported the certificate).

    I did update the friendly name of the self-signed certificate by setting it to blank, then imported my GeoTrust certificate in to the same Personal->Certificates store, and set its friend name to vdm, and restarted the services.

    However, when I then tried to access the server, I got an SSL error stating “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”, along with a message that the site couldn’t provide a secure connection.

    Any idea on what I might have done wrong, or any procedure changes that apply when using an existing wildcard certificate?

    I set the friendly names back to their original settings and restarted the service, which allows me access to the security server again (with an invalid cert message). I’m no expert on certificates, so if I’ve made some basic mistake with this process, I won’t be terribly surprised…

    Thanks in advance for any assistance you’re willing to provide.

    1. Does your GeoTrust certificate have a private key? If you double-click it, on the first tab, on the bottom, there should be a message that there’s a private key.

      1. Carl,
        Thanks for following up on this. Looks like my default certificate did not have a private key. I’m going to refresh it with one that does include a private key. However, when I start that process (right click Certificates + All tasks + Request New Certificate), the first thing that pops up is the process that creates a new Certificate Enrollment Policy. That process prompts me for an Enrollment Policy Server URI. As the Horizon Security Server is not currently part of an A/D forest, does that mean that I need to install the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service on this machine?

        If these topics are extraneous, I do apologize. My experiences with SSL certificates is pretty limited.

        Thanks again!

        1. You should be able to go to any IIS Server, run IIS Console, click the server, in the middle click Server Certificates and create a CSR. After you get the CSR signed, complete it in IIS, export the certificate from IIS, and then import to your Connection Servers.

  2. I noticed this error “The service has minor issue.The PCOIP Secure Gateway is not working properly” in the dashboard for 1 Connection Server which is paired with a Security Server. Another Connection Server, which is not paired, is working fine. Disabling PCOIP tunneling in the Connection Server settings has been a workaround. However, it is recommended to keep PCOIP tunneling checked. Any insight on this?

    1. Was a resolution for this found? I have the same on 2 new connection servers.

      Version: 7.6.0
      Status: The service has minor issue.The PCOIP Secure Gateway is not working properly.

  3. Hi Carl,
    I am in need of some help here. Security server and Connection server are in place, certificates are installed, access to virtual desktops from within the network is fine, and users connect to virtual desktops using the Horizon client and Connectionserver.domain.com as the address.
    There is a need to provide external access as well, i.e., from the internet. The subdomain is available and configured, the public IP is configured and the firewall is in place.
    The front end firewall NATs the traffic to the DMZ network (192.168.2.x) where the security server is located; the same firewall NATs the traffic again to the Production network (10.10.10.x) where the connection server is located.
    I can see traffic on the firewall coming to the security server on port 443 TCP, and from the security server to the connection server on 8009 and 4002, but there is no traffic logged from the connection server to the security server.

    User experience: open the Horizon client, enter the URL view.domain.com, the user is prompted to provide credentials; upon providing credentials the error message immediately pops up: “You are not Entitled to use the system”. The same user can access from within the network.

    1. Apart from Desktop Pool Entitlements, you have to add the users under “Remote Access” tab found in “Users and Groups” section (left navigation menu). These are the users whom you want to be able to access desktops over internet or VPN.

  4. I’m having an issue connecting from the outside. I set up 2 factor with our RADIUS server. I get the prompt for our token and it takes it, but it just spins at Authenticating after I enter my domain login. I have ports 1812 and 1813 open but I’m not sure if there is another port I need to open. I can login internally with no issues.

    1. Does it work through Security Server without RADIUS configured?

      RADIUS is enabled on the paired Connection Server. Does it work when pointing the client to the paired server?

      What Horizon Client version?

  5. Carl,
    Just a question.
    We configured two security servers in the DMZ paired with two dedicated connection servers.
    Everything works with the Horizon View client installed on a PC and via the web client, but using the iPad/Android app it always goes to timeout.
    We configured a load balancer following your guide and it’s working too; only the mobile client goes to timeout.
    Any ideas?


    1. I came across a similar situation where I use the Blast Extreme protocol on my Android phone and I always got a timeout.

      In the security server settings, make sure your Blast External URL matches your external FQDN/IP address, and change port 8443 to the custom port if port forwarding is configured at the firewall.

      Horizon Mobile Client address: https://vdi.abc.com

      Then your Blast External URL will be: https://vdi.abc.com:8443 (If custom port for 8443 is configured at firewall, just change the port number)

      Same if IP Address is used instead of FQDN.

      In my case, I used an IP address.

    1. 8443 should only be used if you are connecting through a browser. Do you have the same issue with Horizon Client?

      You can also use procmon on the client to verify the ports that are being used. If TCP, netstat will show you the connection. If UDP, then netstat won’t help you.

  6. How can I use the Blast Extreme protocol? I heard it uses only port 443. This simplifies access and allows users to access it in many locations where ports 8443 and 8172 are blocked. I did not see anywhere to select this protocol. I saw only Blast, and it needs port 8443.

    In most places only port 443 is opened, and there is no way you can access View desktops. Any solution for this?

    1. Are you using Horizon 7? Edit your pool and set Blast as the protocol. It defaults to TCP 443 but you can use a GPO to enable UDP 443.
