This post applies to all VMware Horizon versions 7.0 and newer, including 7.5.2 (ESB), 7.10 (ESB), and 7.11.
- Change Log
- Install – Horizon Security Server
- Security Server Certificate
- Load Balancing
- Enable PCoIP Secure Gateway
💡 = Recently Updated
- 2019 Dec 14 – Updated Install section for Horizon Security Server 7.11.0.
- 2019 Sep 17 – Updated Install section for Horizon Security Server 7.10.0 (ESB).
- 2019 Jul 3 – Updated Install section for Horizon Security Server 7.9.0.
- 2019 Mar 8 – Updated Install section for Horizon Security Server 7.5.2 (ESB).
- 2018 Dec 15 – Updated Install section for Horizon Security Server 7.7.0.
- 2018 Sep 8 – Updated Install section for Horizon Security Server 7.6.0.
- 2018 July 21 – Updated Install section for Horizon Security Server 7.5.1 (ESB).
- 2018 June 5 – Updated Install section for Horizon Security Server 7.5 (ESB).
- 2018 Jan 5 – Updated Install section for Horizon Security Server 7.4.
Security Servers are intended to be deployed in the DMZ.
Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway (formerly known as Access Point). Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.
Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371
If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.
If your load balancer (e.g. NetScaler ADC, F5) can persist a client across multiple port numbers, then you only need one public IP. The reason persistence matters is that a client first authenticates on TCP 443 and is then told to open its PCoIP (4172) or Blast (8443) tunnel, and that tunnel must land on the same Security Server that authenticated it. In NetScaler, this is called Persistency Groups.
If your load balancer doesn't support persistence across multiple port numbers, then create three public IPs (one for the load balancer and one per Security Server, assuming two Security Servers):
- Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
- Public IP NAT’d to each of the Security Servers. Each Security Server must be reachable directly from the Internet, because after authentication the client is redirected to that Security Server’s own PCoIP External URL and Blast External URL. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these per-server public DNS names (and the server’s own public IP for PCoIP), not the load balanced DNS name.
Firewall Rules for View Connection Server at VMware Docs.
Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:
- TCP 80
- TCP and UDP 443
- TCP and UDP 4172. UDP 4172 must be opened in both directions.
- TCP and UDP 8443 (for Blast)
Open these ports from the Security Servers to internal:
- If IPsec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP (UDP 500) and ESP (IP protocol 50). If there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500) as well, since ESP does not survive NAT and is carried inside UDP 4500 instead. Configuring a Back-End Firewall to Support IPsec at VMware Docs.
- TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
- TCP 4001 (JMS) to the paired internal Horizon Connection Server.
- TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
- TCP 32111 (USB Redirection) to all internal Horizon Agents.
- TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
- TCP 9427 (MMR) to all internal Horizon Agents.
- TCP 4002 (JMS over SSL) to the paired internal Horizon Connection Server, required when the JMS message security mode is Enhanced – Change the JMS Message Security Mode to Enhanced at VMware Docs
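As an added example that is not part of the original post, the following script probes the TCP half of the port list above from the Security Server itself. The paired Connection Server name and the agent IP addresses are placeholders; substitute your own. It is TCP only: UDP 4172 (PCoIP) and UDP 22443 (Blast) cannot be checked with a plain socket connect, so confirm those from the firewall logs or a packet capture.

```powershell
# Added example, not from the original post. Run ON the Security Server in the DMZ.
# $PairedConnectionServer and $SampleAgents are assumed values; the Connection
# Server name must resolve from the DMZ (HOSTS file), and the sample agents
# should be powered-on desktops with Horizon Agent running, otherwise 32111,
# 22443 and 9427 show as closed even when the firewall allows them.

$PairedConnectionServer = 'cs1.corp.example'               # assumed
$SampleAgents           = @('10.10.20.11', '10.10.20.12')  # assumed

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Connect with a timeout so a silently dropped SYN does not stall the run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Port matrix taken from the list above (TCP side only).
$required = @(
    @{ Target = $PairedConnectionServer; Port = 8009; Purpose = 'AJP13 to paired Connection Server' }
    @{ Target = $PairedConnectionServer; Port = 4001; Purpose = 'JMS to paired Connection Server' }
    @{ Target = $PairedConnectionServer; Port = 4002; Purpose = 'JMS SSL, only when message security is Enhanced' }
)
foreach ($agent in $SampleAgents) {
    $required += @{ Target = $agent; Port = 4172;  Purpose = 'PCoIP (UDP 4172 also required)' }
    $required += @{ Target = $agent; Port = 32111; Purpose = 'USB redirection' }
    $required += @{ Target = $agent; Port = 22443; Purpose = 'Blast (UDP 22443 also required)' }
    $required += @{ Target = $agent; Port = 9427;  Purpose = 'MMR' }
}

$report = foreach ($r in $required) {
    [pscustomobject]@{
        Target  = $r.Target
        Port    = $r.Port
        Open    = Test-TcpPort -ComputerName $r.Target -Port $r.Port
        Purpose = $r.Purpose
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning "Blocked or not listening: $($_.Target):$($_.Port) ($($_.Purpose))"
}
```

A closed result for 8009 or 4001 before the install will make the pairing step of the installer fail, so run this first. A closed 4002 is only a problem if the JMS message security mode is Enhanced.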
Horizon Console (the HTML5 console) does not support Security Servers, so the pairing password below has to be set in the Flash-based Horizon Administrator. That console won’t work for much longer, so take it as a clue that you should deploy Unified Access Gateways to replace your Security Servers.
- In Horizon Administrator, on the left, expand View Configuration, and click Servers.
- On the right, switch to the Connection Servers tab.
- Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
- Enter a temporary password, leave the Password timeout at its default (30 minutes) unless the install will take longer, and click OK. The password is consumed once, during the Security Server install; if it expires before then, set it again.
Install – Security Server
- Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
- Windows Server 2019 is supported for the Horizon Security Server 7.8 and newer.
- Login to the Horizon Security Server.
- Download Horizon 7.11.0 View Connection Server, Horizon 7.10.0 View Connection Server (ESB), or Horizon 7.5.2 View Connection Server (ESB).
- If you are upgrading an existing Security Server, then you must prepare it for upgrade:
- In Horizon Administrator (Flash/Flex console), on the left, expand View Configuration, and click Servers.
- On the right, switch to the tab named Security Servers.
- Highlight the Security Server, then click the menu named More Commands and click Prepare for Upgrade or Reinstallation.
- Click OK to remove the IPSec rules.
- On the Security Server, run the downloaded VMware-Horizon-Connection-Server-x86_64-7.11.0.exe, VMware-Horizon-Connection-Server-x86_64-7.10.0.exe or VMware-viewconnectionserver-x86_64-7.5.2.exe.
- In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
- In the License Agreement page, select I accept the terms, and click Next.
- In the Destination Folder page, click Next.
- In the Installation Options page, select Horizon 7 Security Server, and click Next.
- In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. A DMZ host usually cannot query internal DNS, so if you enter a hostname, add it to the local HOSTS file so it resolves to the correct internal IP. TCP 8009 and 4001 from the Security Server to that Connection Server must already be open, because the pairing happens during the install. Click Next.
- In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
- In the Horizon 7 Security Server Configuration page, edit the three URLs as appropriate: External URL (https://fqdn:443), PCoIP External URL (public IP address:4172; this one must be an IP address, not a name), and Blast External URL (https://fqdn:8443). These are the addresses Horizon Clients on the Internet are told to connect to after authenticating, so they must be externally reachable and, in the multiple-public-IP layout described earlier, must be this Security Server’s own public name and IP rather than the load balanced ones. They can be changed later in Horizon Administrator. Click Next.
- In the Firewall Configuration page, click Next.
- In the Ready to Install the Program page, click Install.
- In the Installer Completed page, click Finish.
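The wizard steps above can also be run unattended. The following is an added example, not the original post’s or VMware’s own script. The host names, IP addresses, installer path and pairing password are placeholders. The MSI property names are VMware’s documented silent-install properties for a Security Server as I recall them (VDM_SERVER_INSTANCE_TYPE=3 selects the Security Server role); confirm them against the “Silent Installation Properties for a Security Server” page for your release before relying on them.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the DMZ host after the pairing password has been set in Horizon Administrator.
# All names, IPs and paths below are assumptions; replace them with your own.

$Installer      = 'C:\Install\VMware-Horizon-Connection-Server-x86_64-7.11.0.exe'
$PairedServer   = 'cs1.corp.example'      # paired internal Connection Server (assumed)
$PairedServerIP = '10.10.10.5'            # its internal IP (assumed)
$ExternalFqdn   = 'view-ss1.example.com'  # this Security Server's public DNS name (assumed)
$PcoipPublicIP  = '203.0.113.10'          # public IP NAT'd to this Security Server (assumed)

# The pairing password is temporary and expires, but it still ends up on the
# installer's command line, so prompt for it rather than hard-coding it.
$PairingPassword = Read-Host 'Pairing password set in Horizon Administrator'

# 1. A DMZ host usually cannot resolve internal DNS: pin the paired server in HOSTS.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hostsFile -Pattern "^\s*$([regex]::Escape($PairedServerIP))\s+$([regex]::Escape($PairedServer))" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$PairedServerIP`t$PairedServer"
}

# 2. Silent install. The three URL properties mirror the wizard's three fields:
#    External URL = FQDN:443, PCoIP External URL = IP address, Blast External URL = FQDN:8443.
#    FWCHOICE=1 lets the installer create the Windows Firewall rules (recalled property; verify).
$props = @(
    'VDM_SERVER_INSTANCE_TYPE=3'
    "VDM_SERVER_NAME=$PairedServer"
    "VDM_SERVER_SS_EXTURL=https://${ExternalFqdn}:443"
    "VDM_SERVER_SS_PCOIP_IPADDR=$PcoipPublicIP"
    'VDM_SERVER_SS_PCOIP_TCPPORT=4172'
    'VDM_SERVER_SS_PCOIP_UDPPORT=4172'
    "VDM_SERVER_SS_BSG_EXTURL=https://${ExternalFqdn}:8443"
    "VDM_SERVER_SS_PWD=$PairingPassword"
    'FWCHOICE=1'
) -join ' '

$proc = Start-Process -FilePath $Installer -ArgumentList "/s /v`"/qn $props`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode); check the VMware installer log under $env:TEMP"
}

# 3. Confirm the service is running. The display name matches the one the post
#    tells you to restart later; adjust it if your release names it differently.
Get-Service -DisplayName 'VMware Horizon 7 Security Server' | Select-Object Status, DisplayName
```

For an upgrade rather than a fresh install, the Prepare for Upgrade or Reinstallation step in Horizon Administrator still has to be done by hand first, or the existing IPsec rules will block the re-pairing.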
Security Server Certificate
- Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
- Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
- Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
- On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
- In the list of certificates, look for the self-signed one that the installer created. Its Issuer is the local computer name rather than a Certificate Authority, and its Friendly name is vdm. Right-click it, and click Properties.
- On the General tab, clear the Friendly name field, and click OK. Horizon uses whichever certificate carries the friendly name vdm, so the self-signed one has to give it up before the CA-signed one can take it.
- Right-click your Certificate Authority-signed certificate, and try to export it.
- On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
- Right-click your Certificate Authority-signed certificate, and click Properties.
- On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
- Then restart the VMware Horizon 7 Security Server service.
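As an added example that is not part of the original post, the following script does the certificate steps above from PowerShell: it finds a CA-signed certificate whose CN or SAN matches the public FQDN, proves the private key is exportable (the same PFX export the GUI wizard attempts), makes it the only certificate with friendly name vdm, and restarts the service. The public FQDN and the service display name are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the Security Server. $PublicFqdn is an assumed value; the service display
# name is the one the post refers to, adjust it if your release differs.

$PublicFqdn = 'view-ss1.example.com'   # assumed

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A PFX export only succeeds if the key was marked exportable when created
    # or imported; this is exactly what the GUI "Export" check in the post does.
    try {
        $null = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'throwaway')
        return $true
    } catch {
        return $false
    }
}

function Test-CertMatchesName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    # Accept an exact CN or SAN DNS entry, or a wildcard one level up (*.example.com).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows formats the SAN as "DNS Name=a.example.com, DNS Name=*.example.com"
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    foreach ($n in $names) {
        if ($n -ieq $Fqdn) { return $true }
        if ($n.StartsWith('*.') -and $Fqdn -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

$store = Get-ChildItem Cert:\LocalMachine\My

# Candidates: CA-issued (Subject differs from Issuer), name matches, key exportable.
$candidates = $store | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -ne $_.Issuer -and
    (Test-CertMatchesName -Cert $_ -Fqdn $PublicFqdn) -and
    (Test-PrivateKeyExportable -Cert $_)
} | Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No CA-signed certificate for $PublicFqdn with an exportable private key in LocalMachine\My"
}
$chosen = @($candidates)[0]

# Only one certificate may carry the vdm friendly name, so clear it everywhere else
# (this also strips it from the installer's self-signed certificate).
$store | Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $chosen.Thumbprint } |
    ForEach-Object { $_.FriendlyName = '' }
$chosen.FriendlyName = 'vdm'

"Using $($chosen.Subject) ($($chosen.Thumbprint)), expires $($chosen.NotAfter)"
Restart-Service -DisplayName 'VMware Horizon 7 Security Server'
```

Assigning FriendlyName on a certificate object obtained from the Cert: provider writes the property back to the store, which is why the script needs an elevated session. If the throw fires, the usual cause is a certificate that was requested without the “Mark private key as exportable” option; re-request it as described above.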
See Carl Stalhood – Horizon View Load Balancing
Enable PCoIP Secure Gateway
- In View Administrator, on the left, expand View Configuration, and click Servers.
- On the right, switch to the Connection Servers tab.
- Right-click the Connection Server that is paired with the Security Server, and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
- On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.