VMware Horizon 7.11 Security Server

Last Modified: Dec 14, 2019 @ 9:45 am

Preparation

Security Servers are intended to be deployed in the DMZ.

Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway (formerly known as Access Point). Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If your load balancer (e.g. NetScaler ADC, F5) is able to provide persistence across multiple port numbers, then you only need one public IP. For example, in NetScaler, this is called Persistency Groups.

If your load balancer doesn’t support persistence across multiple port numbers, then create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet, because the secondary PCoIP (4172) and Blast (8443) connections go to the External URLs configured on the individual Security Server rather than to the load balanced name. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Firewall Rules for View Connection Server at VMware Docs.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at VMware Docs.
  • TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
  • TCP 9427 (MMR) to all internal Horizon Agents.
  • TCP 4002 (JMS) to the paired internal Horizon Connection Server if Enhanced Message Security is enabled – Change the JMS Message Security Mode to Enhanced at VMware Docs
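Before pairing, it is worth confirming from the Security Server itself that the back-end ports above are actually open. The following PowerShell is an added example (not from the original post); the Connection Server and Agent host names are placeholders. It only checks TCP: the UDP ports (4172, 22443 and the IPsec ports) cannot be verified with Test-NetConnection and need a packet capture or a firewall log instead.

```powershell
# Added example (not from the original post). Run on the Security Server.
# Host names below are placeholders; replace with your paired Connection Server
# and a few representative Horizon Agent machines.
$PairedConnectionServer = 'cs01.corp.example'                                 # assumption
$AgentHosts             = @('vdi-001.corp.example', 'vdi-002.corp.example')    # assumption

# TCP ports from the "Security Servers to internal" list above.
$ConnectionServerPorts = @(
    @{ Port = 8009; Purpose = 'AJP13' },
    @{ Port = 4001; Purpose = 'JMS' },
    @{ Port = 4002; Purpose = 'JMS (Enhanced Message Security)' }
)
$AgentPorts = @(
    @{ Port = 4172;  Purpose = 'PCoIP (TCP only; UDP 4172 must be open both ways)' },
    @{ Port = 32111; Purpose = 'USB redirection' },
    @{ Port = 22443; Purpose = 'Blast (TCP only; UDP 22443 also required)' },
    @{ Port = 9427;  Purpose = 'MMR' }
)

function Test-HorizonPort {
    param([string]$ComputerName, [int]$Port, [string]$Purpose)
    # Test-NetConnection performs a real TCP handshake. The warning it prints on
    # failure is suppressed so the report table below is the only output.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $ComputerName
        Port    = $Port
        Purpose = $Purpose
        Open    = $r.TcpTestSucceeded
    }
}

$report = @(foreach ($p in $ConnectionServerPorts) {
    Test-HorizonPort -ComputerName $PairedConnectionServer -Port $p.Port -Purpose $p.Purpose
})
$report += @(foreach ($agent in $AgentHosts) {
    foreach ($p in $AgentPorts) {
        Test-HorizonPort -ComputerName $agent -Port $p.Port -Purpose $p.Purpose
    }
})

$report | Format-Table -AutoSize

# Anything with Open = False is a firewall or NAT problem to fix before running the installer.
$closed = @($report | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} TCP port(s) blocked; see the table above." -f $closed.Count)
}
```

A closed 8009 or 4001 to the paired Connection Server shows up during installation as a pairing failure; closed Agent ports show up later as sessions that authenticate but never display a desktop.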

Pairing Password

Horizon Console does not support Security Servers. The Flash-based Horizon Administrator won’t work for much longer, so take it as a clue that you should deploy Unified Access Gateways to replace your Security Servers.

  1. In Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
  4. Enter a temporary password, and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported for the Horizon Security Server 7.8 and newer.
  3. Login to the Horizon Security Server.
  4. Download Horizon 7.11.0 View Connection Server, Horizon 7.10.0 View Connection Server (ESB), or Horizon 7.5.2 View Connection Server (ESB).
  5. If you are upgrading an existing Security Server, then you must prepare it for upgrade:

    1. In Horizon Administrator (Flash/Flex console), on the left, expand View Configuration, and click Servers.
    2. On the right, switch to the tab named Security Servers.
    3. Highlight the Security Server, then click the menu named More Commands and click Prepare for Upgrade or Reinstallation.
    4. Click OK to remove the IPSec rules.
  6. On the Security Server, run the downloaded VMware-Horizon-Connection-Server-x86_64-7.11.0.exe, VMware-Horizon-Connection-Server-x86_64-7.10.0.exe or VMware-viewconnectionserver-x86_64-7.5.2.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon 7 Security Server, and click Next.
  11. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  12. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
  13. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN, while the middle URL is an IP address. These can be changed later. Click Next.
  14. In the Firewall Configuration page, click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
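The wizard steps above can also be driven unattended, which is handy when building a pair of Security Servers identically. The following PowerShell is an added example (not from the original post): the host names, IPs and installer path are placeholders, and the VDM_SERVER_* names are the silent-install properties VMware documents for a Security Server, which you should confirm against the documentation for the exact version you are installing. It also covers the step 11 note about making the paired Connection Server name resolvable from the DMZ.

```powershell
# Added example (not from the original post). Run as administrator on the DMZ server.
# All names, IPs and paths are placeholders. The VDM_SERVER_* property names are
# VMware's documented silent-install properties for a Security Server (assumption:
# unchanged for the version you install; check the docs before relying on them).
$Installer    = 'C:\Install\VMware-Horizon-Connection-Server-x86_64-7.11.0.exe'
$PairedCS     = 'cs01.corp.example'   # internal Connection Server to pair with (step 11)
$PairedCSIP   = '10.10.10.26'         # its IP, used for a HOSTS entry if DMZ DNS can't resolve it
$ExternalFqdn = 'view.example.com'    # public DNS name of THIS Security Server (step 13, top URL)
$ExternalIP   = '203.0.113.10'        # public IP NAT'd to this Security Server (step 13, PCoIP URL)
$HostsFile    = "$env:SystemRoot\System32\drivers\etc\hosts"

# The pairing password from "Specify Security Server Pairing Password" is temporary,
# so prompt for it rather than hard-coding it. It is still passed to msiexec on the
# command line, so run this from an interactive admin session, not a shared job host.
$pairing  = Get-Credential -UserName 'pairing' -Message 'Temporary Security Server pairing password'
$plainPwd = $pairing.GetNetworkCredential().Password
if ($plainPwd -match '\s') { throw 'Pairing password must not contain whitespace for the silent install.' }

# Step 11: the paired Connection Server name must resolve to the correct internal IP.
if (-not (Resolve-DnsName -Name $PairedCS -ErrorAction SilentlyContinue)) {
    Add-Content -Path $HostsFile -Value "$PairedCSIP`t$PairedCS"
}

# Steps 10-14 as MSI properties. Instance type 3 = Security Server.
# The external URLs must be what Internet clients can reach (public DNS / public IP).
$props = @(
    'VDM_SERVER_INSTANCE_TYPE=3',
    "VDM_SERVER_NAME=$PairedCS",
    "VDM_SERVER_SS_PWD=$plainPwd",
    "VDM_SERVER_SS_EXTURL=https://${ExternalFqdn}:443",
    "VDM_SERVER_SS_PCOIP_IPADDR=$ExternalIP",
    'VDM_SERVER_SS_PCOIP_TCPPORT=4172',
    'VDM_SERVER_SS_PCOIP_UDPPORT=4172',
    "VDM_SERVER_SS_BSG_EXTURL=https://${ExternalFqdn}:8443",
    'FWCHOICE=1'    # let the installer create the Windows Firewall rules (step 14)
) -join ' '

# /s = silent bootstrapper; /v"..." passes the arguments to the MSI; /qn = no UI.
$proc = Start-Process -FilePath $Installer -ArgumentList "/s /v`"/qn $props`"" -Wait -PassThru
$plainPwd = $null

if ($proc.ExitCode -ne 0) {
    throw "Security Server install failed with exit code $($proc.ExitCode); see C:\ProgramData\VMware\VDM\logs"
}
Write-Host "Installed. Verify the Security Server shows green in Horizon Administrator > Servers > Security Servers."
```

Run it once per Security Server with that server's own public FQDN and public IP; pointing both at the load balanced name is the mistake the Firewall Ports section warns about.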

SSL

Security Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon 7 Security Server service.
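The two things that bite people in this procedure are a private key that turns out not to be exportable and more than one certificate carrying the vdm friendly name. The PowerShell below is an added example (not from the original post) that reports on every certificate in the machine store, performs the same export probe the wizard does, and then applies steps 5 to 11 for the one usable CA-signed certificate. The public FQDN is a placeholder, and the subjectAltName parsing assumes the English "DNS Name=" text that .Format() produces.

```powershell
# Added example (not from the original post). Run as administrator on the Security Server.
# $ExpectedFqdn is a placeholder; SAN parsing assumes English-locale "DNS Name=" output.
$Store        = 'Cert:\LocalMachine\My'
$ExpectedFqdn = 'view.example.com'                    # assumption: this server's public FQDN
$ServiceName  = 'VMware Horizon 7 Security Server'    # service display name to restart (step 11)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names
}

function Test-NameMatch {
    param([string[]]$Names, [string]$Fqdn)
    foreach ($n in $Names) {
        if ($n -eq $Fqdn) { return $true }
        if ($n.StartsWith('*.') -and ($Fqdn -like $n)) { return $true }   # wildcard certificate
    }
    $false
}

function Get-HorizonCertReport {
    foreach ($cert in Get-ChildItem $Store) {
        $exportable = $false
        if ($cert.HasPrivateKey) {
            try {
                # Same test as the export wizard: a PFX export (in memory only) throws
                # when the key was imported or enrolled without the exportable flag.
                $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
                $exportable = $true
            } catch { $exportable = $false }
        }
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            FriendlyName = $cert.FriendlyName
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            HasKey       = $cert.HasPrivateKey
            Exportable   = $exportable
            MatchesFqdn  = Test-NameMatch -Names (Get-CertDnsNames $cert) -Fqdn $ExpectedFqdn
            NotAfter     = $cert.NotAfter
        }
    }
}

function Set-HorizonCert {
    # Steps 5-11: make $Thumbprint the only certificate named "vdm", then restart the service.
    param([string]$Thumbprint)
    $target = Get-Item "$Store\$Thumbprint"
    if (-not $target.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    $others = Get-ChildItem $Store | Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $Thumbprint }
    foreach ($other in $others) {
        $other.FriendlyName = ''      # clear the old (typically self-signed) vdm certificate
    }
    $target.FriendlyName = 'vdm'      # set on a Cert: provider object, this persists to the store
    Restart-Service -DisplayName $ServiceName
}

$report = Get-HorizonCertReport
$report | Format-Table -AutoSize

$usable = @($report | Where-Object {
    -not $_.SelfSigned -and $_.HasKey -and $_.Exportable -and $_.MatchesFqdn -and $_.NotAfter -gt (Get-Date)
})
if ($usable.Count -eq 1) {
    Set-HorizonCert -Thumbprint $usable[0].Thumbprint
} else {
    Write-Warning "Found $($usable.Count) usable CA-signed certificates for $ExpectedFqdn; pick one and run Set-HorizonCert -Thumbprint <thumbprint>."
}
```

If the report shows HasKey = True but Exportable = False, re-import the PFX with the exportable option ticked; renaming that certificate to vdm will only produce the "keystoreutil.exe failed to load certificate" error in the Blast Secure Gateway log.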

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Right-click the Connection Server that is paired with the Security Server, and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.


46 thoughts on “VMware Horizon 7.11 Security Server”

  1. Hi Carl good morning,

    We have an Horizon 7.10 environment with two connection servers running in Windows Server 2016.

    When we try to connect to the environment using the Horizon client, we get the error:

    “Is not possible to connect to the connection server. The server provided an invalid certificate”

    In addition, in Horizon Administrator, within Events it shows:

    “Certificate is invalid for Secure Gateway at address y.y.y.y” for both connection servers.

    Both connection servers have the TLS signed certificates installed and the Horizon administrator shows green check marks in both.

    What are we missing? We run out of ideas.

    Thank you.

      1. Hi Carl,

        If we try to connect directly to any connection server it works perfectly. The problem resides when connecting through a load balancer.

        We know for sure that the problem is not in the load balancer because when pointing the load balancer to other connection servers we have running, it works so the problem must reside in the connection servers.

        Regards.

        1. Is your load balancer terminating SSL? Or is it simply passing through the SSL traffic? Do all of your Connection Servers have the same certificate that matches the load balanced FQDN? Is persistence enabled on your load balancer?

          1. Hi Carl,

            Is your load balancer terminating SSL? Or is it simply passing through the SSL traffic? My load balancer is just passing the traffic through.
            Do all of your Connection Servers have the same certificate that matches the load balanced FQDN? My connection servers have their own CA signed certificate. Do we have to import the load balancer FQDN certificate into the Connection server’s certificate store? If so, once imported, do we need to keep both certificates on each connection server?
            Is persistence enabled on your load balancer? Yes, it is.

            Thank you.

          2. If your load balancer is not terminating SSL, then the Connection Servers need a certificate that matches the load balanced FQDN. You can use Subject Alternative Names to include multiple names.

  2. Hi Carl,

    Thanks for your efforts.

    We have a Horizon 7.9 deployment with 2 connection servers, 1 security server, and Composer. All deployments are good, but we face an issue when using WAN. We are using Riverbed Steelhead CX and created an in-path rule.
    WAN optimization works well when connecting to the VM using HTML on the Blast protocol, but unfortunately when we use the VMware Horizon client it works for a few seconds and then stops, while Blast HTML sessions work very well. So kindly advise on this, especially since both use the same rule on the Riverbed WAN optimization. The port is 8443 in the destination, between source (client) and destination (security server:8443).

    So kindly advise if this can be solved by VMware horizon or it is Riverbed configuration.

    Thanks

  3. Carl, in a HA environment where I have 2 security servers behind a load balanced VIP and 2 internal connection servers (primary and replica), when I set up the second security server should I point it at the primary server, or do they work in pairs and I need to point it at the second connection server?

    1. Usually each Security Server is paired to a different Connection Server. For redundancy, you should have at least two pairs.

  4. Hi Carl,

    Can I ask you a question? We’re using Horizon View 7.6 and our SSL cert is about to expire, so I did the cert request from within the Certificate Manager on our connection server, imported the newly purchased SSL cert in the Certificate Manager on the connection server (private key included), then did an export with Private Key and All Extended Properties.

    Then I imported the SSL certificate (with the Private Key) in the Certificate Manager on our Security Server.

    On both servers the certificate Friendly Name was renamed to vdm and the old SSL certificate was

    But in Horizon View the Security Server shows an error message;

    Status : The service has minor issue, The BLAST Secure Gateway is not working properly
    IPSec Status : Not in Use
    SSL Certificate : Valid

    When I check the running Services on the Security Server I see that the “VMware Horizon View Blast Secure Gateway” is Paused; starting this manually gives the following message:

    Windows could not start the VMware Horizon View Blast Secure Gateway service on Local Computer
    The service did not return an error. This could be an internal Windows error or an internal service error.

    When our users try to connect to our external Portal they get the following error message using the Horizon Application:

    Connection Failed
    Error: An SSL error occurred
    Please verify that Connection Server Address and network settings are correct and try again.

    And this error when they try to connect using a web browser :

    Secure Connection Failed
    An error occurred during a connection to myportal.company.com. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

    But when I re-import my old SSL certificates and rename them to vdm on both Connection and Security Server the problem is gone and everything works fine.

    Do you have any idea how to solve this problem.?

    1. When you imported the new certificate, did you make sure the key is exportable?

      What kind of certificate? Is it a ECDSA instead of RSA? What is the key size? There might be a log under c:\programdata\vmware\vdm that details the issue.

      1. Yes the key is exportable, the certificate imported on the Security server shows that is has the private key, the certificate is an RSA type and the keysize I chose when ordering the certificate was 4096, but the certificate it self shows the public key as being RSA (2048)

      2. I just checked the log file and it shows the following;

        C:\ProgramData\VMware\VDM\logs\Blast Secure Gateway\absg.log

        [2019-06-04 15:01:49.642] [ERROR] 3000 [absg-master] – keystoreutil.exe failed to load certificate from [ ‘windows-local-machine’, ‘MY’, ‘vdm’ ] 1 Key CryptExportKey get size FAILED (error 2148073483)

        1. Found the issue this morning, so thought i’d share it.

          When I tried (as a test) to export the certificate from the security server I noticed that the ‘export private key’ option was greyed out. This meant that during the import of the SSL certificate this option was not enabled (I probably didn’t notice it), even though when I viewed the certificate it said ‘you have a private key for this certificate’. I removed the certificate and re-imported it, this time checking the option ‘make private key exportable’, rebooted both Connection and Security server after this just to be sure, and the SSL error is gone.

          1. To ensure the private key is exportable, try exporting the key. If the private key export option is grayed out, then it’s not exportable.

  5. I have everything up and running both internally and externally. My only issue is accessing externally through a web browser.

    I just get a blank grey screen after clicking on the desktop link, this works internally through a web browser.

    Any suggestions?

    Thanks

    1. Is port 8443 open from the Internet? Is port 22443 open from Security Server to every Horizon Agent? Does the Blast Secure Gateway have the correct URL?

      1. Hi Carl,

        thanks for the response. I can confirm port 8443 is open from the internet to the security server and port 22443 is open from the security server to all horizon agents.

        For my “Blast Secure Gateway URL”, I have it set to my public facing URL with :8443 on the end. Is this correct?

        Thanks

          1. We were able to solve our issues, our Wildcard certificate was created using the CNG Key Template which is unsupported by View, you have to use the Legacy Key Template.

  6. Hello Carl. Cannot install Security Server (DMZ), error during installation “Error 28083 IPSec setup failed”. What could be wrong?

      1. Yes, it is, and all necessary ports are opened. The error occurs when using the IPSec pairing option; without IPSec everything is fine and the SS connects to the CS properly.

  7. Carl,
    Thanks for a very helpful article! I do have one question on the certificate portion of this:

    We purchased a GeoTrust wildcard certificate for our domain. As such, I did not go through the export portion of the certificate process that you outlined above (steps 1-6, notably the portions where you described how to make the private key exportable, then exported the certificate).

    I did update the friendly name of the self-signed certificate by setting it to blank, then imported my GeoTrust certificate into the same Personal->Certificates store, set its friendly name to vdm, and restarted the services.

    However, when I then tried to access the server, I got an SSL error stating “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”, along with a message that the site couldn’t provide a secure connection.

    Any idea on what I might have done wrong, or any procedure changes that apply when using an existing wildcard certificate?

    I set the friendly names back to their original settings and restarted the service, which allows me access to the security server again (with an invalid cert message). I’m no expert on certificates, so if I’ve made some basic mistake with this process, I won’t be terribly surprised…

    Thanks in advance for any assistance you’re willing to provide.

    1. Does your GeoTrust certificate have a private key? If you double-click it, on the first tab, on the bottom, there should be a message that there’s a private key.

      1. Carl,
        Thanks for following up on this. Looks like my default certificate did not have a private key. I’m going to refresh it with one that does include a private key. However, when I start that process (right click Certificates + All tasks + Request New Certificate), the first thing that pops up is the process that creates a new Certificate Enrollment Policy. That process prompts me for an Enrollment Policy Server URI. As the Horizon Security Server is not currently part of an A/D forest, does that mean that I need to install the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service on this machine?

        If these topics are extraneous, I do apologize. My experiences with SSL certificates is pretty limited.

        Thanks again!

        1. You should be able to go to any IIS Server, run IIS Console, click the server, in the middle click Server Certificates and create a CSR. After you get the CSR signed, complete it in IIS, export the certificate from IIS, and then import to your Connection Servers.

  8. I noticed this error “The service has minor issue. The PCOIP Secure Gateway is not working properly” in the dashboard for 1 Connection Server which is paired with a Security Server. Another Connection Server, which is not paired, is working fine. Disabling PCOIP tunneling in the Connection Server settings has been a workaround. However, it is recommended to keep PCOIP tunneling checked. Any insight on this?

        1. Was a resolution for this found? I have the same on 2 new connection servers.

          Version: 7.6.0
          Status: The service has minor issue.The PCOIP Secure Gateway is not working properly.

  9. Hi Carl,
    I am in need of some help here, Security server and Connection server are in place, Certificates are installed, access to virtual desktops from within the network is fine, users connect to virtual desktops using Horizon client and Connectionserver.domain.com as the address.
    There is need to provide external access as well, i.e., from internet. the subdomain is available and configured, public IP is configured and Firewall is in place.
    Front end firewall NAT the traffic to DMZ network (192.168.2.x) where security server is located (192.168.2.27) the same firewall NAT traffic again to Production network(10.10.10.x) where connection server is located (10.10.10.26)
    I can see traffic on the firewall coming to the security server on port 443 TCP, and from the security server to the connection server on 8009 and 4002, but there is no traffic logged from the connection server to the security server.

    User experience: open horizon client, enter url view.domain.com, user is prompted to provide credentials, upon providing credentials the error message immediately pops “You are not Entitled to use the system” the same user can access from within the network.

    1. Apart from Desktop Pool Entitlements, you have to add the users under “Remote Access” tab found in “Users and Groups” section (left navigation menu). These are the users whom you want to be able to access desktops over internet or VPN.

  10. I’m having an issue connecting from the outside. I set up 2-factor with our RADIUS Server. I get the prompt for our token and it takes it, but it just spins at Authenticating after I enter my Domain login. I have ports 1812 and 1813 open but I’m not sure if there is another port I need to open. I can log in internally with no issues.

    1. Does it work through Security Server without RADIUS configured?

      RADIUS is enabled on the paired Connection Server. Does it work when pointing the client to the paired server?

      What Horizon Client version?

  11. Carl,
    just a question.
    We configured two security servers in DMZ paired with two dedicated connection servers.
    Everything works with the Horizon View client installed on a PC and by web client, but using the iPad/Android app it always goes to timeout.
    We configured a load balancer following your guide and it’s working too; only the mobile client goes to timeout.
    Any ideas?

    Thanks

    1. I came across a similar situation where I use the Blast Extreme protocol on my Android phone and I always got a timeout.

      Solutions:
      At security server settings, make sure your Blast External URL matches your external FQDN/IP address and change the port 8443 to custom port if port forwarding is configured at firewall.

      example:
      Horizon Mobile Client address: https://vdi.abc.com

      Then your Blast External URL will be: https://vdi.abc.com:8443 (If custom port for 8443 is configured at firewall, just change the port number)

      Same if IP Address is used instead of FQDN.

      in my case, I used ip address.

    1. 8443 should only be used if you are connecting through a browser. Do you have the same issue with Horizon Client?

      You can also use procmon on the client to verify the ports that are being used. If TCP, netstat will show you the connection. If UDP, then netstat won’t help you.

  12. How can I use the Blast Extreme protocol? I heard it uses only port 443. This simplifies access and allows users to access it in many locations where ports 8443 and 8172 are blocked. I did not see anywhere to select this protocol. I saw only Blast, and it needs port 8443.

    In most places only port 443 is opened, and there is no way you can access View desktops. Any solution for this?

    1. Are you using Horizon 7? Edit your pool and set Blast as the protocol. It defaults to TCP 443 but you can use a GPO to enable UDP 443.
