Deploy View Security Server
Today we will discuss how to deploy Horizon View Security Server. Organisations are paying more attention to security these days. The Horizon Security Server is a type of Horizon Connection Server that is designed to add an additional layer of security between remote Horizon Clients and Horizon resources that are located on a private network.
Horizon View 7.5 blog series: “Horizon View 7.5”
Previous blog post: “Deploy View Replica Server 7.5”
- At least one configured Horizon Connection Server with a license key must be installed
- A dedicated Windows 2012 R2 server is needed to host the Horizon Security Server role
- You must have two network adapters and a static IP address for each on the Security Server host (one adapter will be public facing, the other private facing)
- The Security Server host should be able to resolve the FQDN of the Connection Server it will pair with, either using DNS or the local hosts file
- You must have a valid Horizon Connection Server pairing password
- Firewall access is required between the Horizon Security Server and the necessary Horizon components on the private network
- Firewall access between the Internet and the Horizon Security Server
- A resolvable public URL that will be used for accessing the Horizon Security
- You must have local administrator access on the host server
Supported Operating Systems for View Security Server
You must install Horizon Security Server on a supported Windows Server operating system. The following operating systems support Horizon View Security Server.
Note: Windows Server 2008 R2 with no service pack is no longer supported.
Horizon Security Server Hardware Requirements
Firewall Rules for Horizon Security Server
Certain ports must be opened on the firewall for Connection Server instances and security servers.
When you install Connection Server, the installation program can optionally configure the required Windows Firewall rules for you. These rules open the ports that are used by default. If you change the default ports after installation, you must manually configure Windows Firewall to allow Horizon Client devices to connect to Horizon 7 through the updated ports.
The following table lists the default ports that can be opened automatically during installation. Ports are incoming unless otherwise noted.
Ports Opened During Horizon Security Server Installation
In my environment I have deployed a standalone View Security Server on Windows 2012 R2 with 2 CPUs and 4 GB RAM.
- Host Name: SS01
- IP Address: 192.168.0.115
- SS01 is in a workgroup
Before proceeding with the View Security Server installation, make sure the server is not joined to a domain and that you have assigned it a static IP.
First we need to set up a Security Server pairing password on the Connection Server.
To set the pairing password:
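The checks in the prerequisites list can be scripted and run on SS01 before starting the installer. The following PowerShell is an added example, not part of the original post; the Connection Server name is the one used later in this post, and the back-end port list (JMS 4001, JMS over SSL 4002, AJP13 8009) is an assumption based on Horizon 7 defaults, so adjust it to your firewall design.

```powershell
# Added example: pre-install checks for the Security Server host (run elevated on SS01).
$ConnectionServer = 'cs02.vgyan.local'   # Connection Server this host will pair with
$BackendPorts     = 4001, 4002, 8009     # ASSUMPTION: Horizon 7 default back-end TCP ports

$results = [ordered]@{}

# Installer needs local administrator rights.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$results['Running as administrator'] = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Host must be in a workgroup, not joined to a domain.
$results['Workgroup member'] = -not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Two connected adapters: one public facing, one private facing.
$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$results['Two adapters connected'] = $adapters.Count -ge 2

# Every connected adapter must use a static IPv4 address (DHCP disabled).
$dhcp = @($adapters | ForEach-Object {
    Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4
} | Where-Object Dhcp -eq 'Enabled')
$results['Static IPv4 on all adapters'] = ($adapters.Count -gt 0) -and ($dhcp.Count -eq 0)

# Connection Server FQDN must resolve (this call honours DNS and the local hosts file).
try   { $results['FQDN resolves'] = @([System.Net.Dns]::GetHostAddresses($ConnectionServer)).Count -gt 0 }
catch { $results['FQDN resolves'] = $false }

# Back-end ports must be reachable through the firewall on the private side.
foreach ($port in $BackendPorts) {
    $t = Test-NetConnection -ComputerName $ConnectionServer -Port $port -WarningAction SilentlyContinue
    $results["TCP $port to Connection Server"] = $t.TcpTestSucceeded
}

# Windows Firewall service must be running so the installer can add its rules.
$results['Windows Firewall running'] = (Get-Service -Name MpsSvc).Status -eq 'Running'

# Print a simple OK/FAIL report.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```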
- In View Administrator, expand View Configuration, and click Servers.
- Switch to the Connection Servers tab.
- Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
Switch to Security Server SS01 for installation.
I downloaded VMware-viewconnectionserver-x86_64-7.5.0-8583568 software from VMware software downloads.
Open VMware-viewconnectionserver-x86_64-7.5.0-8583568 and run as administrator.
Accept EULA and click “Next”.
Verify installation folder and click “Next”.
From the installation options, select the Horizon 7 Security Server option.
When selecting the IP protocol, make sure all the components of the Horizon environment use the same IP protocol. You can’t mix IPv4 and IPv6 in a Horizon environment. I am going with IPv4 because my connection server is configured with IPv4.
Click “Next” to continue.
Provide your Connection Server FQDN or IP address in the server field. In my case my primary connection server is “cs02.vgyan.local”, and I configured the pairing password on my “cs02” connection server.
Enter the pairing password which we configured on the connection server.
I didn’t configure an IPsec tunnel between the security server and the VMware View Connection Server. Click “OK” to continue:
Provide the External URLs for the security server. I am going with the default configuration; this configuration can also be changed after installation.
Windows Firewall is a requirement for Horizon View, especially for Security Server to Connection Server communication, so do not disable Windows Firewall. The Security Server installer will configure Windows Firewall automatically.
Select “Configure Windows Firewall automatically” and click “Next”.
Verify and click “Install”.
Once the installation has completed, click “Finish”.
Verify that all the required services are installed and running as expected.
Log in to the Horizon View admin portal and verify that the Security Server is installed and listed in the Dashboard.
Currently SS01 has only a self-signed certificate, and because of that it is showing a RED alert.
Under the Servers tab select Security Servers; you can verify that SS01 is listed.
Open any supported browser and try to access the security server by IP/FQDN.
As you can see in the screenshot below, SS01 is accessible from the network.
Through the Security Server we can access only the Horizon web client; the Horizon View admin portal is not reachable.
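To confirm from a client machine which certificate the Security Server presents, and that the RED alert is caused by a self-signed certificate, the TLS handshake can be inspected directly. This PowerShell is an added example, not part of the original post; the host name SS01 comes from this post, while port 443 and TLS 1.2 are assumptions about the default configuration.

```powershell
# Added example: inspect the certificate presented by the Security Server.
$Target = 'SS01'   # Security Server host name used in this post
$Port   = 443      # ASSUMPTION: default HTTPS port of the external URL

$tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
try {
    # Accept any certificate during the handshake: the goal is to inspect it, not to trust it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Target, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against this machine's trust store to see whether a client would trust it.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = $cert.Subject -eq $cert.Issuer   # issuer equals subject on a self-signed certificate
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

After the certificate is replaced with one issued by a trusted CA, `SelfSigned` should be `False` and `ChainTrusted` should be `True`.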
So we successfully deployed Horizon View Security Server 7.5.0.
Depending on the design, we can add more security servers to the environment. Each connection server can connect with only one security server.
That’s all, guys. I will discuss more on Horizon View 7.5 in upcoming posts: Horizon View components installation and configuration, various desktop pool creations, application publishing, etc. Stay tuned.
Next blog post will be “Replace SSL certificate on View Security Server”