VMware Horizon Community
pwynne (Contributor)

Access VMview 4.0 portal from the internet.

Hi ,

I have just upgraded my View environment to version 4.0. I want to access desktop sources from external sources. I use Cisco ASA 5510s as my firewall.

My View server sits on the main network, not in my DMZ. Can I still make it available through the web?

All help would be greatly appreciated here.

Paul.

Accepted Solution

jaffa-unisys (Enthusiast)

Kia Ora.

Reading the manual and security section covers it fairly well. You'd best use a View Security Server, each of which is paired to ONE View Standard or Replica server. You then aren't allowing external plebs to attach to a box that has AD access directly and so on. The Security Server is isolated, and doesn't access any AD. Unless you do RSA you will have trouble with two-factor authentication at the Security Server.

This said, you could connect directly through to your View Standard server if you so wish. Risky though for security reasons; that said, it will work. PCoIP requires a direct connection through between the external client (in your case) and the View Agent inside the supported virtual desktop guest. This excludes the use of a Security Server in a DMZ. RDP will be your option here. The reason being the use of UDP, which the Security Server doesn't process or whatever.

A VPN connection tunnelling all of the conversation in that will sort things out nicely though, allowing you the use of PCoIP.

We've recently had trouble implementing access using two-factor authentication on a Citrix NetScaler: SSL & AD prior to passing you onto the View server (which could be the View Standard/Replica instead of Security). The web browser externally, although initiating the conversation fine, starts a second tunnel which is engaged by the View Client. The client naturally can't process the Citrix NS two-factor conversation requests since it isn't a browser; the result: you get to log in, you get an entitlement list, however it's set as Not Ready. The second tunnel is blocked (rightly) by the Citrix NS.

In the end we used the NS as a pass-through and use single-factor authentication on the View servers. (It's from a 3rd party "secure" location, so it came down to risk acceptance.)

enjoy

3 Replies
pwynne (Contributor)

Thanks very much for this detailed response. I will give this a try. My confusion is where to place the Security Server. My DMZ cannot see the domain, so I cannot register the View server with the vCenter server.

The only option I see is to put the Security Server on the domain with Internet connectivity, if that makes sense?

jaffa-unisys (Enthusiast)

Hi.

Read the admin manual, it has good info in it.

A View Security Server is installed in a DMZ; it only needs specific ports out, and specific ports to the View Standard/Replica server inside. It will not communicate with any AD boxes etc. You install it onto a supported OS; the configuration is pretty much a file you get when you add a Security Server in View Manager. This file gets jammed onto the Security box, and that View Security Server then 'behaves' in accordance with your rules, e.g. answering on a specific external address and port, knowing where the View Standard/Replica server is, etc.

Very simple to get going. To test, build a Security Server next to the View Standard server. Install the software etc. Then add your Security Server to View Manager and transfer the configuration information over, and restart things. Then point a View Client at your View Security Server instead of the View Standard server. It'll just work like a bought one, and you should have no firewalls to worry about. If the client is refused, you may need to put your External URL entry into the client's HOSTS file.

eg. 10.1.1.202 myExternalView.company.co.nz myExternalView

That way, when the conversation is initiated, the client guest understands where it's going to/from etc.
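The two replies above both hinge on the firewall side: the Security Server in the DMZ should reach only specific ports on the View Standard/Replica server inside, and nothing on a domain controller. The script below is an added example (not code from this thread or from VMware) that audits an ASA-style extended access list offline for exactly that. Everything in it is constructed: the addresses (10.1.1.202 is reused from the HOSTS tip above as the Security Server, 10.1.2.10 stands in for the View server and 10.1.2.20 for a domain controller), the sample ACL text, and the "required" port list, which is a placeholder you must replace with the Security Server to Connection Server ports documented for your View version. The AD service ports it checks (Kerberos, MSRPC, LDAP, SMB, LDAPS) are the well-known Windows ones.

```python
"""Offline audit of an ASA-style access list for a View Security Server in a DMZ.

Added example, not code from the thread or from VMware. Addresses, the ACL
text and the REQUIRED port list are constructed placeholders; take the real
Security Server -> Connection Server ports from the View documentation for
your version.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Cisco ASA "extended" ACL syntax. The third line (LDAP to
# the domain controller) is the mistake the audit is meant to catch.
SAMPLE_ACL = """
access-list DMZ_IN extended permit tcp host 10.1.1.202 host 10.1.2.10 eq 8009
access-list DMZ_IN extended permit tcp host 10.1.1.202 host 10.1.2.10 eq 4001
access-list DMZ_IN extended permit tcp host 10.1.1.202 host 10.1.2.20 eq ldap
access-list DMZ_IN extended permit udp host 10.1.1.202 any eq domain
access-list DMZ_IN extended deny ip any any
"""

SECURITY_SERVER = "10.1.1.202"          # assumed DMZ host (from the HOSTS tip)
DOMAIN_CONTROLLERS = ["10.1.2.20"]      # assumed address of a DC
# (destination, protocol, port) flows the Security Server legitimately needs.
# Placeholder values for this example, NOT a View port reference.
REQUIRED = [("10.1.2.10", "tcp", 8009), ("10.1.2.10", "tcp", 4001), ("any", "udp", 53)]

# Well-known Windows domain service ports; a DMZ host that can reach any of
# these on a domain controller is not isolated from AD.
AD_PORTS = {88: "kerberos", 135: "msrpc", 389: "ldap", 445: "smb", 636: "ldaps"}
# Subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"domain": 53, "www": 80, "kerberos": 88, "ldap": 389, "https": 443, "ldaps": 636}

ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(tcp|udp|ip)\s+"
    r"(?:host\s+(\S+)|(any))\s+(?:host\s+(\S+)|(any))(?:\s+eq\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]  # None: any port (or protocol 'ip')


def parse_acl(text: str) -> list[Rule]:
    """Parse the host/any + optional 'eq' subset of ASA extended ACL syntax."""
    rules = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, src_h, src_any, dst_h, dst_any, port = m.groups()
        port_n = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
        rules.append(Rule(action, proto, src_h or src_any, dst_h or dst_any, port_n))
    return rules


def _addr_match(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr


def _matches(r: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (_addr_match(r.src, src) and _addr_match(r.dst, dst)
            and r.proto in ("ip", proto) and r.port in (None, port))


def is_permitted(rules: list[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """ASA evaluates an ACL first-match, with an implicit deny at the end."""
    for r in rules:
        if _matches(r, src, dst, proto, port):
            return r.action == "permit"
    return False


def audit_dmz_host(rules: list[Rule], host: str, required, domain_controllers) -> list[str]:
    """Findings: required flows that are blocked, AD reachability, over-broad permits."""
    findings = []
    for dst, proto, port in required:
        if not is_permitted(rules, host, dst, proto, port):
            findings.append(f"MISSING: {host} -> {dst} {proto}/{port} is not permitted")
    for dc in domain_controllers:
        for port, name in AD_PORTS.items():
            if is_permitted(rules, host, dc, "tcp", port):
                findings.append(f"AD EXPOSURE: {host} can reach {dc} tcp/{port} ({name})")
    allowed = set(required)
    for r in rules:  # every permit that covers the host must be on the required list
        if r.action == "permit" and _addr_match(r.src, host) and (r.dst, r.proto, r.port) not in allowed:
            findings.append(f"OVERBROAD: permit {r.proto} {r.src} -> {r.dst} port {r.port}")
    return findings


if __name__ == "__main__":
    for f in audit_dmz_host(parse_acl(SAMPLE_ACL), SECURITY_SERVER, REQUIRED, DOMAIN_CONTROLLERS):
        print(f)
```

On the sample above it reports the LDAP line twice, once as AD exposure and once as an over-broad permit; remove that line and the audit is clean. Feed it the configured lines from your own ASA and bear in mind it models only the host/any plus `eq` subset of the syntax; object-groups, port ranges and NAT need more parsing, and it says nothing about whether a tunnel actually comes up, which the HOSTS-file test above still covers.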