VMware Horizon Community
mk_mk_47
Contributor

Horizon Infrastructure Internal Security

Hello everyone

Recently, I deployed a Horizon environment and it has to be secured both externally and internally. My problem is that when we install an agent on each VM, there is a little interaction between each VM and the Connection Server. Meanwhile, if that VM has been infected by any malicious software, this infection can be spread to the Connection Server or any other important infrastructure. In addition, I don't want users to be able to access the Connection Server admin web page internally, while by installing the agent on VMs they are able to visit the admin page.

Another problem is that the recording server, which VMs should be able to connect to through port 9443, is publicly available to VMs, and users can access its web admin interface.

How can I isolate the Horizon infrastructure from internal users, or at least how can I make sure that the only interaction between VMs is from Horizon and not from any unwanted app?

This is a serious issue for me and I would very much appreciate it if anyone could help me with that.

StephenMassman
Contributor

Here is a good source for what talks to what and on what port.   
https://techzone.vmware.com/resource/network-ports-vmware-horizon

Here is the architecture guide also.  
https://techzone.vmware.com/resource/horizon-architecture

Windows Firewall rules on Connection Servers would be a good idea, based on the network ports document above. If you have DMZ UAG appliances, the network ports document also explains the network-related FW rules for those.

---
Steve Massman
@stevemassman
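
An added example, not part of the original reply and not VMware's own code: one way to express the suggested Windows Firewall restriction on a Connection Server, so the desktop VM subnet reaches only the agent ports and nothing else (including the admin web page). The subnet `10.20.0.0/16`, the agent port list (4001/4002) and the helper `Get-ComplementPortRange` are assumptions for illustration; take the real ports from the network ports document linked above.

```powershell
# Run elevated on the Connection Server. All values below are assumptions.
$DesktopSubnet = '10.20.0.0/16'    # hypothetical VDI desktop subnet
$AgentPorts    = @(4001, 4002)     # assumed agent-to-Connection-Server ports; verify
$RuleName      = 'Horizon - block desktop subnet except agent ports'

# Hypothetical helper: returns every TCP port range NOT in the allowed list,
# in the string form that New-NetFirewallRule -LocalPort accepts.
function Get-ComplementPortRange {
    param([int[]]$AllowedPorts)
    $ranges = @()
    $start  = 1
    foreach ($p in ($AllowedPorts | Sort-Object -Unique)) {
        if ($p -gt $start)       { $ranges += "$start-$($p - 1)" }
        elseif ($p -lt $start)   { continue }
        $start = $p + 1
    }
    if ($start -le 65535) { $ranges += "$start-65535" }
    # Collapse one-port ranges such as "5-5" to "5"
    $ranges | ForEach-Object {
        $lo, $hi = $_ -split '-'
        if ($lo -eq $hi) { $lo } else { $_ }
    }
}

$blocked = Get-ComplementPortRange -AllowedPorts $AgentPorts   # "1-4000","4003-65535"

# Block rules take precedence over allow rules in Windows Firewall, so the
# existing allow rules for the agent ports keep working while HTTPS and every
# other TCP port is closed to the desktop subnet only.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Block -Protocol TCP `
    -RemoteAddress $DesktopSubnet -LocalPort $blocked -Profile Any | Out-Null

# Review what was applied.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# From a desktop VM, confirm the result (server name is a placeholder):
#   Test-NetConnection <connection-server> -Port 443    -> TcpTestSucceeded False
#   Test-NetConnection <connection-server> -Port 4002   -> TcpTestSucceeded True
```

This only covers TCP and only the Connection Server; if Horizon clients on the same subnet connect directly to the Connection Server rather than through a UAG, they would be blocked too, so scope `$DesktopSubnet` to the desktop VMs alone.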