VMware Horizon Community
Tibmeister
Expert

View 5.2 Security Server-Connection Server connections

So, I'm wondering if it is in any way possible to not expose a desktop subnet to the DMZ when deploying a Security Server? I seem to remember there was a way to have the Security Server tunnel all traffic through the Connection Server, but for the life of me I can't seem to figure it out.


Accepted Solutions
markbenson
VMware Employee

Even in your previous PoC you would still have needed to allow certain ports (PCoIP, RDP if you use that, and the framework channel) from the Security Server to the virtual desktops. This has always been the case.

The role of the Security Server is to protect exposure of the desktops to the Internet. It performs inspection of protocols from the Internet (such as PCoIP) so that it can verify whether the traffic is on behalf of an authenticated user and to ensure that if it is valid, it gets delivered to a desktop that the user is authorized to access. It is important to configure your inner firewall so that the desktop protocols (PCoIP etc.) can only come from Security Servers. This then gives you the required assurance. If packets such as PCoIP UDP packets arrive in your DMZ that are not on behalf of an authenticated user then they are discarded in the DMZ without ever being forwarded into your data center. You know that all protocols to the virtual desktops have been validated by the Security Server.

The Security Server does also need to communicate with the Connection Server and this is why you also need to allow JMS, AJP13 and IPsec through. These should only be to Connection Servers and again only from Security Servers.

You can always route PCoIP packets through a proxy in your datacenter, but the required security inspection happens before that in the Security Server so that if necessary they can be discarded in the DMZ.

Mark

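The inner-firewall policy Mark describes above comes down to two checks: desktop protocols (PCoIP, RDP, framework channel) reach the desktop subnet only from Security Server addresses, and JMS, AJP13 and IPsec reach Connection Servers only from Security Server addresses. The script below is an added example for auditing a rule set against that policy; it is not code from this thread or from VMware. The topology, rule set and port numbers are constructed assumptions (the ports are the usual View values, so confirm them against the documentation for your version), and the last check, flagging any DMZ-to-desktop port the Security Server does not validate, is stricter than what the post itself states.

```python
"""Added example, not code from the thread or from VMware: audit an inner-firewall
rule set against the policy described in the accepted answer (desktop protocols
to the desktop subnet only from Security Servers; JMS, AJP13 and IPsec to
Connection Servers only from Security Servers). Topology, rules and port numbers
below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample topology (assumption, not from the thread).
SECURITY_SERVERS = {"10.1.0.11", "10.1.0.12"}          # in the DMZ
CONNECTION_SERVERS = {"10.2.0.21", "10.2.0.22"}        # internal network
DESKTOP_SUBNET = ipaddress.ip_network("10.3.0.0/16")   # virtual desktops
DMZ_SUBNET = ipaddress.ip_network("10.1.0.0/24")

# (protocol, port) -> service name. Ports assumed from View documentation.
DESKTOP_SERVICES = {
    ("tcp", 4172): "PCoIP", ("udp", 4172): "PCoIP",
    ("tcp", 3389): "RDP", ("tcp", 32111): "framework channel",
}
CS_SERVICES = {
    ("tcp", 4001): "JMS", ("tcp", 8009): "AJP13",
    ("udp", 500): "IPsec IKE", ("udp", 4500): "IPsec NAT-T", ("esp", None): "IPsec ESP",
}


@dataclass(frozen=True)
class Rule:
    src: str             # host address or CIDR
    dst: str             # host address or CIDR
    proto: str           # "tcp", "udp", "esp" or "any"
    port: Optional[int]  # None means every port
    action: str          # "allow" or "deny"


def _net(addr: str):
    return ipaddress.ip_network(addr, strict=False)


def _only_security_servers(src: str) -> bool:
    """True if every address the source field covers is a Security Server."""
    net = _net(src)
    if net.num_addresses > len(SECURITY_SERVERS):
        return False
    return all(str(ip) in SECURITY_SERVERS for ip in net)


def _matches(rule: Rule, proto: str, port: Optional[int]) -> bool:
    """Does this rule permit the given service flow?"""
    if rule.proto not in (proto, "any"):
        return False
    return rule.port is None or rule.port == port


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that violates the policy.

    Only allow rules create exposure, so deny rules are skipped; a real audit
    would also have to respect rule order and the firewall's default action.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        dst = _net(r.dst)
        src_is_ss = _only_security_servers(r.src)

        if dst.overlaps(DESKTOP_SUBNET):
            hit = sorted({n for (p, port), n in DESKTOP_SERVICES.items() if _matches(r, p, port)})
            if hit and not src_is_ss:
                findings.append(f"{r}: {', '.join(hit)} to desktops from a source other than a Security Server")
            elif not hit and _net(r.src).overlaps(DMZ_SUBNET):
                # Stricter than the post states: a DMZ-to-desktop port that the
                # Security Server does not validate bypasses its inspection.
                findings.append(f"{r}: DMZ to desktops on a port the Security Server does not validate")

        if any(dst.overlaps(_net(cs)) for cs in CONNECTION_SERVERS):
            hit = sorted({n for (p, port), n in CS_SERVICES.items() if _matches(r, p, port)})
            if hit and not src_is_ss:
                findings.append(f"{r}: {', '.join(hit)} to Connection Servers from a source other than a Security Server")
    return findings


# Constructed sample rule set: three compliant rules and three violations.
SAMPLE_RULES = [
    Rule("10.1.0.11", "10.3.0.0/16", "tcp", 4172, "allow"),   # PCoIP from a SS: fine
    Rule("10.1.0.11", "10.3.0.0/16", "udp", 4172, "allow"),   # PCoIP from a SS: fine
    Rule("10.1.0.0/24", "10.3.0.0/16", "tcp", 3389, "allow"), # RDP from the whole DMZ: bad
    Rule("10.1.0.12", "10.2.0.21", "tcp", 8009, "allow"),     # AJP13 SS -> CS: fine
    Rule("10.1.0.0/24", "10.2.0.0/24", "any", None, "allow"), # whole DMZ -> CS network: bad
    Rule("10.1.0.11", "10.3.0.0/16", "tcp", 22, "allow"),     # SSH SS -> desktops: not validated
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the sample rules it reports three findings: the RDP allow from the whole DMZ, the any-protocol allow from the DMZ into the Connection Server network, and the SSH allow from a Security Server to the desktops. The two PCoIP rules and the AJP13 rule pass because their source is exactly a Security Server address.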
5 Replies
Linjo
Leadership

No, that will not work.

// Linjo
markbenson
VMware Employee

You shouldn't expose desktops to the whole DMZ, just the Security Servers. Control this at the firewall.

This way you have the assurance that all traffic going to the desktops is traffic on behalf of View authenticated users and that users can only get to their authorised resources.

Mark

Tibmeister
Expert

So that is where my confusion lies; I seem to remember doing a PoC a while back where I only had to open the port on the inner firewall between the Security Server (SS) and Connection Server (CS). In a current Production environment, this does not function and the documentation states that the inner firewall needs exposure between the SS and the desktops, which seems to me to be a huge security risk and negates the usage of the SS in the first place.

This post is a good breakdown of this: http://www.ivobeerens.nl/2013/03/05/tips-for-implementing-a-vmware-horizon-view-security-server/ and this KB article shows ports opened from the SS to the desktop subnet http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102721...

Tibmeister

Very nice answer! It is very possible the network folks decided to force a proxy through the Connection Server, because when I bounced the CS, all PCoIP sessions disconnected.
