By Charles Windom, Sr. Product Marketing Manager, End-User Computing, VMware
In this blog post I cover the most common tasks in securing your VMware Horizon View deployment. Although the main objective is to provide a secure environment for your users to connect to, you should consider each suggestion relative to user productivity. You do not want to lock down the environment so much that your end users become unproductive and cannot get their daily tasks accomplished while using the environment.
After you have deployed VMware Horizon View internally as a proof of concept, and your users love it, you want to go to production with your internal deployment. Your users want remote access to their Horizon View desktops and your IT Security department has given the go-ahead to allow remote access to your internal Horizon View deployment. However, IT mandates that you create a controlled and secured deployment. What can you do to ensure that you provide secure remote access to your Horizon View desktops?
On the front-end or remote side of your deployment
- The first task you must complete, if you didn’t do so when you first deployed your Horizon View proof of concept, is to install trusted Secure Sockets Layer (SSL) certificates on the vCenter Server, View Connection Server, View Composer Server and the View Security Server (when deployed). Installing trusted certificates on all of the servers will ensure that View Clients are communicating with the correct servers and that any client sessions will not be hijacked by untrusted entities. For more information on replacing the SSL certificates on your View servers and your vCenter Server, see “Obtaining SSL Certificate for VMware Horizon View Servers” and “VMware vSphere Security.”
- Once you have replaced your SSL certificates, if you haven’t already, deploy a load-balancer in the DMZ of your organization’s forward firewall. A load-balancer can handle large numbers of connections and is also used to load-balance other applications in addition to Horizon View. If you are handling very large numbers of View Client connections, SSL connections can be terminated at the load-balancer to offload SSL overhead from the View Security Servers. If a traditional load-balancer is not installed or cannot be installed, vCloud Network and Security (vCNS) can be deployed in place of a traditional load-balancer. VMware vCNS Edge includes a firewall, load-balancer and VPN amongst other security features that can be implemented to secure your Horizon View deployment.
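To confirm the certificate replacement described in the first task, each server can be checked the way a client would check it: the chain must validate against the trust store and the certificate must match the hostname. The following is an added example, not code from the original post or from VMware; the hostnames, ports and the `check_server` and `audit` helpers are assumptions to adapt to your own inventory.

```python
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical inventory: hostnames and ports are placeholders, not from the post.
SERVERS = [
    ("vcenter.example.internal", 443),          # vCenter Server
    ("view-cs.example.internal", 443),          # View Connection Server
    ("view-sec.example.internal", 443),         # View Security Server
    ("view-composer.example.internal", 18443),  # View Composer (assumed port)
]

def check_server(host, port, cafile=None, timeout=5.0):
    """Connect like a client and report whether the server certificate is trusted."""
    # The default context requires a valid chain AND a hostname match.
    # Pass cafile to trust only an internal CA bundle instead of the system store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed default certificate, unknown CA, expired, or name mismatch.
        return {"host": host, "status": "untrusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"host": host, "status": "tls-error", "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - datetime.now(timezone.utc)).days
    return {"host": host, "status": "trusted", "detail": f"expires in {days_left} days"}

def audit(servers, cafile=None):
    """Check every (host, port) pair and return one result dict per server."""
    return [check_server(host, port, cafile) for host, port in servers]

if __name__ == "__main__":
    for r in audit(SERVERS):
        print(f"{r['status']:<12}{r['host']:<36}{r['detail']}")
```

A server still presenting its self-signed installation certificate reports `untrusted`, which is the state the certificate replacement is meant to eliminate.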