Securing Horizon View 5.2 Deployments
By Charles Windom, Sr. Product Marketing Manager, End-User Computing, VMware
In this blog post I cover the most common tasks in securing your VMware Horizon View deployment. Although the main objective is to provide a secure environment for your users to connect to, you should consider each suggestion relative to user productivity. You do not want to lock down the environment so much that your end users become unproductive and cannot get their daily tasks accomplished while using the environment.
After you have deployed VMware Horizon View internally as a proof of concept, and your users love it, you want to go to production with your internal deployment. Your users want remote access to their Horizon View desktops and your IT Security department has given the go-ahead approval to allow remote access to your internal Horizon View deployment. However, IT mandates that you create a controlled and secured deployment. What can you can do to ensure that you provide secure remote access to your Horizon View desktops?
On the front-end or remote side of your deployment
- The first task you must complete if you didn’t when you first deployed your Horizon View proof of concept is to install trusted Secure Sockets Layer (SSL) certificates on the vCenter, View Connection Server, View Composer Server and the View Security Server (when deployed). Installing trusted certificates on all of the servers will ensure that View Clients are communicating with the correct servers and that any client sessions will not be hijacked by un-trusted entities. For more information on replacing the SSL certificates on your View servers and your vCenter Server, see “Obtaining SSL Certificate for VMware Horizon View Servers” and “VMware vSphere Security.”
- Once you have replaced your SSL certificates, if you haven’t already, deploy a load-balancer in the DMZ of your organization’s forward firewall. A load-balancer can handle large numbers of connections and is also used to load-balance other applications in addition to Horizon View. If you are handling very large numbers of View Client connections, SSL connections can be terminated at the load-balancer to offload SSL overhead from the View Security Servers. If a traditional load-balancer is not installed or cannot be installed, vCloud Network and Security (vCNS) can be deployed in place of a traditional load-balancer. VMware vCNS Edge includes a firewall, load-balancer and VPN amongst other security features that can be implemented to secure your Horizon View deployment.
- In planning for securing your Horizon View deployment, you should start by looking at the corporate firewall and ensuring that only necessary traffic is flowing into and out of the organization. Read the “VMware Horizon View Security Guide,” which gives you information needed to secure your deployment and allow secure access. The security guide lists the required ports that must be accessible in order to provide secure access to your internal Horizon View deployment. Periodic monitoring should always be performed to ensure that all of the rules required for your organization are enabled and actively enforced.
- The View Security Server is an additional component that should be deployed and configured when remote access to the Horizon View deployment is planned. To facilitate secure connections to the Horizon View desktops, deploy one or more View Security servers and pair them with the View Connection Servers. The View Security Server sits in the DMZ of your corporate network and proxies Horizon View desktop connections into your internal or trusted network. View Security Servers will pass traffic only to the View Connection Server that each is paired with. When the View Security Server is deployed and properly configured, all unprotected connection requests are forced through the View Security Server.
- Client security is a must when connecting to your Horizon View deployment. Ensure that your clients are well protected in the antivirus and anti-malware department. Also ensure that your clients have the latest security and operating system updates installed. If possible, apply Group Policy or Local Security Policy to lock down the client firewall so that only necessary traffic out of and into the client computer is allowed. Disable Auto-Login and enable Screen Saver lockout. Replace the default View Client SSL certificates. A new feature in Horizon View 5.2 allows the use of trusted SSL certificates for View Client connection to the View Security Server. In previous versions of Horizon View, the channel between the View Client and the View Security Server was protected using a self-signed SSL certificate. With Horizon View 5.2, a Certificate Authority (CA)-signed certificate can be used to secure the channel between the View Client and the View Security Server.
On the back-end or internal side of your deployment
- The View Connection Server is typically secured using Active Directory security, Active Directory and Horizon View Group Policy. If more enhanced security is required, two-factor authentication can be deployed and configured to support even higher security for connections to Horizon View desktops. RADIUS and SecurID as well as other token vendors are supported for Horizon View. More information on RADIUS and SecurID is available at “RADIUS Authentication” and the VMware Knowledge Base article 2003455 “Configuring RSA SecurID for VMware View.”
- Active Directory can provide security for your Horizon View deployment with Active Directory user and group authentication. If you are not already using Active Directory Group Policy to manage your desktops, you should create dedicated Organizational Units (OUs) for your Horizon View desktops and users and apply those group policies appropriate for your organization to those OUs. Horizon View Group Policy templates extend Active Directory Group Policy and can also enable policy enforcement on View Agents, View Clients and even View connection protocols such as PCoIP.
- Antivirus implementation for protecting your Horizon View desktops from virus and malware attacks must also be addressed. If not implemented correctly, traditional virus or malware scanning can significantly degrade performance due to increased I/O demands. Deploy VMware vShield Endpoint to effectively manage antivirus and malware. For more information on vCNS vShield Endpoint security and the complete list of partners, see the following link “VMware Integrated Partner Solutions for Networking and Security.”
In this blog post I discussed the more common topics for securing your VMware Horizon View desktop infrastructure. I chose to work from the direction of untrusted to trusted networks. You may take a different approach if you have all of the internal back-end tasks completed. For more information be sure to check out the links provided in this blog post as well as the upcoming “Security Considerations for VMware Horizon View 5.2” paper.