VMware Horizon Service Installer for NSX – Building Up a Secured Desktop Infrastructure

By Sam Zhao, Manager, End-User-Computing Technical-Marketing Center of Excellence, VMware, and Tristan Todd, VMware alumnus

In an earlier blog, A Deep Dive into VMware Horizon 6 with NSX, Tristan Todd, a VMware alumnus, introduced some VMware technologies that offer wide-ranging capabilities and benefits to users, administrators, and business leaders through securing desktop virtualization with VMware NSX and Horizon 6.

As an IT administrator, you might be concerned about the complexity of the architecture, the amount of time needed to configure the NSX components, or the difficulty of understanding the logic of the firewall policy. And you might ask if there is a straightforward way to build up such a secured desktop infrastructure with NSX for Horizon 6 and Horizon 7.

The answer is “Yes,” and we are pleased to announce that version 1.2 of a Fling, the VMware Horizon Service Installer for NSX, is here.

Note: This Fling is only for View VDI in Horizon 6 or Horizon 7, not for Horizon Air Cloud-Hosted Desktops.

How Does the Horizon Service Installer Work?

Currently, the Services and Service Groups for View in Horizon 6 or Horizon 7 do not ship with NSX 6.2. IT administrators must manually add the services related to Horizon 6 or 7 into NSX, including the source, destination, protocol, and port information. This is a time-consuming process and lends itself to errors.

The VMware Horizon Service Installer for NSX Fling tool inserts View services into NSX for you, and then combines them into Service Groups. The tool creates empty security groups and corresponding NSX distributed firewall rules for the View environment:

  • The four security groups are View Desktops, View Connection Server, View Security Server, and View Composer Server, and represent the corresponding View component resources. You must manually place View components into these security groups.
  • The five distributed firewall rules are Desktop FW Rule, Connection Server FW Rule, Security Server FW Rule, Composer Server FW Rule, and Default Rule. The security groups are used in the NSX firewall rules.

In your deployment, add the View components to security groups, for example, add your View Connection Server virtual machine to the View Connection Server security group. This sets up the View network infrastructure based on NSX, which can be used to protect both the View infrastructure and hosted desktops and applications.

Using the Horizon Service Installer for NSX

To install the VMware Horizon Service Installer for NSX tool, follow the instructions on the Fling site, or refer to the readme.txt file in the Fling package. A sample installation is shown in Figure 1.

Figure 1: Sample Installation

The tool automatically creates View services, View service groups, security groups, and the corresponding distributed firewall rules.

Figure 2: The Four Empty Security Groups Created by the Tool

Figure 3: The Five Distributed Firewall Rules Created Under the Firewall Section, Horizon View Section

After installation, add View components to the security groups, as follows.

Figure 4: Service Composer Window in the NSX Administrative Console

Figure 5: Assigning View Component Resources as Members of a Security Group

With this infrastructure in place, you can manage the network through the integration of View and NSX. For example, to disable access to all desktops, change the Action of Desktops Rule to Block, as seen in Figure 6. Users are then immediately blocked from accessing their VDI desktops.

Figure 6: Disabling Access to All Desktops with Desktops Rule
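A post-install check for the setup described above, as an added example that is not part of the original post or of the Fling. It flags security groups that are still empty, missing rules, rules that use a group that does not exist, and component rules left on Block; the inventory layout, VM names, and rule fields are constructed for this example.

```python
# Expected names are the ones listed in the post. The inventory layout is an
# assumption made for this example; it is not the NSX API response format.
EXPECTED_GROUPS = ["View Desktops", "View Connection Server",
                   "View Security Server", "View Composer Server"]
EXPECTED_RULES = ["Desktop FW Rule", "Connection Server FW Rule",
                  "Security Server FW Rule", "Composer Server FW Rule",
                  "Default Rule"]

def audit(inventory):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    groups = inventory.get("security_groups", {})
    rules = {r["name"]: r for r in inventory.get("firewall_rules", [])}
    for name in EXPECTED_GROUPS:
        if name not in groups:
            findings.append(f"missing security group: {name}")
        elif not groups[name]:
            # Groups are created empty; a rule that uses an empty group
            # matches no virtual machine until members are added.
            findings.append(f"empty security group: {name}")
    for name in EXPECTED_RULES:
        rule = rules.get(name)
        if rule is None:
            findings.append(f"missing firewall rule: {name}")
        elif name != "Default Rule" and rule.get("action") == "block":
            # Block on a component rule cuts access through that rule.
            findings.append(f"rule set to Block: {name}")
    for rule in rules.values():
        for ref in rule.get("groups", []):
            if ref not in groups:
                findings.append(f"{rule['name']} uses unknown group: {ref}")
    return findings

SAMPLE = {  # constructed VM names, actions, and group references
    "security_groups": {
        "View Desktops": ["vdi-001", "vdi-002"],
        "View Connection Server": ["view-cs-01"],
        "View Security Server": [],
        "View Composer Server": ["view-composer-01"],
    },
    "firewall_rules": [
        {"name": "Desktop FW Rule", "action": "block", "groups": ["View Desktops"]},
        {"name": "Connection Server FW Rule", "action": "allow",
         "groups": ["View Connection Server", "View Desktops"]},
        {"name": "Security Server FW Rule", "action": "allow", "groups": ["View Security Server"]},
        {"name": "Composer Server FW Rule", "action": "allow", "groups": ["View Composer Server"]},
        {"name": "Default Rule", "action": "allow", "groups": []},
    ],
}
```

If you rename objects through the YAML files, update `EXPECTED_GROUPS` and `EXPECTED_RULES` to match before running the audit.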

To see the setup discussed in this blog post, you can also watch the H4NSX V1.1 video.

Customizing the Horizon Service Installer for NSX Tool for Your Own Environment

You can customize the Horizon Service Installer for NSX tool if you have your own requirements for NSX service naming, network port configuration, and so on.

Go to the folder with the tool contents to find two files named horizon6_Service.yml and horizon7_Service.yml. The tool reads its data from these properties files. The content of each file is in YAML format and is self-explanatory. Customize the values to accommodate the requirements of your environment, and then run the tool to build your own View network infrastructure that is based on NSX.

Downloading the Horizon Service Installer for NSX Tool

You can learn more about and download the VMware Horizon Service Installer for NSX.

You can comment on this blog post by contacting the VMware End-User-Computing Technical-Marketing Center of Excellence at [email protected].