VMware Access Point: The One-Stop Shop for Secure Access to VMware Horizon 7, VMware Identity Manager, and VMware AirWatch

Sep 22, 2016

Author:

Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware. Currently focusing on best-practice technical architecture throughout the VMware EUC portfolio, white paper, collateral creation, enablement of technical communities, and tool development.


Flash! For more recent information on VMware Access Point, which has now become VMware Unified Access Gateway, see Providing Secure Access to VMware Horizon 7 and VMware Identity Manager with the VMware Unified Access Gateway.


Access Point 2.7.2 is one of the components updated as part of the recent VMware Horizon 7.0.2, VMware Horizon Client 4.2, and VMware Identity Manager 2.7.1 releases. You can read more about all the great new features and capabilities of the Horizon 7 and Horizon Client releases in VMware Horizon 7.0.2 and Horizon Client 4.2 Are Now GA!.

What Is Access Point?

Access Point functions as a secure gateway for users who want to access application and desktop resources from outside the corporate firewall. An Access Point appliance typically resides within a network demilitarized zone (DMZ) and acts as a proxy host for connections inside your organization’s trusted network. This design provides an additional layer of security by shielding VMware Identity Manager, virtual desktops, application hosts, and servers from the public-facing Internet.

Access Point directs authentication requests to the appropriate server and discards any unauthenticated requests. The only VMware Identity Manager, virtual desktop, and hosted application traffic that can enter the organization’s data center is traffic on behalf of a strongly authenticated user. Users can access only the resources that they are authorized to access.

Access Point provides very similar functionality to View security server for Horizon 7 but does not need 1-to-1 pairing with a View Connection Server. Access Point is also capable of proxying sessions to other VMware products and providing more advanced security options including authentication in the DMZ. If you are running View security servers, take the time to look at replacing them with Access Point appliances.

Convergence of Versions

With Access Point 2.7.2, you can use the same version of Access Point to provide edge services to Horizon Connection Servers, VMware Identity Manager, and VMware AirWatch. Previously you had to use different versions of Access Point appliances for each of these products.

With this convergence of versions, we can even take this a step further and use the same instance of Access Point to proxy sessions to multiple end solutions. Now you can use the same appliance to proxy sessions to Connection Servers, VMware Identity Manager, and AirWatch.

VMware Access Point 2.7.2 Connections

In larger-scale environments you would still want to have separate Access Point appliances for each purpose, to provide scale and operational separation. But in mid to smaller environments, where the load on Access Point is not substantial, combining workloads on one set of Access Point appliances is convenient.

Deployment of Access Point

The easiest way to deploy Access Point is to use the PowerShell scripts provided in Using PowerShell to Deploy VMware Access Point.

First, configure the PowerShell script for your environment.

  1. From Using PowerShell to Deploy VMware Access Point, download the apdeploy-272.v2.zip or later file and extract the contents.
  2. Make a copy of the ap10-vidm.ini file and edit it.
  3. As with any deployment, go through and enter your information as required for the General and SSLCert sections.

Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.

[General]
name=ap1
source=S:\euc-access-point-2.7.2.0-4354291_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@192.168.1.12/Datacenter/host/Cluster/
ds=vsanDatastore
netInternet=DMZ
netManagementNetwork=DMZ
netBackendNetwork=DMZ
deploymentOption=onenic
ip0=192.168.2.36
dns=192.168.1.10

[SSLCert]
pemCerts=sslcertificate.pem
pemPrivKey=private.key

  4. Complete the WebReverseProxy section to configure access to VMware Identity Manager.

The only line you need to change here is the proxyDestinationURL line. Do not change the proxyPattern lines.

[WebReverseProxy]
proxyDestinationURL=https://workspace.domain.com

In the example above, workspace.domain.com is the internal address of the VMware Identity Manager appliance (or the internal load balancer address if you have more than one VMware Identity Manager appliance).

  5. Copy the Horizon section of the ap2-advanced.ini file and paste it into your first file (your copy of ap10-vidm.ini) at the end, on a new line after the authCookie line.
  6. Complete the Horizon section and enter the following relevant values for your environment.

[Horizon]
proxyDestinationUrl=https://view.domain.com
tunnelExternalUrl=https://horizon.domain.com:443
blastExternalUrl=https://horizon.domain.com:443
pcoipExternalUrl=88.100.100.100:4172

In the example above:

view.domain.com is the internal address of the Connection Server (or the internal load balancer address if you have more than one Connection Server).

horizon.domain.com is the external address used for Horizon connections.

88.100.100.100 is the external IP address for horizon.domain.com.

Now you are ready to deploy the Access Point appliance.

  7. Open a PowerShell prompt and change to the directory where the scripts are located.
  8. Run ./apdeploy.ps1 ./<filename>.ini and follow the prompts, entering the passwords. Make sure to use the apdeploy.ps1 supplied with the apdeploy-272.v2.zip file or later.
  9. After the process is complete, wait a few minutes for the Access Point appliance to boot completely.

You can monitor this process in VMware vCenter Server to see when the assigned IP address is reported on the Summary page for the VM. If you have all the settings in the INI file completed correctly, and your certificates are in order, you will have a fully operational Access Point that will proxy connections to both your Connection Server and the VMware Identity Manager appliance.
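Because a typo in the INI only shows up after the OVA has been pushed to vCenter, it is worth checking the file before step 8. The following PowerShell is an added example, not part of the post or of VMware's apdeploy scripts: it parses the combined INI, confirms that the General, SSLCert, WebReverseProxy, and Horizon sections carry the keys used above, checks that the OVA and PEM files exist, that the destination and external URLs are https://, that pcoipExternalUrl is IP:port, and that the vi:// target still uses the PASSWORD placeholder rather than an embedded credential. The file name ap10-vidm-horizon.ini and the required-key lists are assumptions based on the post's example.

```powershell
# Added example (not from the original post or VMware's apdeploy scripts).
# Pre-flight check for a combined vIDM + Horizon Access Point INI before apdeploy.ps1 runs.

function Read-IniFile {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a hashtable of section name -> hashtable of key -> value.
    $ini = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($section -eq '') { continue }   # ignore keys that appear before any [section]
        if ($line -match '^([^=]+)=(.*)$') {
            # Trim both sides so "proxyDestinationURL= https://..." does not keep a leading space.
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-AccessPointIni {
    param([Parameter(Mandatory)][string]$Path)
    $ini = Read-IniFile -Path $Path
    $problems = New-Object System.Collections.Generic.List[string]

    # Keys the combined deployment in the post uses, per section (assumed minimum set).
    $required = @{
        'General'         = @('name', 'source', 'target', 'ds', 'netInternet', 'netManagementNetwork', 'netBackendNetwork', 'deploymentOption', 'ip0', 'dns')
        'SSLCert'         = @('pemCerts', 'pemPrivKey')
        'WebReverseProxy' = @('proxyDestinationURL')
        'Horizon'         = @('proxyDestinationUrl', 'tunnelExternalUrl', 'blastExternalUrl', 'pcoipExternalUrl')
    }
    foreach ($sec in $required.Keys) {
        if (-not $ini.ContainsKey($sec)) { $problems.Add("missing section [$sec]"); continue }
        foreach ($key in $required[$sec]) {
            if (-not $ini[$sec].ContainsKey($key) -or $ini[$sec][$key] -eq '') {
                $problems.Add("[$sec] $key is missing or empty")
            }
        }
    }

    if ($ini.ContainsKey('General')) {
        $g = $ini['General']
        if ($g['source'] -and -not (Test-Path -LiteralPath $g['source'])) { $problems.Add("source OVA not found: $($g['source'])") }
        # apdeploy.ps1 prompts for the vCenter password, so the file should carry the PASSWORD placeholder, never the real one.
        if ($g['target'] -and $g['target'] -notmatch '^vi://[^:/]+:PASSWORD@') { $problems.Add('target should use the PASSWORD placeholder, not an embedded password') }
        $parsed = $null
        if ($g['ip0'] -and -not [System.Net.IPAddress]::TryParse($g['ip0'], [ref]$parsed)) { $problems.Add("ip0 is not a valid IP address: $($g['ip0'])") }
    }
    if ($ini.ContainsKey('SSLCert')) {
        foreach ($key in 'pemCerts', 'pemPrivKey') {
            $f = $ini['SSLCert'][$key]
            if ($f -and -not (Test-Path -LiteralPath $f)) { $problems.Add("[SSLCert] $key file not found: $f") }
        }
    }

    # Destination and external URLs for the web proxy, tunnel and Blast must be https://.
    $urlKeys = @(
        @('WebReverseProxy', 'proxyDestinationURL'),
        @('Horizon', 'proxyDestinationUrl'),
        @('Horizon', 'tunnelExternalUrl'),
        @('Horizon', 'blastExternalUrl')
    )
    foreach ($pair in $urlKeys) {
        $sec, $key = $pair
        if ($ini.ContainsKey($sec) -and $ini[$sec][$key] -and $ini[$sec][$key] -notmatch '^https://[A-Za-z0-9.-]+(:\d+)?(/.*)?$') {
            $problems.Add("[$sec] $key must be an https:// URL: $($ini[$sec][$key])")
        }
    }
    # pcoipExternalUrl is IPv4:port (the post uses 88.100.100.100:4172), not an https URL.
    if ($ini.ContainsKey('Horizon') -and $ini['Horizon']['pcoipExternalUrl'] -and
        $ini['Horizon']['pcoipExternalUrl'] -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$') {
        $problems.Add("[Horizon] pcoipExternalUrl must be IPv4:port: $($ini['Horizon']['pcoipExternalUrl'])")
    }
    return $problems
}

# Usage: validate first, deploy only on a clean result.
$iniFile = './ap10-vidm-horizon.ini'   # assumed name of your edited copy of ap10-vidm.ini
$issues = @(Test-AccessPointIni -Path $iniFile)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
}
else {
    ./apdeploy.ps1 $iniFile
}
```

The PASSWORD check is the one worth keeping even if you trim the rest: the INI tends to get copied between administrators and into version control, and the deployment script already prompts for the credential, so there is no reason for it to be in the file.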

There is one slight nuance of this combined deployment model where an Access Point appliance is used for both VMware Identity Manager and Horizon 7. Direct external Web access to the Horizon 7 HTML login page is not possible using the normal URL. In this example, you have two FQDNs: horizon.domain.com for your Connection Servers and workspace.domain.com for your VMware Identity Manager appliance. If the user enters either https://horizon.domain.com or https://workspace.domain.com, the user always gets directed to the VMware Identity Manager login page.

VMware Access Point 2.7.2 Login Access to VMware Identity Manager and to Horizon 7

This should not be a concern, as you want your primary external Web entry point for users to be through VMware Identity Manager. From there, a user can always connect to a Horizon 7 desktop or app using HTML Access or the Horizon Client. Users can also access the Horizon 7 HTML login page by appending /portal to the URL, for example:

https://horizon.domain.com/portal

External access using the Horizon Client is unaffected by this behavior and directly routes to the Connection Server.
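Once the appliance is up, the quickest confidence check from outside the DMZ is that each external name answers TLS with the certificate you loaded in the SSLCert section, and that the PCoIP port is actually reachable on the external IP. The following PowerShell is an added example, not part of the post: it opens a TLS session to each FQDN, reports the protocol, subject, expiry and whether the certificate's CN or Subject Alternative Name covers the name users will type, rebuilds the chain with the local trust store, and probes TCP 4172 on the external address. The host names and IP are the post's example values; the function names are my own.

```powershell
# Added example (not from the original post). Post-deployment check of the
# edge endpoints published in the WebReverseProxy and Horizon sections.

function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain during the handshake so a misconfigured appliance can still be
        # inspected; trust is evaluated separately below and reported, not assumed.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name is OID 2.5.29.17. Format() prints "DNS Name=" on Windows
        # and "DNS:" on .NET for Linux, so accept either spelling.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $escaped = [regex]::Escape($HostName)
        $nameCovered = ($san -match "DNS( Name=|:)$escaped(,|$)") -or ($cert.Subject -match "CN=$escaped(,|$)")

        # Rebuild the chain against the local trust store (no callback override here).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)

        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NameCovered  = $nameCovered
            ChainTrusted = $chainTrusted
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-TcpPort {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port)
    $c = New-Object System.Net.Sockets.TcpClient
    try { $c.Connect($HostName, $Port); $c.Connected } catch { $false } finally { $c.Dispose() }
}

# Usage: both external names from the post, then the PCoIP port on the external IP.
'horizon.domain.com', 'workspace.domain.com' |
    ForEach-Object { Test-EdgeCertificate -HostName $_ } |
    Format-Table -AutoSize
# PCoIP needs TCP and UDP 4172 opened to the external IP; this confirms only the TCP side.
"PCoIP TCP 4172 reachable: $(Test-TcpPort -HostName '88.100.100.100' -Port 4172)"
```

Run it from a machine that is not on the internal network, otherwise split DNS may send you straight to the Connection Server and the check proves nothing about the DMZ path. NameCovered should be true for both names, since a single certificate (or one with both SANs) fronts the shared appliance, and a false ChainTrusted usually means the intermediate CA was left out of sslcertificate.pem.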

Of course, this configuration of Access Point works with multiple components (Access Point appliances, Connection Servers, VMware Identity Manager appliances) and load balancers. To understand how to deploy multiple components with load balancers, see the recent Horizon 7 Enterprise Edition Reference Architecture: Validated Integration Design.

Try the deployment instructions in this blog post and use this as an opportunity to make the move to Access Point 2.7.2. You can create PowerShell scripts that quickly deploy the appliance and provide secure edge services to multiple use cases, including Horizon Connection Server, VMware Identity Manager, and VMware AirWatch.
