You can deploy Access Point with Horizon View and Horizon Air Hybrid-Mode. For the View component of VMware Horizon, Access Point appliances fulfill the same role that was previously played by View security servers.

Deployment Scenario

Access Point provides secure remote access to on-premises virtual desktops and applications in a customer data center. This operates with an on-premises deployment of Horizon View or Horizon Air Hybrid-Mode for unified management.

Access Point provides the enterprise with strong assurance of the identity of the user, and precisely controls access to their entitled desktops and applications.

Access Point virtual appliances are typically deployed in a network demilitarized zone (DMZ). Deploying in the DMZ ensures that all traffic entering the data center to desktop and application resources is traffic on behalf of a strongly authenticated user. Access Point virtual appliances also ensure that the traffic for an authenticated user can be directed only to desktop and application resources to which the user is entitled. This level of protection involves specific inspection of desktop protocols and coordination of potentially rapidly changing policies and network addresses, to accurately control access.

Verify the following requirements before deploying Access Point with Horizon.

  • If the Access Point appliance points to a load balancer in front of the Horizon servers, the selection of the server instance is dynamic.

  • Access Point replaces the Horizon security server.

  • Port 443 must be available for Blast TCP/UDP.

  • The Blast Secure Gateway and PCoIP Secure Gateway must be enabled when Access Point is deployed with Horizon. This ensures that the display protocols are automatically proxied through Access Point. The BlastExternalURL and pcoipExternalURL settings specify the connection addresses that Horizon clients use to route these display protocol connections through the appropriate gateways on Access Point. This provides improved security because these gateways ensure that the display protocol traffic is controlled on behalf of an authenticated user. Unauthorized display protocol traffic is disregarded by Access Point.

  • Disable the secure gateways on View Connection Server instances and enable these gateways on the Access Point appliances.
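As an added example that is not part of the VMware documentation, the following Python check lints an Access Point View edge-service configuration against the requirements listed above (gateways enabled on the appliance, external URLs set, Blast on port 443, an https destination). The JSON field names are assumed to match the appliance's REST settings for the View edge service, and all values are constructed.

```python
"""Lint an Access Point 'View' edge-service configuration against the
deployment requirements above. Field names (identifier, proxyDestinationUrl,
blastEnabled, blastExternalUrl, pcoipEnabled, pcoipExternalUrl) are assumed
to match the appliance's REST settings; sample values are constructed."""
import json
from urllib.parse import urlsplit

# Constructed example of a weak setup: Blast gateway disabled, Blast external
# URL on a non-standard port, plain-http destination, PCoIP address missing.
WEAK_CONFIG = json.dumps({
    "identifier": "VIEW",
    "enabled": True,
    "proxyDestinationUrl": "http://view-lb.corp.example:80",
    "blastEnabled": False,
    "blastExternalUrl": "https://ap.example.com:8443",
    "pcoipEnabled": True,
    "pcoipExternalUrl": "",
})

# The same service with both gateways enabled and the external URLs set.
HARDENED_CONFIG = json.dumps({
    "identifier": "VIEW",
    "enabled": True,
    "proxyDestinationUrl": "https://view-lb.corp.example:443",
    "blastEnabled": True,
    "blastExternalUrl": "https://ap.example.com:443",
    "pcoipEnabled": True,
    "pcoipExternalUrl": "203.0.113.10:4172",
})


def lint_view_edge_service(config_json: str) -> list[str]:
    """Return one finding per deployment requirement the config violates."""
    cfg = json.loads(config_json)
    findings = []
    if urlsplit(cfg.get("proxyDestinationUrl", "")).scheme != "https":
        findings.append("proxyDestinationUrl must be an https URL to the "
                        "load balancer or View Connection Server")
    if not cfg.get("blastEnabled"):
        findings.append("Blast Secure Gateway must be enabled on Access Point")
    blast = urlsplit(cfg.get("blastExternalUrl", ""))
    if blast.scheme != "https" or (blast.port or 443) != 443:
        findings.append("blastExternalUrl must use https on port 443 "
                        "(Blast TCP/UDP)")
    if not cfg.get("pcoipEnabled"):
        findings.append("PCoIP Secure Gateway must be enabled on Access Point")
    if not cfg.get("pcoipExternalUrl"):
        findings.append("pcoipExternalUrl must be set so PCoIP is routed "
                        "through the appliance")
    return findings
```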

The main differences between Access Point and View security server are as follows.

  • Secure deployment. Access Point is implemented as a hardened, locked-down, preconfigured Linux-based virtual machine.

  • Scalable. You can connect Access Point to an individual View Connection Server, or you can connect it through a load balancer in front of multiple View Connection Servers, giving improved high availability. It acts as a layer between Horizon Clients and back-end View Connection Servers. Because deployment is fast, it can rapidly scale up or down to meet the demands of fast-changing enterprises.

Figure 1. Access Point Appliance Pointing to a Load Balancer

Alternatively you can have one or more Access Point appliances pointing to an individual server instance. In both approaches, use a load balancer in front of two or more Access Point appliances in the DMZ.

Figure 2. Access Point Appliance Pointing to a Horizon Server Instance

Authentication

User authentication is very similar to that of View security server. Supported user authentication methods in Access Point include the following.

  • Active Directory user name and password

  • Kiosk mode. For details about Kiosk mode, see the Horizon documentation.

  • RSA SecurID two-factor authentication, formally certified by RSA for SecurID

  • RADIUS via a number of third-party, two-factor security-vendor solutions

  • Smart card, CAC, or PIV X.509 user certificates

  • SAML

These authentication methods are supported in combination with View Connection Server. Access Point is not required to communicate directly with Active Directory. This communication is proxied through the View Connection Server, which can directly access Active Directory. After the user session is authenticated according to the authentication policy, Access Point can forward requests for entitlement information, and desktop and application launch requests, to the View Connection Server. Access Point also manages its desktop and application protocol handlers so that they forward only authorized protocol traffic.

Access Point handles smart card authentication itself. This includes options for Access Point to communicate with Online Certificate Status Protocol (OCSP) servers to check for X.509 certificate revocation, and so on.