A security server is an instance of Connection Server that adds a layer of security between the Internet and your internal network. You can install one or more security servers and connect them to a Connection Server instance.

The security server software cannot coexist on the same virtual or physical machine with any other Horizon 7 software component, including a replica server, Connection Server, View Composer, Horizon Agent, or Horizon Client.

Prerequisites

  • Determine the type of topology to use. For example, determine which load balancing solution to use. Decide if the Connection Server instances that are paired with security servers will be dedicated to users of the external network. For information, see the Horizon 7 Architecture Planning document.
    Important: If you use a load balancer, it must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.
  • Verify that your installation satisfies the requirements described in Horizon Connection Server Requirements.
  • Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection Server.
  • Verify that the Connection Server instance to be paired with the security server is installed and configured and is running a Connection Server version that is compatible with the security server version. See "Horizon 7 Component Compatibility Matrix" in the Horizon 7 Upgrades document.
  • Verify that the Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
    Note: After a Connection Server upgrade to Horizon 7 version 7.5, security servers with IPsec disabled must be reinstalled. If the IP address of a security server changes, the security server must be reinstalled. Security server pairing does not work correctly if the security server is behind Dynamic NAT.
  • Configure a security server pairing password. See Configure a Security Server Pairing Password.
  • Familiarize yourself with the format of external URLs. See Configuring External URLs for Secure Gateway and Tunnel Connections.
  • Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
  • Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server. See Firewall Rules for Horizon Connection Server.
  • If your network topology includes a back-end firewall between the security server and Connection Server, you must configure the firewall to support IPsec. See Configuring a Back-End Firewall to Support IPsec.
  • If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the security server were removed. See Remove IPsec Rules for the Security Server.
  • If you are installing Horizon 7 in FIPS mode, you must deselect the global setting Use IPSec for Security Server Connections in Horizon Administrator, because in FIPS mode, you must configure IPsec manually after installing a security server.

Procedure

  1. Download the Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
    Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes Connection Server.

    The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.

  2. To start the Connection Server installation program, double-click the installer file.
  3. Accept the VMware license terms.
  4. Accept or change the destination folder.
  5. Select the View Security Server installation option.
  6. Select the Internet Protocol (IP) version, IPv4 or IPv6.
    You must install all Horizon 7 components with the same IP version.
  7. Select whether to enable or disable FIPS mode.
    This option is available only if FIPS mode is enabled in Windows.
  8. Type the fully qualified domain name or IP address of the Connection Server instance to pair with the security server in the Server text box.
    The security server forwards network traffic to this Connection Server instance.
  9. Type the security server pairing password in the Password text box.
    If the password has expired, you can use Horizon Administrator to configure a new password and type the new password in the installation program.
  10. In the External URL text box, type the external URL of the security server. This is required for all clients, no matter which display protocol they use.
    The URL must contain the protocol identifier (https), the client-resolvable security server name, and the port number (443).
    For example: https://view.example.com:443
    Tunnel-capable clients outside your network use the URL to reach machines inside your network via the security server.
  11. In the PCoIP External URL text box, type the external URL of the security server's PCoIP gateway. This is required for clients that use the PCoIP display protocol to connect to remote desktops.
    The protocol-relative URL must contain the security server IP address and the port number (4172). In an IPv4 environment, use an IPv4 address. In an IPv6 environment, use an IPv6 address.
    For example, in an IPv4 environment: 10.20.30.40:4172
    PCoIP-capable clients outside your network use the URL to reach machines inside your network via the security server.
    Note: Although an IPv6 address must be entered here when in an IPv6 environment, it can be replaced with a client-resolvable name after installation.
  12. In the Blast External URL text box, type the external URL of the security server's Blast gateway. This is required for clients that use the Blast display protocol or HTML Access to connect to remote desktops.
    The URL must contain the protocol identifier (https), the client-resolvable security server name, and the port number (8443).
    For example: https://myserver.example.com:8443
    Blast-capable and HTML Access clients outside your network use the URL to reach machines inside your network via the security server.
  13. Choose how to configure the Windows Firewall service.
    Options and actions:
    • Configure Windows Firewall automatically: Let the installer configure Windows Firewall to allow the required network connections.
    • Do not configure Windows Firewall: Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.

  14. Complete the installation wizard to finish installing the security server.
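
The three external URL values in steps 10 to 12 follow different formats, and a value in the wrong format leaves external clients unable to reach the matching gateway. The following PowerShell function is an added example, not part of the Horizon 7 product or documentation, that checks the values before you type them into the installer. The function name, its parameters, and the tolerance for square brackets around an IPv6 address are assumptions made for this example.

```powershell
# Added example: function name and parameters are illustrative, not Horizon's.
function Test-SecurityServerExternalUrls {
    param(
        [Parameter(Mandatory)][string]$ExternalUrl,
        [Parameter(Mandatory)][string]$PcoipExternalUrl,
        [Parameter(Mandatory)][string]$BlastExternalUrl,
        [ValidateSet('IPv4', 'IPv6')][string]$IpVersion = 'IPv4'
    )
    $problems = @()

    # Steps 10 and 12: https, a client-resolvable name, and an explicit port.
    $httpsUrls = @(
        @{ Label = 'External URL';       Value = $ExternalUrl;      Port = 443 },
        @{ Label = 'Blast External URL'; Value = $BlastExternalUrl; Port = 8443 }
    )
    foreach ($u in $httpsUrls) {
        $uri = $null
        if (-not [Uri]::TryCreate($u.Value, [UriKind]::Absolute, [ref]$uri)) {
            $problems += "$($u.Label): '$($u.Value)' is not an absolute URL"
            continue
        }
        if ($uri.Scheme -ne 'https') { $problems += "$($u.Label): protocol identifier must be https" }
        # Uri.Port falls back to the scheme default, so also require the port in the text.
        if ($u.Value -notmatch (':{0}(/|$)' -f $u.Port)) {
            $problems += "$($u.Label): must state port $($u.Port)"
        }
    }

    # Step 11: IP address and port 4172, with no protocol identifier.
    $idx = $PcoipExternalUrl.LastIndexOf(':')
    $ip = $null
    if ($idx -lt 1) {
        $problems += 'PCoIP External URL: expected <IP address>:4172'
    } else {
        $addr = $PcoipExternalUrl.Substring(0, $idx).Trim('[', ']')
        if ($PcoipExternalUrl.Substring($idx + 1) -ne '4172') {
            $problems += 'PCoIP External URL: port must be 4172'
        }
        if (-not [ipaddress]::TryParse($addr, [ref]$ip)) {
            $problems += "PCoIP External URL: '$addr' is not an IP address"
        } elseif (($ip.AddressFamily -eq 'InterNetworkV6') -ne ($IpVersion -eq 'IPv6')) {
            $problems += "PCoIP External URL: address family does not match $IpVersion"
        }
    }
    $problems
}

# The example values from steps 10 to 12; no output means no problems.
Test-SecurityServerExternalUrls -ExternalUrl 'https://view.example.com:443' `
    -PcoipExternalUrl '10.20.30.40:4172' -BlastExternalUrl 'https://myserver.example.com:8443'
```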

Results

The security server services are installed on the Windows Server computer:

  • VMware Horizon View Security Server
  • VMware Horizon View Framework Component
  • VMware Horizon View Security Gateway Component
  • VMware Horizon View PCoIP Secure Gateway
  • VMware Blast Secure Gateway

For information about these services, see the Horizon 7 Administration document.

The security server appears in the Security Servers pane in Horizon Administrator.

The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
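
The results above, and the Windows Firewall prerequisite that the default IPsec rules depend on, can be confirmed from PowerShell on the security server. The following script is an added example, not part of the Horizon 7 product or documentation. It assumes that the service display names match the names listed above.

```powershell
# Added example: read-only checks; run elevated on the security server.
$findings = @()

# Services listed under Results, matched by display name (assumed to equal the listed names).
$expectedServices = @(
    'VMware Horizon View Security Server',
    'VMware Horizon View Framework Component',
    'VMware Horizon View Security Gateway Component',
    'VMware Horizon View PCoIP Secure Gateway',
    'VMware Blast Secure Gateway'
)
foreach ($name in $expectedServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-50} {1}" -f $name, $svc.Status }
    else      { $findings += "Service not installed: $name" }
}

# Blast-In rule: must be enabled and cover TCP 8443.
$ruleName = 'VMware Horizon View Connection Server (Blast-In)'
$rules = @(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' })
if ($rules.Count -eq 0) {
    $findings += "Firewall rule missing or disabled: $ruleName"
} else {
    $ports = $rules | Get-NetFirewallPortFilter
    if (-not ($ports | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '8443' })) {
        $findings += "Firewall rule does not cover TCP 8443: $ruleName"
    }
}

# Windows Firewall state per profile, read from the effective (active) policy store.
$categoryToProfile = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
$activeProfiles = Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] }
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    if ($p.Enabled -eq 'True') { continue }
    if ($activeProfiles -contains $p.Name) {
        $findings += "Windows Firewall is OFF in active profile: $($p.Name)"
    } else {
        $findings += "Windows Firewall is off in inactive profile: $($p.Name) (on is recommended)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All checks passed.' }
```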

Note: If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see Remove IPsec Rules for the Security Server.

What to do next

Configure an SSL server certificate for the security server. See Configuring TLS Certificates for Horizon 7 Servers.

You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your Deployment.

If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.