13: View Security Server

In a production environment we would buy an SSL certificate for the Security Server from a public CA, since it is the Internet-facing endpoint and external clients will not trust our internal CA. In this lab we use a certificate from the internal CA instead; View trusts it because the CA's root is in the machine's Trusted Root store.

Create a VM for the VMware View Security Server

$vm = Get-ResourcePool -Location Servers | New-VM -Name "VSS01" -DiskGB 30 -MemoryGB 4 -NumCpu 2 -NetworkName "VM Network" -GuestId windows8Server64Guest
Get-NetworkAdapter $vm | Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false
Get-ScsiController $vm | Set-ScsiController -Type ParaVirtual -Confirm:$false
Start-VM $vm | Open-VMConsoleWindow -FullScreen

Network boot from MDT, install Windows Server 2012 R2, name the computer VSS01 and join the domain.

Copy the View Connection Server installer on to the desktop (the Security Server is installed from the same package).  Ensure that auto-enrolment has issued an SSL certificate to the machine while it is still a domain member.  Set the friendly name of the certificate to vdm, which is the name View looks for when it picks the certificate to serve.

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |    # View needs the private key, not just a public certificate
    Select-Object -First 1                 # assumes auto-enrolment issued a single machine certificate
$cert.FriendlyName = 'vdm'
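The two lines above assume the store holds exactly one usable certificate. The following is an added example, not part of the original lab, that checks the auto-enrolled certificate is actually fit for a Security Server before renaming it: it must have a private key, the Server Authentication EKU, the name clients will connect to in its Subject or SAN, and a chain that validates with the SSL policy. The name vss01.mylab.local is an assumption based on the computer name and the vcs02.mylab.local domain used later; if the External URL will carry a public name, that name is the one to check, and an auto-enrolled machine certificate will not contain it.

```powershell
# Added example (not from the original lab): validate the machine certificate
# for use by the View Security Server, then give it the friendly name 'vdm'.
# Assumption: clients connect using vss01.mylab.local (the lab's machine FQDN).
$ExternalName = 'vss01.mylab.local'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No unexpired machine certificate with a private key found; check auto-enrolment.'
}

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for an SSL server certificate.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$eku    = if ($ekuExt) { $ekuExt.EnhancedKeyUsages } else { @() }
if (-not ($eku | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU."
}

# The name clients use must appear in the Subject or the Subject Alternative Name,
# otherwise View Client shows a name-mismatch warning.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
$pattern = [regex]::Escape($ExternalName)
if ($cert.Subject -notmatch $pattern -and $san -notmatch $pattern) {
    Write-Warning "Neither Subject nor SAN contains $ExternalName; clients will warn on connect."
}

# Build the chain the way a client would (PKI module, Windows Server 2012+).
# This must still succeed after the machine leaves the domain, which is why the
# internal CA root has to be present in the machine's Trusted Root store.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $ExternalName -ErrorAction SilentlyContinue)) {
    Write-Warning "Chain validation for $ExternalName failed; check the CA root in Cert:\LocalMachine\Root."
}

# All checks passed (or only warned): tag the certificate so View will use it.
$cert.FriendlyName = 'vdm'
$cert | Select-Object Thumbprint, Subject, NotAfter, FriendlyName
```

Run it in an elevated PowerShell session before the Remove-Computer step, while the domain's CA is still reachable, and re-run the Test-Certificate line once the VM sits in the DMZ to confirm the chain still builds from there.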

Disjoin from the domain – this is the DMZ after all!  The machine certificate stays in the local store after the unjoin, so View can still use it.

Remove-Computer -Force -Restart

Set the IP address and DNS server

New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 10.1.2.2 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses 10.0.1.5

Now move the VM into the DMZ Network

Get-NetworkAdapter $vm | Set-NetworkAdapter -NetworkName "DMZ Network" -Confirm:$false

We now need to configure firewall rules to allow connections into the DMZ from the Internet and from the DMZ to the LAN, and nothing else.  The full list of ports is given in the View 6.1 documentation (View Security, "View TCP and UDP Ports").  The final configuration should look like this.

image

On the firewall we first define the applications (TCP/UDP ports) that the rules will reference.  esp and junos-ike are needed because the Security Server pairs with its Connection Server over IPsec.

set applications application view-pcoip term tcp-4172 protocol tcp
set applications application view-pcoip term tcp-4172 source-port 0-65535
set applications application view-pcoip term tcp-4172 destination-port 4172
set applications application view-pcoip term udp-4172 protocol udp
set applications application view-pcoip term udp-4172 source-port 0-65535
set applications application view-pcoip term udp-4172 destination-port 4172
set applications application view-blast term tcp-8443 protocol tcp
set applications application view-blast term tcp-8443 source-port 0-65535
set applications application view-blast term tcp-8443 destination-port 8443
set applications application esp term ip50 protocol 50
set applications application esp term ip50 source-port 0-65535
set applications application esp term ip50 destination-port 0-65535
set applications application view-agent-blast term tcp-22443 protocol tcp
set applications application view-agent-blast term tcp-22443 source-port 0-65535
set applications application view-agent-blast term tcp-22443 destination-port 22443
set applications application view-agent-usb term tcp-32111 protocol tcp
set applications application view-agent-usb term tcp-32111 source-port 0-65535
set applications application view-agent-usb term tcp-32111 destination-port 32111
set applications application view-jms term tcp-4001 protocol tcp
set applications application view-jms term tcp-4001 source-port 0-65535
set applications application view-jms term tcp-4001 destination-port 4001
set applications application view-jms-ssl term tcp-4002 protocol tcp
set applications application view-jms-ssl term tcp-4002 source-port 0-65535
set applications application view-jms-ssl term tcp-4002 destination-port 4002
set applications application view-ajp13 term tcp-8009 protocol tcp
set applications application view-ajp13 term tcp-8009 source-port 0-65535
set applications application view-ajp13 term tcp-8009 destination-port 8009

Next define the policies that govern access to and from the DMZ.  Note that the DMZ-to-LAN policies are scoped to the source vss01 and, apart from DNS to dc01 and the IPsec/JMS/AJP13 pairing traffic to vcs02, only allow the display-protocol ports to the desktop network.

set security policies from-zone dmz to-zone untrust policy outgoing match source-address dmz
set security policies from-zone dmz to-zone untrust policy outgoing match destination-address any
set security policies from-zone dmz to-zone untrust policy outgoing match application any
set security policies from-zone dmz to-zone untrust policy outgoing then permit
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match source-address vss01
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match destination-address vcs02
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application esp
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application junos-ike
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-jms
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-jms-ssl
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-ajp13
set security policies from-zone dmz to-zone trust policy policy-vss-vcs then permit
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match source-address vss01
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match destination-address lan
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-pcoip
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-agent-blast
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-agent-usb
set security policies from-zone dmz to-zone trust policy policy-vss-desktop then permit
set security policies from-zone dmz to-zone trust policy policy-dns match source-address dmz
set security policies from-zone dmz to-zone trust policy policy-dns match destination-address dc01
set security policies from-zone dmz to-zone trust policy policy-dns match application junos-dns-tcp
set security policies from-zone dmz to-zone trust policy policy-dns match application junos-dns-udp
set security policies from-zone dmz to-zone trust policy policy-dns then permit
set security policies from-zone untrust to-zone dmz policy policy-vss match source-address any
set security policies from-zone untrust to-zone dmz policy policy-vss match destination-address vss01
set security policies from-zone untrust to-zone dmz policy policy-vss match application view-blast
set security policies from-zone untrust to-zone dmz policy policy-vss match application view-pcoip
set security policies from-zone untrust to-zone dmz policy policy-vss match application junos-http
set security policies from-zone untrust to-zone dmz policy policy-vss match application junos-https
set security policies from-zone untrust to-zone dmz policy policy-vss then permit
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match source-address vcs02
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match destination-address vss01
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match application esp
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match application junos-ike
set security policies from-zone trust to-zone dmz policy policy-vcs-vss then permit
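Once the policies are committed they are worth proving from both sides of the firewall rather than trusting the summary screen. The script below is an added example, not part of the original lab, that runs TCP connect probes for the permitted ports and for a few ports the policies above never permit (LDAP, SMB, RDP). Run it with -Zone dmz on VSS01 to test dmz-to-trust, and with -Zone untrust from a client outside the firewall after the Security Server install has finished, since nothing listens on VSS01 before then. The desktop address 10.0.1.50 is hypothetical, and dc01 is assumed to be the 10.0.1.5 DNS server configured earlier.

```powershell
# Added example (not from the original lab): probe the DMZ firewall policies.
# Requires Test-NetConnection (Windows 8.1 / Server 2012 R2 and later).
$Targets = @{
    Vcs02   = 'vcs02.mylab.local'   # View Connection Server in the LAN
    Dc01    = '10.0.1.5'            # assumed: the LAN DNS server used by VSS01
    Vss01   = '10.1.2.2'            # Security Server address in the DMZ
    Desktop = '10.0.1.50'           # hypothetical View desktop in the LAN
}

# One entry per probe: zone it runs from, target, TCP port, whether the policy should permit it.
$Probes = @(
    # dmz -> trust, VSS01 to VCS02 (policy-vss-vcs)
    @{ From='dmz';     To=$Targets.Vcs02;   Port=4001;  Expect=$true;  Rule='view-jms' }
    @{ From='dmz';     To=$Targets.Vcs02;   Port=4002;  Expect=$true;  Rule='view-jms-ssl' }
    @{ From='dmz';     To=$Targets.Vcs02;   Port=8009;  Expect=$true;  Rule='view-ajp13' }
    @{ From='dmz';     To=$Targets.Vcs02;   Port=389;   Expect=$false; Rule='ldap (not permitted)' }
    # dmz -> trust, VSS01 to desktops (policy-vss-desktop)
    @{ From='dmz';     To=$Targets.Desktop; Port=4172;  Expect=$true;  Rule='view-pcoip' }
    @{ From='dmz';     To=$Targets.Desktop; Port=22443; Expect=$true;  Rule='view-agent-blast' }
    @{ From='dmz';     To=$Targets.Desktop; Port=32111; Expect=$true;  Rule='view-agent-usb' }
    @{ From='dmz';     To=$Targets.Desktop; Port=445;   Expect=$false; Rule='smb (not permitted)' }
    # dmz -> trust, DNS to dc01 (policy-dns)
    @{ From='dmz';     To=$Targets.Dc01;    Port=53;    Expect=$true;  Rule='junos-dns-tcp' }
    # untrust -> dmz, Internet client to VSS01 (policy-vss)
    @{ From='untrust'; To=$Targets.Vss01;   Port=443;   Expect=$true;  Rule='junos-https' }
    @{ From='untrust'; To=$Targets.Vss01;   Port=8443;  Expect=$true;  Rule='view-blast' }
    @{ From='untrust'; To=$Targets.Vss01;   Port=4172;  Expect=$true;  Rule='view-pcoip' }
    @{ From='untrust'; To=$Targets.Vss01;   Port=3389;  Expect=$false; Rule='rdp (not permitted)' }
)

function Test-ViewFirewall {
    param([Parameter(Mandatory)][ValidateSet('dmz','untrust')][string]$Zone)

    foreach ($p in ($Probes | Where-Object { $_.From -eq $Zone })) {
        $r = Test-NetConnection -ComputerName $p.To -Port $p.Port -WarningAction SilentlyContinue
        # TcpTestSucceeded is $false both when the firewall drops the packet and when
        # nothing is listening, so a failed "permitted" probe means "check", not "denied".
        $status = if ($r.TcpTestSucceeded -eq $p.Expect) { 'OK' } else { 'CHECK' }
        [pscustomobject]@{
            Zone     = $Zone
            Target   = $p.To
            Port     = $p.Port
            Rule     = $p.Rule
            Expected = $p.Expect
            Open     = $r.TcpTestSucceeded
            Status   = $status
        }
    }
}

# On VSS01:
Test-ViewFirewall -Zone dmz | Format-Table -AutoSize
# From a client in the untrust zone, after the Security Server is installed:
# Test-ViewFirewall -Zone untrust | Format-Table -AutoSize
```

TCP probes cannot exercise UDP 4172, ESP or IKE.  For the IPsec pairing the useful check, on VSS01 once the install has completed, is Get-NetIPsecMainModeSA, which should show a security association with vcs02; if it is absent, the esp and junos-ike entries in policy-vss-vcs and policy-vcs-vss are the first thing to revisit.  The deny probes only confirm that the port is not reachable; a missing rule and an absent service look the same from the outside.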

Launch the View Connection Server installer: VMware-view-connectionserver-x86_64-6.1.1-2769403.exe

Race through the initial screens of the installer

imageimageimage

This will be a View Security Server

image

And it will pair with vcs02.mylab.local

image

Pause for a moment, log in to View Administrator and under View Configuration, Servers, Connection Servers select VCS02 and specify the pairing password.  The password only lives for the timeout set on the same dialog (30 minutes by default), so set it just before continuing the wizard.

image

Set the password, then enter that same password back in the installation wizard.

imageimage

Next set the external URLs (the HTTPS, PCoIP and Blast addresses that clients on the Internet will be given to reach this Security Server).  Normally this would be

image

Allow the wizard to configure the firewall

image

Summary and finish

imageimage

Back in View Administrator, edit VCS02 and tick the PCoIP Secure Gateway box.  Without it external PCoIP sessions are directed straight at the desktop's address, which the untrust zone cannot reach; with it they are tunnelled through VSS01 on port 4172, which is what the untrust-to-dmz view-pcoip rule permits.

image