this password during the installation process.
The security server pairing password is a one-time password that permits a security server to be paired with a View Connection Server instance. The password becomes invalid after you provide it to the View
Connection Server installation program.
NOTE You cannot pair an older version of security server with the current version of View Connection Server. If you configure a pairing password on the current version of View Connecton Server and try to install an older version of security server, the pairing password will be invalid.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 In the Connection Servers tab, select the View Connection Server instance to pair with the security server.
3 From the More Commands drop-down menu, select Specify Security Server Pairing Password. 4 Type the password in the Pairing password and Confirm password text boxes and specify a password
timeout value.
You must use the password within the specified timeout period. 5 Click OK to configure the password.
What to do next
Install a security server. See “Install a Security Server,” on page 62.
IMPORTANT If you do not provide the security server pairing password to the View Connection Server installation program within the password timeout period, the password becomes invalid and you must configure a new password.
Install a Security Server
A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network. You can install one or more security servers to be connected to a View Connection Server instance.
The security server software cannot coexist on the same virtual or physical machine with any other View software component, including a replica server, View Connection Server, View Composer, View Agent, or Horizon Client.
Prerequisites
n Determine the type of topology to use. For example, determine which load balancing solution to use. Decide if the View Connection Server instances that are paired with security servers will be dedicated to users of the external network. For information, see the View Architecture Planning document.
IMPORTANT If you use a load balancer, it must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.
n Verify that your installation satisfies the requirements described in “View Connection Server
Requirements,” on page 7.
n Prepare your environment for the installation. See “Installation Prerequisites for View Connection
Server,” on page 49.
n Verify that the View Connection Server instance to be paired with the security server is installed and configured and is running a View Connection Server version that is compatible with the security server version. See "View Component Compatibility Matrix" in the View Upgrades document.
n Verify that the View Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
n Configure a security server pairing password. See “Configure a Security Server Pairing Password,” on page 62.
n Familiarize yourself with the format of external URLs. See “Configuring External URLs for Secure
Gateway and Tunnel Connections,” on page 112.
n Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is
recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
n Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server. See “Firewall Rules for View Connection Server,” on page 70.
n If your network topology includes a back-end firewall between the security server and View Connection Server, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
n If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the security server were removed. See “Remove IPsec Rules for the Security Server,” on page 69. n If you are installing View in FIPS mode, you must deselect the global setting Use IPSec for Security
Server Connections in View Administrator, because in FIPS mode, you must configure IPsec manually
after installing a security server.
Procedure
1 Download the View Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the
build number and y.y.y is the version number.
2 To start the View Connection Server installation program, double-click the installer file. 3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Security Server installation option. 6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all View components with the same IP version. 7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Type the fully qualified domain name or IP address of the View Connection Server instance to pair with the security server in the Server text box.
The security server forwards network traffic to this View Connection Server instance. 9 Type the security server pairing password in the Password text box.
If the password has expired, you can use View Administrator to configure a new password and type the new password in the installation program.
10 In the External URL text box, type the external URL of the security server for client endpoints that use the RDP or PCoIP display protocols.
The URL must contain the protocol, client-resolvable security server name, and port number. Tunnel clients that run outside of your network use this URL to connect to the security server.
For example: https://view.example.com:443
11 In the PCoIP External URL text box, type the external URL of the security server for client endpoints that use the PCoIP display protocol.
In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.
For example, in an IPv4 environment: 10.20.30.40:4172
Clients must be able to use the URL to reach the security server.
12 In the Blast External URL text box, type the external URL of the security server for users who use HTML Access to connect to remote desktops.
The URL must contain the HTTPS protocol, client-resolvable host name, and port number. For example: https://myserver.example.com:8443
By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.
13 Choose how to configure the Windows Firewall service.
Option Action
Configure Windows Firewall automatically
Let the installer configure Windows Firewall to allow the required network connections.
Do not configure Windows Firewall Configure the Windows firewall rules manually.
Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.
14 Complete the installation wizard to finish installing the security server. The security server services are installed on the Windows Server computer: n VMware Horizon View Security Server
n VMware Horizon View Security Gateway Component n VMware Horizon View PCoIP Secure Gateway n VMware Blast Secure Gateway
For information about these services, see the View Administration document. The security server appears in the Security Servers pane in View Administrator.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
NOTE If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see “Remove IPsec Rules for the Security Server,” on page 69.
What to do next
Configure an SSL server certificate for the security server. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 109 and “Sizing Windows Server Settings to Support Your Deployment,” on page 120.
If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.