VMware View 5.1 security server

1. Does one need to install a security server for a View 5.1 deployment?

2. What is the purpose of the security server?

3. If we have a vpn for our iPads to connect to our network, do we need a security server?

4. Would a security server allow the iPads to connect faster on the AT&T network?
MECIT Asked:
 
jhyiesla Commented:
No, you do not need the security server to install View.

The security server's main purpose is to sit in a DMZ and give direct access to remote users.

If you have a VPN, you do not need the security server. Connecting directly may be quicker and you don't need to depend on the VPN to be working and some public wireless connections may prohibit VPNs, so the security server may be worth it.
 
MECIT (Author) Commented:
1. Will the security server need an SSL certificate? Will I be able to use our Microsoft CA, or will I need a third party?

2. What are the hardware requirements for the security server?

3. Where can I find the steps to configure the security server?
 
jhyiesla Commented:
 
MECIT (Author) Commented:
I show the security server in the View Manager. However, I am not able to connect to it from the iPad.
 
jhyiesla Commented:
Are you trying to connect from the iPad from the internal LAN or from an external connection?
 
MECIT (Author) Commented:
External connection.

If I am trying to connect internally, then I use the View connection server. If I am connecting externally, then I use the external IP that I assigned to the security server.

Would this be correct?
 
jhyiesla Commented:
Pretty much. You also need to make sure that you paired the SS and the Connection Server correctly according to the instructions. You need to make sure that server firewalls are off or that they have the appropriate ports opened.

If you did all of this according to the instructions, you should be able to point the View client to the appropriate IP of the SS and that should connect you to the Connection Server.
 
MECIT (Author) Commented:
Do I use the external IP or the external IP:port on the View client?

As far as the SSL cert, if I have the security server internal I can create the SSL cert just like I did for the connection server. Correct?
 
jhyiesla Commented:
If you're on your local LAN, you don't really need to access the SS, but you should be able to by connecting to the internal IP from the View client (PC, Mac, iPad, etc). If you are outside your local LAN, you'd want to use the public IP that you've assigned.

I'd probably start by disabling the Windows firewall on the SS and attempt to access the View environment - going all the way to a desktop - internally. That will at least confirm that the basic setup is OK. Does the SS reside in a DMZ? Right now ours does not, so that "may" make a difference for you.

As far as the cert goes, we haven't done anything outside of a default setup. I don't see why you can't just use your own cert generator, but I can't say for sure.

To help us understand things, provide the following info:

1. Is the SS in a DMZ?
2. Is there a firewall involved - Windows or hardware-based?
3. What ports are open on the firewall if one is there and turned on?
4. Can you attach pictures of the SS and connection server config from the View manager?
 
MECIT (Author) Commented:
1. Not in a DMZ

2. Watchguard Firewall

3. Created a policy to NAT the external to internal ip of the SS. Ports 4172 and 443

4. I just noticed the red on the Security Server.

SS red button
SS in view manager
 
jhyiesla Commented:
NAT should work, but that's not how mine's set up so I can't address that specifically. We're working with our firewall guy to set it up more like you have yours. I also have open on my firewall (Windows) 3389, 4001, and 8009. Right now I've got two NICs; one on outside and one on inside and Windows firewall on and server hardened.

Can you see the internal IP of the SS from other devices on your LAN? If so, I think you should be able to connect to it locally, but again, I'm not sure what the NAT is adding to the mix.

The cert error is to be expected. Mine does something similar when I connect and I just accept it and move on.

From the view manager what I wanted you to post was the configs of each of the servers. So from the View manager go to Configuration and then servers, then highlight the SS and click on Edit; post the items that are in there...black out anything that's proprietary to your company. Then do the same thing for the Connection Server.
 
MECIT (Author) Commented:
I can connect with the internal IP of the SS while on wifi.

SS Settings
Conn Settings
 
jhyiesla Commented:
Assuming that what you have under the blacked out parts is right, I was in the same position as you in that I could connect from the inside, but not the outside. The fix for me was to check the box in the Connection server part that you don't have checked above. When I did that, accessing the SS from the outside worked like a charm.
 
MECIT (Author) Commented:
If I do that, then my internal ones will route to the external IP and not the internal.
Is there not a way for internal to use the internal IP and external to use the external IP?
 
jhyiesla Commented:
What I have on my settings is the following. For the SS both fields reference the outside name or IP. On the Connection Server (CS) both fields reference the inside name or IP. I didn't actually try and route out the connection to see how it was working, but I know the following:

With the SS and CS set as above, I was able to get to the SS from the inside without issue, but failed on the outside. When I checked the second box on the CS settings, I was able to get to both. And honestly, there's no real reason to use the SS on an inside connection...you're on the inside so it ought to be secure going directly to the CS.
 
MECIT (Author) Commented:
I ended up calling VMware tech support.

On the CS, the PCoIP GW originally had the external IP. I changed that to the internal IP of the CS. Also, I had to move up my firewall policy. Once I did that, it worked.
 
MECIT (Author) Commented:
Thanks for your help
 
j_rameses (Info Sys Mngr) Commented:
Hello, I have a question regarding this.
I tried several options to get my iPad loaded but it does not work.
I still get the "desktop loading warning. your desktop is loading too slowly....".
I set my SS to use the static external IP address and URL as view.websitedomainname.com and the CS points to itself internally. I still cannot connect via my iPad. I set up the NAT rule on the firewall to point the external IP address to the internal SS, but to no avail.
I opened ports 4172 on the FW; still no connection from the external network via WiFi.
Running the client from within the network, I can launch the View desktop from another computer in the network, but not via WiFi.
Any suggestions?
Something I might have missed?
 
MECIT (Author) Commented:
I have a static NAT in the firewall, external IP --> internal IP to SS. The ports I am using are TCP 443, TCP 4172, UDP 4172.
On the iPad, I installed the SSL certificate I created for the SS.

Are you using the aircard within the iPad to try and connect? When I was getting that error, it was either cell coverage or I had not installed the SSL cert on the iPad.
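
An added example, not part of the original thread or of VMware's tooling: a Python check, run from an external network, that the TCP ports named in this thread answer through the NAT and whether the certificate the security server presents validates against a given CA bundle. The host name `view.example.com` and the `cafile` path are placeholders you supply; UDP 4172 cannot be confirmed this way.

```python
import socket
import ssl

# TCP ports from the NAT policy in this thread: 443 (HTTPS) and 4172 (PCoIP).
# UDP 4172 is also needed, but a UDP probe cannot prove it is forwarded.
VIEW_TCP_PORTS = (443, 4172)


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_trust(host, port=443, cafile=None, timeout=5.0):
    """Handshake with full verification and report why trust fails, if it does.

    cafile: PEM bundle holding the internal CA root (assumption: you exported
    it); None means the system trust store, as a stock client would use.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"trusted": True, "error": None,
                        "issuer": cert.get("issuer"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # e.g. self-signed, unknown issuer, or name mismatch
        return {"trusted": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"trusted": False, "error": str(exc)}


def check_security_server(host, cafile=None):
    """Probe each TCP port, then inspect certificate trust if 443 answers."""
    report = {"tcp": {p: tcp_open(host, p) for p in VIEW_TCP_PORTS}}
    report["tls"] = tls_trust(host, cafile=cafile) if report["tcp"][443] else None
    return report


if __name__ == "__main__":
    # Placeholder name; replace with the public name or IP of your SS.
    print(check_security_server("view.example.com"))
```

A `trusted: False` result with an unknown-issuer or self-signed message means clients will warn or refuse until the issuing CA's root is installed on them.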
 
j_rameses (Info Sys Mngr) Commented:
Hello Mecit, I am using the WiFi feature of the iPad.
I tried installing the SSL certificates as per VMware and other recommendations, but all the instructions bounce all over the place. I removed the certificate from the SS and now I do not get the option for a desktop on my iPad.
It is hard to find exact instructions on importing the certificate to the SS and the CS. I purchased an SSL certificate several months ago.
I tried different methods of import but to no avail.
What suggestions or steps can you offer on how to import the SSL certificate to the SS and CS?
Or is it only needed on one of the View servers?
Now I cannot find the self-issued certificate for my SS.
 
j_rameses (Info Sys Mngr) Commented:
I have a static NAT policy on my FW, using external IP to internal IP of SS.
On the FW policy I have ports: TCP=443, UDP & TCP=4172.
For port 4172, I have source=any and for destination I have the SS internal static IP.
For port 443, I have service=https, source=any, destination=external static IP.
 
j_rameses (Info Sys Mngr) Commented:
For my connection server I get the message on the admin console: connection server
 
j_rameses (Info Sys Mngr) Commented:
For my SS I get this message: security server message
 
MECIT (Author) Commented:
I use an internal CA that created my SSL cert.

I've attached a file, maybe this may help.

Where did you get your SSL cert from?
View-5.1-ssl-cert-server-install.txt
 
j_rameses (Info Sys Mngr) Commented:
I got it from digicert.com.
I needed one for Exchange 2013.
 
j_rameses (Info Sys Mngr) Commented:
Hello Mecit,

regarding:
5.Select the template for certificate enrollment and click Details > Properties.

I tried that and was hit with the message: Certificate Types not available.

Any advice?

I did post a question on EE, maybe you can follow on it for points:
21ID28230459
 
MECIT (Author) Commented:
I think it is because this is related to the internal CA.
When requesting the cert, I believe it is trying to find a CA, and since you don't have one internally, that's probably why you are getting that.
Question has a verified solution.
