Deploying and Configuring Access Point

Deploying and Configuring Access Point
Deploying and Configuring Access Point
Access Point 2.5
Access Point 2.6
VMware Horizon
This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.
EN-001998-00
Deploying and Configuring Access Point
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
[email protected]
Copyright © 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2
VMware, Inc.
Contents
Deploying and Configuring Access Point 5
1 Introduction to Access Point 7
Firewall Rules for DMZ-Based Access Point Appliances
Access Point Topologies 12
8
2 System Requirements and Deployment 17
Access Point System Requirements 17
Preparing View Connection Server for Use with Access Point 19
Deploy the Access Point Appliance 19
Using VMware OVF Tool to Deploy the Access Point Appliance 23
Access Point Deployment Properties 27
3 Configuring Access Point 31
Using the Access Point REST API 31
Reset the admin Password for the Access Point REST API 32
Configuration Settings for System Settings and Server Certificates 33
Configuration Settings for Edge Services 34
Configuring TLS/SSL Certificates for Access Point Appliances 40
Selecting the Correct Certificate Type 40
Convert Certificate Files to One-Line PEM Format 41
Replace the Default TLS/SSL Server Certificate for Access Point 42
Change the Security Protocols and Cipher Suites Used for TLS or SSL Communication 43
Configuring the Secure Gateways Used with the View Edge Service 44
4 Collecting Logs from the Access Point Appliance 47
5 Setting Up Smart Card Authentication 49
Generate Access Point SAML Metadata 50
Creating a SAML Authenticator for View Connection Server 51
Create a SAML Authenticator on a Horizon 7 Connection Server 51
Create a SAML Authenticator on View Connection Server 6.2 53
Change the Expiration Period for Service Provider Metadata on View Connection Server
Copy Service Provider SAML Metadata to Access Point 55
Obtain the Certificate Authority Certificates 56
Obtain the CA Certificate from Windows 56
Configure Smart Card Settings on the Access Point Appliance 57
Smart Card Certificate Properties for Advanced Options 58
54
6 Setting Up Two-Factor Authentication 61
Configure RSA SecurID Authentication on the Access Point Appliance 61
VMware, Inc.
3
Deploying and Configuring Access Point
Configure RADIUS Authentication on the Access Point Appliance 63
Index
4
67
VMware, Inc.
Deploying and Configuring Access Point
®
Deploying and Configuring Access Point provides information about designing VMware Horizon and
®
VMware Identity Manager deployment that uses Access Point for secure external access to your
organization's applications, including Windows applications, software as a service (SaaS) applications, and
desktops. This guide also provides instructions for deploying Access Point virtual appliances and changing
the configuration settings after deployment, if desired.
Intended Audience
This information is intended for anyone who wants to deploy and use Access Point appliances. The
information is written for experienced Linux and Windows system administrators who are familiar with
virtual machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
VMware, Inc.
5
Deploying and Configuring Access Point
6
VMware, Inc.
Introduction to Access Point
1
Access Point functions as a secure gateway for users who want to access remote desktops and applications
from outside the corporate firewall.
Access Point appliances typically reside within a DMZ and act as a proxy host for connections inside your
company's trusted network. This design provides an additional layer of security by shielding View virtual
desktops, application hosts, and Horizon servers from the public-facing Internet.
Access Point directs authentication requests to the appropriate server and discards any un-authenticated
request. The only remote desktop and application traffic that can enter the corporate data center is traffic on
behalf of a strongly authenticated user. Users can access only the resources that they are authorized to
access.
With Access Point 2.6 and later releases, the Access Point appliance can also serve as a reverse proxy for
VMware Identity Manager.
The following authentication mechanisms are available:
n
Active Directory credentials
n
RSA SecurID
n
RADIUS
n
Smart cards
n
SAML (Security Assertion Markup Language)
For the View component of VMware Horizon, Access Point appliances fulfill the same role that was
previously played by View security servers, but Access Point provides additional benefits:
n
An Access Point appliance can be configured to point to either a View Connection Server instance or a
load balancer that fronts a group of View Connection Server instances. This design means that you can
combine remote and local traffic.
n
Configuration of Access Point is independent of View Connection Server instances. Unlike with
security servers, no pairing password is required to pair each security server with a single View
Connection Server instance.
n
Access Point appliances are deployed as hardened virtual appliances, which are based on a Linux
appliance that has been customized to provide secure access. Extraneous modules have been removed
to reduce potential threat access.
n
Access Point uses a standard HTTP(S) protocol for communication with View Connection Server. JMS,
IPsec, and AJP13 are not used.
VMware, Inc.
7
Deploying and Configuring Access Point
This chapter includes the following topics:
n
“Firewall Rules for DMZ-Based Access Point Appliances,” on page 8
n
“Access Point Topologies,” on page 12
Firewall Rules for DMZ-Based Access Point Appliances
DMZ-based Access Point appliances require certain firewall rules on the front-end and back-end firewalls.
During installation, Access Point services are set up to listen on certain network ports by default.
A DMZ-based Access Point appliance deployment usually includes two firewalls.
n
An external network-facing, front-end firewall is required to protect both the DMZ and the internal
network. You configure this firewall to allow external network traffic to reach the DMZ.
n
A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of
security. You configure this firewall to accept only traffic that originates from the services within the
DMZ.
As an example, the following figure illustrates the protocols that each View component uses for
communication. This configuration might be used in a typical WAN deployment if you are using
Access Point appliances with the View component of VMware Horizon.
8
VMware, Inc.
Chapter 1 Introduction to Access Point
Figure 1‑1. View Components and Protocols with Access Point
Client Devices
RDP
Client
Horizon
Client
PColP
Blast
HTTP(S)
HTTP(S)
Access Point Appliance
View Secure
Protocol Handlers
PColP
Blast
RDP, Framework, MMR, CDR...
HTTP(S)
View Connection Server
View Secure GW Server &
PColP Secure GW
View
Messaging
View Broker &
Admin Server
HTTP(S)
View
Administrator
SOAP
vCenter
Server
View
LDAP
View desktop virtual machine or RDS host
View
Agent
Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk
of compromising your internal network.
The following figure shows an example of a configuration that includes front-end and back-end firewalls.
VMware, Inc.
9
Deploying and Configuring Access Point
Figure 1‑2. Dual Firewall Topology
Client
Device
Client
Device
HTTPS
Traffic
front-end
firewall
Fault-tolerant
load balancing
mechanism
HTTPS
Traffic
DMZ
Access
Point
Appliance
Access
Point
Appliance
back-end
firewall
Horizon
Server
Horizon
Server
VMware
vCenter
Active
Directory
Internal
Network
VMware
ESXi servers
Front-End Firewall Rules
To allow external client devices to connect to an Access Point appliance within the DMZ, the front-end
firewall must allow traffic on certain TCP and UDP ports.
Table 1‑1. Front-End Firewall Rules
Default
Port
Protocol
Destination
Horizon
Client
TCP Any
HTTP
Access Point
appliance
TCP 80
(Optional) External client devices connect to an
Access Point appliance within the DMZ on TCP port
80 and are automatically directed to HTTPS.
Horizon
Client or
Client Web
browser
TCP Any
HTTPS
Access Point
appliance
TCP 443
UDP 443 (for
Blast)
External client devices and external Web clients
(HTML Access) connect to an Access Point appliance
within the DMZ on TCP port 443.
Source
10
Destination
Port
Notes
VMware, Inc.
Chapter 1 Introduction to Access Point
Table 1‑1. Front-End Firewall Rules (Continued)
Source
Default
Port
Protocol
Destination
Destination
Port
Horizon
Client
TCP Any
UDP Any
PCoIP
Access Point
appliance
TCP 4172
UDP 4172
External client devices connect to an Access Point
appliance within the DMZ on TCP port 4172 and UDP
port 4172 to communicate with a remote desktop or
application over PCoIP.
Access
Point
appliance
UDP 4172
PCoIP
Horizon Client
UDP Any
Access Point appliances send PCoIP data back to an
external client device from UDP port 4172. The
destination UDP port is the source port from the
received UDP packets. Because these packets contain
reply data, it is normally unnecessary to add an
explicit firewall rule for this traffic.
Notes
Back-End Firewall Rules
To allow an Access Point appliance to communicate with a Horizon server or load balancer that resides
within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind
the back-end firewall, internal firewalls must be similarly configured to allow remote desktops, applications
and Horizon servers to communicate with each other.
Table 1‑2. Back-End Firewall Rules
Default
Port
Protocol
Destination
Access Point
appliance
TCP Any
HTTPS
Horizon server
or load
balancer
TCP 443
Access Point appliances connect on TCP port 443 to
communicate with a Horizon server or load
balancer in front of multiple Horizon server
instances.
Access Point
appliance
TCP Any
RDP
Remote
desktop
TCP 3389
Access Point appliances connect to remote desktops
on TCP port 3389 to exchange RDP traffic.
Access Point
appliance
TCP Any
MMR or
CDR
Remote
desktop
TCP 9427
Access Point appliances connect to remote desktops
on TCP port 9427 to receive MMR (multimedia
redirection) or CDR (client drive redirection) traffic.
Access Point
appliance
TCP Any
UDP Any
PCoIP
Remote
desktop or
application
TCP 4172
UDP 4172
Access Point appliances connect to remote desktops
and applications on TCP port 4172 and UDP port
4172 to exchange PCoIP traffic.
Remote
desktop or
application
UDP 4172
PCoIP
Access Point
appliance
UDP Any
Remote desktops and applications send PCoIP data
back to an Access Point appliance from UDP port
4172 .
The destination UDP port will be the source port
from the received UDP packets and so as this is
reply data, it is normally unnecessary to add an
explicit firewall rule for this.
Access Point
appliance
TCP Any
USB-R
Remote
desktop
TCP 32111
Access Point appliances connect to remote desktops
on TCP port 32111 to exchange USB redirection
traffic between an external client device and the
remote desktop.
Source Port
VMware, Inc.
Destination
Port
Notes
11
Deploying and Configuring Access Point
Table 1‑2. Back-End Firewall Rules (Continued)
Source Port
Default
Port
Protocol
Destination
Destination
Port
Access Point
appliance
TCP or
UDP Any
Blast
Extreme
Remote
desktop or
application
TCP or UDP
22443
Access Point appliances connect to remote desktops
and applications on TCP and UDP port 22443 to
exchange Blast Extreme traffic.
Access Point
appliance
TCP Any
HTTPS
Remote
desktop
TCP 22443
If you use HTML Access, Access Point appliances
connect to remote desktops on HTTPS port 22443 to
communicate with the VMware Blast agent.
Notes
NOTE Access Point optionally listens on TCP port 9443 for the admin REST API traffic and optionally sends
Syslog events on a default UDP port of 514. If there is a firewall in place for this communication, these ports
must not be blocked.
Access Point Topologies
You can implement any of several different topologies.
An Access Point appliance in the DMZ can be configured to point to a Horizon server or a load balancer that
fronts a group of Horizon servers. Access Point appliances work with standard third-party load balancing
solutions that are configured for HTTPS.
If the Access Point appliance points to a load balancer in front of Horizon servers, the selection of the
Horizon server instance is dynamic. For example, the load balancer might make a selection based on
availability and the load balancer's knowledge of the number of current sessions on each Horizon server
instance. The Horizon server instances inside the corporate firewall usually already have a load balancer in
order to support internal access. With Access Point, you can point the Access Point appliance to this same
load balancer that is often already being used.
12
VMware, Inc.
Chapter 1 Introduction to Access Point
Figure 1‑3. Access Point Appliance Pointing to a Load Balancer
Client
Device
External
Network
DMZ
load
balancing
Access
Point
Appliance
load
balancing
Horizon
Server
Microsoft
Active
Directory
ESXi hosts running
Virtual Desktop
virtual machines
vCenter
Management
Server
You can alternatively have one or more Access Point appliances point to an individual Horizon server
instance. In both approaches, use a load balancer in front of two or more Access Point appliances in the
DMZ.
VMware, Inc.
13
Deploying and Configuring Access Point
Figure 1‑4. Access Point Appliance Pointing to a Horizon Server Instance
Client
Device
External
Network
DMZ
load
balancing
Access
Point
Appliance
Horizon
Server
Microsoft
Active
Directory
ESXi hosts running
Virtual Desktop
virtual machines
vCenter
Management
Server
The following figure illustrates Access Point integration with VMware Identity Manager. You can configure
Web Reverse Proxy service to use Access Point 2.6 with VMware Identity Manager.
14
VMware, Inc.
Chapter 1 Introduction to Access Point
Figure 1‑5. VMware Identity Manager components with Access Point
Laptop
DMZ
HTTPS (443)
PC
HTTPS (443)
mycompany.vmwareidentity.com
Access Point
Appliance
Corporate Zone
PC
Internal Load Balancer
myconnector.mycompany.com
HTTPS (443)
Corporate LAN
users
HTTPS (443)
Connector-va
cluster
DNS/NTP
services
VMware, Inc.
Laptop
RSA
SecurID
AD/directory
services
15
Deploying and Configuring Access Point
16
VMware, Inc.
System Requirements and
Deployment
2
You deploy an Access Point appliance in much the same way that you deploy other VMware virtual
appliances.
This chapter includes the following topics:
n
“Access Point System Requirements,” on page 17
n
“Preparing View Connection Server for Use with Access Point,” on page 19
n
“Deploy the Access Point Appliance,” on page 19
n
“Using VMware OVF Tool to Deploy the Access Point Appliance,” on page 23
n
“Access Point Deployment Properties,” on page 27
Access Point System Requirements
To deploy the Access Point appliance, ensure your system meets the hardware and software requirements.
VMware Software Requirements
You must use specific versions of VMware products with specific versions of Access Point.
Horizon 7
Horizon 7 is qualified to support Access Point 2.5. Refer to the product
release notes for the latest information about compatibility, and refer to the
VMware Product Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Information in the release notes and interoperability matrix supersede
information in this guide.
During an upgrade, make sure the View Connection Server instances are
upgraded to 6.2 or later before using Access Point appliances. Access Point is
not designed to interoperate with earlier versions of Connection Server.
VMware Horizon Air
Hybrid-mode 1.0
VMware, Inc.
At the time of publication of this document, Horizon Air Hybrid-mode 1.0
has been qualified to support Access Point 2.5. Refer to the product release
notes for the latest information about compatibility, and refer to the VMware
Product Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Information in the release notes and interoperability matrix supersede
information in this guide.
17
Deploying and Configuring Access Point
VMware Identity
Manager 2.6
VMware Identity Manager 2.6 is qualified to support Access Point 2.6. Refer
to the product release notes for the latest information about compatibility,
and refer to the VMware Product Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Information in the release notes and interoperability matrix supersede
information in this guide.
VMware vSphere ESXi
hosts and vCenter
Server
Access Point appliances must be deployed on a version of vSphere that is the
same as a version supported for the Horizon products and versions you are
using.
For details about which versions of your Horizon products are compatible
with which versions of vCenter Server and ESXi, see the VMware Product
Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Horizon Client
Although VMware recommends that you upgrade to the latest version of the
clients to get new features and performance improvements, Access Point is
designed to work with all client versions that are supported with the
supported versions of Horizon servers.
Hardware Requirements
The OVF package for the Access Point appliance automatically selects the virtual machine configuration that
Access Point requires. Although you can change these settings, VMware recommends that you not change
the CPU, memory, or disk space to smaller values than the default OVF settings.
Networking Requirements
You can use one, two, or three network interfaces, and Access Point requires a separate static IP address for
each. Many DMZ implementations use separated networks to secure the different traffic types. Configure
Access Point according to the network design of the DMZ in which it is deployed.
n
One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external,
internal, and management traffic are all on the same subnet.
n
With two network interfaces, external traffic is on one subnet, and internal and management traffic are
on another subnet.
n
Using three network interfaces is the most secure option. With a third NIC, external, internal, and
management traffic all have their own subnets.
IMPORTANT Verify that you have assigned an IP pool to each network. The Access Point appliance can then
pick up the subnet mask and gateway settings at deployment time. To add an IP pool, in vCenter Server, if
you are using the native vSphere Client, go to the IP Pools tab of the data center. Alternatively, if you are
using the vSphere Web Client, you can create a network protocol profile. Go to the Manage tab of the data
center and select the Network Protocol Profiles tab. For more information, see Configuring Protocol Profiles
for Virtual Machine Networking.
Log Retention Requirements
The log files are configured by default to use a certain amount of space which is smaller than the total disk
size in the aggregate. The logs for Access Point roll by default. You must use syslog to preserve these log
entries.
18
VMware, Inc.
Chapter 2 System Requirements and Deployment
Preparing View Connection Server for Use with Access Point
If you plan to use Access Point with Horizon 6 or Horizon 7, or with Horizon Air Hybrid-mode, you must
perform specific tasks to ensure that View Connection Server works correctly with Access Point.
NOTE If you plan to use Access Point only as a reverse Web proxy, a feature that is available with
Access Point 2.6 and later releases, do not perform the tasks listed in this topic. This topic does not apply.
n
If you plan to use a secure tunnel connection for client devices, disable the secure tunnel for View
Connection Server. In View Administrator, go to the Edit View Connection Server Settings dialog box
and deselect the check box called Use secure tunnel connection to machine. By default, the secure
tunnel is enabled on the Access Point appliance.
n
Disable the PCoIP secure gateway for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called Use PCoIP Secure
Gateway for PCoIP connections to machine. By default, the PCoIP secure gateway is enabled on the
Access Point appliance.
n
Disable the Blast secure gateway for View Connection Server. In View Administrator, go to the Edit
View Connection Server Settings dialog box and deselect the check box called Use Blast Secure
Gateway for HTML Access to machine. By default, the Blast secure gateway is enabled on the
Access Point appliance.
n
To use pass-through authentication so that two-factor authentication, such as RSA SecurID or RADIUS
authentication, is performed on View Connection Server rather than Access Point, you must enable this
feature on View Connection Server. See the topics about two-factor authentication in the View
Administration document.
Deploy the Access Point Appliance
You can deploy the Access Point appliance by logging in to vCenter Server and using the Deploy OVF
Template wizard. Logging in directly to an ESXi host to use the deployment wizard is not supported.
It is also possible to use the command-line VMware OVF Tool to deploy the appliance, see “Using VMware
OVF Tool to Deploy the Access Point Appliance,” on page 23. With this tool, you can set advanced
properties that are not available in the deployment wizard.
When Access Points are deployed, you must ensure that View Connection Sever instances behind them are
configured appropriately. For more information, see the View Installation document.
IMPORTANT For production environments, VMware recommends that you use the sample PowerShell script
attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at
https://communities.vmware.com/docs/DOC-30835. Using the PowerShell script to deploy Access Point
overcomes the main difficulties of using OVF Tool directly on the command line. The script calls the OVF
Tool command but validates the settings and automatically constructs the correct command line syntax.
This method allows advanced settings such as configuration of the TLS/SSL server certificate to be applied
at deployment time.
Prerequisites
n
VMware, Inc.
Familiarize yourself with the deployment options available in the wizard. See “Access Point
Deployment Properties,” on page 27. The following options are required: static IP address for the
Access Point appliance, IP address of the DNS server, password for the root user, and the URL of the
Horizon server instance or load balancer that this Access Point appliance will point to.
19
Deploying and Configuring Access Point
n
Determine how many network interfaces and static IP addresses to configure for the Access Point
appliance. See “Networking Requirements,” on page 18.
IMPORTANT If you use the vSphere Web Client, you can also specify the DNS server, gateway, and
netmask addresses for each network. If you use the native vSphere Client, verify that you have assigned
an IP pool to each network. To add an IP pool, in vCenter Server, if you are using the native vSphere
Client, go to the IP Pools tab of the data center. Alternatively, if you are using the vSphere Web Client,
you can create a network protocol profile. Go to the Manage tab of the data center and select the
Network Protocol Profiles tab. For more information, see Configuring Protocol Profiles for Virtual
Machine Networking.
n
Verify that you can log in to vSphere Client or vSphere Web Client as a user with system administrator
privileges. For example, you might log in as the user [email protected]
If you use vSphere Web Client, use a supported browser. See the "Client Integration Plug-In Software
Requirements" topic in the vSphere documentation center for your version of vSphere.
n
Verify that the data store you plan to use for the appliance has enough free disk space and meets other
system requirements. The download size of the virtual appliance is 2.5GB. By default, for a thinprovisioned disk, the appliance requires 2.5GB, and a thick-provisioned disk requires 20GB. Also see
“Access Point System Requirements,” on page 17.
n
Download the .ova installer file for the Access Point appliance from the VMware Web site at
https://my.vmware.com/web/vmware/downloads, or determine the URL to use (example:
http://example.com/vapps/euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova), where Y.Y is the version
number and xxxxxxx is the build number.
n
If you plan to use the vSphere Web Client, verify that the Client Integration plug-in is installed. For
more information, see the vSphere documentation. For example, for vSphere 6, see Install the Client
Integration Plug-in. If you do not install this plug-in before you start the deployment wizard, the
wizard prompts you to install the plug-in, which requires closing your browser and exiting the wizard.
Procedure
1
Use the native vSphere Client or the vSphere Web Client to log in to a vCenter Server instance.
2
Select a menu command for launching the Deploy OVF Template wizard.
3
Option
Menu Command
vSphere Client
Select File > Deploy OVF Template.
vSphere Web Client
Select any inventory object that is a valid parent object of a virtual
machine, such as a datacenter, folder, cluster, resource pool, or host, and
from the Actions menu, select Deploy OVF Template.
On the Select Source page of the wizard, browse to the location of the .ova file that you downloaded or
enter a URL and click Next.
A details page appears, which tells how much disk space the appliance requires.
20
VMware, Inc.
Chapter 2 System Requirements and Deployment
4
Follow the wizard prompts, and take the following guidelines into consideration as you complete the
wizard.
Text on each wizard page explains each control. In some cases, the text changes dynamically as you
select various options.
NOTE If you use the vSphere Web Client, for assistance you can also click the context-sensitive help
button, which is a question mark (?) icon in the upper-right corner of the wizard.
VMware, Inc.
Option
Description
Select a deployment configuration
You can use one, two, or three network interfaces (NICs), and Access Point
requires a separate static IP address for each. Many DMZ implementations
use separated networks to secure the different traffic types. Configure
Access Point according to the network design of the DMZ in which it is
deployed.
Disk format
For evaluation and testing environments, select the Thin Provision format.
For production environments, select one of the Thick Provision formats.
Thick Provision Eager Zeroed is a type of thick virtual disk format that
supports clustering features such as fault tolerance but takes much longer
to create than other types of virtual disks.
VM storage policy
(vSphere Web Client only) This option is available if storage policies are
enabled on the destination resource.
21
Deploying and Configuring Access Point
Option
Description
Setup Networks/Network Mapping
If you are using vSphere Web Client, the Setup Networks page allows you
to map each NIC to a network and specify protocol settings.
a Select the first row in the table (Internet) and then click the down
arrow to select the destination network.
b
c
After you select the row, you can also enter IP addresses for the DNS
server, gateway, and netmask in the lower portion of the window.
If you are using more than one NIC, select the next row
(ManagementNetwork), select the destination network, and then you
can enter the IP addresses for the DNS server, gateway, and netmask
for that network.
If you are using only one NIC, all the rows are mapped to the same
network.
If you have a third NIC, also select the third row and complete the
settings.
If you are using only two NICs, for this third row (BackendNetwork),
select the same network that you used for ManagementNetwork.
With the vSphere Web Client, a network protocol profile is automatically
created after you complete the wizard if one does not already exist.
If you use the native vSphere Client (rather than the Web Client), the
Network Mapping page allows you to map each NIC to a network, but
there are no fields for specifying the DNS server, gateway, and netmask
addresses. As described in the prerequisites, you must already have
assigned an IP pool to each network or created a network protocol profile.
Customize template
5
The text boxes on this page are specific to Access Point and might not be
required for other types of virtual appliances. Text in the wizard page
explains each setting. If the text is truncated on the right side of the wizard,
resize the window by dragging from the lower-right corner. You must
enter values in the following text boxes:
n External IP address
n DNS server addresses
n Management network IP address if you specified 2 NICs, and
Backend network IP address if you specified 3 NICs
n Password for the root user of this VM
n Horizon server URL
n Horizon server thumbprints if the Horizon server does not already
have a server certificate that is issued by a trusted certificate authority
All other settings are either optional or already have a default setting
entered. VMware strongly recommends that you also specify a password
for the Admin credentials for REST API text box. Note the password
requirements listed on the wizard page. For a description of all
deployment properties, see “Access Point Deployment Properties,” on
page 27.
On the Ready to Complete page, select Power on after deployment, and click Finish.
A Deploy OVF Template task appears in the vCenter Server status area so that you can monitor
deployment. You can also open a console on the virtual machine to view the console messages that are
displayed during system boot. A log of these messages is also available in the file /var/log/boot.msg.
22
VMware, Inc.
Chapter 2 System Requirements and Deployment
6
When deployment is complete, verify that end users will be able to connect to the appliance by opening
a browser and entering the following URL:
https://FQDN-of-AP-appliance
In this URL, FQDN-of-AP-appliance is the DNS-resolvable, fully qualified domain name of the
Access Point appliance.
If deployment was successful, you will see the Web page provided by the Horizon server that
Access Point is pointing to. For example, if you configured Access Point to point to a View Connection
Server instance, the Horizon Web Portal appears. If deployment was not successful, you can delete the
appliance virtual machine and deploy the appliance again. The most common error is not entering
certificate thumbprints correctly.
7
To verify that the admin credentials for accessing the REST API were set correctly, open a browser,
enter the following URL, and enter the credentials for the admin user.
https://FQDN-of-AP-appliance:9443/rest/swagger.yaml
A page containing the Access Point REST API specification appears. If you get an error message, you
can either deploy the appliance again and be sure to follow the requirements for the password, or you
can log in to the Access Point virtual machine and set the admin password using the REST API.
The Access Point appliance is deployed and starts automatically.
What to do next
Configure security certificates for Access Point. If you did not set the admin credentials correctly for the
REST API, you can set them by using the procedure “Reset the admin Password for the Access Point REST
API,” on page 32.
IMPORTANT Configure the clock (UTC) on the Access Point appliance so that the appliance has the correct
time. For example, open a console window on the Access Point virtual machine and use arrow buttons to
select the correct time zone. Also verify that the ESXi host's time is synchronized with an NTP server, and
verify that VMware Tools, which is running in the appliance virtual machine, synchronizes the time on the
virtual machine with the time on the ESXi host.
Using VMware OVF Tool to Deploy the Access Point Appliance
As an alternative to using the deployment wizard, you can use this command-line tool to deploy
Access Point. Using this tool allows you to set more configuration options than are available in the
deployment wizard.
IMPORTANT For production environments, VMware recommends that you use the sample PowerShell script
attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at
https://communities.vmware.com/docs/DOC-30835. Using the PowerShell script to deploy Access Point
overcomes the main difficulties of using OVF Tool directly on the command line. The script calls the OVF
Tool command but validates the settings and automatically constructs the correct command line syntax.
This method allows advanced settings such as configuration of the TLS/SSL server certificate to be applied
at deployment time. The interactive deployment wizard does not include these advanced settings.
You can download the VMware OVF Tool and its documentation by going to
https://www.vmware.com/support/developer/ovf/. Besides the standard commands described in the OVF
Tool documentation, you can use Access Point-specific options. For a list of the available properties and
options, see “Access Point Deployment Properties,” on page 27.
VMware, Inc.
23
Deploying and Configuring Access Point
Prerequisites for Access Point Deployment
n
Familiarize yourself with the deployment options available. See “Access Point Deployment Properties,”
on page 27. The following options are required: static IP address for the Access Point appliance, IP
address of the DNS server, password for the root user, and the URL of the Horizon server or load
balancer that this Access Point appliance will point to.
n
Determine how many network interfaces and static IP addresses to configure for the Access Point
appliance. See “Networking Requirements,” on page 18.
IMPORTANT Verify that you have assigned an IP pool to each network. The Access Point appliance can
then pick up the subnet mask and gateway settings at deployment time. To add an IP pool, in vCenter
Server, if you are using the native vSphere Client, go to the IP Pools tab of the data center.
Alternatively, if you are using the vSphere Web Client, you can create a network protocol profile. Go to
the Manage tab of the data center and select the Network Protocol Profiles tab. For more information,
see Configuring Protocol Profiles for Virtual Machine Networking.
n
Verify that the data store you plan to use for the appliance has enough free disk space and meets other
system requirements. The download size of the virtual appliance is 1.4GB. By default, for a thinprovisioned disk, the appliance requires 2.5GB, and a thick-provisioned disk requires 20GB. Also see
“Access Point System Requirements,” on page 17.
n
Download the .ova installer file for the Access Point appliance from the VMware Web site at
https://my.vmware.com/web/vmware/downloads, or determine the URL to use (example:
http://example.com/vapps/euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova), where Y.Y is the version
number and xxxxxxx is the build number.
Example OVF Tool Command That Uses Access Point Deployment Properties
Following is an example of a command for deploying an Access Point appliance using OVF Tool on a
Windows client machine:
ovftool --X:enableHiddenProperties ^
--powerOffTarget ^
--powerOn ^
--overwrite ^
--vmFolder=folder1 ^
--net:Internet="VM Network" ^
--net:ManagementNetwork="VM Network" ^
--net:BackendNetwork="VM Network" ^
-ds=PERFORMANCE-X ^
--name=name1 ^
--ipAllocationPolicy=fixedPolicy ^
--deploymentOption=onenic ^
--prop:ip0=10.20.30.41 ^
--prop:DNS=192.0.2.1 ^
--prop:[email protected] ^
--prop:rootPassword=vmware ^
--prop:viewDestinationURL=https://192.0.2.2 ^
--prop:viewDestinationURLThumbprints="sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b
dc 34" ^
euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova ^
vi://root:[email protected]/ExampleDC/host/ap
NOTE The caret characters at the ends of the lines are escape characters for line continuation on Windows,
which can be used in a BAT script. You can alternatively just type the entire command on one line.
24
VMware, Inc.
Chapter 2 System Requirements and Deployment
Following is an example of a command for deploying an Access Point appliance using OVF Tool on a Linux
client machine:
ovftool --X:enableHiddenProperties \
--powerOffTarget \
--powerOn \
--overwrite \
--vmFolder=folder1 \
--net:Internet="VM Network" \
--net:ManagementNetwork="VM Network" \
--net:BackendNetwork="VM Network" \
-ds=PERFORMANCE-X \
--name=name1 \
--ipAllocationPolicy=fixedPolicy \
--deploymentOption=onenic \
--prop:ip0=10.20.30.41 \
--prop:DNS=192.0.2.1 \
--prop:[email protected] \
--prop:rootPassword=vmware \
--prop:viewDestinationURL=https://192.0.2.2 \
--prop:viewDestinationURLThumbprints="sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b
dc 34" \
euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova \
vi://root:[email protected]/ExampleDC/host/ap
NOTE The backslashes at the ends of the lines are escape characters for line continuation on Linux, which
can be used in a Linux shell script. You can alternatively just type the entire command on one line.
If you use this command, you can then use the Access Point admin REST API to configure additional
settings such as the security certificate and secure gateways. Alternatively, you can use the settingsJSON
property to configure these settings at deployment time.
Example Using the settings.JSON Property
In addition to the deployment properties shown in the previous example, you can use the settingsJSON
property to pass a JSON string directly to the EdgeServiceSettings resource in the Access Point admin
REST API. In this manner, you can use the OVF Tool to set configuration properties during deployment that
must otherwise be set by using the REST API after deployment.
The following example shows how to use the settingsJSON property to enable the View edge service, so
that Access Point can point to and use View Connection Server or a Horizon Air Node. In addition to
specifying the Horizon server URL and the Horizon server thumbprint, the settingsJSON property sets the
external URLs for the secure gateways. This example uses escape characters for running the command on a
Windows client machine.
ovftool --X:enableHiddenProperties ^
--powerOffTarget ^
--powerOn ^
--overwrite ^
--vmFolder=folder1 ^
--net:Internet="VM Network" ^
--net:ManagementNetwork="VM Network" ^
--net:BackendNetwork="VM Network" ^
-ds="PERFORMANCE-X" ^
--name=name1 ^
--ipAllocationPolicy=fixedPolicy ^
--deploymentOption=onenic ^
VMware, Inc.
25
Deploying and Configuring Access Point
--prop:ip0=10.20.30.41 ^
--prop:DNS=192.0.2.1 ^
--prop:[email protected] ^
--prop:rootPassword=vmware ^
--prop:settingsJSON="{\"edgeServiceSettingsList\": { \"edgeServiceSettingsList\": [ ^
{ ^
\"identifier\": \"VIEW\", ^
\"enabled\": true, ^
\"proxyDestinationUrl\": \"https://192.0.2.2\", ^
\"proxyDestinationUrlThumbprints\": \"sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b
dc 34\", ^
\"pcoipEnabled\": true, ^
\"pcoipExternalUrl\": \"10.20.30.40:4172\", ^
\"blastEnabled\": true, ^
\"blastExternalUrl\": \"https://ap1.example.com:443\", ^
\"tunnelEnabled\": true, ^
\"tunnelExternalUrl\": \"https://ap1.example.com:443\", ^
\"proxyPattern\":\"/\" } ] }^
}" ^
euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova ^
vi://root:[email protected]/ExampleDC/host/ap
The following example uses escape characters for running the command on a Linux client machine. This
example also shows how to use the settingsJSON property to enable the View edge service, so that
Access Point can point to and use View Connection Server or a Horizon Air Node. In addition to specifying
the Horizon server URL and the Horizon server thumbprint, the settingsJSON property sets the external
URLs for the secure gateways.
ovftool --X:enableHiddenProperties \
--powerOffTarget \
--powerOn \
--overwrite \
--vmFolder=folder1 \
--net:Internet="VM Network" \
--net:ManagementNetwork="VM Network" \
--net:BackendNetwork="VM Network" \
-ds=PERFORMANCE-X \
--name=name1 \
--ipAllocationPolicy=fixedPolicy \
--deploymentOption=onenic \
--prop:ip0=10.20.30.41 \
--prop:DNS=192.0.2.1 \
--prop:[email protected] \
--prop:rootPassword=vmware \
--prop:settingsJSON='{"edgeServiceSettingsList": { "edgeServiceSettingsList": [ \
{ \
"identifier": "VIEW", \
"enabled": true, \
"proxyDestinationUrl": "https://192.0.2.2", \
"proxyDestinationUrlThumbprints": "sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b dc
34", \
"pcoipEnabled": true, \
"pcoipExternalUrl": "10.20.30.40:4172", \
"blastEnabled": true, \
"blastExternalUrl": "https://ap1.example.com:443", \
"tunnelEnabled": true, \
26
VMware, Inc.
Chapter 2 System Requirements and Deployment
"tunnelExternalUrl": "https://ap1.example.com:443", \
"proxyPattern":"/" } ] } \
}' \
euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova \
vi://root:[email protected]/ExampleDC/host/ap
IMPORTANT To use the View edge service, you must configure the external URLs for the secure tunnel, the
PCoIP Secure Gateway, and the Blast Secure Gateway at deployment time. This configuration step must be
done before you can use Access Point for View traffic. For more information about these URLs, see
“Configuring the Secure Gateways Used with the View Edge Service,” on page 44.
For a list of the REST API properties for configuring Access Point, see “Configuration Settings for System
Settings and Server Certificates,” on page 33.
Access Point Deployment Properties
For your convenience, almost all deployment properties can be set using either the deployment wizard or
the OVF Tool command-line interface.
For information about how to specify these properties by using the deployment wizard, see “Deploy the
Access Point Appliance,” on page 19. To specify the properties by using the OVF Tool command-line
interface, see “Using VMware OVF Tool to Deploy the Access Point Appliance,” on page 23.
IMPORTANT For production environments, VMware recommends that you use the sample PowerShell script
attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at
https://communities.vmware.com/docs/DOC-30835. Using the PowerShell script to deploy Access Point
overcomes the main difficulties of using OVF Tool directly on the command line. The script calls the OVF
Tool command but validates the settings and automatically constructs the correct command line syntax.
This method allows advanced settings such as configuration of the TLS/SSL server certificate to be applied
at deployment time. The interactive deployment wizard does not include these advanced settings.
Table 2‑1. Deployment Options Access Point
Deployment
Property
OVF Tool Option
Description
Deployment
configuration
--deploymentOption
{onenic|twonic|threenic}
Specifies how many network interfaces are
available in the Access Point virtual machine.
By default, this property is not set, which means
that one NIC is used.
External
(Internet-facing)
IP address
--prop:ip0=external-ip-address
(Required) Specifies public IPv4 address used for
accessing this virtual machine on the Internet.
NOTE The computer name is set through a DNS
query of this Internet IPv4 address.
Default: none.
Management
network IP
address
--prop:ip1=management-ip-address
Specifies the IP address of the interface that is
connected to the management network.
If not configured, the administration server
listens on the Internet-facing interface.
Default: none.
Back-end
network IP
address
--prop:ip2=back-end-ip-address
Specifies the IP address of the interface that is
connected to the back-end network.
If not configured, network traffic sent to the
back-end systems is routed through the other
network interfaces.
Default: none.
VMware, Inc.
27
Deploying and Configuring Access Point
Table 2‑1. Deployment Options Access Point (Continued)
Deployment
Property
OVF Tool Option
Description
DNS server
addresses
--prop:DNS=ip-of-name-server1[ ip-of-nameserver2 ...]
(Required) Specifies one or more space-separated
IPv4 addresses of the domain name servers for
this virtual machine (example: 192.0.2.1
192.0.2.2). You can specify up to three servers.
By default, this property is not set, which means
that the system uses the DNS server that is
associated with the Internet-facing NIC.
CAUTION If you leave this option blank and if no
DNS server is associated with the Internet-facing
NIC, the appliance will not be deployed
correctly.
Password for the
root user
--prop:rootPassword=password
(Required) Specifies the password for the root
user of this virtual machine. The password must
be a valid Linux password.
Default: none.
Password for the
admin user
--prop:adminPassword=password
If you do not set this password, you will not be
able to access the REST API on the Access Point
appliance.
Passwords must be at least 8 characters long,
contain at least one uppercase and one lowercase
letter, one digit, and one special character, which
includes ! @ # $ % * ( ).
Default: none.
Locale to use for
localized
messages
--prop:locale=locale-code
(Required) Specifies the locale to use when
generating error messages.
n
en_US for English
n
ja_JP for Japanese
n
fr_FR for French
n
de_DE for German
n
zh_CN for Simplified Chinese
n
zh_TW for Traditional Chinese
ko_KR for Korean
Default: en_US.
n
Syslog server
URL
28
--prop:syslogUrl=url-of-syslog-server
Specifies the Syslog server used for logging
Access Point events.
This value can be a URL or a host name or IP
address. The scheme and port number are
optional (example: syslog://server.example.com:
514).
By default, this property is not set, which means
that no events are logged to a syslog server.
VMware, Inc.
Chapter 2 System Requirements and Deployment
Table 2‑1. Deployment Options Access Point (Continued)
Deployment
Property
OVF Tool Option
Description
Horizon server
URL
--prop:proxyDestinationURL=URL
(Required) Specifies the destination URL of the
load balancer or Horizon server. The
Access Point appliance directs traffic to the
server at this destination.
The destination URL must contain the protocol,
host name or IP address, and port number
(example: https://load-balancer.example.com:
443)
Default: none.
Horizon server
thumbrpints
--prop:proxyDestinationURLThumbprints=
thumbprint-list
If you do not provide a comma-separated list of
thumbrpints, the server certificates must be
issued by a trusted CA.
The format includes the algorithm (sha1 or md5)
and the hexadecimal thumbprint digits (example:
sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1
7a f8 8b dc 34). To find these properties, browse
to the Horizon server URL, click the lock icon in
the address bar, and view the certificate details.
Default: none.
You can also use the settingsJSON property to specify other REST API configuration settings using OVF
Tool, such as for configuring the external URLs for the secure gateways. For more information, see
“Example Using the settings.JSON Property,” on page 25.
VMware, Inc.
29
Deploying and Configuring Access Point
30
VMware, Inc.
Configuring Access Point
3
You use the Access Point REST API to configure Access Point.
IMPORTANT After deployment, the first configuration task is to configure the clock (UTC) on the
Access Point appliance so that the appliance has the correct time. For example, open a console window on
the Access Point virtual machine and use arrow buttons to select the correct time zone. Also verify that the
ESXi host's time is synchronized with an NTP server, and verify that VMware Tools, which is running in the
appliance virtual machine, synchronizes the time on the virtual machine with the time on the ESXi host. Use
vCenter Server, rather than the REST API for this configuration task.
This chapter includes the following topics:
n
“Using the Access Point REST API,” on page 31
n
“Configuring TLS/SSL Certificates for Access Point Appliances,” on page 40
n
“Configuring the Secure Gateways Used with the View Edge Service,” on page 44
Using the Access Point REST API
To change or add configuration settings after you deploy the Access Point appliance, you can either use the
Access Point REST API or you can deploy the appliance again, using different settings.
The specification for the Access Point REST API is available at the following URL on the virtual machine
where Access Point is installed: https://access-point-appliance.example.com:9443/rest/swagger.yaml
You can use any REST client application, such as curl or postman. For example, the following command uses
a curl client to retrieve the Access Point configuration:
curl -k -u 'admin:Password' https://access-point-appliance.example.com:
9443/rest/v1/config/settings
In this example, Password is the password for the administrator and access-point-appliance.example.com is the
fully qualified domain name of the Access Point appliance. As a best practice with regards to security, you
can omit the password for the admin user from any scripts. When the password is omitted, the curl
command prompts you for the password and ensures that no passwords are inadvertently stored in script
files.
You also use JSON requests to invoke the Access Point REST API and make configuration changes. The
following example shows a configuration JSON for the View edge service. You could use the PUT method
for this request:
{
"identifier": "VIEW",
"enabled": true,
"proxyDestinationUrl": "https://192.0.2.1",
VMware, Inc.
31
Deploying and Configuring Access Point
"proxyDestinationUrlThumbprints": "sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b
dc 34",
"healthCheckUrl": "/favicon.ico",
"pcoipEnabled": true,
"pcoipExternalUrl": "10.20.30.40:4172",
"blastEnabled": true,
"blastExternalUrl": "https://ap1.example.com:8443",
"tunnelEnabled": true,
"tunnelExternalUrl": "https://ap1.example.com:443"
"proxyPattern": "/",
"matchWindowsUserName": false,
"gatewayLocation": "External",
"windowsSSOEnabled": false
}
This example shows the following settings:
Configuration
Options
identifier
enabled
NOTE Setting identifier to VIEW means that
Access Point can communicate with servers that use the
View XML protocol, such as View Connection Server,
Horizon Air, and Horizon Air Hybrid-mode. Setting
identifier to webreverseproxy means that you can use
the Web Reverse Proxy edge service, a feature that is
available with Access Point 2.6. For example, you would
use the Web Reverse Proxy edge service with
VMware Identity Manager.
Address of the Horizon server or load balancer
proxyDestinationUrl
Horizon server's security certificate thumbprint
proxyDestinationUrlThumbprints
This example also shows the following settings that are specific to the View edge service:
n
Settings for enabling the PCoIP Secure Gateway, the Blast Secure Gateway, and the Secure Tunnel
Gateway
n
The external URLs for the PCoIP Secure Gateway, the Blast Secure Gateway, and the Secure Tunnel
Gateway
n
A setting for enabling HTML Access (proxyPattern)
NOTE When you create a JSON request, provide the complete set of properties for that resource. Any
parameter that is not specified in the JSON call is reset to the default value. Alternatively, you can first
retrieve the parameters and then change the JSON string to the new values.
Reset the admin Password for the Access Point REST API
If the password for the admin user is unknown, or if problems prevent you from logging in to the REST API
to reset the password, you can use this procedure to reset the password.
Prerequisites
You must have the password for logging in to the virtual machine as the root user.
Procedure
1
32
Log in to the operating system of the Access Point appliance as the root user.
VMware, Inc.
Chapter 3 Configuring Access Point
2
Enter the following commands:
echo '[email protected]' > /opt/vmware/gateway/conf/firstboot.properties
chown gateway /opt/vmware/gateway/conf/firstboot.properties
supervisorctl restart admin
In this example, [email protected] is a password that is at least 8 characters long, contains at least one uppercase
and one lowercase letter, one digit, and one special character, which includes ! @ # $ % * ( ).
When the admin server reboots, it generates the following message in
the /opt/vmware/gateway/logs/admin.log file: Successfully set initial settings from
firstboot.properties.
What to do next
You can now log in to the REST administration interface using the user name admin and the password that
you just set (for example, [email protected]).
Configuration Settings for System Settings and Server Certificates
Use the Access Point REST API properties to configure the security certificates, protocols, and cipher suites
are used, set up smart card authentication, and more.
You can use the properties listed below to make configuration changes after the Access Point appliance is
deployed, or you can alternatively use the OVF Tool property
--X:enableHiddenProperties=settingsJSON in the list of properties to configure the appliance at
deployment time. For more information about how to use Access Point with the OVF Tool, see “Access
Point Deployment Properties,” on page 27.
System Settings
These settings are included in the SystemSettings resource. The URL is https://access-pointappliance.example.com:9443/rest/v1/config/system. In this URL, access-point-appliance.example.com is the fully
qualified domain name of the Access Point appliance.
Table 3‑1. REST API Properties for the SystemSettings Resource
REST API Property
Description and Example
Default Value
adminPassword
Specifies the administrator password for accessing
the REST API. Passwords must be at least 8
characters long, contain at least one uppercase and
one lowercase letter, one digit, and one special
character, which includes ! @ # $ % * ( ).
Not set unless set by the deployment
wizard or OVF Tool.
cipherList
Configures the cipher list to restrict the use of certain
cryptographic algorithms before establishing an
encrypted TLS/SSL connection. This setting is used
with the settings for enabling various security
protocols.
TLS_ECDHE_RSA_WITH_AES_128_CBC
_SHA256,TLS_ECDHE_RSA_WITH_AES
_128_CBC_SHA,TLS_RSA_WITH_AES_1
28_CBC_SHA
ssl30Enabled
Specifies whether the SSLv3.0 security protocol is
enabled.
FALSE
tls10Enabled
Specifies whether the TLSv1.0 security protocol is
enabled.
FALSE
tls11Enabled
Specifies whether the TLSv1.1 security protocol is
enabled.
TRUE
tls12Enabled
Specifies whether the TLSv1.2 security protocol is
enabled.
TRUE
VMware, Inc.
33
Deploying and Configuring Access Point
Table 3‑1. REST API Properties for the SystemSettings Resource (Continued)
REST API Property
Description and Example
Default Value
locale
Specifies the local to use for localized messages.
n en_US for English
n ja_JP for Japanese
n fr_FR for French
n de_DE for German
n zh_CN for Simplified Chinese
n zh_TW for Traditional Chinese
n ko_KR for Korean
en_US
syslogUrl
Specifies the Syslog server used for logging
Access Point events.
This value can be a URL or a host name or IP address.
The scheme and port number are optional (example:
syslog://server.example.com:514). .
Not set unless set by the deployment
wizard or OVF Tool.
healthCheckUrl
Specifies the URL that the load balancer connects and
checks the health of Access Point.
/favicon.ico which is a graphic inbuilt
in Access Point.
quiesceMode
Pause or alter a device or application to achieve a
consistent state.
FALSE
monitorInterval
Monitors the interval that the backend systems take
to respond to Access Point.
60 seconds
Server Certificate
These settings are included in the ServerCertificate resource. The URL is
https://access-point-appliance.example.com:9443/rest/v1/config/certs/ssl
In this URL, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance.
Table 3‑2. REST API Properties for the ServerCertificate Resource
REST API Property
Description and Example
Default Value
privateKeyPem
Specifies the private key for the certificate in
PEM format.
System-generated
certChainPem
Specifies the certificate chain in PEM format
System-generated
Configuration Settings for Edge Services
In addition to specifying system settings, you must configure the edge service for the type of role you want
Access Point to engage. For example, you configure the View edge service to use Access Point with
VMware Horizon 7 or VMware Horizon Air Hybrid-Mode. You configure the Web Reverse Proxy service to
use Access Point with VMware Identity Manager.
Edge Service Settings That Are Common to All Types of Edge Services
The properties listed in the following table must be configured regardless of which type of edge service you
configure. These settings are included in the EdgeServiceSettings resource. The REST API URL is
https://access-point-appliance.example.com:9443/rest/v1/config/edgeservice/edge-service-type. In this URL, accesspoint-appliance.example.com is the fully qualified domain name of the Access Point appliance.
NOTE The REST API properties for the resource are generic to View and VMware Identity Manager.
However, the specific supported properties are listed in the topics for View and Web Reverse Proxy services
exclusively.
34
VMware, Inc.
Chapter 3 Configuring Access Point
Table 3‑3. REST API Properties for the EdgeServiceSettings resource
REST API Property
Description and Example
Default Value
enabled
If set to TRUE, specifies that the edge service
is enabled.
FALSE
identifier
Specifies the type of edge service. The
following values are valid for the property:
None
n
VIEW uses the edge service for servers that
use the View XML protocol. These servers
can include View Connection Server,
which is included with VMware Horizon
6 and VMware Horizon 7, and servers
used with VMware Horizon Air and
VMware Horizon Air Hybrid-mode.
n
webreverseproxy uses the Web reverse
proxy edge service. This edge service
requires Access Point 2.6. Use this edge
service for VMware Identity Manager.
Specifies the URL of the VMware Horizon
server or load balancer to which the
Access Point appliance directs traffic.
This URL must contain the protocol, host
name or IP address, and port number
(example: https://load-balancer.example.com:
443).
None
proxyDestinationUrlThumbprints Specifies a list of Horizon server thumbrpints.
If you do not provide a comma-separated list
of thumbrpints, the server certificates must be
issued by a trusted CA.
The format includes the algorithm (sha1 or
md5) and the hexadecimal thumbprint digits,
for example sha1=b6 77 dc 9c 19 94 2e f1 78 f0
ad 4b ec 85 d1 7a f8 8b dc 34. To find these
properties
n Browse to the Horizon server URL.
n Click the lock icon in the address bar.
n View the certificate details.
None
proxyDestinationUrl
healthCheckUrl
Specifies the URL that the load balancer
connects to, and checks the health of
Access Point.
/favicon.ico - a graphic
inbuilt in Access Point.
unSecurePattern
Specifies the matching URI paths that are
forwarded to the destination URL.
None
VMware, Inc.
35
Deploying and Configuring Access Point
Table 3‑3. REST API Properties for the EdgeServiceSettings resource (Continued)
REST API Property
Description and Example
Default Value
authMethods
Specifies the type of authentication to use. Set
this property to one of the following values
unless you want to use pass-through
authentication:
By default, authentication is
passed through to the Horizon
server, which can be configured
for AD password, RSA SecurID,
RADIUS, or SAML.
authCookie
n
sp-auth, the default, means that
authentication is passed through to the
service provider (Horizon server).
n
certificate-auth means smart card
authentication is mandatory.
n
certificate-auth || sp-auth means
smart card authentication is optional. If a
smart card is not used, pass-through
authentication is used.
n
radius-auth && sp-auth means
RADIUS two-factor authentication is used
followed by pass-through.
n
securid-auth && sp-auth means RSA
SecurID authentication is used followed
by pass-through.
n
saml-auth means SAML authentication
is used.
n
saml-auth || sp-auth means SAML
authentication is optional. If SAML
authentication is not used, pass-through
authentication is used.
Specifies an authentication cookie name.
None
Edge Service Settings for View
These settings are included in the EdgeServiceSettings resource. Use this edge service to configure
Access Point to point to a server that uses the View XML protocol, such as View Connection Server, Horizon
Air, or Horizon Air Hybrid-mode. The REST API URL is https://access-point-appliance.example.com:
9443/rest/v1/config/edgeservice/view In this URL, access-point-appliance.example.com is the fully qualified
domain name of the Access Point appliance.
Table 3‑4. REST API Properties for the EdgeServiceSettings Resource for View
36
REST API Property
Description and Example
Default Value
tunnelEnabled
Specifies whether the View secure tunnel is
enabled.
FALSE
NOTE If you use VMware OVF
Tool to specify a value for the
proxyDestinationUrl
property, tunnelEnabled is set
to TRUE.
tunnelExternalUrl
Specifies an external URL of the Access Point
appliance, which clients will use for tunnel
connections through the View Secure
Gateway. This tunnel is used for RDP, USB,
and Multimedia Redirection (MMR) traffic.
https://appliance:443
(appliance is the fully qualified
domain name of the
Access Point appliance.)
pcoipEnabled
Specifies whether the PCoIP Secure Gateway
is enabled.
FALSE
NOTE If you use VMware OVF
Tool to specify a value for the
proxyDestinationUrl
property, pcoipEnabled gets set
to TRUE.
VMware, Inc.
Chapter 3 Configuring Access Point
Table 3‑4. REST API Properties for the EdgeServiceSettings Resource for View (Continued)
REST API Property
Description and Example
Default Value
pcoipExternalUrl
Specifies an external URL of the Access Point
appliance, which clients will use for secure
connections through the PCoIP Secure
Gateway. This connection is used for PCoIP
traffic.
applianceIP:4172
(applianceIP is the IPv4 address
of the Access Point appliance.)
blastEnabled
Specifies whether the Blast Secure Gateway is
enabled.
FALSE
NOTE If you use VMware OVF
Tool to specify a value for the
proxyDestinationUrl
property, blastEnabled gets set
to TRUE.
blastExternalUrl
Specifies an external URL of the Access Point
appliance, which allows end users to make
secure connections from their Web browsers
through the Blast Secure Gateway. This
connection is used for the HTML Access
feature.
https://appliance:8443
(appliance is the fully qualified
domain name of the
Access Point appliance.)
proxyPattern
Specifies the regular expression that matches
URIs that should be forwarded to the Horizon
server URL (proxyDestinationUrl). For View
Connection Server, a forward slash (/) is a
typical value for providing redirection to the
HTML Access Web client when using the
Access Point appliance.
(/|/viewclient(.*)|/portal(.*))
samlSP
Set this property for setting up smart card
authentication. See Chapter 5, “Setting Up
Smart Card Authentication,” on page 49.
None
matchWindowsUserName
Set this property to enable securID-auth to
true and then match SecureID and Windows
user name.
FALSE
gatewayLocation
Identifies the location from where the
connection request originates. The security
server and Access Point sets the gatewaylocation. The location can be external or
internal.
External
NOTE The admin can override
this location by providing the
correct configuration.
windowsSSOEnabled
Set this property to enable radius-auth to true.
The Windows login now uses the credentials
that were used in the first successful RADIUS
access request.
FALSE
Edge Service Settings for VMware Identity Manager Web Reverse Proxy
These settings are included in the EdgeServiceSettings resource. Use this edge service to configure a reverse
Web proxy for VMware Identity Manager. To use this edge service you must have Access Point 2.6.
The REST API URL is https://access-point-appliance.example.com:
9443/rest/v1/config/edgeservice/webreverseproxy. In this URL, access-point-appliance.example.com is the fully
qualified domain name of the Access Point appliance.
Table 3‑5. REST API Properties for the EdgeServiceSettings Resource for Web Reverse Proxy for vIDM
REST API Property
Description and Example
Values
enabled
Specifies whether the service is Enabled in
Access Point.
False
identifier
Specifies the type of edge service.
None
VMware, Inc.
37
Deploying and Configuring Access Point
Table 3‑5. REST API Properties for the EdgeServiceSettings Resource for Web Reverse Proxy for vIDM
(Continued)
38
REST API Property
Description and Example
Values
proxyDestinationUrl
Specifies the URL of the proxy requests that
the users request to Access Point to access a
service. For example, https://vidmserver.example.com.
None
healthCheckUrl
Specifies the URL that the load balancer
connects to and checks the health of
Access Point.
/favicon.ico - a graphic
inbuilt in Access Point.
proxyPattern
Specifies the matching URI paths that are
forwarded to the destination URL.
(/|/SAAS(.*)|/hc(.*)|/web(
.*)|/catalog-portal(.*))
VMware, Inc.
Chapter 3 Configuring Access Point
Table 3‑5. REST API Properties for the EdgeServiceSettings Resource for Web Reverse Proxy for vIDM
(Continued)
REST API Property
Description and Example
Values
unSecurePattern
Specifies an unsecured URL pattern for a
login page. This is static content.
(/catalogportal(.*)|/|/SAAS/|/SAAS
|/SAAS/API/1.0/GET/image(.
*)|/SAAS/horizon/css(.*)
|/SAAS/horizon/angular(.*)
|/SAAS/horizon/js(.*)|/SAA
S/horizon/jslib(.*)|/SAAS/auth/login(.
*)|/SAAS/jersey/manager/ap
i/branding|/SAAS/horizon/i
mages/(.*)|/SAAS/jersey/ma
nager/api/images/(.*)|/h
c/(.*)/authenticate/(.*)
|/hc/static/(.*)|/SAAS/aut
h/saml/response|/SAAS/aut
h/authenticatedUserDispatc
her|/web(.*)|/SAAS/app
s/|/SAAS/horizon/portal/(.
*)|/SAAS/horizon/fonts(.*)
|/SAAS/API/1.0/POST/sso(.*
)|/SAAS/API/1.0/REST/syste
m/info(.*)|/SAAS/API/1.0/R
EST/auth/cert(.*)|/SAAS/AP
I/1.0/REST/oauth2/activat
e(.*)|/SAAS/API/1.0/GET/us
er/devices/register(.*)|/S
AAS/API/1.0/oauth2/token(.
)|/SAAS/API/1.0/REST/oauth
2/session(.*)|/SAAS/API/1.
0/REST/user/resources(.*)
|/hc/t/(.* )/(.*)/authenti
cate(.*)|/SAAS/API/1.0/RES
T/auth/logout(.*)|/SAAS/au
th/saml/response(.*)|/SAA
S/(.*)/(.*)auth/login(.*)
|/SAAS/API/1.0/GET/apps/la
unch(.*)|/SAAS/API/1.0/RES
T/user/applications(.*)|/S
AAS/auth/federation/sso(.*
)|/SAAS/auth/oauth2/author
ize(.*)|/hc/prepareSaml/fa
ilure(.*)|/SAAS/auth/oauth
token(.*)|/SAAS/API/1.0/GE
T/metadata/idp.xml|/SAAS/a
uth/saml/artifact/resolve(
.*)|/hc/(.*)/authAdapter(.
*)|/hc/authenticate/(.*)
|/SAAS/auth/logout|/SAAS/c
ommon.js|/SAAS/auth/launch
Input(.*)|/SAAS/launchUser
sApplication.do(.*)|/hc/AP
I/1.0/REST/thinapp/downloa
d(.*)|/hc/t/(.*)/(.*)/logo
ut(.*))
authCookie
Specifies an authentication cookie name.
HZN
loginRedirectURL
If the user connects to a protected URL, he is
redirected.
/SAAS/auth/login?dest=%s
VMware, Inc.
39
Deploying and Configuring Access Point
Configuring TLS/SSL Certificates for Access Point Appliances
TLS/SSL is required for client connections to Access Point appliances. Client-facing Access Point appliances
and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.
TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that
guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users
no longer receive messages asking them to verify the certificate, and thin client devices can connect without
requiring additional configuration.
A default TLS/SSL server certificate is generated when you deploy an Access Point appliance. For
production environments, VMware strongly recommends that you replace the default certificate as soon as
possible. The default certificate is not signed by a trusted CA. Use the default certificate only in a nonproduction environment
Selecting the Correct Certificate Type
You can use various types of TLS/SSL certificates with Access Point. Selecting the correct certificate type for
your deployment is crucial. Different certificate types vary in cost, depending on the number of servers on
which they can be used.
Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your
certificates, no matter which type you select. Do not use a simple server name or IP address, even for
communications within your internal domain.
Single Server Name Certificate
You can generate a certificate with a subject name for a specific server. For example: dept.example.com.
This type of certificate is useful if, for example, only one Access Point appliance needs a certificate.
When you submit a certificate signing request to a CA, you provide the server name that will be associated
with the certificate. Be sure that the Access Point appliance can resolve the server name you provide so that
it matches the name associated with the certificate.
Subject Alternative Names
A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is being issued.
You use this attribute to add subject names (URLs) to a certificate so that it can validate more than one
server.
For example, three certificates might be issued for the Access Point appliances that are behind a load
balancer: ap1.example.com, ap2.example.com, and ap3.example.com. By adding a Subject Alternative Name
that represents the load balancer host name, such as horizon.example.com in this example, the certificate will
be valid because it will match the host name specified by the client.
Wildcard Certificate
A wildcard certificate is generated so that it can be used for multiple services. For example: *.example.com.
A wildcard is useful if many servers need a certificate. If other applications in your environment in addition
to Access Point appliances need TLS/SSL certificates, you can use a wildcard certificate for those servers,
too. However, if you use a wildcard certificate that is shared with other services, the security of the
VMware Horizon product also depends on the security of those other services.
NOTE You can use a wildcard certificate only on a single level of domain. For example, a wildcard
certificate with the subject name *.example.com can be used for the subdomain dept.example.com but not
dept.it.example.com.
40
VMware, Inc.
Chapter 3 Configuring Access Point
Certificates that you import into the Access Point appliance must be trusted by client machines and must
also be applicable to all instances of Access Point and any load balancer, either by using wildcards or by
using Subject Alternative Name (SAN) certificates.
Convert Certificate Files to One-Line PEM Format
To use the Access Point REST API to configure certificate settings, or to use the PowerShell scripts, you must
convert the certificate into PEM-format files for the certificate chain and the private key, and you must then
convert the .pem files to a one-line format that includes embedded newline characters.
When configuring Access Point, there are three possible types of certificates you might need to convert.
n
You should always install and configure a TLS/SSL server certificate for the Access Point appliance.
n
If you plan to use smart card authentication, you must install and configure the trusted CA issuer
certificate for the certificate that will be put on the smart card.
n
If you plan to use smart card authentication, VMware recommends that you install and configure a root
certificate for the signing CA for the SAML server certificate that is installed on the Access Point
appliance.
For all of these types of certificates, you perform the same procedure to convert the certificate into a PEMformat file that contains the certificate chain. For TLS/SSL server certificates and root certificates, you also
convert each file to a PEM file that contains the private key. You must then convert each .pem file to a oneline format that can be passed in a JSON string to the Access Point REST API.
Prerequisites
n
Verify that you have the certificate file. The file can be in PKCS#12 (.p12 or .pfx) format or in Java JKS
or JCEKS format.
n
Familiarize yourself with the openssl command-line tool that you will use to convert the certificate. See
https://www.openssl.org/docs/apps/openssl.html.
n
If the certificate is in Java JKS or JCEKS format, familiarize yourself with the Java keytool commandline tool to first convert the certificate to .p12 or .pks format before converting to .pem files.
Procedure
1
If your certificate is in Java JKS or JCEKS format, use keytool to convert the certificate to .p12 or .pks
format.
IMPORTANT Use the same source and destination password during this conversion.
2
If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12
format, use openssl to convert the certificate to .pem files.
For example, if the name of the certificate is mycaservercert.pfx, use the following commands to
convert the certificate:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercert.pem
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem
3
VMware, Inc.
Edit mycaservercert.pem and remove any unnecessary certificate entries. It should contain the one SSL
server certificate followed by any necessary intermediate CA certificates and root CA certificate.
41
Deploying and Configuring Access Point
4
Use the following UNIX command to convert each .pem file to a value that can be passed in a JSON
string to the Access Point REST API:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem
In this example, cert-name.pem is the name of the certificate file.
The new format places all the certificate information on a single line with embedded newline
characters. If you have an intermediate certificate, that certificate must also be in one-line format and
add to the first certificate so that both certificates are on the same line.
You can now configure certificates for Access Point by using these .pem files with the PowerShell scripts
attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at
https://communities.vmware.com/docs/DOC-30835. Alternatively, you can create and use a JSON request to
configure the certificate.
What to do next
If you converted an TLS/SSL server certificate, see “Replace the Default TLS/SSL Server Certificate for
Access Point,” on page 42. For smart card certificates, see Chapter 5, “Setting Up Smart Card
Authentication,” on page 49.
Replace the Default TLS/SSL Server Certificate for Access Point
To store a trusted CA-signed TLS/SSL server certificate on the Access Point appliance, you must convert the
certificate to the correct format and use PowerShell scripts or the Access Point REST API to configure the
certificate.
For production environments, VMware strongly recommends that you replace the default certificate as soon
as possible. The default TLS/SSL server certificate that is generated when you deploy an Access Point
appliance is not signed by a trusted Certificate Authority.
IMPORTANT Also use this procedure for periodically replacing a certificate that has been signed by a trusted
CA before the certificate expires, which might be every two years.
This procedure describes how to use the REST API to replace the certificate. An easier alternative might be
to use the PowerShell scripts attached to the blog post "Using PowerShell to Deploy VMware Access Point,"
available at https://communities.vmware.com/docs/DOC-30835. If you have already deployed the named
Access Point appliance, then running the script again will power off the appliance, delete it, and redeploy it
with the current settings you specify.
Prerequisites
n
Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed
certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain
a certificate, make sure that a private key is generated also. Do not generate certificates for servers using
a KeyLength value under 1024.
To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will
use to connect to the Access Point appliance and the organizational unit, organization, city, state, and
country to complete the Subject name.
42
n
Convert the certificate to PEM-format files and convert the .pem files to one-line format. See “Convert
Certificate Files to One-Line PEM Format,” on page 41.
n
Familiarize yourself with the Access Point REST API. The specification for this API is available at the
following URL on the virtual machine where Access Point is installed: https://access-pointappliance.example.com:9443/rest/swagger.yaml.
VMware, Inc.
Chapter 3 Configuring Access Point
Procedure
1
Create a JSON request for submitting the certificate to the Access Point appliance.
{
"privateKeyPem": "string",
"certChainPem": "string"
}
In this example, the string values are the JSON one-line PEM values that you created as described in the
prerequisites.
2
Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST
API and store the certificate and key on the Access Point appliance.
The following example uses a curl command. In the example, access-point-appliance.example.com is the
fully qualified domain name of the Access Point appliance, and cert.json is the JSON request you
created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/certs/ssl < ~/cert.json
What to do next
If the CA that signed the certificate is not well known, configure clients to trust the root and intermediate
certificates.
Change the Security Protocols and Cipher Suites Used for TLS or SSL
Communication
Although in almost all cases, the default settings do not need to be changed, you can configure the security
protocols and cryptographic algorithms that are used to encrypt communications between clients and the
Access Point appliance.
The default setting includes cipher suites that use either 128-bit or 256-bit AES encryption, except for
anonymous DH algorithms, and sorts them by strength. By default, TLS v1.1 and TLS v1.2 are enabled. TLS
v1.0 is disabled and SSL v3.0 are disabled.
Prerequisites
n
Familiarize yourself with the Access Point REST API. The specification for this API is available at the
following URL on the virtual machine where Access Point is installed: https://access-pointappliance.example.com:9443/rest/swagger.yaml.
n
Familiarize yourself with the specific properties for configuring the cipher suites and protocols:
cipherSuites, ssl30Enabled, tls10Enabled, tls11Enabled, and tls12Enabled. See
“Configuration Settings for System Settings and Server Certificates,” on page 33.
Procedure
1
Create a JSON request for specifying the protocols and cipher suites to use.
The following example has the default settings.
{
"cipherSuites":
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA",
"ssl30Enabled": "false",
"tls10Enabled": "false",
"tls11Enabled": "true",
"tls12Enabled": "true"
}
VMware, Inc.
43
Deploying and Configuring Access Point
2
Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST
API and configure the protocols and cipher suites.
In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/system < ~/ciphers.json
ciphers.json is the JSON request you created in the previous step.
The cipher suites and protocols that you specified are used.
Configuring the Secure Gateways Used with the View Edge Service
For a View deployment, by default the secure tunnel, PCoIP Secure Gateway, and Blast Secure Gateway are
all enabled on the Access Point appliance. The external URLs need to be set to values that can be used by
remote Horizon clients to connect to the Access Point appliance for the tunnel connection, the PCoIP
connection, and the Blast connection, respectively.
Table 3‑6. Examples of the Secure Gateway Settings
Type of Secure Gateway
Property Name
Example Setting
Secure tunnel
tunnelExternalUrl
https://ap1.example.com:443
PCoIP Secure Gateway
pcoipExternalUrl
10.20.30.40:4172
Blast Secure Gateway
blastExternalUrl
https://ap1.example.com:443
For more information about these properties, see “Configuration Settings for Edge Services,” on page 34.
The PCoIP external URL must use an IPv4 address. The other URLs can use an IP address or a host name
that can be resolved by the client on the external network, which is usually the Internet. These external
addresses are used only by the clients. The connection from the client for all three URLs must route to the
specific Access Point appliance and must not be load-balanced. In a NAT environment, the addresses must
be the external addresses and not the internal NAT addresses .
The following example shows a configuration JSON that includes these properties.
{
"identifier": "VIEW",
"enabled": true,
"proxyDestinationUrl": "https://192.0.2.1",
"proxyDestinationUrlThumbprints": "sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b
dc 34",
"healthCheckUrl": "/favicon.ico",
"pcoipEnabled": true,
"pcoipExternalUrl": "10.20.30.40:4172",
"blastEnabled": true,
"blastExternalUrl": "https://ap1.example.com:443",
"tunnelEnabled": true,
"tunnelExternalUrl": "https://ap1.example.com:443",
"proxyPattern": "/",
"matchWindowsUserName": false,
"gatewayLocation": "External",
"windowsSSOEnabled": false
}
44
VMware, Inc.
Chapter 3 Configuring Access Point
These settings are included in the EdgeServiceSettings resource. The URL is https://access-pointappliance.example.com:9443/rest/v1/config/edgeservice/view In this URL, access-point-appliance.example.com is
the fully qualified domain name of the Access Point appliance.
You can configure these settings by using the VMware OVF Tool directly. For an example, see “Using
VMware OVF Tool to Deploy the Access Point Appliance,” on page 23.
VMware, Inc.
45
Deploying and Configuring Access Point
46
VMware, Inc.
Collecting Logs from the Access
Point Appliance
4
You can enter a URL in a browser to get a ZIP file that contains logs from your Access Point appliance.
Use the following URL to collect logs from your Access Point appliance.
https://access-point-appliance.example.com:9443/rest/v1/monitor/support-archive
In this example, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance.
These log files are collected from the /opt/vmware/gateway/logs directory on the appliance.
The following tables contain descriptions of the various files included in the ZIP file.
Table 4‑1. Files That Contain System Information to Aid in Troubleshooting
File Name
Description
df.log
Contains information about disk space usage.
netstat.log
Contains information about network connections.
ap_config.json
Contains the current configuration settings for the Access Point appliance.
ps.log
Includes a process listing.
ifconfig.log
Contains information about network interfaces.
free.log
Contains information about memory usage.
Table 4‑2. Log Files for Access Point
File Name
Description
esmanager.log
Contains log messages from the Edge Service Manager process, which listens on ports 443
and 80.
authbroker.log
Contains log messages from the AuthBroker process, which handles authentication
adapters.
admin.log
Contains log messages from the process that provides the Access Point REST API on port
9443.
admin-zookeeper.log
Contains log messages related to the data layer that is used to store Access Point
configuration information.
tunnel.log
Contains log messages from the tunnel process that is used as part of XML API processing.
bsg.log
Contains log messages from the Blast Secure Gateway.
SecurityGateway_*.log
Contains log messages from the PCoIP Secure Gateway.
The log files that end in "-std-out.log" contain the information written to stdout of various processes and
are usually empty files.
VMware, Inc.
47
Deploying and Configuring Access Point
48
VMware, Inc.
Setting Up Smart Card Authentication
5
By default, Access Point uses pass-through authentication, so that users enter their Active Directory
credentials, and these credentials are sent through to a back-end system for authentication. You can,
however, configure the Access Point appliance to perform smart card authentication.
With smart card authentication, a user or administrator inserts a smart card into a smart card reader
attached to the client computer and enters a PIN. Smart card authentication provides two-factor
authentication by verifying both what the person has (the smart card) and what the person knows (the PIN).
End users can use smart cards for logging in to a remote View desktop operating system and also for smartcard enabled applications, such as an email application that uses the certificate for signing emails to prove
the identity of the sender.
With this feature, smart card certificate authentication is performed against Access Point, and Access Point
communicates information about the end user's X.509 certificate and the smart card PIN to the Horizon
server by using a SAML assertion.
You can also set up authentication so that Access Point requires smart card authentication but then
authentication is also passed through to the Horizon server, which might require Active Directory
authentication. To configure this type of chained authentication, see the authMethods property, described
in “Configuration Settings for Edge Services,” on page 34.
NOTE For VMware Identity Manager, authentication is always only passed through Access Point to
VMware Identity Manager. You can configure smart card authentication to be performed on the Access
Point appliance only if Access Point is being used with Horizon 6 or Horizon 7.
This chapter includes the following topics:
n
“Generate Access Point SAML Metadata,” on page 50
n
“Creating a SAML Authenticator for View Connection Server,” on page 51
n
“Copy Service Provider SAML Metadata to Access Point,” on page 55
n
“Obtain the Certificate Authority Certificates,” on page 56
n
“Configure Smart Card Settings on the Access Point Appliance,” on page 57
VMware, Inc.
49
Deploying and Configuring Access Point
Generate Access Point SAML Metadata
You must generate SAML metadata on the Access Point appliance and exchange metadata with the Horizon
server to establish the mutual trust required for smart card authentication.
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and
exchange authentication and authorization information between different security domains. SAML passes
information about users between identity providers and service providers in XML documents called SAML
assertions. In this scenario, Access Point is the identity provider and the Horizon server is the service
provider.
In this procedure, you generate Access Point SAML metadata by using the Access Point REST API. Related
topics will describe how to copy this generated SAML metadata to the applicable Horizon server.
Prerequisites
n
Configure the clock (UTC) on the Access Point appliance so that the appliance has the correct time. For
example, open a console window on the Access Point virtual machine and use arrow buttons to select
the correct time zone. Also verify that the ESXi host's time is synchronized with an NTP server, and
verify that VMware Tools, which is running in the appliance virtual machine, synchronizes the time on
the virtual machine with the time on the ESXi host.
IMPORTANT If the clock on the Access Point appliance does not match the clock on the Horizon server
host, smart card authentication might not work.
n
Obtain a SAML signing certificate that you can use to sign the Access Point metadata.
NOTE VMware recommends that you create and use a specific SAML signing certificate when you have
more than one Access Point appliance in your setup. In this case, all appliances must be configured
with the same signing certificate so that the Horizon server can accept assertions from any of the
Access Point appliances. With a specific SAML signing certificate, the SAML metadata from all of the
appliances is the same.
n
If you have not done so already, convert the SAML signing certificate to PEM-format files and convert
the .pem files to one-line format. See “Convert Certificate Files to One-Line PEM Format,” on page 41.
Procedure
1
Create a JSON request for generating the SAML metadata for the Access Point appliance.
n
If you do not have a SAML signing certificate for the Access Point appliance, the body of the JSON
request is empty brackets:
{}
n
If you do have a SAML signing certificate, use the following syntax:
{
"privateKeyPem": "string",
"certChainPem": "string"
}
In this example, the string values are the JSON one-line PEM values that you created as described
in the prerequisites.
50
VMware, Inc.
Chapter 5 Setting Up Smart Card Authentication
2
Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST
API and generate Access Point metadata.
The following example uses a curl command. In the example, access-point-appliance.example.com is the
fully qualified domain name of the Access Point appliance, and ap-metadata.json is the JSON request
you created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X POST https://access-pointappliance.example.com:9443/rest/v1/config/idp-metadata < ~/ap-metadata.json
3
Use a REST client to get the generated metadata, and then copy the metadata.
curl -k -u 'admin' https://access-point-appliance.example.com:9443/rest/v1/config/idpmetadata
The contents of this file begin with the following text:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...
What to do next
Use the copied Access Point SAML metadata to create a SAML authenticator on the applicable Horizon
server.
n
For a Horizon 6 server, see “Create a SAML Authenticator on View Connection Server 6.2,” on
page 53.
n
For a Horizon 7 server, see “Create a SAML Authenticator on a Horizon 7 Connection Server,” on
page 51.
Creating a SAML Authenticator for View Connection Server
The process of creating an authenticator for Horizon 6 servers is different from the process for Horizon 7
servers.
In general, the process involves pasting Access Point SAML metadata into the correct configuration setting
on the View Connection Server instance and then extending the expiration period of the metadata.
Create a SAML Authenticator on a Horizon 7 Connection Server
For Horizon 7 servers, you can use the View Administrator UI to create a manual SAML authenticator. You
copy the SAML metadata generated on Access Point and then paste the text into SAML metadata text box in
the View Administrator UI.
You associate an Access Point SAML authenticator with a View Connection Server instance. If your
deployment includes more than one View Connection Server instance, you must associate the SAML
authenticator with each instance.
NOTE If you need to create a SAML authenticator on a Horizon 6 server, see “Create a SAML Authenticator
on View Connection Server 6.2,” on page 53.
Prerequisites
n
Verify that the root certificate for the signing CA for the SAML server certificate is installed on the
connection server host. VMware does not recommend that you configure SAML authenticators to use
self-signed certificates. For information about certificate authentication, see the View Installation
document.
n
Generate SAML metadata on the Access Point appliance and then copy the metadata. See .“Generate
Access Point SAML Metadata,” on page 50
VMware, Inc.
51
Deploying and Configuring Access Point
Procedure
1
In View Administrator, select Configuration > Servers.
2
On the Connection Servers tab, select a server instance to associate with the SAML authenticator and
click Edit.
3
On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon
(SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.
Option
Description
Disabled
SAML authentication is disabled. You can launch remote desktops and
applications only from Horizon Client.
Allowed
SAML authentication is enabled but not required..
Required
SAML authentication is enabled. You can use smart cards when launching
remote desktops and applications only through connections to
Access Point.
You can configure each View Connection Server instance in your deployment to have different SAML
authentication settings, depending on your requirements.
4
Click Manage SAML Authenticators and click Add.
5
For Type, select Static and configure the SAML authenticator in the Add SAML 2.0 Authenticator
dialog box.
6
Option
Description
Label
Unique name that identifies the SAML authenticator.
Description
Brief description of the SAML authenticator. This value is optional.
SAML metadata
Metadata text that you generated and copied from the Access Point
appliance.
Enabled for Connection Server
Select this check box to enable the authenticator. You can enable multiple
authenticators. Only enabled authenticators are displayed in the list.
Click OK to save the SAML authenticator configuration.
If you provided valid information, you must either accept the self-signed certificate (not recommended)
or use a trusted certificate for View and Access Point.
The Manage SAML Authenticators dialog box displays the newly created authenticator.
7
In the System Health section on the View Administrator dashboard, select Other components > SAML
2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
If the configuration is successful, the authenticator's health is green. An authenticator's health can
display red if the certificate is untrusted, if Access Point is unavailable, or if the metadata URL is
invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the
certificate.
What to do next
Extend the expiration period of the View Connection Server metadata so that remote sessions are not
terminated after only 24 hours. See “Change the Expiration Period for Service Provider Metadata on View
Connection Server,” on page 54.
52
VMware, Inc.
Chapter 5 Setting Up Smart Card Authentication
Create a SAML Authenticator on View Connection Server 6.2
For Horizon 6 version 6.2 servers, you must create a manual SAML authenticator in View Connection
Server. You copy the SAML metadata generated on Access Point and then use the ADSI Edit utility on the
View Connection Server host to edit the View LDAP and paste in the metadata. You also edit the View
LDAP to change the expiration period for SAML assertions.
If you do not change the expiration period, View Connection Server will stop accepting SAML assertions
from the SAML authenticator, such as Access Point or a third-party identity provider, after 24 hours, and the
metadata exchange must be repeated. Use this procedure to specify the number of days that can elapse
before View Connection Server stops accepting SAML assertions from the identity provider. This number is
used when the current expiration period ends. For example, if the current expiration period is 1 day and you
specify 90 days, after 1 day elapses, View Connection Server generates metadata with an expiration period
of 90 days.
NOTE This procedure provides instructions for creating the SAML authenticator and changing the
expiration period if you are using Horizon 6 servers. For Horizon 6 servers, you must edit View LDAP. For
Horizon 7 features, you can instead use a page in the View Administrator UI. For instructions, see “Create a
SAML Authenticator on a Horizon 7 Connection Server,” on page 51.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows
operating system version.
Procedure
1
Start the ADSI Edit utility on your View Connection Server 6.2 host.
2
In the console tree, select Connect to.
3
4
In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name
DC=vdi, DC=vmware, DC=int.
In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the
View Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.example.com:389
5
Expand the ADSI Edit tree, expand OU=Properties, right-click OU=Authenticator and select New >
Object.
6
In the Create Object wizard, select pae-SAMLAuthenticator and click Next.
7
In the Value text box, enter a name, such as ap for Access Point, click Next, and click Finish.
The object appears in the right pane. For this example, the name of the object is CN=ap.
VMware, Inc.
53
Deploying and Configuring Access Point
8
Double-click the CN=name object and edit the following attributes.
Attribute
Description
pae-SAMLLabel
Supply a name of the SAML authenticator. This label will appear in View
Connection Server, in the View Connection Server authentication settings.
pae-SAMLMetaDataXml
Paste in the SAML metadata that you generated on the Access Point
appliance. Make sure metadata does not contain escape characters before
double quotes. For example, the correct format is <?xml version="1.0"
and not <?xml version=\"1.0\".
pae-SAMLMetaDataUrl
(Optional) If you specify a URL in this attribute (for example,
https://access-point.example.com), the URL will be displayed in the
Manage Authenticators dialog box in View Administrator.
A new SAML authenticator is created.
On View Connection Server, the new settings take effect immediately. You do not need to restart the View
Connection Server service or the client computer.
What to do next
Extend the expiration period of the View Connection Server metadata so that remote sessions are not
terminated after only 24 hours. See “Change the Expiration Period for Service Provider Metadata on View
Connection Server,” on page 54.
Change the Expiration Period for Service Provider Metadata on View
Connection Server
If you do not change the expiration period, View Connection Server will stop accepting SAML assertions
from the SAML authenticator, such as Access Point or a third-party identity provider, after 24 hours, and the
metadata exchange must be repeated.
Use this procedure to specify the number of days that can elapse before View Connection Server stops
accepting SAML assertions from the identity provider. This number is used when the current expiration
period ends. For example, if the current expiration period is 1 day and you specify 90 days, after 1 day
elapses, View Connection Server generates metadata with an expiration period of 90 days.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows
operating system version.
Procedure
1
Start the ADSI Edit utility on your View Connection Server host.
2
In the console tree, select Connect to.
3
4
In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name
DC=vdi, DC=vmware, DC=int.
In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the
View Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.example.com:389
5
Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click OU=Common
in the right pane.
6
In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values
cs-samlencryptionkeyvaliditydays=number-of-days
cs-samlsigningkeyvaliditydays=number-of-days
54
VMware, Inc.
Chapter 5 Setting Up Smart Card Authentication
In this example, number-of-days is the number of days that can elapse before a remote View Connection
Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML
metadata must be repeated.
Copy Service Provider SAML Metadata to Access Point
After you create and enable a SAML authenticator so that Access Point can be used as an identity provider,
you can generate SAML metadata on that back-end system and use the metadata to create a service provider
on the Access Point appliance. This exchange of data establishes trust between the identity provider (
Access Point) and the back-end service provider, such as View Connection Server.
Prerequisites
Verify that you have created a SAML authenticator for Access Point on the back-end service provider server.
n
For a Horizon 7 server, see “Create a SAML Authenticator on a Horizon 7 Connection Server,” on
page 51.
Procedure
1
Retrieve the service provider SAML metadata, which is generally in the form of an XML file.
For instructions, refer to the documentation for the service provider.
Different service providers have different procedures. For example, for View Connection Server, you
open a browser and enter a URL such as: https://connection-server.example.com/SAML/metadata/sp.xml
You can then use a Save As command to save the Web page to an XML file. The contents of this file
begin with the following text:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...
2
Use a REST client, such as curl or postman, to invoke the Access Point REST API and store the metadata
on the Access Point appliance.
curl -k -d @- -u 'admin' -H "Content-Type: text/xml" -X POST https://access-pointappliance.example.com:9443/rest/v1/config/sp-metadata/service-provider-name < connectionserver-metadata.xml
In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance, service-provider-name is the name to use for a View Connection Server service provider, and
connection-server-metadata.xml is the metadata file you created in the previous step.
Access Point and the service provider can now exchange authentication and authorization information.
What to do next
To verify that the POST command worked, you can use a GET command with the same URL.
If you copied View Connection Server metadata, to verify that the Access Point SAML authenticator is
successfully configured, open the ADSI Edit utility on the View Connection Server host, connect to View
LDAP (DC=vdi, DC=vmware, DC=int), and in the ADSI Edit tree, under OU=Properties, select OU=Server,
and double-click the CN=name item in the right pane. The pae-SAMLConfigDN attribute is populated with
the distinguished name.
VMware, Inc.
55
Deploying and Configuring Access Point
Obtain the Certificate Authority Certificates
You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the
smart cards presented by your users and administrators. These certificates include root certificates and can
include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate
authority.
If you do not have the root or intermediate certificate of the CA that signed the certificates on the smart
cards presented by your users and administrators, you can export the certificates from a CA-signed user
certificate or a smart card that contains one. See “Obtain the CA Certificate from Windows,” on page 56.
Procedure
u
Obtain the CA certificates from one of the following sources.
n
A Microsoft IIS server running Microsoft Certificate Services. See the Microsoft TechNet Web site
for information on installing Microsoft IIS, issuing certificates, and distributing certificates in your
organization.
n
The public root certificate of a trusted CA. This is the most common source of a root certificate in
environments that already have a smart card infrastructure and a standardized approach to smart
card distribution and authentication.
Obtain the CA Certificate from Windows
If you have a CA-signed user certificate or a smart card that contains one, and Windows trusts the root
certificate, you can export the root certificate from Windows. If the issuer of the user certificate is an
intermediate certificate authority, you can export that certificate.
Procedure
1
If the user certificate is on a smart card, insert the smart card into the reader to add the user certificate
to your personal store.
If the user certificate does not appear in your personal store, use the reader software to export the user
certificate to a file. This file is used in Step 4 of this procedure.
2
In Internet Explorer, select Tools > Internet Options.
3
On the Content tab, click Certificates.
4
On the Personal tab, select the certificate you want to use and click View.
If the user certificate does not appear on the list, click Import to manually import it from a file. After the
certificate is imported, you can select it from the list.
5
On the Certification Path tab, select the certificate at the top of the tree and click View Certificate.
If the user certificate is signed as part of a trust hierarchy, the signing certificate might be signed by
another higher-level certificate. Select the parent certificate (the one that actually signed the user
certificate) as your root certificate. In some cases, the issuer might be an intermediate CA.
6
On the Details tab, click Copy to File.
The Certificate Export Wizard appears.
56
7
Click Next > Next and type a name and location for the file that you want to export.
8
Click Next to save the file as a root certificate in the specified location.
VMware, Inc.
Chapter 5 Setting Up Smart Card Authentication
Configure Smart Card Settings on the Access Point Appliance
On the Access Point appliance, you must enable smart card authentication, copy in the certificate, and
change the authentication type to smart card authentication.
Prerequisites
n
Get the trusted CA issuer certificate that was used to sign the X.509 certificates for the smart cards. See
“Obtain the Certificate Authority Certificates,” on page 56. for the certificate that will be put on the
smart card.
n
Convert the certificate to a PEM-format file that contains the certificate chain. See “Convert Certificate
Files to One-Line PEM Format,” on page 41. If you have an intermediate certificate, that certificate must
immediately follow the first certificate, and both certificates must be on the same one line.
n
Verify that you have copied Access Point SAML metadata to the service provider and copied the service
provider SAML metadata to Access Point appliance. See “Generate Access Point SAML Metadata,” on
page 50 and “Copy Service Provider SAML Metadata to Access Point,” on page 55.
n
Familiarize yourself with the smart card certificate properties and determine which settings to use. See
“Smart Card Certificate Properties for Advanced Options,” on page 58.
n
If you use a load balancer between Access Point and the service provider instances, verify that TLS/SSL
termination is not done on the load balancer. The load balancer must be configured to pass
authentication through to the back-end service provider, such as View Connection Server.
Procedure
1
Use a REST client, such as curl or postman, to invoke the Access Point REST API and get the default
certificate settings.
The following example uses a curl command. In the example, access-point-appliance.example.com is the
fully qualified domain name of the Access Point appliance.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/authmethod/certificate-auth
2
Paste this information into a JSON request for enabling smart card authentication and pasting in the
certificate.
The following two properties are the required properties to configure. You can also change the defaults
for the other properties.
{
"enabled": "true",
"caCertificates": "-----BEGIN CERTIFICATE------ ... -----END CERTIFICATE------"
}
In this example, the ellipses (...) indicates the middle content of the certificate text. The format of
certificate text must be one-line format that can be passed in a JSON string to the Access Point REST
API, as described in the prerequisites.
For caCertificates, you can specify multiple certificates using spaces as separators. When a user
initiates a connection to the Access Point appliance, Access Point sends a list of trusted certificate
authorities (CAs) to the client system. The client system checks the list of trusted CAs against the
available user certificates, selects a suitable certificate, and then prompts the user to enter a smart card
PIN. If there are multiple valid user certificates, the client system prompts the user to select a certificate.
VMware, Inc.
57
Deploying and Configuring Access Point
3
Use a REST client, such as curl or postman, to use the JSON request to invoke the Access Point REST
API and store the certificate on the Access Point appliance and enable smart card authentication.
The following example uses a curl command. In the example, access-point-appliance.example.com is the
fully qualified domain name of the Access Point appliance, and smartcard.json is the JSON request you
created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/authmethod/certificate-auth < ~/smartcard.json
4
Use a REST client to get the default edge service settings for the edge service you are using.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/edgeservice/VIEW
This example uses the VIEW edge service because for this release smart card authentication is
supported only if you use the VIEW edge service.
5
Paste this information into a JSON request for enabling smart card authentication for the View server
and add the authMethods and samlSP properties.
{
"identifier": "VIEW",
"enabled": true,
"authMethods": "certificate-auth",
"samlSP": "connection-server-sp"
}
For readability, this example shows only the required properties for configuring smart card
authentication, and not the long list of properties included in edge service configuration. When you
create the JSON request, copy and paste all of the edge service settings you are using and be sure to add
or configure these smart card properties.
connection-server-sp is an example of a service provider name. You specified a service provider name
when you copied the service provider metadata to the Access Point appliance.
6
Use a REST client to send the JSON request to the Access Point API and configure the edge service to
use smart card authentication.
In the following example, smartauth.json is the JSON request you created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/edgeservice/VIEW < ~/smartauth.json
End users can now use smart cards when logging in to Access Point.
Smart Card Certificate Properties for Advanced Options
Smart card authentication properties provide functionality for certificate revocation, consent forms, and
configuring the subject alternative name.
You can prevent users who have revoked user certificates from authenticating with smart cards by
configuring certificate revocation checking. Certificates are often revoked when a user leaves an
organization, loses a smart card, or moves from one department to another.
Access Point supports certificate revocation checking with certificate revocation lists (CRLs) and with the
Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that
issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an
X.509 certificate.
When you configure both types of certificate revocation checking, Access Point attempts to use OCSP first
and can be configured to fall back to CRL if OCSP fails. Access Point does not fall back to OCSP if CRL fails.
The CA must be accessible from the Access Point host.
58
VMware, Inc.
Chapter 5 Setting Up Smart Card Authentication
When you use the REST API to get the configuration data for smart card authentication, you see a list of the
items you can configure. For example, you can use a GET request with the following URL:
https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth
If you have not changed any configuration settings, the following default settings are returned.
"enableOCSP": null,
"ocspSigningCert": null,
"caCertificates": null,
"displayName": "CertificateAuthAdapter",
"versionNum": null,
"enableAlternateUPN": "",
"className": "com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapter",
"sendOCSPNonce": null,
"enabled": "false",
"enableCertCRL": "true",
"enableOCSPCRLFailover": "true",
"enableConsentForm": null,
"ocspURL": null,
"jarFile": "/opt/vmware/gateway/data/authbroker/certificate-auth-adapter-0.1.jar",
"enableCertRevocation": "",
"name": "certificate-auth",
"certificatePolicies": null,
"consentForm": null,
"authMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
"crlLocation": null,
"enableEmail": "",
"crlCacheSize": "100"
Table 5‑1. Smart Card Certificate Properties That You Can Configure
Property Name
Description
Valid Values
enableOCSP
Specifies whether to use Online Certificate Status
Protocol (OCSP) for certificate revocation checking.
When this setting is enabled, Access Point sends a
request to an OCSP responder to determine the
revocation status of a specific user certificate.
The default is true.
true or false
ocspSigningCert
Specifies the path to the OCSP responder's
certificate, if known.
Path to the file on the OCSP responder
host (for
example, /path/to/file.cer).
caCertificates
(Required) Specifies one or more trusted CA
certificates in PEM format.
Each certificate's text has the format
"-----BEGIN
CERTIFICATE------ ... -----END
CERTIFICATE------" where the
ellipsis points (...) indicate the middle
content of the certificate text. Separate
multiple certificates with spaces.
enableAlternateUPN
Specifies whether to use alternative fields in the
Subject Alternative Name.
Smart card logins use the user principal name
(UPN) from Active Directory to validate user
accounts.
If the domain a smart card user resides in is
different from the domain that your root certificate
was issued from, you must set the user's UPN to
the Subject Alternative Name (SAN) contained in
the root certificate of the trusted CA.
true or false
VMware, Inc.
59
Deploying and Configuring Access Point
Table 5‑1. Smart Card Certificate Properties That You Can Configure (Continued)
Property Name
Description
Valid Values
sendOCSPNonce
Specifies whether to include a nonce in the OCSP
request and require that the nonce be included in
the response. A nonce is an arbitrary number used
only once in a cryptographic communication.
true or false
enabled
(Required) Specifies whether to use smart card
certificate authentication. You must change this
setting to true.
The default is false.
true or false
enableCertCRL
Specifies whether to use the CRL Distribution
Points extension of the certificate.
true or false
enableOCSPCRLFailover
Specifies whether to use a certificate revocation list
if OCSP fails.
The default is true.
true or false
enableConsentForm
Specifies whether to present users with a consent
form window before they log in using certificate
authentication.
true or false
ocspURL
Specifies the URL of the OCSP responder to use for
the revocation check (for example,
http://ocspurl.com).
A URL that begins with http or https.
enableCertRevocation
Specifies whether to use certificate revocation
checking.
true or false
certificatePolicies
Specifies the object Identifier (OID) list that is
accepted in the Certificate Policies extension.
An OID
consentForm
Specifies the content of the consent form to be
displayed to users.
Text.
crlLocation
Specifies the location of the certificate revocation
list to use for the revocation check.
URL or file path (for example,
http://crlurl.crl or
file:///crlFile.crl).
NOTE Do not use ldap: URLs.
enableEmail
60
Specifies whether to use the RFC822 field in
Subject Alternative Name if no UPN (user
principal name) is found in the certificate.
true or false
VMware, Inc.
Setting Up Two-Factor Authentication
6
You can configure an Access Point appliance so that users are required to use RSA SecurID authentication or
RADIUS (Remote Authentication Dial-In User Service) authentication.
Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication
managers, installed on separate servers, you must have those servers configured and accessible to the
Access Point appliance. For example, if you use RSA SecurID, the authentication manager would be RSA
Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS server.
To use two-factor authentication, each user must have a token, such as an RSA SecurID token, that is
registered with its authentication manager. A two-factor authentication token is a piece of hardware or
software that generates an authentication code at fixed intervals. Often authentication requires knowledge
of both a PIN and an authentication code.
You can also set up authentication so that Access Point requires SecurID or RADIUS authentication but then
authentication is also passed through to the Horizon server, which might require Active Directory
authentication. To configure this type of chained authentication, see the authMethods property, described
in “Configuration Settings for Edge Services,” on page 34.
NOTE For VMware Identity Manager, authentication is always only passed through Access Point to
VMware Identity Manager. You can configure two-factor authentication to be performed on the Access
Point appliance only if Access Point is being used with Horizon 6, Horizon 7, or Horizon Air Hybrid-mode.
This chapter includes the following topics:
n
“Configure RSA SecurID Authentication on the Access Point Appliance,” on page 61
n
“Configure RADIUS Authentication on the Access Point Appliance,” on page 63
Configure RSA SecurID Authentication on the Access Point Appliance
On the Access Point appliance, you must enable RSA SecurID authentication, copy in the contents of the
configuration file for the RSA SecureID server, and change the authentication type to RSA SecurID
authentication.
Prerequisites
n
Verify that the server to be used as the authentication manager server has the RSA SecurID software
installed and configured.
n
Export the sdconf.rec file from the RSA Secure Authentication Manager server. See the RSA
Authentication Manager documentation.
VMware, Inc.
61
Deploying and Configuring Access Point
Procedure
1
After downloading the sdconf.rec file from the RSA Secure Authentication Manager server, run the
following commands to change the file format into Base64 and convert that format to a one-line format
that can be passed in a JSON string to the Access Point REST API.
a
Run a command, Linux base64 command to produce the Base64 encoding format for the
sdconf.rec file.
base64 sdconf.rec > sdconfBase64.txt
b
Run a cat command to convert the Base64 file to single-line JSON format.
cat sdconfBase64.txt | tr '\n' '\\' | sed -e 's/\\/\\n/g'
2
Use a REST client, such as curl or postman, to invoke the Access Point REST API and get the default
RSA SecurID authentication settings.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/authmethod/securid-auth
In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance .
3
Paste the output of the cat command into the serverConfig field of a JSON request for enabling RSA
SecurID authentication.
The following properties are the required properties to configure. You can also change the defaults for
the other properties.
{
"enabled": "true",
"name": "securid-auth",
"numIterations": "5",
"externalHostName": "10.20.30.40",
"internalHostName": "10.20.30.40",
"nameIdSuffix": ""
"serverConfig": ""OwYFI7owv5UrAdlfnOsW2 ... nVesmbkLRjNOYxqm"
}
In this example, the ellipses indicate the middle content of the base64 sdconfBase64.txt file. The format
of this file must be one-line format that can be passed in a JSON string to the Access Point REST API.
Use externalHostName to specify the external address of the Access Point appliance that is specified in
the SecurID server's agent, and use internalHostName to specify the internal, static IP address of the
Access Point appliance.
Use numIterations to specify the number of attempts that are allowed for logging in. In this example, a
user is allowed 5 attempts to supply the correct SecurID code.
4
Use a REST client to get the default edge service settings for the Horizon server.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/edgeservice/VIEW
This example specifies the VIEW edge service because for this release two-factor authentication is
supported only if you use the View edge service.
62
VMware, Inc.
Chapter 6 Setting Up Two-Factor Authentication
5
Paste the following information into a JSON request for enabling RSA SecurID authentication for the
Horizon server and add the authMethods property.
{
"identifier": "VIEW",
"enabled": true,
"proxyDestinationUrl": "https://horizon-server.example.com",
"proxyDestinationUrlThumbprints": "sha1=40 e6 98 9e a9 d1 bc 6f 86 8c c0 ad b1 ea ff f7 4a
3b 12 8c",
"authMethods": "securid-auth"
}
This example shows only some of the properties that are common to all edge services. In this example,
horizon-server.example.com is the fully qualified domain name of the Horizon server. You specified this
name when you deployed the Access Point appliance. The text for
proxyDestinationUrlThumbprints is an example only. Replace this text with the thumbprint of your
destination server.
6
Use a REST client to send the JSON request to the Access Point API and configure the edge service to
use RSA SecurID authentication.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/edgeservice/edge-service-ID < ~/rsa-auth.json
In the following example, rsa-auth.json is the JSON request you created in the previous step.
End users can now use RSA SecurID tokens when logging in to Access Point.
Configure RADIUS Authentication on the Access Point Appliance
On the Access Point appliance, you must enable RADIUS authentication, specify some configuration
settings from the RADIUS server, and change the authentication type to RADIUS authentication.
Prerequisites
n
Verify that the server to be used as the authentication manager server has the RADIUS software
installed and configured. Follow the vendor's configuration documentation.
n
Make a note of the RADIUS server's host name or IP address, the port number on which it is listening
for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MSCHAPv1, or
MSCHAPv2), and the shared secret.
You can enter values for a primary and a secondary RADIUS authenticator.
Procedure
1
Use a REST client, such as curl or postman, to invoke the Access Point REST API and get the default
RADIUS authentication settings.
In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point
appliance.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/authmethod/radius-auth
2
To enable RADIUS authentication, create a JSON request by using the settings returned from the curl
or postman command.
Access Point 2.6 supports three new properties for RADIUS authentication.
VMware, Inc.
63
Deploying and Configuring Access Point
Table 6‑1. Properties for Radius Authentication
Option
Description
directAuthChainedUsername
Enables direct authentication to RADIUS server during
auth chaining. Default value is NULL.
enabledAux
Enables the secondary RADIUS server when set to
TRUE. Default value is FALSE.
nameIdSuffix
Specifies the nameId which enables View to provide
TrueSSO experience. It is empty by default.
The properties shown in the following example are the required properties to configure. You can also
change the defaults for the other properties.
{
"enabled": "true",
"name": "radius-auth",
"hostName": "10.10.10.10",
"hostName_2": "20.20.20.20",
"serverTimeout": "3",
"serverTimeout_2": "3",
"radiusDisplayHint": "",
"numIterations": "5",
"numAttempts": "5",
"numAttempts_2": "5",
"realmPrefix": "",
"realmPrefix_2": "",
"realmSuffix": "",
"realmSuffix_2": "",
"authPort": "1812",
"authPort_2": "1812",
"accountingPort": "0",
"accountingPort_2": "0",
"sharedSecret": "_PASSWORD_PLACEHOLDER_J94SP2QO45E6R8X2M_",
"sharedSecret_2": "_PASSWORD_PLACEHOLDER_J94SP2QO45E6R8X2M_",
"authType": "MSCHAP2",
"authType_2": "PAP"
}
64
Property
Description
hostName
The IP address of the RADIUS server. Use hostName_2 to specify a
secondary server.
serverTimeout
The number of seconds taken for the server timeout interval. Use
serverTimeout_2 to configure the secondary server. For all of the
following properties, the property names with "_2" are for configuring the
secondary server, if you use one.
numAttempts
The number of login attempts that are allowed. In this example, a user is
allowed 5 attempts to supply the correct RADIUS code.
realmPrefix
The string that is placed at the beginning of the user name when it is sent
to the RADIUS server. For example, if the user name entered is jdoe and
the realm prefix is DOMAIN-A\, the user name DOMAIN-A\jdoe is sent to the
RADIUS server.
realmSuffix
If you specify a realm suffix or postfix string, the string that is placed at the
end of the user name when it is sent to the RADIUS server. For example, if
the user name entered is jdoe and the realm suffix is @mycorp.com, the
user name [email protected] is sent to the RADIUS server.
authPort
The authentication port number of the RADIUS server. The default is 1812.
VMware, Inc.
Chapter 6 Setting Up Two-Factor Authentication
3
Property
Description
accountingPort
Set this port to 0 unless you want to enable RADIUS accounting. Set this
port to a non-zero number only if your RADIUS server supports collecting
accounting data. If the RADIUS server does not support accounting
messages and you set this port to a non-zero number, the messages are
sent, ignored, and retried a number of times, resulting in a delay in
authentication.
Accounting data is used to bill users based on usage time and data.
Accounting data can also be used for statistical purposes and for general
network monitoring.
sharedSecret
The shared secret.
authType
The authentication type: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2.
Use a REST client to get the default edge service settings for the Horizon server.
curl -k -u 'admin' https://access-point-appliance.example.com:
9443/rest/v1/config/edgeservice/VIEW
This example specifies the VIEW edge service because for this release two-factor authentication is
supported only if you use the VIEW edge service.
4
Paste this information into a JSON request for enabling RADIUS authentication for the Horizon server
and add the authMethods property.
{
"identifier": "VIEW",
"enabled": true,
"proxyDestinationUrl": "https://horizon-server.example.com",
"proxyDestinationUrlThumbprints": "sha1=40 e6 98 9e a9 d1 bc 6f 86 8c c0 ad b1 ea ff f7 4a
3b 12 8c",
"authMethods": "radius-auth"
}
This example shows only some of the properties that are common to all edge services. In this example,
horizon-server.example.com is the fully qualified domain name of the Horizon server. You specified this
name when you deployed the Access Point appliance. The text for
proxyDestinationUrlThumbprints is an example only. Replace this text with the thumbprint of your
destination server.
5
Use a REST client to send the JSON request to the Access Point API and configure the edge service to
use RADIUS authentication.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-pointappliance.example.com:9443/rest/v1/config/edgeservice/edge-service-ID < ~/radius-auth.json
In the following example, radius-auth.json is the JSON request you created in the previous step.
End users can now use a RADIUS code when logging in to Access Point.
VMware, Inc.
65
Deploying and Configuring Access Point
66
VMware, Inc.
Index
A
S
Access Point overview 7
Access Point documentation 5
admin password for the REST API 32
authentication 49
SAML 50, 51
SAML 2.0 authenticators, configuring in View
Administrator 51
SAML authenticators for View Connection
Server 51
SAML metadata for service providers 55
security protocols 43
smart cards, exporting user certificates 56
software requirements 17
SSL server certificates 42
system requirements 17
C
certificate revocation lists 58
cipher suites 43
D
deployment, appliance 17
deployment properties 27
deployment wizard 19
T
expiration period for SAML metadata 53, 54
TLS/SSL certificates 40
topologies 12
two-factor authentication 61
F
V
firewall rules 8
View Connection Server 19
E
H
hardware requirements 17
L
logs, collecting 47
O
OVF Tool 23
P
PCoIP Secure Gateway 44
PEM format for security certificates 41
R
RADIUS authentication, enabling 63
requirements 17
REST API 31
REST API properties for Access Point 33, 34
root certificates
exporting 56
obtaining 56
RSA SecurID authentication
configuring 61
enabling 61
VMware, Inc.
67
Deploying and Configuring Access Point
68
VMware, Inc.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement