acmenanax.blogg.se

Replacement for forefront tmg 2010

My friend Richard Hicks had some great information on his ForeFront TMG blog that was pertinent to this project. In the PCoIP publishing rule, notice how you need both TCP and UDP, and of course, the correct direction. of the View 5 Architecture Planning Guide illustrates this pretty well. A View session with the display setting of PCoIP will use both of the publishing rules. A View session with the display setting of RDP will use only the HTTPS publisher. To make View work, you will need two publishing rules. The server will still have its private address as it resides in the DMZ, but would take on one of the assigned public IP addresses bound to the external interface of the TMG appliance. In this case, that would be the View Security Server. These are for the purposes of securely exposing a server that you want visible to the outside world. In the screen above, near the bottom, you see two Publishing rules. Here is what my rules looked like for a successful implementation of VMware View in TMG 2010.

Creating Publishing rules for VMware View in TMG 2010

Access rules typically define access in a From/To arrangement. The next step will be to build some access rules.


My implementation at this time does not include a View Transfer Server, so if your deployment includes this, please refer to the installation guide.

Creating Access Rules for VMware View in TMG 2010

Hopefully, what I provide will help bridge the gap on anything confusing in the manual. I appreciate the detail, and it is all technically correct, but it can be a little confusing. of the VMware View Security Reference will detail the ports and access needed.


Here was the list (as I named them) that was used as a part of my rule sets. For the sake of keeping track of all of the user-defined protocols, I always included the name “View” (to remember its purpose), the direction, type, and the port number. In order to build the rules properly, you will first need to define some “User-Defined” protocols.


It will make the work later on easier.

Creating Custom Protocols for VMware View in TMG 2010

For clarity, I will just show the rules that are used for getting VMware View to work. Before you get started, make sure you have planned out all of the system names and IP addresses of the various Connection Servers, VMs running the View Agent. vCenter, and SQL databases providing services for vCenter, and View Composer. For those who have their vSphere Management network on a separate network by way of a simple VLAN, your rules will be simpler than mine. View connection server dedicated for communication with the Security Server. View connection server dedicated for access from the inside. (a pretty picture of this can be seen in Part 2)

Network Leg

All users connecting to our View environment. My network design was a fairly straightforward, 4 legged topology. Sometimes this is not always practical, but in this case, I found that I only had to make a few adjustments before things were working perfectly with all of the components. Since all of the supporting components of VMware View will need to communicate across network segments anyway, I suggest making accommodations in your firewall before you start building the View components. While the screen captures are directly from TMG, much of the information here would apply to other security solutions. For me, access to these segments is managed by a Celestix MSA 5200i, 6 port Firewall running Microsoft ForeFront Threat Management Gateway (TMG) 2010. This post is simply going to focus on the security rules to do such a thing. We are almost at the point of installing and configuring the VMware View components, but before that is addressed, the most prudent step is to ensure that the right type of traffic can communicate across the different isolated network segments. Part 2, I left off with how VMware View was going to be constructed in my environment.














