One of the benefits of virtual desktop and application publishing infrastructures is the ability to grant employees, contractors, and other third parties remote access to internal systems without having to give them laptops or VPN access.
One of the main ways to accomplish this in VMware Horizon deployments is to deploy the Horizon Security Server. The Horizon Security Server is a Windows Server that runs a subset of the Horizon Connection Server services. The main function of the Security Server is to proxy Horizon traffic back to the Connection Server that it is paired with. When high availability is required, it can be deployed with a third-party load balancer to disperse connections across multiple Security Servers.
But the Horizon Security Server has its own set of eccentricities that make it less than ideal for some environments. For starters, it requires placing Windows servers in a DMZ, and many organizations have policies that restrict where Windows-based servers can be used because of their larger attack surface. Firewall setup between the trusted and DMZ networks can also be complicated, as the connection requires either IPsec and JMS on ports 4001 and 4002 or a large number of ports to be opened. The Security Server also needs to be able to reach the subnets where virtual desktops and RDSH servers reside.
One of the other challenges with the Security Server is that it has to be paired to a Connection Server, and all traffic that hits a particular Security Server will always be funneled to the same Connection Server. If that Connection Server is down or unavailable, any Security Server that has paired with it is useless.
The EUC Access Point
In order to address some of these challenges, VMware has released a new component in Horizon 6.2 – the EUC Access Point. The EUC Access Point is a purpose-built hardened appliance designed to work with both Horizon View and Workspace/VMware Identity Manager. It runs the same version of SUSE Linux as other VMware virtual appliances.
There are a couple of benefits to using the new virtual appliance instead of the Windows-based Security Server. First, these appliances are purpose-built for DMZ and Internet-facing deployments. They are hardened and locked down, and they have a very small attack surface. Using them also reduces the number of Windows licenses that you will need for your environment.
The second benefit of the new appliances is that they are disposable. Whenever an appliance breaks, or when an upgrade is released, the appliance can be removed from the environment and quickly redeployed. Management is done through a REST-based API in order to facilitate this, and it is easy to automate the configuration when the appliance is deployed.
One of the side benefits of having a disposable virtual appliance is that you do not need to pair the new EUC Access Points with a Connection Server. The appliances will work with a pool of Connection Servers by simply pointing the appliance’s proxy to a load-balanced URL, and if a Connection Server is unavailable, the EUC Access Points will just be directed to a different server by the load balancer. This won’t impact user connections to their desktops or published applications.
The current version of the new appliance only supports Horizon View, and Workspace support will be added in a future release.
The new EUC Access Point is available now as part of Horizon 6.2. If you’d like to learn more about VMware’s Horizon Suite and other mobility solutions, you can schedule a briefing at the AHEAD Lab and Briefing Center. At this center, we offer you time with subject matter experts to discuss strategy and the opportunity to test and assess the latest technology offerings.