VMware View has the ability to create a security server in the DMZ that allows a network administrator to tunnel through from the external DMZ firewall to the internal DMZ firewall. The security server accepts only HTTP/HTTPS traffic from the Web and tunnels it through the internal firewall to the VMware View Desktop Manager Server.
If there were no security server, other ports would need to be opened to the Web -- creating additional security issues. These ports could be used for RDP, Java and View communication. The security server ensures that these types of communication stay restricted to the DMZ. The network configuration would look similar to that in Figure 1, which depicts online Web-based training and internal classroom training.
Figure 1: Network configuration for online Web-based and internal classroom training.
The red dotted line shows communication from an external student's desktop to a virtual desktop via the security server, which keeps the external student on a path the IT department controls. In this scenario, the student is given a unique username such as Student01. That user is then placed in the Active Directory Organizational Unit (OU) assigned to the virtual desktop pool. When the training class is refreshed for a new set of students, the trainer only needs to change the passwords of that same set of accounts in the OU. This lets the trainer quickly prepare the classroom for the new students while ensuring that the previous set of students can no longer access the virtual desktops.
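One way to script the refresh step described above, as an added example rather than anything from the article: every Student account in the training OU is reset to a fresh random password so the previous class loses access. The OU distinguished name, the Student* naming pattern and the use of the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example (not from the original article): rotate the passwords of every
# student account in the training OU before the next class.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the caller holds
# reset-password rights on the OU, and the OU path below is a placeholder.
Import-Module ActiveDirectory

$TrainingOU     = 'OU=TrainingStudents,DC=example,DC=com'   # placeholder DN
$PasswordLength = 14

function New-RandomPassword {
    param([int]$Length)
    # Draw bytes from the OS CSPRNG rather than Get-Random. The character set
    # has exactly 64 entries (ambiguous glyphs I, O and l removed), so taking
    # each byte modulo 64 is uniform and introduces no bias.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Reset-StudentPasswords {
    param([string]$SearchBase, [int]$Length)
    # Only accounts directly inside the training OU that follow the Student01,
    # Student02, ... naming convention are touched; nothing else in AD changes.
    $students = Get-ADUser -Filter "SamAccountName -like 'Student*'" `
                           -SearchBase $SearchBase -SearchScope OneLevel
    foreach ($user in $students) {
        $plain  = New-RandomPassword -Length $Length
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        # -Reset sets a new password without knowing the old one, which is
        # exactly what invalidates the previous student's credentials.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        [pscustomobject]@{ Account = $user.SamAccountName; TemporaryPassword = $plain }
    }
}

# Hand-out list for the instructor. It contains live credentials, so keep it
# in a controlled location and destroy it once the passwords have been issued.
$handout = Reset-StudentPasswords -SearchBase $TrainingOU -Length $PasswordLength
$handout | Format-Table -AutoSize
```

Running this between classes is the whole refresh: the pool, the OU membership and the usernames stay the same, and only the secrets change.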
The RSA SecurID two-factor authentication component, which can be added to the VMware View user login, also affects security. Unfortunately, this option cannot be used for students who aren't employees, since the RSA system requires each user to have a SecurID fob -- a small device that generates the one-time codes used during sign-in. Given the dynamic nature of training environments, the class instructor cannot distribute fobs to students.
An internal classroom training scenario, on the other hand, is simpler to secure, since users are onsite at the company's training facility and the internal network is never exposed to the Web. Security is still a major factor, but AD and network policies are enough to lock down the environment, and no security server is needed.
ABOUT THE AUTHOR:
Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. Brad can be reached at firstname.lastname@example.org for any questions, comments or suggestions.
This was first published in May 2009