Implementing PCoIP Proxy as a Security Server or Access Point Alternative

VMware’s Horizon Security Server and Access Point provides secure access to sessions over an unsecured WAN and/or Internet connection. Typically, the Security Server/Access Point is placed within an organization’s DMZ and proxies connections to internal Horizon desktop and application resources. F5 BIG-IP Access Policy Manager (APM) provides an alternative method for secure access to Horizon desktop and application resources by simplifying your VMware Horizon with View architecture, improving security, and increasing scalability.

Harden Security and Increase Scalability

F5 BIG-IP Access Policy Manager is the industry’s first Application Delivery Networking solution that brings full PCoIP proxy capabilities—certified by Teradici—to the market. This permits IT administrators to replace the View Security Server with a more secure and highly scalable solution in support of their end-user computing deployments. BIG-IP APM is an ICSA Labs–certified flexible, high-performance access and security solution that provides unified global access to your applications and network. BIG-IP APM converges and consolidates remote access, LAN access, and wireless connections within a single management interface and provides easy-to-manage access policies. These capabilities help you free up valuable IT resources and scale cost-effectively.

Simplifying Your Horizon Architecture

Because BIG-IP APM removes the pairing dependency between Security Servers and Connection Servers, the overall architecture can not only be simplified, but a higher level of scalability can be achieved. In addition to BIG-IP APM, F5 BIG-IP Local Traffic Manager (LTM) can provide intelligent traffic management and load balancing to the Connection Servers. The reduction in the overall number of components that need to be managed results in increased productivity for IT administrators, which is especially critical for multi-site or multi-pod VMware Horizon deployments.

Traffic Flow

The diagram outlines the traffic flow of an external Horizon Client connection when using the BIG-IP Access Policy Manager (APM) Module as a Security Server/Access Point alternative:

1. Device connects in from the untrusted network.
2. Connection to APM made over HTTPS using the client or the F5 APM WebTop Portal.
3. User logs in.
4. APM processes the authentication (single/multi-factor) to AD and/or other authentication source (LDAPS/RADIUS, etc.)
5. Once user is validated, APM sends a request to the load balanced pool of Connection Servers to get a list of authorized applications and desktops using HTTPS or HTTP.
6. The user is then presented with the list of available and authorized desktops and applications.
7. User selects the application or desktop to launch.
8. Request then sent from client and proxied to View Connection Server via HTTPS – client receives desktop and/or application source machine info (including the public/client facing IP address if using NAT).
9. Client establishes a connection to the virtual desktop or RDS application server to the APM via PCoIP, or HTML 5 (using HTML Access) using HTTPS . The APM proxies this connection back to the virtual desktop or RDS application server.

We've developed a step-by-step guide for implementing PCoIP Proxy, which you can download here. You can also do a walk through of this very setup in the VMware Hands-On-Lab  (Look for HOL-MBL-1659) by clicking on the following link - http://labs.hol.vmware.com/HOL/catalogs/lab/2078.