VMware Access Point: Better Security for VDI
The virtual appliance improves on View Security Server.
When VMware first announced Access Point, I was confused about what it was, what it did, and how it fit into VMware's portfolio of products. Was it already a product? Would it replace View Security Server? Was it part of Horizon? How was it deployed and how was it integrated? Luckily, VMware's Mark Benson led an excellent session on Access Point at VMworld 2015. In the session, Mark answered most of my questions and was kind enough to answer some follow-up questions on Access Point.
What is Access Point?
Access Point is a virtual appliance that allows secure access from the Internet to VMware Horizon virtual desktops and RDSH servers. It can be thought of as a replacement for View security server. Access Point isn't new; it was initially developed and deployed with Horizon Air for cloud-hosted desktops. Access Point takes many of the best features of View security server and combines them with new technology on a secure OS platform to bring it in line with current and future requirements of Horizon View. In the future it will work with other VMware products that require end-user authentication and secure connectivity into a datacenter.
One of the issues with View security server is that it runs on Windows Server, and thus inherits the challenges of trying to run a Windows server in a DMZ. These challenges range from trying to keep the OS patched to having secondary applications (such as Web servers) running on it. Access Point runs on a hardened Linux OS (SUSE Linux 11), and as such removes many of these challenges. As a secondary benefit, Access Point uses only a fraction of the CPU (2 CPUs vs. 4 CPUs), memory (4GB vs. 12GB), and disk resources (20GB vs. 70GB) that a View security server does. Moreover, it doesn't require a Windows Server license.
View security servers have a one-to-one relationship with View connection servers, which severely limits the architectural designs in which they can be deployed. Access Point removes this limitation and can be paired with multiple connection servers, allowing a load balancer to be used to divide the load among as many connection servers as appropriate.
Figure 1 shows a load balancer being used in front of an Access Point appliance (which View security server also supports), as well as on the back end (which View security server does not support). This allows greater flexibility in design and can provide better end-to-end continuity.
Access Point is deployed as an OVF file. The OVF is available at no additional cost to those with a Horizon license. I believe, however, that Access Point will eventually replace Horizon security server; currently both are supported by Horizon, and they can be run in the same environment.
Command Line Only
Access Point supports all the features, protocols, and authentication methods (except for smart cards) of Horizon security server. The one drawback to Access Point is that it must be configured and managed via the command line.
Access Point looks like a solid replacement for security server. VMware's documentation on Deploying and Configuring Access Point can be found here.
Tom Fenton works in VMware's Education department as a Senior Course Developer. He has a wealth of hands-on IT experience gained over the past 20 years in a variety of technologies, with the past 10 years focused on virtualization and storage. Before re-joining VMware, Tom was a Senior Validation Engineer with The Taneja Group, where he headed their Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He's on Twitter @vDoppler.