This is a pretty simple tutorial (or so i thought), but I didn't see anything out on the interwebs, so i figured I would write one down. Gabe has a great walkthrough
The VMware View Security Server should be one of the final pieces you ever install during your VMware View implementation. I have found Paul Slager's blog an invaluable how-to resource on all installation and best practice configurations for View. He has a 10 part series install guide that will walk you through all the steps with screenshots. Nice job Paul.
Paul also has a great tutorial on installing the VMware View Security Server for a production business environment. It talks about making sure the VMs are PCoIP ready, what firewall ports need to be open, etc.
The one thing missing is how can all this be done on a home lab environment? With the help of Dynamic DNS (DDNS) and router port-forwarding, it's actually very simple.
For my home lab purposes, I installed my VMware View Security Server on the internal domain just like any other server. It does not need to sit on a DMZ. Setup the key pairing and let the View Security Server install all the components and open up any firewall ports that are needed. Verify in your connection server that the security server is reachable.
If your home internet service is like mine, then you probably receive a DHCP address from your ISP. Just like any DHCP service, the address is released and renewed at different intervals so your external IP changes without knowing. Dynamic DNS will update your external DNS entry with your given DHCP address from your ISP. I registered a Dynamic DNS name with no-ip.com. This is a free service and can be anything you choose, such as kendricksvmwareview.no-ip.org. Remember, this is going to be the external DNS name that you will use to connect to your security server, so make it easy to remember.
After your name has been registered, go to your Security Server and download the No-Ip DUC client and install it. After installation, insert your username and password and it will present a list of DDNS names you have registered. Highlight the DDNS name you want to use. This client will send No-Ip.com your external IP address so it knows where to direct the traffic. It's best to have this application run on start up and just hang out.
Now that we have our external DNS setup, we need to make sure the connection will work. I have my router flashed with DD-WRT, but any router that supports port-forwarding should follow the same rules. The following ports must be forwarded to your internal View Security Server IP address:
- 80 - TCP
- 443 - TCP
- 4172 - TCP/UDP
***UPDATE***
We're not done yet. Thanks to Ricky El-Qasem, he pointed that this really wouldn't work and point me to Gabes post of Enabling VMware View 4.6 PCoIP with dynamic IP address. This post proved invaluable because matter of fact is that you need to update the External IP Addresses of your connection server to make this work.
Follow along with Gabes script to customize it to make it your own. Here is my script that I ended up using that needs to be ran on your CONNECTION BROKER:
**UPDATED 12/7/2011 For View 5**
After I installed VMware View 5, this script and network connections from my security server were no longer working. I started troubleshooting and I found my issue at the second line. The PowerShell snap-in Add-PSSnapin VMware.View.Broker is longer a recognized command. After diving a little bit, I noticed that View 5 installed a View 5 Powershell Program that point to their PowerShell plug-ins at C:\Program Files\VMware\VMware View\Server\extras\PowerShell\add-snapin.ps1.
When trying to run the add-snapin.ps1 I get the following error:
After a quick shoutout to twitter, @vDelboy set me straight ant told me to "run as Administrator". That did the trick. So here is your new updated script, but check below it before thinking you're done.
Add-PSSnapin VMware.VimAutomation.Core
& 'C:\Program Files\VMware\VMware View\Server\extras\PowerShell\add-snapin.ps1'
# Name of the Security Server
$SecurityServer = "ViewConnetion"
# For logging creating a timestamp
$TimeStamp = Get-Date -format yyyy-MM-dd-H-mm
# Filling $CheckedIP with the external IP address, using whatismyip.com service
$wc = New-Object net.WebClient
$CheckedIP = $wc.downloadstring("http://automation.whatismyip.com/n09230945.asp")
# Now check the current ExternalPCoIPURL entry
$CurrentSettings = Get-ConnectionBroker
$CurrentIP = $CurrentSettings[0].externalPCoIPURL
# Check if $CurrentIP starts with the IP address from $CheckedIP
# Used StartsWith because $CurrentIP has port address at the end
$Result = $CurrentIP.StartsWith($CheckedIP)
# Are IP address the same?
If ($Result)
{
# Yes, both IP addresses are the same, do nothing, only write a log entry
$row = $TimeStamp + "," + $CheckedIP + "," + $CurrentIP + ",nochange"
}
else
{
# External IP is not equal to IP set in externalPCoIPURL
# Changing the externalPCoIPURL
# Not Needed -> Update-ConnectionBroker -broker_id "ViewConnection" -externalPCoIPURL $CheckedIP
Update-ConnectionBroker -broker_id "ViewSecurity" -externalPCoIPURL $CheckedIP
# Check if it was succesful
$NewSettings = Get-ConnectionBroker
$row = $TimeStamp + "," + $CheckedIP + "," + $CurrentIP + "," + $NewSettings.externalPCoIPURL
}
$row | Out-File -FilePath "c:\logging\check-ip.log" -Append
Now that our script requires us to run with administrator rights, how can this be setup as a scheduled task? Pretty simple actually.
Create a new script and give it an easy to recognize name
Set it to run daily and choose an appropriate time
Next we have to let it start the powershell command prompt and we have to add our powershell script from above in the arguments. Mine is located in "c:\scripts\ChangeSecurityServerIP-v01.ps1"
After you click finish, you need to edit the settings/properties and change the script to run even if no one is logged on, and with a service account that has administrator rights. In addition, you must make sure the "Run With Highest Privileges" box is checked because that's what allows the script to be executed as an administrator.
Go ahead and run the script.
This will update the PCoIP external URL on your security server section. Make sure you enter the DDNS name from before in the external URL section.
Verify that your connection server has the "Use PCoIP Secure Gateway for PCoIP Connections to Desktop" box checked as well.
Now we can use our iPad or remote computer to connect to our View Security Server to access our VMs.
