VMware Fling – VMware Access Point Deployment Utility
With Horizon 6.2 VMware introduced the VMware Access Point, a virtual appliance designed to allow secure remote access to virtual desktops and applications served by Horizon 6. The VMware Access Point is very similar to the View Security Server, but offers some additional benefits. VMware Access Point is a hardened Linux appliance that can be deployed into the DMZ. The big difference from the View Security Server is that an Access Point does not need to be paired with a View Connection Server, so you avoid having to provision additional Connection Servers just to support additional authentication mechanisms.
VMware Access Point is a Linux-based virtual appliance deployed as an OVA, with a REST-based API for querying and updating the appliance. The OVA can be deployed in two ways: via vCenter or by using the VMware OVF Tool. When using the OVF Tool you can pass all of the API parameters needed to configure the appliance to the OVF Tool as a JSON string. This sounds great, but the process is command-line based and building a correct input string can be very complicated.
And that is only the installation and configuration. If, during the lifecycle of the Access Point appliance, you want to update the certificates, the PEM files must be formatted into a single-line string with appropriate embedded newline characters. This is a painstaking process which voids much of the ease of deploying a simple Access Point appliance.
VMware acknowledged this and created a new Fling, the VMware Access Point Deployment Utility, which acts as a GUI wrapper for the OVF Tool and constructs a proper OVF Tool input string, including all of the JSON to be passed to the Access Point API. It also allows settings to be saved to an XML file and imported later, which reduces how much data needs to be entered manually. The utility takes a standard PEM-formatted certificate chain and private key and converts them to the proper format for JSON. View settings can also be set at deployment time with this utility.
VMware Access Point System Requirements
To use the VMware Access Point Deployment Utility you need the following prerequisites:
- Microsoft .NET Framework 4.5
- VMware OVF Tool 4.1 (download here)
When you first start the application it reads the registry to check whether the VMware OVF Tool is installed and where. If no tool is detected, you will see a message indicating that you need to install the OVF Tool to continue. Once the OVF Tool is installed, you can start entering the information required to deploy the VMware Access Point appliance. Note that some of the settings are case sensitive; these items are called out below.
General Configuration of VMware Access Point
The VMware Access Point Deployment Utility needs the following input:
| Setting | Description | Example |
|---|---|---|
| Virtual Center | The FQDN or IP address of the Virtual Center you want to deploy the appliance into. This setting is case sensitive. | 192.168.1.12 |
| VC Username | A user that has access to deploy a virtual appliance in the Virtual Center you are targeting for deployment. This should be in the format [email protected] | [email protected] |
| VC Password | The password for the user specified in the previous step. | |
| ESX Host | The FQDN or IP of the ESX host where the appliance will be deployed. It must reside in the Virtual Center you specified earlier. This setting is case sensitive. | esxhost.company.com or 192.168.1.11 |
| Datastore | The datastore, as defined in Virtual Center/vSphere, that you want to place the appliance on. | VMFS_1 |
| Folder | The folder you want to place the appliance in. This is optional and can be left blank or set to "/". This setting is case sensitive. | External |
| Appliance Name | The name of the Access Point appliance once it is deployed. | AP_PROD |
| VC Datacenter | The name of the Virtual Center datacenter you want to deploy this appliance to. Remember, you must have IP Pools defined for this datacenter with the network(s) you plan to use. This setting is case sensitive. | Home |
| Cluster Name | The name of the cluster in which the ESX host you are deploying to resides. This field is required if you use clusters in your environment and must be left blank if you do not. This setting is case sensitive. | Prod Cluster |
| #NICs | How many NICs are defined for the virtual appliance. With one NIC, external, management and back-end traffic all flow over the same NIC. With two NICs, external traffic has a dedicated NIC and management and back-end traffic share the second. With three NICs, external, management and back-end traffic each have their own NIC. | onenic |
| Use a Management IP? | This option is automatically selected if using two or three NICs. | |
| Use a Back-End IP? | This option is automatically selected if using two or three NICs. | |
| Configure View Settings During Deployment | Checking this box enables the panel containing View settings, which are passed into the appliance API via JSON and set during deployment. | |
| Configure Certificates During Deployment | Checking this box enables the panel containing certificate settings, which are passed into the appliance API via JSON and set during deployment. | |
| External IP | IP address of the virtual appliance. | 192.168.1.50 |
| External Network | The network label, as defined in Virtual Center/vSphere, for the port group you want to assign to the external interface. If using just one NIC, this network is used by management and back-end traffic as well. | |
| DNS IP | A single DNS server. Note: Access Point currently does not properly accept multiple DNS entries (even when deployed via vCenter). In SUSE, multiple DNS entries should be placed on separate "nameserver" lines, but they are being placed on a single line. This is a known issue and at this time you must use a single DNS IP address. This will be fixed in a future release of Access Point. | 192.168.1.199 |
| Management IP | IP address that will be bound to the management network if using two or three NICs. | 192.168.1.51 |
| Management Network | The network label, as defined in Virtual Center/vSphere, for the port group you want to assign to the management interface. If using two NICs, this network is used by management and back-end traffic. | |
| Back-End IP | The address that will be bound to the back-end network if using three NICs. | 192.168.1.52 |
| Back-End Network | The network label, as defined in Virtual Center/vSphere, for the port group you want to assign to the back-end interface. | |
| Root Password | Password used when connecting via console to the Access Point appliance. This must be a valid Linux password. | VMware1 |
| Admin Password | Password used to connect to the REST API. This password must be 8 characters long and contain at least one each of the following: upper-case letter, lower-case letter, number and special character, e.g. ! @ # $ % * ( ) | VMware1! |
| Path to OVA | The path to the OVA for VMware Access Point. You can type in the path or click the ... button and browse to the file. | |
| Optional Certificate Configuration | The certificates for Access Point are set via the API using JSON. The certificate data must be formatted as a single-line string with embedded newline characters. This can be a bit of a pain to do, so this application formats the certificates for you. You just need a properly formatted PEM private key and certificate chain. Copy them into the appropriate text boxes and choose "Format Private Key" and "Format Certificates"; the certificates are then automatically formatted for deployment via JSON. | |
| Optional View Configuration | The primary use case for the Access Point appliance is access to View desktops and applications. You can set all of the View configuration at deployment by selecting the "Configure View Settings During Deployment" checkbox and entering the proper information. | |
| Destination URL | URL of a View Connection Server, or the address of a load balancer in front of View Connection Servers. This URL must contain the protocol, FQDN or IP, and port. | https://192.168.1.30:443 |
| View Thumbprints | A list of View Connection Server thumbprints. If you do not provide a comma-separated list of thumbprints, the server certificates must be issued by a trusted CA. The format includes the algorithm (sha1 or md5) and the hexadecimal thumbprint digits. To find these values, browse to the View Connection Server, click the lock icon in the address bar, and view the certificate details. Note: the appliance accepts both the space-delimited format from Chrome and the colon-separated format from Firefox. Note: sha1 or md5 MUST be lower case. | |
| Tunnel Enabled Checkbox | Specifies whether the View secure channel is enabled. | |
| Access Point URL | The external URL used by clients to connect to the Access Point appliance to tunnel secure connections. Note: do NOT start this URL with https:// | view.company.com:443 |
| Enable PCOIP Checkbox | Specifies whether the PCoIP Secure Gateway is enabled. | |
| PCOIP URL | The external IP of the Access Point appliance which will be used as the PCoIP Secure Gateway. This should ONLY be an IP address and the port for PCoIP. | 184.108.40.206:4172 |
| Blast Enabled Checkbox | Specifies whether the Blast Secure Gateway is enabled. | |
| Blast URL | An external URL of the Access Point appliance which allows end users to make secure connections through the Blast Secure Gateway. Note: do NOT start this URL with https:// | view.company.com:8443 |
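The certificate formatting, thumbprint handling and input validation described in the table can be reproduced outside the GUI. The script below is an added example, not the Fling's own code and not VMware's API: it normalises PEM material into the single-line JSON string form (CRLF, blank lines and stray spaces removed, BEGIN/END markers checked), accepts both the Chrome and Firefox thumbprint layouts with the algorithm name forced to lower case and the digest length verified, and applies the same kind of checks the utility performs before deployment (single DNS IP, admin password rule, Destination URL with protocol and port, Access Point and Blast URLs without https://). The JSON key names (such as `privateKeyPem`) and the `sha1=<hex bytes>` output layout for thumbprints are assumptions, not the appliance's documented field names; the sample key, chain and settings are constructed.

```python
"""Assemble and validate an Access Point-style settings JSON string.

Added example, not the Deployment Utility's own code. The dict key names
(e.g. "privateKeyPem") and the "sha1=<hex bytes>" thumbprint layout are
placeholders/assumptions, not the appliance's documented API fields.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample PEM material (not a real key or certificate chain);
# CRLF endings and a blank line are included on purpose to show the cleanup.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nMIIEexampleKeyBody\r\n-----END RSA PRIVATE KEY-----\r\n"
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMIIDexampleLeaf\n-----END CERTIFICATE-----\n\n"
    "-----BEGIN CERTIFICATE-----\nMIIDexampleIssuer\n-----END CERTIFICATE-----\n"
)
# Constructed View settings mirroring the examples in the table.
SAMPLE_VIEW = {
    "destination_url": "https://192.168.1.30:443",
    "thumbprints": ["SHA1 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"],
    "tunnel_url": "view.company.com:443",
    "blast_url": "view.company.com:8443",
}


def normalize_pem(pem: str, kind: str) -> str:
    """Strip CR, blank lines and stray spaces, check the BEGIN/END markers and
    join the lines with '\\n'. json.dumps() of the result is exactly the
    one-line string with embedded newline escapes the appliance API expects.
    kind is 'PRIVATE KEY' or 'CERTIFICATE'."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN") or kind not in lines[0]:
        raise ValueError(f"expected a PEM {kind} block")
    if not lines[-1].startswith("-----END"):
        raise ValueError("PEM block is missing its END marker")
    return "\n".join(lines)


THUMB_RE = re.compile(r"^\s*(sha1|md5)\s*[=:\s]\s*([0-9a-f:\s]+)$", re.IGNORECASE)
DIGEST_HEX_LEN = {"sha1": 40, "md5": 32}  # hex digits in a SHA-1 / MD5 digest


def normalize_thumbprint(raw: str) -> str:
    """Accept Chrome's space-delimited or Firefox's colon-separated form, force
    the algorithm name to lower case, verify the digest length and emit
    'sha1=xx xx ...' (the output layout is an assumption)."""
    m = THUMB_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised thumbprint: {raw!r}")
    alg = m.group(1).lower()
    digits = re.sub(r"[\s:]", "", m.group(2)).lower()
    if len(digits) != DIGEST_HEX_LEN[alg]:
        raise ValueError(f"{alg} thumbprint must be {DIGEST_HEX_LEN[alg]} hex digits")
    return alg + "=" + " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))


SPECIALS = set("!@#$%*()")  # the special characters listed in the table


def admin_password_ok(pw: str) -> bool:
    """Rule from the table: 8 characters with at least one upper-case letter,
    one lower-case letter, one digit and one special (8 treated as a minimum)."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def single_dns_ip(value: str) -> str:
    """The appliance accepts only one DNS server; reject a list before deploying
    rather than discovering a broken resolver configuration afterwards."""
    value = value.strip()
    if "," in value or " " in value:
        raise ValueError("Access Point accepts a single DNS server address")
    return str(ipaddress.ip_address(value))  # raises ValueError if not an IP


def destination_url(value: str) -> str:
    """The View destination must carry protocol, host and port."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.port is None:
        raise ValueError("Destination URL needs protocol, host and port, e.g. https://host:443")
    return value


def external_url(value: str) -> str:
    """Access Point and Blast URLs are host:port only, never prefixed with https://."""
    if value.lower().startswith(("http://", "https://")):
        raise ValueError("Access Point and Blast URLs must not start with https://")
    return value


def build_settings(view: dict, dns_ip: str, admin_password: str,
                   key_pem: str, chain_pem: str) -> str:
    """Validate every input and return the settings as a single-line JSON string."""
    if not admin_password_ok(admin_password):
        raise ValueError("admin password does not meet the complexity rule")
    settings = {  # key names are placeholders, not the real API fields
        "dnsServer": single_dns_ip(dns_ip),
        "adminPassword": admin_password,
        "privateKeyPem": normalize_pem(key_pem, "PRIVATE KEY"),
        "certChainPem": normalize_pem(chain_pem, "CERTIFICATE"),
        "viewDestinationUrl": destination_url(view["destination_url"]),
        "viewThumbprints": ",".join(normalize_thumbprint(t) for t in view["thumbprints"]),
        "tunnelExternalUrl": external_url(view["tunnel_url"]),
        "blastExternalUrl": external_url(view["blast_url"]),
    }
    return json.dumps(settings, separators=(",", ":"))  # one line, newlines escaped


if __name__ == "__main__":
    print(build_settings(SAMPLE_VIEW, "192.168.1.199", "VMware1!", SAMPLE_KEY, SAMPLE_CHAIN))
```

Letting `json.dumps()` do the escaping is the point: the PEM text keeps real newlines inside Python, and the serialiser emits the `\n` sequences, so there is no chance of double-escaping a backslash or leaving a raw CR in the string, which is exactly the kind of mistake the utility's "Format Private Key" and "Format Certificates" buttons exist to prevent.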
How to Back Up These Settings
Now that all of the settings needed to deploy an Access Point appliance are in place, this is a good time to export the settings you have entered. Click the "Export Current Settings" button at the bottom left of the form and select a location to save the settings to. This creates an XML document with the values you entered (with the exception of passwords) so they can easily be imported later when deploying additional appliances.
Prior to deploying the appliance, or for troubleshooting, the generated input string can be shown and copied out at any time by clicking the "Show OVF Tool String" button at the bottom right of the form.
Click the "Deploy Access Point Appliance" button when you are ready to deploy. A lot of validation happens before the appliance is actually deployed: if any fields are missing or not correctly formatted, you will receive a message indicating which fields are missing or formatted incorrectly. You can monitor the deployment from the dialog box, which shows the live OVF Tool log.