
Horizon Security Server additional considerations

The following are additional considerations that should be kept in mind when deploying a Horizon Security Server:

  • If you require Windows IPsec encryption to be applied to the network traffic between the Horizon Security Server and the Horizon Connection Server, the Windows firewall service must be enabled on both hosts so that Horizon can create the required Windows IPsec policies. The firewall service is enabled by default; if it has been disabled, refer to the Microsoft TechNet article Windows Firewall with Advanced Security Overview (https://technet.microsoft.com/en-us/library/hh831365.aspx) for information about how to manage the feature. It is recommended to enable the firewall service prior to the installation of any Horizon software component, as the installer will then automatically configure the appropriate settings.
  • Like Horizon Connection Servers, Horizon Security Servers have no native load-balancing functionality. It is recommended that you implement load balancing to distribute client connections across all the Horizon Security Servers in your infrastructure. Refer to the Load-Balancing Connection Servers section in Chapter 2, Implementing Horizon Connection Server, for information about load-balancing options.
  • When installed, the Horizon Security Server is configured with a self-signed SSL certificate that will not be trusted by Horizon clients. It is recommended that you replace the self-signed certificate with one issued by an internal or commercial certificate authority that the Horizon clients will trust. Chapter 14, Managing Horizon SSL Certificates, provides the process used to replace the default SSL certificates for all Horizon components.
  • Options such as tunneling connections and two-factor authentication are set on a per-Connection Server basis. If either of these options is going to be used, and you do not want to subject internal Horizon clients to the additional security measures, you are required to deploy additional Connection Servers with these settings enabled to be used solely with the Horizon Security Servers.
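
The firewall prerequisite in the first consideration above can be checked on both hosts before running the Horizon installer. The following PowerShell script is an added example, not part of the original text or of any VMware tooling; the host names are placeholders, and it assumes PowerShell remoting is enabled on both servers.

```powershell
# Added example: pre-install check of the Windows Firewall service on the
# Security Server and its paired Connection Server.
# Host names below are placeholders (assumptions); replace with your own.
$HorizonHosts = @('horizon-ss01.example.local', 'horizon-cs01.example.local')

$results = foreach ($h in $HorizonHosts) {
    try {
        Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            # MpsSvc is the service name of the Windows Firewall service.
            $svc = Get-Service -Name 'MpsSvc'
            # Profile state is reported for information only; the requirement
            # described in the text concerns the service itself.
            $off = Get-NetFirewallProfile |
                Where-Object { $_.Enabled -eq 'False' } |
                ForEach-Object { $_.Name }
            [pscustomobject]@{
                ServiceStatus = $svc.Status.ToString()
                StartType     = $svc.StartType.ToString()
                ProfilesOff   = @($off) -join ','
            }
        } | Select-Object @{ n = 'Host'; e = { $h } }, ServiceStatus, StartType, ProfilesOff
    }
    catch {
        # Host unreachable or remoting refused: record it rather than abort.
        [pscustomobject]@{
            Host          = $h
            ServiceStatus = 'Unreachable'
            StartType     = 'Unknown'
            ProfilesOff   = ''
        }
    }
}

$results | Format-Table -AutoSize

# A host fails the check if the service is not running or is set to Disabled,
# since a disabled service will not survive the next reboot.
$failed = @($results | Where-Object {
    $_.ServiceStatus -ne 'Running' -or $_.StartType -eq 'Disabled'
})
if ($failed.Count -gt 0) {
    Write-Warning ("Fix the firewall service before installing Horizon on: " +
        ($failed.Host -join ', '))
}
else {
    Write-Output 'Windows Firewall service is running on all listed hosts.'
}
```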

High availability overview

When deploying Horizon Security Servers, it is important to understand how they affect our high availability requirements. This section provides an overview of what a highly available Horizon infrastructure that must service both internal and external clients might look like.

The following diagram illustrates a Horizon infrastructure that meets the following four requirements:

  • Internal Horizon clients use load-balanced connections to Connection Servers
  • Remote Horizon clients use load-balanced connections to Security Servers
  • Security Servers installed in a DMZ
  • Two-factor authentication or connection tunneling policies that apply only to remote Horizon clients

The diagram does not show the connections to the Horizon desktops or applications; it is only meant to illustrate the placement of load-balancing appliances, and show how true high-availability might be achieved in an environment that includes multiple Horizon Security Servers. In addition, it shows that additional Connection Servers are being used for internal clients, as these connections do not require the same security settings as the remote clients do.

This Horizon architecture ensures that Horizon clients will be able to connect or reconnect if either of these two scenarios were to occur:

  • Failure of any one of the four Connection Servers shown in the diagram
  • Failure of any one of the Security Servers

As a single Horizon Security Server cannot be paired with more than one Connection Server, there is no need to place a load-balancer between the Security Servers and the Connection Servers. Load-balancing the Security Servers ensures that the Horizon client connection will be maintained regardless of which server fails, be it a Security Server or the Connection Server that it is paired to.
