Horizon Security Server additional considerations

The following are additional considerations that should be kept in mind when deploying a Horizon Security Server:

  • If you require Windows IPsec encryption to be applied to the network traffic between the Horizon Security Server and the Horizon Connection Server, the Windows firewall service must be enabled for both hosts in order for Horizon to create the required Windows IPsec policies. The firewall service is enabled by default; if it was disabled, visit the Microsoft TechNet article Windows Firewall with Advanced Security Overview (https://technet.microsoft.com/en-us/library/hh831365.aspx) for information about how to manage the feature. It is recommended to enable the firewall service prior to the installation of any Horizon software component, as the installer will then automatically configure the appropriate settings.
  • Like Horizon Connection Servers, Horizon Security Servers have no native load-balancing functionality. It is recommended that you implement some sort of load-balancing functionality to help balance the client connections across all the Horizon Security Servers in your infrastructure. Refer to the Load-Balancing Connection Servers section in Chapter 2, Implementing Horizon Connection Server, for information about load-balancing options.
  • When installed, the Horizon Security Server is configured with a self-signed SSL certificate that will not be trusted by Horizon clients. It is recommended that you replace the self-signed certificate with one issued from an internal or commercial certificate authority that the Horizon clients will trust. Chapter 16, Managing Horizon SSL Certificates will provide the process used to replace the default SSL certificates for all Horizon components.
  • Options such as tunneling connections and two-factor authentication are set on a per-Connection Server basis. If either of these options is going to be used, and you do not want to subject internal Horizon clients to the additional security measures, you are required to deploy additional Connection Servers with these settings enabled to be used solely with the Horizon Security Servers.