ACE Management Server Administrator's Manual
The store or collection of certificates that is downloaded when an ACE-enabled virtual
machine connects to a server is included in each ACE package that you create with that
virtual machine. It is saved in the ACE Resources directory. When you deploy and run
an ACE instance of this ACE-enabled virtual machine, the VMware Player application
uses the certificates included in the package to verify connections made to the ACE
Management Server. It verifies that the certificates that are in the ACE package match
those that the server provides. If they do not match exactly, VMware Player displays an
error message and does not run the instance.

VMware Player checks the integrity of the certificate store included in the package
every time it communicates with the server. VMware Player does not trust any
certificates stored on the host machine on which it is running. Instead, it relies on a
complete certification chain that is included in the ACE package. The use of self-signed
certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate
authority (internal or commercial), you can set up that type of key-certificate pair for
the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs
public-key certificates, typically for a fee.
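The exact-match check described above, written out as an added illustration (this is not VMware's code, and the ACE package format is not documented here): the client compares the chain the server presents against the chain bundled in the package, certificate by certificate, and never consults the host trust store. The PEM blocks below are constructed stand-ins, not real X.509 certificates.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Constructed stand-ins for the certificates an ACE package carries in its
# ACE Resources directory. They are NOT real certificates, only base64 bodies
# wrapped in PEM markers, so the comparison logic can run offline.
def _fake_pem(label: str) -> str:
    body = base64.b64encode(f"constructed-cert:{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

PACKAGE_CERT_STORE = _fake_pem("ams-server") + _fake_pem("ams-root")

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

def load_chain(pem_bundle: str) -> list[bytes]:
    """Split a PEM bundle into DER blobs (the packaged certificate store)."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in _PEM_BLOCK.findall(pem_bundle)]

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def chain_matches_package(pinned: list[bytes], presented: list[bytes]) -> bool:
    """True only if the server's chain is exactly the packaged chain.

    Same number of certificates and every certificate identical byte for
    byte; order of presentation is ignored, nothing else is. The host's
    own trust store plays no part in the decision.
    """
    if len(pinned) != len(presented):
        return False
    expected = sorted(fingerprint(c) for c in pinned)
    actual = sorted(fingerprint(c) for c in presented)
    return all(hmac.compare_digest(e, a) for e, a in zip(expected, actual))

def connection_decision(pinned: list[bytes], presented: list[bytes]) -> str:
    """Mirror the Player behaviour: run the instance or refuse with an error."""
    if chain_matches_package(pinned, presented):
        return "run"
    return "error: server certificates do not match the ACE package"

if __name__ == "__main__":
    pinned = load_chain(PACKAGE_CERT_STORE)
    print(connection_decision(pinned, pinned))
    print(connection_decision(pinned, load_chain(_fake_pem("other-server"))))
```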
Accessing ACE Management Server from Outside the Corporate Firewall
All client requests to ACE Management Server are HTTPS traffic on port 443.
This means that any solution using a proxy to secure HTTPS traffic into your corporate
servers can be used to proxy ACE Management Server traffic.
Because of the number of data connections that the ACE Management Server must
make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an
HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the
actual ACE Management Server inside the corporate network.
Figure 2-2. Recommended Deployment for External Access

[Figure: an external client sends HTTPS traffic (443) through the external firewall to the HTTPS proxy server in the DMZ; the proxy relays HTTPS traffic (443) through the internal firewall to the AMS server, whose back-end connections are LDAP (port 389), KRB5 (port 88), DNS, NETBIOS (port 137) and ODBC.]