VMware Player checks the integrity of the certificate store included in the package every time it communicates
with the server. VMware Player does not trust any certificates stored on the host machine on which it is
running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of
self‐signed certificates is adequate for most security needs.
If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or
commercial), you can set up that type of key‐certificate pair for the ACE packages to use. A certificate authority,
or CA, is an entity that issues and signs public‐key certificates, typically for a fee.
Accessing ACE Management Server from Outside the Corporate Firewall
All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution
using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management
Server traffic.
Because of the number of data connections that the ACE Management Server must make on the back end
(LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can
relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.
Figure 2-2. Recommended Deployment for External Access
[Figure 2-2 labels: external client, HTTPS traffic (443)]
ACE Management Server can be deployed with the following HTTPS proxy solutions:
Apache Proxy – Using mod_proxy
Zeus Technology Load Balancer – A commercially available load balancer and traffic management solution
Avoid the following problems when you use a proxy for traffic into an ACE Management Server:
SSL Termination – If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load‐balancing products support SSL passthrough, which means that the SSL connection is terminated at ACE Management Server.
Multiple ACE Management Server SSL certificates – If you are deploying multiple ACE Management Server instances behind a load‐balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
DNS resolution – When you create an ACE‐enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.
Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you
can deploy many other configurations to provide external access to an ACE Management Server. When you
design your deployment, think of ACE Management Server as a Web server with secure traffic.
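As an added example that is not part of the VMware guide, the following Apache httpd virtual host shows the SSL-terminating mod_proxy deployment described above, configured to avoid the SSL termination and DNS resolution problems listed. The host names, file paths and internal server name are assumptions, and mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Assumed values: ace.example.com is the host name entered when the
# ACE-enabled virtual machine was created (externally it resolves to this
# proxy); ams.internal.example.com is the ACE Management Server behind the
# internal firewall; the files under /etc/ssl/ace/ are copies of the key and
# certificate pair installed on ACE Management Server.
<VirtualHost *:443>
    # Must be the public host name the ACE package connects to
    ServerName ace.example.com

    SSLEngine on
    # Same key and certificate as ACE Management Server. VMware Player
    # verifies the server against the chain embedded in the ACE package, not
    # the host certificate store, so a proxy-only certificate is rejected.
    SSLCertificateFile      /etc/ssl/ace/ams.crt
    SSLCertificateKeyFile   /etc/ssl/ace/ams.key
    SSLCertificateChainFile /etc/ssl/ace/ams-chain.crt

    # Reverse proxy only: never act as an open forward proxy from the DMZ
    ProxyRequests Off
    # Pass the client's Host header through unchanged
    ProxyPreserveHost On

    # Re-encrypt the DMZ-to-internal leg and verify the internal server's
    # certificate against the same chain, so the relay is not plain HTTP.
    # On httpd 2.4.5 and later, the peer-name check also applies; because
    # the shared certificate names the public host rather than the internal
    # one, either proxy to a name that the certificate covers or set
    # SSLProxyCheckPeerName off on those versions.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/ace/ams-chain.crt

    ProxyPass        / https://ams.internal.example.com/
    ProxyPassReverse / https://ams.internal.example.com/
</VirtualHost>
```

For the multiple-instance case, the same key and certificate files are installed on every ACE Management Server instance behind the load balancer, so the pinned chain in the package matches whichever instance answers.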
[Figure 2-2 labels: HTTPS traffic (443), external firewall, HTTPS proxy server, internal firewall, AMS server, with back-end connections LDAP (port 389), KRB5 (port 88), NETBIOS (port 137), DNS, ODBC]
Chapter 2 Planning an ACE Management Server Deployment
VMware, Inc. 19