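# Horizon View Services
#
# Leaf service definitions (protocol + destination ports) consumed by the DFW
# service groups declared later in this file.  `source: any` on every entry is
# deliberate: a service only describes the port set; the permitted sources are
# fixed by the security groups that each firewall rule names.
#
# Every `dest_ports` value is quoted so it always parses as a string.  Left
# unquoted, a single port such as 53 or 445 comes back as an int while
# "80,443" comes back as a string, so a consumer that splits on commas works
# for some entries and fails for others.
HorizonViewServices:
  - name: HorizonView-Agent_TCP
    protocol: TCP
    # 3389 (RDP) and 32111 (USB redirection) are part of this set and are
    # therefore reachable from every source the "Desktop Client FW Rule" lists.
    dest_ports: "4172,3389,9427,32111,22443,4001,4002"
    source: any
    description: PCoIP,RDP,CDR/MMR,USB redirection,Blast Extreme,JMS
  - name: HorizonView-Agent_UDP
    protocol: UDP
    dest_ports: "22443,4172,443,8443"
    source: any
    description: Blast Extreme PcoIP
  - name: HorizonView-ComposerService
    protocol: TCP
    # 80 is plain HTTP; 18443 is the Composer SOAP endpoint.
    dest_ports: "80,443,18443"
    source: any
    description: Secure connection between composer service and connection servers
  - name: HorizonView-CS_inbound_client
    protocol: TCP
    dest_ports: "80,443,8443,4001,4002,4172,55000"
    source: any
    description: Client/Desktop connections to internal connection server
  - name: HorizonView-CS_inbound_client_tunneled
    protocol: UDP
    dest_ports: "4172,443,8443"
    source: any
    description: If PCoIP secure gateway and Blast are used
  - name: HorizonView_interCS
    protocol: TCP
    # 389/22389/22636 are the Connection Server's embedded LDAP instances
    # (ADAM), not the domain controllers.
    dest_ports: "48080,4100,4101,8472,22389,22636,389"
    source: any
    description: CS to CS traffic and others like CPA
  - name: HorizonView_SS_to_CS_tcp
    protocol: TCP
    dest_ports: "4001,4002,8009"
    source: any
    description: Security Server to Connection Server traffic
  - name: HorizonView_SS_to_CS_udp
    protocol: UDP
    # 500/4500 are IKE / NAT-T for the IPsec tunnel between SS and CS.
    dest_ports: "500,4500"
    source: any
    description: Security Server to Connection Server traffic
  - name: HorizonView_SS_tcp
    protocol: TCP
    dest_ports: "80,18443,4172,8443,443"
    source: any
    description: Security Server traffic
  - name: HorizonView_SS_udp
    protocol: UDP
    dest_ports: "55000,4172,443,8443"
    source: any
    description: Security Server traffic
  - name: HorizonView-ES
    protocol: TCP
    dest_ports: "32111"
    source: any
    description: Enrollment Server
  - name: HorizonView-AVMGR
    protocol: TCP
    dest_ports: "8443,80,443"
    source: any
    description: App Volumes Manager
  - name: HorizonView-IDM
    protocol: TCP
    dest_ports: "443,8443"
    source: any
    description: Identity Manager
  - name: HorizonView-V4H
    protocol: TCP
    # Includes 22 (SSH); every source named by "V4H FW Rule" gets it.
    dest_ports: "443,22,3091-3099,3100,3101"
    source: any
    description: vRealize Operations for Horizon
  - name: HorizonView-UAG-TCP inbound
    protocol: TCP
    dest_ports: "443,8443,4172"
    source: any
    description: UAG Traffic inbound from client TCP
  - name: HorizonView-UAG-UDP inbound
    protocol: UDP
    dest_ports: "443,8443,4172"
    source: any
    # Fixed: the description previously said "TCP" for this UDP service.
    description: UAG Traffic inbound from client UDP
  - name: vSphere-vCenter-TCP
    protocol: TCP
    dest_ports: "443,902"
    source: any
    description: vSphere - vCenter TCP communication
  - name: vSphere-vCenter-UDP
    protocol: UDP
    dest_ports: "902"
    source: any
    description: vSphere - vCenter UDP communication
  - name: File Repositories Share
    protocol: TCP
    dest_ports: "445"
    source: any
    description: File Repositories Shares
  - name: Active Directory LDAP
    protocol: TCP
    dest_ports: "389,636"
    source: any
    description: Active Directory LDAP or LDAPS
  - name: Active Directory LDAP UDP
    protocol: UDP
    # Only 389/UDP (CLDAP, used for DC discovery/ping) exists over UDP.  LDAPS
    # (636) is TLS over TCP and has no UDP counterpart, so the former
    # "389,636" entry was opening a port that no service listens on.
    dest_ports: "389"
    source: any
    description: Active Directory LDAP UDP
  - name: Database MSSQL
    protocol: TCP
    dest_ports: "1433"
    source: any
    description: MSSQL Database communication
  - name: DNS Lookups-UDP
    protocol: UDP
    dest_ports: "53"
    source: any
    description: DNS Lookups UDP
  - name: DNS Updates Lookups-TCP
    protocol: TCP
    dest_ports: "53"
    source: any
    description: DNS Updates Lookups
  - name: Time Services NTP
    protocol: UDP
    dest_ports: "123"
    source: any
    description: Time Services NTP
  - name: Admin Services HTTPS
    protocol: TCP
    dest_ports: "443"
    source: any
    description: Admin Services HTTPS
  - name: Admin Services SSH
    protocol: TCP
    dest_ports: "22"
    source: any
    description: Admin Services SSH
  - name: Admin Services VAMI
    protocol: TCP
    dest_ports: "5480"
    source: any
    description: Admin Services VAMI
  - name: Admin Service RDP
    protocol: TCP
    dest_ports: "3389"
    source: any
    description: Admin Service RDP
  - name: Admin Services 84439443
    protocol: TCP
    dest_ports: "8443,9443"
    source: any
    description: Admin Services 84439443
  - name: HorizonView-AVAgent
    protocol: TCP
    dest_ports: "443,5895"
    source: any
    description: Horizon View Desktop App Volumes Agent to Manager communication
  - name: Active Directory GC
    protocol: TCP
    dest_ports: "3268"
    source: any
    description: Active Directory GC communication
  - name: Active Directory User Comp Authentication Forest TCP
    protocol: TCP
    dest_ports: "88"
    source: any
    description: Active Directory User Computer Authentication Forest trust
  - name: Active Directory User Comp Authentication Forest UDP
    protocol: UDP
    dest_ports: "88"
    source: any
    description: Active Directory User Computer Authentication Forest trust
  - name: Active Directory Group Policy TCP
    protocol: TCP
    # NOTE(review): 135 is only the RPC endpoint mapper; Group Policy /
    # DCOM also needs the dynamic RPC range, which is not declared here.
    # Confirm against the consumer before relying on this for GPO processing.
    dest_ports: "445,135"
    source: any
    description: Active Directory Group Policy
  - name: Active Directory Group Policy UDP
    protocol: UDP
    # NOTE(review): SMB over 445 is TCP; 445/UDP is kept only because it was
    # present before -- verify it is actually needed.
    dest_ports: "445"
    source: any
    description: Active Directory Group Policy
  - name: Syslog
    protocol: UDP
    # Plain UDP syslog: no transport encryption or delivery guarantee.
    dest_ports: "514"
    source: any
    description: Syslog used throughout the infrastructure
  - name: System Center Service
    protocol: TCP
    dest_ports: "80,5723"
    source: any
    description: SCOM (5723) and SCCM (80)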
# DFW Service Groups
#
# Named bundles of the HorizonViewServices entries above.  Firewall rules
# reference these by `name` through their `serviceGroup` key.  Each `children`
# entry must match a HorizonViewServices `name` exactly (the lookup is by
# string, so spelling and case matter).
DFWServiceGroups:
  - name: Horizon View Composer Services
    children:
      - HorizonView-ComposerService
  - name: Horizon View Connection Services
    children:
      - HorizonView-CS_inbound_client_tunneled
      - HorizonView-CS_inbound_client
      - HorizonView_interCS
      - HorizonView_SS_to_CS_tcp
      - HorizonView_SS_to_CS_udp
  # Same label as the "Horizon View Desktops" security group; they live in
  # different namespaces, so read the key (`serviceGroup` vs
  # `source`/`destination`) to know which one a rule means.
  - name: Horizon View Desktops
    children:
      - HorizonView-Agent_TCP
      - HorizonView-Agent_UDP
  - name: Horizon View Security Services
    children:
      - HorizonView_SS_tcp
      - HorizonView_SS_udp
  - name: Horizon View Enrollment Services
    children:
      - HorizonView-ES
  - name: HorizonView UAG Services
    children:
      - HorizonView-UAG-TCP inbound
      - HorizonView-UAG-UDP inbound
  - name: vSphere-vCenter Services
    children:
      - vSphere-vCenter-TCP
      - vSphere-vCenter-UDP
  - name: DNS Services
    children:
      - DNS Updates Lookups-TCP
      - DNS Lookups-UDP
  - name: Active Directory
    children:
      - Active Directory LDAP
      - Active Directory LDAP UDP
      - Active Directory GC
      - Active Directory User Comp Authentication Forest TCP
      - Active Directory User Comp Authentication Forest UDP
      - Active Directory Group Policy TCP
      - Active Directory Group Policy UDP
  - name: MSSQL Database
    children:
      - Database MSSQL
  # NOTE(review): DHCP-Client / DHCP-Server are not declared in
  # HorizonViewServices; presumably they resolve to pre-defined NSX services.
  # Confirm the consumer resolves them, otherwise the DHCP rules are empty.
  - name: DHCP Service
    children:
      - DHCP-Client
      - DHCP-Server
  - name: Time Services
    children:
      - Time Services NTP
  - name: Syslog Services
    children:
      - Syslog
  - name: Admin Services
    children:
      - Admin Services HTTPS
      - Admin Services SSH
      - Admin Services VAMI
      - Admin Services 84439443
      - Admin Service RDP
  - name: V4H Services
    children:
      - HorizonView-V4H
  - name: File Services UEM
    children:
      - File Repositories Share
  - name: App Volumes Agent Services
    children:
      - HorizonView-AVAgent
  - name: vIDM CS Services
    children:
      - Active Directory LDAP
  - name: vIDM Inbound Services
    children:
      - HorizonView-IDM
  # Bundles 443 and 1433 together; a rule that only needs one of them (for
  # example console -> SQL) inherits both.
  - name: AirWatch Services
    children:
      - Admin Services HTTPS
      - Database MSSQL
  - name: Windows System Management Services
    children:
      - System Center Service
# Security Groups
#
# The endpoint collections that firewall rules name in `source` and
# `destination`.  Rules reference them as exact strings, so any rule token
# that is not spelled like one of these entries will not resolve.
SecurityGroups:
  # Horizon core
  - Horizon View Desktops
  - Horizon View Connection Server
  - Horizon View Security Server
  - Horizon View Composer Server
  - Horizon Enrollment Server
  # Client populations (internal and external)
  - Horizon Clients Zones
  - Horizon External Clients Zones
  # Edge / access layer
  - Load Balancers Connection Servers
  - Unified Access Gateways Server
  - VMware Identity Manager Proxy
  - VMware Identity Manager
  # Horizon add-on management components
  - App Volumes Manager
  - vROPS for Horizon
  - Airwatch Console Server
  - Airwatch Device Server
  # Platform and shared infrastructure
  - vSphere vCenter - Hosts
  - Domain Controllers
  - DHCP Servers
  - UEM File Repositories
  - MSSQL Servers
  - Domain Name Servers
  - NTP Servers
  - Syslog Servers
  - Admin Stations
  - Windows System Management Servers
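# Firewall Rules
#
# `source` / `destination` hold one or more SecurityGroups names separated by
# commas with no surrounding whitespace (the form the rest of this file uses;
# a consumer that does not trim would otherwise look up " Horizon View
# Security Server" and miss).  `serviceGroup` holds a DFWServiceGroups name;
# a rule without it matches every service.  Every name below is spelled
# exactly as declared in those two lists -- several references in the
# previous revision pointed at names that do not exist there and are fixed
# and annotated in place.
FirewallRules:
  # Desktop-to-desktop traffic is denied for all services (lateral movement).
  # NOTE(review): Reject answers with RST/ICMP unreachable, which confirms to a
  # compromised desktop that a policy exists; Drop is the usual choice here.
  # Kept as Reject to preserve current behaviour.
  - name: Inter Desktop FW Rule
    source: Horizon View Desktops
    destination: Horizon View Desktops
    action: Reject
  - name: Inter Connection Server FW Rule
    source: Horizon View Connection Server
    destination: Horizon View Connection Server
    action: Allow
    serviceGroup: Horizon View Connection Services
  # Fixed: "Unified Access Gateways Servers" is not a security group; the
  # declared name is singular.  Also removed the stray space after the first
  # comma so every token matches the declared names verbatim.
  - name: Desktop Client FW Rule
    source: "Horizon Clients Zones,Horizon View Security Server,Horizon View Connection Server,Horizon View Composer Server,App Volumes Manager,Unified Access Gateways Server"
    destination: Horizon View Desktops
    action: Allow
    serviceGroup: Horizon View Desktops
  - name: Connection Server FW Rule
    source: "Horizon Clients Zones,Load Balancers Connection Servers,VMware Identity Manager,Horizon View Desktops"
    destination: Horizon View Connection Server
    action: Allow
    serviceGroup: Horizon View Connection Services
  # Fixed: "Horizon View Security Server" is a security group, not a service
  # group; the service group for SS traffic is "Horizon View Security
  # Services".
  - name: Security Server FW Rule
    source: Horizon External Clients Zones
    destination: Horizon View Security Server
    action: Allow
    serviceGroup: Horizon View Security Services
  # Fixed: same mistake -- "Horizon View Composer Server" is a security group;
  # the service group is "Horizon View Composer Services".
  - name: Composer Server FW Rule
    source: Horizon View Connection Server
    destination: Horizon View Composer Server
    action: Allow
    serviceGroup: Horizon View Composer Services
  - name: UAG FW Rule
    source: Horizon External Clients Zones
    destination: Unified Access Gateways Server
    action: Allow
    serviceGroup: HorizonView UAG Services
  - name: vSphere-vCenter FW Rule
    source: "App Volumes Manager,Horizon View Composer Server,Horizon View Connection Server"
    destination: vSphere vCenter - Hosts
    action: Allow
    serviceGroup: vSphere-vCenter Services
  - name: Domain Controllers LDAP FW Rule
    source: "App Volumes Manager,VMware Identity Manager,vSphere vCenter - Hosts,vROPS for Horizon,Horizon View Connection Server,Horizon View Composer Server,Horizon View Desktops"
    destination: Domain Controllers
    action: Allow
    serviceGroup: Active Directory
  - name: SQL Server Management FW Rule
    source: "App Volumes Manager,VMware Identity Manager,Horizon View Connection Server,Horizon View Composer Server,vROPS for Horizon"
    destination: MSSQL Servers
    action: Allow
    serviceGroup: MSSQL Database
  - name: Desktop DHCP Server IN FW Rule
    source: "Horizon View Desktops"
    destination: "DHCP Servers"
    action: Allow
    serviceGroup: DHCP Service
  - name: DHCP Server Desktop FW Rule
    source: "DHCP Servers"
    destination: "Horizon View Desktops"
    action: Allow
    serviceGroup: DHCP Service
  - name: DNS FW Rule
    source: "Horizon View Desktops,Horizon View Connection Server,Horizon View Security Server,Horizon View Composer Server,Horizon Enrollment Server,Unified Access Gateways Server,App Volumes Manager,VMware Identity Manager,vROPS for Horizon,Airwatch Console Server,Airwatch Device Server,vSphere vCenter - Hosts"
    destination: "Domain Name Servers"
    action: Allow
    serviceGroup: DNS Services
  - name: NTP FW Rule
    source: "Horizon View Desktops,Horizon View Connection Server,Horizon View Security Server,Horizon View Composer Server,Horizon Enrollment Server,Unified Access Gateways Server,App Volumes Manager,VMware Identity Manager,vROPS for Horizon,Airwatch Console Server,Airwatch Device Server,vSphere vCenter - Hosts"
    destination: "NTP Servers"
    action: Allow
    serviceGroup: Time Services
  # Fixed: this rule pointed at "Time Services" (NTP/123 only), so no host
  # could actually reach the syslog collectors and the "Syslog Services"
  # group was never used.  Losing logs from the whole estate is a detection
  # gap, not just a config nit.
  - name: Syslog FW Rule
    source: "Horizon View Desktops,Horizon View Connection Server,Horizon View Security Server,Horizon View Composer Server,Horizon Enrollment Server,Unified Access Gateways Server,App Volumes Manager,VMware Identity Manager,vROPS for Horizon,Airwatch Console Server,Airwatch Device Server,vSphere vCenter - Hosts"
    destination: "Syslog Servers"
    action: Allow
    serviceGroup: Syslog Services
  # Admin Stations get HTTPS, SSH, VAMI, 8443/9443 and RDP to every managed
  # component, including the desktops themselves.
  - name: Administrative Console Access FW Rule
    source: Admin Stations
    destination: "Horizon View Desktops,Horizon View Connection Server,Horizon View Security Server,Horizon View Composer Server,Horizon Enrollment Server,Unified Access Gateways Server,App Volumes Manager,VMware Identity Manager,vROPS for Horizon,Airwatch Console Server,Airwatch Device Server,vSphere vCenter - Hosts"
    action: Allow
    serviceGroup: Admin Services
  # NOTE(review): "Horizon View Desktops" appears on both sides, so this rule
  # would permit desktop-to-desktop 443/22/3091-3101 if it were evaluated
  # before "Inter Desktop FW Rule".  It sits in a later section, which is
  # presumably why the Reject wins -- verify the section order is enforced.
  - name: V4H FW Rule
    source: "Horizon View Desktops,Horizon View Connection Server,Unified Access Gateways Server,App Volumes Manager,vROPS for Horizon,vSphere vCenter - Hosts"
    destination: "Horizon View Desktops,Horizon View Connection Server,vROPS for Horizon"
    action: Allow
    serviceGroup: V4H Services
  - name: UEM File FW Rule
    source: "Horizon View Desktops"
    destination: "UEM File Repositories"
    action: Allow
    serviceGroup: File Services UEM
  - name: App Volumes Agent FW Rule
    source: "Horizon View Desktops"
    destination: "App Volumes Manager"
    action: Allow
    serviceGroup: App Volumes Agent Services
  - name: Connection Server App Volumes FW Rule
    source: "Horizon View Connection Server"
    destination: "App Volumes Manager"
    action: Allow
    serviceGroup: App Volumes Agent Services
  - name: vIDM CS FW Rule
    source: "VMware Identity Manager"
    destination: "Horizon View Connection Server"
    action: Allow
    serviceGroup: vIDM CS Services
  - name: vIDM Inbound FW Rule
    source: "Horizon Clients Zones,Horizon External Clients Zones,Horizon View Connection Server"
    destination: VMware Identity Manager
    action: Allow
    serviceGroup: vIDM Inbound Services
  # Fixed: removed the space after the comma so both tokens match the
  # declared security group names.
  - name: vIDM Proxy FW Rule
    source: "VMware Identity Manager Proxy,VMware Identity Manager"
    destination: "VMware Identity Manager Proxy,VMware Identity Manager"
    action: Allow
    serviceGroup: vIDM Inbound Services
  # Fixed: the security groups are declared as "Airwatch ..." (lower-case w);
  # these two rules used "AirWatch ..." and would not resolve.
  # NOTE(review): "AirWatch Services" also carries 443, which this
  # console -> SQL rule does not need; a dedicated MSSQL-only group would be
  # tighter.
  - name: AirWatch Console MSSQL FW Rule
    source: "Airwatch Console Server"
    destination: "MSSQL Servers"
    action: Allow
    serviceGroup: AirWatch Services
  - name: AirWatch Inter FW Rule
    source: "Airwatch Device Server"
    destination: "Airwatch Console Server"
    action: Allow
    serviceGroup: AirWatch Services
  - name: Windows System Management FW Rule
    source: "Horizon View Connection Server,Horizon View Security Server,Horizon View Composer Server,Horizon Enrollment Server,App Volumes Manager,Airwatch Console Server,Airwatch Device Server"
    destination: "Windows System Management Servers"
    action: Allow
    serviceGroup: Windows System Management Services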
# DFW Firewall Sections
#
# Groups the FirewallRules above into ordered sections.  Every entry under
# `firewallRules` is a FirewallRules `name`; all 26 rules declared above
# appear exactly once below.  The order of sections (and of rules within a
# section) is presumably the evaluation order in the DFW -- the desktop
# section, which holds the only deny rule, comes first.
# NOTE(review): no explicit catch-all deny is declared in this file; it is
# assumed to come from the platform's default rule.
FirewallSections:
  - name: Horizon Desktop Block Section
    firewallRules:
      - Desktop Client FW Rule
      - App Volumes Agent FW Rule
      - UEM File FW Rule
      # The only Reject in the policy; the allow rules listed before it in
      # this section never have desktops on both sides, so order within the
      # section does not matter for it.
      - Inter Desktop FW Rule
      - DHCP Server Desktop FW Rule
  - name: Horizon View Management Block Section
    firewallRules:
      - Connection Server FW Rule
      - Composer Server FW Rule
      - Inter Connection Server FW Rule
      - vSphere-vCenter FW Rule
      - Connection Server App Volumes FW Rule
  # Internet-facing entry points: UAG, Security Server and the vIDM proxy.
  - name: Horizon View External Connections Section
    firewallRules:
      - UAG FW Rule
      - Security Server FW Rule
      - vIDM Proxy FW Rule
  - name: Horizon Operation Management Section
    firewallRules:
      - V4H FW Rule
  - name: Horizon Identity Manager Section
    firewallRules:
      - vIDM CS FW Rule
      - vIDM Inbound FW Rule
  - name: Infrastructure Services Section
    firewallRules:
      - Domain Controllers LDAP FW Rule
      - SQL Server Management FW Rule
      - Desktop DHCP Server IN FW Rule
      - DNS FW Rule
      - NTP FW Rule
      - Syslog FW Rule
      - Administrative Console Access FW Rule
      - Windows System Management FW Rule
  - name: AirWatch Section
    firewallRules:
      - AirWatch Console MSSQL FW Rule
      - AirWatch Inter FW Rule