VMworld2015: Access point in-depth

In a previous blog I wrote about VMware Access Point, which was announced at VMworld 2015 in San Francisco. Access Point wasn't all that new; we knew VMware had been working on it for a year or so.
In my previous blog I talked about the basic workings and what it does.
In this blog I will go more in-depth into how the product works and why it's an awesome new product.

What do you know at this point?

  • VMware Access Point will eventually replace the VMware Security Server, which has been around since 2007 I think.
  • To start with, VMware Access Point has the same feature set as the Security Server.
  • From a user's point of view nothing will change.
  • It's a SLES 11 appliance running in the DMZ.
If you have worked with the Security Server, I think these four bullets tell you what the Access Point is. So now we can go in-depth.

Issues with security servers

The VMware Security Server, released in 2007, had some issues. The issues that customers report to us are:
  • It's a Windows server in the DMZ that has a larger attack surface than needed.
  • I need to open too many firewall ports to the LAN to authenticate.
  • I need to set up extra connection servers that are connected to my security server; scalability is pretty lame.
All these points are valid, and let me tell you how VMware is addressing them.

Access point in-depth

The Access Point is a SLES 11 appliance running in the DMZ; you can install the Access Point with a script within a minute (I've been told).

No connection with connection server

The Access Point is a self-sustaining product that has no relation to the connection server at all. There is no pairing between the Access Point and the connection servers; the Access Point(s) will connect to any connection server through load balancing.
The connection servers don't know the Access Points exist; to the connection server the incoming requests look like ordinary client connections, up to 2000 of them per Access Point.

Scalability

So the scalability of your connection servers is much better, as all your connection servers are used for both internal and external access.
If, however, you use 2FA such as RADIUS, you will need to set up an external-facing connection server. In an upcoming release the 2FA will move to the DMZ, relieving the connection servers of this burden.

Upscale

If you want to scale up your Access Points, adding one or two more to handle more load from users connecting externally, you simply deploy new Access Points.
Scaling up is not hard, because the Access Point is an appliance and deployment can be done through a script. Through orchestration and automation you could deploy Access Points automatically when needed, scaling up and scaling down.

Communication

Far fewer communication ports need to be opened between the Access Point and the connection servers to authenticate the user; only two ports are used for authentication.
This is a huge improvement over the old Security Server, where too many ports were open.

Upgrading

Upgrading the Access Points is going to be a scripting task again. Every 6 months VMware brings out a new Access Point version. You don't upgrade an Access Point; you create new ones and delete the old ones.
I hear you think: but what about my configuration?
Setting up an Access Point needs only a small number of configuration settings, the external URL etc., but nothing more. All these settings, including the certificates, can be added to the script line and executed from there. The Access Point is self-learning and doesn't need any management. You leave it running until VMware brings out a new version.
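As an added example (not code from this post or from VMware), here is a small planner for the scale-up and replace-rather-than-upgrade workflow described in the Upscale and Upgrading sections: deploy new appliances first, then retire old-version or surplus ones, so that capacity never drops below the external load. The 2000 client connections per Access Point figure comes from the post; the appliance names, versions, session counts and the 25% headroom are constructed assumptions.

```python
from dataclasses import dataclass
from math import ceil

# Figure from the post: the connection servers see up to 2000 client
# connections per Access Point. Everything else in this file is constructed.
SESSIONS_PER_ACCESS_POINT = 2000


@dataclass
class AccessPoint:
    name: str
    version: str
    sessions: int  # currently active external sessions (constructed sample data)


def required_count(external_sessions: int, headroom: float = 0.25) -> int:
    """Appliances needed for the expected external load plus headroom."""
    return max(1, ceil(external_sessions * (1 + headroom) / SESSIONS_PER_ACCESS_POINT))


def plan_fleet(fleet, target_version, external_sessions, headroom=0.25):
    """Immutable upgrade/scale plan: deploy new appliances first, then retire
    stale or surplus ones. Because there is no pairing with the connection
    servers, appliances can be added and removed freely behind the load balancer."""
    need = required_count(external_sessions, headroom)
    current = [ap for ap in fleet if ap.version == target_version]
    stale = [ap for ap in fleet if ap.version != target_version]
    steps = []
    for i in range(max(0, need - len(current))):
        steps.append(("deploy", f"ap-{target_version}-{i + 1:02d}"))
    # Retire old-version appliances, least loaded first so drains are short.
    for ap in sorted(stale, key=lambda a: a.sessions):
        steps.append(("retire", ap.name))
    # Scale down: drop surplus appliances already on the target version.
    for ap in sorted(current, key=lambda a: a.sessions)[: max(0, len(current) - need)]:
        steps.append(("retire", ap.name))
    return steps


def capacity_never_below(fleet, steps, external_sessions) -> bool:
    """Replay the plan and check total capacity never drops under the load."""
    live = len(fleet)
    for action, _ in steps:
        live += 1 if action == "deploy" else -1
        if live * SESSIONS_PER_ACCESS_POINT < external_sessions:
            return False
    return True


if __name__ == "__main__":
    fleet = [AccessPoint("ap-2.0-01", "2.0", 1400), AccessPoint("ap-2.0-02", "2.0", 900)]
    plan = plan_fleet(fleet, "2.5", external_sessions=3000)
    for action, name in plan:
        print(action, name)
    print("capacity ok:", capacity_never_below(fleet, plan, 3000))
```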

Management console

There is none.
What?
There is none.
As said, it's self-learning, so it doesn't need management.
In time it might be added to Project Astro.
Hope this blog helps you understand the product better.
P.S. Access Point is available right now.
