2.5
ACE Management Server Administrator’s Manual
VMware, Inc.
The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.

VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public-key certificates, typically for a fee.
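
The verification behaviour described above, modelled as an added example (it is not VMware's code and does not come from this manual): the packaged store is integrity-checked, then the chain the server presents must match it exactly, with no reference to the host's certificate store. The function names, the recorded store digest and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(der):
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def store_digest(chain):
    """Digest of the ordered store; length prefixes keep certificate boundaries unambiguous."""
    h = hashlib.sha256()
    for der in chain:
        h.update(len(der).to_bytes(4, "big") + der)
    return h.hexdigest()

def verify_server(packaged_chain, recorded_digest, presented_chain):
    """Return (ok, reason). The host's certificate store is never consulted."""
    # 1. Integrity of the packaged store, re-checked on every connection.
    #    Assumption: recorded_digest was fixed at package creation and is itself protected.
    if not hmac.compare_digest(store_digest(packaged_chain), recorded_digest):
        return False, "packaged store failed integrity check"
    # 2. Exact match: same number of certificates, same order, same bytes.
    if len(presented_chain) != len(packaged_chain):
        return False, "chain length differs"
    for i, (want, got) in enumerate(zip(packaged_chain, presented_chain)):
        if not hmac.compare_digest(fingerprint(want), fingerprint(got)):
            return False, f"certificate {i} does not match"
    return True, "match"

# Constructed stand-ins for DER certificates (not real certificates).
LEAF = b"constructed-leaf-for-ams.example.test"
ROOT = b"constructed-self-signed-root"
PACKAGED = [LEAF, ROOT]
DIGEST = store_digest(PACKAGED)

def demo():
    swapped = [LEAF, b"constructed-injected-root"]
    return {
        "same": verify_server(PACKAGED, DIGEST, [LEAF, ROOT]),
        "reissued_leaf": verify_server(PACKAGED, DIGEST, [b"constructed-new-leaf", ROOT]),
        "leaf_only": verify_server(PACKAGED, DIGEST, [LEAF]),
        "tampered_store": verify_server(swapped, DIGEST, swapped),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Under this model, the `reissued_leaf` case is rejected even though the root is unchanged, which is the practical consequence of an exact-match rule: a different server certificate fails against packages that carry the old one.
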

Accessing ACE Management Server from Outside the Corporate Firewall

All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access
[Diagram labels: external client; external firewall; HTTPS proxy server; internal firewall; AMS server; HTTPS traffic (443), labelled twice; ODBC; NETBIOS (port 137); DNS; KRB5 (port 88); LDAP (port 389).]