Session Protection with VMware Horizon

Introduction

This chapter has 3 primary objectives

  • Securing a Horizon Blast sessions using HTML Access
  • Securing the HTML Blast functionality when Origin Blocking refuses connections via the Unified Access Gateway
  • Securing Workspace ONE Access and VMware Horizon Sessions with JWT TOKEN

Overview

When launching an entitlement using the HTML client with Horizon Blast either through Workspace ONE Access or as a Direct connection with the broker by default one might observe the following:

You might notice that the Browser constantly gets stuck even though our Connection server had trusted CA signed certificates from a public source.

The problem also occurs wheen using HTML blast via Workspace ONE Access, even though Workspace ONE Access is using CA-signed certificates.

The result is an unsatisfactory User-Experience, a user would have to accept what appears to be an Invalid certificate, leaving them with concerns about the resource they are consuming

Background

In earlier versions of Horizon, if we wanted to solve this problem we had to perform two primary operations.

1st an edit had to made on the Broker to the LDS database using ADSIEDIT. The reason for this is as follows and it entails understanding how the transport works. The 2nd step entailed replacing the Agents self-signed cert with a CA signed cert. In a non-persistant environment the most practical way to do this was to use a wild-card certificate.

This exercise is divided into two parts.

  • Part 1 will cover understanding this issue with the Transport
  • Part 2 we will use the latest approach to configuring Horizon Blast with Workspace ONE Access and you will notice how much better it works.

Part 1. Validating the default configuration on the Blast transport

  1. On the ControlCenter server. Open up your Chrome browser session
    • Select the WSONE Access short cut in the favourites bar, that being https://access.euc-livefire.com, select Next
    • In the Select your domain, ensure euc-livefire.com is the selection. Select Next
  • Enter the user name User 4 and the password VMware1! Select Sign in
  1. In the Workspace ONE Access Console
    • Select Apps
    • Under Categories, select Virtual
    • Select and launch, any one of the 4 entitlements
  1. In the address bar, notice you have an IP address, also you will notice it says the certificate is not Valid.
  1. So there are two problems here, our Agent is using a self-signed cert, but even if we had a CA signed cert it would not be trusted as by default Horizon prefers to use IP address rather than domain name.
    1. In the past this was a two part process, where we had to edit the LDS database using ADSIEDIT (above screenshot of the config) and we would have configure Horizon to Prefer using a FQDN rather than an IP Address. The reason for this was, even if we had a valid certificate it would not be recognized as the address in the certificate would not map to the address in the browser.
    2. On the virtual desktop we would replace the self-signed cert with a CA signed Wild CARD cert .
      • And that was a problem as no one liked that, it was not secure, it gave the impression of being secure, but it was an open door waiting to be exploited.
    3. Thankfully this issue has been rectified and we will look at Part 2 on how secure our Horizon environment properly when we integrate with Access using the Blast Protocol
    4. Log off from Workspace ONE Access and Close any open Browsers
  • Reference
    • https://kb.vmware.com/s/article/2088354
    • https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-installation/GUID-8E7FBB9D-F2DB-4787-B11B-7506126DEB7F.html

Part 2. Securing a Horizon Blast sessions using HTML Access.

What the Product development team have done is give us the ability to Tunnel HTML Blast traffic through the Broker.

  • This has a two advantages. The Broker can use its own CA signed certificate when launching the session with the client and we do not have to configure the Broker to prefer to use DNS as the client is connecting directly with the Broker.
  • Best practice now is to configure the HTML BLAST SECURE GATEWAY on the Broker for internal Horizon Clients. In the past we would not configure Blast to Tunnel through the Horizon Connection Server if we wanted to use the Unified Access Gateway.
  • With this new configuration we are able to use this Connection Server for both Internal and External use.
    • We will now implement this configuration on the Horizon Connection server and then test this configuration out in this Part

 

  1. On your ControlCenter2 server, launch the Chrome Browser, select the Horizon_Admin shortcut in the Favourites Bar
    • Login as Administrator
    • For password us VMware1!
    • Select Sign in
  1. In the Horizon Console
    • Expand Settings
    • Select Servers under Settings
  1. Under Servers, select Connection Servers
  1. On the Connection Servers tab, select the CS1-PD1 and select Edit
  1. Notice that the issue occurs with our HTML client  Do not use Blast Secure Gateway is selected
  1. Change the default configuration by selecting the radio button next to Use Blast Secure Gateway for only HTML Access Connections to machine
    • Close the Edit Connection Server Settings by selecting OK

Part 3 . Validating our Horizon HTML Blast Configuration

  1. On the ControlCenter2 server.
    • Open a new tab on your Chrome browser session
    • Select the WSONE Access short cut in the favourites bar for Workspace ONE Access, that being https://access.euc-livefire.com, select Next
    • In the Select your domain, ensure euc-livefire.com is the selection. Select Next
  • Enter the user name User 4 and the password VMware1! Select Sign in
  1. In the Workspace ONE Access Console
    • Select Apps
    • Under Categories, select Virtual
    • Select and launch, any one of the 4 entitlements
  1. Notice there were no hiccups in the launch of your application in your browser and you have a valid certificate in your Browser
    • You are not being redirected to have a direct session with the Desktop
    • Log off from Workspace ONE Access , Close your Chrome Browser

Conclusion

In this session we have seen how we secure internal HTML Blast traffic

If we were external our traffic would tunnel through the Blast Secure Gateway on the UAG. However, when external we would not then tunnel again through the Horizon Connection server. The Unified Access Gateway would come into play. In the next part we will look at how we configure the Unified Access Gateway for secure the HTML Blast Transport for external Access.

Part 4: Securing the HTML Blast functionality when Origin Blocking refuses connections via the Unified Access Gateway

  1. On your ControlCenter2 Server
    • Open your Remote Desktop folder, launch W10EXT01a.RDP
    • On the W10Ext01a desktop, open your Chrome browser, in the address bar, type uag-hzn.euc-livefire.com or select the UAG-Client shortcut
    • Select the VMware Horizon HTML Access shortcut
  1. Notice you have a Failed to connect to the Connection Server issue
  1. On your ControlCenter2 server Desktop
    • In the Remote Desktops folder
    • Launch  CS1-PD1.RDP
  1. On your Horizon Connection server ( CS1-PD1) to your logs folder to validate this is the issue.
    • On the Task bar launch File Explorer
    • Go to c\:ProgramData\VMware\VDM\logs
    • Open the most current debug log and
    • Search for a keyword "unexpected origin"
  • This validates the issue we are having. To solve this proceed with the following step
  1. On your ControlCenter2 server Desktop
    • Open your Chrome Browser, open a new tab and select the UAG_Admin shortcut
    • In the UAG Admin login, type
      • In the Username area type : admin
      • In the Password area type: VMware1!
  1. On the Unified Access Gateway Appliance v20.09 Admin console
    • Under Configure Manually
      • Click on, Select
  1. On the Unified Access Gateway Appliance v20.09 Admin console
    • Under General Settings
      • Next to Edge Service Settings, move the toggle next to Edge Service Settings from Left to Right
  1. To the right of Horizon Settings, select the gear wheel
  1. In the Horizon Settings, next to
    • Re-write Origin Header, move the toggle from No on the left to Yes on the right.
    • Select Save at the bottom of the window.
    • Logout from the UAG Admin console
  1. Switch back to your W10Ext01a server,
    • Launch your Chrome Browser
    • Enter UAG-HZN.euc-livefire.com in the Address Bar
    • Select VMware Horizon HTML Access
  1. In the Login window type in the following:
    • Username: User4
    • Password:VMware1!
    • Select Login
  1. In the Horizon HTML entitlements, launch any of the 4 entitlements
  1. Notice your entitlement launches without any further prompts
    • Select Log out and then on the Log Off window select OK from your Horizon Session
    • Close your Browser
    • Minimize your W10Ext01a.RDP Session

Conclusion

This concludes this part

We have Configured HTML Blast for external access using the Unified Access Gateway and the HTML Blast Secure Gateway

Part 5:  Configuring an appropriate authentication method when Integrating Workspace ONE Access with VMware Horizon and the Unified Access Gateway.

Introduction

When configuring the Transport integration with Workspace ONE Access a customer might have deployed an On-premises, LAN deployed Workspace ONE Access server or DMZ deployed Workspace ONE Access server or the customer might have subscribed to a SAAS deployment of Workspace ONE Access.
VMware Horizon will always be on a Microsoft Active Directory Domain joined LAN connected network. The Unified Access Gateway will be deployed in the DMZ to facilitate all external access for Horizon Based resources and will not be domain joined.

Internal Users should / could connect and tunnel directly through the Connection Server with HTML Blast or have a direct session to the Horizon Agent on the LAN.

External Users should always connect and tunnel via the Unified Access Gateway and should never have a Direct session on the Transport from an external network to a domain joined desktop.

In this scenario all we are doing is securing North / South traffic and to ensure East / West traffic within networks are secure we would have to use VMware NSX

The objective of this session is demonstrate the Networking configuration requirements when Workspace ONE Access integrates with VMware Horizon and the VMware Unified Access Gateway.

  1. On your ControlCenter2 server, on your Google Chrome browser, open a new tab and select the WSONE Access shortcut in the Favourites bar
    • Ensure that in the Select your Domain window, you have System Domain selected in the dropdown
    • Select Next
  1. Under Username type admin, under Password type VMware1!
    • Select Sign In
  1. In the Workspace ONE Access console,
    • Select the Identity & Access Management tab
  1. Under Identity & Access Management select Policies
  1. In the Policies window,  select NETWORK RANGES
  1. Under Network Ranges select + ADD NETWORK RANGE
  1. In the Add Network Range window add the follow
    • Under Name type External
    • Under IP Ranges type 172.16.30.1 To 172.16.30.254
    • Select SAVE
  • In the Real world for external we leave the default All Ranges, as we dont have external access we will emulate an external network
    • In this setup the 172.16.30.x network we are treating as an external network for our configurations
    • W10Ext01a is our Test machine and is there representing a Device on an External Network
  1. In the Network Ranges window select + ADD NETWORK RANGE
  1. In the Add Network Range window add the follow
    • Under Name type Internal
    • Under IP Ranges type 192.168.100.1 To 192.168.100.254
    • Select +ADD ROW twice
    • Under IP Ranges (2nd Row) type 192.168.110.1 To 192.168.110.254
    • Under IP Ranges (3rd Row) type 172.16.10.1 To 172.16.10.254
  • In this setup the above networks are all being treating as external networks for our configurations
    • Select SAVE
  • Note!  Do not cut and paste the Ip address's . Its possible you could a message when trying to save that says,  try entering a valid range of IP addresses . If this happens delete all Internal entries and start with Step 9 from scratch
  1. Review your configurations, click to Close the Network Ranges window,
  1. Under Polices , select the radio button next to default_access_policy_set and select EDIT
  1. In the Edit Policy window select Configuration
  1. Click ADD POLICY RULE in the Configuration tab of Edit Policy page.
  1. In the Add Policy Rule window
    • Next to, If a user's network range is * Select External
    • Next to, and the user accessing content from *, from the drop down,  select Windows 10
    • Next to, then the user may authenticate using * Select Certificate (Cloud Deployment) for the first authentication method
    • Next to, If the preceding method fails or is not applicable, select Password (cloud deployment)
  • Select + ADD FALLBACK METHOD
    • Next to, If the preceding method fails or is not applicable, select Password (Local Deployment)
  • Click SAVE at the botom right hand side of the page
  1. Next to ALL RANGES for Windows 10 on the left select the 6 DOTS and drag to the top
  1. In the Configuration window, select ALL RANGES next to Web Browser
  1. In the Edit Policy Rule, change the following, next to :-
    • Next to:-
      • If a user's network range is * select External
      • and user accessing content from * select Web Browser
      • then the user may authenticate using * select Certificate (Cloud Deployment)
      • If the preceding method fails or is not applicable, then select Password (cloud deployment)
      • If the preceding method fails or is not applicable, then select Password (Local Directory)
    • Select SAVE
  1. Under External  Web Browser select the + ADD POLICY RULE link
  1. In the Add Policy Rule window add the following:
    • Next to :-
      • If a user's network range is * select Internal
      • and user accessing content from * select Web Browser
      • then the user may authenticate using * select Password (cloud deployment)
      • If the preceding method fails or is not applicable, then select Password (Local Directory)
    • Select SAVE
  1. Under internal select the + ADD POLICY RULE link
  1. In the Add Policy Rule window add the following:
    • Next to :-
      • If a user's network range is * select Internal
      • and user accessing content from * select Windows 10
      • then the user may authenticate using * select Password (cloud deployment)
      • If the preceding method fails or is not applicable, then select Password (Local Directory)
    • Select SAVE
  1. In the Edit Policy window,
    • Select the 6 DOTS next to ALL RANGES WORKSPACE ONE App,
      • Ensure this line, is dragged right to the bottom of the order list
    • Select NEXT
  1. In the Edit Policy window, select SAVE
  1. In the Workspace ONE Access console select Catalog > Virtual Apps Collection
  1. In the Virtual Apps Collections window,
    • Select Horizon
  1. In the Horizon settings window, select EDIT NETWORK RANGE
  1. In Network Ranges select External
  1. In the Assign Pods to Network Ranges window under Client Access FQDN enter  uag-hzn.euc-livefire.com
    • Select SAVE
    • Select FINISH

Part 6: Securing Workspace ONE Access and VMware Horizon Sessions with JWT TOKEN

  1. On the Controlcenter2 server
    • On your Chrome browser, select the UAG-HZN admin session
    • In the Username area, login as admin
    • In the password area, enter VMware1!,
    • Select Login
  1. In the UAG ADMIN Console
    • Under Configure Manually, click the Blue Select button
  1. In the UAG ADMIN Console
    • Under Advanced Settings
      • Select the Gear to the right of JWT Settings
  1. In the UAG ADMIN Console
    • In the JWT Settings window, select Add
  1. In the JWT Settings window, enter the following, next to
    • Name: Workspace ONE Access
    • Dynamic Public key URL: https://access.euc-livefire.com/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
    • Public key refresh interval: 86400
    • Select Save
    • Select Close
  1. In the UAG Admin Console
    • In the General Settings area
      • Next to Edge Service Settings, select and move the toggle to the right
      • To the right of Horizon Settings, select the GEAR
  1. In the Horizon Settings window
    • At the bottom of the page, select More
    • To the right of JWT Settings select the dropdown and select Workspace ONE Access
    • Scroll to the bottom of the window and select Save
  1. On your Controlcenter2 server
    • Open an existing Access session to the Admin Console: access.euc-livefire.com
      • If no session is open, Login as Admin and password VMware1!
      • Select the Catalog tab dropdown and select Virtual Apps Collection
      • Under Name, double Click the Horizon hyperlink
  1. In the Horizon window
    • Select the EDIT NETWORK RANGE button
  1. In the Network Ranges window
    • Select External
  1. In the Assign Pods to Network Ranges window
    • Under Wrap Artifact in JWT move the toggle to Yes
    • Under Audience in JWT, enter https://access.euc-livefire.com
    • Select SAVE
    • Select FINISH to close the Network Ranges window
  1. In the Network Ranges window
    • Select Internal
    • Under  Client Access FQDN, type cs1-pd1.euc-livefire.com
    • Select SAVE
    • Select FINISH

Part 7: Validating Workspace ONE Access Transport Configurations with VMware Horizon

INTRODUCTION

We will test our Workspace ONE Access Console on what is representative of an internal network. We will perform this task on the ControlCenter server which has and IP address of 192.168.110.10. The 192.168.110.x range was one of the networks we defined as Internal

Next we will test our Workspace ONE Access Console on a network that is representative of an External Network. That being the 172.16.30.x Network. We will perform the test on the W10EXT01a virtual machine that has an IP address of 172.16.30.30

  1. On your ControlCenter2 server
    • On your Chrome Browser in the top right hand corner, select the 3 DOTS and then select New incognito window
  1. In the Favourites Bar, select the shortcut to the WSONE Access server
  1. In the Select your domain window.
    • Validate that the default domain euc-livefire.com is selected
    • Select Next
  1. Under username enter user4, under password enter VMware1!, select Sign in
  1. Next to Favorites, select Apps
  1. Select any of the Virtual App entitlements, I am going to select Calculator
  1. Notice the Address in the Browser is our Horizon Connection server.
    • In this example, We have launched a Virtual Application from Workspace ONE ACCESS and our session is Tunneling through the Connection Server, without any hiccups. Most important is our Workspace ONE Access Policies pointed us directly to the Internal Broker (Connection Server)
    • Select Log out
    • On the Log Off window select OK
    • In the top right hand corner, select  UP, right-click, select  Sign Out
    • Close the browser
  1. On your ControlCenter2 server,
    • Switch back to the W10EXT01a.RDP session
    • Open your Chrome browser and type https://access.euc-livefire.com
  1. On the Select your domain window, select Next
  1. In the Select a certificate windows
    • Select OK

 

  1. Next to Favorites, select Apps
  1. In the App entitlements,
    • Select Calculator
    • Notice you are again prompted for Username. (This is as a result of TrueSSO not being configured) We will fix this in the next lab
    • In the Password Request area enter VMware1! as the password
    • Select Sign in
    • To the right of the Address Bar,
      • Select the red flag Icon
      • Change Continue blocking radio button to Always allow pop-ups radio button and redirects from https://access.euc-livefire.com
      • Select Done
  1. Notice the Address in the Browser is our Unified Access Gateway server.
    • In this example, We have launched a Virtual Application from Workspace ONE ACCESS and our session is Tunneling through the Unified Access Gateway Server, without any hiccups. Most important is our Workspace ONE Access Policies pointed us directly to the Unified Access Gateway because of the network settings we defined and the Network we using Workspace ONE Access from.
    • Select Log out
    • On the Log Off window select OK
    • Close the browser

Conclusion

In Summary we looked at Best practice with the regard to configuring the Blast protocol for using with  HTML Client. It is important to note that Native Client by default offers the same and possibly better user experience and we do not necessarily, see the errors we see with the HTML client. However best practices and configurations we saw in this exercise apply to both the Native and the HTML client

Acknowledgements and References

About the Author: Reinhart Nel

https://www.dropbox.com/s/cf32s1ddeyt5zx4/Reinhart%20Nel.pdf?dl=0

For any questions related to this session, email Reinhart at [email protected]

 

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.