3. Securing Horizon unmanaged endpoints with OPSWAT MetaAccess (UPDATED)
Workspace ONE has a broad range of solutions to secure and manage endpoints and render them compliant before they connect from an external source.
An endpoint can be enrolled, and the Risk Scoring feature can then be used for compliance checking. There are constraints, however: a minimum of 100 enrolled devices, enrolled for up to 30 days, before algorithmic analysis starts.
The BYOD use case is also worth mentioning here.
For a developer or a small business, device numbers alone may be the one constraint that prevents securing the endpoint this way.
For this reason VMware has partnered with OPSWAT, whose integration is used to secure this endpoint.
Requirements for this lab
It is highly recommended to register a test email account with either Gmail.com or Outlook.com.
Section 1. Preparing your lab environment for OPSWAT MetaAccess testing
In our testing we learned that every device registered in OPSWAT MetaAccess requires a unique UUID and MAC hardware address.
For this lab to work in the Livefire environment we will first make certain edits to the existing test virtual desktops so that we are able to perform our labs.
It is critical that you follow the guidance exactly as outlined. Failure to follow the lab guide might result in a corrupted virtual machine, which might require a complete re-deployment of your test machine in vSphere.
- On your ControlCenter server
  - Launch your Site 1 Chrome browser profile
  - On the browser Favourites bar
    - select the vCenter-01a shortcut
- In the VMware vSphere login
  - In the username area
    - enter [email protected]
  - In the password area
    - enter VMware1!
  - select LOGIN
- In the vCenter Hosts & Clusters inventory
  - select & right-click W11EXT-01a
  - in the menu
    - select Power > Shut Down Guest OS
- In the Confirm Guest Shut Down window
  - select YES
- In the vCenter Inventory
  - select & right-click W11EXT-01a
  - in the menu
    - select Edit Settings...
- In the Edit Settings window
  - in line with Network adapter 1, to the right
    - select the More Options icon
    - select Remove device
  - in the bottom right corner
    - select OK
- In the vCenter Inventory
  - select & right-click W11EXT-01a
  - in the menu
    - select Edit Settings...
- In the Edit Settings window
  - in the top right corner
    - select ADD NEW DEVICE
  - from the dropdown, at the bottom
    - select Network Adapter
- In the Edit Settings window
  - to the left of New Network*
    - expand the configuration
  - to the right of New Network*
    - select the dropdown
    - select Browse...
- In the Select Network window
  - next to CorpExternal01
    - select the radio button
  - select OK
- In the Edit Settings window
  - review your configuration
  - to close, select OK
Leave this virtual machine powered off.
- On your ControlCenter server
  - Launch your Site 2 Chrome browser profile
  - On the browser Favourites bar
    - select the vCenter-02a shortcut
- In the VMware vSphere login
  - In the username area
    - enter [email protected]
  - In the password area
    - enter VMware1!
  - select LOGIN
- In the vCenter Hosts & Clusters inventory
  - select & right-click W11EXT-02a
  - in the menu
    - select Power > Shut Down Guest OS
- In the Confirm Guest Shut Down window
  - select YES
- In the vCenter Inventory
  - select & right-click W11EXT-02a
  - in the menu
    - select Edit Settings...
- In the Edit Settings window
  - in line with Network adapter 1, to the right
    - select the More Options icon
    - select Remove device
  - in the bottom right corner
    - select OK
- In the vCenter Inventory
  - select & right-click W11EXT-02a
  - in the menu
    - select Edit Settings...
- In the Edit Settings window
  - in the top right corner
    - select ADD NEW DEVICE
  - from the dropdown, at the bottom
    - select Network Adapter
- In the Edit Settings window
  - to the left of New Network*
    - expand the configuration
  - to the right of New Network*
    - select the dropdown
    - select Browse...
- In the Select Network window
  - next to CorpExternal02
    - select the radio button
  - select OK
- In the Edit Settings window
  - review your configuration
  - to close, select OK
Leave this virtual machine powered off.
- On the ControlCenter server Desktop
  - launch the WinSCP shortcut
- In the WinSCP window
  - If necessary, select New Site
  - In the Session area
    - below Host name: enter esxi-01a.euc-livefire.com
    - below User name: enter root
    - below Password: enter VMware1!
  - select Login
- If necessary, in the WinSCP Warning window
  - select Yes
- In WinSCP
  - in the right pane
    - select vmfs > volumes
    - select the CorpLun01a shortcut
  - In the volumes area
    - open W11EXT-01a
The next steps need to be followed precisely as depicted in this guide. Failure to follow this guide might result in a corrupt virtual machine, and a re-installation will be required.
- In WinSCP
  - in /vmfs/volumes/61fced03-34c20fe5-cffb-00505603cc7b/W11EXT-01a
    - select and right-click W11EXT-01a.vmx
    - in the dropdown menu, select Edit
- In the Editor for WinSCP
  - scroll down until you find the uuid.bios entry
  - on the uuid.bios line
    - edit the 3rd & 4th last hexadecimal entries in the address
    - where XXX is your class identifier
  - review your entry
  - in the top left corner, select the SAVE icon
  - to close Editor for WinSCP, select X in the top right corner
  - to close WinSCP, select X in the top right corner
  - when prompted to Confirm, select OK
- On your ControlCenter
  - revert to your Site 1 Chrome browser profile
- In the vSphere client, Hosts & Clusters Inventory
  - select & right-click W11EXT-01a
  - select Power > Power On
- On the ControlCenter server Desktop
  - launch the WinSCP shortcut
- In the WinSCP window
  - If necessary, select New Site
  - In the Session area
    - below Host name: enter esxi-02a.euc-livefire.com
    - below User name: enter root
    - below Password: enter VMware1!
  - select Login
- If necessary, in the WinSCP Warning window
  - select Yes
- In WinSCP
  - in the right pane
    - select vmfs > volumes
    - select the CorpLun02a shortcut
  - In the volumes area
    - open W11EXT-02a
The next steps need to be followed precisely as depicted in this guide. Failure to follow this guide might result in a corrupt virtual machine, and a re-installation will be required.
- In WinSCP
  - in /vmfs/volumes/61fcee55-cd076f0a-263b-005056011718/W11EXT-02a
    - select and right-click W11EXT-02a.vmx
    - in the dropdown menu, select Edit
- In the Editor for WinSCP
  - scroll down until you find the uuid.bios entry
  - on the uuid.bios line
    - edit the 3rd & 4th last hexadecimal entries in the address
    - where XXX is your class identifier
  - review your entry
  - in the top left corner, select the SAVE icon
  - to close Editor for WinSCP, select X in the top right corner
  - to close WinSCP, select X in the top right corner
  - when prompted to Confirm, select OK
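Added example, not part of the lab guide: a Python helper that performs the uuid.bios edit from both WinSCP procedures above programmatically, validating the line format before it rewrites anything (a malformed uuid.bios line is one way to end up with the corrupt VM the guide warns about), and that checks a set of .vmx files for the duplicated uuid.bios and MAC values MetaAccess uses as device identity. The .vmx contents are constructed samples; the adapter MAC still has to be regenerated by removing and re-adding the network adapter as the guide does.

```python
import re
from typing import Dict, List

# Matches the uuid.bios line of a VMware .vmx file, e.g.
#   uuid.bios = "56 4d 8a 5e 1b 37 2c 4d-9e 1f 0a 3c 5d 7e 9f b1"
# 16 hex bytes, space separated, with a hyphen between byte 8 and byte 9.
UUID_BIOS_RE = re.compile(
    r'^uuid\.bios[ \t]*=[ \t]*"'
    r'(?P<uuid>(?:[0-9a-fA-F]{2} ){7}[0-9a-fA-F]{2}-(?:[0-9a-fA-F]{2} ){7}[0-9a-fA-F]{2})'
    r'"[ \t]*$',
    re.MULTILINE,
)
# Generated or static MAC of any virtual NIC in the .vmx.
MAC_RE = re.compile(
    r'^ethernet\d+\.(?:generatedAddress|address)[ \t]*=[ \t]*"([0-9a-fA-F:]{17})"',
    re.MULTILINE,
)

# Constructed sample .vmx fragment (not from the lab environment).
SAMPLE_VMX = (
    'displayName = "W11EXT-01a"\n'
    'uuid.bios = "56 4d 8a 5e 1b 37 2c 4d-9e 1f 0a 3c 5d 7e 9f b1"\n'
    'ethernet0.generatedAddress = "00:50:56:8a:12:34"\n'
)


def set_uuid_bios_class_id(vmx_text: str, class_id: int) -> str:
    """Return vmx_text with the second-to-last byte of uuid.bios set to class_id.

    That byte is the "3rd & 4th last hexadecimal entry" the guide has you edit
    by hand. Raises ValueError instead of writing a partial edit when the line
    is missing or malformed, or when class_id does not fit in one byte.
    """
    if not 0 <= class_id <= 0xFF:
        raise ValueError("class_id must fit in one byte (0-255)")
    match = UUID_BIOS_RE.search(vmx_text)
    if match is None:
        raise ValueError("no well-formed uuid.bios line found")
    octets = match.group("uuid").replace("-", " ").split(" ")
    octets[14] = f"{class_id:02x}"  # 15th of 16 bytes
    new_uuid = " ".join(octets[:8]) + "-" + " ".join(octets[8:])
    return vmx_text[: match.start("uuid")] + new_uuid + vmx_text[match.end("uuid"):]


def find_identity_collisions(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every uuid.bios or MAC value shared by two or more .vmx files to the
    VM names that share it. Clones that still share either value will collide
    when they register with MetaAccess."""
    seen: Dict[str, List[str]] = {}
    for name, text in vmx_files.items():
        match = UUID_BIOS_RE.search(text)
        if match:
            seen.setdefault("uuid.bios=" + match.group("uuid").lower(), []).append(name)
        for mac in MAC_RE.findall(text):
            seen.setdefault("mac=" + mac.lower(), []).append(name)
    return {value: names for value, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Two pods cloned from the same template share both identity values.
    pods = {"pod-10": SAMPLE_VMX, "pod-11": SAMPLE_VMX}
    print("before:", find_identity_collisions(pods))
    pods = {name: set_uuid_bios_class_id(text, int(name[-2:]))
            for name, text in pods.items()}
    # uuid.bios now differs per pod; the MAC collision remains until the
    # network adapter is removed and re-added in vSphere.
    print("after: ", find_identity_collisions(pods))
```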
- On your ControlCenter
  - revert to your Site 2 Chrome browser profile
- In the vSphere client, Hosts & Clusters Inventory
  - select & right-click W11EXT-02a
  - select Power > Power On
- On your ControlCenter server
  - switch to your Site 1 Chrome browser profile
  - select W11EXT-01a
- In the W11EXT-01a properties
  - select the Summary tab
  - In the Summary area
    - select LAUNCH WEB CONSOLE
- In the W11EXT-01a Web Console
  - In the top right corner
    - select Send Ctrl+Alt+Delete
  - login as admin
  - in the password area
    - enter VMware1!
- In the W11EXT-01a desktop
  - on the Taskbar
    - select and right-click the START button
  - In the Menu
    - select Run
- In the Run window
  - next to Open:
    - enter ncpa.cpl
  - select OK
- In the Network Connections window
  - select and right-click Ethernet0
  - from the dropdown
    - select Properties
- In the Ethernet0 Properties
  - select Internet Protocol Version 4 (TCP/IPv4)
  - towards the bottom right
    - select Properties
- In the Internet Protocol Version 4 (TCP/IPv4) Properties
  - next to Use the following IP address
    - select the radio button
  - next to IP address:
    - enter 172.16.30.XX
    - where XX is your Class ID
  - next to Subnet mask:
    - enter 255.255.255.0
  - next to Default gateway:
    - enter 172.16.30.1
  - next to Use the following DNS server addresses
    - select the radio button
  - next to Preferred DNS server:
    - enter 192.168.110.10
  - In the bottom right corner
    - select OK
- On your ControlCenter server
  - Open your Remote Desktops folder
  - Go to Remote Desktops > Site 1
  - select & right-click W11Ext-01a.RDP
  - select Edit
- In the Remote Desktop Connection window, General tab
  - next to Computer
    - edit the IP in the last octet
    - where XX is your Class ID
  - select Save
- On your ControlCenter server
  - switch to your Site 2 Chrome browser profile
  - select W11EXT-02a
- In the W11EXT-02a properties
  - select the Summary tab
  - In the Summary area
    - select LAUNCH WEB CONSOLE
- In the W11EXT-02a Web Console
  - In the top right corner
    - select Send Ctrl+Alt+Delete
  - login as admin
  - in the password area
    - enter VMware1!
- In the W11EXT-02a desktop
  - on the Taskbar
    - select and right-click the START button
  - In the Menu
    - select Run
- In the Run window
  - next to Open:
    - enter ncpa.cpl
  - select OK
- In the Network Connections window
  - select and right-click Ethernet0
  - from the dropdown
    - select Properties
- In the Ethernet0 Properties
  - select Internet Protocol Version 4 (TCP/IPv4)
  - towards the bottom right
    - select Properties
- In the Internet Protocol Version 4 (TCP/IPv4) Properties
  - next to Use the following IP address
    - select the radio button
  - next to IP address:
    - enter 172.16.40.XX
    - where XX is your Class ID
  - next to Subnet mask:
    - enter 255.255.255.0
  - next to Default gateway:
    - enter 172.16.40.1
  - next to Use the following DNS server addresses
    - select the radio button
  - next to Preferred DNS server:
    - enter 192.168.110.10
  - In the bottom right corner
    - select OK
- On your ControlCenter server
  - Open your Remote Desktops folder
  - Go to Remote Desktops > Site 2
  - select & right-click W11Ext-02a.RDP
  - select Edit
- In the Remote Desktop Connection window, General tab
  - next to Computer
    - edit the IP in the last octet
    - where XX is your Class ID
  - select Save
Section 2. Getting started with OPSWAT MetaAccess
Requirements for this section: ensure you have an email address you are able to open in the lab environment. We highly recommend creating a bespoke email address for this lab.
- This Section has two Parts
  - We will register an Account with OPSWAT
  - On the Unified Access Gateway servers, we will upload and configure the On-Demand OPSWAT MetaAccess agent for Horizon Client deployment
- On your ControlCenter server
  - open a new tab in your Chrome browser
  - In the address bar, enter the following URL
    - https://gears.opswat.com/o
- In the OPSWAT MetaAccess page
  - select Register
- In the Create your OPSWAT Account page
  - Enter the following required information
    - First Name
    - Last Name
    - Password & Confirm Password
    - Company Name: VMware Livefire Training
  - Next to "I agree to the OPSWAT Inc. Terms of Service and Privacy Policy, unless my organization has a separate written agreement with OPSWAT Inc., in which case those separate terms shall apply.*"
    - select the checkbox
  - Next to "Yes, I would like to receive email communications from OPSWAT."
    - select the checkbox
- In the Create your OPSWAT Account page
  - at the bottom of the page, next to I'm not a robot
    - select the checkbox
    - Follow the requirements in the window
    - select VERIFY
  - select Sign Up
- In the OPSWAT MetaAccess page
  - Note that you now need to check your email to confirm your Account
- On your ControlCenter server
  - Log in to your email
- In your email account
  - Note you have an email from opswat-support (if not, check your SPAM folder)
  - open the email
- In the OPSWAT MetaAccess Account Registration email
  - select Activate MetaAccess
- In the OPSWAT MetaAccess page
  - Change the URL from
    - https://console.metaaccess-b.opswat.com/onlanding/install/windows
  - to
    - https://console.metaaccess-b.opswat.com/
  - You are now in the Admin Console for OPSWAT MetaAccess
- In the following Parts we will perform the following
  - Register the VMware Unified Access Gateway with OPSWAT MetaAccess
  - Register two endpoints with OPSWAT MetaAccess
  - Test OPSWAT functionality
- But first we need to download the OPSWAT On-Demand agent
- In the OPSWAT MetaAccess Admin Console
  - In the left Inventory pane
    - expand Inventory
    - select Devices
  - In the Devices area, in the middle of the admin pane
    - select +Device
- In the Add Devices window
  - select Download OPSWAT Client For Distribution
  - In the Windows tab for clients, under the Limited OPSWAT On-Demand Client area
    - select Limited Client
Note: the primary difference between the Limited OPSWAT On-Demand Client and the OPSWAT On-Demand Client is that the end user requires local Admin permission for the installer to download and run.
- On your ControlCenter server
  - from the Taskbar, select the Folder icon
  - under Quick access, select Downloads
  - notice you now have an OPSWAT_GEARS_Client.... executable
Section 3. Getting Started with OPSWAT MetaAccess in a VMware Horizon Environment
Our lab environment is a multi-site setup; we will configure all of the Unified Access Gateway servers to communicate with OPSWAT MetaAccess.
- On your ControlCenter server
  - open a new tab in your Chrome browser
  - In the address bar, enter the following URL
    - https://gears.opswat.com/o
  - with your keyboard, press ENTER
- In the OPSWAT MetaAccess OAuth Applications console
  - select Register New Application
- In the OPSWAT MetaAccess OAuth Applications console
  - under *Application Name
    - enter VMware Unified Access Gateway
  - under *Description
    - enter, for example, This is a multi-site solution
  - scroll down to the bottom of the window
- In the OPSWAT MetaAccess OAuth Applications console
  - under Upload a new icon
    - select Input file
  - In the File Explorer window
    - browse to \\horizon-01a.euc-livefire.com\software\icons
    - select uag.png
    - select Open
- In the OPSWAT MetaAccess OAuth Applications console
  - under *Website URL
    - enter https://corp.euc-livefire.com
    - Note! This is a required parameter, but the UAG server integration does not use this setting.
  - under *Callback URL
    - enter http://127.0.0.1/opswat.
  - At the top of the page
    - select Create
- In the OPSWAT MetaAccess OAuth Applications console
  - under OAuth Settings
    - select Reveal Keys
    - Copy both the Client key and the Client secret
    - save them to Notepad++
- On your ControlCenter server
  - On your Site 1 browser
    - open a new tab
    - from the Favourites bar, select the UAG-HZN-01a shortcut
- In Unified Access Gateway
  - In the Username area
    - enter admin
  - In the Password area
    - enter VMware1!
  - select Login
  - Under Configure Manually
    - click Select
- In the Unified Access Gateway console
  - scroll down to the Advanced Settings area
  - next to Endpoint Compliance Check Provider Settings
    - select the GEAR LEVER
- In the Endpoint Compliance Check Provider Settings window
  - select Add
  - next to Endpoint Compliance Check Provider
    - from the dropdown, select OPSWAT
  - next to Client Key*
    - from Notepad++, copy and paste your Client Key
  - next to Client Secret*
    - from Notepad++, copy and paste your Client Secret
  - next to Connectivity Check Interval
    - enter 5
  - scroll down
  - next to Compliance Check Interval Timeunit
    - from the dropdown, validate that minutes is selected (default)
  - next to Compliance Check Initial Delay
    - enter 15
  - next to Compliance Check Fast Interval
    - enter 5
  - next to Compliance Check Interval
    - enter 5
Note: you have entered a Compliance Check Initial Delay of 15. This will facilitate client deployment.
Make a note of the time you save your settings.
- In the Endpoint Compliance Check Provider Settings window
  - next to Show Allowed Status Codes
    - select the EXPAND option
    - ensure that the In compliance toggle is Enabled
  - Below the Compliance settings, below Windows - On-demand agent
    - next to Local, select the radio button
  - Below the Windows - On-demand Agent Settings heading
    - next to Executable File*, click Select
- In the File Explorer Open window
  - In the Quick Access bar, select Downloads
  - In the Downloads folder
    - select the OPSWAT_GEARS_Client*.*default .exe
    - select Open
- Below the Windows - On-demand Agent Settings heading
  - next to Name
    - enter OPSWAT OnDemand Client
  - next to Parameters
    - enter /silent /log 1
  - next to Flags
    - enter RUN_AS_SYSTEM
- In the Endpoint Compliance Check Provider Settings window
  - at the bottom of the window
    - select Save
    - select Close
- In the Unified Access Gateway Admin Console
  - at the top of the page, under General Settings
    - next to Edge Service Settings, expand the TOGGLE
  - to the right of Horizon Settings
    - select the GEAR ICON
- In the Horizon Settings window
  - below Enable Tunnel, next to More
    - select the EXPAND icon
  - below Enable Tunnel, next to Endpoint Compliance Check Provider
    - select the dropdown
    - from the dropdown, select OPSWAT
  - Below Endpoint Compliance Check Provider, next to Compliance Check on Authentication
    - enable the Toggle
  - next to Disable HTML Access
    - turn the Toggle from disabled to enabled
  - at the bottom of the page
    - select Save
Note: OPSWAT MetaAccess only supports the Horizon Client, not the HTML Client.
- On your ControlCenter server
  - On your Site 1 browser
    - open a new tab
    - select the UAG-HZN-01b shortcut
- In Unified Access Gateway
  - In the Username area
    - enter admin
  - In the Password area
    - enter VMware1!
  - select Login
  - Under Configure Manually
    - click Select
- In the Unified Access Gateway Appliance v22.12 console
  - scroll down to the Advanced Settings area
  - next to Endpoint Compliance Check Provider Settings
    - select the GEAR LEVER
- In the Endpoint Compliance Check Provider Settings window
  - select Add
  - next to Endpoint Compliance Check Provider
    - from the dropdown, select OPSWAT
  - next to Client Key*
    - from Notepad++, copy and paste your Client Key
  - next to Client Secret*
    - from Notepad++, copy and paste your Client Secret
  - next to Connectivity Check Interval
    - enter 5
  - scroll down
  - next to Compliance Check Interval Timeunit
    - from the dropdown, validate that minutes is selected (default)
  - next to Compliance Check Initial Delay
    - enter 15
  - next to Compliance Check Fast Interval
    - enter 5
  - next to Compliance Check Interval
    - enter 5
Note: you have entered a Compliance Check Initial Delay of 15. This will facilitate client deployment.
Make a note of the time you save your settings.
- In the Endpoint Compliance Check Provider Settings window
  - next to Show Allowed Status Codes
    - select the EXPAND option
    - ensure that the In compliance toggle is Enabled
  - Below the Compliance settings, below Windows - On-demand agent
    - next to Local, select the radio button
  - Below the Windows - On-demand Agent Settings heading
    - next to Executable File*, click Select
- In the File Explorer Open window
  - In the Quick Access bar, select Downloads
  - In the Downloads folder
    - select the OPSWAT_GEARS_Client*.*default .exe
    - select Open
- Below the Windows - On-demand Agent Settings heading
  - next to Name
    - enter OPSWAT OnDemand Client
  - next to Parameters
    - enter /silent /log 1
  - next to Flags
    - enter RUN_AS_SYSTEM
- In the Endpoint Compliance Check Provider Settings window
  - at the bottom of the window
    - select Save
    - select Close
- In the Unified Access Gateway Admin Console
  - at the top of the page, under General Settings
    - next to Edge Service Settings, expand the TOGGLE
  - to the right of Horizon Settings
    - select the GEAR ICON
- In the Horizon Settings window
  - below Enable Tunnel, next to More
    - select the EXPAND icon
  - below Enable Tunnel, next to Endpoint Compliance Check Provider
    - select the dropdown
    - from the dropdown, select OPSWAT
  - Below Endpoint Compliance Check Provider, next to Compliance Check on Authentication
    - enable the Toggle
  - next to Disable HTML Access
    - turn the Toggle from disabled to enabled
  - at the bottom of the page
    - select Save
Note: OPSWAT MetaAccess only supports the Horizon Client, not the HTML Client.
- On your ControlCenter server
  - Open your Site 2 browser
    - select the UAG-HZN-02a shortcut
- In Unified Access Gateway
  - In the Username area
    - enter admin
  - In the Password area
    - enter VMware1!
  - select Login
  - Under Configure Manually
    - click Select
- In the Unified Access Gateway Appliance v22.12 console
  - scroll down to the Advanced Settings area
  - next to Endpoint Compliance Check Provider Settings
    - select the GEAR LEVER
- In the Endpoint Compliance Check Provider Settings window
  - select Add
  - next to Endpoint Compliance Check Provider
    - from the dropdown, select OPSWAT
  - next to Client Key*
    - from Notepad++, copy and paste your Client Key
  - next to Client Secret*
    - from Notepad++, copy and paste your Client Secret
  - next to Connectivity Check Interval
    - enter 5
  - scroll down
  - next to Compliance Check Interval Timeunit
    - from the dropdown, validate that minutes is selected (default)
  - next to Compliance Check Initial Delay
    - enter 15
  - next to Compliance Check Fast Interval
    - enter 5
  - next to Compliance Check Interval
    - enter 5
Note: you have entered a Compliance Check Initial Delay of 15. This will facilitate client deployment.
Make a note of the time you save your settings.
- In the Endpoint Compliance Check Provider Settings window
  - next to Show Allowed Status Codes
    - select the EXPAND option
    - ensure that the In compliance toggle is Enabled
  - Below the Compliance settings, below Windows - On-demand agent
    - next to Local, select the radio button
  - Below the Windows - On-demand Agent Settings heading
    - next to Executable File*, click Select
- In the File Explorer Open window
  - In the Quick Access bar, select Downloads
  - In the Downloads folder
    - select the OPSWAT_GEARS_Client*.*default .exe
    - select Open
- Below the Windows - On-demand Agent Settings heading
  - next to Name
    - enter OPSWAT OnDemand Client
  - next to Parameters
    - enter /silent /log 1
  - next to Flags
    - enter RUN_AS_SYSTEM
- In the Endpoint Compliance Check Provider Settings window
  - at the bottom of the window
    - select Save
    - select Close
- In the Unified Access Gateway Admin Console
  - at the top of the page, under General Settings
    - next to Edge Service Settings, expand the TOGGLE
  - to the right of Horizon Settings
    - select the GEAR ICON
- In the Horizon Settings window
  - below Enable Tunnel, next to More
    - select the EXPAND icon
  - below Enable Tunnel, next to Endpoint Compliance Check Provider
    - select the dropdown
    - from the dropdown, select OPSWAT
  - Below Endpoint Compliance Check Provider, next to Compliance Check on Authentication
    - enable the Toggle
  - next to Disable HTML Access
    - turn the Toggle from disabled to enabled
  - at the bottom of the page
    - select Save
Note: OPSWAT MetaAccess only supports the Horizon Client, not the HTML Client.
- On your ControlCenter server
- On your Site 2 browser
- open a new Tab
- select the UAG-HZN-02b shortcut
- In Unified Access Gateway
- In the Username area
- enter admin
- In the Password area
- enter VMware1!
- select Login
- Under Configure Manually
- click Select
- In the Unified Access Gateway Appliance v22.12 console
- scroll down to the Advanced Settings area
- next to Endpoint Compliance Check Provider Settings
- select the GEAR icon
- In the Endpoint Compliance Check Provider Settings window
- select Add
- next to Endpoint Compliance Check Provider
- from the dropdown
- select OPSWAT
- In the Endpoint Compliance Check Provider Settings window
- next to Client Key*
- paste the Client Key you saved in Notepad++
- next to Client Secret*
- paste the Client Secret you saved in Notepad++
- next to Connectivity Check Interval
- enter 5
- scroll down
- In the Endpoint Compliance Check Provider Settings window
- next to Compliance Check Interval Timeunit
- from the dropdown
- validate that minutes is selected (default)
- next to Compliance Check Initial Delay
- enter 15
- next to Compliance Check Fast Interval
- enter 5
- next to Compliance Check Interval
- enter 5
Note: you have entered a Compliance Check Initial Delay of 15 minutes. The delay gives the On-demand agent time to be pushed to the endpoint, install and report its first result before the UAG enforces the status; until it expires a session is permitted even if the endpoint has not yet reported. Section 4 relies on this window and Section 5 removes it.
Make a note of the time you save your settings.
- In the Endpoint Compliance Check Provider Settings window
- next to Show Allowed Status Codes
- select the EXPAND option
- ensure that the In compliance toggle is Enabled
Note: every status code enabled here is treated as an allowed result. Leave only In compliance enabled so that an endpoint reporting any other status is denied.
- Below the Compliance settings
- below Windows - On-demand agent
- next to Local
- select the radio button
- Below the Windows - On-demand Agent Settings heading
- next to Executable File*
- click Select
- In the File Explorer Open window
- In the Quick Access Bar
- select Downloads
- In the Downloads folder
- select the OPSWAT_GEARS_Client*.*default .exe
- select Open
- Below the Windows - On-demand Agent Settings heading
- next to Name
- enter OPSWAT OnDemand Client
- next to Parameters
- enter /silent /log 1
- next to Flags
- enter RUN_AS_SYSTEM
Note: the executable selected here is stored on the UAG and delivered to every connecting Horizon Client, and RUN_AS_SYSTEM launches it with SYSTEM privileges on the endpoint. Use only the installer downloaded from your MetaAccess console, and keep the UAG admin account that can replace it restricted.
- In the Endpoint Compliance Check Provider Settings window
- at the bottom of the window
- select Save
- In the Endpoint Compliance Check Provider Settings window
- select Close
- In the Unified Access Gateway Admin Console
- at the top of the page
- under General Settings
- next to Edge Service Settings
- expand the TOGGLE
- to the right of Horizon Settings
- select the GEAR ICON
- In the Horizon Settings window
- below Enable Tunnel
- next to More
- select the EXPAND icon
- In the Horizon Settings window
- below Enable Tunnel
- next to Endpoint Compliance Check Provider
- select the dropdown
- From the dropdown
- select OPSWAT
- Below Endpoint Compliance Check Provider
- next to Compliance Check on Authentication
- enable the Toggle
- In the Horizon Settings window
- next to Disable HTML Access
- Turn the Toggle from disabled to enabled
- at the bottom of the page
- select Save
Note: OPSWAT MetaAccess only supports the Horizon Client, not the HTML Client, so HTML Access must stay disabled on every UAG that enforces the check.
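The two settings above that actually close the door (provider set to OPSWAT and HTML Access disabled) are easy to miss on one of the two appliances. The following PowerShell script is an added example for this guide, not part of the Livefire lab, of VMware's tooling or of OPSWAT's software: it reads the Horizon edge-service settings back from a UAG over its admin API and reports whether both settings are in place. The API path, the `edgeServiceSettingsList` / `identifier = VIEW` response shape and the field names `devicePolicyServiceProvider` and `disableHtmlAccess` are assumptions to confirm against the UAG REST API reference for your appliance version; the host names in the usage comment are hypothetical.

```powershell
# Added example for this lab guide; not part of the guide, of VMware's
# uagdeploy tooling or of OPSWAT's software.
# Reads the Horizon edge-service settings back from a UAG admin API and
# reports whether the two enforcement settings from this section are in
# place: provider = OPSWAT and HTML Access disabled.
#
# Assumptions (hypothetical; confirm against the UAG REST API reference for
# your appliance version before relying on them):
#   - the admin API is reachable at https://<uag>:9443/rest/v1/config/edgeservice
#   - the response carries an 'edgeServiceSettingsList' array whose Horizon
#     entry has identifier 'VIEW' and the fields 'devicePolicyServiceProvider'
#     and 'disableHtmlAccess'
#   - PowerShell 7 (for -Authentication and -SkipCertificateCheck)

function Get-UagHorizonSettings {
    param(
        [Parameter(Mandatory)] [string]       $UagHost,     # e.g. uag-hzn-01a (hypothetical name)
        [Parameter(Mandatory)] [pscredential] $Credential,  # the UAG admin account
        [switch] $SkipCertificateCheck                      # lab only: never skip in production
    )
    $params = @{
        Uri            = "https://${UagHost}:9443/rest/v1/config/edgeservice"
        Credential     = $Credential
        Authentication = 'Basic'
    }
    if ($SkipCertificateCheck) { $params.SkipCertificateCheck = $true }
    $resp = Invoke-RestMethod @params
    # Return only the Horizon (VIEW) edge service block
    $resp.edgeServiceSettingsList | Where-Object { $_.identifier -eq 'VIEW' }
}

function Test-UagOpswatEnforcement {
    param([Parameter(Mandatory, ValueFromPipeline)] $HorizonSettings)  # output of Get-UagHorizonSettings
    process {
        $providerIsOpswat   = ($HorizonSettings.devicePolicyServiceProvider -eq 'OPSWAT')
        $htmlAccessDisabled = [bool]$HorizonSettings.disableHtmlAccess
        [pscustomobject]@{
            Provider           = $HorizonSettings.devicePolicyServiceProvider
            ProviderIsOpswat   = $providerIsOpswat
            HtmlAccessDisabled = $htmlAccessDisabled
            # Both must hold: a browser (HTML Access) session carries no agent,
            # so leaving it enabled reopens the path the check is meant to close.
            Enforced           = ($providerIsOpswat -and $htmlAccessDisabled)
        }
    }
}

# Usage (lab): run once per UAG and compare the two results.
# $cred = Get-Credential -UserName admin -Message 'UAG admin password'
# foreach ($uag in 'uag-hzn-01a', 'uag-hzn-02b') {
#     Get-UagHorizonSettings -UagHost $uag -Credential $cred -SkipCertificateCheck |
#         Test-UagOpswatEnforcement | Format-Table Provider, HtmlAccessDisabled, Enforced
# }
```

Run it against both appliances after saving; a row with Enforced = False on either one means that site still admits sessions without a compliance check.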
Section 4. Testing the OPSWAT MetaAccess agent deployment
- We will use two Desktops for testing. We have already prepared W11EXT-01a for site 1 and W11EXT-02a for site 2
- We will demonstrate the On-demand Client with W11EXT-01a
- We will demonstrate the Persistent Client with W11EXT-02a
- On your ControlCenter server
- Open your Remote Desktops \ Site1 folder
- select and double-click w11EXT-01a.RDP
- In the Windows Security window
- select Use a different account
- In the Username area
- enter W11ext-01a\nancy
- In the Password area
- enter VMware1!
- select OK
- On your W11EXT-01a desktop
- open the VMware Horizon Client
- In the VMware Horizon Client
- select + Add Server
- In the Name of the Connection Server area
- enter corp.euc-livefire.com
- select Connect
- In the Edge Browser
- select Start without your data
- Next to Allow
- select the radio button
- select Confirm and continue
- select Confirm and start browsing
- In the Microsoft Sign in page
- in the username area
- enter nancy@corpXXX.euc-livefire.com
- where XXX is your assigned POD ID
- select Next
- in the password area
- enter VMware1!
- select Sign in
- In the Microsoft Stay signed in? page
- select No
- In the This site is trying to open VMware Horizon Client window
- select Open
- In the User Account Control window
- under admin
- in the password area
- enter VMware1!
- select Yes
- On your W11EXT-01a client
- in the right corner of the taskbar
- select the dropdown arrow
- observe that you do have the OPSWAT client installed
- Launch your Enterprise Desktop Global Entitlement
- Note: you are able to launch a Desktop entitlement because the 15-minute Compliance Check Initial Delay set on the UAG is still running; the agent has been delivered but its result is not yet enforced
- In your Horizon Client session
- next to Exit Fullscreen
- select the MORE button (3 dots)
- from the dropdown select Logoff Desktop
- In the Disconnect and log off desktop? window
- select OK
- On your W11Ext-01a desktop
- close all other windows
The OPSWAT MetaAccess Persistent client is not delivered through the UAG. It is installed on the endpoint directly from the MetaAccess console and reports to MetaAccess itself; the UAG then obtains the device status from MetaAccess using the Client Key and Client Secret configured earlier.
- On your ControlCenter server
- Open your Remote Desktops \ Site2 folder
- select and double-click w11EXT-02a.RDP
- In the Windows Security window
- In the Username area (if necessary)
- enter W11EXT-02a\malcolm
- In the password area
- enter VMware1!
- select OK
- On your W11EXT-02a desktop
- open a Chrome browser session
- In your Browser address bar
- enter the following URL
- https://console.metaaccess-b.opswat.com
- On the OPSWAT MetaAccess Sign in page
- under Email
- enter your registered email with OPSWAT
- select Sign In
- under Password
- enter your Password
- select Sign In
- In your OPSWAT MetaAccess webpage
- select Download OPSWAT Client for Windows
- On your W11Ext-02a desktop
- Go to your Downloads folder
- select the OPSWAT_GEARS_Client
- select Show More Options
- select Install
- In the OPSWAT Client Setup window
- next to I accept the terms in the License Agreement
- select the Checkbox
- select Install
- In the User Account Control window
- under admin
- enter VMware1!
- select Yes
- In the OPSWAT Client Setup window
- select Finish
- In the OPSWAT Client
- select Compliance
- Note that by default on this endpoint
- there is a missing patch
- there is no drive encryption
- rendering this device Non-compliant
Section 5. Observing how Compliance enforcement works for On-Demand and Persistent clients
- One thing to recall is that we set a Compliance Check Initial Delay in the Unified Access Gateway settings
- This delay period applies to every session, so while it is set a non-compliant endpoint is still admitted until the delay expires
- We will now go and disable this delay period on both Unified Access Gateways
- On your ControlCenter server
- Site 1 Browser
- from the Favourites Bar
- select the UAG-HZN-01a shortcut
- In the VMware Unified Access Gateway window
- In the Admin username area
- enter admin
- In the Admin password area
- enter VMware1!
- select Login
- In the VMware Unified Access Gateway Admin page
- under Configure Manually
- click Select
- under Advanced Settings
- next to Endpoint Compliance Check Provider Settings
- select the GEAR icon
- In the Endpoint Compliance Check Provider Settings page
- In line with OPSWAT
- select the GEAR icon
- next to Compliance Check Initial Delay
- change 15 minutes to ZERO
- At the bottom of the page
- select Save
- In the Endpoint Compliance Check Provider Settings page
- select Close
- On your ControlCenter server
- Site 2 Browser
- from the Favourites Bar
- select the UAG-HZN-02b shortcut
- In the VMware Unified Access Gateway window
- In the Admin username area
- enter admin
- In the Admin password area
- enter VMware1!
- select Login
- In the VMware Unified Access Gateway Admin page
- under Configure Manually
- click Select
- under Advanced Settings
- next to Endpoint Compliance Check Provider Settings
- select the GEAR icon
- In the Endpoint Compliance Check Provider Settings page
- In line with OPSWAT
- select the GEAR icon
- next to Compliance Check Initial Delay
- change 15 minutes to ZERO
- At the bottom of the page
- select Save
- In the Endpoint Compliance Check Provider Settings page
- select Close
- On the ControlCenter server
- Open the Remote Desktops \ Site1 folder
- Open w11EXT-01a.RDP
- On the Windows Security window
- Ensure w11ext-01a\nancy is the username
- In the password area
- enter VMware1!
- select OK
- On the W11Ext-01a desktop
- to the right of the Task bar
- select the dropdown arrow
- note there is no OPSWAT on-demand client running: the agent delivered by the UAG in Section 4 lasted only for that session and left nothing behind
If you are really curious:
- Go to Control Panel / Programs and note there is no OPSWAT installer installed
- Launch Task Manager and you will see no OPSWAT processes
- On the W11Ext-01a desktop
- launch the VMware Horizon Client shortcut
- In the VMware Horizon Client window
- select and launch the corp.euc-livefire.com entitlement
- In the Microsoft Sign in window
- enter nancy@corpXXX.euc-livefire.com
- where XXX is your assigned Domain identifier
- select Next
- In the Microsoft Enter password window
- enter VMware1!
- select Sign in
- In the Microsoft Stay signed in? window
- select Yes
- On your W11Ext-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- Notice that you are denied access: with the initial delay at zero the UAG enforces the MetaAccess status immediately, and this endpoint is Non-compliant under the current policy
- Close all windows on your W11Ext-01a client
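The checks above (Programs, Task Manager, the tray icon) can be captured in one place so that the two endpoints are compared on the same evidence. The following PowerShell script is an added example for this guide, not part of the lab or of OPSWAT's software: run in an elevated PowerShell on W11EXT-01a after the session has ended and on W11EXT-02a, it reports whether a MetaAccess agent is present, in which mode, and under which account, together with the two signals the lab policy flagged (patch level and system-drive encryption). The assumption that agent processes and Programs entries contain `OPSWAT` or `gears` is a hypothetical match pattern; check it once in Task Manager while a session is open.

```powershell
# Added example for this lab guide; not part of the guide or of OPSWAT's
# software. Run in an elevated PowerShell on W11EXT-01a (after a Horizon
# session has ended) and on W11EXT-02a to record what is really on the
# endpoint: whether a MetaAccess agent is present and in which mode, and the
# two signals the lab policy flagged (patch level, drive encryption).
#
# Assumptions: process names and Programs entries containing 'OPSWAT' or
# 'gears' belong to the agent (hypothetical match pattern; adjust after
# checking Task Manager once while a session is open); BitLocker cmdlets are
# available, as on Windows 11; -IncludeUserName needs an elevated shell.

function Get-OpswatAgentState {
    # With RUN_AS_SYSTEM set on the UAG, the on-demand agent should appear
    # here as NT AUTHORITY\SYSTEM while a Horizon session is open.
    $running = Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match 'OPSWAT|gears' } |
        ForEach-Object { "$($_.ProcessName) ($($_.UserName))" } |
        Select-Object -Unique
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'OPSWAT' } |
        Select-Object -ExpandProperty DisplayName -Unique
    # Persistent: an entry under Programs, surviving logoff (W11EXT-02a).
    # OnDemand:   a process only, for the lifetime of the Horizon session.
    # Absent:     neither, which is what Section 5 expects on W11EXT-01a
    #             before the next Horizon session starts.
    $mode = if ($installed) { 'Persistent' } elseif ($running) { 'OnDemand' } else { 'Absent' }
    [pscustomobject]@{
        Mode              = $mode
        RunningProcesses  = @($running)
        InstalledPackages = @($installed)
    }
}

function Get-LocalComplianceSignals {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $fixes = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
    $bl    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OSBuild              = "$($ver.CurrentBuild).$($ver.UBR)"
        LatestHotfix         = if ($fixes) { $fixes[0].HotFixID } else { $null }
        LatestHotfixDate     = if ($fixes) { $fixes[0].InstalledOn } else { $null }
        # ProtectionStatus 'On' is what an encryption check looks for;
        # anything else matches the 'no drive encryption' finding in Section 4.
        SystemDriveEncrypted = ($bl.ProtectionStatus -eq 'On')
    }
}

Get-OpswatAgentState
Get-LocalComplianceSignals
```

Run it before and after launching the Horizon Client on W11EXT-01a: Mode should move from Absent to OnDemand and back, while W11EXT-02a stays Persistent throughout.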
- On the ControlCenter server
- Open a new tab on your Chrome Browser
- In the address bar enter
- https://console.metaaccess-b.opswat.com/dashboard/overview
- Log into the OPSWAT MetaAccess console
- under Email
- enter your admin ID
- select Sign in
- under Password
- enter your admin ID Password
- select Sign in
- In the OPSWAT MetaAccess console address URL
- remove everything after .....opswat.com
- with your keyboard
- press ENTER
- you should now be redirected to the MetaAccess Admin console
- In the OPSWAT MetaAccess admin console
- In the Inventory pane
- select Policy Management > Policies
- In the Policies pane
- below Policy Description
- Hover your mouse over the notes
- with your Mouse > right-click and select
- In the Policies pane
- In the Deep Compliance area
- next to Anti-Malware
- turn off the toggle
- next to Encryption
- turn off the toggle
- In the Policies pane
- select the Patch Management tab
- next to Patch Management
- turn off the toggle
- In the top right-corner
- select Save
Note: these toggles are the checks that flagged the test endpoints as Non-compliant (missing patch, no drive encryption). Turning them off relaxes the policy so that enforcement can be observed from the client side; in production the endpoint would be remediated instead and the policy left intact.
- In the OPSWAT MetaAccess console
- In the Policies area
- Take a moment and scroll through the tabs to observe the broad range of compliance mechanisms that can be used
- You will now revert back to your TEST clients
- On the W11Ext-01a desktop
- Launch the VMware Horizon Client shortcut
- In the Name of the Connection Server window
- select and launch the corp.euc-livefire.com URL
- On your W11Ext-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client
- select the Enterprise_Desktop entitlement
- On your W11EXT-01a desktop
- Note that you now have a seamless user experience with your Horizon Desktop session: the endpoint that was denied a moment ago passes the relaxed policy
- In the right hand of the Taskbar
- from the dropdown arrow
- notice the OPSWAT On-demand client running
- to validate
- select About
- select OK
- Close and shut down all windows
- On your W11EXT-02a desktop
- to launch notifications
- with your mouse
- click over the date area
- Note: depending on how quick you are, you might observe a Notifications pop-up which you can select and read
- In the Notifications area
- validate that the OPSWAT client deems your desktop compliant
- On the W11Ext-02a desktop
- Launch the VMware Horizon Client shortcut
- In the Name of the Connection Server window
- select and launch the corp.euc-livefire.com URL
- On your W11Ext-02a desktop
- on the This site is trying to open VMware Horizon Client window
- select Open
- On the W11Ext-02a desktop
- select the Enterprise_Desktop entitlement
- On your W11EXT-02a desktop
- Note that you have a seamless user experience with your Horizon Desktop session