EUC Usability & Security in the Enterprise 2023 / 24 - Day 3

3. Securing Horizon unmanaged endpoints with OPSWAT MetaAccess (UPDATED)

Workspace ONE has a broad range of solutions to secure and manage endpoints and render them compliant before they connect from an external source.

An endpoint can be enrolled, and the Risk scoring feature can then be used for compliance checking. There are constraints, however: Risk scoring needs a minimum of 100 enrolled devices and 30 days of enrollment data before its algorithmic analysis starts.

The BYOD use case is also relevant here, as those endpoints are typically unmanaged.

For a developer or a small business, the device count alone is likely to be the single constraint that rules this approach out when securing the endpoint.

For this reason VMware has partnered with OPSWAT, whose MetaAccess integration is used to secure this endpoint.

Requirements for this lab

It is highly recommended to register a test email account with either Gmail.com or Outlook.com.

Section 1. Preparing your lab environment for OPSWAT MetaAccess testing

In our testing we learned that every device registered in OPSWAT MetaAccess must have a unique BIOS UUID and MAC hardware address: MetaAccess uses these values to identify the endpoint, so cloned virtual desktops that share them are treated as the same device.
For this lab to work in the Livefire environment, we will first edit the existing test virtual desktops so that each one has a unique identity.

It is critical that you follow the guidance exactly as outlined. Failure to follow the lab guide might result in a corrupted virtual machine, which would require a complete re-deployment of your test machine in vSphere.

Step 1. Resetting the Hardware address on W11EXT-01a on site 1
  1. On your ControlCenter server
    • Launch your site 1 Chrome Browser profile
      • On the browser Favourites bar
        • select the vCenter-01a shortcut
  1. In the VMware vSphere login
    • In the username area
    • In the password area
      • enter VMware1!
    • select LOGIN
  1. In the vCenter Hosts & Clusters inventory
    • select & right click W11EXT-01a
      • in the menu
        • select Power > Shut Down Guest OS
  1. In the Confirm Guest Shut Down window
    • select YES
  1. In the vCenter Inventory
    • select & right-click W11EXT-01a
      • in the menu
        • select Edit Settings...
  1. In the Edit Settings window
    • in line with Network adapter 1
      • to the right,
        • select the More options icon
        • select Remove device
    • in the bottom right corner
      • select OK
  1. In the vCenter Inventory
    • select & right-click W11EXT-01a
      • in the menu
        • select Edit Settings...
  1. In the Edit Settings window
    • in the top right corner
      • select ADD NEW DEVICE
    • from the dropdown
      • at the bottom
        • select Network Adapter
  1. In the Edit Settings window
    • to the left of New Network*
      • expand the configuration
    • to the right of New Network*
      • select the dropdown
        • select Browse...
  1. In the Select Network window
    • next to CorpExternalO1
      • select the radio button
    • select OK
  1. In the Edit Settings window
    • review your configurations
      • to close
        • select OK

Leave this virtual machine powered off. Removing and re-adding the network adapter makes vSphere generate a new MAC address for the VM, which is the first half of the unique identity MetaAccess requires.

Step 2. Resetting the Hardware address on W11EXT-02a on site 2
  1. On your ControlCenter server
    • Launch your site 2 Chrome Browser profile
      • On the browser Favourites bar
        • select the vCenter-02a shortcut
  1. In the VMware vSphere login
    • In the username area
    • In the password area
      • enter VMware1!
    • select LOGIN
  1. In the vCenter Hosts & Clusters inventory
    • select & right click W11EXT-02a
      • in the menu
        • select Power > Shut Down Guest OS
  1. In the Confirm Guest Shut Down window
    • select YES
  1. In the vCenter Inventory
    • select & right-click W11EXT-02a
      • in the menu
        • select Edit Settings...
  1. In the Edit Settings window
    • in line with Network adapter 1
      • to the right,
        • select the More options icon
        • select Remove device
    • in the bottom right corner
      • select OK
  1. In the vCenter Inventory
    • select & right-click W11EXT-02a
      • in the menu
        • select Edit Settings...
  1. In the Edit Settings window
    • in the top right corner
      • select ADD NEW DEVICE
    • from the dropdown
      • at the bottom
        • select Network Adapter
  1. In the Edit Settings window
    • to the left of New Network*
      • expand the configuration
    • to the right of New Network*
      • select the dropdown
        • select Browse...
  1. In the Select Network window
    • next to CorpExternalO2
      • select the radio button
    • select OK
  1. In the Edit Settings window
    • review your configurations
      • to close
        • select OK

Leave this virtual machine powered off. As on site 1, the re-added network adapter receives a newly generated MAC address from vSphere.

Step 3. Editing the BIOS UUID for W11EXT-01a on site 1
  1. In the ControlCenter server Desktop
    • launch the WinSCP shortcut
  1. In the WinSCP window
    • If necessary
      • select New Site
    • In the Session area
      • below Hostname
        • enter esxi-01a.euc-livefire.com
      • below User name:
        • enter root
      • below Password:
        • enter VMware1!
    • select Login
  1. In WinSCP
    • in the Warning window about the unknown host key
      • select Yes to accept the ESXi host's SSH host key (the SSH service must be running on the host for this connection to succeed)
  1. In WinSCP
    • in the right pane
      • select vmfs > volumes
        • select the CorpLun01a shortcut
      • In the volumes area
        • open W11EXT-01a

The next steps need to be followed precisely as depicted in this guide. Failure to follow this guide might result in a corrupt virtual machine and a re-installation will be required

  1. In WinSCP
    • /vmfs/volumes/61fced03-34c20fe5-cffb-00505603cc7b/W11EXT-01a
      • select and rightclick
        • W11EXT-01a.vmx
      • in the dropdown menu
        • select Edit
  1. In the Editor for WinSCP
    • scroll down until you find the uuid.bios entry
  1. In the Editor for WinSCP
    • on the uuid.bios line
      • edit the 3rd- and 4th-last hexadecimal entries in the address
        • using your class identifier (XXX), so that the UUID is unique to your class
  1. In the Editor for WinSCP
    • on the uuid.bios line
      • review your entry
    • in the top left corner
      • select the SAVE icon
    • to close Editor for WinSCP
      • select X in the top right corner
    • to close WinSCP
      • select X in the top right corner
      • when prompted to Confirm
        • select OK
  1. On your ControlCenter
    • revert to your Site 1 Chrome browser Profile
    • In the vSphere client
      • Hosts & Clusters Inventory
        • select & right-click W11EXT-01a
          • select Power > Power On
Step 4. Editing the BIOS UUID for W11EXT-02a on site 2
  1. In the ControlCenter server Desktop
    • launch the WinSCP shortcut
  1. In the WinSCP window
    • If necessary
      • select New Site
    • In the Session area
      • below Hostname
        • enter esxi-02a.euc-livefire.com
      • below User name:
        • enter root
      • below Password:
        • enter VMware1!
    • select Login
  1. In WinSCP
    • in the Warning window about the unknown host key
      • select Yes to accept the ESXi host's SSH host key (the SSH service must be running on the host for this connection to succeed)
  1. In WinSCP
    • in the right pane
      • select vmfs > volumes
        • select the CorpLun02a shortcut
      • In the volumes area
        • open W11EXT-02a

The next steps need to be followed precisely as depicted in this guide. Failure to follow this guide might result in a corrupt virtual machine and a re-installation will be required

  1. In WinSCP
    • /vmfs/volumes/61fcee55-cd076f0a-263b-005056011718/W11EXT-02a
      • select and rightclick
        • W11EXT-02a.vmx
      • in the dropdown menu
        • select Edit
  1. In the Editor for WinSCP
    • scroll down until you find the uuid.bios entry
  1. In the Editor for WinSCP
    • on the uuid.bios line
      • edit the 3rd- and 4th-last hexadecimal entries in the address
        • using your class identifier (XXX), so that the UUID is unique to your class
  1. In the Editor for WinSCP
    • on the uuid.bios line
      • review your entry
    • in the top left corner
      • select the SAVE icon
    • to close Editor for WinSCP
      • select X in the top right corner
    • to close WinSCP
      • select X in the top right corner
      • when prompted to Confirm
        • select OK
  1. On your ControlCenter
    • revert to your Site 2 Chrome browser Profile
    • In the vSphere client
      • Hosts & Clusters Inventory
        • select & right-click W11EXT-02a
          • select Power > Power On
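The following POSIX shell helpers are an added example written for this page, not part of the Livefire lab kit. They perform the uuid.bios rewrite of Steps 3 and 4 programmatically and add the check that Section 1 implies but does not spell out: confirm that no two .vmx files share a BIOS UUID or NIC MAC before the desktops are registered with MetaAccess. They run in the ESXi shell (busybox sh) or any POSIX sh with sed, cut and awk. Assumptions made for this example: the class identifier is a number from 0 to 65535 written big-endian into the 3rd- and 4th-last bytes of uuid.bios (class 7 becomes 00 07; adjust the encoding to your class's convention), the paths and UUID values in the demo are constructed, and the VM is powered off before its .vmx is rewritten, as the lab requires. The MAC change itself is still done in vSphere as in Steps 1 and 2; the helper only reads the generatedAddress that vSphere recorded.

```shell
#!/bin/sh
# Added example for this page (not part of the Livefire lab kit): shell helpers
# that do the uuid.bios edit of Steps 3 and 4 and check for identity collisions
# before the desktops are registered with OPSWAT MetaAccess.
# Runs in the ESXi shell (busybox sh) or any POSIX sh with sed, cut and awk.
#
# Assumptions (not from the lab guide):
#   - the class identifier is an integer 0..65535, written big-endian into the
#     3rd- and 4th-last bytes of uuid.bios (class 7 -> "00 07");
#   - the VM is powered off before its .vmx is rewritten.

# Print the raw uuid.bios value of a .vmx, e.g. "56 4d ... 66-77 ... ee".
get_bios_uuid() {
    sed -n 's/^uuid\.bios *= *"\(.*\)" *$/\1/p' "$1"
}

# Print the MAC vSphere generated for the first NIC, if the .vmx records one.
get_nic0_mac() {
    sed -n 's/^ethernet0\.generatedAddress *= *"\(.*\)" *$/\1/p' "$1"
}

# Turn 32 hex digits into vSphere's "xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx" layout.
format_vmx_uuid() {
    printf '%s' "$1" | sed 's/../& /g; s/ $//; s/^\(.\{23\}\) /\1-/'
}

# usage: set_bios_uuid_tag <file.vmx> <class_id>
# Keeps a .bak copy and rewrites only the uuid.bios line.
set_bios_uuid_tag() {
    vmx="$1"; class_id="$2"
    [ -f "$vmx" ] || { echo "no such file: $vmx" >&2; return 1; }
    case "$class_id" in ''|*[!0-9]*) echo "class id must be numeric" >&2; return 1;; esac
    [ "$class_id" -le 65535 ] || { echo "class id out of range: $class_id" >&2; return 1; }

    cur=$(get_bios_uuid "$vmx")
    bytes=$(printf '%s' "$cur" | sed 's/[ -]//g')
    [ ${#bytes} -eq 32 ] || { echo "unexpected uuid.bios in $vmx: '$cur'" >&2; return 1; }

    hi=$(printf '%02x' $((class_id / 256)))
    lo=$(printf '%02x' $((class_id % 256)))
    # bytes 1-12 unchanged, bytes 13-14 become the class tag, bytes 15-16 unchanged
    new="$(printf '%s' "$bytes" | cut -c1-24)$hi$lo$(printf '%s' "$bytes" | cut -c29-32)"
    formatted=$(format_vmx_uuid "$new")

    cp "$vmx" "$vmx.bak" || return 1
    sed "s|^uuid\.bios *=.*|uuid.bios = \"$formatted\"|" "$vmx" > "$vmx.tmp" \
        && mv "$vmx.tmp" "$vmx"
}

# usage: find_duplicate_identities a.vmx b.vmx ...
# MetaAccess keys each device on its BIOS UUID and MAC, so any value shared by
# two .vmx files is reported; returns 1 when a duplicate exists, 0 otherwise.
find_duplicate_identities() {
    for f in "$@"; do
        printf 'uuid %s %s\n' "$(get_bios_uuid "$f" | sed 's/[ -]//g')" "$f"
        mac=$(get_nic0_mac "$f")
        [ -n "$mac" ] && printf 'mac %s %s\n' "$mac" "$f"
    done | awk '
        { key = $1 " " $2; n[key]++; files[key] = files[key] " " $3 }
        END {
            for (k in n) if (n[k] > 1) { print "duplicate " k ":" files[k]; bad = 1 }
            exit bad
        }'
}

# Stand-alone demo on a constructed .vmx (values are made up for illustration);
# prints the rewritten uuid.bios for class 7.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'displayName = "W11EXT-01a"' \
        'uuid.bios = "56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"' \
        'ethernet0.generatedAddress = "00:50:56:ab:cd:01"' > "$d/W11EXT-01a.vmx"
    set_bios_uuid_tag "$d/W11EXT-01a.vmx" 7 && get_bios_uuid "$d/W11EXT-01a.vmx"
}
```

On a real host the file lives under /vmfs/volumes/<datastore>/W11EXT-01a/W11EXT-01a.vmx; after rewriting it, reload the VM's configuration with `vim-cmd vmsvc/reload <vmid>` (the vmid comes from `vim-cmd vmsvc/getallvms`) before powering on, so the host picks up the new uuid.bios, and run find_duplicate_identities across both sites' .vmx files as a final check.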
Step 5. Configuring W11EXT-01a on site 1
  1. On your ControlCenter server
    • switch to your Site 1 Chrome browser profile
      • select W11EXT-01a
    • In the W11EXT-01a properties
      • select the Summary tab
        • In the Summary area
          • select LAUNCH WEB CONSOLE
  1. In the W11EXT-01a Web Console
    • In the top right corner
      • select Send Ctrl+Alt+Delete
      • login as admin
        • in the password area
          • enter VMware1!
  1. In the W11EXT-01a desktop
    • on the Taskbar
      • select and right-click the START button
        • In the Menu
          • select Run
  1. In the W11EXT-01a desktop
    • In the Run window
      • next to Open:
        • enter ncpa.cpl
          • select OK
  1. In the Network Connections window
    • select and right click Ethernet0
      • from the dropdown
        • select Properties
  1. In the Ethernet0 Properties
    • select Internet Protocol Version 4 (TCP/IPv4)
      • towards the bottom right
        • select Properties
  1. In the Internet Protocol Version 4 (TCP/IPv4) Properties
    • next to Use the following IP address
      • select the radio button
    • next to IP address:
      • enter 172.16.30.XX
        • where XX is your Class ID
    • next to Subnet mask:
      • enter 255.255.255.0
    • next to Default gateway:
      • enter 172.16.30.1
    • next to Use the following DNS server address
      • select the radio button
    • next to Preferred DNS server:
      • enter 192.168.110.10
    • In the bottom right corner
      • select OK
  1. On your ControlCenter server
    • Open your Remote Desktops folder
      • Go to Remote Desktops > Site 1
        • select & right-click W11Ext-01a.RDP
          • select Edit
  1. In the Remote Desktop Connection window
    • on the General tab
      • next to Computer
        • change the last octet of the IP address to your Class ID (XX), matching the address you just set on W11EXT-01a
      • select Save
Step 6. Configuring W11EXT-02a on site 2
  1. On your ControlCenter server
    • switch to your Site 2 Chrome browser profile
      • select W11EXT-02a
    • In the W11EXT-02a properties
      • select the Summary tab
        • In the Summary area
          • select LAUNCH WEB CONSOLE
  1. In the W11EXT-02a Web Console
    • In the top right corner
      • select Send Ctrl+Alt+Delete
      • login as admin
        • in the password area
          • enter VMware1!
  1. In the W11EXT-02a desktop
    • on the Taskbar
      • select and right-click the START button
        • In the Menu
          • select Run
  1. In the W11EXT-02a desktop
    • In the Run window
      • next to Open:
        • enter ncpa.cpl
          • select OK
  1. In the Network Connections window
    • select and right click Ethernet0
      • from the dropdown
        • select Properties
  1. In the Ethernet0 Properties
    • select Internet Protocol Version 4 (TCP/IPv4)
      • towards the bottom right
        • select Properties
  1. In the Internet Protocol Version 4 (TCP/IPv4) Properties
    • next to Use the following IP address
      • select the radio button
    • next to IP address:
      • enter 172.16.40.XX
        • where XX is your Class ID
    • next to Subnet mask:
      • enter 255.255.255.0
    • next to Default gateway:
      • enter 172.16.40.1
    • next to Use the following DNS server address
      • select the radio button
    • next to Preferred DNS server:
      • enter 192.168.110.10
    • In the bottom right corner
      • select OK
  1. On your ControlCenter server
    • Open your Remote Desktops folder
      • Go to Remote Desktops > Site 2
        • select & right-click W11Ext-02a.RDP
          • select Edit
  1. In the Remote Desktop Connection window
    • on the General tab
      • next to Computer
        • change the last octet of the IP address to your Class ID (XX), matching the address you just set on W11EXT-02a
      • select Save

Section 2. Getting started with OPSWAT MetaAccess

Requirements for this section. Ensure you have an email address you are able to open in the lab environment. We highly recommend creating a bespoke email address for this lab

  • This Section has two Parts
    1. We will register an Account with OPSWAT
    2. On the Unified Access Gateway servers, we will upload and configure the On Demand OPSWAT MetaAccess agent for Horizon Client deployment
Part 1. Registering your Account with OPSWAT
  1. On your ControlCenter server
    • open a new tab on your Chrome browser
      • In the address bar, enter the following URL
        • https://gears.opswat.com/o
      • In the OPSWAT MetaAccess page
        • select Register
  1. In the Create your OPSWAT Account page
    • Enter the following required information
      • First Name
      • Last Name
      • Email
      • Password & Confirm Password
      • Company Name
        • VMware Livefire Training
      • Next to
        • I agree to the OPSWAT Inc. Terms of Service and Privacy Policy, unless my organization has a separate written agreement with OPSWAT Inc., in which case those separate terms shall apply.*
          • select the Checkbox
        • Yes, I would like to receive email communications from OPSWAT.
          • select the Checkbox

  1. In the Create your OPSWAT Account page
    • at the bottom of the page
      • next to
        • I'm not a robot
      • select the checkbox
      • Follow the requirements on the window
        • select VERIFY
          • select Sign Up
  1. In the OPSWAT MetaAccess page
    • Note that you now need to check your email to confirm your Account
    • from your ControlCenter
      • Log in to your email
  1. On your ControlCenter server
    • In your email account
      • Note you have an email from OPSWAT Support
        • if it is not in your inbox, check your SPAM folder
    • open the email
  1. In the OPSWAT MetaAccess Account Registration email
    • select Activate MetaAccess
  1. In the OPSWAT MetaAccess page
    • Change the URL from
      • https://console.metaaccess-b.opswat.com/onlanding/install/windows
    • to
      • https://console.metaaccess-b.opswat.com/
  1. In the OPSWAT MetaAccess page
    • You are now in the Admin Console for OPSWAT MetaAccess
    • In the following Parts we will perform the following
      1. Register the VMware Unified Access Gateway with OPSWAT MetaAccess
      2. Register two endpoints with OPSWAT MetaAccess
      3. Test OPSWAT functionality
    • But first we need to download the OPSWAT On demand agent
Part 2: Downloading the Windows based OPSWAT on-demand client
  1. In the OPSWAT MetaAccess Admin Console
    • In left Inventory pane
      • expand Inventory
        • select Devices
  1. In the Devices area
    • in the middle of the admin pane,
      • select +Device
  1. In the Add Devices window
    • select Download OPSWAT Client For Distribution
  1. In the Windows tab for clients
    • under the Limited OPSWAT On-Demand Client area
      • select Limited Client

Note: the primary difference between the Limited OPSWAT On-Demand Client and the full OPSWAT On-Demand Client is that the full client requires the end user to have local Administrator permission for the installer to download and run; the Limited client is intended for users without that permission.

  1. On your Controlcenter server
    • from the Taskbar,
      • select the Folder Icon
      • under Quick access
        • select Downloads
          • notice you now have an OPSWAT_GEARS_Client.... executable

Section 3. Getting Started with OPSWAT MetaAccess in a VMware Horizon Environment

Our lab environment is a multi-site setup.

  • We will configure the Unified Access Gateway servers to all communicate with OPSWAT MetaAccess
Step 1: Register the Unified Access Gateway servers with OPSWAT
  1. On your ControlCenter server
    • open a new tab on your Chrome browser
    • In the address bar, enter the following URL
      • https://gears.opswat.com/o
      • with your keyboard
        • press ENTER
  1. In the OPSWAT MetaAccess OAuth Applications console
    • select Register New Application
  1. In the OPSWAT MetaAccess OAuth Applications console
    • under *Application Name
      • enter VMware Unified Access Gateway
    • under *Description
      • optionally enter This is a multi-site solution
    • scroll down to the bottom of the window
  1. In the OPSWAT MetaAccess OAuth Applications console
    • under  Upload a new icon
      • select Input file
        • In File Explorer window
          • browse to
            • \\horizon-01a.euc-livefire.com\software\icons
        • select uag.png
        • select Open
  1. In the OPSWAT MetaAccess OAuth Applications console
    • under *Website URL
      • enter
        • https://corp.euc-livefire.com
          • Note! this is a required parameter, but the UAG server integration does not use this setting.
    • under *Callback URL
      • enter http://127.0.0.1/opswat
    • At the top of the page
      • select Create
  1. In the OPSWAT MetaAccess OAuth Applications console
    • under  OAuth Settings
      • select Reveal Keys
  1. In the OPSWAT MetaAccess OAuth Applications console
    • under OAuth Settings
      • copy both the Client key and the Client secret
      • save them to Notepad++ for the next steps

Note: the Client key and Client secret are the OAuth credentials the Unified Access Gateway servers use to query MetaAccess. Treat the secret like a password: it is kept in Notepad++ here only because this is a lab, and it should not be left in a scratch file in production.
Step 2: UAG-HZN-01a / OPSWAT integration on Site 1
  1. On your ControlCenter server
    • On your Site 1 browser
      • from the Favourites bar
        • open a new tab
      • select the UAG-HZN-01a shortcut
  1. In Unified Access Gateway
    • In the Username area
      • enter admin
    • In the Password area
      • enter VMware1!
    • select Login
  1. Under Configure Manually
    • click Select
  1. In the Unified Access Gateway console
    • scroll down to the Advanced Settings area
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings window
    • select Add
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Endpoint Compliance Check Provider
      • from the dropdown
        • select OPSWAT
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Client Key*
      • from Notepad++
        • paste your Client Key
    • next to Client Secret*
      • from Notepad++
        • paste your Client Secret
    • next to Connectivity Check Interval
      • enter 5
    • scroll down
    • scroll down
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Compliance Check Interval Timeunit
      • from the dropdown,
        • validate that minutes is selected (default)
    • next to Compliance Check Initial Delay
      • enter 15
    • next to Compliance Check Fast Interval
      • enter 5
    • next to Compliance Check Interval
      • enter 5

Note: the Compliance Check Initial Delay of 15 (minutes) delays the first periodic compliance check after the session is established, which gives the on-demand agent time to deploy and run on the endpoint.

Make a note of the time you save your settings.

  1. In the Endpoint Compliance Check Provider Settings window
    • next to Show Allowed Status Codes
      • select the EXPAND option
        • ensure that the In compliance toggle is Enabled
  1. Below the Compliance settings
    • expand Show Allowed Status Codes
      • below Windows - On-demand agent
        • next to Local
          • select the radio button
  1. Below the Windows - On-demand Agent Settings heading
    • next to Executable File*
      • click Select
  1. In the File Explorer Open window
    • In the Quick Access bar
      • select Downloads
        • In the Downloads folder
          • select the OPSWAT_GEARS_Client*.*default.exe file you downloaded in Section 2
            • select Open
  1. Below the Windows - On-demand Agent Settings heading
    • next to Name
      • enter OPSWAT OnDemand Client
    • next to Parameters
      • enter /silent /log 1
    • next to Flags
      • enter RUN_AS_SYSTEM
  1. In the Endpoint Compliance Check Provider Settings window
    • at the bottom of the window
      • select Save
      • In the Endpoint Compliance Check Provider Settings
        • select Close
  1. In the Unified Access Gateway Admin Console
    • at the top of the page
      • under General Settings
        • next to Edge Service Settings
          • expand the TOGGLE
  1. In the Unified Access Gateway Admin Console
    • to the right of Horizon Settings
      • select the GEAR ICON
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to More
        • select the EXPAND icon
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to Endpoint Compliance Check Provider
        • select the dropdown
      • From the dropdown
        • select OPSWAT
  1. Below Endpoint Compliance Check Provider
    • next to Compliance Check on Authentication
      • enable the Toggle
  1. In the Horizon Settings window
    • next to Disable HTML Access
      • turn the Toggle from disabled to enabled
    • at the bottom of the page
      • select Save

Note: the OPSWAT MetaAccess compliance check is enforced only for connections from the native Horizon Client; the HTML Access (browser) client is not supported. Disabling HTML Access on the UAG therefore closes the path by which a non-compliant endpoint could still reach Horizon through a browser.

Step 3: UAG-HZN-01b / OPSWAT integration on Site 1
  1. On your ControlCenter server
    • On your Site 1 browser
      • open a new tab
    • select the UAG-HZN-01b shortcut
  1. In Unified Access Gateway
    • In the Username area
      • enter admin
    • In the Password area
      • enter VMware1!
    • select Login
  1. Under Configure Manually
    • click Select
  1. In the Unified Access Gateway Appliance v22.12 console
    • scroll down to the Advanced Settings area
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings window
    • select Add
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Endpoint Compliance Check Provider
      • from the dropdown
        • select OPSWAT
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Client Key*
      • from Notepad++
        • paste your Client Key
    • next to Client Secret*
      • from Notepad++
        • paste your Client Secret
    • next to Connectivity Check Interval
      • enter 5
    • scroll down
    • scroll down
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Compliance Check Interval Timeunit
      • from the dropdown,
        • validate that minutes is selected (default)
    • next to Compliance Check Initial Delay
      • enter 15
    • next to Compliance Check Fast Interval
      • enter 5
    • next to Compliance Check Interval
      • enter 5

Note: the Compliance Check Initial Delay of 15 (minutes) delays the first periodic compliance check after the session is established, which gives the on-demand agent time to deploy and run on the endpoint.

Make a note of the time you save your settings.

  1. In the Endpoint Compliance Check Provider Settings window
    • next to Show Allowed Status Codes
      • select the EXPAND option
        • ensure that the In compliance toggle is Enabled
  1. Below the Compliance settings
    • expand Show Allowed Status Codes
      • below Windows - On-demand agent
        • next to Local
          • select the radio button
  1. Below the Windows - On-demand Agent Settings heading
    • next to Executable File*
      • click Select
  1. In the File Explorer Open window
    • In the Quick Access bar
      • select Downloads
        • In the Downloads folder
          • select the OPSWAT_GEARS_Client*.*default.exe file you downloaded in Section 2
            • select Open
  1. Below the Windows - On-demand Agent Settings heading
    • next to Name
      • enter OPSWAT OnDemand Client
    • next to Parameters
      • enter /silent /log 1
    • next to Flags
      • enter RUN_AS_SYSTEM
  1. In the Endpoint Compliance Check Provider Settings window
    • at the bottom of the window
      • select Save
      • In the Endpoint Compliance Check Provider Settings
        • select Close
  1. In the Unified Access Gateway Admin Console
    • at the top of the page
      • under General Settings
        • next to Edge Service Settings
          • expand the TOGGLE
  1. In the Unified Access Gateway Admin Console
    • to the right of Horizon Settings
      • select the GEAR ICON
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to More
        • select the EXPAND icon
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to Endpoint Compliance Check Provider
        • select the dropdown
      • From the dropdown
        • select OPSWAT
  1. Below Endpoint Compliance Check Provider
    • next to Compliance Check on Authentication
      • enable the Toggle
  1. In the Horizon Settings window
    • next to Disable HTML Access
      • turn the Toggle from disabled to enabled
    • at the bottom of the page
      • select Save

Note: the OPSWAT MetaAccess compliance check is enforced only for connections from the native Horizon Client; the HTML Access (browser) client is not supported. Disabling HTML Access on the UAG therefore closes the path by which a non-compliant endpoint could still reach Horizon through a browser.

Step 4: UAG-HZN-02a / OPSWAT integration on Site 2
  1. On your ControlCenter server
    • Open your Site 2 browser
    • select the UAG-HZN-02a shortcut
  1. In Unified Access Gateway
    • In the Username area
      • enter admin
    • In the Password area
      • enter VMware1!
    • select Login
  1. Under Configure Manually
    • click Select
  1. In the Unified Access Gateway Appliance v22.12 console
    • scroll down to the Advanced Settings area
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings window
    • select Add
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Endpoint Compliance Check Provider
      • from the dropdown
        • select OPSWAT
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Client Key*
      • from Notepad++
        • paste your Client Key
    • next to Client Secret*
      • from Notepad++
        • paste your Client Secret
    • next to Connectivity Check Interval
      • enter 5
    • scroll down
    • scroll down
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Compliance Check Interval Timeunit
      • from the dropdown,
        • validate that minutes is selected (default)
    • next to Compliance Check Initial Delay
      • enter 15
    • next to Compliance Check Fast Interval
      • enter 5
    • next to Compliance Check Interval
      • enter 5

Note: the Compliance Check Initial Delay of 15 (minutes) delays the first periodic compliance check after the session is established, which gives the on-demand agent time to deploy and run on the endpoint.

Make a note of the time you save your settings.

  1. In the Endpoint Compliance Check Provider Settings window
    • next to Show Allowed Status Codes
      • select the EXPAND option
        • ensure that the In compliance toggle is Enabled
  1. Below the Compliance settings
    • expand Show Allowed Status Codes
      • below Windows - On-demand agent
        • next to Local
          • select the radio button
  1. Below the Windows - On-demand Agent Settings heading
    • next to Executable File*
      • click Select
  1. In the File Explorer Open window
    • In the Quick Access bar
      • select Downloads
        • In the Downloads folder
          • select the OPSWAT_GEARS_Client*.*default.exe file you downloaded in Section 2
            • select Open
  1. Below the Windows - On-demand Agent Settings heading
    • next to Name
      • enter OPSWAT OnDemand Client
    • next to Parameters
      • enter /silent /log 1
    • next to Flags
      • enter RUN_AS_SYSTEM
  1. In the Endpoint Compliance Check Provider Settings window
    • at the bottom of the window
      • select Save
      • In the Endpoint Compliance Check Provider Settings
        • select Close
  1. In the Unified Access Gateway Admin Console
    • at the top of the page
      • under General Settings
        • next to Edge Service Settings
          • expand the TOGGLE
  1. In the Unified Access Gateway Admin Console
    • to the right of Horizon Settings
      • select the GEAR ICON
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to More
        • select the EXPAND icon
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to Endpoint Compliance Check Provider
        • select the dropdown
      • From the dropdown
        • select OPSWAT
  1. Below Endpoint Compliance Check Provider
    • next to Compliance Check on Authentication
      • enable the Toggle
  1. In the Horizon Settings window
    • next to Disable HTML Access
      • turn the Toggle from disabled to enabled
    • at the bottom of the page
      • select Save

Note: the OPSWAT MetaAccess compliance check is enforced only for connections from the native Horizon Client; the HTML Access (browser) client is not supported. Disabling HTML Access on the UAG therefore closes the path by which a non-compliant endpoint could still reach Horizon through a browser.

Step 5: UAG-HZN-02b / OPSWAT integration on Site 2
  1. On your ControlCenter server
    • On  your Site 2 browser
      • open a new Tab
    • select the UAG-HZN-02b shortcut
  1. In Unified Access Gateway
    • In the Username area
      • enter admin
    • In the Password area
      • enter VMware1!
    • select Login
  1. Under Configure Manually
    • click Select
  1. In the Unified Access Gateway Appliance v22.12 console
    • scroll down to the Advanced Settings area
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings window
    • select Add
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Endpoint Compliance Check Provider
      • from the dropdown
        • select OPSWAT
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Client Key*
      • from Notepad++
        • paste your Client Key
    • next to Client Secret*
      • from Notepad++
        • paste your Client Secret
    • next to Connectivity Check Interval
      • enter 5
    • scroll down
    • scroll down
  1. In the Endpoint Compliance Check Provider Settings window
    • next to Compliance Check Interval Timeunit
      • from the dropdown,
        • validate that minutes is selected (default)
    • next to Compliance Check Initial Delay
      • enter 15
    • next to Compliance Check Fast Interval
      • enter 5
    • next to Compliance Check Interval
      • enter 5

Note: the Compliance Check Initial Delay of 15 (minutes) delays the first periodic compliance check after the session is established, which gives the on-demand agent time to deploy and run on the endpoint.

Make a note of the time you save your settings.

  1. In the Endpoint Compliance Check Provider Settings window
    • next to Show Allowed Status Codes
      • select the EXPAND option
        • ensure that the In compliance toggle is Enabled
  1. Below the Compliance settings
    • expand Show Allowed Status Codes
      • below Windows - On-demand agent
        • next to Local
          • select the radio button
  1. Below the Windows - On-demand Agent Settings heading
    • next to Executable File*
      • click Select
  1. In the File Explorer Open window
    • In the Quick Access bar
      • select Downloads
        • In the Downloads folder
          • select the OPSWAT_GEARS_Client*.*default.exe file you downloaded in Section 2
            • select Open
  1. Below the Windows - On-demand Agent Settings heading
    • next to Name
      • enter OPSWAT OnDemand Client
    • next to Parameters
      • enter /silent /log 1
    • next to Flags
      • enter RUN_AS_SYSTEM
  1. In the Endpoint Compliance Check Provider Settings window
    • at the bottom of the window
      • select Save
      • In the Endpoint Compliance Check Provider Settings
        • select Close
  1. In the Unified Access Gateway Admin Console
    • at the top of the page
      • under General Settings
        • next to Edge Service Settings
          • expand the TOGGLE
  1. In the Unified Access Gateway Admin Console
    • to the right of Horizon Settings
      • select the GEAR ICON
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to More
        • select the EXPAND icon
  1. In the Horizon Settings window
    • below Enable Tunnel
      • next to Endpoint Compliance Check Provider
        • select the dropdown
      • From the dropdown
        • select OPSWAT
  1. Below Endpoint Compliance Check Provider
    • next to Compliance Check on Authentication
      • enable the Toggle
  1. In the Horizon Settings window
    • next to Disable HTML Access
      • Turn the Toggle from disabled to enabled
    • at the bottom to the page
      • select Save

Note OPSWAT MetaAccess only supports the Horizon Client, not the HTML Client, which is why HTML Access is disabled here

Section 4. Testing the OPSWAT MetaAccess agent deployment

  • We will use two Desktops for testing. We have already prepared W11EXT-01a for site 1 and W11EXT-02a for site 2
  • We will demonstrate the On-demand Client with W11EXT-01a
  • We will demonstrate the Persistent Client with W11EXT-02a
Step 1: Deploying the OPSWAT MetaAccess On-Demand agent on Site 1
  1. On your ControlCenter server
    • Open your Remote Desktops \ Site1 folder
    • select and double-click w11EXT-01a.RDP
  1. In the Windows Security window
    • select Use a different account
      • In the Username area
        • enter W11ext-01a\nancy
      • In the Password area,
        • enter VMware1!
      • select OK
  1. On your W11EXT-01a desktop
    • open the VMware Horizon Client
  1. In the VMware Horizon Client
    • select + Add Server
  1. In the VMware Horizon Client
    • Name of the Connection Server
      • enter corp.euc-livefire.com
      • select Connect
  1. In the Edge Browser
    • select Start without your data
    • Next to Allow
      • select the radio button
      • select Confirm and continue
      • select Confirm and start browsing
  1. In the Microsoft Sign in page
    • in the username area
      • enter nancy@corpXXX.euc-livefire.com
        • where XXX is your assigned POD ID
      • select Next
  1. In the Microsoft Sign in page
    • in the password area
      • enter VMware1!
      • select Sign in
  1. In the Microsoft Stay signed in? page
    • select No
  1. In the This site is trying to open VMware Horizon Client
    • select Open
  1. In the User Account Control window
    • under admin
      • in the password area
        • enter VMware1!
    • select Yes
  1. On your W11EXT-01a client
    • in the right corner of the taskbar
      • select the dropdown arrow
        • observe that you do have the OPSWAT client installed
  1. On your W11EXT-01a client
    • Launch your Enterprise Desktop Global Entitlement
      • Note we are able to launch a Desktop entitlement while the initial 15 minute delay is still in effect
  1. In your Horizon Client session
    • next to Exit Fullscreen
      • select the MORE button (3 dots)
        • from the dropdown select Logoff Desktop
        • In the Disconnect and log off desktop? window
          • select OK
      • On your W11Ext-01a desktop
        • close all other windows
Step 2: Deploying the OPSWAT MetaAccess Persistent agent on Site 2

The OPSWAT MetaAccess Persistent client does not integrate through the UAG; it is installed directly on the endpoint and reports to the MetaAccess console

  1. On your ControlCenter server
    • Open your Remote Desktops \ Site2 folder
    • select and double-click w11EXT-02a.RDP
  1. In the Windows Security window
    • In the Username area (if necessary)
      • enter W11EXT-02a\malcolm
    • In the password area,
      • enter VMware1!
    • select OK
  1. On your W11EXT-02a desktop
    • open a Chrome browser session
  1. On your W11EXT-02a desktop
    • In your Browser address bar
      • enter the following URL
        • https://console.metaaccess-b.opswat.com
  1. On your W11EXT-02a desktop
    • On the OPSWAT MetaAccess Sign in page
      • under Email
        • enter your registered email with OPSWAT
      • select Sign In
  1. On your W11EXT-02a desktop
    • On the OPSWAT MetaAccess Sign in page
      • under Password
        • enter your Password
      • select Sign In
  1. In your OPSWAT MetaAccess webpage
    • select Download OPSWAT Client for Windows
  1. On your W11Ext-02a desktop
    • Go to your Downloads folder
    • select the OPSWAT_GEARS_Client
      • select Show More Options
        • select Install
  1. In the OPSWAT Client Setup window
    • next to I accept the terms in the License Agreement
      • select the Checkbox
    • select Install
  1. In User Account Control window
    • under admin
      • enter VMware1!
      • select Yes
  1. In the OPSWAT Client Setup window
    • select Finish
  1. In the OPSWAT Client
    • select Compliance
  1. In the OPSWAT Client
    • Note that by default on this endpoint
      • there is a missing patch
      • there is no drive encryption
    • rendering this device Non-compliant


Section 5. Observing how Compliance enforcement works for On-Demand and Persistent clients

  • One thing to recall is that we set a Compliance Check Initial Delay period in the Unified Access Gateway settings
    • This delay period applies to every session, so a non-compliant endpoint is still admitted until it expires
  • We will now go and disable this delay period
Step 1:  Editing Delay configuration on the Unified Access Gateway server UAG-HZN-01a
  1. On your ControlCenter server
    • Site 1 Browser
      • from the Favourites Bar
        • select the UAG-HZN-01a shortcut
      • In the VMware Unified Access Gateway window
        • In the Admin username area
          • enter Admin
        • In the Admin password area
          • enter VMware1!
        • select Login
  1. In the VMware Unified Access Gateway Admin page
    • under Configure Manually
      • click Select
  1. In the VMware Unified Access Gateway Admin page
    • under Advanced Settings
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings page
    • In line with OPSWAT
      • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings page
    • next to Compliance Check initial Delay
      • change 15 minutes to ZERO
    • At the bottom of the page
      • select Save
  1. In the Endpoint Compliance Check Provider Settings page
    • select Close
Step 2:  Editing Delay configuration on the Unified Access Gateway server UAG-HZN-01b
  1. On your ControlCenter server
    • Site 1 Browser
      • from the Favourites Bar
        • select the UAG-HZN-01b shortcut
      • In the VMware Unified Access Gateway window
        • In the Admin username area
          • enter Admin
        • In the Admin password area
          • enter VMware1!
        • select Login
  1. In the VMware Unified Access Gateway Admin page
    • under Configure Manually
      • click Select
  1. In the VMware Unified Access Gateway Admin page
    • under Advanced Settings
      • next to Endpoint Compliance Check Provider Settings
        • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings page
    • In line with OPSWAT
      • select the GEAR icon
  1. In the Endpoint Compliance Check Provider Settings page
    • next to Compliance Check initial Delay
      • change 15 minutes to ZERO
    • At the bottom of the page
      • select Save
  1. In the Endpoint Compliance Check Provider Settings page
    • select Close
Step 3: Testing how Compliance enforcement for the On-demand Agent works when the endpoint is Non-Compliant
  1. On the ControlCenter server
    • Open the Remote Desktops \ Site1 folder
    • Open w11EXT-01a.RDP
  1. On the Windows Security window
    • Ensure w11ext-01a\nancy is the username
    • In the password area
      • enter VMware1!
    • select OK
  1. On the W11Ext-01a desktop
    • to the right of the Task bar
      • select the dropdown arrow
        • note there is no OPSWAT on-demand client running
    • Launch the VMware Horizon Client shortcut

If you are really curious:

  • Go to Control Panel / Programs and note there is no OPSWAT application installed
  • Launch Task Manager and you will see no OPSWAT processes
  1. On the W11Ext-01a desktop
    • launch the Horizon Client shortcut
    • In the VMware Horizon Client window
      • select and launch the corp.euc-livefire.com entitlement
  1. In the Microsoft Sign in window
    • enter nancy@corpXXX.euc-livefire.com
      • where XXX is your assigned Domain identifier
    • select Next
  1. In the Microsoft Enter password window
    • enter VMware1!
    • select Sign in
  1. In the Microsoft Stay signed in?
    • select Yes
  1. On your W11Client-01a desktop
    • on the Open VMware Horizon Client? window
      • select Open VMware Horizon Client
  1. In the VMware Horizon Client login window
    • Notice that you are denied access
    • Close all windows on your W11Ext-01a client
Step 4: Updating OPSWAT MetaAccess Policies in the admin Console
  1. On the ControlCenter server
    • Open a new tab on your Chrome Browser
    • In the address bar enter
      • https://console.metaaccess-b.opswat.com/dashboard/overview
    • Log into the OPSWAT MetaAccess
      • under Email
        • enter your admin ID
          • select Sign in
        • under Password
          • enter your admin ID Password
            • select Sign in
  1. In the OPSWAT MetaAccess console address URL
    • remove everything after .....opswat.com
    • with your keyboard
      • press ENTER
  • you should now be redirected to the MetaAccess Admin console
  1. In the OPSWAT MetaAccess console admin console
    • In the Inventory pane
      • select Policy Management > Policies
  1. In the OPSWAT MetaAccess console admin console
    • Policies pane
      • below Policy Description
        • Hover your mouse over the notes
        • with your Mouse > right-click and select
  1. In the Policies pane
    • In the Deep Compliance area
      • next to Anti-Malware
        • turn off the toggle
      • next to Encryption
        • turn off the toggle
  1. In the Policies pane
    • select the Patch Management tab
  1. In the Policies pane
    • next to Patch Management
      • turn off the toggle
  1. In the Policies pane
    • In the top right-corner
      • select Save
  1. In the OPSWAT MetaAccess console
    • In the Policies area
      • Take a moment and scroll through the tabs to observe the broad range of compliance mechanisms that can be used
    • You will now return to your TEST clients
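To make the two decisions this section exercises explicit, the following is an added, simplified model (not OPSWAT or VMware code) of how the MetaAccess policy toggles from Step 4 decide the device status, and how the UAG settings from Steps 1 and 2 gate the session on that status. The device state, the policy fields and the deferral rule for the initial delay are assumptions built from what the lab describes.

```python
from dataclasses import dataclass

# Constructed model of the lab's MetaAccess policy (the three toggles the lab
# changes in Step 4). Field names are assumptions, not the product's schema.
@dataclass
class Policy:
    anti_malware: bool = True      # Deep Compliance > Anti-Malware toggle
    encryption: bool = True        # Deep Compliance > Encryption toggle
    patch_management: bool = True  # Patch Management tab toggle

# Constructed device state, matching what the Persistent client reported on
# W11EXT-02a: a missing patch and no drive encryption.
@dataclass
class DeviceState:
    has_anti_malware: bool
    drive_encrypted: bool
    missing_patches: int

def metaaccess_status(policy: Policy, dev: DeviceState) -> str:
    """Return the status code the policy evaluation would report."""
    failures = []
    if policy.anti_malware and not dev.has_anti_malware:
        failures.append("anti-malware")
    if policy.encryption and not dev.drive_encrypted:
        failures.append("encryption")
    if policy.patch_management and dev.missing_patches > 0:
        failures.append("patch")
    return "In compliance" if not failures else "Not in compliance"

def uag_admits(status: str, allowed: set, minutes_since_auth: float,
               initial_delay_min: float) -> bool:
    """UAG gate: sessions inside the initial delay are admitted before the
    check runs; afterwards only an allowed status code is admitted."""
    if minutes_since_auth < initial_delay_min:
        return True
    return status in allowed

# Only "In compliance" was enabled under Show Allowed Status Codes in Section 3.
ALLOWED = {"In compliance"}
LAB_DEVICE = DeviceState(has_anti_malware=True, drive_encrypted=False,
                         missing_patches=1)
DEFAULT_POLICY = Policy()
RELAXED_POLICY = Policy(anti_malware=False, encryption=False,
                        patch_management=False)
```

Relaxing the policy is the lab's shortcut; in production the same "In compliance" result would come from remediating the endpoint rather than switching the toggles off.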
Step 5: Testing a Compliant end-point using the On-Demand Agent for Site 1
  1. On the W11Ext-01a desktop
    • Launch the VMware Horizon Client shortcut
  1. On the W11Ext-01a desktop
    • In the Name of the Connection Server window
      • select and launch the corp.euc-livefire.com URL
  1. On your W11Ext-01a desktop
    • on the Open VMware Horizon Client? window
      • select Open VMware Horizon Client
  1. In the VMware Horizon Client
    • select the Enterprise_Desktop entitlement
  1. On your W11EXT-01a desktop
    • Note that you have a seamless user experience with your Horizon Desktop session
  1. On your W11EXT-01a desktop
    • In the right-hand side of the Taskbar
      • from the dropdown arrow
        • notice the OPSWAT On-demand client running
          • to validate
            • select About
        • select OK
        • Close and shut down all windows
Step 6: Testing a Compliant end-point using the OPSWAT MetaAccess Persistent Client
  1. On your W11EXT-02a desktop
    • to launch notifications
      • with your mouse
        • click over the date area
      • Note: depending on how quick you are, you might observe a Notifications pop-up which you can select and read
  1. On your W11EXT-02a desktop
    • Notifications area
      • validate that the OPSWAT client deems your desktop compliant
  1. On the W11Ext-02a desktop
    • Launch the VMware Horizon Client shortcut
  1. On the W11Ext-02a desktop
    • In the Name of the Connection Server window
      • select and launch the corp.euc-livefire.com URL
  1. On your W11Ext-02a desktop
    • on the This site is trying to open VMware Horizon Client window
      • select Open
  1. In the W11Ext-02a desktop
    • select the Enterprise_Desktop entitlement
  1. On your W11EXT-02a desktop
    • Note that you have a seamless user experience with your Horizon Desktop session