EUC

Delivering a functional user experience that is consistent with organisational policy for the remote worker

Delivering a consistent yet secure user experiencing can be very challenging in a mobile use case. The remote user might sometimes work from home and again in the office. The user might be working from their hotel or out of an Airport.

The Objective of this session is to introduce anyone facing these challenges with some of the configurations one could use. We will use a scenario where a user connects from a remote device into their Horizon environment and would potentially be on high-performance network, versus connecting over a network where there might be constraints on bandwidth.

Its important to understand that Integrating this functionality with the Unified Access Gateway, Workspace ONE Intelligence and Carbon Black makes it secure. If we were to use these Dynamic Environment Manager features on their own, it might be be better to see this as a Usability feature

PART 1: Setting up Horizon Smart Policies with VMware Dynamic Environment Manager for Performance Networks

On your ControlCenter server
- from the Taskbar
  - launch, the DEM management Console shortcut

In the Dynamic Environment Manager Console
- select the User Environment tab

In the User Environment Inventory
- select Horizon Smart Policies,
  - Right-click
    - select Create Horizon Smart Policies setting...

In the Horizon Smart Policies, window
- Settings tab
  - under General Settings,
    - enter the following:-
      - Name: High Performance Network
      - Label: USB, Clipboard and Client drive
      - Tag: Internal
- to enable select the following, choose the respective checkbox and then configure with the appropriate dropdown
  - under Horizon Smart Policy Settings,
    - Audio Playback : Enable
    - Bandwidth Profile : LAN
    - under Blast Extreme protocol
      - Blast codec: Enable
      - H.264: Enable
      - JPG: Enable
      - Max frame rate : 30
    - Drag and drop : Allow all
    - Printing : Enable
- under Redirection
  - Client drive : Allow all
  - Clipboard : Allow all
  - Storage drive : Enable
  - USB : Enable
- Web and Chrome file transfer: Allow all

In the Horizon Smart Policies window
- select the Conditions tab
- under Conditions,
  - select Add

In the Add Condition dropdown
- select Horizon Client Property

Note: By default, when connecting directly to a Horizon Connection Server, the gateway location Client Property is Internal. When connecting to a Unified Access Gateway Server, the gateway location Client Property is External.

In the Horizon Client Property,
- next to Property,
  - from the dropdown
    - select Client location
- next to Is equal to,
  - from the dropdown
    - select Internal
- to close the Horizon Client Property
  - select OK

In the Horizon Smart Policies window,
- select the Conditions tab
  - select Add
    - from the dropdown
      - select Endpoint IP Address

In the Endpoint IP Address window,
- under Settings,
  - next to IP address between:
    - enter 192.168.110.1
  - next to and:
    - enter 192.168.110.254
- to close the window
  - select OK

In the Horizon Smart Policies window,
- Conditions tab
  - select Add
    - from the dropdown
      - select Endpoint IP Address

In the Endpoint IP Address window,
- under Settings,
  - next to IP address between:
    - enter 172.16.10.1
  - next to and:
    - enter 172.16.10.254
- to close the window
  - select OK

In the Horizon Smart Policies window
- select AND Endpoint IP address is in range 172.16.10.1 - 172.16.10.254
  - right-click
    - select OR
  - select Save

PART 2: Setting up Horizon Smart Policies with VMware Dynamic Environment Manager for Low Performance Networks

In the User Environment Inventory
- select Horizon Smart Policies,
  - right-click
    - select Create Horizon Smart Policies setting...

In the Horizon Smart Policies,
- Settings tab
  - enter the following,
    - under General Settings,
      - next to Name:
        
        enter Untrusted Networks
      - next to Label:
        
        enter USB, Clipboard and Client drive disabled
      - next to Tag:
        
        enter External
- to enable select the following, choose the respective checkbox and then configure with the appropriate dropdown
  - In Horizon Smart Policy Settings,
    - Audio Playback : Enable
    - Bandwidth Profile : Broadband WAN
  - In Blast Extreme protocol
    - Blast Codec: Enable
    - Max frame rate : 30
- Drag and drop : Disable
- In the Redirection settings, enable the following checkboxes and associated settings, next to:
  - Client drive : Disable
  - Clipboard : Disable
  - Storage Drive : Disable
  - USB : Disable
- Web and Chrome file transfer: Disable

In the Horizon Smart Policies window
- select the Conditions tab
  - under Conditions,
    - select Add

In the Add Condition dropdown
- select Horizon Client Property

In the Horizon Client Property,
- next to Property,
  - from the dropdown
    - select Client location
- next to Is equal to:
  - from the dropdown
    - select External
- to close the Horizon Client Property
  - select OK

In the Horizon Smart Policies window,
- In the Conditions area
  - select the the existing client property
    - select Add >
      - select Endpoint IP Address

In the Endpoint IP Address window
- under Settings,
  - next to IP address between:
    - enter 172.16.30.1
  - next to and
    - enter 172.16.30.254
- to close the window
  - select OK

In the Horizon Smart Policies window
- Confirm your configuration with the Screenshot
  - select Save

In the Dynamic Environment Manager - Management Console
- Note, you have two Smart Policies
  1. For High performance networks
  2. For Low performance networks

PART 3 : Testing your Dynamic Environment Manager Smart Policies.

Section 1: Testing a Horizon session on what is defined as a High Performance Network

On your ControlCenter server
- launch your Horizon Client
  - In the Horizon Client
    - select horizon-01a.techseals.co

In the Horizon Client login window
- in the User name: area
  - login as [email protected]
- in the Password: area
  - enter Pa$$w0rd
    - select Login

In the Horizon Client window
- select the Enterprise_Desktop desktop entitlement

In the VMware Horizon Client
- Select the dropdown arrow, next to USB Devices
  - Note, No suitable USB devices available, is the message you get.

From your ControlCenter server desktop
- using the Horizon Client
  - ensure you are not in full-screen mode
- on the ControlCenter server desktop
  - drag over into the Horizon Client session
    - any of the desktop shortcuts
      - notice that you get a + type Icon, just below your cursor.
- within the Horizon Session
  - release your mouse button to Drop the shortcut

In the Horizon Client session
- from the Taskbar,
  - select the File Explorer folder shortcut

In the File Explorer Window
- in the left Inventory
  - select This PC
- To the right, observe, there are network locations configured. ie the Z: drive

On the ControlCenter server
- from the Taskbar
  - open your File Explorer Icon,
    - in the Local Disk (C:)
      - browse to
        
        \DEMProfiles\Jackie\Logs folder

In File Explorer
- select FlexEngine.log
  - right-click
    - select Edit with Notepad++

In the Notepad++ session
- Reload your logs, by selecting File > Reload from Disk
  - Scroll down, right to the bottom of your logs,
    - Scroll up until you find the Jackie and the Performing path-based import logs starting
      - observe that each configuration is processed and logged as disabled / enabled or True / False
        
        note its the High Performance Network Policy is applied
        
        Note what features are allowed or enabled

On the ControlCenter server
- switch back to your Horizon Client session
  - next to Fullscreen,
    - select the see more (3 buttons),
      - select Log Off Desktop
    - on the Disconnect and log off desktop? window
      - select OK

Section 2: Testing a Horizon session on what is defined as a Low Performance Network

On the ControlCenter server
- open the Remote Desktops > Site1 folder
  - open W11EXT-01a
    - login with the username
      - w11ext-01a\jackie
    - in the password area
      - enter Pa$$w0rd
        
        select OK

On the W11Ext-01a desktop
- launch the Horizon Client
  - In the Horizon Client window
    - launch corp.techseals.co
      - in the Select a certificate window
        
        select Jackie
        
        select OK
    - select Enterprise_Desktop

Please Note. W11Ext-01a desktop is on a network which we have configured as external. That being the 172.16.30.x network
in this exercise, we will also be connecting via the Unified Access Gateway

In the Horizon Client
- In the top bar, next to Connect USB Device,
  - select the drop-down
  - notice that USB is "Unavailable" is the state of USB
    - Read your logs to validate

In the Horizon Client Desktop
- on the title bar,
  - select the File Explorer Icon
    - in the left inventory
      - select This PC
        
        Note, that you have no Network drive Mappings
  - Close all windows in the Horizon desktop session

On the W11EXT-01a Desktop
- attempt to drag the Software Shortcut on the W11Ext-01a Desktop into the Horizon Desktop session.
- attempt to drag any desktop shortcut the README file from the Horizon Desktop session to the W10EXT01a Desktop

On the ControlCenter server
- revert back to your Notepad++ application
  - when prompted to Reload, select Yes
    - scroll down to the bottom of Notepad ++
    - scroll up searching for the Jackie path based import
- Note the following:
  - that the Low Performance Smart Policy is applied
  - Broadband band-width profile is being applied
  - Client drive, USB and Clipboard redirection are disabled

On the W11EXT-01a desktop
- switch back to your Horizon Client session
  - select the drop down,
    - next to the right of FullScreen, select ...
      - select Log Off Desktop
  - in the Disconnect and log off desktop? window
    - select OK

PART 4: Using Triggered Tasks to enforce Horizon Smart Policies

In the Dynamic Environment Manager Console,
- under User Environment tab
  - select Triggered Tasks
    - select Create Triggered Task...

In the Triggered Task window,
- in the General Settings area,
  - next to Name:
    - type Refresh Smart Policies at Reconnection
- in the Triggered Tasks area,
  - next to Trigger:
    - select Session reconnected
- next to Action:
  - select User Environment refresh
- In the Refresh: area,
  - in front of
    - Horizon Smart Policies
      - select the checkbox
    - Application Blocking Settings
      - select the checkbox
  - next to Show message
    - enable the Check box
  - in the box called Caption:
    - enter Your configurations have been updated
  - in the box called Message
    - enter This is Corp IT . We have re-evaluated and updated your Desktop settings
  - next to Close automatically after
    - enable the checkbox
      - in front of seconds
        
        type 10
  - to close the window
    - select Save

In the Triggered Tasks area
- select Message at unlock
  - right-click,
    - select Deactivate

On your ControlCenter Desktop
- open your Google Site 1 Browser
  - In the Favourites bar
    - select the Horizon Site 1 shortcut
- In the Horizon login,
  - User name area :
    - enter Administrator
  - Password area:
    - enter Pa$$w0rd
      - select Sign in

In the Horizon Admin console
- expand Inventory
  - select Desktops

In the Desktop Pools area
- in front of W11-BLR-INST
  - select the checkbox
- select Edit

In the Edit Pool - W11-BLR-INST window
- select the Desktop Pool Settings tab

In the Edit Pool - W11-BLR-INST window
- in the Remote Settings area
  - below Automatically Logoff After Disconnect
    - from the dropdown ,
      - change from Immediately to After
    - under After
      - change 120 minutes to 15 minutes
- to close the Edit Pool - W11-BLR-INST window
  - select OK

We will now move forward and do two simple tests

We will log in to VMware Horizon from a Trusted Network. We will NOT log off , we will disconnect
We will then log back in to the same VMware Horizon session session from an Untrusted Network source.
Please ensure , once you start the following steps you complete the tests within 15 minutes

PART 5: Testing Dynamic Environment Manager Triggered Tasks

On your ControlCenter server desktop
1. launch your Horizon client >
  - select horizon-01a.techseals.co
    - login as [email protected]
    - password is Pa$$w0rd
      - select your Enterprise_Desktop entitlement

Notice you still have all your configurations for a Trusted Network environment.
Test some of your configurations, for example ,
- Check that you have USB,
- That you can copy and paste from the Controlcenter to your Horizon virtual Desktop

In the Horizon Client,
- next to Exit Fullscreen,
  - select the see more 3 buttons
    - select Disconnect
  - When prompted by the Disconnect desktop? window
    - select OK

you have 15 minutes to login to your existing session

On your W11Ext-01a.RDP session
- Launch your Horizon Client
  - connect via your external Gateway,
    - select corp.techseals.co
  - In the Select a certificate window
    - select Jackie
      - select OK
  - select your Enterprise_Desktop desktop Entitlement
    - Notice the prompt that your Desktop settings have been re-evaluated

On the Horizon client session on W11EXT-01a
- notice that USB is Unavailable

On the Horizon client session on W11EXT-01a
- there is no Network Drive Mapping

On the Horizon client session on W11EXT-01a
- Note that you are unable to drag and drop in and out of this desktop session

On your ControlCenter server desktop
- in the Horizon Client,
  - next to Exit Fullscreen,
    - select the see more 3 buttons
      - select Logoff
    - when prompted by the Disconnect desktop? window
      - select OK

PART 6: Using Local Entitlements on Site 1 for a Desktop Pool

In preparation for the Application Blocking section we will entitle the IT Support group to a Instant Clone Desktop Pool

On your ControlCenter server
- Open your site 1 browser
- In the favourites bar
  - select the Horizon Site 1 shortcut
- In the Horizon login page
  - In the Username area
    - enter administrator
  - In the Password area
    - enter Pa$$w0rd
  - select Sign in

In the Horizon Admin Console
- In the Side Menu pane
  - expand Inventory
    - select Desktops

In the Desktop Pools area
- next to W11-BLR-INST
  - select the Checkbox
- next to Entitlements
  - from the dropdown
    - select Add Entitlements

In the Add Entitlements window
- select Add

In the Find User or Group window
- In line with Name / User Name
  - next to Starts with
    - enter IT
- select Find
  - next IT Support
    - select the checkbox
  - select OK

In the Add Entitlements window
- select OK

PART 7: Configuring Application Blocking and integrating with Horizon Smart Policies

On you ControlCenter server desktop
- In the DEM Admin Console
  - select the User Environment tab
    - select Application Blocking
- In the the tool bar,
  - select Global Configuration

In the Application Blocking - Global Configuration window
- next to Enable Application Blocking
  - select the Checkbox
    - select OK
- in the Application Blocking window,
  - read the note
    - select OK

On the User Environment tab,
- select Application Blocking
  - right-click
  - select Create Application Blocking setting....

In the Application Blocking window
- In the General Settings area,
  - add the following next to:
    - Name: Putty
    - Label: Admins
    - Tag: Internal Use only

In the Application Blocking window
- In the Block area:
  - select Add
  - In the Select path to block window
    - enter C:\Program Files\PuTTY\putty.exe,
  - select OK

In the Application Blocking window
- select the Conditions tab.
  - Under Conditions,
    - select Add
- In the dropdown
  - select Group Membership

In the Group Membership window
- select Browse
- In the Select Group window,
  - under Enter the object name to select
    - type IT
      - select Check Names
        
        IT Support should show
  - to close Select Group
    - select OK
  - to close the Group Membership window
    - select OK

In the Application Blocking window
- Conditions Tab
  - select the IT support condition
    - right-click
      - select Add >
  - in the Add Condition dropdown
    - select Horizon Client Property

In the Horizon Client Property window
- under Settings,
  - next to Property
    - from the the dropdown
      - select Client location
        
        ensure that next to Is equal to:"External" is selected (this should be default)
    - select OK
  - to close the Application Blocking window
    - select Save

PART 8: Testing Application Block with VMware Dynamic Environment Manager

On your ControlCenter server desktop
- launch your Horizon Client
  - select horizon-01a.techseals.co

In the Horizon Client login window
- in the User name: area
  - enter Kim
    - (Kim is a member of IT support)
- in the Password: area
  - enter Pa$$w0rd
    - select Login

In the Horizon Client
- select your W11INST desktop entitlement

On the Horizon Client session
- select the START button
  - right-click
    - select Run
- In the Run window
  - next to Open:
    - enter \\Horizon-01a\software
  - select OK

In the Software folder
- open Applications
  - select putty-64bit-0.78-installer
    - right-click
      - select More Options
        
        select Install

In the Putty release 0.78 (64-bit) Setup window
- select Next
  - select Next
    - select Install
  - In the User Account Control window
    - in the Username area
      - enter administrator
    - in the Password area
      - enter Pa$$w0rd
    - select Yes
    - select Finish

On your VMware Horizon Client session
- next to the START button
  - in the search area
    - enter Putty
- open PuTTY
- close PuTTY (very important)

On your ControlCenter desktop
- In the Horizon Client,
  - next to Exit Fullscreen,
    - select the see more 3 buttons
  - select Disconnect
    - When prompted by the Disconnect desktop? window
      - select OK

On your ControlCenter Desktop
- switch to the W11EXT-01a.rdp session
  - log off as Jackie

On the ControlCenter server
- on the Remote Desktops > Site 1 folder
  - open the w11EXT-01a.RDP

On the Windows Security window
- select More choices
  - select Use a different account
    - in the Username area
      - enter w11EXT-01a\administrator
    - in the password area
      - enter Pa$$w0rd
  - select OK

On your W11Ext-01a.RDP session
- launch your Horizon Client
  - In the Horizon Client
    - select Add Server
  - In the Name of the Connection server window
    - enter corp.techseals.co
    - select Connect

In the Workspace ONE login
- below Select Your Domain
  - select techseals.co
    - select Next
- below username
  - enter Kim
- below password
  - Pa$$w0rd
- select Sign In

In the Horizon Client
- select W11INST

On your Virtual desktop session
- note your policy has been re-evaluated

On the Horizon client session on W11EXT-01a
- next to START
  - in the Search area
    - enter PuTTY
    - select Open

On the Horizon client session on W11EXT-01a
- Notice your App has been blocked, using a combination of App Blocking and Horizon Smart Policies
- to close the App Block message window
  - select Close

On the Horizon client session on W11EXT-01a
- next to Fullscreen,
  - select the ... dropdown,
    - select Log Off Desktop
- in the Disconnect and log off desktop? window
  - select OK

EUC

Delivering a functional user experience that is consistent with organisational policy for the remote worker

0 Comments

Add your comment

Topics

Last Updated