Delivering a functional user experience that is consistent with organisational policy for the remote worker
Delivering a consistent yet secure user experience can be very challenging in a mobile use case. The remote user might sometimes work from home and at other times in the office. The user might be working from their hotel or from an airport.
The objective of this session is to introduce anyone facing these challenges to some of the configurations one could use. We will use a scenario where a user connects from a remote device into their Horizon environment and would potentially be on a high-performance network, versus connecting over a network where there might be constraints on bandwidth.
It's important to understand that integrating this functionality with the Unified Access Gateway, Workspace ONE Intelligence and Carbon Black makes it secure. If we were to use these Dynamic Environment Manager features on their own, it might be better to see this as a usability feature.
- On your ControlCenter server
  - from the Taskbar
    - launch the DEM management Console shortcut
- In the Dynamic Environment Manager Console
  - select the User Environment tab
- In the User Environment Inventory
  - select Horizon Smart Policies
    - right-click
      - select Create Horizon Smart Policies setting...
- In the Horizon Smart Policies window
  - Settings tab
    - under General Settings
      - enter the following:
        - Name: High Performance Network
        - Label: USB, Clipboard and Client drive
        - Tag: Internal
    - to enable each of the following, select its checkbox and then configure it with the appropriate dropdown
    - under Horizon Smart Policy Settings
      - Audio Playback: Enable
      - Bandwidth Profile: LAN
      - under Blast Extreme protocol
        - Blast codec: Enable
        - H.264: Enable
        - JPG: Enable
        - Max frame rate: 30
      - Drag and drop: Allow all
      - Printing: Enable
    - under Redirection
      - Client drive: Allow all
      - Clipboard: Allow all
      - Storage drive: Enable
      - USB: Enable
      - Web and Chrome file transfer: Allow all
- In the Horizon Smart Policies window
  - select the Conditions tab
    - under Conditions
      - select Add
  - in the Add Condition dropdown
    - select Horizon Client Property
Note: By default, when connecting directly to a Horizon Connection Server, the gateway location Client Property is Internal. When connecting to a Unified Access Gateway Server, the gateway location Client Property is External.
- In the Horizon Client Property window
  - next to Property
    - from the dropdown
      - select Client location
  - next to Is equal to
    - from the dropdown
      - select Internal
  - to close the Horizon Client Property window
    - select OK
- In the Horizon Smart Policies window
  - select the Conditions tab
    - select Add
      - from the dropdown
        - select Endpoint IP Address
- In the Endpoint IP Address window
  - under Settings
    - next to IP address between:
      - enter 192.168.110.1
    - next to and:
      - enter 192.168.110.254
  - to close the window
    - select OK
- In the Horizon Smart Policies window
  - Conditions tab
    - select Add
      - from the dropdown
        - select Endpoint IP Address
- In the Endpoint IP Address window
  - under Settings
    - next to IP address between:
      - enter 172.16.10.1
    - next to and:
      - enter 172.16.10.254
  - to close the window
    - select OK
- In the Horizon Smart Policies window
  - select AND Endpoint IP address is in range 172.16.10.1 - 172.16.10.254
    - right-click
      - select OR
  - select Save
- In the User Environment Inventory
  - select Horizon Smart Policies
    - right-click
      - select Create Horizon Smart Policies setting...
- In the Horizon Smart Policies window
  - Settings tab
    - under General Settings, enter the following
      - next to Name:
        - enter Untrusted Networks
      - next to Label:
        - enter USB, Clipboard and Client drive disabled
      - next to Tag:
        - enter External
    - to enable each of the following, select its checkbox and then configure it with the appropriate dropdown
    - in Horizon Smart Policy Settings
      - Audio Playback: Enable
      - Bandwidth Profile: Broadband WAN
      - in Blast Extreme protocol
        - Blast Codec: Enable
        - Max frame rate: 30
    - Drag and drop: Disable
    - in the Redirection settings, enable the following checkboxes and associated settings:
      - Client drive: Disable
      - Clipboard: Disable
      - Storage Drive: Disable
      - USB: Disable
      - Web and Chrome file transfer: Disable
- In the Horizon Smart Policies window
  - select the Conditions tab
    - under Conditions
      - select Add
  - in the Add Condition dropdown
    - select Horizon Client Property
- In the Horizon Client Property window
  - next to Property
    - from the dropdown
      - select Client location
  - next to Is equal to:
    - from the dropdown
      - select External
  - to close the Horizon Client Property window
    - select OK
- In the Horizon Smart Policies window
  - in the Conditions area
    - select the existing client property
      - select Add >
        - select Endpoint IP Address
- In the Endpoint IP Address window
  - under Settings
    - next to IP address between:
      - enter 172.16.30.1
    - next to and:
      - enter 172.16.30.254
  - to close the window
    - select OK
- In the Horizon Smart Policies window
  - confirm your configuration with the screenshot
  - select Save
- In the Dynamic Environment Manager - Management Console
  - note that you have two Smart Policies
    - for High performance networks
    - for Low performance networks
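The condition sets of the two policies can be checked offline before testing them in a session. The Python sketch below is an added example, not part of the original lab or of Dynamic Environment Manager: it models both policies with the names, locations and IP ranges entered above and reports sample clients that match no policy, or whose result depends on how the mixed AND/OR list is grouped (the page does not state the grouping, so both readings are evaluated). Function names and the sample clients are assumptions constructed for illustration.

```python
import ipaddress

# Values copied from the two Smart Policies configured above.
HIGH_PERF = "High Performance Network"
UNTRUSTED = "Untrusted Networks"
HIGH_PERF_RANGES = [("192.168.110.1", "192.168.110.254"),
                    ("172.16.10.1", "172.16.10.254")]
UNTRUSTED_RANGE = ("172.16.30.1", "172.16.30.254")


def in_range(ip, first, last):
    """True if ip lies in the inclusive range first..last."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


def high_performance(location, ip, grouped):
    """Conditions of the High Performance Network policy.

    grouped=True  reads the list as Internal AND (range1 OR range2).
    grouped=False reads it as (Internal AND range1) OR range2.
    Which reading the console uses is an assumption to verify in the lab.
    """
    internal = location == "Internal"
    r1 = in_range(ip, *HIGH_PERF_RANGES[0])
    r2 = in_range(ip, *HIGH_PERF_RANGES[1])
    return (internal and (r1 or r2)) if grouped else ((internal and r1) or r2)


def untrusted(location, ip):
    """Conditions of the Untrusted Networks policy: External AND range."""
    return location == "External" and in_range(ip, *UNTRUSTED_RANGE)


def matching_policies(location, ip, grouped=True):
    """Names of the policies whose conditions hold for this client."""
    names = []
    if high_performance(location, ip, grouped):
        names.append(HIGH_PERF)
    if untrusted(location, ip):
        names.append(UNTRUSTED)
    return names


def audit(samples):
    """Flag clients with no matching policy or a grouping-dependent result."""
    findings = []
    for location, ip in samples:
        a = matching_policies(location, ip, grouped=True)
        b = matching_policies(location, ip, grouped=False)
        if a != b:
            findings.append((location, ip, "depends on AND/OR grouping"))
        elif not a:
            findings.append((location, ip, "no policy matches"))
    return findings


# Constructed sample clients (client location, endpoint IP); not lab output.
SAMPLES = [
    ("Internal", "192.168.110.50"),
    ("Internal", "172.16.10.20"),
    ("External", "172.16.30.15"),
    ("External", "172.16.10.20"),
    ("External", "203.0.113.7"),
    ("Internal", "10.0.0.5"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Any client the audit reports as matching no policy falls outside both Smart Policies, so the settings it receives are decided elsewhere.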
- On your ControlCenter server
  - launch your Horizon Client
    - in the Horizon Client
      - select horizon-01a.techseals.co
- In the Horizon Client login window
  - in the User name: area
    - login as [email protected]
  - in the Password: area
    - enter Pa$$w0rd
    - select Login
- In the Horizon Client window
  - select the Enterprise_Desktop desktop entitlement
- In the VMware Horizon Client
  - select the dropdown arrow next to USB Devices
    - note that the message you get is No suitable USB devices available
- From your ControlCenter server desktop
  - using the Horizon Client
    - ensure you are not in full-screen mode
    - on the ControlCenter server desktop
      - drag any of the desktop shortcuts over into the Horizon Client session
        - notice that you get a + type icon just below your cursor
    - within the Horizon session
      - release your mouse button to drop the shortcut
- In the Horizon Client session
  - from the Taskbar
    - select the File Explorer folder shortcut
- In the File Explorer window
  - in the left Inventory
    - select This PC
    - to the right, observe that there are network locations configured, i.e. the Z: drive
- On the ControlCenter server
  - from the Taskbar
    - open your File Explorer icon
      - in the Local Disk (C:)
        - browse to
          - \DEMProfiles\Jackie\Logs folder
- In File Explorer
  - select FlexEngine.log
    - right-click
      - select Edit with Notepad++
- In the Notepad++ session
  - reload your logs by selecting File > Reload from Disk
  - scroll down, right to the bottom of your logs
  - scroll up until you find the Jackie and the Performing path-based import logs starting
    - observe that each configuration is processed and logged as disabled / enabled or True / False
    - note that it is the High Performance Network policy that is applied
    - note what features are allowed or enabled
- On the ControlCenter server
  - switch back to your Horizon Client session
    - next to Fullscreen
      - select the see more (3 buttons)
        - select Log Off Desktop
      - on the Disconnect and log off desktop? window
        - select OK
- On the ControlCenter server
  - open the Remote Desktops > Site1 folder
    - open W11EXT-01a
      - login with the username
        - w11ext-01a\jackie
      - in the password area
        - enter Pa$$w0rd
        - select OK
- On the W11Ext-01a desktop
  - launch the Horizon Client
    - in the Horizon Client window
      - launch corp.techseals.co
        - in the Select a certificate window
          - select Jackie
          - select OK
        - select Enterprise_Desktop
- Please note: the W11Ext-01a desktop is on a network which we have configured as external, that being the 172.16.30.x network
  - in this exercise, we will also be connecting via the Unified Access Gateway
- In the Horizon Client
  - in the top bar, next to Connect USB Device
    - select the drop-down
    - notice that the state of USB is "Unavailable"
    - read your logs to validate
- In the Horizon Client Desktop
  - on the title bar
    - select the File Explorer icon
      - in the left inventory
        - select This PC
          - note that you have no network drive mappings
      - close all windows in the Horizon desktop session
- On the W11EXT-01a Desktop
  - attempt to drag the Software Shortcut on the W11Ext-01a Desktop into the Horizon Desktop session
  - attempt to drag any desktop shortcut, or the README file, from the Horizon Desktop session to the W11EXT-01a Desktop
- On the ControlCenter server
  - revert back to your Notepad++ application
    - when prompted to Reload, select Yes
      - scroll down to the bottom of Notepad++
      - scroll up, searching for the Jackie path-based import
    - note the following:
      - that the Low Performance Smart Policy is applied
      - the Broadband bandwidth profile is being applied
      - Client drive, USB and Clipboard redirection are disabled
- On the W11EXT-01a desktop
  - switch back to your Horizon Client session
    - select the drop down
      - to the right of FullScreen, select ...
        - select Log Off Desktop
    - in the Disconnect and log off desktop? window
      - select OK
- In the Dynamic Environment Manager Console
  - under the User Environment tab
    - select Triggered Tasks
      - select Create Triggered Task...
- In the Triggered Task window
  - in the General Settings area
    - next to Name:
      - type Refresh Smart Policies at Reconnection
  - in the Triggered Tasks area
    - next to Trigger:
      - select Session reconnected
    - next to Action:
      - select User Environment refresh
  - in the Refresh: area
    - in front of
      - Horizon Smart Policies
        - select the checkbox
      - Application Blocking Settings
        - select the checkbox
    - next to Show message
      - enable the checkbox
      - in the box called Caption:
        - enter Your configurations have been updated
      - in the box called Message
        - enter This is Corp IT . We have re-evaluated and updated your Desktop settings
    - next to Close automatically after
      - enable the checkbox
      - in front of seconds
        - type 10
  - to close the window
    - select Save
- In the Triggered Tasks area
  - select Message at unlock
    - right-click
      - select Deactivate
- On your ControlCenter Desktop
  - open your Google Site 1 Browser
    - in the Favourites bar
      - select the Horizon Site 1 shortcut
    - in the Horizon login
      - User name area:
        - enter Administrator
      - Password area:
        - enter Pa$$w0rd
        - select Sign in
- In the Horizon Admin console
  - expand Inventory
    - select Desktops
- In the Desktop Pools area
  - in front of W11-BLR-INST
    - select the checkbox
    - select Edit
- In the Edit Pool - W11-BLR-INST window
  - select the Desktop Pool Settings tab
- In the Edit Pool - W11-BLR-INST window
  - in the Remote Settings area
    - below Automatically Logoff After Disconnect
      - from the dropdown
        - change from Immediately to After
        - under After
          - change 120 minutes to 15 minutes
    - to close the Edit Pool - W11-BLR-INST window
      - select OK
We will now move forward and do two simple tests:
- We will log in to VMware Horizon from a Trusted Network. We will NOT log off; we will disconnect.
- We will then log back in to the same VMware Horizon session from an Untrusted Network source.
- Please ensure that, once you start the following steps, you complete the tests within 15 minutes.
- On your ControlCenter server desktop
  - launch your Horizon client
    - select horizon-01a.techseals.co
      - login as [email protected]
      - password is Pa$$w0rd
      - select your Enterprise_Desktop entitlement
- Notice you still have all your configurations for a Trusted Network environment.
- Test some of your configurations, for example:
  - check that you have USB
  - check that you can copy and paste from the ControlCenter to your Horizon virtual desktop
- In the Horizon Client
  - next to Exit Fullscreen
    - select the see more 3 buttons
      - select Disconnect
    - when prompted by the Disconnect desktop? window
      - select OK
You have 15 minutes to log in to your existing session.
- On your W11Ext-01a.RDP session
  - launch your Horizon Client
    - connect via your external Gateway
      - select corp.techseals.co
      - in the Select a certificate window
        - select Jackie
        - select OK
      - select your Enterprise_Desktop desktop entitlement
      - notice the prompt that your Desktop settings have been re-evaluated
- On the Horizon client session on W11EXT-01a
  - notice that USB is Unavailable
  - there is no Network Drive Mapping
  - note that you are unable to drag and drop in and out of this desktop session
- On your ControlCenter server desktop
  - in the Horizon Client
    - next to Exit Fullscreen
      - select the see more 3 buttons
        - select Logoff
      - when prompted by the Disconnect desktop? window
        - select OK
In preparation for the Application Blocking section, we will entitle the IT Support group to an Instant Clone Desktop Pool.
- On your ControlCenter server
  - open your Site 1 browser
  - in the Favourites bar
    - select the Horizon Site 1 shortcut
- In the Horizon login page
  - in the Username area
    - enter administrator
  - in the Password area
    - enter Pa$$w0rd
    - select Sign in
- In the Horizon Admin Console
  - in the Side Menu pane
    - expand Inventory
      - select Desktops
- In the Desktop Pools area
  - next to W11-BLR-INST
    - select the checkbox
    - next to Entitlements
      - from the dropdown
        - select Add Entitlements
- In the Add Entitlements window
  - select Add
- In the Find User or Group window
  - in line with Name / User Name
    - next to Starts with
      - enter IT
    - select Find
    - next to IT Support
      - select the checkbox
      - select OK
- In the Add Entitlements window
  - select OK
- On your ControlCenter server desktop
  - in the DEM Admin Console
    - select the User Environment tab
      - select Application Blocking
    - in the tool bar
      - select Global Configuration
- In the Application Blocking - Global Configuration window
  - next to Enable Application Blocking
    - select the checkbox
      - select OK
    - in the Application Blocking window
      - read the note
        - select OK
- On the User Environment tab
  - select Application Blocking
    - right-click
    - select Create Application Blocking setting...
- In the Application Blocking window
  - in the General Settings area
    - add the following next to:
      - Name: Putty
      - Label: Admins
      - Tag: Internal Use only
- In the Application Blocking window
  - in the Block area:
    - select Add
    - in the Select path to block window
      - enter C:\Program Files\PuTTY\putty.exe
      - select OK
- In the Application Blocking window
  - select the Conditions tab
    - under Conditions
      - select Add
    - in the dropdown
      - select Group Membership
- In the Group Membership window
  - select Browse
  - in the Select Group window
    - under Enter the object name to select
      - type IT
        - select Check Names
          - IT Support should show
      - to close Select Group
        - select OK
      - to close the Group Membership window
        - select OK
- In the Application Blocking window
  - Conditions tab
    - select the IT Support condition
      - right-click
        - select Add >
      - in the Add Condition dropdown
        - select Horizon Client Property
- In the Horizon Client Property window
  - under Settings
    - next to Property
      - from the dropdown
        - select Client location
          - ensure that next to Is equal to: "External" is selected (this should be default)
        - select OK
      - to close the Application Blocking window
        - select Save
- On your ControlCenter server desktop
  - launch your Horizon Client
    - select horizon-01a.techseals.co
- In the Horizon Client login window
  - in the User name: area
    - enter Kim
      - (Kim is a member of IT Support)
  - in the Password: area
    - enter Pa$$w0rd
    - select Login
- In the Horizon Client
  - select your W11INST desktop entitlement
- On the Horizon Client session
  - select the START button
    - right-click
      - select Run
    - in the Run window
      - next to Open:
        - enter \\Horizon-01a\software
        - select OK
- In the Software folder
  - open Applications
    - select putty-64bit-0.78-installer
      - right-click
        - select More Options
          - select Install
- In the Putty release 0.78 (64-bit) Setup window
  - select Next
    - select Next
      - select Install
      - in the User Account Control window
        - in the Username area
          - enter administrator
          - in the Password area
            - enter Pa$$w0rd
          - select Yes
          - select Finish
- On your VMware Horizon Client session
  - next to the START button
    - in the search area
      - enter Putty
    - open PuTTY
    - close PuTTY (very important)
- On your ControlCenter desktop
  - in the Horizon Client
    - next to Exit Fullscreen
      - select the see more 3 buttons
      - select Disconnect
      - when prompted by the Disconnect desktop? window
        - select OK
- On your ControlCenter Desktop
  - switch to the W11EXT-01a.rdp session
    - log off as Jackie
- On the ControlCenter server
  - on the Remote Desktops > Site 1 folder
    - open the w11EXT-01a.RDP
- On the Windows Security window
  - select More choices
    - select Use a different account
      - in the Username area
        - enter w11EXT-01a\administrator
        - in the password area
          - enter Pa$$w0rd
      - select OK
- On your W11Ext-01a.RDP session
  - launch your Horizon Client
    - in the Horizon Client
      - select Add Server
      - in the Name of the Connection server window
        - enter corp.techseals.co
      - select Connect
- In the Workspace ONE login
  - below Select Your Domain
    - select techseals.co
      - select Next
    - below username
      - enter Kim
    - below password
      - Pa$$w0rd
    - select Sign In
- In the Horizon Client
  - select W11INST
- On your Virtual desktop session
  - note your policy has been re-evaluated
- On the Horizon client session on W11EXT-01a
  - next to START
    - in the Search area
      - enter PuTTY
      - select Open
- On the Horizon client session on W11EXT-01a
  - notice your app has been blocked, using a combination of App Blocking and Horizon Smart Policies
  - to close the App Block message window
    - select Close
- On the Horizon client session on W11EXT-01a
  - next to Fullscreen
    - select the ... dropdown
      - select Log Off Desktop
    - in the Disconnect and log off desktop? window
      - select OK