Delivering a functional user experience that is consistent with organisational policy for the remote worker

Delivering a consistent yet secure user experience can be very challenging in a mobile use case. The remote worker might sometimes work from home and at other times in the office. The user might be working from their hotel or out of an airport.

The objective of this session is to show anyone wanting to do this which configurations to use to get started. We will use a scenario where a user connects from a remote device into their Horizon environment, potentially on an untrusted network, versus connecting to the same infrastructure on a trusted network.

PART 1: Setting up VMware Horizon Smart Policies with VMware Dynamic Environment Manager for Trusted Networks

  1. On your ControlCenter server Desktop
    • Select and launch the DEM Management Console shortcut from your Start menu
  1. In the Dynamic Environment Manager Console
    • Select the User Environment tab
  1. In the User Environment Inventory
    • Select Horizon Smart Policies,
    • Right-click and select Create Horizon Smart Policies setting...
  1. In the Horizon Smart Policies, Settings tab enter the following:-
    • Under General Settings, enter the following, next to:
      • Name: Trusted Network
      • Label: USB, Clipboard and Client drive
      • Tag: Internal
    • In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
      • Audio Playback : Enable
      • Bandwidth Profile : LAN
      • Blast Extreme protocol
        • H.264: Enable
        • JPG: Enable
        • Max frame rate :  30
    • Drag and drop : Allow all
    • Printing : Enable
    • In the Redirection settings, enable the following checkboxes and associated settings, next to:
      • Client drive : Allow all
      • Clipboard : Allow all
      • USB : Enable
    • Web and Chrome file transfer: Allow all
  1. In the Horizon Smart Policies window
    • Select the Conditions tab
    • Under Conditions, select the dropdown next to Add
  1. In the Add Condition dropdown
    • Select Horizon Client Property

Note: By default, if you connect directly to a View Connection Server, the gateway location is Internal. If you connect to a Unified Access Gateway Server, the gateway location is External by default.

  1. In the Horizon Client Property, add the following:
    • Next to Property, select Client location from the dropdown
    • Next to Is equal to, select Internal from the dropdown
    • Select OK, to close the Horizon Client Property
  1. In the Horizon Smart Policies window, Conditions tab
    • Select Add
    • Select Endpoint IP Address
  1. In the Endpoint IP Address window, enter the following
    • Under Settings, enter the following:
      • next to IP address between: 192.168.110.1
      • next to and enter: 192.168.110.254
    • Select OK to close the window
  1. In the Horizon Smart Policies window, Conditions tab
    • Select Add
    • Select Endpoint IP Address
  1. In the Endpoint IP Address window, enter the following
    • Under Settings,
      • next to IP address between: 172.16.10.1
      • next to and enter: 172.16.10.254
    • Select OK to close the window
  1. In the Horizon Smart Policies window
    • Select and right-click the AND Endpoint IP address is in range 172.16.10.1 - 172.16.10.254
      • Select OR
    • Confirm your configuration with the Screenshot
    • Select Save

PART 2: Setting up VMware Horizon Smart Policies with VMware Dynamic Environment Manager for Untrusted Networks

  1. In the User Environment Inventory
    • Select Horizon Smart Policies,
    • Right-click and select Create Horizon Smart Policies setting...
  1. In the Horizon Smart Policies, Settings tab enter the following:-
    • Under General Settings, enter the following, next to:
      • Name: Untrusted Networks
      • Label: USB, Clipboard and Client drive disabled
      • Tag: External
    • In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
      • Audio Playback : Enable
      • Bandwidth Profile : Broadband WAN
      • Blast Extreme protocol
        • H.264: Enable
        • Max frame rate :  30
    • Drag and drop : Disable
    • In the Redirection settings, enable the following checkboxes and associated settings, next to:
      • Client drive : Disable
      • Clipboard : Disable
      • USB : Disable
    • Web and Chrome file transfer: Disable
  1. In the Horizon Smart Policies window
    • Select the Conditions tab
    • Under Conditions, select the dropdown next to Add
  1. In the Add Condition dropdown
    • Select Horizon Client Property
  1. In the Horizon Client Property, add the following:
    • Next to Property, select Client location from the dropdown
    • Next to Is equal to, select External from the dropdown
    • Select OK, to close the Horizon Client Property
  1. In the Horizon Smart Policies window, In the Conditions area
    • Select and right-click the existing client property
      • Select Add >
      • Select Endpoint IP Address
  1. In the Endpoint IP Address window, enter the following
    • Under Settings, next to IP address between: 172.16.30.1
      • Next to and enter: 172.16.30.254
    • Select OK to close the window
  1. In the Horizon Smart Policies window
    • Confirm your configuration with the Screenshot
    • Select Save
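
The conditions built in Parts 1 and 2, modelled as an added example (not part of the original lab guide and not VMware code) to show which client location and endpoint IP combinations each policy matches. It assumes the Part 1 conditions are read as Internal AND (first range OR second range); the function names and the sample endpoints are constructed for illustration.

```python
from ipaddress import ip_address

# Inclusive endpoint IP ranges entered in Part 1 (Trusted) and Part 2 (Untrusted).
TRUSTED_RANGES = [("192.168.110.1", "192.168.110.254"),
                  ("172.16.10.1", "172.16.10.254")]
UNTRUSTED_RANGES = [("172.16.30.1", "172.16.30.254")]


def in_any_range(endpoint_ip, ranges):
    """True if endpoint_ip lies inside any inclusive (first, last) range."""
    ip = ip_address(endpoint_ip)
    return any(ip_address(lo) <= ip <= ip_address(hi) for lo, hi in ranges)


def matching_policies(client_location, endpoint_ip):
    """Return the names of the Smart Policies whose conditions are all met.

    Assumption: Part 1 is read as Internal AND (range 1 OR range 2).
    Part 2 is External AND the single 172.16.30.x range.
    """
    matched = []
    if client_location == "Internal" and in_any_range(endpoint_ip, TRUSTED_RANGES):
        matched.append("Trusted Network")
    if client_location == "External" and in_any_range(endpoint_ip, UNTRUSTED_RANGES):
        matched.append("Untrusted Networks")
    return matched


def coverage_gaps(cases):
    """Return the (location, ip) cases that satisfy neither policy's conditions."""
    return [case for case in cases if not matching_policies(*case)]


# Constructed sample endpoints. The first three sit in the lab's configured
# ranges; the last two are made-up addresses outside every configured range.
SAMPLE_CASES = [
    ("Internal", "192.168.110.10"),  # direct to the Connection Server, LAN range 1
    ("Internal", "172.16.10.50"),    # direct to the Connection Server, LAN range 2
    ("External", "172.16.30.20"),    # via Unified Access Gateway, lab "external" net
    ("External", "203.0.113.7"),     # constructed: via UAG from an unlisted network
    ("Internal", "10.0.0.5"),        # constructed: internal but unlisted subnet
]

if __name__ == "__main__":
    for location, ip in SAMPLE_CASES:
        result = matching_policies(location, ip) or "no policy condition met"
        print(f"{location:8} {ip:15} -> {result}")
    print("Unmatched cases:", coverage_gaps(SAMPLE_CASES))
```

The last two sample cases satisfy neither set of conditions as configured on this page, so it is worth listing such combinations for your own address plan before relying on the External policy to restrict clients on arbitrary remote networks.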

PART 3 : Testing your Smart Policies.

Due to constraints in our virtual environment with external access, we will demonstrate only one of the features in Horizon Smart Policies

  • That being Drag and Drop functionality.
  • We have limitations in terms of what we can demonstrate with USB redirection
  • We will use the Dynamic Environment Manager Logs, to see if the settings are effective.
  1. On your ControlCenter server desktop
    • Launch your Horizon Client
    • Select your Horizon POD HORIZON.euc-livefire.com
  1. In the Horizon Client login window
    • Next to User name: login as YOUR Custom Test User
    • Next to Password: VMware1!
    • Select Login
  1. In the VMware Horizon Client
    • Select the horizon.euc-livefire.com (we are testing the internal network rules)
    • Select your W10INST desktop entitlement
  • Wait for the Desktop session to load
  1. In the VMware Horizon Client
    • Select the dropdown arrow, next to USB Devices
      • Note, No suitable USB devices available, is the message you get.
  1. Starting from your ControlCenter server desktop
    • First, ensure that you are not in full-screen with the Horizon Client
    • With your mouse, select the CA Console.msc icon on the ControlCenter server desktop and Drag over into the Horizon Client session
      • Note that you will get a + type Icon , just below your cursor.
    • Release your mouse button to Drop the Console within the Horizon Session
  1. In the Horizon Client session
    • From the Taskbar, select the File Explorer folder shortcut
  1. In the File Explorer Window
    • Select This PC in the left Inventory
    • To the right, scroll down and observe that there are network locations configured, i.e. the Z: drive
  1. On the ControlCenter server
    • Open your File Explorer Icon, from the Taskbar
    • On the C:\, open your UEMProfiles\YOUR Custom Test User\Logs folder
  1. In File Explorer C:\UEMProfiles\user1\Logs
    • Select and right-click FlexEngine.log
    • Select Edit with Notepad++
  1. In the Notepad++ session
    • Reload your logs, by selecting File > Reload from Disk
    • Scroll down, right to the bottom of your logs,
      • Scroll up until you find the YOUR Custom Test User and the Performing path-based import logs starting
      • Observe that each configuration is processed and logged as disabled / enabled or True / False
      • Note it's the Internal Policy that is being applied
      • Note what features are allowed or enabled
  1. On the ControlCenter server
    • Switch back to your Horizon Client session
    • Next to Fullscreen, select the see more (3 buttons), next to Options,
      • Select Log Off Desktop
        • On the Disconnect and log off desktop? window
        • Select OK
    • With this version of Horizon, ensure you go to the Horizon Admin Console and remove the Desktop for re-provisioning to work
  1. On the ControlCenter server
    • Open the Remote Desktops folder
    • Open w10EXT01a.RDP (Note!)
      • Login with the username w10ext01a\administrator
      • Login with the password VMware1!
  1. On the W10Ext01a desktop
    • Please Note. W10Ext01a desktop is on a network which we have configured as external. That being the 172.16.30.x network
    • We will also be connecting via the Unified Access Gateway in this exercise
  • Launch the VMware Horizon Client
  • In the VMware Horizon Client window
    • Launch: UAG-HZN.euc-livefire.com
    • Next to User name: enter :- YOUR Custom Test User
    • Next to Password: enter:- VMware1!
    • Select Login
  • In the VMware Horizon Client
    • Select the W10INST desktop entitlement
  1. In the Horizon Client
    • In the top bar, next to Connect USB Device, select the drop-down
      • Notice that the state of USB is "Unavailable"
        • Read your logs to validate
  1. In the Horizon Client Desktop
    • On the title bar, select the File Explorer Icon
    • Ensure This PC is selected in the left inventory
      • Scroll down on the right side to the bottom of the window.
        • Notice that you have no Network drive Mappings
      • Close all windows in the Horizon W10 desktop session
  1. In the W10EXT01a Desktop
    • Attempt to drag the Software Shortcut on the W10Ext01a Desktop into the Horizon Desktop session.
    • Attempt to drag the README file from the Horizon Desktop session to the W10EXT01a Desktop
  1. On the ControlCenter server Desktop
    • Revert back to your Notepad++ application
    • When prompted to Reload, select Yes
    • Scroll right to the bottom of Notepad++
    • Slowly scroll up searching for the YOUR Custom Test User path based import
      • When authoring this material, I had to scroll up about 300 lines
    • Note the following:
      • That the External Smart Policy is applied
      • That the Broadband bandwidth profile is being applied
      • Client drive, USB and Clipboard redirection are disabled
  1. On the W10EXT01a desktop
    • Switch back to your Horizon Client session
    • Select the drop down,
    • Next to the right of FullScreen, select ...
      • Select Log Off Desktop
      • In the Disconnect and log off desktop? window
        • Select OK

PART 4: Using Triggered Tasks to enforce Horizon Smart Policies

  1. In the Dynamic Environment Manager Console, under User Environment
    • Select Triggered Tasks
    • Select Create Triggered Task...
  1. In the Triggered Task window, configure the following:
    • In the General Settings area, add the following
      • Next to Name: type Refresh Smart Policies at Reconnection
    • In the Triggered Tasks area, configure the following next to:
      • Trigger: Session reconnected
    • Next to Action: from the drop down,
      • Select User Environment refresh
      • In the Refresh: area, enable the
        • Horizon Smart Policies checkbox
        • Application Blocking Settings checkbox
      • Enable the Check box next to Show message
        • Enter the following:-
          • Next to Caption: Your Livefire Configurations have been Updated
          • In the Message Box: This is Corp IT Livefire. We have re-evaluated and updated your Desktop settings
          • Enable the checkbox next to Close automatically after and type 10 in front of seconds
      • Select Save to close the window
  1. In the Triggered Tasks area
    • Select and right-click, Message at unlock
    • Select Disable
  1. On your ControlCenter Desktop
    • Open your Google Chrome Browser
    • Select the Horizon shortcut in the Titlebar
    • In the VMware Horizon login, enter the following:-
      • User name area : - enter Administrator
      • Password area:- enter VMware1!
      • Select Sign in
  1. In the VMware Horizon Admin console
    • Expand Inventory
    • Select Desktops
  1. In the Desktop Pools area
    • Select the checkbox next to W10INST
    • Select Edit
  1. In the Edit Pool - W10INST window
    • Select the Desktop Pool Settings tab
  1. In the Edit Pool - W10INST window
    • Under Remote Settings > Automatically Logoff After Disconnect
      • From the dropdown, change from Immediately to After
      • Under After change 120 minutes to 15 minutes
      • Select OK

We will now move forward and do two simple tests

  • We will log in to VMware Horizon from a Trusted Network. We will NOT log off, we will disconnect
  • We will then log back in to the same VMware Horizon session from an Untrusted Network source.
  • Please ensure that, once you start the following steps, you complete the tests within 15 minutes
  1. On your ControlCenter server desktop
    1. Launch your Horizon client > Login as Your Custom Test User > Select your W10INST entitlement
      • Notice you still have all your configurations for a Trusted Network environment.
      • Test some of your configurations, for example,
        • Check that you have USB,
        • That you can copy and paste from the ControlCenter to your Horizon virtual Desktop
    2. In the Horizon Client, next to Exit Fullscreen, select the see more 3 buttons
      • Select Disconnect
        • When prompted by the Disconnect desktop? window select OK
          • ( you have 15 minutes to login to your existing session)
  1. On your W10Ext01a.RDP session
    • Launch your Horizon Client
      • Connect via your external Gateway, UAG-HZN.euc-livefire.com
        • Login as YOUR Custom Test User
        • Password VMware1!
        • Select your W10INST desktop Entitlement
          • Notice the prompt that your Desktop settings have been re-evaluated
  1. In the W10INST Horizon client session on W10EXT01a
    • Notice that USB is Unavailable
  1. In the W10INST Horizon client session on W10EXT01a
    • There is no Network Drive Mapping
  1. In the W10INST Horizon client session on W10EXT01a
    • Note that you still have the file dragged on to the desktop when you were on your Trusted network.
    • However, we are unable to drag and drop in and out of this desktop session
  1. On your ControlCenter server desktop
    • In the Horizon Client, next to Exit Fullscreen, select the see more 3 buttons
      • Select Disconnect
        • When prompted by the Disconnect desktop? window select OK
          • ( you have 15 minutes to login to your existing session)

PART 5: Configuring Application Block and integrating with Horizon Smart Policies

  1. On your ControlCenter server desktop
    • In the DEM Admin Console select  the User Environment tab
    • Select  Application Blocking
    • In the title bar, select Global Configuration
  1. In the Application Blocking - Global Configuration window
    • Select the Checkbox next to Enable Application Blocking
    • Select OK
    • In the Application Blocking window,
      • Before we select OK , read the note
      • Select OK

We will now go and configure further.

  1. On the User Environment tab, of the DEM Console
    • Select and right-click Application Blocking
    • Then select Create Application Blocking setting....
  1. In the Application Blocking window
    • In the General Settings area, add the following next to:
      • Name: Putty
      • Label: Admins
      • Tag: Internal only
  1. In the Application Blocking window
    • In the Application Blocking Settings, configure the following next to:-
      • Type: Path-based, from the drop down
      • In the Block area:
        • Select Add
        • In the Select path to block window
          • Browse to C:\Program Files\PuTTY,
          • Select putty.exe
          • Select Open
        • In the Select path to block,
          • Select OK
  1. In the Application Blocking window
    • Select the Conditions tab.
    • Under Conditions, select the dropdown next to Add
    • Select Group Membership
  1. In the Group Membership window
    • Select Browse
    • In the Select Group window, under Enter the object name to select type IT and then select Check Names
      • IT Support should show
    • Select OK to close Select Group
    • Select OK to close the Group Membership window
  1. In the Conditions Tab for Application Blocking
    • Select and right-click the condition you have just added for IT support
    • Select Add >
    • In the Add Condition dropdown select Horizon Client Property
  1. In the Horizon Client Property window
    • Under Settings, next to Property address select the dropdown
    • Select Client location
      • Ensure that next to Is equal to:"External" is selected (this should default)
      • Select OK
      • Select Save

PART 6: Testing Application Block with VMware Dynamic Environment Manager

  1. On your ControlCenter server desktop
    • Launch your Horizon Client
    • Select your Horizon POD HORIZON.euc-livefire.com
  1. In the Horizon Client login window
    • Next to User name: login as Kim (Kim is a member of IT support)
    • Next to Password: VMware1!
    • Select Login
  1. In the VMware Horizon Client
    • Select your W10INST desktop entitlement
      • Wait for the Desktop session to load
  1. On your VMware Horizon Client session
    • On your Desktop, launch the Microsoft Edge Browser
    • Type Putty download windows 10
      • In the search results select Go to download
  1. On your VMware Horizon Client session
    • Next to 64bit , select the putty-64bit-xxxx-installer.msi
    • In Downloads, select Open file
    • When prompted, what do you want to do... select Run >
  1. On your VMware Horizon Client session
    • In the PuTTY setup window
      • Select Next > Next > Install
      • When prompted in User Account Control
        • In User name type Administrator
        • In the Password type VMware1!
        • Select Yes
      • Select Finish
  1. On your VMware Horizon Client session
    • Select the START button > scroll to P > Expand the Putty Folder > Launch Putty
    • Notice you have your PuTTY Configuration window
    • Click Cancel to close the window (very important)
  1. On your ControlCenter desktop
    • In the Horizon Client, next to Exit Fullscreen, select the see more 3 buttons
      • Select Disconnect
        • When prompted by the Disconnect desktop? window select OK
  1. On your ControlCenter Desktop
    • Select your W10EXT01a.rdp session
      • If this session has closed, go to your Remote Desktops folder and launch the W10Ext01a.rdp and
        • login with username  Administrator
        • password VMware1!
  1. On your W10Ext01a.RDP session
    • Launch your Horizon Client
      • Connect via your external Gateway, UAG-HZN.euc-livefire.com
        • Login as Kim (Kim is a member of IT support)
        • Password VMware1!
      • Select your W10INST desktop Entitlement
        • Notice the prompt that your Desktop settings have been re-evaluated
  1. In the W10INST Horizon client session on W10EXT01a
    • Select your START Menu > Expand the Putty folder > Select Putty
  1. In the W10INST Horizon client session on W10EXT01a
    • Notice your App has been blocked, using a combination of App Blocking and Horizon Smart Policies
    • Select Close to close the App Block message window
  1. On the W10EXT01a desktop
    • Switch back to your Horizon Client session
    • Next to Fullscreen, select the ... dropdown,
      • Select Log Off Desktop
      • Select OK in the Disconnect and log off desktop? window

About the Author: Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

Any questions related to this session, email Reinhart at RACE-Livefire-EUC <[email protected]>
