
Tag Archives: VMware View

Did You Know? Newly Updated VMware Workspace Portal 2.1 Reviewer’s Guide is Now Available!

By Cindy Heyer, Technical Writer, Technical Marketing, End-User Computing at VMware

Did you know that there is a newly published Reviewer’s Guide for Workspace Portal 2.1? The Reviewer’s Guide is aimed at IT professionals who are juggling the management of a wide range of applications, and an equally wide range of devices for their end users. If you are new to Workspace Portal and want to test it out, the Reviewer’s Guide can help you set up a basic, proof-of-concept deployment. To do this, you need VMware vSphere, and to test the services covered in the Reviewer’s Guide, you need VMware ThinApp, VMware Horizon With View, and Citrix XenApp deployments. Through a series of easy-to-follow exercises, the guide takes you on an exploration of some of the key capabilities of Workspace Portal. The final result is that you have hands-on experience with Workspace Portal 2.1.

How Bad Is BadUSB with USB Redirection in VMware Horizon with View?

By Peter Brown, Senior Research & Development Manager, VMware, London, United Kingdom

BadUSB has been getting a lot of press lately. For those of you who have not heard, this is a new security threat in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic, or emulate a keyboard and capture keystrokes, or worse. A number of Web pages are talking about BadUSB, for example “When Good USB Devices Go Bad,” “The Unpatchable Malware That Infects USBs Is Now on the Loose,” and the original Black Hat presentation, “BadUSB—On accessories that turn evil.”

Scary stuff, and unfortunately we have no magic cure. We have all been using USB devices for years, and we all probably have many such devices at home and in the office. So how can an enterprise using VMware Horizon with View for VDI protect itself, or what can it do to minimize the risk? This blog post aims to answer those questions!

Disabling All USB Devices

For the ultimate protection, all USB devices should be disabled. This is quite hard to do on desktop machines, especially if the enterprise has a desktop machine on every user’s desk. However, when using View, this is relatively easy to achieve in one of three ways.

Do Not Install the USB Component on the View Agent

You can configure the desktop guest image (in the data center) so that the View Agent has the USB component “not installed.” This entirely prevents USB devices from being used in that desktop image. Then refresh all your desktop images so that the USB component is removed.

Disable USB Devices for Specific Desktop Pools

If you do not want to change the desktop image, from the View Administrator UI, navigate to Desktop Pools and select a specific pool. Next, select Policies within that pool. Finally, select Desktop Pool Policies and click Edit Policies, and disable USB redirection for a specific pool or pools.


You can also apply user overrides to enable or disable USB redirection on a per user basis in a specific pool. This is also done by way of the same View Administrator window, with the User Overrides choice (next to Desktop Pool Policies in the window).

Use GPOs to Disable All USB Devices on the View Agent

Alternatively, you can apply the ExcludeAllDevices configuration option on the View Agent by way of GPO configuration to prevent any devices from being forwarded.

Disabling Specific USB Devices

Disabling USB devices entirely is certainly the best way to completely avoid the risk of BadUSB. In some cases, however, disabling USB devices entirely might not be feasible because you may need specific USB devices to function for your use cases; an example might be doctors using Dictaphone-type USB devices to record patients’ records. In this case, it is not possible to entirely block USB devices, and so the following strategies should be employed to help mitigate the risk.

Educate Employees About Types of USB Devices to Connect

It is important that you completely trust any device connected to your enterprise, regardless of settings, and that includes trusting your supply chain and ideally having some sort of chain of custody as well. You should educate your employees to ensure that they do not connect devices from unknown sources. If possible, try to restrict the devices used in the environment to devices that accept only signed firmware updates, are ideally FIPS 140-3 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are definitely hard to source and, depending on your specific device requirements, may be impossible to find. This may not be a practical solution to the problem, but certainly worth considering.

Exclude Some Devices Through the Group Policy Editor

You can allow only specific USB devices to be used. Each USB device has its own vendor and product ID that uniquely identifies it to the computer. Rather than allowing View to forward any USB device into the guest virtual machine, you set an Include policy for known device types. Then you can remove the risk of unknown devices being inserted, which might compromise the system. Of course, there will be ways around this, but you do reduce that risk.

Here is an example of how you can configure View to block all devices from being forwarded to the View virtual desktop, except for a known device vendor and product ID (vid/pid = 0123/abcd in this case):

ExcludeAllDevices   Enabled

IncludeVidPid       o:vid-0123_pid-abcd

Note: We should point out that while this sample configuration provides some protection, a compromised device can report any vid/pid, and so there is still a possible attack vector here.

You set these Group Policy Object (GPO) values in the View Agent Group Policy editor.

Note: By default, View blocks certain device families from being forwarded to the View desktop, for example, HID (human interface devices) and keyboards. So with the default filter policy enabled in View, such keyboard devices would be automatically blocked from appearing in the guest. Some of the released BadUSB code targets USB keyboard devices, and this default in View already protects the desktop from malware on these devices.

Specific device families can instead be blocked if required. For example, the following GPO value would block all video, audio, and mass storage devices:

ExcludeDeviceFamily o:video;audio;storage

Another configuration example is to block all devices, but only allow a specific device family (whitelist). For example, block all devices, but enable storage devices. This could be done as follows:

ExcludeAllDevices       Enabled

IncludeDeviceFamily     o:storage
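An added example, not part of the original post and not VMware's code: a simplified Python model of the four filter settings used in the vid/pid and device-family configurations above, showing which reported devices each sample policy would forward. The `Policy` class, the precedence order, and the family name `network` are assumptions for illustration; the model matches only on what a device reports about itself, which is why the allowlist cannot tell a genuine device from one that reports the same vid/pid.

```python
from dataclasses import dataclass, field


def parse_values(raw):
    """Split 'o:video;audio;storage' into lowercase items, dropping the prefix."""
    _, _, body = raw.rpartition(":")
    return {item.strip().lower() for item in body.split(";") if item.strip()}


@dataclass
class Policy:
    exclude_all: bool = False
    include_vidpid: set = field(default_factory=set)
    exclude_family: set = field(default_factory=set)
    include_family: set = field(default_factory=set)

    @classmethod
    def from_gpo(cls, settings):
        """Build a policy from setting names and values as written in the post."""
        return cls(
            exclude_all=settings.get("ExcludeAllDevices", "").lower() == "enabled",
            include_vidpid=parse_values(settings.get("IncludeVidPid", "")),
            exclude_family=parse_values(settings.get("ExcludeDeviceFamily", "")),
            include_family=parse_values(settings.get("IncludeDeviceFamily", "")),
        )

    def decide(self, vid, pid, family):
        """Return (forwarded, deciding_rule) for the identifiers a device reports.

        Assumed precedence (not taken from the post): IncludeVidPid,
        ExcludeDeviceFamily, IncludeDeviceFamily, then ExcludeAllDevices.
        """
        if f"vid-{vid:04x}_pid-{pid:04x}" in self.include_vidpid:
            return True, "IncludeVidPid"
        if family in self.exclude_family:
            return False, "ExcludeDeviceFamily"
        if family in self.include_family:
            return True, "IncludeDeviceFamily"
        if self.exclude_all:
            return False, "ExcludeAllDevices"
        return True, "default"


# The three sample configurations from the post.
ALLOWLIST = Policy.from_gpo({"ExcludeAllDevices": "Enabled", "IncludeVidPid": "o:vid-0123_pid-abcd"})
FAMILY_BLOCK = Policy.from_gpo({"ExcludeDeviceFamily": "o:video;audio;storage"})
STORAGE_ONLY = Policy.from_gpo({"ExcludeAllDevices": "Enabled", "IncludeDeviceFamily": "o:storage"})

if __name__ == "__main__":
    # Constructed device reports: (vid, pid, family). "network" is a made-up family name.
    for dev in [(0x0123, 0xABCD, "storage"), (0x0999, 0x0001, "storage"), (0x0123, 0xABCD, "network")]:
        print("allowlist", dev, ALLOWLIST.decide(*dev))
```

In the third constructed report the device presents the allowed vid/pid while behaving as a different family, and the model still forwards it, which is the residual risk the note above describes.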

Another risk might be someone from outside your office logging in to a desktop and infecting it. Again, this cannot be seen as a complete mitigation, but you can block USB access completely to any View connections that originate from outside the company firewall. The USB device could be used internally, but not externally.

To do this, block TCP port 32111 from the View security server to the View desktops. Zero clients are slightly different, as the USB traffic for those is embedded inside a virtual channel on UDP port 4172. Because port 4172 is not used only for USB (it also carries the display protocol), it is not possible to block that port. You can disable USB on zero clients if required. Look at the zero client product literature or contact the zero client vendor for specific details.

Blocking certain device families or specific devices can help to mitigate the risk of BadUSB malware, but not completely solve it.

If you want to know more about USB redirection in View, check out my white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.

Calling All Citrix XenApp Customers! Make the Move to VMware Horizon 6

By Mark Ewert, End-User Computing Solutions Architect, VMware

This summer we released VMware Horizon 6, the latest version of our leading end-user computing platform. Perhaps the most exciting feature of Horizon 6 is its expanded support for Microsoft Remote Desktop Services, including hosted applications. Whether users need virtual desktops, hosted apps, or shared desktop sessions, VMware Horizon is the only platform you need. This means it is now possible to migrate off your Citrix XenApp infrastructure! Summer 2015 marks both the termination of support for Microsoft Windows Server 2003 and the end of life for XenApp 5.0. If you are still running XenApp 5 on Windows 2003, the timing is perfect for a migration to VMware Horizon. And we are working feverishly to release tools, guidance, and services to provide what you need to make your migration a success.

VMware Horizon 6 Supports Application Delivery by RDS Hosting

By Cindy Heyer, Technical Writer, Technical Marketing, End-User Computing at VMware

To meet the demand for hosted applications, VMware Horizon 6 supports an app-remoting option based on Microsoft RDS. The Application-Delivery Options in VMware Horizon 6.0 white paper describes this new option, as well as additional application-delivery options available in Horizon 6. You can publish and manage RDS-hosted applications through Horizon with View in the Horizon Advanced Edition and Horizon Enterprise Edition. That includes setting policies and entitlement. You can also integrate VMware Workspace with View, which enables you to present your hosted applications in Workspace, where they are displayed alongside applications from ThinApp repositories, Citrix XenApp farms, and SaaS and Web application providers.

RDS is the Microsoft architecture that supports the use of remote machines and applications through a network connection. The application-hosting option in Horizon 6 provides the essentials for publishing applications based on RDS. You can install one instance of an application on an RDS host instead of on multiple individual desktops, and make that application available to many end users.

Next-Generation Unified Workspace with Horizon 6!

By Matt Coppinger, Senior Group Product Line Manager, End-User Computing, VMware

A virtual workspace deployment provides a wealth of features and functions that allows users to access their data and applications on any device from anywhere. With VMware Horizon 6, IT is empowered to administer all application and desktop access and provisioning from a central, unified platform.

Horizon 6 is put to the test in the recently published technical white paper, VMware Horizon 6 Reference Architecture. By integrating the different components within Horizon 6, a unified next-generation workspace is possible. The Horizon 6 reference architecture also discusses the performance of Horizon 6 hosted applications, and managing dedicated desktops using VMware Mirage.

New View Security Overview Now Available

By Gary Sloane, VMware End-User-Computing Consultant

Do you remember the guy from Los Alamos who lost a laptop full of weapon plans? How about that database of veterans’ names and social security numbers accidentally left in an airport? Losses like these could all have been prevented by VDI solutions, such as VMware Horizon with View. Enforcement of policies on taking sensitive material off-premises would have been useful, too, but the use of View desktops instead of physical PCs would have been sufficient.

Ah, the good old days!

Today, the breaches are more numerous, frequent, and complex, with more mobile devices at risk and more serious and sophisticated forms of attack. From Stuxnet to Heartbleed to Backoff to less dramatic incidents—like the theft of a billion usernames and passwords—new threats are emerging all the time.

So, if you are a system or network administrator, or a security officer, the good news is: There are ways to reduce your attack vectors. The bad news is that these suggestions are often ignored.

The new VMware Horizon with View Security Hardening Overview provides a broad discussion of the security issues facing VDI administrators. It includes both general advice about the evolving threat landscape and specific recommendations for hardening Horizon 6 with View and implementing a defense-in-depth strategy.

The advice is good. Do not ignore it.

Bank of Stockton Reference Implementation Case Study

By Teresa Wingfield, Solutions Marketing Consultant, VMware

Here are some highlights of a new VMware Reference Implementation Case Study for Bank of Stockton. This was an easy blog to write as I decided to just let the customer do most of the talking.

What is it worth to the Bank of Stockton to have blazing-fast virtual desktops? “How do you put a dollar figure on the ability to serve customers instantly rather than in minutes or even hours?” asked Vincent Lo, Vice President Network Application and Support at Bank of Stockton. “Customer service is at the heart of everything we do from a technology perspective, and now our technology is enabling us to deliver superior service at a lower cost.”

The Bank of Stockton selected VMware Horizon with View as the software foundation for its VDI solution based on a thorough evaluation of multiple competitive products.  It solved the performance challenges of VDI rollout with a hybrid storage solution from Tegile Systems.


Caspida is hosting a Meet-Up at VMware…what does the future of mobile security look like?

 


by Karthik Kannan, Founder and Chief Marketing Officer, Caspida

Mobile security is clearly one of the biggest challenges faced by companies today. The mobile dimension extends the traditional network from being a rigid perimeter to a more fluid, yet inevitable, area around corporate assets. Users are increasingly mobile – remote employees, traveling users, contractors, vendors, etc. This poses the problem of valuable corporate data being rendered open to corruption, theft and abuse. Yet, the answer does not lie in locking down the data or the devices – for the sake of productivity and competitive edge, companies must make their data accessible and hence not locked down yet protect it at the same time.

Today’s mobile-IT processes provide two options – use a company-provisioned device, or Bring-Your-Own-Device (BYOD). Both have their advantages and disadvantages, but in my opinion, BYOD is the winner. My specific reasons for that opinion are BYOD takes away a huge onus on the part of IT to provision and continuously update corporate devices for its users – this is a thankless task and IT will never get ahead with this approach. What’s left, by definition, is therefore the winner. But BYOD is a winner only because the competing option is a loser!


Deciding Between VMware Horizon 6 and Citrix XenDesktop?

By Cyndie Zikmund, End-User Computing Product Line Marketing Manager, VMware, and Scott Edstrom, End-User Computing Senior Consultant, VMware

You have heard about Horizon 6 by now, but are you curious about how it compares to Citrix XenDesktop?  The VMware Horizon 6 family of solutions offers a choice of new features and capabilities for desktop and application virtualization.

We describe the most prominent features of Horizon 6 in the white paper Why VMware Horizon is a Better Choice Than Citrix XenDesktop. By outlining six ways that Horizon 6 outperforms XenDesktop across the board, we show you that:


What Is the Best Server Virtualization Platform for Virtual Desktop Infrastructure?

By Cyndie Zikmund, EUC Product Line Marketing Manager, VMware

Have you ever asked yourself: What is the best server virtualization platform for virtual desktop infrastructure (VDI)? VMware vSphere is the answer.

More and more organizations are moving towards virtual desktop infrastructure (VDI) as the solution to reducing administrative overhead, increasing productivity, and improving security. VDI is becoming an even more preferred solution as storage costs go down and virtual storage is more widely supported.

But the performance of a VDI deployment depends on the virtualization platform it is hosted on. Which one is best for you? Here are a few key considerations in your decision-making process:

  • Does the platform provide a secure foundation for all the virtual desktops that your organization needs?
  • Can your chosen platform be standardized on the same platform as your existing server virtualization?
  • How will the choice of a virtualization platform impact future migration to a cloud environment?
  • Do the platform’s features, reliability, and high availability meet your business requirements?
  • Is the platform optimized to run VDI workloads?

For more information about using VMware vSphere for desktop virtualization, download the white paper Why Choose VMware vSphere for Desktop Virtualization? This white paper will help you understand why vSphere is the best choice of a hypervisor for a VDI environment.  See VMware vSphere for more information about the VMware server virtualization platform.

VMware vSphere supports the VMware VDI solution, Horizon with View.  See Horizon with View for more information.