by Hasan Mahmood

Recently I was asked if it was possible to control access to a pool of View Desktops based on whether they were accessed internally or externally. That’s a good question.  Here’s what you need to know:

VMware View version 4.0 and above has a tagging feature that allows us to specify if a pool can be accessed when using a particular connection broker. Using this feature it is possible to differentiate your pools for internal or external access.

There are a few things you need to be aware of before you proceed with using tags.

  • Tags apply to Connection Servers only, not to Security Servers.
  • Any Security Server paired to a Connection Server works exactly like that Connection Server.
  • If we have a load balancer in front of a group of Security Servers or Connection Servers, they must all be tagged exactly the same.
  • A single Connection Server or pool can have multiple tags.
  • Multiple Connection Servers and pools can have the same tag.
  • Desktop pools that do not have any tags can be accessed through any Connection Server.
  • View Connection Servers that do not have any tags can only access desktop pools that also do not have any tags.
  • Tags take priority over user entitlements to pools.

Keeping in mind the above parameters, let’s examine a scenario where a pool named ‘mobile-users’ needs to access the corporate network. From inside the organization, this needs to be done through Connection Servers named ‘internalCS-01’ and ‘internalCS-02’. When being externally accessed, we need to go through Security Server ‘ExternalSS-01’ which is paired to Connection Server ‘externalCS-01’.

In this case all pools that need internal access should be tagged ‘internal’, and the pool that needs external access should have two tags, ‘external’ and ‘internal’.

The Connection Servers ‘internalCS-01’ and ‘internalCS-02’ should be tagged ‘internal’ and ‘externalCS-01’ should be tagged ‘external’. Users will not be able to log in until the configuration of all the Connection Servers and the pools is complete.

Note: Logged in users will not be disconnected even if the new rules conflict with access.
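The tag rules and the scenario above can be modelled to check a planned layout before applying it. This is an added example, not VMware code or part of the original post: the pools ‘office-users’ and ‘untagged-pool’ and the user ‘alice’ are hypothetical, and it assumes that a tagged Connection Server reaches a tagged pool when they share at least one tag.

```python
# Added example: a model of the tag rules listed in this post.

def tags_allow(server_tags, pool_tags):
    """Return True if the pool is reachable through the Connection Server."""
    server_tags, pool_tags = set(server_tags), set(pool_tags)
    if not pool_tags:
        return True    # untagged pools are reachable through any Connection Server
    if not server_tags:
        return False   # an untagged Connection Server reaches untagged pools only
    # Assumption: when both sides are tagged, one shared tag is enough.
    return bool(server_tags & pool_tags)

def can_connect(server, pool, user, servers, pools, entitlements):
    """Tags are evaluated first; an entitlement cannot override a tag mismatch."""
    if not tags_allow(servers[server], pools[pool]):
        return False
    return user in entitlements.get(pool, set())

def audit(servers, pools):
    """Map each pool to the Connection Servers through which it is reachable."""
    return {pool: sorted(s for s, st in servers.items() if tags_allow(st, pt))
            for pool, pt in pools.items()}

# Scenario from the post. A Security Server behaves like its paired
# Connection Server, so ExternalSS-01 follows the tags of externalCS-01.
SERVERS = {
    "internalCS-01": {"internal"},
    "internalCS-02": {"internal"},
    "externalCS-01": {"external"},
}
POOLS = {
    "mobile-users": {"internal", "external"},
    "office-users": {"internal"},   # hypothetical internal-only pool
    "untagged-pool": set(),         # hypothetical pool left without tags
}
ENTITLEMENTS = {name: {"alice"} for name in POOLS}  # hypothetical user

if __name__ == "__main__":
    for pool, via in audit(SERVERS, POOLS).items():
        print(f"{pool}: {', '.join(via) or 'unreachable'}")
```

In the audit output the untagged pool is listed under externalCS-01 as well, so any pool that must stay internal needs an explicit ‘internal’ tag.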

Detailed information on Tags and Restricting View Desktop Access is available in the VMware View Administration, page 116.