By Eric Monjoin and Xavier Montaron
VMware Horizon View enables you to access a virtual desktop from anywhere, anytime. You can work remotely from your office or from a cybercafé, or anywhere else as long as there is a network connection to connect you to Horizon View infrastructure. It’s an ideal solution – but external connections can be risky.
So, how do you protect and secure your data? How do you authorize only some users—or groups of users—to connect from an external network without establishing a VPN connection?
You can achieve this by relaying into an external solution like F5 Networks’ BIG-IP Access Policy Manager (APM). It can perform pre-authentication checks to end-points based on criteria like user rights, desktop compliancy, antivirus up-to-date, and more. Or, you can simply use the built-in capabilities of Horizon View, which is perfect if you are a small or medium company with a limited budget.
There are two ways to achieve this with Horizon View:
- Pool tagging
- Two-factor authentication
Pool Tagging
Pool tagging consists of setting one or more tags on each View Connection Server (see Figure 1) and restricting desktop pools using those tags to specific brokers (see Figure 2).
Figure 1. View Connection Server tagging
In the following example a tag “EXTERNAL” has been created for brokers paired with a View Security Server, and it is dedicated to an external connection with the tag “INTERNAL,” which has been created for brokers dedicated to internal connections only. Only desktop pools assigned with the “EXTERNAL” tag will be available, and will appear in the desktop pool list while connected to a broker used for external connections.
Figure 2. Desktop pools tagging
As shown in Table 1, if you fail to restrict a pool with a tag, that pool will be available on all View Connection Servers. So, as soon as you start using tags, you have to use tags for all of your desktop pools.
Connection to View Connection Server with following tags | Desktop pools with following restricted tag set | Pool appears in desktop pools list |
EXTERNAL | EXTERNAL | YES |
EXTERNAL | INTERNAL | NO |
INTERNAL | EXTERNAL | NO |
INTERNAL | INTERNAL | YES |
INTERNAL or EXTERNAL | INTERNAL and EXTERNAL | YES |
INTERNAL or EXTERNAL | “None” | YES |
Table 1. TAG relationships between VCS and desktop pools
Keep in mind that when using tags, it is implied that the administrator has created specific pools for external connections, and specific pools for internal connections.
Two-Factor Authentication
The other method when using Horizon View is two-factor authentication. This requires two separate methods of authentication to increase security.
The mechanism is simple; you first authenticate yourself using a one-time password (OTP) passcode as seen in Figure 3. These are generated approximatively every 45 seconds depending on the solution provider. If the provided credentials are authorized, a second login screen appears (see Figure 4) where you enter your Active Directory login and password used for single sign-on to the hosted virtual desktop.
Figure 3. OTP login screen
Figure 4. Domain login screen
The advantages with this solution are:
- Enhanced security – You need to have the OTP passcode (the user’s token) and must know the user’s Active Directory login and password.
- Simplicity – There is no need to create two separate desktop pools – one for external connections and another for internal connections.
- You can be selective – Distribute tokens only to employees who require external access.
The most commonly and widely implemented solution is RSA Security from EMC (see below), but you can also use any solution that is RADIUS-compliant.
For more detailed information you can read the white paper “ How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator.” It describes how to set up FreeRADIUS and Google Authenticator to secure external connections, and authorize only specific users or groups of users to connect to Horizon View. This solution was successfully implemented at no cost at the City Hall in Drancy, France, by its chief information officer, Xavier Montaron.
Sources:
F5 BIG-IP Access Policy Manager
http://www.f5.com/pdf/white-papers/f5-vmware-view-wp.pdf
RSA SecureID
https://gallery.emc.com/servlet/JiveServlet/download/1971-24-4990/VMware_Horizon_View_52_AM8.0.pdf
Eric Monjoin joined VMware France in 2009 as PSO Senior Consultant after spending 15 years at IBM as a Certified IT Specialist. Passionate for new challenges and technology, Eric has been a key leader in the VMware EUC practice in France. Recently, Eric has moved to the VMware Professional Services Engineering organization as Technical Solutions Architect. Eric is certified VCP6-DT, VCAP-DTA and VCAP-DTD and was awarded vExpert for the 4th consecutive year.
Xavier Montaron owns a Master in Computer Science from EPITECH school and has a strong developer background. He joined Town Hall of Drancy during December 2007 in the CIO organization, and became the actual CIO since 2010. Town Hall of Drancy has been a long-time IT innovator and user of VMware technology, both for infrastructure servers as well as for VDI, where all desktops have been fully virtualized since 2011 with Horizon View. Town Hall of Drancy recently has decided to externalize all servers and VDI infrastructure and are now hosted by OVH, a global leader in internet hosting based in France.