VMware Horizon Community
Alim11
Contributor

Horizon VDI user-ID or IP address

Hello, I have overall details about the Horizon 7 VDI solution, but there is some missing information related to:

- How can we identify a user desktop in order to create a firewall rule? Someone told me that each client has his own user ID and using this ID I can configure a firewall rule.

- What are the drawbacks of a VDI solution? As a result of the research I have done, there are some difficulties operating VDI with other IT security systems, e.g.:

* Installing PGP in a gold image, then cloning this image into several virtual desktops, may result in a functional issue when the virtual desktop starts up.

* How will the SIEM solution handle the logs generated from the virtual desktop machines if the VDI relies on user-ID? (example: QRadar solution)

5 Replies
BenFB
Virtuoso

What you are asking is a much deeper and more complex conversation than can likely be answered here. I would highly recommend engaging a VAR that can understand all of your requirements and guide you to the best solution.

Alim11
Contributor

Hello, thank you for your reply.

Please can I know what you mean by VAR? Can you please help me to get an answer to my question?

There is trouble with the VDI description: does it rely on User-ID or IP address? And if it's on user ID, where will this ID be specified, through the Domain Controller or whom?

Regards

BenFB
Virtuoso

A value-added reseller or VAR is a company that you use for purchasing hardware, software or professional services.

To answer your initial question you might be better off tunneling all of the endpoint traffic through a connection server or Unified Access Gateway (UAG). This would allow for all the connections to the virtual desktops to source from known IP addresses. Logging on the connection servers would then tell you the source IP if it's needed.

ymagalif
Enthusiast

Alim11,

1. Usually, when you are not tunneling, which means a Horizon virtual desktop connects to a Horizon client directly, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, for example:

Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from all the Horizon clients in range 10.10.10.20 to 10.10.10.251 on X ports.

Like BenFB said, when you are tunneling, which means a Horizon virtual desktop connects to a Horizon Connection Server or Unified Access Gateway, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, and the tunneling server, for example:

Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from Horizon Connection server 10.2.2.5 on X ports.

2. Installing PGP in a golden image -- have not used PGP, but I can imagine possible problems with it and non-persistent (linked or instant clone) virtual desktops.

However, you can use other full disk encryption systems with persistent (full clone) Horizon virtual desktops:

VMware's own vSphere Virtual Machine Encryption:

Configure Full Clones with vSphere Virtual Machine Encryption

HyTrust

Encrypting VMware vSphere VDI VMs

3. SIEM systems -- for persistent virtual desktops, there will be a persistent user name assigned to the desktop, and a DHCP IP address that may, though rarely, change. Therefore, best is to get a SIEM system that understands Active Directory user logons and can correlate events based on them. Otherwise, you will need to rely on the fact that the user will usually (but not always) get the same IP address from DHCP.

For non-persistent virtual desktops, the DHCP address may change much more often, and the user gets a fresh virtual desktop every time. Therefore, your SIEM system MUST understand Active Directory user logons and correlate events based on them.

4. Overall, VDI has some issues with various Security tools, but at the same time improves Security in other areas. For example, all data stays in the datacenter. In addition, in a non-persistent virtual desktop environment, viruses can be killed by logging off, destroying the virtual desktop and the virus in it.

Sincerely,

Yury Magalif

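The correlation Yury describes in point 3, shown as an added example (not code from this thread, from VMware, or from any SIEM product): because a non-persistent desktop's DHCP address is reused by the next user, firewall events are attributed through the user's logon and logoff times for that address rather than through the address itself. It assumes the SIEM has already normalised Windows logon/logoff events into (time, user, desktop IP) records, for instance by joining the event's computer name against the DHCP lease; all log records below are constructed.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed, already-normalised AD session events: (timestamp, kind, user, desktop ip).
# Note that 192.168.1.20 is handed to bob after alice's non-persistent desktop is destroyed.
AD_EVENTS = [
    ("2023-05-01T08:00:00", "logon",  "alice", "192.168.1.20"),
    ("2023-05-01T08:05:00", "logon",  "carol", "192.168.1.21"),
    ("2023-05-01T09:00:00", "logoff", "alice", "192.168.1.20"),  # desktop destroyed at logoff
    ("2023-05-01T09:30:00", "logon",  "bob",   "192.168.1.20"),  # DHCP reuses the address
]

# Constructed firewall events: (timestamp, source ip, destination, action).
FW_EVENTS = [
    ("2023-05-01T07:59:00", "192.168.1.20", "10.2.2.5:443", "deny"),
    ("2023-05-01T08:15:00", "192.168.1.20", "10.2.2.5:443", "allow"),
    ("2023-05-01T09:10:00", "192.168.1.20", "10.2.2.5:443", "allow"),
    ("2023-05-01T09:45:00", "192.168.1.20", "10.2.2.5:443", "allow"),
    ("2023-05-01T08:10:00", "192.168.1.21", "10.2.2.5:443", "allow"),
]

def build_session_index(ad_events):
    """Per IP: parallel sorted lists of change times and of the user holding the
    address from that moment on (None after a logoff). ISO-8601 timestamps
    sort chronologically as strings, so no datetime parsing is needed."""
    changes = defaultdict(list)
    for ts, kind, user, ip in sorted(ad_events):
        changes[ip].append((ts, user if kind == "logon" else None))
    return {ip: ([t for t, _ in rows], [u for _, u in rows]) for ip, rows in changes.items()}

def user_for(index, ip, ts):
    """Return the user logged on at `ip` at time `ts`, or None if no session covers it."""
    if ip not in index:
        return None
    times, users = index[ip]
    pos = bisect_right(times, ts)  # number of session changes at or before ts
    return users[pos - 1] if pos else None

def attribute(fw_events, ad_events):
    """Rewrite each firewall event as (timestamp, user or 'unattributed', destination, action)."""
    index = build_session_index(ad_events)
    return [(ts, user_for(index, ip, ts) or "unattributed", dst, action)
            for ts, ip, dst, action in fw_events]

if __name__ == "__main__":
    for row in attribute(FW_EVENTS, AD_EVENTS):
        print(*row)
```

Events that fall outside any logon/logoff window (before the first logon, or between a logoff and the next logon on the same address) stay unattributed rather than being charged to whichever user last held the IP.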
jefferson342
Contributor

Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from Horizon Connection server 10.2.2.5 on X ports. Installing PGP in a golden image - have not used PGP, but can imagine possible problems with it.
