4 Replies Latest reply on Feb 10, 2019 10:34 PM by ymagalif

    Horizon VDI user-ID or IP address

    Alim11 Lurker

      Hello, I have overall details about the Horizon 7 VDI solution, but there is some missing information related to:

      - How can we identify a user desktop in order to create a firewall rule? Someone told me that each client has his own user ID and using this ID I can configure a firewall rule.

      - What is the drawback of the VDI solution? As a result of the research I have done, there are some difficulties operating VDI with other IT security systems, e.g.:

      * Installing PGP in a gold image, then cloning this image into several virtual desktops may result in a functional issue when the virtual desktop starts up.

      * How will the SIEM solution handle the logs generated from the virtual desktop machines if the VDI relies on user-ID? (example: QRadar solution)

        • 1. Re: Horizon VDI user-ID or IP address
          BenFB Expert

          What you are asking is a much deeper and complex conversation than can likely be answered here. I would highly recommend engaging VAR that can understand all of your requirements and guide you to the best solution.

          • 2. Re: Horizon VDI user-ID or IP address
            Alim11 Lurker

            Hello, thank you for your reply.

            Please, can I know what you mean by VAR? Can you please help me to get an answer to my question?

            There is trouble with the VDI description: does it rely on User-ID or IP address? And if it's on user ID, where will this ID be specified, through the Domain Controller or whom?

            Regards

            • 3. Re: Horizon VDI user-ID or IP address
              BenFB Expert

              A value-added reseller or VAR is a company that you use for purchasing hardware, software or professional services.

              To answer your initial question you might be better off tunneling all of the endpoint traffic through a connection server or Unified Access Gateway (UAG). This would allow for all the connections to the virtual desktops to source from known IP addresses. Logging on the connection servers would then tell you the source IP if it's needed.

              • 4. Re: Horizon VDI user-ID or IP address
                ymagalif Novice
                vExpert

                Alim11,

                1. Usually, when you are not tunneling, which means a Horizon virtual desktop connects to a Horizon client directly, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, for example:

                Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from all the Horizon clients in range 10.10.10.20 to 10.10.10.251 on X ports.

                Like BenFB said, when you are tunneling, which means a Horizon virtual desktop connects to a Horizon Connection Server or Unified Access Gateway, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, and the tunneling server, for example:

                Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from Horizon Connection Server 10.2.2.5 on X ports.

                2. Installing PGP in a golden image -- I have not used PGP, but I can imagine possible problems with it and non-persistent (linked or instant clone) virtual desktops.

                However, you can use other full disk encryption systems with persistent (full clone) Horizon virtual desktops:

                VMware's own vSphere Virtual Machine Encryption:

                Configure Full Clones with vSphere Virtual Machine Encryption

                HyTrust:

                Encrypting VMware vSphere VDI VMs

                3. SIEM systems -- for persistent virtual desktops, there will be a persistent user name assigned to the desktop, and a DHCP IP address that rarely, but may, change. Therefore, it is best to get a SIEM system that understands Active Directory user logons and can correlate events based on them. Otherwise, you will need to rely on the fact that the user will usually (but not always) get the same IP address from DHCP.

                For non-persistent virtual desktops, the DHCP address may change much more often, and the user gets a fresh virtual desktop every time. Therefore, your SIEM system MUST understand Active Directory user logons and correlate events based on them.

                4. Overall, VDI has some issues with various security tools, but at the same time improves security in other areas. For example, all data stays in the datacenter. In addition, in a non-persistent virtual desktop environment, viruses can be killed by logging off, destroying the virtual desktop and the virus in it.

                Sincerely,

                Yury Magalif
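A small illustration of the SIEM point in reply 4 (an added example, not part of the thread; the event layout, user names and addresses are constructed and are not QRadar's format): attributing alerts to a user by IP alone misfires once a non-persistent pool hands the same DHCP address to a fresh desktop for another user, while correlating each alert with the most recent Active Directory logon on that IP before the alert attributes it correctly.

```python
from datetime import datetime

# Constructed sample events (not a real SIEM format). A non-persistent pool gives
# desktop IP 192.168.1.20 to alice in the morning; her desktop is destroyed at
# logoff and a fresh clone with the same DHCP address goes to bob at midday.
LOGONS = [  # (timestamp, AD user, desktop IP), e.g. from Windows logon events
    ("2019-02-10T08:00:00", "alice", "192.168.1.20"),
    ("2019-02-10T12:30:00", "bob", "192.168.1.20"),
]
ALERTS = [  # (timestamp, source IP, alert), e.g. from a firewall that only sees IPs
    ("2019-02-10T09:15:00", "192.168.1.20", "blocked-outbound-smb"),
    ("2019-02-10T13:05:00", "192.168.1.20", "blocked-outbound-smb"),
]


def attribute_by_ip(alerts, logons):
    """IP-only correlation: whoever was last seen on an IP owns every alert from it."""
    owner = {}
    for _ts, user, ip in logons:
        owner[ip] = user  # later logons silently overwrite earlier ones
    return [(ts, owner.get(ip, "unknown"), what) for ts, ip, what in alerts]


def attribute_by_logon(alerts, logons):
    """Logon-aware correlation: the latest AD logon on that IP at or before the alert."""
    result = []
    for ts, ip, what in alerts:
        when = datetime.fromisoformat(ts)
        earlier = [(datetime.fromisoformat(lts), user) for lts, user, lip in logons
                   if lip == ip and datetime.fromisoformat(lts) <= when]
        # max() picks the most recent logon; no logon before the alert means no owner
        user = max(earlier)[1] if earlier else "unknown"
        result.append((ts, user, what))
    return result


if __name__ == "__main__":
    for label, rows in (("by IP only", attribute_by_ip(ALERTS, LOGONS)),
                        ("by AD logon", attribute_by_logon(ALERTS, LOGONS))):
        print(label)
        for row in rows:
            print("   ", row)
```

The IP-only pass blames bob for the 09:15 alert that happened on alice's desktop; the logon-aware pass assigns each alert to the user who actually held the address at that time.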