VMware Horizon Community
john_its
Enthusiast
Enthusiast
‎03-25-2022 04:33 AM

DEM registry condition

Hello !!

some background : We want to check how we can do IP geolocation restriction.
We currently have a pretty standard Horizon 7.13 installation with DEM. No Airwatch or other fancy stuff.
A couple of people suggested to do this on the firewall level, but we want to check other avenues.
As our MFA we use PrivacyIdea, which currently does not support IP location checks.

We noticed that in the registry of each VDI, there is a value 
[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\SessionData\9\ViewClient_Broker_Remote_IP_Address]
that shows the public IP of the machine that a user is connecting.
The issue here is that this (9) is always changing on every session. 
Is there a way that we can use this path in the DEM as a condition but with something like a wildcard so it will not be static?

For the next part , on how to check the which IPs we are not sure yet on how to approach it.

Unfortunately the "Endpoint IP address" condition reveals the IP of the user in the internal network and not the external public IP.

This is a way we can think off if we could make it work, until we have a more permanent solution.

Any other ideas are welcome
Thanks

Reply
0 Kudos
4 Replies
Mickeybyte
Hot Shot
Hot Shot
‎03-27-2022 11:34 PM

@john_its 

The same information can be found in "HKEY_CURRENT_USER\Volatile Environment"

However, you should be aware that this information is only filled in, AFTER the user has logged on to the VDI (it can take 30 to 60 seconds before this data is filled in in the registry). So I don't think that's the best way to do geolocation restriction, unless you force a logoff of the user after they logged on from an unwanted location.


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
Reply
0 Kudos
john_its
Enthusiast
Enthusiast
‎03-28-2022 12:18 AM

Hello @Mickeybyte 

 

Thanks for replying nad also thank you very much for the info.

Do you have any other suggestions on how to approach geo location restrictions?

 

Thanks

Reply
0 Kudos
Mickeybyte
Hot Shot
Hot Shot
‎03-28-2022 12:29 AM

@john_its 

As you already said in the original post, the firewall or a global load balancer is the best way to go I think.

 


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
Reply
ijdemes
Expert
Expert
‎03-30-2022 03:16 AM

In my opinion there are multiple options, depending on what you want to achieve and which information you want to use for creating the condition.

 

Within DEM conditions, you can use the registry value condition or the environment variable condition. To go completely custom, you can also go with the Exit Code condition and use your own script/command to achieve want you want.

 

Like MickeyByte already mentioned, depending on what source of information you use, timing (having the correct/up-to-date source information in place) may be "a thing". So be sure to test thoroughly 😉.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
Reply
0 Kudos