Some background: We want to check how we can do IP geolocation restriction.
We currently have a pretty standard Horizon 7.13 installation with DEM. No Airwatch or other fancy stuff.
A couple of people suggested doing this on the firewall level, but we want to check other avenues.
As our MFA we use PrivacyIdea, which currently does not support IP location checks.
We noticed that in the registry of each VDI, there is a value
[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\SessionData\9\ViewClient_Broker_Remote_IP_Address]
that shows the public IP of the machine that a user is connecting from.
The issue here is that this (9) is always changing on every session.
Is there a way that we can use this path in the DEM as a condition but with something like a wildcard so it will not be static?
For the next part, how to check which IPs, we are not sure yet how to approach it.
Unfortunately the "Endpoint IP address" condition reveals the IP of the user in the internal network and not the external public IP.
This is a way we can think of, if we could make it work, until we have a more permanent solution.
Any other ideas are welcome.
The same information can be found in "HKEY_CURRENT_USER\Volatile Environment"
However, you should be aware that this information is only filled in AFTER the user has logged on to the VDI (it can take 30 to 60 seconds before this data is filled in in the registry). So I don't think that's the best way to do geolocation restriction, unless you force a logoff of the user after they have logged on from an unwanted location.
As you already said in the original post, the firewall or a global load balancer is the best way to go I think.
In my opinion there are multiple options, depending on what you want to achieve and which information you want to use for creating the condition.
Within DEM conditions, you can use the registry value condition or the environment variable condition. To go completely custom, you can also go with the Exit Code condition and use your own script/command to achieve what you want.
Like MickeyByte already mentioned, depending on what source of information you use, timing (having the correct/up-to-date source information in place) may be "a thing". So be sure to test thoroughly 😉.
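As an added example (not code from the thread or from VMware), here is a PowerShell script that combines the ideas above: it reads the client's public IP from `HKCU\Volatile Environment`, falls back to enumerating the `SessionData\<n>` subkeys under HKLM so the changing session number is never hard-coded, checks the address against an allow-list of CIDR ranges, and returns an exit code that a DEM Exit Code condition can compare. It assumes that the value name in `Volatile Environment` is also `ViewClient_Broker_Remote_IP_Address`, that the numeric `SessionData` subkey equals the Windows session ID of the logged-on user, and that the allow-list ranges (RFC 5737 documentation addresses) are placeholders you replace with your own. Exit code 2 is reserved for the timing caveat MickeyByte raised: the value is not populated yet, which is different from "denied".

```powershell
# Added example, not part of the original thread. Assumptions are marked below.

# Placeholder allow-list in CIDR notation (constructed; RFC 5737 documentation ranges).
$AllowedRanges = @('203.0.113.0/24', '198.51.100.0/24')

# Exit codes the DEM Exit Code condition can test against.
$EXIT_ALLOWED      = 0   # public IP is inside an allowed range
$EXIT_DENIED       = 1   # public IP is outside every allowed range
$EXIT_NOT_YET_SET  = 2   # registry value not populated yet (can take 30-60 s after logon)
$EXIT_UNPARSEABLE  = 3   # value present but not a dotted IPv4 address (e.g. IPv6)

function ConvertTo-UInt32Address {
    # Dotted IPv4 string -> unsigned 32-bit integer (network byte order).
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # BitConverter is little-endian on Windows
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    # True when $Address falls inside the $Cidr range, e.g. 203.0.113.7 in 203.0.113.0/24.
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $prefix = [int]$bits
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $prefix)) -band [uint64]0xFFFFFFFF)
    $a = ConvertTo-UInt32Address $Address
    $n = ConvertTo-UInt32Address $net
    return (($a -band $mask) -eq ($n -band $mask))
}

function Get-HorizonClientPublicIP {
    # Primary source: per-user volatile environment (assumed value name, see lead-in).
    $vol = Get-ItemProperty -Path 'HKCU:\Volatile Environment' -ErrorAction SilentlyContinue
    $value = $vol.ViewClient_Broker_Remote_IP_Address
    if (-not [string]::IsNullOrWhiteSpace($value)) { return $value.Trim() }

    # Fallback: enumerate every SessionData\<n> subkey instead of hard-coding the number,
    # and pick the one matching the current Windows session ID (assumption).
    $sessionId = (Get-Process -Id $PID).SessionId
    $base = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\SessionData'
    $key = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
           Where-Object { $_.PSChildName -eq "$sessionId" } |
           Select-Object -First 1
    if ($key) {
        $value = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ViewClient_Broker_Remote_IP_Address
        if (-not [string]::IsNullOrWhiteSpace($value)) { return $value.Trim() }
    }
    return $null
}

function Get-ClientIPDecision {
    # Returns one of the exit codes above; kept separate from 'exit' so it can be tested.
    param([string]$Address, [string[]]$Ranges)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $EXIT_NOT_YET_SET }
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $EXIT_UNPARSEABLE }
    foreach ($range in $Ranges) {
        if (Test-IPv4InCidr -Address $Address -Cidr $range) { return $EXIT_ALLOWED }
    }
    return $EXIT_DENIED
}

$clientIp = Get-HorizonClientPublicIP
$decision = Get-ClientIPDecision -Address $clientIp -Ranges $AllowedRanges
# Optional audit trail so a denied or not-yet-populated result can be investigated later.
Write-Output ("ViewClient IP='{0}' decision={1}" -f $clientIp, $decision)
exit $decision
```

In the DEM Management Console you would attach an Exit Code condition to the setting or task you want to gate (for example a logoff task, as MickeyByte describes), with a command such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\DEM\Check-ClientIP.ps1` (path is a placeholder) and the comparison "exit code equals 0". Because the value can lag logon by 30 to 60 seconds, treat exit code 2 as "re-evaluate later" rather than as a denial; DEM triggered tasks that run after logon (such as a reconnect or a delayed task) are a better place for this check than logon-time conditions.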