VMware Horizon Community
bchris999
Contributor

External Access Policy

Hi,

I am currently doing a POC for VMware View to replace an existing Citrix infrastructure. The company has a policy whereby, when the system is accessed from outside the company network, no data can be removed. This means disabling copy and paste (clipboard going outside the VDI session), USB redirection, printer redirection, etc. When the user is internal to the company network, some USB devices should be allowed, printer redirection needs to be turned on and copy and paste needs to work. This is currently set up in Citrix with policies that differ depending on whether the user session is coming through the Citrix Access Gateway or not.

I cannot seem to find a way to implement this with View. I have seen both the GPO policies and the Pool policy settings, but cannot figure out how to change them dependent on the Client environment. Ideally this would be determined by if the user was coming through a Security server or not (or, as they are paired, a connection server). Maybe using the tags?

All connections to the pool would be over PCoIP. There are two internal connection servers and two external connection / security server pairs, both load balanced. Security servers are located in a DMZ.

Help much appreciated, as this could be a show stopper for the View project.

Thanks,

Chris

0 Kudos
8 Replies
btrabue
Enthusiast

Chris,

We are having the very same issues that you are looking into.  We have been talking with VMware the past few weeks and I have a phone conference call on the 7th of February to discuss it again.  They believe that they have a way to disable USB redirection when connecting externally.

Would it matter if you disabled the clipboard both externally and internally?  We have done that because internally the users use thin clients so there is no copying internally.  This was done by not allowing the users to select RDP when making the connection.  PCoIP doesn't allow the clipboard to work.

The ThinPrint service is what redirects the printer from the local device to the VM.  Below is a script that I found that will only enable the ThinPrint service if the user is a member of a certain AD group.  NOTE:  I have not tested this script yet.  It's on my list of things to do.

Good Luck!

In case anyone is interested, I managed to resolve this by using a VBS script run using the RunOnConnect option from the View Agent GPO. It queries the volatile environment variables for the name of the external access View Connection Servers, and if it matches it then checks group membership. If not a member of the remote-printing-allowed group it disables the ThinPrint services.

```vbscript
Option Explicit

Dim strComputer, objNetwork, objSysInfo, strUserDN, objUser
Dim objWMIService, objShell, objGroupList, strBroker
Dim colServiceList, objService, errReturnCode

strComputer = "."

Set objNetwork    = WScript.CreateObject("WScript.Network")
Set objSysInfo    = CreateObject("ADSystemInfo")
strUserDN         = objSysInfo.UserName
Set objUser       = GetObject("LDAP://" & strUserDN)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objShell      = CreateObject("WScript.Shell")

'--------------------------------------------------------
' IsMember Function
'--------------------------------------------------------
Function IsMember(strGroup)
    ' Function to test one user for (direct) group membership.
    ' objUser is the user object with global scope.
    ' strGroup is the NT name (sAMAccountName) of the group to test.
    ' objGroupList is a dictionary object with global scope,
    ' filled on first use so the directory is only queried once.
    ' Returns True if the user is a member of the group.
    Dim objGroup
    If IsEmpty(objGroupList) Then
        Set objGroupList = CreateObject("Scripting.Dictionary")
        objGroupList.CompareMode = vbTextCompare
        For Each objGroup In objUser.Groups
            objGroupList(objGroup.sAMAccountName) = True
        Next
    End If
    IsMember = objGroupList.Exists(strGroup)
End Function

'--------------------------------------------------------
' Check to see if the client logged in through the external View
' Connection Servers. Disable printing if not a member of the
' AD group remote-printing-allowed.
'--------------------------------------------------------
' The View Agent publishes the broker name as a volatile environment
' variable; compare it case-insensitively.
strBroker = UCase(objShell.ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%"))

If strBroker = "GR1VCSV01.DOMAIN.NET" _
   Or strBroker = "GR1VCSV02.DOMAIN.NET" Then

    If IsMember("remote-printing-allowed") Then
        WScript.Echo "Virtual Printing Enabled"
    Else
        ' Stop and disable both ThinPrint services
        Set colServiceList = objWMIService.ExecQuery _
            ("Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
        For Each objService In colServiceList
            If objService.State = "Running" Then
                objService.StopService()
                WScript.Sleep 5000
            End If
            errReturnCode = objService.ChangeStartMode("Disabled")
        Next
    End If
End If
```

0 Kudos
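As an added example (not from this thread, VMware, or the script's author): a PowerShell version of the same RunOnConnect idea that goes two steps further, re-enabling the ThinPrint services when the same persistent desktop is next reached through an internal broker (the VBS above only ever disables them), and checking group membership from the logon token so nested groups count. The broker names and group name are placeholders, and it assumes the script runs with rights to change services.

```powershell
$ExternalBrokers = @('GR1VCSV01.domain.net', 'GR1VCSV02.domain.net')  # placeholders
$AllowedGroup    = 'DOMAIN\remote-printing-allowed'                   # placeholder
$TpServices      = @('TPAutoConnSvc', 'TPVCGateway')

function Get-ViewBrokerName {
    # Horizon Agent writes the ViewClient_* values to the user's volatile environment.
    $ve = Get-ItemProperty -Path 'HKCU:\Volatile Environment' -ErrorAction Stop
    return [string]$ve.ViewClient_Broker_DNS_Name
}

function Test-ExternalSession {
    param([string]$Broker, [string[]]$External)
    # -contains compares strings case-insensitively, so a lower-case DNS name still matches.
    return [bool]($External -contains $Broker)
}

function Test-GroupMember {
    param([string]$GroupName)
    # The logon token already contains nested groups; unresolvable SIDs are skipped.
    foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        try { $name = $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { continue }
        if ($name -ieq $GroupName) { return $true }
    }
    return $false
}

function Set-ThinPrintEnabled {
    param([bool]$Enabled)
    foreach ($svc in $TpServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { continue }
        if ($Enabled) {
            Set-Service -Name $svc -StartupType Automatic
            if ($s.Status -ne 'Running') { Start-Service -Name $svc }
        } else {
            if ($s.Status -eq 'Running') { Stop-Service -Name $svc -Force }
            Set-Service -Name $svc -StartupType Disabled
        }
    }
}

$broker   = Get-ViewBrokerName
$external = Test-ExternalSession -Broker $broker -External $ExternalBrokers
# Internal sessions always print; external sessions only with the AD group.
$allow = (-not $external) -or (Test-GroupMember -GroupName $AllowedGroup)
Set-ThinPrintEnabled -Enabled $allow
Write-Output "Broker=$broker External=$external PrintingEnabled=$allow"
```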
rbythell
Contributor

Hi Chris,

I have the same dilemma - for a user access group, how can I have PCoIP optimization applied to their sessions when they access the solution remotely yet when they come into the office have PCoIP configured to LAN access best practices? The only way I can see it at the moment is to have separate pools for either style of access which is obviously really inefficient...

I think tags will only control which connection server is related to your security server access but you can't apply the GPOs against connection servers - only the agent/client and then we appear to be talking about more of an Active Directory issue than a View issue.

I'm stumped and have asked my account manager to investigate whether there's a way to achieve this, we can't be the only people who have users accessing from LAN and WAN.

0 Kudos
vcpguy
Expert

Can we create tags and a separate OU for the VMs that will be accessed from outside, and separate OUs and GPOs for the internal VMs? Maybe I am missing something here.

----------------------------------------------------------------------------- Please don't forget to reward Points for helpful hints; answers; suggestions. My blog: http://vmwaredevotee.com
0 Kudos
btrabue
Enthusiast

We are currently in the middle of testing USB redirection. We don't want the users to have access to any USB storage device while outside the office. We have blocked TCP 32111 on the security servers in our test environment. Within a short while USB redirection was disabled on the VMs being accessed from outside the office and not internally. We just recently did this and are not 100% sure that this is the solution, but it is looking promising.

0 Kudos
InTheZone
Contributor

For preventing USB transfers to external clients we block 32111 at the firewall. See http://kb.vmware.com/selfservice/viewAttachment.do?attachID=HorizonView-ReferencePorts-v1.pdf&docume... for a really nice port diagram of View that shows this.

For printing, we disable the TP AutoConnect service and TP VC Gateway service on the View desktop, then deploy LAN printers via GPO. That way they can print to their internal printers from any location (work or home), but cannot print to their home printers. Staff are also not local admins so they cannot change either of the TP services. This solution precludes the need to determine the location of the individual, which makes it much easier to deploy and manage.

I am just starting a lab for v5.3, so I don't have any answers on PCoIP yet. If I do come across a solution for your question I will post it.

-Ray

0 Kudos
VirtualSven
Hot Shot

I have the same challenge: I want to disable clipboard redirection when users connect externally (through the security server) and I want to enable clipboard redirection when users connect from an internal client/network. I think this is still not possible with View, or am I wrong? I can only set clipboard redirection with the PCoIP computer policy, so I cannot set this setting when the user logs in. This means I have to create separate pools for external use, and set the policy on those desktops. Then use tags to allow only these desktops to connect through the security server.

I don't want to create separate pools, is there an alternative?

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
0 Kudos
gilmararnold
Contributor

Well, I realized that VMware View is poor in the controls and features that Citrix provides. So you have to use scripts or third-party tools to configure your environment.

0 Kudos
roneng
Enthusiast

All you request can be done.

But it's not available to be configured in the GUI.

It can be done by utilizing the session host script, which is mentioned very briefly in the Horizon documentation.

Basically it runs scripts before the user logs in and can implement changes on the fly to the desktop based on volatile information it reads from the registry about the client, like user, location, IP, tunnel, etc...

That way you can disable / enable clipboard redirection on the fly, and also disable print redirection and anything you can think of and code.

The problem with that is the information you need to do this is not publicly available, so you will need PSO by VMware to accomplish it.

I have also been asking VMware for years for these capabilities, but with no success.

I know I did not really help, but maybe you can push your sales person to help get that engagement.