Does someone know, or know how to restrict the access to some desktops pools by the ip address of the client? We need to achive this because our users will need to reach some differents desktops pool dependly of their location within the campus (we are a College). But we dosen't want a user to reach the pool of a certain lab, when he is not in the lab...Here each lab have his own subnet..
Regards.
The only way to restrict within View is to use the tags feature. This way you can restrict certain pools to connection brokers and the lab pool is only available from a particular lab connection broker available when the user is on the lab subnet. Check out page 116 of the admin guide for more information, http://pubs.vmware.com/view-50/topic/com.vmware.ICbase/PDF/view-50-administration.pdf.
Ok so it will mean that if I have 50 labs, I will nedd 50 connection servers? It will be a huge setup no? Can we pass the client ip address to the connection server or broker and define access rules at this point?
If the connections are being initiated from thin clients or repurposed PCs, you could use a script to launch the View Client and provide additional launch parameters. Those can be found in the same Administration guide mentioned earlier, and would allow you to specify the desktop pool to which users will authenticate and connect. If you're connecting using zero clients, it may be more difficult.
Dave
Came here looking to do the same... same scenario.. we use zero clients... look like the only way to acheive this would be by using policies at the network level. but vmware should do something to address this kind of scenarios.
We are currently using the tag feature and a dedicated broker(only one lab) but we found the students are changing the ip address of the P20 zero clients to connect to the lab broker which is a big NO since exams are administered on that lab...
Hi. I'm looking to do the same thing. Seems this is a relevant request for higher education and labs. It would be great if there was a way to incorporate the IP or MAC of the end-point device. Is there anything other than tags (not really a great solution) that can be done?
@vRicke. How would you use network policy to solve the issue?
It's an extremely old thread so your best bet may to start a new thread with the same question. As far as network policies maybe he is referring to some type of firewall rules that restrict certain IPs to certain View subnets.
I agree that this is a really old post, but the issue keeps coming up every now and then. I've never used the Teradici PCoIP Management Console, but I wonder if that could be used to apply profiles to groups of zero clients that would force them to always connect to specified pools. Does anybody else have some experience with the Management Console and know if it could be used that way? It might be worth having a quick conversation with somebody at Teradici, or just deploying the appliance and giving it a try.
Yah, sorry about posting in this old post. I looked around some more and looks like the Teradici PCoIP utility is the best option:
Re: Apply pool to certain zero clients, can it be done?
Ian
You can use network acl's or firewall rules to prevent connections from the lab subnet to an specified tagged broker/s and a specific subnet on the virtual machines.
And yes you can also specify using the teradici management console for zero clients to connect by default to a specific desktop pool. Still that does not prevent somebody with knowledge to connect to the pool using the client and connecting to it...
So maybe acl's or firewall rules are going to be the most restrictive one.
I'm not sure how someone could change something like the name or IP address of the zero client. The zero clients are locked down with a password, so a person wouldn't have access to get into the zero client to change anything. I agree that acl's/firewall is more flexible as that could include non-zero client type endpoints. The Teradici tool is much easier if all you have are zero clients in the environment.
I'm not sure how I follow what you mean by "use network acl's or firewall rules to prevent connections from the lab subnet to an specified tagged broker/s and a specific subnet on the virtual machines". Could you give an example of what that workflow would look like?
Nobody will be able to change the settings on the zero client but everybody is able to see them even if you lock it. So it would not prevent from somebody gathering the information and connect using the view client.
At least in our environment here we allow all clients but for testing labs is only zero clients are allowed and they are only allowed to take them from a specific location. So we lockdown the zero client but also the network.
Thanks for the feedback. These zero clients will be physically locked down to the lab, but adding network related acl's could also help with someone stealing the zero client IP. I wish VMware recognized this is an issue and added additional ways to restrict endpoint access from within the broker. Tags aren't scalable. They already have Location based awareness, but that only passes endpoint variables to the virtual desktop. They should use that info and pass it to the broker, so additional entitlement policies can be created/enforced. Doesn't seem too difficult.