How to restrict access from specific device
My environment is using Horizon Connection server 7.10 and UAG 3.7. Each user is delegated a VD and connects using Horizon Client 4.5.3. Blast protocol is used.
For some specific users, we have to restrict their login from corporate device.
I can gather the client information from the VD registry. How can I make use of these to restrict the access, maybe by UAG or UEM policy, etc.?
- Client IP address
- Network / Wireless Adapter MAC address
- Client computer name
- Client computer login ID
You can achieve all these using DEM conditions:
Those parameters can be added into a condition set. In Smart policies, the settings are only allow/disallow Drag&Drop, Printing, client drive/USB redirection.
But how to take action for restricting / disallowing access to the VD when the user logs in using an unauthorized machine (e.g. client computer name mismatch)? Thanks,
There are no such default settings in View/DEM to restrict complete VDI access from a specified client IP. You can maybe restrict it at the external firewall level using a network ACL to block access from a specified set of client IP addresses.
In another way, does UAG support client certification authentication?
Did you figure this out? I am also trying to prevent access from any device but the device we provide the user. Currently the users that have remote access can connect from ANY device, not just company-provided devices.
Hello
You could think of integrating the UAG with Azure AD and configuring conditional access and eventually enabling the MFA. If you want some details I can give them to you.
Bye Fabio
Hi,
I'm also trying to find a solution to prevent access from any device (home PC) and allow remote VDI users to access Horizon only from Tera2 Zero Clients (not Win based client) through a UAG. The Device Certificate authentication could be the solution, but we already use RADIUS as Azure MFA (which is mandatory). But both x509 and Radius authentication are not supported by UAG.
@fabio1975 maybe there is an option to manage with Azure AD conditional access Tera2 Zero Client as well?
Maybe anyone has other recommendations on how to implement this?
Ciao @tsajauka
I work with Horizon infrastructures that used Tera2 (Teradici PCoIP) Thin Client, but only once I tried to use MFA, without success, and I found this Teradici KB.
To use Azure conditional access I suppose we need to use SAML to talk to UAG, and the Tera2 Thin Client, as I remember, does not support SAML.
@fabio1975 could you point to the mentioned Teradici KB?