VMware Cloud Community
AlexKamalov2011
Contributor

VMware vShield App and Non-Persistent Desktops in VDI

Greetings,

Wondering if anyone has had to deal with the dilemma of non-persistent desktops and user-based firewalls? I know that currently VMware vShield App does not provide a firewall based on UserID, but we're facing this issue since we're deploying a VDI environment and do not want to create persistent desktops. Also, with the UserID-based firewalls, we'd like to use the feature of temporary (expiring) firewall rules based on User ID (i.e., consultants, etc.). What do you guys think? Currently Cisco NX IOS offers this, but I was hoping VMware will be coming up with something similar in their next release or so.

Thanks again,

Alex

6 Replies
admin
Immortal

So while not exactly a user based firewall, there is a way to accomplish this with View and vShield App. 

In simple terms, basically you would have different pools of desktops for the different users you wish to limit access for and then create vShield App policies that limit where those desktops can go. The key is to deploy these desktops to resource pools on vSphere (as opposed to folders) and then create the policies in vShield App based on those resource pools.

Unfortunately we can't talk about any type of future functionality on a public list like this and would require an NDA for additional discussion of what is on the roadmap for any of our products.

AlexKamalov2011
Contributor

Ah, thank you so much for your reply. We're using Citrix Desktop + VMware ESXi 4.1. Also, we do not want to use persistent desktops. Thus, what we've been asked to do is to create an environment where firewall rules can be dynamically created/deleted based on a UserID authenticated off MS AD. Another requirement is to have "expiring" UserID-based FW rules, where a consultant would, every time he/she logs in, have a FW rule dynamically injected into the FW rule table, but with an "expiration tag" used as a reference to see if this person can or cannot access a certain system (i.e., modify the user ID profile to give a particular user access to systems for only 24 hours, etc.).

Thanks again!!!

Alex

admin
Immortal

Alex,

The solution I'm mentioning would work well with non-persistent desktops. You could also script the addition of firewall rules with the RESTful APIs if you wish. Of course this requires a bit of work to set it up.
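The two requirements from this thread, rules injected at login and rules that carry an expiration tag (from the earlier post), plus the suggestion above to script rule management against the firewall's REST API, can be sketched as a small rule-table reconciler. The following is an added example and is not code from the thread, from VMware, or from vShield App: the actual REST calls are hidden behind a hypothetical `FirewallClient` interface, and the `DryRunClient` is a constructed stand-in that only records what it would send. The source of each rule is the desktop pool (mapped to a vSphere resource pool, per the reply above) that the user's session lands in, so the rule stays valid on non-persistent desktops.

```python
"""Expiring, user-scoped firewall rules: grant at login, reap on expiry.

Constructed example. The firewall API is abstracted behind FirewallClient;
nothing here speaks the real vShield App REST protocol.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Protocol, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    user: str                       # AD account the rule was issued for
    source: str                     # desktop / resource pool the session runs in
    destination: str                # system the user may reach
    expires_at: Optional[datetime]  # the "expiration tag"; None = no expiry


class FirewallClient(Protocol):
    """Hypothetical interface a real REST client would implement."""
    def add_rule(self, rule: Rule) -> None: ...
    def delete_rule(self, rule_id: str) -> None: ...


class DryRunClient:
    """Constructed stand-in: records calls instead of sending them."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str]] = []

    def add_rule(self, rule: Rule) -> None:
        self.calls.append(("add", rule.rule_id))

    def delete_rule(self, rule_id: str) -> None:
        self.calls.append(("delete", rule_id))


@dataclass
class RuleTable:
    client: FirewallClient
    rules: Dict[str, Rule] = field(default_factory=dict)

    @staticmethod
    def _expired(rule: Rule, now: datetime) -> bool:
        return rule.expires_at is not None and rule.expires_at <= now

    def grant_on_login(self, user: str, source: str, destination: str,
                       ttl: Optional[timedelta], now: datetime) -> Rule:
        """Called from the login hook. ttl comes from the user's AD profile
        (e.g. 24 hours for a consultant); None means a non-expiring rule."""
        rule_id = f"{user}:{source}:{destination}"
        existing = self.rules.get(rule_id)
        if existing is not None and not self._expired(existing, now):
            return existing  # idempotent: repeated logins don't duplicate rules
        if existing is not None:
            # Stale rule left behind: remove it before issuing a fresh one.
            self.client.delete_rule(rule_id)
            del self.rules[rule_id]
        rule = Rule(rule_id, user, source, destination,
                    now + ttl if ttl is not None else None)
        self.client.add_rule(rule)
        self.rules[rule_id] = rule
        return rule

    def can_reach(self, user: str, destination: str, now: datetime) -> bool:
        """Check the expiration tag rather than mere rule presence."""
        return any(r.user == user and r.destination == destination
                   and not self._expired(r, now) for r in self.rules.values())

    def reap_expired(self, now: datetime) -> List[str]:
        """Periodic job: delete every rule whose expiration tag has passed."""
        expired = [rid for rid, r in self.rules.items() if self._expired(r, now)]
        for rid in expired:
            self.client.delete_rule(rid)
            del self.rules[rid]
        return expired


if __name__ == "__main__":
    t0 = datetime(2011, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    client = DryRunClient()
    table = RuleTable(client)
    table.grant_on_login("consultant1", "pool-contractors", "app-server",
                         timedelta(hours=24), t0)
    print(table.can_reach("consultant1", "app-server", t0 + timedelta(hours=23)))
    print(table.reap_expired(t0 + timedelta(hours=25)))
    print(client.calls)
```

The reconciler treats the firewall as the enforcement point and keeps its own record of which rules it created and why, so a scheduled `reap_expired` run removes access even if the user never logs out cleanly. Using time-zone-aware timestamps everywhere avoids an expiry that silently shifts with the host's local clock.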

AlexKamalov2011
Contributor

Thanks yet again for your reply. I will be looking into RESTful and how we can take advantage of it. Any links that I can hit to view examples of dynamic firewall rule injection?

Thanks a metric ton!!

Alex

admin
Immortal

Sorry for the delay in responding. See this link: http://communities.vmware.com/community/developer/codecentral/vshield for some script examples.

alexkamalov
Contributor

Thanks a ton!!!
