What you are asking is a much deeper and more complex conversation than can likely be answered here. I would highly recommend engaging a VAR that can understand all of your requirements and guide you to the best solution.
Hello, Thank you for your reply.
Please can I know what you mean by VAR? Can you please help me get an answer to my question?
There is a problem with the VDI description: does it rely on the user ID or the IP address? And if it's on the user ID, where will this ID be specified, through the Domain Controller or whom?
A value-added reseller or VAR is a company that you use for purchasing hardware, software or professional services.
To answer your initial question you might be better off tunneling all of the endpoint traffic through a connection server or Unified Access Gateway (UAG). This would allow for all the connections to the virtual desktops to source from known IP addresses. Logging on the connection servers would then tell you the source IP if it's needed.
1. Usually, when you are not tunneling, which means a Horizon virtual desktop connects to a Horizon client directly, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, for example:
Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from all the Horizon clients in range 10.10.10.20 to 10.10.10.251 on X ports.
Like BenFB said, when you are tunneling, which means a Horizon virtual desktop connects to a Horizon Connection Server or Unified Access Gateway, you will need to specify the firewall rules based on the IP subnet or IP range of your virtual desktops that is used for DHCP, and the tunneling server, for example:
Allow all virtual desktops in range 192.168.1.20 to 192.168.1.251 to send/receive traffic to/from Horizon Connection server 10.2.2.5 on X ports.
2. Installing PGP in a golden image -- have not used PGP, but I can imagine possible problems with it and non-persistent (linked or instant clone) virtual desktops.
However, you can use other full disk encryption systems with persistent (full clone) Horizon virtual desktops:
VMware's own vSphere Virtual Machine Encryption:
3. SIEM systems -- for persistent virtual desktops, there will be a persistent user name assigned to the desktop, and a DHCP IP address that may change, though rarely. Therefore, best is to get a SIEM system that understands Active Directory user logons and can correlate events based on them. Otherwise, you will need to rely on the fact that the user will usually (but not always) get the same IP address from DHCP.
For non-persistent virtual desktops, the DHCP address may change much more often, and the user gets a fresh virtual desktop every time. Therefore, your SIEM system MUST understand Active Directory user logons and correlate events based on them.
4. Overall, VDI has some issues with various Security tools, but at the same time improves Security in other areas. For example, all data stays in the datacenter. In addition, in a non-persistent virtual desktop environment, viruses can be killed by logging off, destroying the virtual desktop and the virus in it.
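As an added illustration of point 3 above (not code from the original thread or from VMware), the following Python snippet shows why a SIEM that correlates on Active Directory logons attributes events correctly in a non-persistent pool, while a lookup keyed on IP address alone does not. All events below are constructed sample data: the logon records mimic Windows Security log 4624 (logon) / 4634 (logoff) fields, and the network records stand in for firewall or proxy lines that carry only a source IP. Host names, user names and addresses are invented.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed logon/logoff events: (timestamp, event_id, user, desktop, ip).
# Day 2 models an instant-clone pool: alice gets a fresh desktop with a new
# DHCP lease, and bob is handed the address alice used the day before.
LOGON_EVENTS = [
    ("2024-05-01T08:00:00", 4624, "alice", "VDI-0007", "192.168.1.20"),
    ("2024-05-01T17:00:00", 4634, "alice", "VDI-0007", "192.168.1.20"),
    ("2024-05-02T08:05:00", 4624, "alice", "VDI-0012", "192.168.1.35"),
    ("2024-05-02T08:10:00", 4624, "bob",   "VDI-0009", "192.168.1.20"),
    ("2024-05-02T16:30:00", 4634, "bob",   "VDI-0009", "192.168.1.20"),
]

# Constructed network events keyed only by source IP: (timestamp, src_ip, detail).
NETWORK_EVENTS = [
    ("2024-05-01T10:15:00", "192.168.1.20", "outbound to 203.0.113.7:443"),
    ("2024-05-02T09:00:00", "192.168.1.20", "outbound to 203.0.113.7:443"),
    ("2024-05-02T09:30:00", "192.168.1.35", "outbound to 198.51.100.4:443"),
    ("2024-05-02T23:00:00", "192.168.1.20", "outbound to 203.0.113.9:443"),
]


@dataclass
class Session:
    """One user's logon interval on one desktop at one address."""
    user: str
    desktop: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None while the user is still logged on


def build_sessions(events):
    """Pair 4624/4634 events into sessions, keyed by (user, desktop, ip)."""
    open_sessions = {}
    sessions = []
    for ts, event_id, user, desktop, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (user, desktop, ip)
        if event_id == 4624:
            open_sessions[key] = Session(user, desktop, ip, t, None)
        elif event_id == 4634 and key in open_sessions:
            s = open_sessions.pop(key)
            s.end = t
            sessions.append(s)
    sessions.extend(open_sessions.values())  # still-open sessions
    return sessions


def attribute_by_ip_only(logon_events, ip):
    """Naive lookup: the most recent user ever seen logging on at this IP."""
    owner = None
    for _ts, event_id, user, _desktop, addr in sorted(logon_events):
        if addr == ip and event_id == 4624:
            owner = user
    return owner


def attribute_by_logon(sessions, ip, ts):
    """Time-aware lookup: the user whose logon session covered this IP at ts."""
    t = datetime.fromisoformat(ts)
    for s in sessions:
        if s.ip == ip and s.start <= t and (s.end is None or t <= s.end):
            return s.user
    return None  # nobody was logged on at that address at that time


def correlate(logon_events, network_events):
    """Attribute each network event both ways so the difference is visible."""
    sessions = build_sessions(logon_events)
    return [
        {
            "time": ts,
            "ip": ip,
            "detail": detail,
            "ip_only_guess": attribute_by_ip_only(logon_events, ip),
            "logon_correlated": attribute_by_logon(sessions, ip, ts),
        }
        for ts, ip, detail in network_events
    ]


if __name__ == "__main__":
    for row in correlate(LOGON_EVENTS, NETWORK_EVENTS):
        print(row)
```

The first network event (day 1, 192.168.1.20) belongs to alice, but the IP-only lookup blames bob because he held that address most recently; the last event (day 2, 23:00) falls outside any session and is left unattributed rather than pinned on whoever last had the lease. That is the behaviour the post asks for from a SIEM in a non-persistent pool.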