
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace

VMworld Europe 2013, Marilyn Basanta, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Page 1: VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace

Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace

Marilyn Basanta, Technical Solutions Architect, VMware End User Computing, @marilynbasanta

EUC5509 #EUC5509

Page 2

Agenda

Solution overview
Breakdown of elements
Load balancing and namespace services
AD configuration for PKI and Certificate Services
RADIUS integration
Persona management
vCloud Network and Security
vShield Endpoint and Anti Malware
vSphere and View configuration considerations
Horizon Workspace configuration considerations
Horizon Workspace - Mobile
Partner Solution – Trend Micro Mobile Security
Final comments

Page 3

Solution Overview

[Architecture diagram. Labels: L7 (load balancer); End User Devices; Internal Network; External Network/INTERNET; AD; SSO; CA; RADIUS; F&P; BACKUP; vC; VCNS; AV; Knowledge Workers; Mobile Knowledge Workers; Power Users; MOBILITY; SECURITY; USER EXPERIENCE; VMware View Security Server; VMware View Connection Managers; HW: Gateway VM; vCOPs; Horizon Workspace vApp; Trend Micro Mobile Security.]

Page 4

Before we dive in, some top level items to consider…

• TCP/IP schema, VLANs, routing and name resolution considerations
• Active Directory topology and requirements
• Network security requirements and policies
• Application workload requirements, user roles and behavior
• LAN/WAN topology and design for real-time protocols
• Compliance requirements

Page 5

Load Balancing and namespace services

[Diagram. Labels: L7 (load balancer); VMware View Security Servers; VMware View Connection Managers; End User Devices; Internal Network; External Network/INTERNET; INTERNAL; EXTERNAL; HA; DMZ.]

• Ensure dedicated LB networks are planned for and exist in advance of deployment
• Plan for redundant configurations, N+1 and vSphere HA/DRS affinity rules

Page 6

Active Directory considerations

• Evaluate any existing AD infrastructure
• New child domain? Security requirements
• Enough DC resources in the necessary sites?
• Enterprise CA will need to be configured from the forest root domain (FRD) down if you are deploying a Windows based PKI
• Sites and subnets configured appropriately to localize domain operations to the closest DCs

Page 7

RADIUS Integration

• More choices for RADIUS integration
• Plan for extra connection servers to provide redundant support for users authenticating with RADIUS
• Validated solution uses Microsoft RADIUS in the design.
• Configuration steps are provided in the solution design document

Page 8

Persona Management

• Considerations for virtual machines hosting profile volumes
• Tuning the profile upload interval for scale
• When possible use Persona instead of Windows Roaming profiles to avoid conflict
• Folder redirection balanced with roaming data
• Application specific requirements such as ThinApp sandbox roaming
• AV strategy using Persona: in band scanning as part of vShield Endpoint, or out of band on the persona management fileservers

Page 9

vSphere and View considerations

[Diagram label: vDS]

• Where possible leverage vDS in management and View VDI infrastructure
• Auto-Deploy and host profiles for rollout and ongoing compliance, conformity at scale
• vCNS Edge for network services such as DHCP, load balancing
• vMA for host management and administration, vSphere web client

Page 10

vCNS – App Firewall and Edge

[Diagram. Labels: VMware vSphere; Knowledge Workers; Power Users; LOB Apps.]

• vCNS App and Edge services to provide security for our logical groupings of VMs
• Define in advance the access rules that will be required to secure your resources effectively
• Remember to define rules for View agent/client/server communication and display protocols!
• Get familiar with the troubleshooting techniques required for vShield, you *WILL* need to debug at some stage!

Start with an open policy then lock it down as you go

Page 11

vSphere Feature – vShield Endpoint

[Diagram. Labels: Partner Solution: Trend Micro Deep Security; Security API; ESX; Anti-Virus; Workload VMs; VMDK; EPSec.]

• Understand the impact on density, plan for dedicated resources required by security VM per host
• Fully evaluate performance characteristics
• Look out for gotchas in on-access scanning and scheduled scanning defaults
• Ensure all hosts successfully install vShield Endpoint as part of the deployment process prior to deploying infrastructure or VDI services. If possible integrate the vendor specific VIBs into your ESXi installation image.

Page 12

Virtualization Security with Deep Security: Agentless Security Platform for Private Cloud Environments

Deep Security Virtual Appliance

• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring

[Diagram: "The Old Way" shows a security agent in every VM (VM VM VM); "With Deep Security" shows one Security Virtual Appliance alongside the workload VMs, leaving room for more VMs. Benefits called out: Easier Manageability, Higher Density, Fewer Resources, Stronger Security.]

13 10/17/2013 Confidential | Copyright 2012 Trend Micro Inc.

Page 13

Horizon Workspace vApp

[Diagram of the Workspace vApp virtual appliances (VAs) and the modules each one runs:]

Configurator VA (OS: SLES; tcserver)
• Central Wizard UI
• Distributes settings across VAs
• Network, Gateway, vCenter, SMTP attributes
• Add / remove modules
• Manage certs, security

Connector VA (OS: SLES; tcserver; App)
• User authentication (RSA SecurID)
• AD secure bind and synchronization
• Set replication schedule
• Sync View pools and ThinApp

Gateway VA (OS: SLES; Nginx; Modules)
• Enables single user-facing domain
• Routes requests to correct node

Service VA (OS: SLES; App; API; DB; tcserver)
• Workspace Admin UI
• Application Catalog
• Manage user entitlements
• Workspace Groups
• Reporting

Data VA (OS: SLES; App; API; DB; LDAP; Jetty)
• Stores files
• Controls file sharing policy for internal and external users
• Manage file preview server
• Serves end user web UI

Page 14

Horizon Workspace Deploy Considerations

• Ensure DNS name resolution is prepared in advance
• Split brain considerations for Gateway FQDN
• Prepare signed certificates in advance; the entire SSL chain must be exported
• Create an Active Directory BIND DN account
• Ensure Active Directory group structure is in place to support Workspace services (applications, data)

Page 15

Horizon Workspace Deploy Considerations

• Prepare ThinApp repositories
• Configure SAML settings for View; the default SAML timeout is 15 minutes
• Decide on a preview strategy (LibreOffice or Microsoft Preview Server)
• User Principal Name (UPN) set as a required attribute for View
• Horizon Data storage sizing

Page 16

Horizon Workspace – Gateway-va Diagram

[Diagram label: L7 Load Balancer]

Load balancing strategy and technical preparation complete

Page 17

Virtualization on Android (Mobile Virtualization Platform)

[Diagram: Personal side and Corporate side of the device. Corporate Workspace contains: Enterprise Catalog; Mail/Calendar App; Custom Apps; 3rd Party Apps.]

• Own your full version of Android OS
• Consistent native mobile experience
• Deploy applications without modifying them
• Solve Android fragmentation
• Strict corporate assets isolation
• Corporate data encryption
• VPN policy for corporate traffic
• Prevent data leakage
• Exchange email, calendar, secure browser, file browser and contacts
• Your Line Of Business application
• Provide productivity features

Page 18

How do Employees Obtain VMware Horizon Workspace/Mobile?

[Diagram labels: Employees' Device; VMware Switch.]

Page 19

Sony is supporting VMware Ready devices as a standard feature

Coming soon: Xperia Z1 and Xperia Ultra Z will be VMware Ready for worldwide coverage.

Page 20

Today's Attacks: Social, Sophisticated, Stealthy!

[Attack lifecycle diagram, from Attacker to Employees:]
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes Command & Control server
• Moves laterally across network seeking valuable data
• Extracts data of interest ($$$$); can go undetected for months!

Page 21

Page 22

MOBILE MALWARE Yes… It's real.

Page 23

Page 24

It's not just "malware", but privacy leaks…

Page 25

Well-Known Apps Leak Data…

Page 26

Device Management & Control

[Diagram: Employees; Trend Micro Mobile Security; Email, SharePoint, Corp Data, Web Traffic; Cloud Comm. Server.]

• Easy onboarding: email, URL, QR code
• Apple (iOS), Android, Blackberry, Windows Phone 7 and 8
• Optional Cloud Communication Server
• Device Discovery
• Device Provisioning
• Remote Control
• Reporting
• Inventory Management

Page 27

Threat Protection

[Diagram: Employees; Email, SharePoint, Corp Data, Web Traffic; Trend Micro Mobile Security.]

• Android AV and Website Reputation
• Leveraging Smart Protection Network
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam

Page 28

Complete End User Protection

[Diagram. User activities: Email & Messaging; Web Access; Device Hopping; Collaboration; Cloud Sync & Sharing; Social Networking; File/Folder & Removable Media. Protection layers: Anti-Malware; Encryption; Application Control; Device Management; Data Loss Prevention; Content Filtering. Actors: Employees; IT Admin; Security.]

Page 29

Trend Micro Mobile Security

Manage Device Management
• Device Discovery
• Device Enrollment
• Device Provisioning
• Asset Tracking
• S/W Management
• Remote Control
• Reporting
• Summary Views
• Summary Reports

Mobile Device Security
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam
• Jail break detection
• App Reputation

Data Protection
• Encryption Enforcement
• Remote Wipe
• Selective Wipe
• Remote Lock
• Feature Lock
• Password Policy

Application Management
• App Black Listing
• App White Listing
• App Push (Required / Optional)
• App Inventory

Stand Alone/Integrated

Page 30

Horizon Virtual Workspace

[Diagram: Windows Management and Delivery (server hosted & local; apps and desktops): VMware Horizon View & Mirage. Secure Mobile Workspace (across all devices; apps, data, collaboration): VMware Horizon Workspace. Virtual Workspace: secure access to all my stuff, anywhere, anytime.]

Page 31

Next Steps

For more information on Mobile Secure Desktop design, please visit:

Mobile Secure Desktop Validated Design Guide: http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf

Mobile Secure Desktop Solution Guide: http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf

View Design Resources: http://www.vmware.com/products/desktop_virtualization/view/technical-resources.html#Design

Horizon Workspace Reviewer's Guide: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reviewers-guide.pdf

Integrating Horizon Workspace and Horizon View: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-integration-horizon-workspace.pdf

Configuring Horizon Switch: http://blogs.vmware.com/horizontech/2013/08/configuring-vmware-switch-for-android-with-vmware-horizon-workspace-1-5.html

Page 32

THANK YOU

Page 33