Table of Contents - VMware Hands On Lab Manuals

HOL-1741-USE-1
Table of Contents
Lab Overview - HOL-1741-USE-1 - Horizon and NSX: Use Cases to Secure and Protect Healthcare
  Lab Guidance
Module 1 - Just-In-Time Application Deployment with AppVolumes (30 minutes)
  Module 1 Introduction
  Just-In-Time Application Deployment Application delivery using App Volumes
  Module 1 Summary
Module 2 - Protecting Horizon Desktops with NSX and Trend Micro Deep Security (45 minutes)
  Module 2 Introduction
  Protecting Horizon Desktops with NSX and Trend Micro Deep Security
  Module 2 Summary
Module 3 - Securing and protecting internal access using VMware NSX Load Balancing (45 minutes)
  Module 3 Introduction
  Securing and protecting internal access using VMware NSX Load Balancing
  Module 3 Summary
Module 4 - Securing and protecting external access using VMware Horizon access servers (45 minutes)
  Module 4 introduction
  Securing and protecting external access using VMware Horizon access servers
  Module 4 Summary
Lab Overview - HOL-1741-USE-1 - Horizon and NSX: Use Cases to Secure and Protect Healthcare
Lab Guidance
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.
Healthcare organizations frequently perceive that security and speed are mutually
exclusive benefits. Most healthcare organizations are stuck with archaic and brittle
forms of securing their data centers and end points. These same organizations have yet
to modernize their approach to application delivery. With HIPAA, HITECH, and PCI
compliance requirements, healthcare organizations need to look at innovative ways to
secure one of the most vulnerable access points: the end point. We need to address a
better way to provision new clinical applications and services, and we need to do so in
real-time.
Virtualization has brought tremendous efficiency, flexibility and speed to the
consumption of resources in the datacenter. These benefits are enabled by the
abstraction of compute and memory resources from the underlying physical hardware.
What if we did the same thing for network and application provisioning?
In this lab we'll show you some new and exciting ways to provision applications in real-time to clinicians and end users. We'll also take a look at securing the end point
leveraging identity-based dynamic firewalls including Trend Micro Deep Security to
secure the desktop.
A brief description of each module follows:
Lab Module List:
• Module 1 - Real Time Application Delivery with AppVolumes (30
minutes)
• Module 2 - Protecting Horizon Desktops with NSX and Trend Micro Deep
Security (30 minutes)
• Module 3 - Securing and protecting internal access using VMware NSX
Load Balancing (45 minutes)
• Module 4 - Securing and protecting external access using VMware
Horizon access servers (45 minutes)
Lab Captains:
Kevin Moats, Senior Technical Account Manager, USA
David Coleman, Sr. Systems Engineer, USA
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
Location of the Main Console
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved; all your
work must be done during the lab session. However, you can click EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.
Alternate Methods of Keyboard Data Entry
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
Click and Drag Lab Manual Content Into Console Active
Window
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
Accessing the Online International Keyboard
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
Click once in active console window
In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.
1. Click once in the active console window.
2. Click on the Shift key.
Click on the @ key
1. Click on the "@" key.
Notice the @ sign entered in the active console window.
Activation Prompt or Watermark
When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.
This cosmetic issue has no effect on your lab.
Look at the lower right portion of the screen
Please check to see that your lab has finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - Just-In-Time Application Deployment with AppVolumes (30 minutes)
Module 1 Introduction
In module one, we are going to discuss and demonstrate Real Time application
deployment. This will demonstrate the ability to provision applications in real time and
how doing so is valuable to clinicians. The solution saves clinicians and end users time
spent waiting for IT and adds time back to seeing patients.
Just-In-Time Application Deployment Application delivery using App Volumes
In this module you will leverage VMware App Volumes for real time application delivery.
Access the VMware Horizon Client
1. From the main console machine double click VMware Horizon Client.
Connect to the Horizon desktop
1. Double Click the view-external.corp.local icon to connect to the Horizon
infrastructure and your virtual desktop.
Logon
A new Clinician was hired and provisioned a virtual desktop.
Log on as Dr. Melissa Null using the following credentials:
1. User name: mnull.
2. Password: VMware1!.
3. Domain: CORP.
4. Click Login.
Select Healthcare_Win_7 desktop
1. As you can see Dr. Null has two desktops provisioned to her. Double click the
HealthCare_Win_7 desktop.
Open the Chrome Browser
From the Main Console desktop.
1. Launch the Google Chrome browser.
Open a new tab to App Volumes Manager
1. Click to open a New Tab.
2. Click the App Volumes Manager bookmark to open the manager.
3. Username: Administrator.
4. Password: VMware1!.
5. Click Login to open the manager.
App Volumes Manager
1. Click on the Volumes tab to locate the application container.
Review the AppStack
1. Click the AppStacks tab.
2. Click the Plus sign to Expand the Fuji Synapse Workstation AppStack.
Go back to the Healthcare Desktop
1. From the taskbar of the main console machine click the HealthCare_Win_7
desktop.
Launch Fuji Synapse
1. Launch the Fuji Synapse Application.
Wait, where is the application?
Note the connection information: Desktop (Host) name is WIN7-VIEW-01A and the user
name is mnull.
Start Menu...Programs
Maybe the Application Icon was not placed on the desktop, let's go check.
1. Click the Windows Start icon.
2. Click on All Programs.
Fuji Program Folder
Notice that there is no Fuji application folder; the application is not installed on this
machine.
Go Back to App Volumes Manager.
1. Click on the App Volumes Manager object on the Taskbar.
Assign the AppStack
It appears that we need to assign the application(s) or AppStack to the desktop.
1. Click Assign.
Assign Fuji Synapse Workstation AppStack
1. In the search window enter Win7.
2. Click Search to look up the machine in Active Directory.
3. Click on the Corp\WIN7-VIEW-01A machine.
4. Check the Available box.
5. Click on Assign.
Confirm the Assignment
Notice you have multiple choices for how the application will be attached. You can either
attach the applications on the next login or immediately.
1. You have the choice to provision the AppStack in real time or on next login or
reboot. Click the radio button Attach AppStacks immediately.
2. Click Assign to complete.
Return to the Horizon View Session
Let's return to your Horizon desktop.
1. Click HealthCare_Win_7 from the main console task bar.
Real Time Application Delivery
Notice that you are connected to the same desktop, Win7-View-01a, and connected as
user mnull.
Based on your assignment, AppVolumes delivered the Fuji Synapse Application without
modifying the desktop or going through an install process.
Start Menu...Programs
Let's go verify that the application icon was also placed in the Start menu.
1. Click the Windows Start icon.
2. Click on All Programs.
Fuji Program Folder
Notice that you now have a FujiFilm Medical application folder.
Launch Fuji Synapse
1. Double Click the application icon to launch the Fuji Synapse Application from the
desktop.
Connect to Synapse
1. Double Click the Synapse network (this may take a moment).
All Studies
1. Double Click the All Studies (with images) folder
Search for Patient
1. In Patient Name search for Allen and press enter.
2. From the filtered list find the patient "Allen, Ted" with the Acc# 1378 and
double click the record.
Minimize the Patient Information
Wait a moment for the Patient window to appear and then minimize it.
1. Click the minus to minimize.
Expose The Hidden Toolbar
Fuji Synapse has a full set of features located in the hidden toolbar
1. Move your mouse pointer to the top of the window to expose the Toolbar.
Close the Patient record
1. Click Organize.
2. Click Close on Patient Image to return to the records.
Search on Acc # 1203
1. Clear any Patient Name data.
2. Enter 1203 in the Acc # field to filter the view.
3. Double-Click the patient record to open
Close Patient Information
1. Close the Patient Information to view the image.
Image Tools
1. Right Click in the image to reveal the Image Tools
2. Click on the Cine... option (short for Cinema)
Lossless Image review
You can review a lossless image in motion based on the stored image scan.
1. Click the X to close the Cine tool.
Close the Images
1. Click Organize.
2. Click Close on Patient Image to return to the records.
Close Synapse
To Close Synapse.
1. Click the X.
Disconnect from the Healthcare_Win_7 Desktop session
1. Right click HealthCare_Win_7.
2. Click on Close window.
Confirm disconnect
1. Click OK
Close the VMware Horizon Client
1. Click the X.
Module 1 Summary
In Module 1 we discussed and demonstrated leveraging Real Time application
deployment without interrupting clinician workflows. Leveraging this solution will enable
clinicians to receive near instantaneous application access and does so seamlessly from
the end user perspective.
Module 2 - Protecting Horizon Desktops with NSX and Trend Micro Deep Security (45 minutes)
Module 2 Introduction
In Module 2 we are going to look at the ability of Trend Micro Deep Security to
detect a virus on a VDI instance; then, leveraging VMware NSX, we will use a firewall rule
to block all traffic to and from the VM. In a production environment we could implement
more advanced NSX firewall rules that allow an anti-virus server to access the
infected machine and remediate the threat. This functionality could be extended
by using vSphere APIs to capture the current state of the virtual machine just after
infection for further investigation.
Protecting Horizon Desktops with NSX
and Trend Micro Deep Security
Launch Google Chrome
1. Double click Google Chrome from the Main Console desktop.
Select Trend Micro Deep Security from the menu bar
1. Double click Trend Micro Deep Security from the menu bar.
Log into Trend Micro Deep Security
Log into Trend Micro Deep Security.
1. Username: admin.
2. Password: VMware1!.
3. Click Sign in.
Trend Micro Deep Security Main screen
1. From the main screen select computers.
View Win7-VIEW-01A.corp.local (Win7-View-01a)
Scroll down and find Win7-VIEW-01A.corp.local (Win7-View-01a).
Note that it is "Managed (Online)".
Launch the Horizon View Client
1. Go back to the Main console desktop and Double Click the Horizon View
Client icon.
Double Click the cloud icon to connect to the "view-external" Horizon infrastructure and your virtual desktop.
The View-external.corp.local name space will connect you to one of the redundant
Horizon access servers through the edge services gateway load balancer services.
1. Double click the view-external.corp.local icon. (They may not be in order
shown.)
Login
Log in as Dr. Melissa Null using the following credentials.
1. User name: mnull.
2. Password: VMware1!.
3. Domain: CORP.
4. Click Login.
Connect to your Health care desktop
1. Double click the HealthCare_Win_7 Icon.
Open the Trend Micro Deep security notifier
1. Click the task bar arrow
2. Double click the Trend Icon
Verify Trend protection
Due to the nature of the Hands on Lab environment occasionally the Trend system will
start up in a degraded state. If it is in a degraded state this module will not work as
expected.
1. If Trend Micro Deep Security reports as "Appliance Running", move on to the
next step; your lab is functional.
2. If Trend Micro Deep Security reports as "Appliance Unknown/Unreachable",
please END YOUR LAB and start a new one, as it is degraded and will not
function as required.
From the desktop of the Healthcare_Win_7 machine
locate the Temp Shortcut folder
1. From the HealthCare_Win_7 desktop double click on the "temp-Shortcut" folder.
Copy the eicar.com file
eicar.com is the European Institute of Computer Anti-virus Research's Standard Anti-Malware
Test File, a special 'dummy' virus file which we will now use to test the correct
operation of our Trend Micro Deep Security along with NSX rulesets. (For purposes of
this test the "Temp" directory has been excluded from detection.)
1. Right click the eicar.com file
2. Select copy.
Paste the eicar.com file to the desktop
1. Click anywhere on the desktop.
2. Right click on the desktop.
3. Select Paste.
Malware will be detected
The eicar file will not be permitted to be pasted to the desktop and will be detected as
malicious code. A firewall rule will block all traffic to and from the desktop. This will
cause your session to terminate, and if you try to reconnect to the desktop you will be
unable to at this point. Let's investigate further.
Malware detection message will appear.
Open Browser
1. Go back to the Google Chrome browser on the Main Console.
Open the vCenter Web Client
Let's investigate further.
1. Open a new Tab.
2. Select the link for vCenter - Region A .
Log in to the VMware Web Client
1. Check the box for Use Windows session authentication.
2. Click Login.
Search for the Win7 desktop
1. At the upper right of the home page of the vSphere Web Client go to the search
bar.
2. Type in Win7 (Win7-View-01a appears below).
3. Click on the Win7-View-01a VM.
Review the Win7 VM
1. From the Summary tab of the Win7-View-01a VM, scroll down to Security Tags.
Note that the VM has been tagged with the "ANTI_VIRUS.VirusFound.threat=medium"
tag.
View Firewall rules
1. Click on the home button.
2. From the dropdown select Networking & Security.
View NSX Service composer
1. On the left side of the NSX Home page click Service Composer.
View Security Groups
1. Click on Security Group tab.
2. Click the Quarantine Group.
3. In the Virtual Machine column you see there is one member of the group. Click
the number.
Notice the name of the VM in the Group. We can now verify that our Win7-View-01a VM
has indeed been caught by this NSX Firewall rule due to the virus file we tried
copying to the View desktop.
4. Click the "x" to close the window.
Switch to Trend
Go back to the Trend Deep Security Tab in Chrome
1. Switch to the Trend Deep Security tab in Chrome.
(Log back in if you have been timed out.)
Username: admin
Password: VMware1!
Click Sign in
Trend Micro Deep Security Main screen
1. From the main screen select computers.
View Win7-VIEW-01A.corp.local (Win7-View-01a)
1. Scroll down and find Win7-VIEW-01A.corp.local (Win7-View-01a)
2. Double click the WIN7-VIEW-01A.corp.local VM
View Anti-Malware detection
1. From the WIN7-VIEW-01A.corp.local system select Anti-Malware.
View Events
1. Click on the Events Tab.
2. Note that the Eicar file is listed as a quarantined file. This tells us that our file
was quarantined and remediated.
3. Close the WIN7-VIEW-01A.corp.local Tab.
Rescan the VM
1. Right Click WIN7-VIEW-01A.corp.local in Trend.
2. Select Actions.
3. Select Full Scan for Malware (allow 60 seconds or so for this to complete) .
View NSX Service Composer
1. Go back to the vSphere Web Client Tab in Google Chrome
2. You should still be on the Service Composer tab; click Refresh at the top of the
page.
View the quarantined machines
Note that the number of Quarantined machines is now back at zero. This tells us that
our machine has been effectively cleaned by Trend and put back into the active machine
network.
Verify your connection to the Horizon desktop works once
again
1. From the bottom task bar select VMware Horizon Client.
Connect to your Health care desktop
1. Double click the HealthCare_Win_7 Icon.
Login
Log in as Dr. Melissa Null using the following credentials.
1. User name: mnull.
2. Password: VMware1!.
3. Domain: CORP.
4. Click Login.
Module 2 Summary
In Module 2 we've seen how we can leverage both NSX and Trend Micro Deep Security
together to detect and quarantine a Horizon desktop. We then showed how, after
remediating the threat in Trend, NSX automatically detected that the VM was
clean and removed it from the quarantine group, so that the system is back
and ready for use. This automated workflow is a huge advantage for Healthcare
organizations to quickly quarantine and remediate threats.
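The workflow above, plus the production variant mentioned in the Module 2 introduction, as an added Python model that is not part of the lab manual and does not call the NSX API. It assumes the Quarantine group's membership follows the security tag, that a clean rescan removes the tag, and that unmatched traffic is allowed; `av-server` is a hypothetical remediation host.

```python
from dataclasses import dataclass, field

VIRUS_TAG = "ANTI_VIRUS.VirusFound.threat=medium"  # security tag shown in the lab
DESKTOP = "Win7-View-01a"                          # desktop VM from the lab
BROKER = "HVCS-01a"                                # a connection server from the lab
AV_SERVER = "av-server"                            # hypothetical remediation server


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # a VM name, "group:<name>" or "any"
    destination: str  # same selector syntax as source
    action: str       # "allow" or "block"


class Inventory:
    """VMs plus dynamic groups whose membership rule is 'carries this tag'."""

    def __init__(self, vms, groups):
        self.vms = {vm.name: vm for vm in vms}
        self.groups = groups  # group name -> tag that grants membership (assumption)

    def members(self, group):
        tag = self.groups[group]
        return {name for name, vm in self.vms.items() if tag in vm.tags}

    def selects(self, selector, vm_name):
        if selector == "any":
            return True
        if selector.startswith("group:"):
            return vm_name in self.members(selector[len("group:"):])
        return selector == vm_name


def evaluate(inv, rules, src, dst):
    """Return (action, rule name) of the first rule matching src -> dst."""
    for rule in rules:
        if inv.selects(rule.source, src) and inv.selects(rule.destination, dst):
            return rule.action, rule.name
    return "allow", "default"  # assumption: traffic no rule matches is allowed


# What the lab shows: quarantined VMs are cut off in both directions.
ISOLATE = [
    Rule("quarantine-out", "group:Quarantine", "any", "block"),
    Rule("quarantine-in", "any", "group:Quarantine", "block"),
]
# Production variant from the introduction: the AV server can still reach the VM.
AV_ACCESS = [
    Rule("av-to-quarantine", AV_SERVER, "group:Quarantine", "allow"),
    Rule("quarantine-to-av", "group:Quarantine", AV_SERVER, "allow"),
]


def walk_through():
    """Replay detection, isolation and release; return the verdict at each step."""
    inv = Inventory([VM(DESKTOP), VM(BROKER), VM(AV_SERVER)],
                    {"Quarantine": VIRUS_TAG})
    steps = {}
    steps["clean"] = evaluate(inv, ISOLATE, BROKER, DESKTOP)
    inv.vms[DESKTOP].tags.add(VIRUS_TAG)       # detection tags the VM
    steps["members_after_detection"] = inv.members("Quarantine")
    steps["infected"] = evaluate(inv, ISOLATE, BROKER, DESKTOP)
    # Rule order decides whether the remediation exception takes effect.
    steps["av_exception_first"] = evaluate(inv, AV_ACCESS + ISOLATE, AV_SERVER, DESKTOP)
    steps["av_exception_last"] = evaluate(inv, ISOLATE + AV_ACCESS, AV_SERVER, DESKTOP)
    inv.vms[DESKTOP].tags.discard(VIRUS_TAG)   # assumption: clean rescan removes the tag
    steps["members_after_rescan"] = inv.members("Quarantine")
    steps["restored"] = evaluate(inv, ISOLATE, BROKER, DESKTOP)
    return steps


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step:24} {result}")
```

The two `av_exception_*` steps differ only in rule order: placed after the isolation rules, the remediation exception never matches.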
Module 3 - Securing and protecting internal access using VMware NSX Load Balancing (45 minutes)
Module 3 Introduction
In module three we are going to demonstrate access to two load balanced Horizon
connection brokers through a NSX load balancer. We will use a Windows 10 virtual
machine configured on an internal corporate network to demonstrate a connection to a
Windows 7 Horizon managed virtual machine through a redundant pair of Horizon
connection brokers with a single connection name space and SSL certificate.
This Module contains the following lessons:
• Lesson 1: Connection to a Horizon hosted virtual machine through a NSX load
balancer
• Lesson 2: Exploring the NSX load balancing configuration
• Lesson 3: Verify redundant connection server used for Horizon View connection
Module 3 Topology
The key components are outlined here.
1. External endpoint
2. Endpoint on an internal secure network
3. Target Health Care virtual machine
4. Load balancing services
5. Redundant connection servers
Securing and protecting internal
access using VMware NSX Load
Balancing
In this module you will connect to an internal Windows 7 Health Care desktop through
one of two redundant Horizon connection servers, verify redundancy and explore the
NSX configuration.
Connect to the internal clinical desktop
1. Double Click the Internal Clinical Desktop Icon.
Log in
Log in as Administrator using the following credentials:
1. Verify user: corp\administrator.
2. Type Password: VMware1!.
3. Click OK.
Check your desktop, then Launch the VMware Horizon
Client
Based on the Hands-on Labs environment, you will be using the Win10-internal virtual
machine as a desktop endpoint. This would normally be a physical device located on an
internal trusted corporate network.
Validate that you are connected to the Win10-internal desktop and that you are
connected to the 172.16.30.0 subnet.
1. Double click the VMware Horizon Client to launch it.
Double Click the cloud icon to connect to the "view-internal" Horizon infrastructure and your virtual desktop.
The View-internal.corp.local name space will connect you to one of the redundant
Horizon connection servers through a NSX load balancer.
1. Double click the view-internal.corp.local icon.
Log in
Log in as Dr. Melissa Null using the following credentials:
1. User name: mnull.
2. Password: VMware1!.
3. Domain: CORP.
4. Click Login.
Connect to your Health care desktop
1. Double click the HealthCare_Win_7 Icon
Verify connection to Horizon hosted virtual machine
You are now connected to your Health Care Windows 7 Virtual machine through one of
two redundant connection servers, HVCS-01a or HVCS-02a (It should be HVCS-02a)
1. Verify you are connected to Win7-view-01a.
2. Make note of the connection server you are connected to and write it down or
remember it.
Disconnect from the Healthcare_Win_7 Desktop session
1. Click options.
2. Click Disconnect.
Confirm disconnect
1. Click OK
Close the VMware Horizon Client
1. Click the X.
Confirm disconnect
1. Click OK.
Explore NSX load balancing configuration
In this lesson we will explore the NSX load balancing configuration and force a
connection server failure.
Launch the VMware Web client
1. Launch Chrome from your Main console machine.
Log in to the VMware Web Client
1. Check the box for Use Windows session authentication.
2. Click Login.
Navigate to networking and Security
1. Click the Home button.
2. Click on Networking & Security.
Open NSX Edges
1. Click on NSX Edges.
Open the view-internal Load Balancer
1. Double Click the view-internal-LoadBalancer edge gateway.
Open the view-internal application profile
1. Click the manage tab.
2. Click on the Load Balancer tab.
3. Select Application profiles.
4. Click the edit icon.
Explore the Application Profile for Horizon View
1. Notice that the Application profile is set to HTTPS and is using a certificate
assigned at the load balancer in termination mode with the name view-internal.corp.local.
2. Once complete, click Cancel (note: you may need to maximize your Chrome
window and drag the configuration window up to access the Cancel
button).
Open the Horizon View service monitor
1. Select service monitoring.
2. Highlight the HVCS monitor-4.
3. Click the Edit icon.
Explore the HVCS service monitor settings
1. Notice that the monitor is set to HTTPS and is configured to detect a /portal page.
2. Once complete, click Cancel (note: you may need to maximize your Chrome
window and drag the configuration window up to access the Cancel
button).
Explore the pool statistics
1. Select the Pools section.
2. Click on Show Pool statistics.
3. Click on Pool-1.
4. At this point both servers should show as UP. (Note: Due to the nature of Hands
on labs one server may be down.)
If both servers show as up, please move to the next step. If one server shows
down, this completes the module and shows that even with one connection
server UP the connection was still successful. Please move on to the next
module or end your lab.
Close the Pool statistics window
1. Click the X button.
Find the connection server virtual machine.
Proceed with this step only if both connection servers show as UP in the load
balanced Pool Status.
1. Type the connection server name you noted in Lesson 1 into the search box.
2. Click on the connection server name.
Power off the selected connection server to simulate a
failure
1. Right click the connection server.
2. Hover over Power.
3. Click Power Off.
Confirm power off of virtual machine
1. Click Yes.
Navigate back to networking and Security
1. Click the Home button.
2. Click on Networking & Security.
Open NSX Edges again
1. Click on NSX Edges.
Open the view-internal Load Balancer again
1. Double Click the view-internal-LoadBalancer edge gateway.
Explore the pool statistics after failure
1. Select the Pools section.
2. Click on Show Pool statistics.
3. Click on Pool-1.
4. At this point one server will show as DOWN; verify this is the one you shut down
in an earlier step.
Close the Pool statistics window
1. Click the X button.
Verify redundant connection server used for Horizon View
connection
Verify redundant connection server used for Horizon View connection.
Return to the RDP session
1. Click the open RDP session
Relaunch the Horizon View Client
1. Double Click the Horizon Client
Double Click the cloud icon to connect to the "view-internal" Horizon infrastructure and your virtual desktop.
The View-internal.corp.local name space will connect you to the remaining redundant
Horizon connection server through the edge gateway we just explored.
1. Double click the view-internal.corp.local icon
Log in
Log on as Dr. Melissa Null using the following credentials:
1. User name: mnull
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to your Health care desktop
1. Double click the HealthCare_Win_7 Icon
Verify connection to Horizon hosted virtual machine
You are once again connected to your Health Care Windows 7 Virtual machine now
through the redundant connection server
1. Verify you are once again connected to Win7-view-01a
2. Make note you are now connected to the only remaining connection server
Close the vSphere Web Client
1. Right click Chrome in the task bar
2. Select close window
Disconnect from the Healthcare_Win_7 Desktop session
1. Click options
2. Click Disconnect
Confirm disconnect
1. Click OK
Close the VMware Horizon Client
1. Click the X
Close the RDP session
1. Click the X to close the RDP session
Confirm the RDP session disconnect
1. Click OK
Module 3 Summary
In module three we demonstrated access to two load balanced Horizon connection
brokers through a NSX load balancer. We also simulated a failure of one Horizon
connection server and verified redundancy. This redundancy is key when designing a
virtual desktop environment for Healthcare organizations.
How to End Lab
To end your lab click on the END button.
Module 4 - Securing and protecting external access using VMware Horizon access servers (45 minutes)
Module 4 introduction
In module four we are going to demonstrate access to two Horizon View Access servers
through a NSX load balancer. We will simulate an external firewall protected connection
to a Windows 7 Horizon managed virtual machine through a redundant pair of Horizon
Access servers with a single connection name space and SSL certificate. The Access
Point functions as a secure gateway for users who want to access Horizon 6 desktops
and applications from outside the corporate firewall.
This Module contains the following lessons:
• Lesson 1: Verify external access to internal protected network is secure
• Lesson 2: Exploring the NSX firewall configuration
• Lesson 3: Connection to a Horizon hosted virtual machine through a NSX edge
gateway to a protected internal network.
Module 4 topology
The key components are outlined here.
1. External endpoint
2. Endpoint on an internal secure network
3. Target Health Care virtual machine
4. Load balancing services
5. Redundant connection servers
6. Redundant access points
7. Edge services Gateway and Load balancer
Securing and protecting external
access using VMware Horizon access
servers
In this module we are going to demonstrate access to two Horizon View Access servers
through a NSX load balancer
Lesson 1: Verify external access to internal protected
network is secure
1. Double Click the Horizon View Client icon on your Main Console
Double Click the cloud icon to connect to the "view-internal" Horizon infrastructure and your virtual desktop.
The View-internal.corp.local name space will connect you to one of the redundant
Horizon connection servers through a NSX load balancer.
1. Double click the view-internal.corp.local icon
This connection will timeout and fail
After approximately one minute and 30 seconds this connection will timeout and fail.
This is by design: the client is attempting to connect to the internal name space view-internal.corp.local.
1. Click on the OK button
Launch the command prompt
1. From the task bar click the command prompt icon
Determine what resource the view-internal.corp.local
name space is mapped to
1. At the command prompt type the following and press enter
ping view-internal.corp.local
2. Note that the target is 172.16.60.100
Topology explanation
The timeout occurs because a distributed firewall rule blocks
TCP 443 authentication access between our source machine and the view-internal load balancer for Horizon View services.
1. Source machine
2. Destination Load balancing services
3. Distributed firewall rule
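The gap between a name that resolves and a client connection that times out can be measured directly from the console. The PowerShell function below is an added example, not part of the lab manual; the function name Test-TcpPath and the 5-second timeout are assumptions, and the host name and port are the ones used in the steps above.

```powershell
# Added example (not from the lab manual). Test-TcpPath and the timeout are assumptions.
function Test-TcpPath {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )

    $report = [ordered]@{ Host = $HostName; Address = $null; Port = $Port; Result = $null }

    # Step 1: name resolution, the part the ping step already demonstrates.
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
    } catch {
        $ip = $null
    }
    if (-not $ip) {
        $report.Result = 'NoIPv4Address'
        return [pscustomobject]$report
    }
    $report.Address = $ip.ToString()

    # Step 2: TCP handshake with a bounded wait instead of the client's long timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ip, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither SYN-ACK nor RST came back: the packets were dropped in the path.
            $report.Result = 'Timeout'
        } else {
            $client.EndConnect($pending)   # throws if the handshake failed
            $report.Result = 'Open'
        }
    } catch {
        # Report the socket error (for example ConnectionRefused) when there is one.
        $inner = $_.Exception.GetBaseException()
        $report.Result = if ($inner -is [System.Net.Sockets.SocketException]) {
            "$($inner.SocketErrorCode)"
        } else { 'Error' }
    } finally {
        $client.Close()
    }
    return [pscustomobject]$report
}

Test-TcpPath -HostName 'view-internal.corp.local' -Port 443
```

A resolved address together with a `Timeout` result is consistent with the client behaviour described above, where traffic to TCP 443 is blocked without a reply. Running the function again after a rule change is published shows whether the path has opened.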
Close the command prompt window
1. Click the X button
Lesson 2: Exploring the NSX firewall configuration
In this lesson we will explore the Distributed firewall rules blocking the access.
Launch the VMware Web client
1. Launch Chrome from your Main console machine
Log in to the VMware Web Client
1. Input user name administrator@vsphere.local
2. Input password VMware1!
3. Click Login
Navigate to networking and Security
1. Click the Home button
2. Click on Networking and security
Open the distributed firewall
1. Click on the Firewall section
2. Click the arrow next to Secure Horizon connection servers (Rule4)
Explore the block rule
Feel free to explore the rule settings and note the firewall rule settings below:
1. Source = Any
2. Service = Any
3. Action = Block
4. Applied to = Perimeter Gateway
5. Hover over the Destination pencil icon and click it (note: pencil will not appear
until you hover over the area noted in step 5)
Verify firewall rule destination set
Reference the Topology map from a previous step if needed
1. Note that the destination = our 172.16.60.100 IP address mapped to view-internal.corp.local
2. Note that the second destination = the Connection servers network that also
includes the load balancer
3. Click Cancel to close
Disable edge services gateway rule
1. Click the green check box next to rule 4 to turn it gray
2. Click Publish Changes
Disable distributed firewall rule
Now disable the rule that blocks all traffic to the VDI network. Feel free to explore the
rule if desired.
1. Click the arrow to expand the Secure-VDI-Desktops rule
2. Click the green check next to rule 9 to turn it gray (note: you may have to scroll
the window to access rule 9)
3. Click Publish Changes
Connect to the view-internal.corp.local name space from
the external network
1. Click the vSphere Web Client Chrome session to minimize it
Double Click the cloud icon to connect to the "view-internal" Horizon infrastructure and your virtual desktop.
The view-internal.corp.local name space will connect you to one of the redundant
Horizon connection servers through an NSX load balancer.
1. Double click the view-internal.corp.local icon
Logon
Logon as Dr. Melissa Null using the following credentials. Notice that with the firewall
rules disabled a connection can now be made.
1. User name: mnull
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to the Health Care desktop
1. Double click the HealthCare_Win_7 icon
Verify connection to Win7-View01a
1. Note the Internal connection
Return focus to the vSphere Web Client
1. Click the vSphere Web Client Chrome session to maximize it
Re-enable firewall rules
1. Click on the gray rule 9 check to turn it green
2. Click on the gray rule 4 check to turn it green
3. Click Publish Changes
Your connection will now terminate
Because the firewall rules are enabled again, the VMware Horizon client will disconnect and
start flashing. This will take about thirty seconds to a minute. The session window will
remain during this time, but if you click in the window nothing will happen.
1. Click on the flashing View Client to maximize it
2. Read the error and Click OK
Close the View Client and minimize the vSphere Web
Client
1. Click the X to close the Web Client
2. Click the vSphere Web Client Chrome session to minimize it
Lesson 3: Connection to a Horizon hosted virtual machine
through an NSX edge gateway to a protected internal
network
In this lesson we will explore how to use a Horizon Access point server to connect to our
Windows 7 Health Care machine from the external network.
Launch the Horizon View Client
1. Double Click the Horizon View Client icon on your Main Console
Double Click the cloud icon to connect to the "view-external" Horizon infrastructure and your virtual desktop.
The view-external.corp.local name space will connect you to one of the redundant
Horizon access servers through the edge services gateway load balancer services.
1. Double click the view-external.corp.local icon
Logon
Logon as Dr. Melissa Null using the following credentials. Notice that with the firewall
rules disabled a connection can now be made.
1. User name: mnull
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to your Health care desktop
1. Double click the HealthCare_Win_7 Icon
Verify external connection to Horizon hosted virtual
machine
You are now connected to your Health Care Windows 7 virtual machine through an
access point server and then one of two redundant connection servers, HVCS-01a or
HVCS-02a.
1. Verify you are connected to Win7-view-01a
2. Make note that you are now connected from an external source
Log off from the Healthcare_Win_7 Desktop session
1. Click the Windows start button
2. Click the arrow next to shutdown
3. Click Log off
Close the VMware Horizon Client
1. Click the X
Lesson 4: Explore the Horizon Access Server load balancer
configuration
In lesson 4 we will explore the Horizon View access point configuration.
A Horizon View Access Point functions as a secure gateway for users who want to access
Horizon 6 desktops and applications from outside the corporate firewall.
Access Point appliances typically reside within a DMZ and act as a proxy host for
connections inside your company’s trusted network. This design provides an additional
layer of security by shielding View virtual desktops, application hosts, and View
Connection Server instances from the public-facing Internet.
Lesson 4 Topology
The key components are outlined here.
1. External endpoint
2. Endpoint on an internal secure network
3. Target Health Care virtual machine
4. Load balancing services
5. Redundant connection servers
6. Redundant access points
7. Edge services Gateway and Load balancer
View components and protocols
1. The Access point appliance is placed between the DMZ and the internal secure
connection servers to proxy View connections from external networks.
Launch the VMware Web client
1. Launch Chrome from your Main console machine
Log in to the VMware Web Client
1. Input user name administrator@vsphere.local
2. Input password VMware1!
3. Click Login
Navigate to networking and Security
1. Click the Home button
2. Click on Networking and security
Open the perimeter-Gateway-01
1. Click NSX Edges
2. Double Click edge-2 Perimeter-Gateway-01
Open the view-external-auth application profile
1. Click the manage tab
2. Click on the Load Balancer tab
3. Select Application profiles
4. Click the edit icon
Explore the Application Profile for Horizon View
1. Notice that the Application profile is set to HTTPS and is using a certificate
assigned at the load balancer in termination mode with the name view-external.corp.local
2. Once complete Click Cancel (note: you may need to drag the configuration
window up to access the cancel button)
Open the Access point service monitor
1. Select service monitoring
2. Highlight the view-external-auth monitor-4
3. Click the Edit icon
Explore the view-external service monitor settings
1. Notice that the monitor is set to HTTPS and is configured to detect a /portal page
2. Once complete Click Cancel (note: you may need to drag the configuration
window up to access the cancel button)
Explore the pool statistics
1. Select the Pools section
2. Click on Show Pool statistics
3. Click on Pool-1
4. Notice that there are two access servers configured to receive requests.
Close the vSphere Web Client
1. Right Click the Chrome task bar item
2. Click on close
Module 4 Summary
In module four we demonstrated access to two load balanced Horizon access servers
through an NSX load balancer. We also explored the firewall configuration required to
secure external connections to a Horizon View environment. This secure external
access enables internal applications to be securely delivered for Healthcare
organizations.
How to End Lab
To end your lab click on the END button.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-1741-USE-1
Version: 20170721-144817