VMware Identity Manager – Workspace ONE – Provide Access to Horizon Desktops and Apps & Workspace ONE mode

In this post, we will integrate VMware Identity Manager with Horizon.

First go to Catalog and, under Manage Desktop Apps, select the connector to use (if you have followed my previous posts, I am running outbound connection mode, that is, Workspace ONE is in the DMZ with the connector appliance deployed in the LAN).

This redirects you to the connector appliance's page, where you enable Horizon View Apps and Desktops. Enter the Connection Server details: the server name and the Horizon administrator account the connector will use to read pools and entitlements (a read-only Horizon administrator role is enough; do not hand it a full admin account):

Then Save and confirm the Connection Server's SSL certificate when prompted, so that the connector trusts the Horizon endpoint it syncs from.

For SAML, go to the Horizon Connection Server settings in Horizon Administrator (View Configuration > Servers > Connection Servers > Edit > Authentication), add VMware Identity Manager as a SAML 2.0 authenticator and set "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)" to Allowed:

You may also choose Required instead of Allowed. Allowed accepts SAML assertions from Identity Manager but still lets users authenticate directly against the Connection Server with their AD credentials, which bypasses every access policy (network range, second factor, device rules) you configure in Identity Manager. Required rejects direct Horizon Client and HTML Access logins, so every session has to come through the SAML authenticator.

(Screenshot: SAML delegation set to Required)

With Required you can also tick "Enable Workspace ONE mode", which sends users who open Horizon Client or HTML Access directly to the Workspace ONE portal URL you specify, instead of presenting them with a Horizon login they can no longer use.

(Screenshot: Workspace ONE mode settings)

There is already a great demo video about Workspace ONE mode here:

 

Once this is configured, you also need to set the external access URL for Horizon. This is done in the Network Ranges section of VMware Workspace ONE (Identity & Access Management > Setup > Network Ranges): each network range carries the client access URL host and port for the View pod, so point the external range at the UAG or load balancer FQDN while the internal range keeps the Connection Server. Internal users then reach Horizon directly and everyone else is launched through the DMZ gateway…

All set 🙂

Good Luck

VMware Identity Manager 2.9.2 – Workspace ONE – Installation in DMZ with Outbound-Only Connection Mode

Hi All,

In this post, we will go over one of the many deployment scenarios of VMware Identity Manager 2.9.2, the identity component of Workspace ONE. As always, please check the latest guides at http://docs.vmware.com, and specifically for Identity Manager: https://docs.vmware.com/en/VMware-Identity-Manager/2.9.1/com.vmware.wsp-install_29/GUID-96E2F98A-5B90-4F81-A302-8264E6362494.html . The VMware Identity Manager deployment topology and procedure change with your requirements and with the integrations you need, on-premises or in the cloud, with AirWatch, Horizon and so on. For deployment options, please also visit here.

I will try to summarize what needs to be done when it is deployed on-premises (for a demo) within the DMZ, the "On Premises Deployment Model Using VMware Identity Manager Connector in Outbound-Only Connection Mode". We will build on this post later…

The topology I will be following is:

(Diagram: outbound-only connection mode topology)

This mode supports all authentication methods, namely:

  • Password – uses the connector
  • RSA Adaptive Authentication – uses the connector
  • RSA SecurID – uses the connector
  • RADIUS – uses the connector
  • Certificate (cloud deployment) – through the Built-in identity provider
  • VMware Verify – through the Built-in identity provider
  • Mobile SSO (iOS) – through the Built-in identity provider
  • Mobile SSO (Android) – through the Built-in identity provider
  • Inbound SAML through a third-party identity provider

Installation Video:

Let's get our hands dirty:

  1. VMware Identity Manager is delivered as an OVF. Download both the Identity Manager server and its connector appliance.
  2. For the required network ports, refer to the documentation. In outbound-only mode the only connection crossing from the LAN to the DMZ is the connector's outbound HTTPS (443) call to the server appliance; nothing needs to be opened from the DMZ into the LAN.
  3. Create DNS records (forward and reverse) for VMware Identity Manager. Split DNS is required for the scenario described here: the public zone resolves the FQDN to the address users reach from the internet, the internal zone resolves the same FQDN to the appliance's DMZ address, and the appliance itself must point to your internal DNS servers so that it can resolve the connector and Active Directory.
  4. For production an external database is required, but as the scope here is a demo, the built-in internal database will be used.
  5. Deploy the OVF… nothing extraordinary: IP, subnet, hostname, DNS, etc.
    Note: the Domain Name and Domain Search Path are not used. You can leave these blank….
    The FQDN may differ in your environment. In this scenario my FQDN will be the public FQDN: I want my users to use the same name when connecting internally and externally, and this will be the only server.
  6. Once the appliance is deployed, power it on and go to the configuration page at https://FQDN:8443. If you get an HSTS error, it is because the appliance sends a Strict-Transport-Security header while still presenting its self-signed certificate, so the browser refuses to let you click through; delete the FQDN from the browser's HSTS list (in Chrome, chrome://net-internals/#hsts) as described in "VMware Identity Manager self signed certificate gives a HSTS message (2147071)".
    In my experience, also clear the browsing history, cached files, etc., and then relaunch the browser.

(Screenshot: IDM configuration wizard)

Specify passwords:

(Screenshot: IDM)

Choose the database:

(Screenshot: IDM)

Processing…

(Screenshot: IDM)

And done.

 

Now log in to the administrator console and go to "Appliance Settings > Manage Configuration" (or https://FQDN:8443 > Appliance Settings) to update the SSL certificate for your FQDN, and then change the Identity Manager FQDN if necessary. Updating the SSL certificate can take some time, so be patient; afterwards you can use the new FQDN to log in to the administrator console. You need the private key and the certificate chain in PEM format to copy and paste: the key must be unencrypted (there is no passphrase field), the chain field takes the server certificate first followed by the intermediate and root certificates, and the FQDN you set here must appear in the certificate's subject alternative names, otherwise browsers and the connector will fail certificate validation. You can also use the "Terminate SSL on a load balancer" option on this page if your Identity Manager sits behind a load balancer that holds the public certificate.

(Screenshot: Install SSL certificate page)

 

That's all for the Identity Manager server deployment. You can log in to the administrator console at https://FQDN with the admin password you provided earlier.

Before configuring it, let's finish the deployment by deploying the connector appliance. Again, see the connector documentation for the details. Depending on your requirements you may not need a separate connector at all, because a connector is also built into the server appliance; in the outbound-only DMZ design used here, however, the separate connector in the LAN is what lets the DMZ appliance talk to Active Directory without any inbound firewall rule from the DMZ into the LAN.

During installation of the connector appliance you will need an activation code. To get one, log in to the VMware Identity Manager administrator console, go to "Setup > Connectors > Add Connector", enter a name and click Generate Activation Code. Save it, and treat it like a credential: whoever holds the code can register an appliance as a connector with your Identity Manager service, so do not leave it lying around in tickets or chat.

Deploying the connector appliance is very similar. Once it is deployed and powered on, go to https://FQDN_Connector to configure it. You need to set the appliance passwords and paste the activation code generated earlier. Done…

Now you can set up the directory to sync from. In the administrator console go to the Directories section and click Add Directory:

  • Choose Active Directory over LDAP if there is only one domain. The connector binds with the bind DN you supply, so use a dedicated, least-privileged service account and tick the option that requires SSL for the directory connection, so that credentials and attributes do not cross the LAN in clear text.

  • Choose Active Directory (Integrated Windows Authentication) if you want to connect to a multi-domain or multi-forest environment; here the connector is joined to the domain and authenticates with Kerberos.

(Screenshot: Directory)

Scroll down:

(Screenshot: Directory)

Click Save and Next:

(Screenshot: Directory)

Select user attributes:

(Screenshot: Directory)

 

Then go to the Connectors page again, click the connector you created and select Auth Adapters; enable at least one (Password for now)… This may already be enabled for you.

(Screenshot: auth adapters)

Once you click PasswordIdpAdapter, if you followed the design here, you will be redirected to the connector appliance's page with the following screen:

(Screenshot: auth adapters)

 

 

In order to apply outbound connection mode, associate the connector with the Built-in identity provider. Go to Identity Providers and click Built-in:

(Screenshot: Provider)

In the Connector(s) section, select the connector from the drop-down box and click Add. Then specify the users (directories) and network ranges this provider serves, and save.

(Screenshot: Provider)

Last but not least, change the policies to use the cloud-deployed (connector) password method. If you miss this step, when you try to log in the Identity Manager server will redirect your browser to the connector appliance's URL, which an external user cannot (and should not be able to) reach: the plain "Password" method belongs to the Workspace IDP and is served by the connector itself, whereas "Password (Cloud Deployment)" is served by the Built-in identity provider over the connector's outbound channel.

Go to Policies and select the default access policy set:

(Screenshot: Policies)

Select the authentication method:

(Screenshot: Policies)

Change "the user may authenticate using the following method" to "Password (Cloud Deployment)":

(Screenshot: Policies)

That is it for initial setup. More later.

 

 

 

 

Deploy Unified Access Gateway (UAG) 3.0 with Horizon

Hi All,

We will be deploying UAG 3.0 for Horizon in this post. As you might be aware, UAG is the successor to the Horizon Security Server: a hardened, Linux-based virtual appliance for the DMZ that does not need to be domain-joined. It is also a UNIFIED gateway for other services: Horizon, reverse proxy, VMware Tunnel, and SEG (Secure Email Gateway), the last as a tech preview, for AirWatch or Workspace ONE!

(Screenshot: Edge Services)

There are lots of deployment options, so use the guides wisely. UAG can also be placed in front of VMware Identity Manager as a reverse proxy. Please check the latest guides, as always, because each version brings a lot of new features. You can find the latest at: https://www.vmware.com/support/pubs/access-point-pubs.html

I must note that with UAG the 1:1 pairing with a Connection Server (the IPsec pairing that Security Server required) is no longer necessary. A UAG simply points at a Connection Server URL, which can be a load-balanced pair of Connection Servers:

 

(Diagram: UAG topology in the DMZ)

The deployment is very easy and quick:

  1. Download the OVF.
  2. Deploy the OVF.
  3. Create DNS records for the appliance.
  4. Log in to the admin interface and configure the edge services.

That's all.

Quick recap with screenshots. I am not going into the details of deploying OVF templates, but during the deployment you need to select the one-, two- or three-NIC option that suits your environment and then enter the IP, DNS and related information in the configuration. There is already a great guide about this:

https://docs.vmware.com/en/Unified-Access-Gateway/3.0/com.vmware.access-point-30-deploy-config.doc/GUID-FFC6B49E-07E2-42F0-AA6D-8811E5340BD6.html

You can also deploy the OVF with PowerShell (VMware ships the uagdeploy.ps1 script, driven by an INI file, which makes redeployments repeatable)… up to you.

Once you log in to the UAG admin interface at https://UAGServer:9443/admin, expand Edge Service Settings and configure the Horizon settings: the Connection Server URL (your load-balanced Connection Server VIP), its certificate thumbprint if that certificate is not issued by a CA the appliance trusts, and the external URLs for Blast, PCoIP and the tunnel that clients will be told to connect to:

(Screenshot: Horizon edge service settings in UAG)

Go to the Connection Server (Horizon Administrator > View Configuration > Servers > Connection Servers > Edit) and change the tunnel settings, that is, untick the Secure Tunnel, PCoIP Secure Gateway and Blast Secure Gateway options. UAG now provides those gateways; leaving them enabled would tunnel every session twice.

 

(Screenshot: Connection Server settings)

Then you are almost set. One thing to remember is that if you will be using HTML Access, the Connection Server's origin check will reject browser sessions that arrive through UAG or a load balancer, because the Origin header then names a host other than the Connection Server; you need to make a change to a config file:

Create locked.properties (the path is: C:\Program Files\VMware\VMware View\Server\sslgateway\conf) and add one of the following, depending on your environment, to this file:

  • checkOrigin=false
  • balancedHost=Loadbalancer FQDN
  • portalHost.1=UAGName1
    portalHost.2=UAGName2

Prefer the last two: they keep the origin check and only add the load balancer or the UAG names as legitimate origins, whereas checkOrigin=false switches off Horizon's cross-site request forgery protection for HTML Access entirely. Restart the VMware Horizon View Connection Server service after editing the file.
Please also refer to:

It is also a good idea (recommended) to replace the self-signed certificate after installation. In the UAG admin interface go to TLS Server Certificate Settings and upload a PFX or PEM; use a CA-signed certificate whose subject alternative names cover the external FQDN(s) clients will use, otherwise Horizon Client and browsers will warn on, or refuse, every connection depending on the client's certificate checking mode. For PFX, if you get the error below, try copying the GUID from the error message into the Alias field:

 

(Screenshot: PFX upload error)
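The certificate handling described in these two posts (the unencrypted PEM key and leaf-first chain the Identity Manager SSL page wants, the Connection Server thumbprint UAG asks for in its Horizon settings, and the PFX alias that UAG's TLS Server Certificate Settings page rejects when it does not match) is easy to get wrong by hand. The script below is an added example, not code from the original posts or from VMware: it builds a throwaway CA and server certificate so that it runs offline, converts the resulting PFX into the PEM pieces, prints the PFX friendly name (the alias UAG asks for), produces the sha1= thumbprint string for the UAG Horizon settings, and checks the material before you paste it. It assumes only the openssl command line; demo.example.com, "Demo Root CA" and the password are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware: turn a PFX into
# the PEM pieces the Identity Manager SSL page and the UAG TLS settings page want,
# and sanity-check them before pasting. Assumes the openssl CLI is installed.
# demo.example.com, "Demo Root CA" and the password are assumptions for the demo.
set -eu

# Keep only the PEM blocks of a file; drops the "Bag Attributes" chatter that
# openssl pkcs12 prints, which paste boxes do not want.
strip_pem() { awk '/-----BEGIN/ {p=1} p {print} /-----END/ {p=0}' "$1"; }

# Constructed fixture: a throwaway CA signs a server cert, bundled as a
# password-protected PFX, the form a Windows CA usually hands you.
make_demo_pfx() {
  dir=$1; fqdn=$2; pass=$3
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/openssl.cnf"
  openssl req -config "$dir/openssl.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$fqdn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.ext" -out "$dir/server.pem" 2>/dev/null
  # -name sets the PFX friendly name, which is what UAG asks for as the "alias".
  openssl pkcs12 -export -name "$fqdn" -inkey "$dir/server.key" -in "$dir/server.pem" \
    -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/server.pfx"
}

# Friendly name (alias) of the leaf certificate inside a PFX.
pfx_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Split a PFX into key.pem (unencrypted), leaf.pem, issuers.pem and chain.pem
# (leaf first, then issuers): the order the Identity Manager certificate box wants.
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.raw" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/leaf.raw" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/issuers.raw" 2>/dev/null
  strip_pem "$out/key.raw" > "$out/key.pem"
  strip_pem "$out/leaf.raw" > "$out/leaf.pem"
  strip_pem "$out/issuers.raw" > "$out/issuers.pem"
  cat "$out/leaf.pem" "$out/issuers.pem" > "$out/chain.pem"
  rm -f "$out"/*.raw
  chmod 600 "$out/key.pem"  # an unprotected private key now sits on disk; delete it after pasting
}

# "sha1=<fingerprint>" string for the Connection Server URL Thumbprint field in the
# UAG Horizon settings (only needed when the Connection Server cert is not CA-trusted).
cert_thumbprint_for_uag() {
  echo "sha1=$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//')"
}

# Checks worth running before you paste: the key has no passphrase, the key
# matches the leaf, the leaf carries the FQDN users will type, and the leaf
# chains to the issuers you are about to upload. Non-zero on the first failure.
check_pem_material() {
  out=$1; fqdn=$2
  if grep -q ENCRYPTED "$out/key.pem"; then echo "key is passphrase-protected"; return 1; fi
  k=$(openssl pkey -in "$out/key.pem" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$out/chain.pem" -noout -pubkey | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$c" ] || { echo "private key does not belong to the first cert in chain.pem"; return 1; }
  # openssl x509 reads only the first cert in chain.pem, i.e. the leaf.
  openssl x509 -in "$out/chain.pem" -noout -text | grep -qE "DNS:$fqdn(,|\$)" \
    || { echo "leaf certificate has no SAN entry for $fqdn"; return 1; }
  # If the PFX carried only the intermediate, append the root to issuers.pem first.
  openssl verify -CAfile "$out/issuers.pem" "$out/leaf.pem" >/dev/null 2>&1 \
    || { echo "leaf does not chain to the issuers in issuers.pem"; return 1; }
  echo "ok: key, certificate and chain for $fqdn are consistent"
}

# Stand-alone demo run.
WORK=$(mktemp -d)
make_demo_pfx "$WORK" demo.example.com 'Demo#Pass1'
pfx_to_pem "$WORK/server.pfx" 'Demo#Pass1' "$WORK"
echo "PFX alias for UAG: $(pfx_alias "$WORK/server.pfx" 'Demo#Pass1')"
echo "Thumbprint for UAG: $(cert_thumbprint_for_uag "$WORK/leaf.pem")"
check_pem_material "$WORK" demo.example.com
```

To use it on a real certificate, call pfx_to_pem and check_pem_material with your own PFX, its password and the public FQDN; paste key.pem and chain.pem into the Identity Manager page, or upload the PFX to UAG with the alias that pfx_alias prints. If your CA gave you a PFX that carries only the intermediate, append the root to issuers.pem before the chain check, and remove key.pem once it has been pasted.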

You may also refer to the video in my other post (although it is in Turkish).

Hope this helps.

Good luck.

UAG – Unified Access Gateway 3.0 Installation

I wanted to give a short summary, in Turkish, of the VMware Unified Access Gateway installation. The installation is purely for demo purposes; for all the best practices, please review the product documentation.

 

Horizon 7.2 – AppVolumes 2.12.1 Installation

Hello everyone,

I wanted to give a short summary, in Turkish, of the VMware AppVolumes 2.12.1 installation. The installation is purely for demo purposes; for all the best practices, please review the product documentation.

 

You can also reach the demo video I prepared earlier here:

Horizon 7.2 – Connection Server and Composer Installation

Hello everyone,

I wanted to give a short summary, in Turkish, of the VMware Horizon installation. The installation is purely for demo purposes; for all the best practices, please review the product documentation.

Defer 1703 update

To prevent the upgrade to 1703, you can use a Group Policy Object:

First copy WindowsUpdate.admx and its matching .adml file from a Windows 10 machine (C:\Windows\PolicyDefinitions) to the central store on your DCs, the PolicyDefinitions folder under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions). You can also download the Windows 10 ADMX files from Microsoft.

Then edit the policy under Computer Configuration > Administrative Templates > Windows Components > Windows Update (Defer Upgrades and Updates; in the 1607 and later templates it sits under Defer Windows Updates as Select when Feature Updates are received). Note that a deferral only postpones the feature update for the configured period; it does not block 1703 indefinitely, so plan the rollout within that window.

(Screenshot: Windows 10 Defer Upgrades and Updates policy for 1703)

 

 

Real-time Application Delivery with VMware App Volumes

Hello everyone, I wanted to share a short note on how VMware App Volumes can deliver applications in VDI environments within seconds and, more importantly, how it can make their management simple and secure by easing the application lifecycle.

First of all, App Volumes can deliver your applications to end users and their devices with a single click, making them usable within seconds. Applications can be assigned dynamically to users, user groups, or user desktops, even while the user is logged in. These applications (AppStacks) can easily be updated without any interruption to the user, can be withdrawn from the user, and so the whole application lifecycle can be managed easily. The slow and painful processes of application installation, management, and maintenance become very simple; unreliable one-off application installations are thereby made reliable, and the time spent on application problems is minimized.

Broadly speaking, VMware App Volumes is an application virtualization and layering technology. With App Volumes, applications are kept on a separate virtual disk (an App Container). More than one application can be hosted inside one of these containers. Thanks to the App Volumes Agent, these applications are presented inside the end user's operating system. Instead of installing the applications on the existing desktops, we create a single virtual disk that all the operating systems use, which also yields a big saving on the storage side. On the other hand, because applications can be managed independently of the end-user operating system, application management becomes easier, simpler, and trouble-free.

On the principle that a picture is worth a thousand words, I wanted to share a short video about how applications are delivered to end users instantly with App Volumes:

 

For more information: https://www.vmware.com/products/appvolumes/

You can also try App Volumes in a lab environment at VMware Hands-on Labs: http://vmware.com/go/avlab

I will be sharing the new features that come with App Volumes 3.0 in my next post.

“Enabling the Digital Enterprise” Event

Be the first to hear the latest news on how VMware's "One Cloud, Any Application, Any Device" IT architecture helps enable the "Digital Enterprise", from mobile devices to the data center and the cloud.

This event consists of two parts.

In part 1, Pat Gelsinger (CEO) and Sanjay Poonen (EVP & GM, End User Computing) will share VMware's "Digital Workspace" vision and exciting announcements. For our region (EMEA), the event starts on 10 February at 11:30.

In part 2, Pat Gelsinger (CEO) and Raghu Raghuram (EVP, Software-Defined Data Center Division) will share what is new in hybrid cloud, cloud management platform, and hyper-converged infrastructure solutions with VMware's Software-Defined approach. When registering for this part you can choose either the Cloud Management Platform (CMP) session or one of the Hyper-Converged Infrastructure (HCI) sessions. Part 2 of the event starts on 11 February at 11:30.

For more information and registration: http://www.vmware.com/digitalenterprise?src=WWW_Q1Launch_US_HPHero1_RegisterForOnlineEvent

To register: http://www.vmware.com/digitalenterprise/registration
