VMware Federal Secure Desktop - Ingram Micro · Post on 10-Jul-2020
VMware® Federal Secure Desktop™ VALIDATED DESIGN GUIDE
Table of Contents

About the Validated Design Guide  3
Introduction  4
Audience  4
Business Case  4
What Is Federal Secure Desktop?  5
  Mobility  5
  Security  6
  Management  6
User Profiles  6
Federal Secure Desktop Architecture Overview  7
Solution Validation  9
  Lab Equipment List  9
  Solution Components  9
  Optional Components  9
Key Components of the Architecture  10
  Core Components  10
    vSphere and vCenter  10
    VMware Horizon View  10
    VMware vCloud Networking and Security and vShield Endpoint  10
    CAC Cards  10
    HBSS  10
    Zero Clients  10
    802.1X Network Access Control  11
  Additional Components  11
    Management  11
    Compliance  11
    Persona and User-Installed Apps  11
Architecture Overview  12
  Server Architecture  12
  Storage  12
  Networking  13
  Security  13
    CAC Card Support  13
    McAfee HBSS  15
    802.1X Authentication  15
    vCloud Networking and Security and vShield Endpoint  15
  Management  16
    Endpoint Management  16
    Persona Management  17
Key Deployment Considerations  18
  Initial Setup  18
  CAC Certificate Setup  18
  Deploying the Base Image and Desktop Pools  19
  McAfee HBSS  20
  Configuring Zero Clients and 802.1X Authentication  20
  User Connection Flow Sequence  21
Summary  21
About the Authors  22
About the Validated Design Guide

VMware® Validated Design Guides provide an overview of a solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.

The guide is an introduction to proof of concepts, emerging new technology and architectures, and enhancement of customer use cases.

The Validated Design Guides:
• Incorporate generally available products into the design
• Employ repeatable processes for the deployment, operation, and management of components within the solution

Validated Designs are tested for a specific use case or architectural practice on a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real-world practices.

The Validated Design Guides include:
• Use cases catered to the design
• Products validated as part of design testing
• Software used for each component of the design
• Configurations used to support the design test cases
• A list of design limitations and issues discovered during testing
Introduction

This Validated Design Guide is an overview of the VMware Horizon View™ Federal Secure Desktop™ solution, which is based on the VMware Horizon View Mobile Secure Workplace™ solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive solution that satisfies the specific requirements of use cases within the federal vertical such as mobility, bring your own device (BYOD), security, and compliance.

This document provides an overview of the logical solution architecture and results of the tested configuration. The solution is not exclusive to the products tested within the architecture. Consult your VMware representative for more information about how to modify the architecture with your preferred vendors.

Audience

This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists, and customers who will configure and deploy a secure desktop solution for federal agencies or organizations.

Business Case

Recent natural events, including the North American blizzard of 2010 and Hurricane Sandy, caused heavy damage to the federal infrastructure and closed regional federal offices for many workdays. While such disasters cost the government millions of dollars, they can serve as the ideal use case to support the recently enacted Telework Enhancement Act of 2010, H.R. 1722.

Nearly every federal IT organization today is working to embrace mobile computing for a number of reasons, including:
• Lowering its carbon footprint and energy costs by reducing employee commutes
• Improving employee satisfaction and work/life balance, especially for workers who maximize use of mobile devices and who expect more flexible mobile work arrangements
• Striving for an always-on, agile e-government infrastructure that gives employees immediate access to information
• Supporting Continuity of Operations (COOP) in the event of emergencies by helping employees do their jobs effectively from home or remote locations

The Telework Enhancement Act and initiatives around disaster recovery and COOP pose both an opportunity and a challenge for federal IT leaders. Users expect and require access to applications and data on a variety of devices to maximize productivity; but IT is pressured to secure information, control critical processes and data, and ensure that all compliance requirements are met.
What Is Federal Secure Desktop?

The VMware Horizon View Federal Secure Desktop solution is built on the VMware validated Mobile Secure Workplace solution. It provides secure access for end users to desktops that meet various federal compliance requirements. The solution design supports end-user mobility, streamlines application updates, enhances data security, and delivers the highest-fidelity user experience.
Figure 1: Mobile Secure Workplace Solution. (Diagram: Horizon View client devices on the external network, including Android tablets, iPads, PDAs, zero clients, thin clients, Windows Horizon View Clients with and without Local Mode, and Macintosh Horizon View Clients, reach Horizon View Security Servers in the DMZ through a Layer 7 load balancer that fronts both the Security Servers and the Connection Servers. The management vSphere infrastructure on the internal network hosts the Horizon View Connection Servers, Active Directory, vCenter, antivirus, vCM, vCOps, vCNS, a print server, a Certificate Authority, and RADIUS/SSO. The virtual desktop vSphere infrastructure hosts the virtual desktops on local SSD datastores for Horizon View Composer linked-clone storage, with shared storage for Persona, user data, ThinApp applications, and VM master images.)
This solution enables the audience to address the three key requirements also addressed by the VMware Mobile Secure Workplace solution:
• Mobility
• Security
• Management

Mobility

The Federal Secure Desktop solution, built on VMware Horizon View, places desktops in the data center. The solution provides users access to their remotely displayed desktop through any device via the FIPS 140-2 certified PCoIP protocol. Desktops can be accessed from zero clients, workstations, thin clients, or mobile devices. With VMware Horizon View Persona Management, Federal Secure Desktop provides true session persistence across devices and sessions. The variety of endpoints enables true BYOD support, and session persistence enables session mobility across devices.
Security

With support for Common Access Cards (CAC) built into and validated in the design, the Federal Secure Desktop solution supports and extends an existing data and application security infrastructure. In addition to providing the right level of access to the right resources, the solution also simplifies patch management and update management for all desktops. IT administrators can update and patch desktops in the data center to the latest version, reducing the exposure created by unpatched or orphaned systems. Data resides in the data center and is protected by VMware vCloud® Networking and Security™ and VMware vShield Endpoint™. The design uses PCoIP-based zero clients from Teradici, which run firmware rather than a general-purpose operating system and hold no user data locally, so the endpoint itself presents very little attack surface. Teradici also incorporates 802.1X authentication to allow only authorized devices to connect to the network.

Management

One of the key challenges facing organizations today is to obtain an overview of their desktop environment and manage the environment, desktops, access policies, and service levels. The Federal Secure Desktop solution, with optionally integrated VMware vCenter™ Operations Manager™ for Horizon View, provides an integrated dashboard with intelligent data on all desktop-related events. This helps IT administrators provide the right amount of intervention and guidance when virtual infrastructure performance falls below an expected range of behavior. The solution can also include VMware vCenter Configuration Manager™ (vCM) for importing suggested configurations and to meet regulatory compliance.

User Profiles

The Federal Secure Desktop solution is applicable to all use cases in federal agencies which require mobility, a high level of security, and always-on access to desktops. These use cases include but are not limited to teleworkers and first responders. The workload profiles include a spectrum of users: office-based and home-office-based workers, remote-office knowledge workers, power users, and mobile workers.

The validated design in this document supports the unique requirements of these user profiles and helps the IT team manage the environment securely.
Federal Secure Desktop Architecture Overview

The Federal Secure Desktop solution is built on the VMware validated Mobile Secure Workplace solution.

The following diagram shows the logical topology for the Federal Secure Desktop solution:
Figure 2: Federal Secure Desktop Logical Topology. (Diagram: on the management side, Active Directory, a Certificate Authority with the CAC infrastructure, vCenter, vCNS, McAfee Antivirus, and McAfee HBSS; three desktop pools of virtual machines, Pool 1, Pool 2, and Pool 3; on the access side, a Layer 7 load balancer and 802.1X-protected network ports.)
The architecture consists of:
• VMware Horizon View infrastructure
• Access infrastructure with CAC card setup, 802.1X, and zero clients

The VMware Horizon View infrastructure consists of two virtual machine clusters for scalability purposes: a management cluster and a virtual desktop cluster. The management cluster includes all the management components required for the VMware Horizon View base architecture, along with VMware vCenter Operations Manager, vCloud Networking and Security, and vShield Endpoint.
The virtual desktop cluster is dedicated to hosting stateless virtual desktops accessed by end users. The environments are segregated to effectively utilize underlying hardware resources, and to support storage layer tiering where required.

The management architecture can host multiple connection servers, load balanced to provide redundancy and availability. Users can access the closest desktop immediately by accessing the network of load balancers with a single namespace. Remote users can access the environment through Horizon View Security Servers deployed in the demilitarized zone (DMZ). Usage of Horizon View Security Servers ensures secure access to remote desktops via PCoIP, while maintaining an optimal user experience.

The CAC infrastructure is set up in a standard format, as it would be in a physical environment. The certificates are issued under the DoD PKI operated by DISA, and the specifications can be found in the Common Access Card (CAC) User Guide.

Certificates are provisioned on CACs issued for NIPRNet (Non-classified Internet Protocol Router Network). This emulates the standard access method that is used by federal agencies. The United States Department of Defense (DoD) integration is achieved by trusting the DISA-operated DoD CA as the trust anchor of the certificate chain and mapping the relevant certificate fields to the Active Directory accounts that the Certificate Authorities (CAs) issue for.

To secure desktops and meet federal requirements, HBSS, combined with McAfee's ePolicy Orchestrator (ePO) and other host-based intrusion prevention systems (HIPS), was added to the environment.

To provide enhanced security, 802.1X authentication was added to the solution to lock down the devices that can connect to the network. In conjunction with zero clients as the access devices, 802.1X authentication locks down the environment while giving end users mobility and a superior user experience.

The architecture is scalable and is based on the standard reference architectures published by VMware.
Solution Validation

For functional testing and validation, the solution was implemented with 100 desktops and deployed on the hardware in Table 1. The solution implemented in the lab was designed to scale to many thousands of desktops according to the sizing guidelines provided in VMware published reference architectures. The architecture was built in pods or building blocks so the solution could be scaled easily.

Lab Equipment List

Product | Details
Servers | 5 x 1U servers with 2 Intel Xeon E7-8837 2.67 GHz processors, 96 GB RAM
Servers | 1 x 2U server with 2 Intel Xeon E7-8837 2.67 GHz processors, 128 GB RAM
Hard drives | 8 x 300 GB Intel 320 SSD drives
Hard drives | 8 x 600 GB 7200 RPM HDD
Attached storage | iSCSI storage array: raw disk capacity 8 TB, raw flash cache 160 GB, 24 GB RAM, 4 x 1 GbE network ports
Networking | Layer 2 10/100/1000 24-port switch

Table 1: Lab Equipment

Solution Components

Product | Description
VMware vSphere® | 5.0.1
vSphere with VMware vCenter | 5.0
VMware Horizon View | 5.1
VMware Horizon View Composer | 3.0
vCloud Networking and Security | 5.1.2a
vShield Endpoint | 5.0.1
CAC | CAC infrastructure with federal NIPR and SIPR cards
Desktop antivirus | McAfee ePO AV stack
HBSS | McAfee HBSS
Clients | Teradici zero clients

Table 2: Solution Components

Optional Components

Product | Description
vCenter Operations Manager for Horizon View | 1.0
Load balancer | F5 BIG-IP LTM, GTM, and APM

Table 3: Optional Components
Key Components of the Architecture

Though the solution architecture is vendor agnostic, the following components are part of the validated design:

Core Components

vSphere and vCenter

The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using vSphere, and more information on the platform can be found on the VMware Web site.

VMware Horizon View

The central component of the solution architecture is VMware Horizon View, the industry-leading virtual desktop infrastructure (VDI) product.

VMware vCloud Networking and Security and vShield Endpoint

VMware vCloud Networking and Security is the leading software-defined networking and security solution that enhances operational efficiency, unlocks agility, and enables extensibility to rapidly respond to business needs. It provides a broad range of services in a single solution, including virtual firewall, VPN, load balancing, and VXLAN extended networks.

VMware vShield Endpoint strengthens security in VMware vSphere and Horizon View environments while improving performance for endpoint protection by orders of magnitude, offloading antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners.

Visit the VMware Web site for more information on vCloud Networking and Security and vShield Endpoint.

CAC Cards

The CAC, a smart card about the size of a credit card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in secure Federal environments. It is also the principal card used to enable physical access to buildings and controlled spaces, and provides access to defense computer networks and systems. More information on CAC cards can be found at the DoD ID Card Reference Center.

The DoD has adopted and used the Public Key Infrastructure (PKI)-based CAC for years as their primary authentication method into the NIPRNet. NIPRNet is composed of Internet Protocol routers owned by the DoD.

Several agencies have also migrated to SIPR (Secret Internet Protocol Router) hardware tokens as their primary authentication method for accessing the SIPR network. Other agencies are also moving toward a PKI-based Personal Identity Verification (PIV) card for authentication into the federal network.

HBSS

HBSS (Host Based Security System) is the official name given to the DoD commercial-off-the-shelf (COTS) suite of software applications used within the DoD to monitor, detect, and counter attacks against computer networks and systems. For this validation, we used McAfee HBSS products to meet the compliance requirements. HBSS is built on the McAfee ePO suite with antivirus and HIPS.

McAfee HBSS is a requirement for most data centers, and is required by the Department of the Navy. HBSS is required for managing every endpoint general-purpose operating system (servers and desktops). The major requirement for any 802.1X deployment is the use of FIPS 140-2 validated crypto modules to protect the data.

Zero Clients

PCoIP zero clients are ultra-secure, easy-to-manage devices that offer the richest user experience in a VMware Horizon View environment. PCoIP zero clients are based on the TERA chipset by Teradici and are available in a variety of form factors from a number of trusted OEMs. Further information is available at www.teradici.com.
802.1X Network Access Control

PCoIP zero clients support 802.1X network device authentication using EAP-TLS certificates. Under this method, all network endpoint devices must be authenticated before they are granted access to the network. This is a typical method of device authentication for high-security environments, providing an additional layer of security beyond username and password credentials.

The 802.1X authentication protocol has grown in usage. IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC) that provides an authentication mechanism for devices trying to attach to a LAN or WLAN.

The DoD has added a requirement that all network ports or on-ramps be protected. Applications, servers, and data are normally protected; however, most network ports are left open. Typically, users access a network by simply plugging into a port, and a network address is allocated for the connection. A device that obtains an address this way, without authenticating, has a foothold from which to attack servers and data from inside the network. Network port protection lockdown restricts anonymous access and prevents these attacks.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (thin client or zero client) that tries to attach to the LAN or WLAN. The term "supplicant" is also used interchangeably to refer to the software running on the client device that provides credentials to the authenticator. The authenticator is a network device such as an Ethernet switch or wireless access point. The authentication server is typically a host running software supporting the RADIUS and EAP protocols.¹

In this validation, routing was done at the switch (authenticator). We created a DMZ VLAN and configured 802.1X on the switch to talk to our authentication server (Microsoft Network Policy Server serving as a RADIUS server). Additionally, vCloud Networking and Security was used for port group protection on intra-virtual-machine traffic.
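The three-party exchange described above ends with the switch relaying the zero client's EAP frames to the RADIUS server inside Access-Request packets. The following Python is an added example, not code from this guide or from Teradici, Microsoft or VMware: it builds the Access-Request an authenticator would send for the supplicant's EAP Response/Identity, computes the Message-Authenticator attribute that RFC 3579 requires on every RADIUS packet carrying EAP-Message, and shows the server-side check that silently discards a tampered packet or one protected with the wrong shared secret. The identity, NAS-Port value and shared secret are constructed for the example.

```python
"""RADIUS Access-Request for an EAP exchange, with the Message-Authenticator
attribute (RFC 3579) computed by the authenticator and verified by the server.
Added example; identities, ports and the shared secret are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def avp(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long; EAP must be split over several EAP-Message AVPs")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: Code=2, Identifier, Length, Type=1 (Identity), identity bytes.
    This is the first EAP packet the switch relays, before the EAP-TLS handshake starts."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_access_request(identifier, secret, username, eap_payload, nas_port, request_authenticator=None):
    """Build the Access-Request the authenticator (switch) sends to the RADIUS server (NPS).
    Message-Authenticator = HMAC-MD5(shared secret, whole packet with the MA value zeroed)."""
    req_auth = request_authenticator if request_authenticator is not None else os.urandom(16)
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (avp(ATTR_USER_NAME, username.encode())
             + avp(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + avp(ATTR_EAP_MESSAGE, eap_payload))
    ma_value_offset = 20 + len(attrs) + 2            # header (20) + attrs so far + MA Type/Length bytes
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def parse_attributes(packet):
    """Yield (type, value, value_offset) for every AVP; reject length mismatches (RFC 2865 section 3)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    off = 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[off + 2:off + attr_len], off + 2
        off += attr_len


def verify_message_authenticator(packet, secret):
    """Server side: a request carrying EAP-Message must have exactly one valid
    Message-Authenticator, otherwise it is silently discarded (RFC 3579 section 3.2)."""
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return False
    mas = [(v, o) for t, v, o in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False
    value, off = mas[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def demo():
    """Valid packet verifies; a flipped bit in the EAP payload or a wrong shared secret does not."""
    secret = b"constructed-shared-secret"             # constructed for the example only
    identity = b"zeroclient-0042@lab.example"         # constructed EAP identity
    pkt = build_access_request(7, secret, "zeroclient-0042@lab.example",
                               eap_response_identity(1, identity), nas_port=3)
    tampered = bytearray(pkt)
    tampered[-20] ^= 0x01                             # a byte inside the EAP-Message value
    return (verify_message_authenticator(pkt, secret),
            verify_message_authenticator(bytes(tampered), secret),
            verify_message_authenticator(pkt, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two points the example makes visible. The shared secret is the only thing protecting the switch-to-NPS leg, so it should be long, random and unique per authenticator, and that leg belongs on the management VLAN. HMAC-MD5 is fixed by the RADIUS specification and is not a FIPS-approved algorithm, so the FIPS 140-2 module requirement noted earlier is met by the EAP-TLS handshake between zero client and server, not by the RADIUS integrity check; deployments that need the RADIUS leg itself protected wrap it in IPsec or RadSec (RADIUS over TLS).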
Additional Components
Management

One of the biggest challenges faced by an IT group is on-demand management of the entire environment and the ability to identify and plan the infrastructure. VMware vCenter Operations Manager for Horizon View provides the management infrastructure required for the environment.

Compliance

One of the key requirements of many vertical industries is the ability to manage compliance with various industry regulations. VMware Horizon View is compliant with FIPS 140-2.

Teradici Tera2 Zero Clients support AES-256 and NSA Suite B crypto security protocols.

Persona and User-Installed Apps

Many use cases defined in the solution have a requirement to persist user information across sessions. But the biggest cost savings, both in terms of CapEx and OpEx, can be achieved by using stateless desktops. To effectively meet both goals, VMware Horizon View has a feature called Persona Management to maintain user data and profile persistence across stateless sessions. In addition to profile persistence, some use cases require support for user-installed applications. This can be achieved by implementing some of our partner products.

1. Cloud Centrics Technology Blog, "802.1X Challenges for Department of Defense," Aamir Lakhani, September 16, 2012.
Architecture Overview
Server Architecture
In the Federal Secure Desktop solution design, it is important to separate the management and desktop components as two discrete blocks of infrastructure. In this design, we created a management cluster and a VMware Horizon View cluster, in order to establish a subscription- or consumption-based model. This methodology is important for the solution to scale easily, as another Horizon View pod can be plugged into the architecture as required, and services can be extended to accommodate the expansion.

VMware vCloud Networking and Security and vShield Endpoint were configured to provide the security architecture, specifically around virtual desktop communication and application protocol flow in and out of the management, services, and desktop pool security zones.

In order to satisfy strict federal desktop requirements, the architecture also included integration of CAC and HBSS components.

The infrastructure components required for the environment are configured in the management cluster, and View Services is configured in the View Services cluster.

The management cluster includes two Active Directory virtual machines for redundancy, a vCenter server with a SQL Server virtual machine, and a Certificate Authority with CAC enabled, along with the McAfee HBSS components (ePO server, AV server).

The View Services cluster includes the Horizon View Connection Server, vCenter Configuration Manager, vShield Manager, and Horizon View Security Servers. These form the core and optional services required for the environment.

Separate resource pools were added to simulate the various user profiles accessing the environment. The vCloud Networking and Security Edge gateway component was configured to ensure that these resource pools are segregated and cannot talk to each other.

Storage

Following the Mobile Secure Workplace base design, in the Federal Secure Desktop design the typical storage configuration was logically segregated into two clusters: management and VDI. The management cluster in turn is segregated into general, SQL, vCloud Networking and Security, and third-party (if necessary) segments. The VDI cluster is segregated into virtual desktop and user and corporate data segments. This logical segregation is in alignment with the workloads in these datastores.

The general datastore cluster in the management segment consists of Active Directory, DNS, Horizon View Connection Server, Horizon View Security Servers, and McAfee HBSS components. All general infrastructure components are located in this segment. Storage best practices were followed when the datastores were created (e.g., the two instances of AD, and the Horizon View Connection Server and Horizon View Security Server, are located in two separate datastores for failover protection).

The SQL logical cluster contains the datastores for all SQL databases used for Composer and vCenter, and the vCloud Networking and Security cluster contains the datastores for all vCloud Networking and Security virtual machines. In addition to the above, a separate datastore cluster can be added if necessary to host all third-party software that needs to be included in the design.

The VDI logical cluster contains datastores for virtual desktops and for user and corporate data.

Typically, the management logical cluster can be Fibre Channel or iSCSI, and the virtual desktop datastores are on SSD for higher performance. The user data and corporate data are located in NFS datastores.
In this lab design, the management logical cluster (general, SQL, vCloud Networking and Security, and third-party virtual machine datastores) is located in iSCSI datastores. The VDI cluster (virtual desktops) is located in SSD, and the user data is located in NFS datastores. For production environments, it is recommended that IT administrators review storage best practices documentation to determine the best storage options for various types of virtual machines.

Networking

For this architecture, the vSphere Distributed Switch (vDS) was leveraged to simplify the configuration.

Standard VLANs were used to segregate vSphere management, services management, and desktop virtual machine traffic. All uplink ports were configured as 802.1Q VLAN trunk ports into the vSphere hosts. All networking was then broken out at the vDS level.
Security
The Federal Secure Desktop solution places very high emphasis on security and meets all the compliance requirements of a federal deployment. The key components of security integrated into this architecture are:
• CAC card support
• McAfee HBSS
• 802.1X authentication
• vCloud Networking and Security and vShield Endpoint
• Zero clients

We will look at some of these key components in more detail in the sections that follow.

CAC Card Support

VMware Horizon View has supported the use of smart cards for years. Several federal agencies have successfully deployed VMware solutions, which meet the smart card standards. VMware Horizon View supports both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking to ensure that digital certificate status is up to date and valid.
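As an added example, not code from this guide or from VMware, the following Python shows what the CRL half of that revocation check actually does: it parses a DER-encoded CertificateList, collects the revoked serial numbers, and enforces the thisUpdate/nextUpdate window so that a stale CRL is reported as stale instead of being read as "not revoked". The CRL is constructed inside the block from a fictitious "Lab CA" with a placeholder signature; verifying the CRL signature against the issuing CA is omitted here and is mandatory in practice.

```python
"""Minimal CRL check against a DER CertificateList (RFC 5280 section 5): extract the
revoked serial numbers and enforce the thisUpdate/nextUpdate window.
Added example with a constructed CRL; it does NOT verify the CRL signature,
which a real relying party must do against the issuing CA before trusting it."""
from datetime import datetime, timezone


# ---- tiny DER encoder, used only to construct the sample CRL ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n):
    # Two's-complement big-endian; the extra byte keeps values with the high bit set positive.
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def der_seq(*items):
    return tlv(0x30, b"".join(items))


def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("0603550403")                        # OID 2.5.4.3 (commonName)


def sample_crl(revoked_serials, this_update, next_update):
    """Constructed CertificateList from a fictitious 'Lab CA'; the signature is a zero placeholder."""
    issuer = der_seq(tlv(0x31, der_seq(OID_CN, tlv(0x13, b"Lab CA"))))
    entries = der_seq(*[der_seq(der_int(s), der_utctime(this_update)) for s in revoked_serials])
    tbs = der_seq(der_int(1), der_seq(SHA256_WITH_RSA), issuer,
                  der_utctime(this_update), der_utctime(next_update), entries)
    placeholder_sig = tlv(0x03, bytes(33))                  # BIT STRING; not a real signature
    return der_seq(tbs, der_seq(SHA256_WITH_RSA), placeholder_sig)


# ---- decoder side: what the relying party does with a fetched CRL ----
def read_tlv(buf, off):
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                                           # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + ln], off + ln


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def parse_time(raw):
    s = raw.decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_crl(der):
    """Return (thisUpdate, nextUpdate or None, set of revoked serial numbers)."""
    tag, cert_list, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = children(children(cert_list)[0][1])               # tbsCertList
    i = 1 if fields[0][0] == 0x02 else 0                       # optional version
    this_update = parse_time(fields[i + 2][1])                 # after signature and issuer
    j, next_update = i + 3, None
    if j < len(fields) and fields[j][0] in (0x17, 0x18):
        next_update, j = parse_time(fields[j][1]), j + 1
    revoked = set()
    if j < len(fields) and fields[j][0] == 0x30:               # revokedCertificates
        for _, entry in children(fields[j][1]):
            serial_bytes = children(entry)[0][1]
            revoked.add(int.from_bytes(serial_bytes, "big", signed=True))
    return this_update, next_update, revoked


def cert_status(serial, crl_der, now):
    """'revoked', 'good', or 'stale'. A CRL outside its validity window proves nothing,
    so the caller must fail closed (or fall back to OCSP) rather than treat the cert as good."""
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update or (next_update is not None and now > next_update):
        return "stale"
    return "revoked" if serial in revoked else "good"


def demo():
    utc = timezone.utc
    crl = sample_crl([0x1001, 0x1002], datetime(2013, 5, 1, tzinfo=utc), datetime(2013, 5, 8, tzinfo=utc))
    inside, after = datetime(2013, 5, 3, tzinfo=utc), datetime(2013, 6, 1, tzinfo=utc)
    return (cert_status(0x1001, crl, inside), cert_status(0x2000, crl, inside), cert_status(0x2000, crl, after))


if __name__ == "__main__":
    print(demo())  # ('revoked', 'good', 'stale')
```

The stale case is the one that matters in a DMZ: a Security Server that cannot fetch a fresh CRL has no evidence either way and must fail closed or fall back to OCSP. Leaving revocation checking on a soft-fail setting defeats the purpose of pulling a compromised CAC.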
Teradici has tested these specific smart card models:
PrODUCt SPECIFICAtIOn AnD/Or APPLEt
Middleware Provider
SuPPorTed by FirMware deScriPTion nOtES
Pre-SeSSion auThenTicaTion
in-SeSSion uSe
CyberflexAccess64KV2c
CAC(GSC-IS),ActivClientv2.6.1applet
ActivIdentity Yes(FW3.2.0and higher)
Yes(FW3.2.0and higher)
Alsoreferredtoas the Gemalto Access64KV2
None
ID-OneCosmov5.2D64K
CAC(GSC-IS),ActivClientvv2.6.1applet
ActivIdentity Yes(FW3.2.0and higher)
| Product | Specification and/or Applet | Middleware Provider | Supported by Firmware | Description | Notes |
| --- | --- | --- | --- | --- | --- |
| | | | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur Cosmo 64 V5.2D | None |
| ID-One Cosmo v5.2 72K | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 | None |
| Cyberflex Access v2c 64K | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto Access 64K V2 | None |
| ID-One Cosmo v5.2D 72K | CAC (PIV Transitional), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| Gemalto GemComb-iXpresso R4 dual interface | CAC (PIV Transitional), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto GCX4 72K DI | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| ID-One Cosmo v5.2D 72K | CAC (PIV Endpoint), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| Gemalto GemComb-iXpresso R4 dual interface | CAC (PIV Endpoint), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto GCX4 72K DI | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| Gemalto TOP DL GX4 144K | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto TOP DL GX4 144K | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| Oberthur ID-One Cosmo 128 v5.5 for DoD CAC | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One 128 v5.5 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface. |
| CosmopolIC 64K V5.2 | CAC (GSC-IS), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.2.0 and higher); Yes (FW 3.2.0 and higher) | | None |
| ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | CAC (PIV Endpoint), ActivClient v2.3.2 applet | ActivIdentity | Yes (FW 3.4.0 and higher); Yes (FW 3.4.0 and higher) | A PIV Endpoint card uses the T=1 protocol | None |
| GemComb-iXpresso | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto TOP DL GX4 72K | None |
| ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur CS PIV EndPoint v1.08 FIPS 201 | None |
| ID-One Cosmo v7.0 128K | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | | None |
| SmartCafe Expert 144K DI v3.2 | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher); Yes (FW 3.2.0 and higher) | | None |
| Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | Yes (FW 4.0.0 and higher); Yes (FW 3.2.0 and higher) | | None |
| Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | Yes (FW 4.0.0 and higher); Yes (FW 3.2.0 and higher) | | None |
| Axalto Cryptoflex .NET | Gemalto .NET | Gemalto/Windows | Yes (3.4.1 and higher); Yes (FW 3.2.0 and higher) | Implements the Gemalto .NET standard. The middleware is built into Windows. | None |
| SafeNet SC650 | Coolkey applet | 90meter | Yes (3.5.1 and higher); Yes (FW 3.2.0 and higher) | | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. |
Notes: Your card may be on the supported card list; however, the applet of the card may not be supported.
PCoIP zero clients locally terminate the smart card readers for pre-session authentication. This means that they are not redirected via USB. As such, the View Agent's PCoIP smart card component must be installed for the guest OS to see the smart card reader (this is not installed by default).
Pre-session smart card authentication to remote workstations using PCoIP host cards is not supported at this time.
Supported devices are subject to change. Visit the Teradici Web site for the latest updates, or open a ticket with Teradici Systems Engineering to request support for additional readers and smart card variants.
Table 4: Teradici-Supported CAC Card Models
Note: Although only zero clients from Teradici are highlighted in the above table, thin client partners like Wyse and HP have full product lines supporting PKI-enabled devices and token access to the federal agency network.
McAfee HBSS
For virtual desktop antivirus protection, McAfee MOVE AV is fully validated and compatible with VMware vShield Endpoint, included with vSphere 5.1.
Figure 3: A Single McAfee MOVE Virtual Appliance Installed on the Hypervisor Provides Antivirus Protection for Multiple Virtual Machines
HBSS provides advanced mitigation efforts necessary to detect, defend, react and deter, in real time, against known cyber-threats. In the current DoD network environment, HBSS is critical to maintaining network security, and addresses current network vulnerabilities to prevent future intrusions. Refer to the DISA Web site for more information on the HBSS components. For more information on McAfee MOVE AV and HBSS configuration and best practices for the Federal desktop, please refer to the McAfee MOVE / VMware Collaboration Best Practices guide.
802.1X Authentication
Depending on the authentication setting on a switch or router, 802.1X authentication can allow a remote router to connect authenticated VPN users to a secure network through a VPN tunnel. Users are then authenticated in the secure network through a RADIUS server. In Federal Secure Desktop, the design covers end-to-end security practices. In the lab validation, we enabled 802.1X authentication on the switch port. Please refer to your network equipment user guide for more information on how to enable 802.1X authentication.
vCloud Networking and Security and vShield Endpoint
The following virtual appliances were deployed in the design:
• Edge – Secures the edge of the virtual datacenter by being configured as the firewall, VPN, Web load balancer, NAT and DHCP services, monitoring packet headers for source and destination IP addresses.
• App – Protects applications in the virtual datacenter from network-based threats.
• vShield Endpoint – Included in vSphere 5.1, vShield Endpoint strengthens security for virtual machines and their Windows Server hosts while improving performance.
VMware vCloud Networking and Security App can be used as a load balancer for internal View Connection Servers accessed exclusively by users inside the corporate network. The external connections are load balanced via network load balancers.
Management
The Horizon View Administrator console shows the health of various components deployed within the infrastructure (not including third-party products). This level of information is very basic but can be sufficient for many organizations.
For organizations that require enhanced monitoring and management, including capacity planning, this architecture integrates the VMware vCenter Operations Manager for Horizon View as an optional component. When integrated, this product provides end-to-end visibility into the Horizon View environment. The patented analytics and integrated approach to performance, capacity, and configuration management delivers simplified health and performance management along with a better end-user experience, as any issues can be identified and solved proactively.
In addition to the above analytics, the architecture also supports adding more third-party analytics and monitoring tools to suit any such organizational needs.
Endpoint Management
We validated the Teradici zero client that has no local embedded OS footprint.
PCoIP Zero Client Management software is a simple, web-based tool with automated configuration to manage the entire ecosystem of PCoIP devices.
The PCoIP Management Console is a web-based management tool that allows administrators to deploy and manage an entire enterprise deployment of PCoIP devices from a central console, further streamlining the already minimal management of a PCoIP infrastructure.
With the PCoIP Management Console, administrators can:
• Monitor, configure and update all PCoIP devices from anywhere
• Graphically view status and connection information
• Remotely access and update configuration settings
• Auto-configure devices when devices are discovered on the network
• Manage devices individually or by group (i.e., location, department, function)
• Schedule firmware updates, profile application modifications, and power state changes
• Assign static connections between PCoIP hardware host and client devices
• Apply configuration data to individual devices or groups of devices
• Deploy bulk firmware updates
• Support multiple device discovery mechanisms
• View and manage device logs
• Manage the power of devices
Persona Management
In a traditional physical desktop with local storage, all the changes a user makes to their profile are stored on the local hard disk. In the virtual desktop world, desktops are available in two versions: dedicated desktops (also known as persistent desktops), in which users are assigned a specific desktop and use that desktop each time they log in; and floating desktops (also known as nonpersistent), which provide the user any available desktop for each session. For dedicated desktops, the user's profile is stored in a persistent data disk. But dedicated desktops are not storage efficient and increase the total cost of ownership for the solution.
The Federal Secure Desktop solution (like the Mobile Secure Workplace solution) employs floating desktops with Persona Management enabled. This feature seamlessly preserves a user's profile on a network share for safekeeping between sessions. Persona Management persists data and settings stored in the profile without specific knowledge of how a particular application works. This enables the architecture to be more storage-efficient. The Persona Management feature is also efficient during login times, as it downloads only the files that Windows requires, such as user registry files. Other files are copied to the desktop when the user or an application opens them from the profile folder, thus increasing efficiency.
Key Deployment Considerations
The deployment details can be segregated into five key categories:
• Initial setup
• CAC certificate setup
• Deploying the base image and desktop pools
• McAfee HBSS
• Configuring zero clients and 802.1X authentication
The following section covers the details and key considerations in each category.
Initial Setup
One of the key considerations in deploying this federal solution is that, in a typical DoD environment, there are multiple unreachable domains, and control is often not at the local level. When the View Connection Server is installed, ensure that it is installed as a local/internal server, and that the connection to <HTTP://FQDN_Of_ViewManager/admin> is verified. Ensure that no other service is using ports 80 and 443. Also, ensure that the IIS service is not running in the View Connection Server and that all ports listed in the VMware Knowledge Base article Network connectivity requirements for VMware View Manager 4.5 and later are open.
A typical DoD setup can have multiple domains, so it is important to exclude non-essential domains from each Horizon View installation to reduce start-up times. The non-essential and unreachable domains can be excluded by the VDM Admin command:
vdmadmin -N -domains -exclude -domain <Domain Name> -add
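The checks and the domain exclusion described above can be run as one pre-flight script on the Connection Server. The following PowerShell is an added example written for this page, not code from the VMware guide: it verifies that nothing else listens on ports 80 and 443, that IIS is not running, that the administrator URL answers, and then applies the vdmadmin exclusion command from the guide to a list of domains. The FQDN and the domain names are placeholders, and the vdmadmin.exe path is assumed to be the default View install location.

```powershell
# Added example (not from the VMware guide): pre-flight checks for a View
# Connection Server followed by exclusion of unreachable domains.
# Assumptions (not on the page): FQDN and domain names are placeholders;
# vdmadmin.exe is assumed to sit in the default View install directory.
param(
    [string]$ViewManagerFqdn = 'view.example.test',                     # placeholder FQDN
    [string[]]$ExcludedDomains = @('UNREACHABLE-A', 'UNREACHABLE-B'),   # placeholders
    [string]$VdmAdmin = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin.exe'  # assumed path
)

# Return every process listening on a TCP port (IPv4 and IPv6), or nothing if free.
# netstat -ano is parsed because Get-NetTCPConnection is not available on
# Windows Server 2008 R2, which this design generation typically runs on.
function Get-TcpListener {
    param([int]$Port)
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $owner = Get-Process -Id ([int]$Matches[1]) -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $Port; ProcessId = [int]$Matches[1]; Process = $owner.ProcessName }
        }
    }
}

$problems = 0

# 1. Ports 80 and 443 must be free for the Connection Server.
foreach ($port in 80, 443) {
    foreach ($listener in @(Get-TcpListener -Port $port)) {
        Write-Warning ("Port {0} is already in use by PID {1} ({2})" -f $port, $listener.ProcessId, $listener.Process)
        $problems++
    }
}

# 2. IIS (service W3SVC) must not be running on the Connection Server.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis -and $iis.Status -eq 'Running') {
    Write-Warning 'IIS (W3SVC) is running; stop and disable it so it cannot claim ports 80/443'
    $problems++
}

# 3. Verify the administrator URL answers. HTTP on port 80 normally redirects
#    to HTTPS, so any HTTP status (including a redirect) counts as reachable.
try {
    $request = [System.Net.WebRequest]::Create("http://$ViewManagerFqdn/admin")
    $request.AllowAutoRedirect = $false
    $response = $request.GetResponse()
    Write-Host ("http://{0}/admin answered with HTTP {1}" -f $ViewManagerFqdn, [int]$response.StatusCode)
    $response.Close()
} catch [System.Net.WebException] {
    Write-Warning ("http://{0}/admin not reachable: {1}" -f $ViewManagerFqdn, $_.Exception.Message)
    $problems++
}

# 4. Exclude non-essential or unreachable domains using the command form the
#    guide gives: vdmadmin -N -domains -exclude -domain <Domain Name> -add
if (Test-Path $VdmAdmin) {
    foreach ($domain in $ExcludedDomains) {
        & $VdmAdmin -N -domains -exclude -domain $domain -add
    }
    & $VdmAdmin -N -domains -list      # show the resulting domain filter
} else {
    Write-Warning "vdmadmin.exe not found at $VdmAdmin; adjust the path"
}

if ($problems -eq 0) { Write-Host 'Pre-flight checks passed' } else { Write-Warning "$problems issue(s) found" }
```

Run it from an elevated PowerShell prompt on the Connection Server itself, since vdmadmin must run locally. The port check reports the owning process so the conflicting service can be stopped rather than guessed at.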
CAC Certificate Setup
All U.S. federal employees are mandated to use PIV cards. The three variations are:
• Federal PIV Cards
• Common Access Cards (CAC)
• SIPR Tokens
DoD has adopted the PKI-based CAC as their primary authentication method into the NIPRNet. NIPRNet is composed of Internet Protocol routers owned by the DoD.
Several agencies have also migrated to SIPR hardware tokens as their primary authentication method for accessing the SIPR network. Other agencies are also moving toward a PKI-based PIV card for authentication into the federal network.
All are based on PKI/X.509 certificates and any one of them can be used to access virtual desktops in this design.
PKI is designed to allow secure communications, nonrepudiation, and authentication between two entities. It uses two keys to generate a web of trust.
In this design, the Certificate Authority (CA) is used to issue certificates and key pairs to entities (servers, devices, users, etc.). In our design, we use a combination of Root Certificate Authority (Root CA) and Intermediate CA for scalability purposes. Root CA has the highest authority to issue certificates and delegates some of the workload to the Intermediate CA for scalability and redundancy. Refer to the VMware Horizon View Administration guide for more information.
To enable smart cards to work with Horizon View, the following steps must be performed:
1. Obtain all required root and intermediate CA certificates.
2. Import certificates into a keystore file.
3. Build a locked.properties file. Make the following entries to the file:
trustKeyfile=masterkeystore
trustStoretype=JKS
useCertAuth=true
4. Put keystore and locked.properties into the <installdir>\server\sslgateway\conf folder.
5. Restart the View Connection Server to make your changes take effect.
To obtain DoD root or intermediate certificates, visit the Military CAC Web site.
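The five steps above, scripted end to end. This PowerShell is an added example written for this page, not code from the VMware guide: it imports every CA certificate from a folder into a JKS keystore with the keytool bundled with View, writes the three locked.properties entries the guide lists (preserving any unrelated entries already in the file), places both files in the sslgateway\conf folder, and restarts the Connection Server. The install directory, the keytool location under it, the certificate folder and the keystore password are assumptions or placeholders, not values from the page.

```powershell
# Added example (not from the VMware guide): build the smart card trust store
# and locked.properties for a View Connection Server, then restart it.
# Assumptions (not on the page): $InstallDir is the default View install
# directory and keytool.exe is in its bundled JRE; $CertFolder is a placeholder
# folder of .cer files (DER or PEM) obtained from the DoD PKI site; the store
# password is a placeholder to be replaced.
param(
    [string]$InstallDir    = 'C:\Program Files\VMware\VMware View',   # assumed default
    [string]$CertFolder    = 'C:\DoDCerts',                            # placeholder
    [string]$StorePassword = 'changeit'                                # placeholder
)

$keytool   = Join-Path $InstallDir 'server\jre\bin\keytool.exe'      # assumed location
$confDir   = Join-Path $InstallDir 'server\sslgateway\conf'         # path given in the guide
$keystore  = Join-Path $confDir 'masterkeystore'
$propsFile = Join-Path $confDir 'locked.properties'

if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool" }
$certs = @(Get-ChildItem -Path $CertFolder -Filter *.cer)
if ($certs.Count -eq 0) { throw "No .cer files found in $CertFolder" }

# Steps 1-2: rebuild the keystore from scratch and import every root and
# intermediate certificate as a trusted entry. -noprompt skips the interactive
# "Trust this certificate?" question; the alias is the lower-cased file name.
if (Test-Path $keystore) { Remove-Item $keystore }
foreach ($cert in $certs) {
    $alias = $cert.BaseName.ToLower()
    & $keytool -importcert -noprompt -alias $alias -file $cert.FullName `
        -keystore $keystore -storetype JKS -storepass $StorePassword
    if ($LASTEXITCODE -ne 0) { throw "keytool failed to import $($cert.Name)" }
}
# Show what was imported so the operator can compare against the DoD CA list.
& $keytool -list -keystore $keystore -storetype JKS -storepass $StorePassword

# Step 3: locked.properties with the entries from the guide. trustKeyfile is
# resolved relative to the conf folder, so only the file name is written.
# Existing unrelated entries are kept; only these three keys are replaced.
$wanted = @{ trustKeyfile = 'masterkeystore'; trustStoretype = 'JKS'; useCertAuth = 'true' }
$lines = @()
if (Test-Path $propsFile) {
    $lines = @(Get-Content $propsFile | Where-Object {
        $wanted.Keys -notcontains (($_ -split '=', 2)[0]).Trim()
    })
}
foreach ($key in 'trustKeyfile', 'trustStoretype', 'useCertAuth') { $lines += "$key=$($wanted[$key])" }
Set-Content -Path $propsFile -Value $lines -Encoding Ascii

# Step 4 is satisfied because both files were written directly into conf.
# Step 5: restart the Connection Server. The service is found by display name
# (assumed to match 'VMware*Connection Server*') rather than a hard-coded name.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'VMware*Connection Server*' }
if (-not $svc) { throw 'View Connection Server service not found; restart it manually' }
Restart-Service -InputObject $svc -Force
Write-Host "Trust store rebuilt with $($certs.Count) certificate(s); $propsFile updated; service restarted"
```

Keep the certificate folder limited to the DoD root and intermediate CAs you intend to trust: every certificate imported here becomes an issuer the Connection Server accepts for smart card logon, so an extra CA in that folder widens the trust boundary.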
Deploying the Base Image and Desktop Pools
When deploying a base image for this solution, it is critical to start from a new image instead of using a physical-to-virtual desktop image. Optimize the image based on the recommendations in the VMware Horizon View Administration guide and configure the image based on organizational policies. Accordingly, disable Windows Firewall on the domain network if allowed, or open ports 4172 UDP, 4172 TCP, 3389 TCP (only if RDP is to be used), 32111 TCP, and 9427 TCP in the Windows Firewall and any other client-side, port-filtering applications being used.
For Single Sign-On to function, the Terminal Service/Remote Desktop service must be enabled. By default, all images based on Federal Desktop Core Configuration (FDCC) have the service disabled, and you need to perform the following steps to enable the service:
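Where policy does not allow disabling the firewall, the port list above can be applied as explicit inbound rules on the domain profile. The following PowerShell is an added example written for this page, not code from the VMware guide; it uses netsh advfirewall so it works on the Windows 7 generation of FDCC images as well as later releases. The rule names and the -RdpInUse switch are this example's own choices, not identifiers from the page.

```powershell
# Added example (not from the VMware guide): open only the View ports the guide
# lists in the Windows Firewall domain profile, instead of disabling the firewall.
# Assumptions: rule names are chosen here; the -RdpInUse switch (this example's
# own) decides whether 3389/TCP is opened, because the guide opens it only
# when RDP will actually be used.
param([switch]$RdpInUse)

# Port list from the guide. Names avoid spaces so no netsh quoting is needed.
$rules = @(
    @{ Name = 'View-PCoIP-TCP-4172';  Protocol = 'TCP'; Port = 4172  },
    @{ Name = 'View-PCoIP-UDP-4172';  Protocol = 'UDP'; Port = 4172  },
    @{ Name = 'View-Agent-TCP-32111'; Protocol = 'TCP'; Port = 32111 },
    @{ Name = 'View-Agent-TCP-9427';  Protocol = 'TCP'; Port = 9427  }
)
if ($RdpInUse) {
    $rules += @{ Name = 'View-RDP-TCP-3389'; Protocol = 'TCP'; Port = 3389 }
}

foreach ($r in $rules) {
    # Remove any earlier rule of the same name so re-running does not create duplicates.
    netsh advfirewall firewall delete rule name=$($r.Name) | Out-Null
    netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
        protocol=$($r.Protocol) localport=$($r.Port) profile=domain enable=yes
    if ($LASTEXITCODE -ne 0) { throw "Failed to add firewall rule $($r.Name)" }
}

# Confirm the domain profile is still enforcing and list the rules just created.
netsh advfirewall show domainprofile state
foreach ($r in $rules) { netsh advfirewall firewall show rule name=$($r.Name) }
```

Scoping the rules to the domain profile keeps the public and private profiles untouched, and leaving 3389/TCP closed unless RDP is genuinely required keeps the PCoIP-only posture the guide recommends for the pools.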
1. In Windows Vista or Windows 7, right click Computer from the Start Menu and select Properties. On the upper left side of the Properties dialog, select Remote Settings.
2. In the Remote Settings dialog, make sure Allow connections only from computers running remote desktop with network level authentication is checked and then click Select Users to assign the users that are allowed to connect.
3. In the Remote Desktop Users dialog, click Add, and in the Select Users dialog enter the group or groups that contain all potential Horizon View users and the View Connection Server service account (typically the Domain Users group from the local authentication domain).
4. Ensure there are no denials for remote desktop connectivity. By default these images typically have Everyone denied access. This explicit deny will override the Allow that was set up in the above steps.
a. Open a command prompt using Run As Administrator.
b. Type gpedit.msc <Enter>.
c. IntheLocalGroupPolicyEditornavigatetoComputer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
d. Intherightpanel,scrolldowntoDeny log in through Terminal Services.Double-clickandchecktoseeifthereareanygroupsthere.Ifthereareanygroupslisted,theywillbeunabletoconnecttoaHorizonViewdesktop.Selecteachgroup(especiallytheEveryonegroup)andclickRemove to removethemfromthedenylist.ThenclickOK.
VA L I D AT E D D E S I G N G U I D E / 2 0
VMware Federal Secure Desktop
5. Scroll up to Allow log in through Remote Desktop Services and double-click. By default, Administrators and Remote Desktop Users are granted this right. Add the Domain Users group from the authentication domain (or any group or groups that contain all the potential Horizon View desktop users and the View Connection Server service account). Click OK and close the Group Policy Editor.
Note: Ensure that the domain-level GPO does not override the above settings. After the base image is created, to activate it in DoD, a valid CAC card is required. CAC can be passed through to the image via the vSphere 5 client through the console, with the USB controller added to the parent image to allow this (Dameware and RDP can also be used). Once the CAC is passed through, activate Windows, select the certificate, and enter a CAC PIN under Control Panel\System and Security\System.
6. Finally, ensure that VMware Tools is installed before installing Horizon View Agent.
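Because a domain GPO can silently reapply the Everyone deny after the GUI steps above, the result is worth auditing on the finished image. The following PowerShell is an added example written for this page, not code from the VMware guide: it reads the Remote Desktop and NLA switches from the registry, exports the effective user rights with secedit, and reports whether the deny right is empty and the intended group holds the allow right. The group name is a placeholder for the authentication domain's Domain Users group.

```powershell
# Added example (not from the VMware guide): audit a base image for the
# Remote Desktop settings required by the Single Sign-On steps.
# Assumption: $AllowedGroup is a placeholder for DOMAIN\Domain Users of the
# authentication domain (or whichever group contains all View users).
# Run from an elevated prompt; secedit needs administrative rights.
param([string]$AllowedGroup = 'EXAMPLE\Domain Users')   # placeholder

$findings = @()

# 1. Remote Desktop must be enabled and restricted to Network Level Authentication.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -ne 0) { $findings += 'Remote Desktop connections are disabled (fDenyTSConnections is not 0)' }
if ($rdp.UserAuthentication -ne 1) { $findings += 'Network Level Authentication is not required (UserAuthentication is not 1)' }

# 2. Export the effective user rights. In the .inf, the two rights of interest are:
#    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
#    SeRemoteInteractiveLogonRight     = "Allow log on through Remote Desktop Services"
$export = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content $export
Remove-Item $export

# Return the principals assigned to one user right, translating *S-1-... SIDs
# to account names where the machine can resolve them.
function Get-RightPrincipals {
    param([string[]]$PolicyLines, [string]$Right)
    $line = $PolicyLines | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    (($line -split '=', 2)[1]).Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object {
            $entry = $_
            if ($entry -like '*S-1-*') {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
}

$deny  = @(Get-RightPrincipals -PolicyLines $policy -Right 'SeDenyRemoteInteractiveLogonRight')
$allow = @(Get-RightPrincipals -PolicyLines $policy -Right 'SeRemoteInteractiveLogonRight')

# Step 4 of the guide: nothing (especially Everyone) may remain in the deny right,
# because an explicit deny overrides the allow granted in step 5.
if ($deny.Count -gt 0) {
    $findings += "Deny log on through Remote Desktop Services still lists: $($deny -join ', ')"
}
# Step 5: the View user group must hold the allow right.
if ($allow -notcontains $AllowedGroup) {
    $findings += "Allow log on through Remote Desktop Services lacks $AllowedGroup (currently: $($allow -join ', '))"
}

if ($findings.Count -eq 0) {
    Write-Host 'Base image Remote Desktop settings match the guide'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the audit after the image has joined the domain and received its GPOs (gpupdate /force first), since that is when a domain-level deny would reappear; a non-zero exit code makes it usable as a gate in an image build pipeline.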
For desktop pools in this architecture, it is recommended that you use floating pools with ThinApp, Persona and User Data locations redirected at login. To enhance the user experience, third-party persona management tools can also be used.
As a best practice for this solution, ensure that users are logged out 120 minutes after disconnect and that the desktops are refreshed immediately after logout. Ensure that PCoIP is set as the default protocol to access desktops, and disable users from choosing the protocol. Also, for a better user experience, ensure that Adobe Flash Quality is set to Medium in the pool settings in the View Connection Server.
McAfee HBSS
For optimal performance of McAfee HBSS, the following considerations are recommended:
• Set McAfee agent to server communication interval to 720 minutes or less
• Set policy enforcement interval to 30 minutes or less
• Perform a full scan on the parent image before building pools
• If allowed, only scan on Read, not Write
• Disable the setting Run Missed Jobs at startup
Configuring Zero Clients and 802.1X Authentication
Zero clients based on the Teradici TERA chipset are ultra-secure, easy-to-manage devices that offer the richest user experience in this solution. In addition to supporting a variety of authentication methods (SIPR Tokens, CAC cards) and encryption types (TLS 1.0 with AES-128-CBC-SHA, TLS 1.0 with AES-256-CBC-SHA, Suite B ciphers, AES-128-GCM, AES-256-GCM and Salsa20-256-Round12), zero clients also support 802.1X network device authentication using EAP-TLS certificates. Under this method, all network endpoint devices must be authenticated before they are granted access to the network, thus adding an additional layer of security beyond username and password credentials. To configure this, an 802.1X-supported switch was used in this architecture.
User Connection Flow Sequence
This sequence shows how a desktop, laptop, or mobile device connects to virtual machines in a datastore managed by VMware vSphere. This includes secure implementations that require a NIPRNet token or tokens from the newer SIPRNet.
Figure 4: Virtual Desktop Connection Path (diagram; the component labels and callouts recoverable from the figure are listed below)
Components shown: NIPRNET and SIPRNet client networks; Zero Client (PKI-enabled, CAC, 802.1X authentication); Horizon View Security Server; Horizon View Connection Server; Horizon View Composer (optional); VMware vCenter; Active Directory; VMware vSphere hosts running the virtual machines.
Callouts on the connection path:
• Allow TCP 443; TCP/UDP 4172
• IPS SSM module configured to prevent basic IPS signature for malicious attack
• Enforce PKI auth
• NIAP approved for Suite B encryption
• Security Server ACL to only allow TCP 8009 and 4001 to Connection Server for pairing
• TCP/UDP 4172 to WIN7 VDI VLAN
Callouts on the WIN7 VDI VLAN:
• HBSS suite installed
• HTTP traffic proxied
• PKI enabled for SIPRNET token
Callouts on the Server VLAN:
• Separated by strict FW/IPS policy
Summary
The Federal Secure Desktop solution provides a validated end-to-end architecture for DoD and other federal agency deployments which takes into account all the key components required for a secure Horizon View implementation.
This architecture, built with VMware Horizon View and ecosystem partner components, was tested for the ability of various integrated products to provide a validated solution. The architecture, while tightly integrated, is also built to be modular so customers can pick and choose the various components that fit their specific needs. The architecture is also scalable per the guidelines provided in VMware Horizon View reference architectures.
This design caters to the three key virtual desktop requirements in any federal organization: mobility, security and management. With VMware Horizon View and other management products like vCenter Operations Manager, this design enhances the security requirement by adding federal-specific components like Common Access Cards, SIPR Tokens, and HBSS. The solution also provides enhanced network-level security, integrating 802.1X authentication with zero clients.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-VDG-FEDSECDKTP-USLET-02130429-WEB
About the Authors
Muthu Somasundaram and Cynthia Hsieh wrote this document. Muthu is Product Line Marketing Manager in End-User Computing Solutions at VMware. Cynthia is Group Product Manager, Solution Management, in End-User Computing at VMware.
The authors would like to thank Glenn Exline, Systems Engineering Manager at VMware; Elcio Mello from Teradici; and Christie Karrels and Christopher Beckham from McAfee for their contributions to the content and validation of the solution.
To comment on this paper, contact the VMware End-User Computing Solutions Management and Technical Marketing team at twitter.com/vmwareeucsmtm.