VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace
1. Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace
Marilyn Basanta
Technical Solutions Architect
VMware End User Computing
@marilynbasanta
EUC5509
#EUC5509
2. Agenda
Solution overview
Breakdown of elements
Load balancing and namespace services
AD configuration for PKI and Certificate Services
RADIUS integration
Persona management
vCloud Network and Security
vShield Endpoint and Anti Malware
vSphere and View configuration considerations
Horizon Workspace configuration considerations
Horizon Workspace - Mobile
Partner Solution – Trend Micro Mobile Security
Final comments
3. Solution Overview
[Architecture diagram: End User Devices (Knowledge Workers, Mobile Knowledge Workers, Power Users) on the External Network/INTERNET reach, through an L7 load balancer, the VMware View Security Servers, VMware View Connection Managers, the Horizon Workspace vApp (HW: Gateway VM) and Trend Micro Mobile Security on the Internal Network, backed by AD, SSO, CA, RADIUS, F&P (file and print), BACKUP, vC (vCenter), VCNS, AV and vCOPs. Pillars: MOBILITY, SECURITY, USER EXPERIENCE.]
4. Before we dive in, some top level items to consider…
TCP/IP schema, VLANs, routing and name resolution considerations
Active Directory topology and requirements
Network security requirements and policies
Application workload requirements, user roles and behavior
LAN/WAN topology and design for real time protocols
Compliance requirements
5. Load Balancing and namespace services
[Diagram: End User Devices on the External Network/INTERNET reach an L7 load balancer in front of the VMware View Security Servers and VMware View Connection Managers on the Internal Network; load balancer segments: INTERNAL, EXTERNAL, HA, DMZ.]
• Ensure dedicated LB networks are planned for and exist in advance of deployment
• Plan for redundant configurations, N+1 and vSphere HA/DRS affinity rules
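The second bullet, redundancy and DRS affinity rules for the View servers, is the kind of thing that is easy to state and easy to get wrong: an anti-affinity rule with more member VMs than hosts can never be satisfied, and N+1 means the rule must still hold with one host down. The following PowerCLI script is an added example, not part of the deck or of any VMware tooling; the vCenter name, cluster name and VM names are placeholders.

```powershell
# Added example (not from the deck): keep View Connection Servers on separate
# ESXi hosts with a DRS anti-affinity rule, and check N+1 before creating it.
# Assumes VMware PowerCLI; vcenter.corp.example, 'Mgmt-Cluster' and the
# view-cs-0x VM names are placeholders.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server vcenter.corp.example

$cluster = Get-Cluster -Name 'Mgmt-Cluster'
$csVMs   = Get-VM -Name 'view-cs-01','view-cs-02','view-cs-03'
$hosts   = $cluster | Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }

# N+1: one host may fail and every connection server must still get its own host,
# so the cluster needs at least (number of VMs + 1) connected hosts.
if ($csVMs.Count -gt ($hosts.Count - 1)) {
    throw "N+1 not met: $($csVMs.Count) connection servers but only $($hosts.Count) connected hosts"
}

# KeepTogether $false is the "separate virtual machines" (anti-affinity) form.
$rule = New-DrsRule -Cluster $cluster -Name 'View-ConnectionServers-AntiAffinity' `
                    -KeepTogether $false -VM $csVMs -Enabled $true

# Verify the rule and where DRS placed the VMs once it has applied it.
Get-DrsRule -Cluster $cluster -Name $rule.Name | Select-Object Name, Enabled, KeepTogether
$csVMs | Select-Object Name, VMHost
```

Run the same script a second time with the Security Server VMs to give the DMZ tier its own rule; the host-count check is what turns "plan for N+1" into something that fails loudly at deployment time rather than during the first host outage.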
6. Active Directory considerations
• Evaluate any existing AD infrastructure
• New child domain? Security requirements
• Enough DC resources in the necessary sites?
• Enterprise CA will need to be configured from the forest root domain (FRD) down if you are deploying a Windows based PKI
• Sites and subnets configured appropriately to localize domain operations to the closest DCs
• Configuration steps are provided in the solution design document
7. RADIUS Integration
• More choices for RADIUS integration
• Plan for extra connection servers to provide redundant support for users authenticating with RADIUS
• Validated solution uses Microsoft RADIUS in the design.
8. Persona Management
• Considerations for virtual machines hosting profile volumes
• Tuning the profile upload interval for scale
• When possible use Persona instead of Windows roaming profiles to avoid conflict
• Folder redirection balanced with roaming data
• Application specific requirements such as ThinApp sandbox roaming
• AV strategy when using Persona: in-band scanning as part of vShield Endpoint, or out-of-band scanning on the Persona Management file servers
9. vSphere and View considerations
vDS
• Where possible leverage vDS in management and View VDI infrastructure
• Auto-Deploy and host profiles for rollout and ongoing compliance, conformity at scale
• vCNS Edge for network services such as DHCP, load balancing
• vMA for host management and administration, vSphere web client
10. vCNS – App Firewall and Edge
[Diagram: VMware vSphere hosting logical groupings of VMs: Knowledge Workers, Power Users, LOB Apps.]
• vCNS App and Edge services to provide security for our logical groupings of VMs
• Define in advance the access rules that will be required to secure your resources effectively
• Remember to define rules for View agent/client/server communication and display protocols!
• Get familiar with the troubleshooting techniques required for vShield, you *WILL* need to debug at some stage!
Start with an open policy then lock it down as you go
11. vSphere Feature – vShield Endpoint
Partner Solution: Trend Micro Deep Security
[Diagram: ESX host running the Anti-Virus security VM, which scans the Workload VMs' VMDKs through the EPSec Security API.]
• Understand the impact on density, plan for dedicated resources required by the security VM per host
• Fully evaluate performance characteristics
• Look out for gotchas in on-access scanning and scheduled scanning defaults
• Ensure all hosts successfully install vShield Endpoint as part of the deployment process prior to deploying infrastructure or VDI services. If possible integrate the vendor specific VIBs into your ESXi installation image.
12. Deep Security Virtual Appliance
Virtualization Security with Deep Security: Agentless Security Platform for Private Cloud Environments
• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring
[Diagram: "The Old Way" places security in each VM; "With Deep Security" one Security Virtual Appliance per host protects all VMs, leaving room for more VMs. Benefits: Easier Manageability, Higher Density, Fewer Resources, Stronger Security.]
10/17/2013 Confidential | Copyright 2012 Trend Micro Inc.
13. Horizon Workspace vApp
Workspace vApp components (each VA runs on SLES):
• Configurator VA (tcserver): central wizard UI; distributes settings across VAs; network, gateway, vCenter, SMTP attributes; add / remove modules; manage certs, security
• Service VA (App, API, DB, tcserver): Workspace Admin UI; Application Catalog; manage user entitlements; Workspace Groups; reporting
• Data VA (App, API, DB, LDAP, Jetty): stores files; controls file sharing policy for internal and external users; manage file preview server; serves end user web UI
• Connector VA (tcserver, App): user authentication (RSA SecurID); AD secure bind and synchronization; set replication schedule; sync View pools and ThinApp
• Gateway VA (Nginx): enables single user-facing domain; routes requests to correct node
14. Horizon Workspace Deploy Considerations
• Ensure DNS name resolution is prepared in advance
• Split brain considerations for Gateway FQDN
• Prepare signed certificates in advance; the entire SSL chain must be exported
• Create an Active Directory BIND DN account
• Ensure Active Directory group structure is in place to support Workspace services (applications, data)
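Three of the items above (the bind DN account, the group structure and the exported certificate chain) can be checked before the vApp is ever powered on. The script below is an added example written for this page, not VMware's or Trend Micro's code; the DC name, base DN, service account name, group names and certificate file name are all placeholders, and the bind is done over LDAPS because the slide calls for a secure bind.

```powershell
# Added example (not from the deck): pre-flight checks for the Workspace
# Connector prerequisites. Assumes the ActiveDirectory module, a DC at
# dc01.corp.example, a bind account svc-horizon-bind, groups HW-Apps-Users and
# HW-Data-Users, and a leaf certificate file gateway.cer (all placeholders).
Import-Module ActiveDirectory

# 1. Bind DN: look up the service account's DN and prove it can perform a
#    simple bind over LDAPS (636). The account only needs read access; the
#    vApp should never be given a privileged account for directory sync.
$bindDN = (Get-ADUser -Identity 'svc-horizon-bind').DistinguishedName
$secure = Read-Host -Prompt "Password for $bindDN" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$entry = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://dc01.corp.example:636/DC=corp,DC=example',
    $bindDN,
    $plain,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
try {
    $null = $entry.NativeObject     # touching the object forces the bind
    "Secure bind OK as $bindDN"
} catch {
    throw "Secure bind failed: $($_.Exception.Message)"
}

# 2. Groups that Workspace will sync and entitle must exist up front.
foreach ($g in 'HW-Apps-Users', 'HW-Data-Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        Write-Warning "Missing AD group: $g"
    }
}

# 3. Certificate: build the chain from the leaf and export every element
#    (leaf, intermediates, root, in that order) into one PEM bundle, which is
#    the "entire SSL chain" the slide says must be available.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('gateway.cer')
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build to a trusted root; obtain the missing intermediate first'
}
$pem = foreach ($el in $chain.ChainElements) {
    "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($el.Certificate.RawData, 'InsertLineBreaks') +
    "`n-----END CERTIFICATE-----"
}
Set-Content -Path 'gateway-chain.pem' -Value $pem -Encoding Ascii
"Exported $($chain.ChainElements.Count) certificates (leaf first) to gateway-chain.pem"
```

The chain check is the one most often skipped: a leaf certificate that verifies fine on an admin workstation with cached intermediates will still fail on the Gateway VA if the intermediate was never exported with it, and the failure shows up as a client-side trust error rather than anything in the vApp logs.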
15. Horizon Workspace Deploy Considerations
• Prepare ThinApp repositories
• Configure SAML settings for View; the default SAML timeout is 15 minutes
• Decide on a preview strategy (LibreOffice or Microsoft Preview Server)
• User Principal Name (UPN) set as a required attribute for View
• Horizon Data storage sizing
17. Virtualization on Android (Mobile Virtualization Platform)
[Diagram: a Personal side and a Corporate side on the device; the Corporate Workspace holds the Enterprise Catalog, Mail/Calendar App, Custom Apps and 3rd Party Apps.]
Own your full version of Android OS
Consistent native mobile experience
Deploy applications without modifying them
Solve Android fragmentation
Strict corporate assets isolation
Corporate data encryption
VPN policy for corporate traffic
Prevent data leakage
Exchange email, calendar, secure browser, file browser and contacts
Your Line Of Business application
Provide productivity features
18. How do Employees Obtain VMware Horizon Workspace/Mobile?
[Diagram: Employees’ Device, VMware Switch]
19. Sony is supporting VMware Ready devices as a standard feature
Coming soon: Xperia Z1 and Xperia Ultra Z will be VMware Ready for worldwide coverage.
20. Today’s Attacks: Social, Sophisticated, Stealthy!
[Attack lifecycle diagram, Attacker to Employees:]
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes Command & Control server
• Moves laterally across network seeking valuable data
• Extracts data of interest ($$$$), can go undetected for months!
26. Device Management & Control
[Diagram: Employees' devices managed by Trend Micro Mobile Security, with an optional Cloud Communication Server, in front of Email, SharePoint, Corp Data and Web Traffic.]
• Easy onboarding: email, URL, QR code
• Apple (iOS), Android, Blackberry, Windows Phone 7 and 8
• Optional Cloud Communication Server
• Device Discovery
• Device Provisioning
• Remote Control
• Reporting
• Inventory Management
27. Threat Protection
[Diagram: Employees' devices protected by Trend Micro Mobile Security in front of Email, SharePoint, Corp Data and Web Traffic.]
• Android AV and Website Reputation
• Leveraging Smart Protection Network
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam
28. Complete End User Protection
[Diagram: channels used by Employees: Email & Messaging, Web Access, Device Hopping, Collaboration, Cloud Sync & Sharing, Social Networking, File/Folder & Removable Media. Controls applied by IT Admin and Security: Anti-Malware, Encryption, Application Control, Device Management, Data Loss Prevention, Content Filtering.]