VMworld Europe 2013 Marilyn Basanta, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

1. Enhancing Workplace Mobility and BYOD with the
VMware Mobile Secure Workplace
Marilyn Basanta
Technical Solutions Architect
VMware End User Computing
@marilynbasanta
EUC5509
#EUC5509

2. Agenda
 Solution overview
 Breakdown of elements
 Load balancing and namespace services
 AD configuration for PKI and Certificate Services
 RADIUS integration
 Persona management
 vCloud Network and Security
 vShield Endpoint and Anti Malware
 vSphere and View configuration considerations
 Horizon Workspace configuration considerations
 Horizon Workspace - Mobile
 Partner Solution – Trend Micro Mobile Security
 Final comments

3. Solution Overview
L7
End User Devices
Internal Network
External Network/
INTERNET
AD
SSO CA
RADIUS
F&P BACKUP
vC
VCNS AV
Knowledge
Workers
Mobile
Knowledge
Power
Users
MOBILITY
SECURITY
USER EXPERIENCE
VMware View Security Server
VMware View Connection Managers
HW: Gateway VM
vCOPs
Horizon
Workspace vApp
Trend Micro Mobile Security

4. Before we dive in, some top level items to consider…
TCP/IP Schema, VLANs, routing
and name resolution
considerations
Active Directory topology and
requirements
Network security requirements
and policies
Application workload
requirements, user roles and
behavior
LAN/WAN Topology and design
for real time protocols
Compliance requirements

5. Load Balancing and namespace services
L7
VMware View
Security Servers
VMware View
Connection Managers
End User Devices
Internal Network
External Network/
INTERNET
• Ensure dedicated LB networks are planned for and
exist in advance of deployment
INTERNAL EXTERNAL HA DMZ
• Plan for redundant configurations, N+1 and vSphere HA/DRS affinity
rules

6. Active Directory considerations
• Evaluate any existing AD
infrastructure
• New child domain? Security
requirements
• Enough DC resources in the
necessary sites?
• Enterprise CA will need to be
configured from the FRD down if
you are deploying a Windows based
PKI
• Sites and subnets configured
appropriately to localize domain
operations to the closest DCs

7. • Configuration steps are provided in the
solution design document
RADIUS Integration
• More choices for RADIUS integration
• Plan for extra connection servers to
provide redundant support for users
authenticating with RADIUS
• Validated solution uses Microsoft
RADIUS in the design.

8. Persona Management
• Considerations for virtual machines hosting
profile volumes
• Tuning the profile upload interval for scale
• When possible use Persona instead of
Windows Roaming profiles to avoid conflict
• Folder redirection balanced with roaming
data
• Application specific requirements such as
ThinApp sandbox roaming
• AV strategy using Persona, in band scanning
as part of vShield Endpoint or out of band on
the persona management fileservers

9. vSphere and View considerations
vDS
• Where possible leverage vDS in
management and View VDI infrastructure
• Auto-Deploy and host profiles for rollout
and ongoing compliance, conformity at
scale
• vCNS Edge for network services such as
DHCP, load balancing
• vMA for host management and
administration, vSphere web client

10. vCNS – App Firewall and Edge
VMware vSphere
Knowledge
Workers
Power
Users
LOB Apps
• vCNS App and Edge services
to provide security for our
logical groupings of VMs
• Define in advance the access
rules that will be required to
secure your resources
effectively
• Remember to define rules for
View agent/client/server
communication and display
protocols!
• Get familiar with the
troubleshooting techniques
required for vShield, you
*WILL* need to debug at some
stage!
Start with an open policy then
lock it down as you go

11. vSphere Feature – vShield Endpoint
Partner Solution: Trend
Micro Deep Security
Security API
ESX
Anti-Virus
Workload VM’s
VMDK
EPSec
• Understand the impact
on density, plan for
dedicated resources
required by security
VM per host
• Fully evaluate performance characteristics
• Look out for gotcha’s in on-access scanning and scheduled
scanning defaults
• Ensure all hosts successfully install vShield Endpoint as part of the
deployment process prior to deploying infrastructure or VDI
services. If possible integrate the vendor specific VIBs into your
ESXi installation image.

12. Deep Security Virtual Appliance
• Intrusion prevention
• Firewall
Virtualization Security with Deep Security
Agentless Security Platform for Private Cloud Environments
• Anti-malware
• Web reputation
• Integrity monitoring
VM VM VM
The Old Way
Security
Virtual
Appliance
VM VM VM
With Deep Security
VM
Easier
Manageability
Higher
Density
Fewer
Resources
Stronger
Security
VM
More VMs
1310/17/2013 Confidential | Copyright 2012 Trend Micro Inc.

13. Horizon Workspace vApp
Workspace vApp
Configurator
VA
OS (SLES)
tcserver
Service VA
OS (SLES)
App
API
DBtcserver
Data VA
OS (SLES)
App
API
DB LDAPJetty
App
Connector
VA
OS (SLES)
tcserver
App
Gateway
VA
OS (SLES)
Nginx
Modules
• Central Wizard UI
• Distributes settings
across VAs
• Network, Gateway,
vCenter, SMTP
attributes
• Add / remove modules
• Manage certs, security
• User authentication (RSA SecureID)
• AD secure bind and synchronization
• Set replication schedule
• Sync View pools and ThinApp
• Enables single user-
facing domain
• Routes requests to
correct node
• Workspace Admin UI
• Application Catalog
• Manage user entitlements
• Workspace Groups
• Reporting
• Stores files
• Controls file sharing policy for
internal and external users
• Manage file preview server
• Serves end user web UI

14. Horizon Workspace Deploy Considerations
• Ensure DNS name resolution is prepared in advance
• Split brain considerations for Gateway FQDN
• Prepare Signed Certificates in advance, the entire SSL chain
must be exported
• Create an Active Directory BIND DN account
• Ensure Active Directory group structure is in place to support
Workspace services (applications, data)

15. Horizon Workspace Deploy Considerations
• Prepare ThinApp repositories
• Configure SAML settings for View, the
default the SAML Timeout is 15 minutes
• Decide on a preview strategy (LibreOffice or
Microsoft Preview Server)
• User Principal Name (UPN) set as a required
attribute for View
• Horizon Data storage sizing

16. Horizon Workspace – Gateway-va Diagram
L7 Load Balancer
Load balancing strategy and technical preparation complete

17. Virtualization on Android (Mobile Virtualization Platform)
Personal Corporate
Corporate Workspace
Enterprise Catalog
Mail/Calendar App
Custom Apps
3rd Party Apps
 Own your full version of Android OS
 Consistent native mobile experience
 Deploy applications without modifying them
Solve Android fragmentation
 Strict corporate assets isolation
 Corporate data encryption
 VPN policy for corporate traffic
Prevent data leakage
 Exchange email, calendar, secure browser,
file browser and contacts
 Your Line Of Business application
Provide productivity features

18. How do Employees Obtain VMware Horizon Workspace/Mobile?
Employees’ Device
VMware Switch
Confidential

19. Sony is supporting Vmware Ready devices as standard feature
Coming soon: Xperia Z1
and Xperia Ultra Z will be
VMware Ready for
World Wide coverage.

20. Today’s Attacks: Social, Sophisticated, Stealthy!
Attacker
Moves laterally across network
seeking valuable data
Establishes Command
& Control server
Extracts data of interest – can go
undetected for months!
$$$$
Gathers intelligence about
organization and individuals
Targets individuals
using social engineering
Employees

22. MOBILE MALWARE
Yes… It’s real.

24. It’s not just “malware”, but, privacy leaks..

25. Well Known Apps Leak Data ..

26. Device Management & Control
Employees
Trend Micro
Mobile Security
Email SharePoint Corp Data Web Traffic
• Easy onboarding: email, URL, QR code
• Apple (iOS), Android, Blackberry, Windows Phone 7
and 8
• Optional Cloud Communication Server
• Device Discovery
• Device Provisioning
• Remote Control
• Reporting
• Inventory Management
Cloud
Comm.
Server

27. Threat Protection
Employees
Email SharePoint Corp Data Web Traffic
Trend Micro
Mobile Security
• Android AV and Website
Reputation
• Leveraging Smart Protection
Network
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam

28. Complete End User Protection
Email &
Messaging
Web
Access
Device Hopping
Collaboration
Cloud Sync
& Sharing
Social
Networking
File/Folder &
Removable Media
Anti-Malware Encryption
Application
Control
Device
Management
Data Loss
Prevention
Content
Filtering
Employees
IT Admin
Security

29. Trend Micro Mobile Security
Manage Device
Management
• Device Discovery
• Device Enrollment
• Device Provisioning
• Asset Tracking
• S/W Management
• Remote Control
• Reporting
• Summary Views
• Summery Reports
Mobile Device
Security
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam
• Jail break detection
• App Reputation
Data Protection
• Encryption Enforcement
• Remote Wipe
• Selective Wipe
• Remote Lock
• Feature Lock
• Password Policy
Application
Management
• App Black Listing
• App White Listing
• App Push
• Required
• Optional
• App Inventory
Stand Alone/Integrated

30. Horizon Virtual Workspace
Windows Management
and Delivery
(server hosted & local)
(apps and desktops)
VMware Horizon View & Mirage
Secure Mobile
Workspace
(across all devices)
(apps, data, collaboration)
VMware Horizon Workspace
Virtual
Workspace
Secure access to all my
stuff, anywhere, anytime

31. Next Steps
For more information on Mobile Secure Desktop design, please visit:
Mobile Secure Desktop Validated Design
Guidehttp://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf
Mobile Secure Desktop Solution Guidehttp://www.vmware.com/files/pdf/view/Mobile-
Secure-Desktop-Solution-Brief.pdf
View Design
Resourceshttp://www.vmware.com/products/desktop_virtualization/view/technical-
resources.html#Design
Horizon Workspace Reviewer’s Guide
http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reviewers-
guide.pdf
Integrating Horizon Workspace and Horizon View
http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-integration-horizon-
workspace.pdf
Configuring Horizon Switch
http://blogs.vmware.com/horizontech/2013/08/configuring-vmware-switch-for-android-
with-vmware-horizon-workspace-1-5.html

32. THANK YOU