With VMware SASE for Anywhere Workspace, VMware has combined the consistent, secure cloud application access functionality of VMware SD-WAN, Secure Access, and Cloud Web Security with the capability of Workspace ONE to allow only trusted devices and users to access applications hosted on-premises or in the cloud.
This guide will walk you through demonstrating SASE for Anywhere Workspace in the ready to use TestDrive environment.
Before You Begin
In order to complete a VMware Secure Access Walkthrough, you'll need the following:
- A valid VMware TestDrive account with Workspace ONE UEM enabled in the VMware TestDrive portal.
- A recommended device: Recent, updated Windows 10 physical or VM. Windows 10 Enterprise evaluation ISO is available via Microsoft download. Maintain a clean VM snapshot, or System Restore point on a physical device, for a fast roll back.
- Tip! To keep your VM in tip-top shape, first build a new completely updated Windows VM, then create a snapshot. At intervals, revert to the snapshot, update it, then create a new snapshot.
- You can also use an iOS, Android, or macOS device. If using one of those, enrollment and Workspace ONE experience is the same. Windows is covered herein.
- Access to the ready to use Workspace ONE UEM Console.
- Workspace ONE UEM administrator role: Device Administrator at World Wide Enterprises
- For the console-side discussion, be sure you have the UEM console open with the necessary console views already loaded in your browser's tabs.
- A Dropbox account. Any Dropbox account will do.
- Network access from your device and TCP 443 enabled on your local network.
Introduction
VMware Secure Access enables secure, optimized, and high-performance access for remote and mobile workers.
The VMware Secure Access solution is designed to address enterprise concerns over inconsistent access, poor user experience, and stress on enterprise infrastructure. It will provide a multi-region, per-app VPN service for iOS, Android, Windows and MacOS clients, with role-specific policies allowing for persona-based controls.
VMware Secure Access is delivered as a service through a global network of VMware SASE points of presence (PoPs).
Enrollment
Hub-initiated enrollment is currently the recommended Windows enrollment method for a Windows device with an existing user profile.
- Go to https://getwsone.com. Download the Workspace ONE Intelligent Hub (Hub) and install it.
- When prompted, enter your Workspace ONE enrollment email address to be automatically routed to testdrive.awmdm.com, choose the enrollment OG, and authenticate into Workspace ONE.
- Proceed through accepting all prompts until enrollment is completed.
Enrollment email: <username>@vmtestdrive.com
Organization Group: Enterprise - Corporate Owned Demo
Enrollment credentials: TestDrive username & password
The Enterprise - Corporate Owned Demo flow (corp) supports modern Windows management including the functionality showcase for VMware Secure Access integrated with Workspace ONE. Alternatively, Enterprise - BYOD Demo (BYOD) flow is also set up for VMware Secure Access. However, the BYOD flow is sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device, therefore BYOD contains minimal management.
Check your device in the Workspace ONE UEM console to verify that enrollment has completed.
Workspace ONE UEM Console Overview
Talking Points
- An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration how the PC should be set up, and additional profiles can be applied to meet specific requirements.
- Profiles are the settings, when combined with compliance policies, that help enforce organizational security policies.
- Passcode, Wi-Fi, certificate issuance, app whitelist/blacklist, and device restrictions are just a few profile types that may be created for Windows 10.
Go to Resources > Profiles on the left-side console menu. On the far right, in the Search List box, enter "WWE - Windows" to quickly filter your view to list only Windows 10 profiles. You can identify the WWE – Windows – WS1 Tunnel profile, which enables Per-App Tunnel access on your enrolled device.
Drill Into UEM Profiles
If you wish, click through individual profiles to see review its payload. Use any pre-configured optional device profiles as needed.
Switch to your browser tab open with the device list. Find your device by filtering by your username. Drill into your device details and discuss profiles, apps, content and other features your audience would find important.
On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, from this view. Again, use optional profiles to aid your discussion.
Workspace ONE Intelligent Hub
Talking Points
- VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
- The Unified App Catalog transforms employee on-boarding. Simply accessing the Workspace ONE Intelligent Hub app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
- Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual desktops (VDI) and applications (RDSH).
- Internal web apps through a secured browser
- SaaS apps with SAML-based SSO and provisioning framework
- Native public mobile apps through brokerage of public app stores
- Modern Windows apps through the Windows Business Store
- Legacy Windows apps through Windows app package delivery
- Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.
After enrollment, Workspace ONE Intelligence Hub automatically launches, preconfigured with the Workspace ONE Access tenant.
With Workspace ONE UEM managed authentication, the user's access into Workspace ONE Intelligent Hub is seamless. Manual user authentication is not required, but can be configured as a fallback method.
Locate Windows Desktop Apps
Proceed into Workspace ONE Intelligent Hub. Review the streamlined user access to all assigned apps: native, web, or virtual.
Once inside Workspace ONE Intelligent Hub, go to Apps > Categories.
Categories are configurable and provide quick filters for sorting various app types.
Note the rapid and seamless access Workspace ONE Intelligent Hub provides for VDI and RDSH under the Virtual Apps category.
Finally, in categories, select Windows Apps at the top. More details on those are next.
Automatic Provisioning of Windows Apps
Talking Points
- No longer do PCs need to be tied to local area network (LAN) computer management systems for native Windows app management. Both Windows 10 desktops and Windows 10 mobile devices can now have Windows apps managed over-the-air (OTA) by Workspace ONE UEM.
- Workspace ONE UEM provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise. The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, as well as complex script-based applications through product provisioning.
- Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.
The following Windows apps are configured to automatically deploy:
- Workspace ONE Tunnel
- VMware Horizon Client
- Carbon Black Cloud Sensor
- Google Chrome
- Zoom
These apps are configured in Workspace ONE UEM and delivered by UEM's software distribution over CDN (powered by Akamai).
Workspace ONE UEM's Windows app distribution and management is doing the same thing that traditional LAN-based tools, like SCCM, have done with native apps. However, Workspace ONE UEM is doing it over the air. Devices no longer have to be tied to the organization's LAN.
Several additional Windows Apps are set up for software distribution. Select Windows Apps to filter out all Windows apps, both Windows Desktop and UWP apps:
Deploy an App.
Choose one of the Windows Apps and push it to your device. 7-Zip is a good one to pick as it’s small deployment. You’ll receive a notifications on the device regarding the installation.
In Workspace ONE UEM, apps delivered via software delivery are set up through the familiar UEM workflow. Additionally with Windows Apps, comprehensive deployment, install, dependency, detection, and uninstall settings are configured to suit enterprises' various complex app deployment needs.
VPN with the Workspace ONE Tunnel
Talking Points
- Workspace ONE Tunnel enables secure access for all workers and devices working anywhere with an internet connection outside the office.
- Users never have a 'no-touch' Tunnel experience. Its setup and configuration are 100% managed by Workspace ONE UEM.
- IT organizations can take a least-privilege approach to enterprise access, ensuring only managed devices, defined apps and domains have access to the internal network.
- Zero Trust goals can be reached by combining explicit definitions for managed applications and integration with the Workspace ONE compliance engine.
Workspace ONE UEM will automatically push both the Workspace ONE Tunnel app, the Tunnel app's device profile, and Google Chrome to your device. Workspace ONE UEM manages Chrome as the per-app Tunnel app.
UEM-Managed Device Traffic Rules
Workspace ONE UEM also manages the VMware Tunnel's fundamental configurations which establish connectivity and trust within an organization's environment. Inside this UEM system settings area—elemental to the Workspace ONE Tunnel app's configuration—are the Device Traffic Rules.
VMware Tunnel configuration/Device Traffic Rules are restricted by Workspace ONE UEM RBAC in testdrive.awmdm.com.
Go to the intranet site.
Launch Chrome and navigate to intranet.vmtestdrive.com. You can also use the Hub's Intranet web app.
Next, try to go to the same site using an unmanaged browser (e.g., Microsoft Edge). Since Edge is not configured as a managed Workspace ONE Tunnel app, Edge has no access to the internal site.
Go to a blocked site.
Attempt to load one of the intranet-listed blocked domains. The connection will be refused by the Workspace ONE Tunnel.
If you desire, on the Windows desktop, launch the Workspace ONE Tunnel app to see its configuration which displays its connected state, managed domains (i.e., domains accessible via the Tunnel), and blocked domains.
Play the VMware SASE video.
Next, from the intranet page, play the VMware SASE video from the intranet site. The video is hosted on the internal server inside the demo organization. Note the high performance and no observable lag.
Preventing Undesirable Content with Cloud Web Security
To perform this first demo, you either need the Dropbox service enabled on your TestDrive account or your own Dropbox account.
A custom security policy, Block Dropbox Operations, is configured in the SASE Cloud Web Security environment.
Try to create a document in Dropbox.com.
Using the managed, tunneled browser app (Chrome on Windows), launch Dropbox.com.
Attempt to CREATE a document. Create > Document > Word Document
View Cloud Web Security Actions.
To view the logged "block" action, view TestDrive's instance of VMware SD-WAN Orchestrator where you have read only access.
Either click here to SSO with your TestDrive account into VMware SD-WAN Orchestrator or use the VMware SD-WAN Orchestrator web app in the Workspace ONE user portal.
Initially in VMware SD-WAN Orchestrator you'll have the SD-WAN view.
Go to Web Logs .
In Cloud Web Security, select Web Logs.
- Change the view to past 60 minutes.
- Filter the list to "action is block".
You should see the blocked action in Dropbox.
Cloud Web Security Integration with Workspace ONE Access
Cloud Web Security Integration with Workspace ONE Access
Instead of unknown or anonymous users listing in Web Logs, Cloud Web Security can be integrated with Workspace ONE Access and other third party IdPs for authentication and username resolution, as seen below. In TestDrive this integration is disabled for security reasons.
Securing & Optimizing Network Traffic with VMware SD-WAN Orchestrator
Talking Points
- VMware SD-WAN is an integral part of the VMWare Secure Access.
- As traffic integrates into the SD-WAN overlay, Dynamic Multipath Optimization (DMPO) benefits are applied, reducing latency, packet loss, and jitter while improving bandwidth utilization.
- VMware SD-WAN also provides visibility into the applications accessed by the remote mobile users on their devices.
Go back to VMware SD-WAN Orchestrator.
After you successfully authenticate, the orchestrator console should look as shown.
Go to Edges > Secure-Access-Edge.
In Edges, go to Secure-Access-Edge > Applications tab. All of the tunneled applications that are accessed by managed mobile devices are displayed.
Previously, you played this SASE video from the demo intranet site. You can see the activity spike caused by the high bandwidth activity of the HD video.
Activity is shown as a spike when the traffic hits the SD-WAN buffer. As SD-WAN optimizes the traffic, the spike subsides and resources are normalized.
SD-WAN QoE
Another important aspect of VMware SD-WAN is the user experience. To enhance user experience, QoS is automatically applied to the traffic. Time sensitive traffic like voice and video are automatically identified and classified a high priority. VMware SD-WAN also automatically chooses the best path to the Data Center or SaaS and apply remediation from latency, jitter and packet loss induced from internet to enhance user experience.
Click the QoE tab. The tab shows how the application faired with and without VMware SD-WAN.
Above is an example of SD-WAN QoE enhancements from another environment which illustrious dramatic discrepancies with and without SD-WAN.