Securing Web Traffic from Horizon Virtual Desktops & Apps with SASE Cloud Web Security

Updated on

With VMware SASE for Anywhere Workspace, VMware has combined the consistent, secure cloud application access functionality of VMware SD-WAN, Secure Access, and Cloud Web Security with the capability of Workspace ONE to allow only trusted devices and users to access applications hosted on-premises or in the cloud.

In this walkthrough we'll show you how Cloud Web Security secures Web Traffic from Horizon Virtual Desktops and published Apps.

Before You Begin

In order to perform the full end-to-end demo make sure you have the following: 

  • An active VMware TestDrive account. More info here.  
  • Latest Horizon Client installed. Download  here
  • Outbound network access to TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172 


Open up a web browser and sign in to TestDrive's Workspace ONE user portal (https://testdrive.vidmpreview.com) with your TestDrive username and password. 

After authentication, go to Apps.

Go to categories > filter by Horizon.

In Workspace ONE, locate TD-WINDOWS11. 

Click the dots menu on TD-WINDOWS11 and add to favorites.

Go to your favorites and you'll now see TD-WINDOWS11 placed there for quick access.  Move your cursor over the tile and click the dots. You'll be presented with a list of options, two of which are for Horizon:

  • Launch from Client
  • Launch from Browser

Click Launch from Client , which requires the VMware Horizon Client to be installed on your local machine. You'll be prompted to install the Horizon Client if you have not already. Horizon Client uses Blast Extreme as the default protocol and should be used for optimal performance. 

(Launch from Browser will use your browser to open the virtual desktop in a separate browser tab.)

TD-WINDOWS11 will launch a nd your desktop should look like below.  

The desktops in the TD-WINDOWS11 pool have been deployed as non-persistent linked clones, configured with App Volumes writable volumes and Dynamic Environment Manager.

Explore the Windows 10 virtual desktop functionality and performance.

From within the Horizon Virtual Desktop, launch the Chrome browser and access the Anywhere Workspace SA SASE Pop Demo video hosted on YouTube. More on this later. You may want to mute the video in the meantime.

Preventing Undesirable Content with Cloud Web Security

Alternate Horizon App Demo Flow

As an alternative to the default demo flow which uses the TD-WINDOWS10 Virtual Desktop, you can perform a Horizon app demo with Google Chrome.  This expanded section explains how to do it.

In Workspace ONE, find the Google Chrome Horizon app and perform the same actions outlined for the Horizon desktop. 

Ex. Cloud Access Security Broker (CASB) policy blocking Facebook.com:

Talking Points

  • VMware SD-WAN is an integral part of the VMware Cloud Web Security.
  • VMware Cloud Web Security is a cloud-hosted service that protects users and infrastructure accessing SaaS and Internet applications from a changing threat landscape while providing visibility and control and ensure compliance with Enterprise IT security policies.
  • Cloud Web Security implements policy and control in a number of ways depending on Enterprise requirements such as URL filtering, Content Filtering, Anti-Malware, Sandbox Inspection and CASB.
  • VMware SD-WAN provides visibility into the applications accessed by the remote mobile users on their devices.

In Workspace ONE, launch VMware SD-WAN Orchestrator. Your TestDrive account will provide SSO. 

After you successfully authenticate, the orchestrator console will look like below.

In Edges, go to Horizon-Edge > Applications tab.  Traffic details are displayed for applications accessed via virtual desktops. View Past 60 Minutes. 

Earlier, from within the TD-WINDOWS11 virtual desktop, you launched the YouTube-hosted Anywhere Workspace SA SASE Pop Demo video in Chrome. This HD video's traffic is routing through SD-WAN and optimizations are being applied to enhance the user experience. Note the spike.

Go to Cloud Web Security > Configure > Security Policies.

A custom Cloud Web Security policy called Horizon-Policy is configured. Within we enabled a Cloud Access Security Broker (CASB) policy to block Dropbox login and facebook.com, a URL filter to prevent access to Gambling sites, a Content Filter to prevent file uploads, and Content Inspection policy to inspect ZIP files. 

Cloud Access Security Broker (CASB)

In Security Policies > Horizon-Policy > CASB you'll see Block Dropbox Login and Block Facebook.com policies.

Open a tab in the Chrome browser and access dropbox.com.

When you try to sign in to Dropbox, the attempt should be blocked. You will briefly see the "forbidden" notification and then the Dropbox sign-in page is presented again. 

The Block Facebook.com policy does just that: blocks all navigation to facebook.com.  

URL Filtering

A custom URL Filtering policy, Denied Websites, is configured to block access to a number of categories including gambling.

Launch the Chrome browser and navigate to http://www.gambling.com.  Access will be blocked based on the URL filter policy. 

Content Filtering

A custom Content Filtering policy, Block File Upload, is configured to block any attempt to upload a file from the Horizon desktop. 

Right click the desktop and create a New Microsoft Word Document on the desktop.

Go to https://gofile.io/uploadFiles.

Attempt to upload the newly created Word document. The upload will be blocked by the Content Filtering policy. 

Content Inspection

A custom Content Inspection policy, Inspect Archivesis configured to inspect any downloaded archives or packages.

Use the Chrome browser to navigate to https://www.eicar.org/.

Click on the "download anti malware testfile" image/link.

On the next page, scroll down to the download links.

Attempt to download the eicar_com.zip file.

The download of the eicar_com.zip file is detected as malware and is blocked by Cloud Web Security.

Monitoring Cloud Web Security

In Cloud Web Security > Monitor, you can view the following four monitored areas:

  • Threat Analysis
  • Traffic Analysis
  • CASB Analysis
  • Web Logs

The Threat Analysis dashboard ensures that a user can get detailed visibility into threats. The dashboard displays: 

Review Traffic Analysis for visibility into user traffic.

Go to CASB Analysis for a general overview of what categories and apps are being monitored.  

Go to Web Logs. Cloud Web Security automatically logs every session and threat. 

View past 60 minutes and filter the view by action is "block."  

With the filtered view you will see a list of the policies' recently performed actions.

Select one of your blocked actions to view its log entry details.

Cloud Web Security Integration with Workspace ONE Access

Instead of unknown or anonymous users listing in Web Logs, Cloud Web Security can be integrated with Workspace ONE Access and other third party IdPs for authentication and username resolution, as seen below. In TestDrive this integration is disabled for security reasons.


VMware SD-WAN is an important aspect of the user experience. To enhance the user experience when using Horizon Virtual Desktop and Applications, QoS is automatically applied to the traffic between the VDI or RDSH and the internal/external application. Time-sensitive traffic like voice and video are automatically identified and classified a high priority. VMware SD-WAN also automatically chooses the best path to the data center or SaaS and applies remediation for latency, jitter and packet loss induced from the Internet to enhance the user experience. 

Click the QoE tab. The tab shows how the application performed with and without VMware SD-WAN.  

Below is an example of SD-WAN QoE enhancements from another environment which illustrates dramatic discrepancies with and without SD-WAN. 

Below is a user experience example showing how VMware SD-WAN improved the video conferencing quality after 2% packet loss was seen without VMware SD-WAN.

Without VMware SD-WAN
With VMware SD-WAN
Previous Article Enabling Secure and Optimized Access for Remote Workers with SASE for Anywhere Workspace
Next Article Securing Windows with Workspace ONE Intelligence and Carbon Black