Securing Web Traffic from Horizon Virtual Desktops & Apps with SASE Cloud Web Security

With VMware SASE for Anywhere Workspace, VMware has combined the consistent, secure cloud application access functionality of VMware SD-WAN, Secure Access, and Cloud Web Security with the capability of Workspace ONE to allow only trusted devices and users to access applications hosted on-premises or in the cloud.

In this walkthrough we'll show you how Cloud Web Security secures Web Traffic from Horizon Virtual Desktops and published Apps.


Before You Begin 

In order to perform the full end-to-end demo make sure you have the following: 

  • An active VMware TestDrive account. More info here.
  • Outbound network access to TCP & UDP ports 80, 443 and 8443; and, if using PCoIP, TCP & UDP port 4172
  • Latest Horizon Client installed. Download here.

Get Started

Open up a web browser and sign in to TestDrive's Workspace ONE user portal with your TestDrive username and password. 

Attention VMware Employees

Click here for important user account information.

https://testdrive.vidmpreview.com  


After authentication, go to Apps.

Go to categories > filter by Horizon.

[Screenshot: Apps view in Intelligent Hub]

Horizon Apps

The demo flow outlined in this guide uses the TD-WINDOWS10 Virtual Desktop. Alternatively, you can perform a Horizon app demo with Google Chrome. To get started with the Horizon app demo flow, expand the Horizon App Google Chrome section below.

Horizon App Google Chrome

In Workspace ONE, find the Google Chrome Horizon app and perform the same actions outlined for the Horizon desktop.

[Screenshot: Google Chrome Horizon app in Intelligent Hub]

Example: Cloud Access Security Broker (CASB) policy blocking Facebook.com:

[Screenshot: CASB block page for facebook.com]

In Workspace ONE, locate TD-WINDOWS10. 

Click the dots menu on TD-WINDOWS10 and add to favorites.

[Screenshot: Horizon category in Intelligent Hub]

Go to your favorites and you'll now see TD-WINDOWS10 placed there for quick access. Move your cursor over the tile and click the dots. You'll be presented with a list of options, two of which are for Horizon:

  • Launch from Client
  • Launch from Browser

Click Launch from Client, which requires the VMware Horizon Client to be installed on your local machine. You'll be prompted to install the Horizon Client if you have not already. Horizon Client uses Blast Extreme as the default protocol and should be used for optimal performance.

Launch from Browser will use your browser to open the virtual desktop in a separate browser tab.

[Screenshot: Favorites in Intelligent Hub]

TD-WINDOWS10 will launch and your desktop should look like below.

[Screenshot: TD-WINDOWS10 desktop in full screen]

The desktops in the TD-WINDOWS10 pool have been deployed as non-persistent linked clones, configured with App Volumes writable volumes and Dynamic Environment Manager. 

Explore the Windows 10 virtual desktop functionality and performance. 

From within the Horizon Virtual Desktop, launch the Chrome browser and access the Anywhere Workspace SA SASE Pop Demo video hosted on YouTube. More on this later. You may want to mute the video in the meantime.

Preventing Undesirable Content with Cloud Web Security 

Talking Points

  • VMware SD-WAN is an integral part of the VMware Cloud Web Security. 

  • VMware Cloud Web Security is a cloud-hosted service that protects users and infrastructure accessing SaaS and Internet applications from a changing threat landscape, while providing visibility and control and ensuring compliance with enterprise IT security policies.

  • Cloud Web Security implements policy and control in a number of ways, depending on enterprise requirements, including URL filtering, content filtering, anti-malware, sandbox inspection and CASB.

  • VMware SD-WAN provides visibility into the applications accessed by the remote mobile users on their devices. 


In Workspace ONE, launch VMware SD-WAN Orchestrator. Your TestDrive account will provide SSO. 

After you successfully authenticate, the orchestrator console will look like below.


In Edges, go to Horizon-Edge > Applications tab. Traffic details are displayed for applications accessed via virtual desktops. View Past 60 Minutes.


Earlier, from within the TD-WINDOWS10 virtual desktop, you launched the YouTube-hosted Anywhere Workspace SA SASE Pop Demo video in Chrome. This HD video's traffic is routed through SD-WAN, and optimizations are applied to enhance the user experience. Note the spike.

Go to Cloud Web Security > Configure > Security Policies.

[Screenshot: Cloud Web Security > Configure > Security Policies]

A custom Cloud Web Security policy called Horizon-Policy is configured. Within it, we enabled a Cloud Access Security Broker (CASB) policy to block Dropbox login and facebook.com, a URL filter to prevent access to gambling sites, a Content Filter to prevent file uploads, and a Content Inspection policy to inspect ZIP files.

Cloud Access Security Broker (CASB)

In Security Policies > Horizon-Policy > CASB you'll see Block Dropbox Login and Block Facebook.com policies.

[Screenshot: CASB policies in Horizon-Policy, EUC TestDrive, VMware SD-WAN Orchestrator]

Open a tab in the Chrome browser and access dropbox.com.

When you try to sign in to Dropbox, the attempt should be blocked. You will see a quick “Forbidden” notification and then be presented with the same sign-in page again. 


The Block Facebook.com policy does just that: blocks all navigation to facebook.com.  


URL Filtering

A custom URL Filtering policy, Denied Websites, is configured to block access to a number of categories including gambling.

[Screenshot: URL Filtering policy Denied Websites, EUC TestDrive, VMware SD-WAN Orchestrator]

Launch the Chrome browser and navigate to http://www.gambling.com. Access will be blocked based on the URL filter policy.


Content Filtering

A custom Content Filtering policy, Block File Upload, is configured to block any attempt to upload a file from the Horizon desktop. 

[Screenshot: Content Filtering policy Block File Upload, EUC TestDrive, VMware SD-WAN Orchestrator]

Right-click the desktop and create a new Microsoft Word document on the desktop.

Go to https://gofile.io/uploadFiles.

Attempt to upload the newly created Word document. The upload will be blocked by the Content Filtering policy. 

[Screenshot: GoFile upload blocked]

Content Inspection

A custom Content Inspection policy, Inspect Archives, is configured to inspect any downloaded archives or packages. 

[Screenshot: Content Inspection policy Inspect Archives, EUC TestDrive, VMware SD-WAN Orchestrator]

Use the Chrome browser to navigate to https://www.eicar.org/.

Click on the "download anti malware testfile" image/link.  

[Screenshot: EICAR (European Expert Group for IT-Security) download page]

On the next page, scroll down to the download links.

Attempt to download the eicar_com.zip file.

[Screenshot: eicar_com.zip download attempt in the VMware Horizon desktop]

The download of the eicar_com.zip file is detected as malware and is blocked by Cloud Web Security. 

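To show what an archive inspection policy such as Inspect Archives has to do with a download like eicar_com.zip, here is an added Python example. It is not VMware code and not the Cloud Web Security inspection engine: it opens a ZIP archive in memory, walks its members including nested ZIPs, matches the public EICAR test signature, and enforces nesting and decompressed-size limits so that a hostile archive cannot exhaust the inspector. The sample archives are constructed inside the script, and the limit values and the block/allow decision function are assumptions for illustration.

```python
import io
import zipfile

# The public EICAR anti-malware test string, i.e. the content of the eicar.com
# file inside eicar_com.zip. It is harmless by design and exists so that
# detection paths can be exercised without real malware.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Limits an inspector needs so that a hostile archive cannot exhaust it.
# These values are assumptions for the example, not product settings.
MAX_NESTING_DEPTH = 3                      # archives inside archives
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # bytes extracted per archive


def inspect_archive(data: bytes, depth: int = 0, path: str = "archive.zip") -> list:
    """Walk a ZIP archive held in memory, recursing into nested ZIPs, and
    return a list of findings: {"path": member, "reason": why it was flagged}.
    An empty list means nothing objectionable was found."""
    if depth > MAX_NESTING_DEPTH:
        # Refuse to keep unpacking; excessive nesting is itself a finding.
        return [{"path": path, "reason": "nesting too deep"}]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": path, "reason": "not a valid ZIP archive"}]

    findings = []
    extracted = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        member_path = f"{path}/{info.filename}"
        # Read at most one byte past the remaining budget so that a member
        # which lies about its size in the central directory still trips it.
        with zf.open(info) as member:
            content = member.read(MAX_TOTAL_UNCOMPRESSED - extracted + 1)
        extracted += len(content)
        if extracted > MAX_TOTAL_UNCOMPRESSED:
            findings.append({"path": member_path, "reason": "uncompressed size limit exceeded"})
            break
        if info.filename.lower().endswith(".zip"):
            # Nested archive: inspect its members with the depth counter bumped.
            findings.extend(inspect_archive(content, depth + 1, member_path))
        elif EICAR_SIGNATURE in content:
            findings.append({"path": member_path, "reason": "EICAR test signature"})
    return findings


def decide(findings: list) -> str:
    """Policy outcome for the download: any finding blocks it."""
    return "block" if findings else "allow"


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_download() -> bytes:
    """Constructed stand-in for eicar_com.zip: a benign file, the EICAR test
    file, and a nested ZIP that carries the EICAR file again."""
    inner = _zip_bytes({"eicar.com": EICAR_SIGNATURE})
    return _zip_bytes({
        "readme.txt": b"benign text",
        "eicar.com": EICAR_SIGNATURE,
        "nested/inner.zip": inner,
    })


def build_clean_download() -> bytes:
    """Constructed archive with nothing to flag."""
    return _zip_bytes({"notes.txt": b"just notes", "data.csv": b"a,b\n1,2\n"})


def build_deeply_nested(levels: int) -> bytes:
    """Constructed archive nested `levels` deep, to exercise the depth limit."""
    data = _zip_bytes({"leaf.txt": b"leaf"})
    for i in range(levels):
        data = _zip_bytes({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    for label, archive in [("sample", build_sample_download()),
                           ("clean", build_clean_download()),
                           ("deep", build_deeply_nested(6))]:
        result = inspect_archive(archive)
        print(label, decide(result), result)
```

The inspector reads every member rather than trusting the sizes declared in the central directory, because those sizes are attacker-controlled; the nesting cap is what stops an archive-in-archive chain from recursing indefinitely.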

Monitoring Cloud Web Security

In Cloud Web Security > Monitor, you can view the following four monitored areas:

  • Threat Analysis
  • Traffic Analysis
  • CASB Analysis
  • Web Logs

The Threat Analysis dashboard gives detailed visibility into threats. The dashboard displays:

[Screenshot: Threat Analysis dashboard, EUC TestDrive, VMware SD-WAN Orchestrator]

Review Traffic Analysis for visibility into user traffic.

Go to CASB Analysis for a general overview of what categories and apps are being monitored.  

[Screenshot: CASB Analysis, EUC TestDrive, VMware SD-WAN Orchestrator]

Go to Web Logs. Cloud Web Security automatically logs every session and threat. 

View past 60 minutes and filter the view by action is "block."  

[Screenshot: Web Logs filtered by action is block]

With the filtered view you will see a list of the policies' recently performed actions.

Select one of your blocked actions to view its log entry details.

[Screenshot: Web Logs with a log entry selected]
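The same "past 60 minutes, action is block" view can be reproduced over exported log records, which is useful when the blocks need to be reviewed outside the console. The following is an added Python example, not VMware code: the records are constructed to mirror the events produced by this walkthrough, the field names are assumptions rather than the Orchestrator's export schema, and "unknown" stands for a user the service could not resolve. It filters by time window and action, counts which rules fired, and reports how many of the blocked sessions cannot be attributed to a user.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records mirroring the events from this walkthrough.
# Field names are assumptions for the example, not the product's schema.
SAMPLE_WEB_LOGS = """\
{"time": "2022-01-10T16:10:05Z", "user": "unknown", "action": "block", "type": "CASB", "rule": "Block Dropbox Login", "url": "https://www.dropbox.com/login"}
{"time": "2022-01-10T16:11:30Z", "user": "unknown", "action": "allow", "type": "Traffic", "rule": "", "url": "https://www.youtube.com/"}
{"time": "2022-01-10T16:12:41Z", "user": "unknown", "action": "block", "type": "CASB", "rule": "Block Facebook.com", "url": "https://www.facebook.com/"}
{"time": "2022-01-10T16:14:02Z", "user": "unknown", "action": "block", "type": "URL Filtering", "rule": "Denied Websites", "url": "http://www.gambling.com/"}
{"time": "2022-01-10T16:15:19Z", "user": "unknown", "action": "block", "type": "Content Filtering", "rule": "Block File Upload", "url": "https://gofile.io/uploadFiles"}
{"time": "2022-01-10T16:16:50Z", "user": "unknown", "action": "block", "type": "Content Inspection", "rule": "Inspect Archives", "url": "https://www.eicar.org/"}
{"time": "2022-01-10T14:05:00Z", "user": "jdoe@example.com", "action": "block", "type": "URL Filtering", "rule": "Denied Websites", "url": "http://www.gambling.com/"}
"""

# Fixed reference time so the 60-minute window is reproducible (constructed).
DEMO_NOW = datetime(2022, 1, 10, 16, 20, tzinfo=timezone.utc)


def parse_web_logs(text: str) -> list:
    """Parse newline-delimited JSON records, converting the timestamp to an
    aware datetime so that time-window filtering is unambiguous."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def filter_blocks(records: list, now: datetime = DEMO_NOW, minutes: int = 60) -> list:
    """Equivalent of 'past 60 minutes' plus 'action is block' in the console."""
    cutoff = now - timedelta(minutes=minutes)
    return [r for r in records if r["action"] == "block" and cutoff <= r["time"] <= now]


def blocks_by_rule(records: list) -> dict:
    """Count blocked sessions per policy rule, to see which rules actually fire."""
    return dict(Counter(r["rule"] for r in records))


def unresolved_user_share(records: list) -> float:
    """Fraction of records whose user could not be resolved. A high value means
    the logs cannot be tied back to a person without IdP integration."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["user"] == "unknown") / len(records)


if __name__ == "__main__":
    blocks = filter_blocks(parse_web_logs(SAMPLE_WEB_LOGS))
    for rec in blocks:
        print(rec["time"].isoformat(), rec["type"], rec["rule"], rec["url"])
    print(blocks_by_rule(blocks))
    print(f"unresolved users: {unresolved_user_share(blocks):.0%}")
```

Timestamps are parsed into timezone-aware values before comparison; mixing naive and aware datetimes is a common way for a "last 60 minutes" filter to silently include or drop events.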

Cloud Web Security Integration with Workspace ONE Access

Instead of unknown or anonymous users being listed in Web Logs, Cloud Web Security can be integrated with Workspace ONE Access and other third-party IdPs for authentication and username resolution, as seen below. In TestDrive this integration is disabled for security reasons.

[Screenshot: Web Logs showing resolved usernames]

SD-WAN QoE 

VMware SD-WAN is an important aspect of the user experience. To enhance the user experience when using Horizon Virtual Desktops and Applications, QoS is automatically applied to the traffic between the VDI or RDSH and the internal/external application. Time-sensitive traffic like voice and video is automatically identified and classified as high priority. VMware SD-WAN also automatically chooses the best path to the data center or SaaS and applies remediation for latency, jitter and packet loss induced by the Internet to enhance the user experience.

Click the QoE tab. The tab shows how the application performed with and without VMware SD-WAN.

Below is an example of SD-WAN QoE enhancements from another environment which illustrates dramatic discrepancies with and without SD-WAN. 


Below is a user experience example showing how VMware SD-WAN improved the video conferencing quality after 2% packet loss was seen without VMware SD-WAN.

[Animation: video conferencing without VMware SD-WAN]

[Animation: video conferencing with VMware SD-WAN]
