The 28 March VMware released a new version of App Volumes (it is a minor version) to fix some known Issues of previous versions.
VMware App Volumes 4, version 2312.2 Release Notes
In this case, it’s a relief for me because I just happened to find a bug in version 2312 on a customer with vSAN and App Volumes storage group. This version should fix the following issue: In the next few days, I will install the update and possibly update the post.
When approaching the upgrade of an infrastructure in the EUC world (as with most technologies in the IT world) it is necessary to define a roadmap of activities and follow it carefully. In many cases, IT technology vendors already have update procedures in place that should be followed carefully. When I started working as a consultant, the documentation was very scarce (we are talking about the end of the 20th century and the beginning of the 21st…) and the procedures were poorly documented and only those who took courses or had experience could approach with a certain “tranquility” updates of production environments.
Going back to EUC infrastructures and focusing on the VMware by Broadcom world (still for a while….given the transfer of the technology in question) we have a precise update sequence, especially if we talk about + technologies that interact with each other, and the need to verify the interoperability between the various technologies.
For example, we have this KB that gives us the upgrade sequence of a Horizon 8 infrastructure:
Update sequence for Horizon 7, Horizon 8, and compatible VMware products (78445)
And the ability to use the interoperability portal:
https://interopmatrix.vmware.com/Interoperability
In my ten-year experience in updates and maintenance of vSphere and Horizon infrastructures, it has often happened that I have had to intervene and manage post-upgrade problems, where in most cases the problems were generated by the fact that I did not perform the update in the correct order or even did not complete all the upgrade steps.
For example, I have experienced situations where, following upgrades, the copy and glue to and from VDI sessions no longer worked correctly in a Horizon infrastructure.
In the end, the problem was solved by also performing the update step of the Horizon ADMX templates in Active Directory, something that the customer or whoever had done the update for him had not done.
There is a Unified Access Gateway (UAG) configuration that can help to apply different Horizon Smart Policies (Like clipboard) to Horizon VDI Sessions
Normally I can suggest using UAG not only for external access (Home Worker) but also for internal access (Office Worker)* and I deploy a UAG group (two or plus UAG) for external and another for internal.
The Gateway location can Help us for example to enable Clipboard for internal access and disable for external access, It is possible to integrate this information (Gateway location) with a Dynamic Environment Manager Condition
In my example, I have configured two Horizon Smart Policies:
Clipboard_From_Internet 🡪 Where I disabled the clipboard with this condition:
Clipboard_From_Internal 🡪 Where I enabled the clipboard with this condition:
With those values, I can configure different functions depending on where the client is trying to connect to the VDIs
*The use of UAG on internal access can help to not deploy an Internal Load balancing (We can use UAG HA) and not use a balancing for Horizon Connection Servers. (I always suggest to map 1:1 the UAG with Connection Server)
Publishing VDI outside our company network is an activity that has become a necessity for many companies since COVID-19 (employee smart working, workstations dedicated to consultants, etc.). In all the implementations, that I have done in recent years, one of the key points of my installations is the need to implement MFA solutions to increase the level of security.
In this post, I want to explain how to configure the integration of Workspace One Access WS1A, Horizon, and FIDO2 devices (I use a Yubikey 5 Series with NFC and Fingerprint)
What is VMware WorkSpace One Access?
Workspace ONE Access (vmware.com)
What is VMware Horizon?
VMware Horizon | VDI Software Solutions | VMware
What is FIDO2?
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
What is Yubikey 5 Series?
Multi-protocol security key, eliminate account takeovers with strong two-factor, multi-factor, and passwordless authentication, and seamless touch-to-sign. Multi-protocol support allows for strong security for legacy and modern environments. A full range of form factors allows users to secure online accounts on all of the devices that they love, across desktops and mobile.
USB-A YubiKey 5 NFC Two Factor Security Key | Yubico
Configure Workspace one Access(WS1A) SaaS for use FIDO2 authentication
Enable Authentication methods on WS1A.
Go to integrations -> Authentication Methods -> Click on FIDO2 -> Enable FIDO2 Adapter
Now we need to associate the authentication method to Identity provider (created to integrate WS1A with Active Directory)
Go to integrations -> Identity providers -> Click on correct IdP -> Flag FIDO2
After associating the FIDO2 to IdP we need to create the policy to enable self-services FIDO2 device registration (it is possible to pre-configure the FIDO2 device registration)
Go to resources -> Policies -> Click on default_access_policy_set -> Edit
Create to rule:
Rule 1 -> enable self-service registration FIDO2 Device
Rule 2 -> enable the login with only FIDO2 Device
In the next image, there are the Policy Rule configurations
Self-service registration key
Insert the Yubikey 5 into to USB port and log to the Workspace One Access portal.
Now the web portal requires two choices:
To register the device we need to select Register
Login with the correct domain name account
Now we need to select the authenticator
Select another device
Select Security Key where store the passkey
Insert the security pin
Touch the key (there is a fingerprint ….)
Add a name for the Security Key
Now you are ready to log in with the security key
User Experience login
Access to company workspace one access website
Insert PIN number associated with FIDO2
Now touch the key for fingerprint authentication Chiara2013!
You are redirected to Workspace One catalog portal
If you want to show and reset the User FIDO2 device you need to:
Login to Workspace One Access SaaS admin console, go to Accounts, Users and click on the user that you want to reset the device association
Select two-factor authentication
And delete the FIDO2 security key
Otherwise, the administrator can associate the new device with the user.