
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace


VMworld Europe 2013

Marilyn Basanta, VMware

Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare


  1. Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace
     Marilyn Basanta, Technical Solutions Architect, VMware End User Computing
     @marilynbasanta EUC5509 #EUC5509
  2. Agenda
     • Solution overview
     • Breakdown of elements
       • Load balancing and namespace services
       • AD configuration for PKI and Certificate Services
       • RADIUS integration
       • Persona management
       • vCloud Network and Security
       • vShield Endpoint and Anti Malware
       • vSphere and View configuration considerations
       • Horizon Workspace configuration considerations
       • Horizon Workspace - Mobile
     • Partner Solution – Trend Micro Mobile Security
     • Final comments
  3. Solution Overview
     Diagram labels: L7 End User Devices Internal Network External Network/INTERNET AD SSO CA RADIUS F&P BACKUP vC VCNS AV Knowledge Workers Mobile Knowledge Power Users MOBILITY SECURITY USER EXPERIENCE VMware View Security Server VMware View Connection Managers HW: Gateway VM vCOPs Horizon Workspace vApp Trend Micro Mobile Security
  4. Before we dive in, some top level items to consider…
     • TCP/IP Schema, VLANs, routing and name resolution considerations
     • Active Directory topology and requirements
     • Network security requirements and policies
     • Application workload requirements, user roles and behavior
     • LAN/WAN Topology and design for real time protocols
     • Compliance requirements
  5. Load Balancing and namespace services
     Diagram labels: L7 VMware View Security Servers VMware View Connection Managers End User Devices Internal Network External Network/INTERNET INTERNAL EXTERNAL HA DMZ
     • Ensure dedicated LB networks are planned for and exist in advance of deployment
     • Plan for redundant configurations, N+1 and vSphere HA/DRS affinity rules
  6. Active Directory considerations
     • Evaluate any existing AD infrastructure
     • New child domain? Security requirements
     • Enough DC resources in the necessary sites?
     • Enterprise CA will need to be configured from the FRD down if you are deploying a Windows based PKI
     • Sites and subnets configured appropriately to localize domain operations to the closest DCs
  7. RADIUS Integration
     • Configuration steps are provided in the solution design document
     • More choices for RADIUS integration
     • Plan for extra connection servers to provide redundant support for users authenticating with RADIUS
     • Validated solution uses Microsoft RADIUS in the design.
  8. Persona Management
     • Considerations for virtual machines hosting profile volumes
     • Tuning the profile upload interval for scale
     • When possible use Persona instead of Windows Roaming profiles to avoid conflict
     • Folder redirection balanced with roaming data
     • Application specific requirements such as ThinApp sandbox roaming
     • AV strategy using Persona, in band scanning as part of vShield Endpoint or out of band on the persona management fileservers
  9. vSphere and View considerations
     Diagram label: vDS
     • Where possible leverage vDS in management and View VDI infrastructure
     • Auto-Deploy and host profiles for rollout and ongoing compliance, conformity at scale
     • vCNS Edge for network services such as DHCP, load balancing
     • vMA for host management and administration, vSphere web client
  10. vCNS – App Firewall and Edge
     Diagram labels: VMware vSphere Knowledge Workers Power Users LOB Apps
     • vCNS App and Edge services to provide security for our logical groupings of VMs
     • Define in advance the access rules that will be required to secure your resources effectively
     • Remember to define rules for View agent/client/server communication and display protocols!
     • Get familiar with the troubleshooting techniques required for vShield, you *WILL* need to debug at some stage! Start with an open policy then lock it down as you go
  11. vSphere Feature – vShield Endpoint
     Diagram labels: Partner Solution: Trend Micro Deep Security Security API ESX Anti-Virus Workload VMs VMDK EPSec
     • Understand the impact on density, plan for dedicated resources required by security VM per host
     • Fully evaluate performance characteristics
     • Look out for gotchas in on-access scanning and scheduled scanning defaults
     • Ensure all hosts successfully install vShield Endpoint as part of the deployment process prior to deploying infrastructure or VDI services. If possible integrate the vendor specific VIBs into your ESXi installation image.
  12. Virtualization Security with Deep Security: Agentless Security Platform for Private Cloud Environments
     Deep Security Virtual Appliance
     • Intrusion prevention
     • Firewall
     • Anti-malware
     • Web reputation
     • Integrity monitoring
     Diagram labels: The Old Way (VM VM VM); With Deep Security (Security Virtual Appliance, VM VM VM VM); Easier Manageability; Higher Density; Fewer Resources; Stronger Security; More VMs
     10/17/2013 Confidential | Copyright 2012 Trend Micro Inc.
  13. Horizon Workspace vApp
     Diagram labels: Workspace vApp Configurator VA OS (SLES) tcserver Service VA OS (SLES) App API DB tcserver Data VA OS (SLES) App API DB LDAP Jetty App Connector VA OS (SLES) tcserver App Gateway VA OS (SLES) Nginx Modules
     • Central Wizard UI
     • Distributes settings across VAs
     • Network, Gateway, vCenter, SMTP attributes
     • Add / remove modules
     • Manage certs, security
     • User authentication (RSA SecurID)
     • AD secure bind and synchronization
     • Set replication schedule
     • Sync View pools and ThinApp
     • Enables single user-facing domain
     • Routes requests to correct node
     • Workspace Admin UI
     • Application Catalog
     • Manage user entitlements
     • Workspace Groups
     • Reporting
     • Stores files
     • Controls file sharing policy for internal and external users
     • Manage file preview server
     • Serves end user web UI
  14. Horizon Workspace Deploy Considerations
     • Ensure DNS name resolution is prepared in advance
     • Split brain considerations for Gateway FQDN
     • Prepare Signed Certificates in advance, the entire SSL chain must be exported
     • Create an Active Directory BIND DN account
     • Ensure Active Directory group structure is in place to support Workspace services (applications, data)
  15. Horizon Workspace Deploy Considerations
     • Prepare ThinApp repositories
     • Configure SAML settings for View; the default SAML timeout is 15 minutes
     • Decide on a preview strategy (LibreOffice or Microsoft Preview Server)
     • User Principal Name (UPN) set as a required attribute for View
     • Horizon Data storage sizing
  16. Horizon Workspace – Gateway-va Diagram
     Diagram label: L7 Load Balancer
     Load balancing strategy and technical preparation complete
  17. Virtualization on Android (Mobile Virtualization Platform)
     Diagram labels: Personal; Corporate; Corporate Workspace; Enterprise Catalog; Mail/Calendar App; Custom Apps; 3rd Party Apps
     Solve Android fragmentation
     • Own your full version of Android OS
     • Consistent native mobile experience
     • Deploy applications without modifying them
     Prevent data leakage
     • Strict corporate assets isolation
     • Corporate data encryption
     • VPN policy for corporate traffic
     Provide productivity features
     • Exchange email, calendar, secure browser, file browser and contacts
     • Your Line Of Business application
  18. How do Employees Obtain VMware Horizon Workspace/Mobile?
     Diagram labels: Employees’ Device; VMware Switch
     Confidential
  19. Sony is supporting VMware Ready devices as a standard feature
     Coming soon: Xperia Z1 and Xperia Ultra Z will be VMware Ready for worldwide coverage.
  20. Today’s Attacks: Social, Sophisticated, Stealthy!
     Diagram labels: Attacker; Employees; $$$$
     • Moves laterally across network seeking valuable data
     • Establishes Command & Control server
     • Extracts data of interest – can go undetected for months!
     • Gathers intelligence about organization and individuals
     • Targets individuals using social engineering
  21. MOBILE MALWARE: Yes… It’s real.
  22. It’s not just “malware”, but privacy leaks…
  23. Well Known Apps Leak Data…
  24. Device Management & Control
     Diagram labels: Employees; Trend Micro Mobile Security; Email; SharePoint; Corp Data; Web Traffic; Cloud Comm. Server
     • Easy onboarding: email, URL, QR code
     • Apple (iOS), Android, Blackberry, Windows Phone 7 and 8
     • Optional Cloud Communication Server
     • Device Discovery
     • Device Provisioning
     • Remote Control
     • Reporting
     • Inventory Management
  25. Threat Protection
     Diagram labels: Employees; Email; SharePoint; Corp Data; Web Traffic; Trend Micro Mobile Security
     • Android AV and Website Reputation
     • Leveraging Smart Protection Network
     • Anti-Malware
     • Firewall
     • Web Threat Protection
     • Call Filtering
     • SMS/WAP Anti-Spam
  26. Complete End User Protection
     Diagram labels: Email & Messaging; Web Access; Device Hopping; Collaboration; Cloud Sync & Sharing; Social Networking; File/Folder & Removable Media; Anti-Malware; Encryption; Application Control; Device Management; Data Loss Prevention; Content Filtering; Employees; IT Admin; Security
  27. Trend Micro Mobile Security
     Manage
     Device Management
     • Device Discovery
     • Device Enrollment
     • Device Provisioning
     • Asset Tracking
     • S/W Management
     • Remote Control
     • Reporting
     • Summary Views
     • Summary Reports
     Mobile Device Security
     • Anti-Malware
     • Firewall
     • Web Threat Protection
     • Call Filtering
     • SMS/WAP Anti-Spam
     • Jail break detection
     • App Reputation
     Data Protection
     • Encryption Enforcement
     • Remote Wipe
     • Selective Wipe
     • Remote Lock
     • Feature Lock
     • Password Policy
     Application Management
     • App Black Listing
     • App White Listing
     • App Push
       • Required
       • Optional
     • App Inventory
     Stand Alone/Integrated
  28. Horizon Virtual Workspace
     • Windows Management and Delivery (server hosted & local) (apps and desktops): VMware Horizon View & Mirage
     • Secure Mobile Workspace (across all devices) (apps, data, collaboration): VMware Horizon Workspace
     • Virtual Workspace: Secure access to all my stuff, anywhere, anytime
  29. Next Steps
     For more information on Mobile Secure Desktop design, please visit:
     • Mobile Secure Desktop Validated Design Guide: http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf
     • Mobile Secure Desktop Solution Guide: http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf
     • View Design Resources: http://www.vmware.com/products/desktop_virtualization/view/technical-resources.html#Design
     • Horizon Workspace Reviewer’s Guide: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reviewers-guide.pdf
     • Integrating Horizon Workspace and Horizon View: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-integration-horizon-workspace.pdf
     • Configuring Horizon Switch: http://blogs.vmware.com/horizontech/2013/08/configuring-vmware-switch-for-android-with-vmware-horizon-workspace-1-5.html
  30. THANK YOU
