Basic Deployment of NSX for Horizon

Solution Overview

This document outlines the steps needed to deploy a micro-segmentation policy for VDI desktops using NSX for Horizon. The goal is to create a few groups of rules. These rule groups include the following:

  • ID-based Rules – Identity-based rules are used to allow access to applications. Multiple ID-based rules can be used to allow specific AD groups access to specific applications. These rules include access to systems that would not be required when a user is not logged in.
  • Computer Rules – This rule set allows VDI desktops to talk to computer-level services, like domain controllers, KMS, Connection Servers, and DHCP. These services need to be available to the system at startup, before any user logs in.
  • Block Rules – These rules block East-West traffic among the desktops to ensure desktops cannot communicate with one another, and block all remaining traffic out of the desktop (and into the desktop if desired).
  • Client Access – This rule allows client endpoints to access the desktop using display protocols and the virtual channels for USB Redirection and Client Drive Redirection.

This solution assumes a kiosk setup. The desktops are configured to use local mandatory profiles. The solution does not include user profile persistence, nor does it leverage App Volumes.

Preliminary Steps

These preliminary steps ensure that all components function properly and that every object referenced by the rules exists before it comes time to create the rules.

Deployment Assumptions

  • NSX Manager deployed and registered
  • VIBs deployed to hosts
  • Licenses allocated
  • Log Insight deployed and configured
  • Appropriate permissions assigned
  • vDS configured for all hosts

Create Exclusions

  • Create exclusion for vCenter

Prepare for ID Rules

  • Connect to the domain – a dedicated service account must be created for this
    • The domain account must have AD read permission for all objects in the domain tree. The event log reader account must have read permission for the security event logs – KB2122706
  • Create VDI User AD Group
  • Create Super User Group
  • Validate VMware Tools Versions
    • 10.0.8
    • KB 2139740
  • Deploy Guest Introspection
    • 1x IP address per host
    • Create IP Pool

Create Objects

Security Groups

  • Contains VDI Desktops
    • based on VM name or OS-type
  • Contains AD group
    • user accounts that will be used to log in to desktops
  • Contains AD super users group (Domain Admins)

IP Sets

  • Network Address ranges that should be able to access VDI desktops
  • Proxy Server
  • DHCP Servers
  • DNS/Domain Controllers
  • Connection Server
  • KMS Server

Service Objects

  • Blast Extreme – 22443 TCP
  • Blast Extreme UDP – 22443 UDP
  • KMS – 1688
  • MMR – 9457
  • VMware-View6.x-JMS – 4002

Service Group Objects

  • Client Access
    • VMware-View-PCoIP
    • Horizon 6 PCoIP UDP traffic from View Agent to Client
    • VMware-View5.x-PCoIP-UDP
    • Blast Extreme
    • Blast Extreme UDP
    • Horizon 6 USB Access to desktops
    • MMR
    • RDP

Create Firewall Rules for Desktops

This section describes how to use the newly created objects as well as pre-existing objects to create the various rule groups.

Group – Block E/W

  Source             | Service | Destination        | Purpose
  VDI Security Group | Any     | VDI Security Group | Block E/W Traffic

Group – Grant Client Access

  Source               | Service               | Destination        | Purpose
  Client Access IP Set | Client Access (Group) | VDI Security Group | PCoIP, Blast Extreme, USB Redirection, MMR/CDR, RDP

Group – Permit User Applications

  Source                      | Service     | Destination         | Purpose
  Desktop User Security Group | HTTP, HTTPS | Proxy Server IP Set | Internet Access/Proxy
  Super User Security Group   | Any         | Any                 | Super User – Unrestricted

Group – Permit Computer Applications

  Source                   | Service                                                                                        | Destination              | Purpose
  VDI Security Group       | DHCP Server, DHCP Client                                                                       | DHCP Server IP Set       | DHCP Relay
  VDI Security Group       | Win 2008 – RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS; Microsoft Active Directory (Group)  | Domain Controller IP Set | Domain Authentication
  VDI Security Group       | KMS                                                                                            | KMS Server IP Set        | KMS
  VDI Security Group       | VMware-View6.x-JMS, VMware-View5.x-JMS                                                         | Connection Server IP Set | Connection Server Management of Desktop Agents
  Connection Server IP Set | Blast Extreme                                                                                  | VDI Security Group       | HTML 5 Access

Block All – All traffic from VMs

  Source             | Service | Destination | Purpose
  VDI Security Group | Any     | Any         | Block All other traffic

OR

Block All – All traffic to AND from VMs

  Source | Service | Destination | Apply To           | Purpose
  Any    | Any     | Any         | VDI Security Group | Block All other traffic

Wrap Up & Validation

  • Enable Logging on all rules
  • Enable flow monitoring – Validate

Validate

  • Log in to VDI desktop via HTML Access
  • Log in to VDI desktop via Client using PCoIP
  • Log in to VDI desktop via Client using Blast
  • Verify USB Redirection
  • Verify Connection Server reports desktops are reachable
  • Verify Internet is reachable
  • Verify other desktops are not reachable from a VDI desktop
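The rule tables above only behave as intended because the Distributed Firewall takes the first matching rule: the E/W block must sit before the allows, the identity-based rules only match while a member of the AD group is logged in, and the catch-all block must come last. The following Python model, added here as an example and not code from this post or from VMware, encodes the page's objects and rule groups in that order and evaluates the flows from the validation checklist against them. The IP addresses, group membership and the ports not stated on the page (PCoIP 4172, USB redirection 32111, RDP 3389, DHCP 67/68, HTTP/HTTPS, View5.x JMS 4001 and a subset of the Active Directory ports) are constructed or assumed values; the `block_inbound` flag models the page's alternative "to AND from VMs" final rule.

```python
from ipaddress import ip_address, ip_network

# Grouping objects named on the page; membership and addresses are constructed samples.
VDI_SG = "VDI Security Group"
SECURITY_GROUPS = {
    VDI_SG: {"vdi-01", "vdi-02"},                 # static membership by VM name / OS type
    "Desktop User Security Group": {"vdi-01"},    # identity-based: a VDI Users AD member is logged in
    "Super User Security Group": set(),           # identity-based: Domain Admins, nobody logged in
}
IP_SETS = {
    "Client Access IP Set": ["10.10.0.0/16"],
    "Proxy Server IP Set": ["10.20.0.10/32"],
    "DHCP Server IP Set": ["10.0.0.5/32"],
    "Domain Controller IP Set": ["10.0.0.10/32"],
    "KMS Server IP Set": ["10.0.0.20/32"],
    "Connection Server IP Set": ["10.0.0.30/32"],
}
# Service objects as (protocol, port) sets. Blast 22443, KMS 1688, MMR 9457 and JMS 4002
# are the page's values; the remaining ports are the standard ones and are assumed here.
SERVICES = {
    "Client Access": {("tcp", 4172), ("udp", 4172), ("tcp", 22443), ("udp", 22443),
                      ("tcp", 32111), ("tcp", 9457), ("tcp", 3389)},
    "HTTP/HTTPS": {("tcp", 80), ("tcp", 443)},
    "DHCP": {("udp", 67), ("udp", 68)},
    "Microsoft Active Directory": {("tcp", 88), ("udp", 88), ("tcp", 135),
                                   ("tcp", 389), ("tcp", 445)},
    "KMS": {("tcp", 1688)},
    "JMS": {("tcp", 4001), ("tcp", 4002)},
    "Blast Extreme": {("tcp", 22443), ("udp", 22443)},
    "Any": None,
}
# Ordered rule table (source, service, destination, action, purpose) in the order the
# groups appear on the page. First match wins, so the E/W block precedes the allows and
# the catch-all block is last.
RULES = [
    (VDI_SG, "Any", VDI_SG, "block", "Block E/W Traffic"),
    ("Client Access IP Set", "Client Access", VDI_SG, "allow", "Client Access"),
    ("Desktop User Security Group", "HTTP/HTTPS", "Proxy Server IP Set", "allow", "Internet Access/Proxy"),
    ("Super User Security Group", "Any", "Any", "allow", "Super User - Unrestricted"),
    (VDI_SG, "DHCP", "DHCP Server IP Set", "allow", "DHCP Relay"),
    (VDI_SG, "Microsoft Active Directory", "Domain Controller IP Set", "allow", "Domain Authentication"),
    (VDI_SG, "KMS", "KMS Server IP Set", "allow", "KMS"),
    (VDI_SG, "JMS", "Connection Server IP Set", "allow", "Connection Server Management of Desktop Agents"),
    ("Connection Server IP Set", "Blast Extreme", VDI_SG, "allow", "HTML 5 Access"),
    (VDI_SG, "Any", "Any", "block", "Block All other traffic"),
]


def endpoint_matches(selector, vm, ip):
    """Endpoint = (vm_name, or None for non-VDI hosts; IP address string)."""
    if selector == "Any":
        return True
    if selector in SECURITY_GROUPS:
        return vm in SECURITY_GROUPS[selector]
    return any(ip_address(ip) in ip_network(net) for net in IP_SETS[selector])


def service_matches(name, proto, port):
    ports = SERVICES[name]
    return ports is None or (proto, port) in ports


def evaluate(src, dst, proto, port, block_inbound=False):
    """Return (action, purpose) of the first matching rule.

    block_inbound=True models the page's alternative final rule (Any/Any/Any applied
    to the VDI Security Group), which also drops unsolicited traffic *into* desktops.
    """
    for s_sel, svc, d_sel, action, purpose in RULES:
        if (endpoint_matches(s_sel, *src) and service_matches(svc, proto, port)
                and endpoint_matches(d_sel, *dst)):
            return action, purpose
    if block_inbound and (src[0] in SECURITY_GROUPS[VDI_SG] or dst[0] in SECURITY_GROUPS[VDI_SG]):
        return "block", "Block All other traffic (to AND from VMs)"
    return "allow", "DFW default rule"


# Constructed endpoints for walking through the validation checklist.
CLIENT = (None, "10.10.5.5")
VDI1, VDI2 = ("vdi-01", "10.30.0.11"), ("vdi-02", "10.30.0.12")
PROXY, DC, CS = (None, "10.20.0.10"), (None, "10.0.0.10"), (None, "10.0.0.30")

if __name__ == "__main__":
    checks = {
        "client -> desktop, Blast":      (CLIENT, VDI1, "tcp", 22443),
        "desktop -> desktop, SMB":       (VDI1, VDI2, "tcp", 445),
        "desktop (user) -> proxy":       (VDI1, PROXY, "tcp", 443),
        "desktop (no user) -> proxy":    (VDI2, PROXY, "tcp", 443),
        "desktop -> Internet direct":    (VDI1, (None, "203.0.113.9"), "tcp", 443),
        "desktop -> DC, Kerberos":       (VDI1, DC, "tcp", 88),
        "Connection Server -> desktop":  (CS, VDI1, "tcp", 22443),
    }
    for label, args in checks.items():
        print(f"{label:30} {evaluate(*args)}")
    stray = ((None, "192.168.1.1"), VDI1, "tcp", 3389)
    print("unsolicited RDP into desktop:", evaluate(*stray),
          "/ to-AND-from variant:", evaluate(*stray, block_inbound=True))
```

Running the script shows the two behaviours worth confirming in the validation step: a desktop with no user logged in cannot reach the proxy because the identity-based rule has nothing to match, and with only the "from VMs" block in place a stray connection into a desktop falls through to the DFW default, which is why the page offers the "to AND from VMs" variant.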