VMware® Federal Secure Desktop™ Validated Design Guide


Table of Contents

About the Validated Design Guide . . . 3
Introduction . . . 4
Audience . . . 4
Business Case . . . 4
What Is Federal Secure Desktop? . . . 5
  Mobility . . . 5
  Security . . . 6
  Management . . . 6
User Profiles . . . 6
Federal Secure Desktop Architecture Overview . . . 7
Solution Validation . . . 9
  Lab Equipment List . . . 9
  Solution Components . . . 9
  Optional Components . . . 9
Key Components of the Architecture . . . 10
  Core Components . . . 10
    vSphere and vCenter . . . 10
    VMware Horizon View . . . 10
    VMware vCloud Networking and Security and vShield Endpoint . . . 10
    CAC Cards . . . 10
    HBSS . . . 10
    Zero Clients . . . 10
    802.1X Network Access Control . . . 11
  Additional Components . . . 11
    Management . . . 11
    Compliance . . . 11
    Persona and User-Installed Apps . . . 11
Architecture Overview . . . 12
  Server Architecture . . . 12
  Storage . . . 12
  Networking . . . 13
  Security . . . 13
    CAC Card Support . . . 13
    McAfee HBSS . . . 15
    802.1X Authentication . . . 15
    vCloud Networking and Security and vShield Endpoint . . . 15
  Management . . . 16
    Endpoint Management . . . 16
    Persona Management . . . 17
Key Deployment Considerations . . . 18
  Initial Setup . . . 18
  CAC Certificate Setup . . . 18
  Deploying the Base Image and Desktop Pools . . . 19
  McAfee HBSS . . . 20
  Configuring Zero Clients and 802.1X Authentication . . . 20
  User Connection Flow Sequence . . . 21
Summary . . . 21
About the Authors . . . 22


About the Validated Design Guide

VMware® Validated Design Guides provide an overview of a solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.

The guide is an introduction to proof of concepts, emerging new technology and architectures, and enhancement of customer use cases.

The Validated Design Guides:

• Incorporate generally available products into the design

• Employ repeatable processes for the deployment, operation, and management of components within the solution

Validated Designs are tested for a specific use case or architectural practice on a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real-world practices.

The Validated Design Guides include:

• Use cases catered to the design

• Products validated as part of design testing

• Software used for each component of the design

• Configurations used to support the design test cases

• A list of design limitations and issues discovered during testing


Introduction

This Validated Design Guide is an overview of the VMware Horizon View™ Federal Secure Desktop™ solution, which is based on the VMware Horizon View Mobile Secure Workplace™ solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive solution that satisfies the specific requirements of use cases within the federal vertical such as mobility, bring your own device (BYOD), security, and compliance.

This document provides an overview of the logical solution architecture and results of the tested configuration. The solution is not exclusive to the products tested within the architecture. Consult your VMware representative for more information about how to modify the architecture with your preferred vendors.

Audience

This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists, and customers who will configure and deploy a secure desktop solution for federal agencies or organizations.

Business Case

Recent natural events, including the North American blizzard of 2010 and Hurricane Sandy, caused heavy damage to the federal infrastructure and closed regional federal offices for many workdays. While such disasters cost the government millions of dollars, they can serve as the ideal use case to support the recently enacted Telework Enhancement Act of 2010, H.R. 1722.

Nearly every federal IT organization today is working to embrace mobile computing for a number of reasons, including:

• Lowering its carbon footprint and energy costs by reducing employee commutes

• Improving employee satisfaction and work/life balance, especially for workers who maximize use of mobile devices and who expect more flexible mobile work arrangements

• Striving for an always-on, agile e-government infrastructure that gives employees immediate access to information

• Supporting Continuity of Operations (COOP) in the event of emergencies by helping employees do their jobs effectively from home or remote locations

The Telework Enhancement Act and initiatives around disaster recovery and COOP pose both an opportunity and a challenge for federal IT leaders. Users expect and require access to applications and data on a variety of devices to maximize productivity; but IT is pressured to secure information, control critical processes and data, and ensure that all compliance requirements are met.


What Is Federal Secure Desktop?

The VMware Horizon View Federal Secure Desktop solution is built on the VMware validated Mobile Secure Workplace solution. It provides secure access for end users to desktops that meet various federal compliance requirements. The solution design supports end-user mobility, streamlines application updates, enhances data security, and delivers the highest-fidelity user experience.

[Figure 1 diagram. Components shown: Horizon View client devices (Android tablet, iPad, PDA, zero client, thin client, Windows Horizon View Client, Windows Horizon View Client with Local Mode, Macintosh Horizon View Client) on the external and internal networks; a Layer 7 load balancer for Horizon View Security and Connection Servers; Horizon View Security Servers in the DMZ; Horizon View Connection Servers; Active Directory, vCenter, antivirus, vCM, vCOps, vCNS, print server, certificate authority, RADIUS and SSO on the management vSphere infrastructure; virtual desktops on the virtual desktop vSphere infrastructure with local SSD datastores for Horizon View Composer linked clone storage; and shared storage infrastructure for Persona, user data, ThinApp applications, and VM master images.]

Figure 1: Mobile Secure Workplace Solution

This solution enables the audience to address the following three key requirements addressed by the VMware Mobile Secure Workplace solution:

• Mobility

• Security

• Management

Mobility

The Federal Secure Desktop solution, built on VMware Horizon View, places desktops in the data center. The solution provides users access to their remotely displayed desktop through any device via the FIPS 140-2 certified PCoIP protocol. Desktops can be accessed from zero clients, workstations, thin clients, or mobile devices. With VMware Horizon View Persona Management, Federal Secure Desktop provides true session persistence across devices and sessions. The variety of endpoints enables true BYOD support, and session persistence enables session mobility across devices.


Security

With support for Common Access Cards (CAC) built into and validated in the design, the Federal Secure Desktop solution supports and extends an existing data and application security infrastructure. In addition to providing the right level of access to the right resources, the solution also simplifies patch management and update management for all desktops. IT administrators can update and patch desktops in the data center to the latest version, ensuring that no vulnerabilities exist in the environment due to unpatched or orphaned systems. Data resides in the data center and is protected by VMware vCloud® Networking and Security™ and VMware vShield Endpoint™, which provide superior security to the environment. The design uses PCoIP-based zero clients from Teradici, which provide the utmost endpoint security. Teradici also incorporates 802.1X authentication to allow only authorized devices to connect to the network.

Management

One of the key challenges facing organizations today is to obtain an overview of their desktop environment and manage the environment, desktops, access policies, and service levels. The Federal Secure Desktop solution, with optionally integrated VMware vCenter™ Operations Manager™ for Horizon View, provides an integrated dashboard with intelligent data on all desktop-related events. This helps IT administrators provide the right amount of intervention and guidance when virtual infrastructure performance falls below an expected range of behavior. The solution can also include VMware vCenter Configuration Manager™ (vCM) for importing suggested configurations and to meet regulatory compliance.

User Profiles

The Federal Secure Desktop solution is applicable to all use cases in federal agencies which require mobility, a high level of security, and always-on access to desktops. These use cases include but are not limited to teleworkers and first responders. The workload profiles include a spectrum of users: office-based and home office-based workers, remote-office knowledge workers, power users, and mobile workers.

The validated design in this document supports the unique requirements of these user profiles and helps the IT team manage the environment securely.


Federal Secure Desktop Architecture Overview

The Federal Secure Desktop solution is built on the VMware validated Mobile Secure Workplace solution.

The following diagram shows the logical topology for the Federal Secure Desktop solution:

[Figure 2 diagram. Components shown: AD, CA and CAC infrastructure, vCenter, virtual machines (APP/OS) grouped into Pool 1, Pool 2 and Pool 3, vCNS, McAfee Antivirus, McAfee HBSS, an L7 load balancer, and 802.1X.]

Figure 2: Federal Secure Desktop Logical Topology

The architecture consists of:

• VMware Horizon View infrastructure

• Access infrastructure with CAC card setup, 802.1X, and zero clients

The VMware Horizon View infrastructure consists of two virtual machine clusters for scalability purposes, a management cluster and a virtual desktop cluster. The management cluster includes all the management components required for the VMware Horizon View base architecture along with VMware vCenter Operations Manager, vCloud Networking and Security, and vShield Endpoint.


The virtual desktop cluster is dedicated to hosting stateless virtual desktops accessed by end users. The environments are segregated to effectively utilize underlying hardware resources, and support storage layer tiering where required.

The management architecture can host multiple connection servers, load balanced to provide redundancy and availability. Users can access the closest desktop immediately by accessing the network of load balancers with a single namespace. Remote users can access the environment through Horizon View Security Servers deployed in the demilitarized zone (DMZ). Usage of Horizon View security servers ensures secure access to remote desktops via PCoIP, while maintaining an optimal user experience.

The CAC infrastructure is set up in a standard format as it would be in a physical environment. The certifications are provided by DISA, and the specifications can be found in the Common Access Card (CAC) User Guide.

Certifications are provided via a CAC on NIPRNet (Non-classified Internet Protocol Router Network). This emulates the standard access method that is used by federal agencies. The United States Department of Defense (DoD) integration is achieved by allowing the Certificate Authorities (CAs) to use the relevant fields in the certificate chain, with the DISA CA as the trusted source.

To secure desktops and meet federal requirements, HBSS combined with McAfee's ePolicy Orchestrator (ePO) and other host-based intrusion prevention systems (HIPSs) were added to the environment.

To provide enhanced security, 802.1X authentication was added to the solution to lock down the devices that can connect to the network. In conjunction with zero clients as the access devices, 802.1X authentication locks down the environment securely while giving end users mobility and a superior user experience.

The architecture is scalable and is based on the standard reference architectures published by VMware.


Solution Validation

For functional testing and validation, the solution was implemented with 100 desktops and deployed on the hardware in Table 1. The solution implemented in the lab was designed to scale to many thousands of desktops according to the sizing guidelines provided in VMware published reference architectures. The architecture was built in pods or building blocks so the solution could be scaled easily.

Lab Equipment List

Product | Details
Servers | 5 – 1U servers with 2 Intel Xeon E7-8837 2.67 GHz processors, 96 GB RAM
 | 1 – 2U server with 2 Intel Xeon E7-8837 2.67 GHz processors, 128 GB RAM
Hard drives | 8 – 300 GB Intel 320 SSD drives
 | 8 – 600 GB 7200 RPM HDD
Attached storage | iSCSI storage array, raw disk capacity 8 TB, raw flash cache 160 GB, 24 GB RAM, 4 – 1 GbE network ports
Networking | Layer 2 – 10/100/1000 24-port switch

Table 1: Lab Equipment

Solution Components

Product | Description
VMware vSphere® | 5.0.1
vSphere with VMware vCenter | 5.0
VMware Horizon View | 5.1
VMware Horizon View Composer | 3.0
vCloud Networking and Security | 5.1.2a
vShield Endpoint | 5.0.1
CAC | CAC infrastructure with federal NIPR and SIPR cards
Desktop antivirus | McAfee ePO AV stack
HBSS | McAfee HBSS
Clients | Teradici zero clients

Table 2: Solution Components

Optional Components

Product | Description
vCenter Operations Manager for Horizon View | 1.0
Load balancer | F5 BIG-IP LTM, GTM, and APM

Table 3: Optional Components


Key Components of the Architecture

Though the solution architecture is vendor agnostic, the following components are part of the validated design:

Core Components

vSphere and vCenter

The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using vSphere, and more information on the platform can be found on the VMware Web site.

VMware Horizon View

The central component of the solution architecture is VMware Horizon View, the industry-leading virtual desktop infrastructure (VDI) product.

VMware vCloud Networking and Security and vShield Endpoint

VMware vCloud Networking and Security is the leading software-defined networking and security solution that enhances operational efficiency, unlocks agility, and enables extensibility to rapidly respond to business needs. It provides a broad range of services in a single solution, including virtual firewall, VPN, load balancing and VXLAN extended networks.

VMware vShield Endpoint strengthens security in VMware vSphere and Horizon View environments while improving performance for endpoint protection by orders of magnitude, offloading antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners.

Visit the VMware Web site for more information on vCloud Networking and Security and vShield Endpoint.

CAC Cards

The CAC, a smart card about the size of a credit card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in secure Federal environments. It is also the principal card used to enable physical access to buildings and controlled spaces, and provides access to defense computer networks and systems. More information on CAC cards can be found at the DoD ID Card Reference Center.

The DoD has adopted and used the Public Key Infrastructure (PKI)-based CAC for years as their primary authentication method into the NIPRNet. NIPRNet is composed of Internet Protocol routers owned by the DoD.

Several agencies have also migrated to SIPR (Secure Internet Protocol Router) hardware tokens as their primary authentication method for accessing the SIPR network. Other agencies are also moving toward a PKI-based Personal Identity Verification (PIV) card for authentication into the federal network.

HBSS

HBSS is the official name given to the DoD commercial-off-the-shelf (COTS) suite of software applications used within the DoD to monitor, detect, and counter attacks against computer networks and systems. For this validation, we used McAfee HBSS products to meet the compliance requirements. HBSS is the McAfee ePO suite with antivirus HIPS.

McAfee HBSS is a requirement for most data centers, and is required by the Department of the Navy. HBSS is required for managing every endpoint general-purpose operating system (servers and desktops). The major requirement for any 802.1X deployment is the use of FIPS 140-2 validated crypto modules to protect the data.

Zero Clients

PCoIP zero clients are ultra-secure, easy-to-manage devices that offer the richest user experience in a VMware Horizon View environment. PCoIP zero clients are based on the TERA chipset by Teradici and are available in a variety of form factors from a number of trusted OEMs. Further information is available at www.teradici.com.


802.1X Network Access Control

PCoIP zero clients support 802.1X network device authentication using EAP-TLS certificates. Under this method, all network endpoint devices must be authenticated before they are granted access to the network. This is a typical method of device authentication for high-security environments, providing an additional layer of security beyond username and password credentials.

The 802.1X authentication protocol has grown in usage. IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC) that provides an authentication mechanism for devices trying to attach to a LAN or WLAN.

The DoD has added a requirement that all network ports or on-ramps be protected. Applications, servers and data are normally protected; however, most network ports are left open. Typically, users access a network by simply plugging into a port, and a network address is allocated for the connection. Computers without proper access to data and servers are open to attacks launched from the network. Network port protection lockdown restricts anonymous access and prevents these "attacks."

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (thin client or zero client) that tries to attach to the LAN or WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client device that provides credentials to the authenticator. The authenticator is a network device such as an Ethernet switch or wireless access point. The authentication server is typically a host running software supporting the RADIUS and EAP protocols.¹

In this validation, routing was done at the switch (authenticator). We created a DMZ VLAN and configured 802.1X on the switch to speak to our authentication server (Microsoft Network Policy Server serving as a RADIUS server). Additionally, vCloud Networking and Security was used for port group protection on intra-virtual-machine traffic.
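The three-party exchange described above, as an added example (not code from VMware, Teradici, or the lab's Microsoft NPS configuration): a Python simulation in which a zero client (supplicant) plugs into a switch port (authenticator) that relays its EAP-TLS credential to the RADIUS server, and the controlled port drops every non-EAPOL frame until the server returns Access-Accept. The CA name, keys and serial numbers are constructed placeholders; an HMAC stands in for the X.509 signature check and a set of revoked serials stands in for the CA's CRL.

```python
"""802.1X three-party exchange: supplicant (zero client), authenticator
(switch port) and authentication server (RADIUS + EAP-TLS).
Added example, not VMware, Teradici or Microsoft NPS code. The CA name,
keys and serials are constructed placeholders; an HMAC stands in for the
X.509 signature check and a set of serials stands in for a CRL."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed toy PKI. The design trusts the DISA CA; this is a placeholder.
CA_KEYS = {"PLACEHOLDER-ROOT-CA": b"constructed-key-not-a-real-secret"}
TRUSTED_ISSUERS = {"PLACEHOLDER-ROOT-CA"}
REVOKED_SERIALS = {"0x0003"}   # stand-in for the CA's CRL
NOW = 20130601                 # yyyymmdd used for the validity check


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: str
    not_after: int
    signature: bytes = b""


def _tbs(cert: Cert) -> bytes:
    """The 'to be signed' fields, as both the CA and the verifier see them."""
    return f"{cert.subject}|{cert.issuer}|{cert.serial}|{cert.not_after}".encode()


def issue_cert(ca: str, subject: str, serial: str, not_after: int) -> Cert:
    """Issue a device certificate; the HMAC stands in for the CA signature."""
    cert = Cert(subject, ca, serial, not_after)
    cert.signature = hmac.new(CA_KEYS[ca], _tbs(cert), hashlib.sha256).digest()
    return cert


# Authentication server side (in the lab: Microsoft NPS acting as RADIUS).
def validate_certificate(cert: Cert, now: int = NOW) -> str:
    """Chain, signature, validity and revocation checks, in that order."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "Access-Reject: untrusted issuer"
    expected = hmac.new(CA_KEYS[cert.issuer], _tbs(cert), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return "Access-Reject: bad signature"
    if now > cert.not_after:
        return "Access-Reject: certificate expired"
    if cert.serial in REVOKED_SERIALS:
        return "Access-Reject: certificate revoked (CRL)"
    return "Access-Accept"


def radius_access_request(eap_response: dict) -> str:
    """EAP-TLS only: a device certificate is the sole accepted credential."""
    if eap_response.get("method") != "EAP-TLS":
        return "Access-Reject: EAP method not allowed"
    return validate_certificate(eap_response["cert"])


# Authenticator side: the controlled port of an Ethernet switch.
@dataclass
class SwitchPort:
    authorized: bool = False
    log: list = field(default_factory=list)

    def receive(self, frame: dict) -> str:
        """Unauthorized ports pass only EAPOL; everything else is dropped."""
        if frame["type"] == "EAPOL-Start":
            self.log.append("EAP-Request/Identity")
            return "EAP-Request/Identity"
        if frame["type"] == "EAP-Response":
            verdict = radius_access_request(frame)   # relayed over RADIUS
            self.authorized = verdict == "Access-Accept"
            self.log.append(verdict)
            return "EAP-Success" if self.authorized else "EAP-Failure"
        if not self.authorized:
            self.log.append(f"dropped {frame['type']}")
            return "dropped"
        return "forwarded"


# Supplicant side: a PCoIP zero client plugging into the port.
def connect_zero_client(port: SwitchPort, cert: Cert) -> bool:
    """Run the exchange; True only if PCoIP traffic flows afterwards."""
    port.receive({"type": "PCoIP"})        # before auth: must be dropped
    port.receive({"type": "EAPOL-Start"})
    result = port.receive({"type": "EAP-Response", "method": "EAP-TLS",
                           "identity": cert.subject, "cert": cert})
    return result == "EAP-Success" and port.receive({"type": "PCoIP"}) == "forwarded"


if __name__ == "__main__":
    device = issue_cert("PLACEHOLDER-ROOT-CA", "zero-client-01", "0x0001", 20141231)
    port = SwitchPort()
    print(connect_zero_client(port, device), port.log)
```

The port log shows the defender's view: the first PCoIP frame is dropped, the identity exchange runs, and only the server's verdict opens the port.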

Additional Components

Management

One of the biggest challenges faced by an IT group is on-demand management of the entire environment and the ability to identify and plan the infrastructure. VMware vCenter Operations Manager for Horizon View provides the management infrastructure required for the environment.

Compliance

One of the key requirements of many vertical industries is the ability to manage compliance with various industry regulations. VMware Horizon View is compliant with FIPS 140-2.

Teradici Tera2 Zero Client supports AES-256 and NSA Suite B crypto security protocols.

Persona and User-Installed Apps

Many use cases defined in the solution have a requirement to persist user information across sessions. But the biggest cost savings both in terms of CapEx and OpEx can be achieved by using stateless desktops. To effectively meet both goals, VMware Horizon View has a feature called Persona Management to maintain user data and profile persistence across stateless sessions. In addition to profile persistence, some use cases require support for user-installed applications. This can be achieved by implementing some of our partner products.

1. Cloud Centrics Technology Blog, “802.1X Challenges for Department of Defense,” Aamir Lakhani, September 16, 2012.


Architecture Overview

Server Architecture

In the Federal Secure Desktop solution design, it is important to separate the management and desktop components as two discrete blocks of infrastructure. In this design, we created a management cluster and a VMware Horizon View cluster, in order to establish a subscription- or consumption-based model. This methodology is important for the solution to scale easily, as another Horizon View pod can be plugged into the architecture as required, and services can be extended to accommodate the expansion.

VMware vCloud Networking and Security and vShield Endpoint were configured to provide the security architecture, specifically around virtual desktop communication and application protocol flow in and out of the management, services, and desktop pool security zones.

In order to satisfy strict federal desktop requirements, the architecture also included integration of CAC and HBSS components.

The infrastructure components required for the environment are configured in the management cluster, and View Services is configured in the View Services cluster.

The management cluster includes two Active Directory virtual machines for redundancy, a vCenter server with a SQL Server virtual machine and a Certificate Authority with CAC enabled, along with the McAfee HBSS components (ePO server, AV server).

The View Services cluster includes the Horizon View Connection Server, vCenter Compliance Manager, vShield Security Manager, and Horizon View Security Servers. These form the core and optional services required for the environment.

Separate resource pools were added to simulate the various user profiles accessing the environment. The vCloud Network and Security Edge gateway component was configured to ensure that these resource pools are segregated and cannot talk to each other.

Storage

Following the Mobile Secure Workplace base design, in the Federal Secure Desktop design the typical storage configuration was logically segregated into two clusters: management and VDI. The management cluster in turn is segregated into general, SQL, vCloud Networking and Security, and third-party (if necessary) segments. The VDI cluster is segregated into virtual desktops and user and corporate data segments. This logical segregation is in alignment with the workloads in these datastores.

The general datastore cluster in the management segment consists of Active Directory, DNS, Horizon View Connection Server, Horizon View Security Servers, and McAfee HBSS components. All general infrastructure components are located in this segment. Storage best practices were followed when the datastores were created (e.g., two instances of AD, and Horizon View Connection Server and Horizon View Security Server are located in two separate datastores for failover protection).

The SQL logical cluster contains the datastores for all SQL databases used for Composer and vCenter, and the vCloud Networking and Security cluster contains the datastores for all vCloud Networking and Security virtual machines. In addition to the above, a separate datastore cluster can be added if necessary to host all third-party software that needs to be included in the design.

The VDI logical cluster contains datastores for virtual desktops and user and corporate data.

Typically, the management logical cluster can be Fibre Channel or iSCSI, and the virtual desktop datastores are in SSD for higher performance. The user data and corporate data are located in NFS datastores.


In this lab design, the management logical cluster (general, SQL, vCloud Networking and Security, and third-party virtual machine datastores) is located in iSCSI datastores. The VDI cluster (virtual desktops) is located in SSD and the user data is located in NFS datastores. For production environments, it is recommended that IT administrators review storage best practices documentation to determine the best storage options for various types of virtual machines.

Networking

For this architecture, vSphere network-distributed switch technology was leveraged to simplify the configuration.

Standard VLANs were used to segregate vSphere management, services management, and desktop virtual machine traffic. All uplink ports were configured as VTP trunk ports into the vSphere hosts. All networking was then broken out at the virtual distributed switch (vDS) level.

Security

The Federal Secure Desktop solution places very high emphasis on security and meets all the compliance requirements of a federal deployment. The key components of security integrated into this architecture are:

• CAC card support

• McAfee HBSS

• 802.1X authentication

• vCloud Networking and Security and vShield Endpoint

• Zero clients

We will look at some of these key components in more detail in the sections that follow.

CAC Card Support

VMware Horizon View has supported the use of smart cards for years. Several federal agencies have successfully deployed VMware solutions, which meet the smart card standards. VMware Horizon View supports both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) to ensure that digital certificate status is up to date and valid.

Teradici has tested these specific smart card models:

Product | Specification and/or Applet | Middleware Provider | Supported by Firmware (Pre-Session Authentication) | Supported by Firmware (In-Session Use) | Description | Notes
--- | --- | --- | --- | --- | --- | ---
Cyberflex Access 64K V2c | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto Access 64K V2 | None
ID-One Cosmo v5.2D 64K | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur Cosmo 64 V5.2D | None
ID-One Cosmo v5.2 72K | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 | None
Cyberflex Access v2c 64K | CAC (GSC-IS), ActivClient v2.6.1 applet | ActivIdentity | Yes (FW 3.2.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto Access 64K V2 | None
ID-One Cosmo v5.2D 72K | CAC (PIV Transitional), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Transitional), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto GCX4 72K DI | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
ID-One Cosmo v5.2D 72K | CAC (PIV Endpoint), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One V5.2 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Endpoint), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto GCX4 72K DI | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
Gemalto TOP DL GX4 144K | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto TOP DL GX4 144K | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
Oberthur ID-One Cosmo 128 v5.5 for DoD CAC | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur ID One 128 v5.5 Dual | This card has both contact and contactless interfaces. Teradici only supports the contact interface.
CosmopolIC 64K V5.2 | CAC (GSC-IS), ActivClient v2.6.2 applet | ActivIdentity | Yes (FW 3.2.0 and higher) | Yes (FW 3.2.0 and higher) | | None
ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | CAC (PIV Endpoint), ActivClient v2.3.2 applet | ActivIdentity | Yes (FW 3.4.0 and higher) | Yes (FW 3.4.0 and higher) | A PIV Endpoint card uses the T=1 protocol | None
GemCombiXpresso | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Gemalto TOP DL GX4 72K | None
ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | Also referred to as the Oberthur CS PIV EndPoint v1.08 FIPS 201 | None
ID-One Cosmo v7.0 128K | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | | None
SmartCafe Expert 144K DI v3.2 | CAC (PIV Endpoint), ActivClient v2.6.2b applet | ActivIdentity | Yes (FW 3.3.0 and higher) | Yes (FW 3.2.0 and higher) | | None
Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | Yes (FW 4.0.0 and higher) | Yes (FW 3.2.0 and higher) | | None
Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | Yes (FW 4.0.0 and higher) | Yes (FW 3.2.0 and higher) | | None
Axalto Cryptoflex .NET | Gemalto .NET | Gemalto/Windows | Yes (3.4.1 and higher) | Yes (FW 3.2.0 and higher) | Implements the Gemalto .NET standard. The middleware is built into Windows. | None
SafeNet SC650 | Coolkey applet | 90meter | Yes (3.5.1 and higher) | Yes (FW 3.2.0 and higher) | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. |

Notes: Your card may be on the supported card list; however, the applet of the card may not be supported.

PCoIP zero clients locally terminate the smart card readers for pre-session authentication. This means that they are not redirected via USB. As such, the View Agent's PCoIP smart card component must be installed for the guest OS to see the smart card reader (this is not installed by default).

Pre-session smart card authentication to remote workstations using PCoIP host cards is not supported at this time.

Supported devices are subject to change. Visit the Teradici Web site for the latest updates, or open a ticket with Teradici Systems Engineering to request support for additional readers and smart card variants.

Table 4: Teradici-Supported CAC Card Models

Note: Although only zero clients from Teradici are highlighted in the above table, thin client partners like Wyse and HP have full product lines supporting PKI-enabled devices and token access to the federal agency network.

McAfee HBSS

For virtual desktop antivirus protection, McAfee MOVE AV is fully validated and compatible with VMware vShield Endpoint, included with vSphere 5.1.

Figure 3: A Single McAfee MOVE Virtual Appliance Installed on the Hypervisor Provides Antivirus Protection for Multiple Virtual Machines

HBSS provides advanced mitigation efforts necessary to detect, defend, react and deter, in real time, against known cyber-threats. In the current DoD network environment, HBSS is critical to maintaining network security, and addresses current network vulnerabilities to prevent future intrusions. Refer to the DISA Web site for more information on the HBSS components. For more information on McAfee MOVE AV and HBSS configuration and best practices for the Federal desktop, please refer to the McAfee MOVE / VMware Collaboration Best Practices guide.

802.1X Authentication

Depending on the authentication setting on a switch or router, 802.1X authentication can allow a remote router to connect authenticated VPN users to a secure network through a VPN tunnel. Users are then authenticated in the secure network through a RADIUS server. In Federal Secure Desktop, the design covers end-to-end security practices. In the lab validation, we enabled 802.1X authentication on the switch port. Please refer to your network equipment user guide for more information on how to enable 802.1X authentication.

vCloud Networking and Security and vShield Endpoint

The following virtual appliances were deployed in the design:

• Edge – Secures the edge of the virtual datacenter by being configured to be the firewall, VPN, Web load balancer, NAT and DHCP services to monitor packet headers for source and destination IP addresses.

• App – Protects applications in the virtual datacenter from network-based threats.


• vShield Endpoint – Included in vSphere 5.1, vShield Endpoint strengthens security for virtual machines and their Windows Server hosts while improving performance.

VMware vCloud Networking and Security App can be used as a load balancer for internal View Connection Servers accessed exclusively by users inside the corporate network. The external connections are load balanced via network load balancers.

Management

The Horizon View Administrator console shows the health of various components deployed within the infrastructure (not including third-party products). This level of information is very basic but can be sufficient for many organizations.

For organizations that require enhanced monitoring and management, including capacity planning, this architecture integrates the VMware vCenter Operations Manager for Horizon View as an optional component. When integrated, this product provides end-to-end visibility into the Horizon View environment. The patented analytics and integrated approach to performance, capacity, and configuration management delivers simplified health and performance management along with a better end-user experience, as any issues can be identified and solved proactively.

In addition to the above analytics, the architecture also supports adding more third-party analytics and monitoring tools to suit any such organizational needs.

Endpoint Management

We validated the Teradici zero client that has no local embedded OS footprint.

PCoIP Zero Client Management software is a simple, web-based tool with automated configuration to manage the entire ecosystem of PCoIP devices.

The PCoIP Management Console is a web-based management tool that allows administrators to deploy and manage an entire enterprise deployment of PCoIP devices from a central console, further streamlining the already minimal management of a PCoIP infrastructure.

With the PCoIP Management Console, administrators can:

• Monitor, configure and update all PCoIP devices from anywhere

• Graphically view status and connection information

• Remotely access and update configuration settings

• Auto-configure devices when devices are discovered on the network

• Manage devices individually or by group (i.e., location, department, function)

• Schedule firmware updates, profile application modifications, and power state changes

• Assign static connections between PCoIP hardware host and client devices

• Apply configuration data to individual devices or groups of devices

• Deploy bulk firmware updates

• Support multiple device discovery mechanisms

• View and manage device logs

• Manage the power of devices


Persona Management

In a traditional physical desktop with local storage, all the changes a user makes to their profile are stored on the local hard disk. In the virtual desktop world, desktops are available in two versions: dedicated desktops (also known as persistent desktops), in which users are assigned a specific desktop and use that desktop each time they log in; and floating desktops (also known as nonpersistent), which provide the user any available desktop for each session. For dedicated desktops, the user's profile is stored in a persistent data disk. But dedicated desktops are not storage efficient and increase the total cost of ownership for the solution.

The Federal Secure Desktop solution (like the Mobile Secure Workplace solution) employs floating desktops with Persona Management enabled. This feature seamlessly preserves a user's profile on a network share for safekeeping between sessions. Persona Management persists data and settings stored in the profile without specific knowledge of how a particular application works. This enables the architecture to be more storage-efficient. The Persona Management feature is also efficient during login times, as it downloads only the files that Windows requires, such as user registry files. Other files are copied to the desktop when the user or an application opens them from the profile folder, thus increasing efficiency.


Key Deployment Considerations

The deployment details can be segregated into five key categories:

• Initial setup

• CAC certificate setup

• Deploying the base image and desktop pools

• McAfee HBSS

• Configuring zero clients and 802.1X authentication

The following section covers the details and key considerations in each category.

Initial Setup

One of the key considerations in deploying this federal solution is that, in a typical DoD environment, there are multiple unreachable domains, and control is often not at the local level. When the View Connection Server is installed, ensure that it is installed as a local/internal server, and the connection to <HTTP://FQDN_Of_ViewManager/admin> is verified. Ensure that no other service is using ports 80 and 443. Also, ensure that the IIS service is not running in the View Connection Server and that all ports listed in the VMware Knowledge Base article Network connectivity requirements for VMware View Manager 4.5 and later are open.

A typical DoD setup can have multiple domains, so it is important to exclude non-essential domains from each Horizon View installation to reduce start-up times. The non-essential and unreachable domains can be excluded by the VDM Admin command:

vdmadmin -N -domains -exclude -domain <Domain Name> -add
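The following PowerShell script is an added example, not part of VMware's guide or product, that turns the Initial Setup checks above into something repeatable: it verifies that nothing else listens on TCP 80/443, that IIS is not running, and (after the Connection Server is installed) applies the domain exclusions with the vdmadmin command just shown. It assumes it runs elevated on the Connection Server host and that vdmadmin.exe is on the PATH; the domain names are constructed placeholders.

```powershell
# Added pre-install check for a View Connection Server host; not VMware's own tooling.
# Run elevated on the intended Connection Server. Assumption: vdmadmin.exe is on the PATH.
param(
    # Constructed placeholder names; replace with the real non-essential/unreachable domains.
    [string[]]$ExcludeDomains = @('unreachable.example.mil', 'legacy.example.mil'),
    [switch]$ApplyExclusions   # only meaningful once View is installed
)

# Check 1: nothing else may listen on TCP 80 or 443; the broker needs both.
# The pattern anchors on the local port followed by whitespace, so :8009 does not match :80.
$busy = netstat -ano -p tcp | Select-String -Pattern ':(80|443)\s+\S+\s+LISTENING'
if ($busy) {
    Write-Warning ("Ports 80/443 already in use:`n" + ($busy -join "`n"))
} else {
    Write-Host 'Ports 80 and 443 are free.'
}

# Check 2: IIS (W3SVC) must not be running on a Connection Server.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis -and $iis.Status -eq 'Running') {
    Write-Warning 'IIS (W3SVC) is running; stop and disable it before installing View.'
} elseif ($iis) {
    Write-Host "IIS is present but $($iis.Status); set it to Disabled so it cannot take 80/443 later."
}

# Exclusions: one vdmadmin call per domain, exactly the command from the guide.
if ($ApplyExclusions) {
    foreach ($d in $ExcludeDomains) {
        & vdmadmin -N -domains -exclude -domain $d -add
        if ($LASTEXITCODE -ne 0) { Write-Warning "vdmadmin returned $LASTEXITCODE for $d" }
    }
    # Assumption: -list prints the current domain filter so the change can be confirmed.
    & vdmadmin -N -domains -list
}
```

Run it once before the installer (checks only) and again with -ApplyExclusions after the installer finishes; the port check is the one that most often fails on hosts that previously ran a web server.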

CAC Certificate Setup

All U.S. federal employees are mandated to use PIV cards. The three variations are:

• Federal PIV Cards

• Common Access Cards (CAC)

• SIPR Tokens

DoD has adopted the PKI-based CAC as their primary authentication method into the NIPRNet. NIPRNet is composed of Internet Protocol routers owned by the DoD.

Several agencies have also migrated to SIPR hardware tokens as their primary authentication method for accessing the SIPR network. Other agencies are also moving toward a PKI-based PIV card for authentication into the federal network.

All are based on PKI/X.509 certificates and any one of them can be used to access virtual desktops in this design.

PKI is designed to allow secure communications, nonrepudiation, and authentication between two entities. It uses two keys to generate a web of trust.

In this design, the Certificate Authority (CA) is used to issue certificates and key pairs to entities (servers, devices, users, etc.). In our design, we use a combination of Root Certificate Authority (Root CA) and Intermediate CA for scalability purposes. Root CA has the highest authority to issue certificates and delegates some of the workload to the Intermediate CA for scalability and redundancy. Refer to the VMware Horizon View Administration guide for more information.


To enable smart cards to work with Horizon View, the following steps must be performed:

1. Obtain all required root and intermediate CA certificates.

2. Import certificates into a keystore file.

3. Build a locked.properties file. Make the following entries to the file:

trustKeyfile=masterkeystore

trustStoretype=JKS

useCertAuth=true

4. Put keystore and locked.properties into the <installdir>\server\sslgateway\conf folder.

5. Restart the View Connection Server to make your changes take effect.

To obtain DoD root or intermediate certificates, visit the Military CAC Web site.
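The following PowerShell script is an added example, not VMware's own script, that carries out steps 1 through 5 above with the Java keytool and checks the keystore contents before the service restart, so that a missing intermediate certificate is caught before users are locked out. The install directory, the certificate folder, the bundled keytool path, the keystore password and the service name wsbroker are assumptions; replace them with the values of your installation.

```powershell
# Added example of the five smart card setup steps; not VMware's own script.
# Run elevated on the View Connection Server.
# Assumptions: the CA certificates downloaded from the Military CAC site sit as
# .cer/.crt/.pem files in $CertDir; View is installed in $InstallDir and ships a JRE
# there; the Connection Server service is named 'wsbroker'.
$InstallDir = 'C:\Program Files\VMware\VMware View\Server'   # assumption
$KeyTool    = Join-Path $InstallDir 'jre\bin\keytool.exe'    # assumption
$CertDir    = 'C:\CAC\certs'                                  # assumption
$ConfDir    = Join-Path $InstallDir 'sslgateway\conf'
$Keystore   = Join-Path $ConfDir 'masterkeystore'
$StorePass  = 'changeit'   # constructed; keep the real value out of scripts

# Step 1: confirm every root and intermediate CA certificate is present.
$certs = @(Get-ChildItem -Path $CertDir -Recurse -Include *.cer, *.crt, *.pem)
if ($certs.Count -eq 0) { throw "No CA certificates found in $CertDir" }
if (-not (Test-Path $ConfDir)) { throw "View conf folder not found: $ConfDir" }

# Step 2 (and 4): import each CA cert into a JKS keystore created directly in the conf folder.
# -noprompt skips keytool's interactive "Trust this certificate?" question.
foreach ($c in $certs) {
    $alias = $c.BaseName.ToLower()
    & $KeyTool -importcert -noprompt -alias $alias -file $c.FullName `
        -keystore $Keystore -storetype JKS -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool could not import $($c.Name)" }
}

# Verify the keystore lists every alias before the broker is told to trust it.
$listing = & $KeyTool -list -keystore $Keystore -storetype JKS -storepass $StorePass
foreach ($c in $certs) {
    if (-not ($listing | Select-String -SimpleMatch -Quiet $c.BaseName.ToLower())) {
        throw "Alias for $($c.Name) missing from $Keystore"
    }
}

# Step 3: locked.properties with exactly the three entries the guide lists.
$props = @('trustKeyfile=masterkeystore', 'trustStoretype=JKS', 'useCertAuth=true')
Set-Content -Path (Join-Path $ConfDir 'locked.properties') -Value $props -Encoding ASCII

# Step 5: restart the Connection Server service so the new trust settings take effect.
Restart-Service -Name wsbroker   # assumption: service name of the View Connection Server
```

The keystore is written straight into the conf folder, so step 4 (copying) collapses into step 2; the alias check after the import is the part worth keeping even if you build the keystore by hand, because a chain with the root present but an intermediate missing fails only at user logon time.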

Deploying the Base Image and Desktop Pools

When deploying a base image for this solution, it is critical to start from a new image instead of using a physical-to-virtual desktop image. Optimize the image based on the recommendations in the VMware Horizon View Administration guide and configure the image based on organizational policies. Accordingly, disable Windows Firewall on the domain network if allowed, or open ports 4172 UDP, 4172 TCP, 3389 TCP (only if RDP is to be used), 32111 TCP, and 9427 TCP in the Windows Firewall and any other client-side, port-filtering applications being used.

For Single Sign-On to function, the Terminal Service/Remote Desktop service must be enabled. By default, all images based on Federal Desktop Core Configuration (FDCC) have the service disabled, and you need to perform the following steps to enable the service:

1. In Windows Vista or Windows 7, right click Computer from the Start Menu and select Properties. On the upper left side of the Properties dialog, select Remote Settings.

2. In the Remote Settings dialog, make sure Allow connections only from computers running remote desktop with network level authentication is checked and then click Select Users to assign the users that are allowed to connect.

3. In the Remote Desktop Users dialog, click Add, and in the Select Users dialog enter the group or groups that contain all potential Horizon View users and the View Connection Server service account (typically the Domain Users group from the local authentication domain).

4. Ensure there are no denials for remote desktop connectivity. By default these images typically have Everyone denied access. This explicit deny will override the Allow that was set up in the above steps.

a. Open a command prompt using Run As Administrator.

b. Type gpedit.msc <Enter>.

c. In the Local Group Policy Editor navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

d. In the right panel, scroll down to Deny log in through Terminal Services. Double-click and check to see if there are any groups there. If there are any groups listed, they will be unable to connect to a Horizon View desktop. Select each group (especially the Everyone group) and click Remove to remove them from the deny list. Then click OK.


5. Scroll up to Allow log in through Remote Desktop Services and double-click. By default, Administrators and Remote Desktop Users are granted this right. Add the Domain Users group from the authentication domain (or any group or groups that contain all the potential Horizon View desktop users and the View Connection Server service account). Click OK and close the Group Policy Editor.

Note: Ensure that the domain-level GPO does not override the above settings. After the base image is created, to activate it in DoD, a valid CAC card is required. CAC can be passed through to the image via the vSphere 5 client through the console, with the USB controller added to the parent image to allow this (Dameware and RDP can also be used). Once the CAC is passed through, activate Windows, select the certificate, and enter a CAC PIN under Control Panel\System and Security\System.

6. Finally, ensure that VMware Tools is installed before installing Horizon View Agent.
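The following PowerShell script is an added example, not VMware's or the FDCC's own script, that applies the scriptable parts of the base image preparation above inside the parent VM: the firewall ports, enabling Remote Desktop with Network Level Authentication (step 2), adding the View user group (step 3), and reporting whatever is still in the deny-logon right that would override the allow (step 4). The group name EXAMPLE\Domain Users is a constructed placeholder; step 5, the domain GPO check, CAC pass-through and Windows activation stay manual as the guide describes.

```powershell
# Added example for the base image preparation (firewall ports, Remote Desktop with NLA,
# deny-logon check); not VMware's or FDCC's script. Run elevated inside the parent VM
# before installing Horizon View Agent.
# Assumption: 'EXAMPLE\Domain Users' is a constructed placeholder for the group that
# holds all View users and the Connection Server service account.
$ViewUsersGroup = 'EXAMPLE\Domain Users'
$UseRdp = $false   # 3389 only if RDP is to be used as a fallback protocol

# Firewall: the ports from the guide, inbound on the domain profile.
$rules = @(
    @{ Name = 'ViewPCoIP-UDP'; Proto = 'UDP'; Port = 4172  },
    @{ Name = 'ViewPCoIP-TCP'; Proto = 'TCP'; Port = 4172  },
    @{ Name = 'ViewUSB-TCP';   Proto = 'TCP'; Port = 32111 },
    @{ Name = 'ViewMMR-TCP';   Proto = 'TCP'; Port = 9427  }
)
if ($UseRdp) { $rules += @{ Name = 'ViewRDP-TCP'; Proto = 'TCP'; Port = 3389 } }
foreach ($r in $rules) {
    netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
        protocol=$($r.Proto) localport=$($r.Port) profile=domain | Out-Null
}

# Remote Desktop: enable the service, allow connections, require Network Level Authentication
# (the same setting as the checkbox in step 2).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Set-Service -Name TermService -StartupType Manual   # FDCC images ship it disabled

# Step 3: the View user group may connect through the Remote Desktop Users local group.
net localgroup 'Remote Desktop Users' $ViewUsersGroup /add | Out-Null

# Step 4: anything still listed in "Deny log on through Terminal Services"
# (SeDenyRemoteInteractiveLogonRight) overrides the allow above, so report it.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$deny = Get-Content $cfg |
        Select-String -Pattern '^SeDenyRemoteInteractiveLogonRight\s*=\s*(.*)$' |
        Select-Object -First 1
if ($deny -and $deny.Matches[0].Groups[1].Value.Trim()) {
    Write-Warning ("Still denied remote logon; remove via gpedit.msc > User Rights Assignment: " +
                   $deny.Matches[0].Groups[1].Value)
} else {
    Write-Host 'No groups remain in the Deny log on through Terminal Services right.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

The deny check is deliberately read-only: the exported policy shows SIDs such as *S-1-1-0 (Everyone), and removing them through the Local Group Policy Editor as in step 4d keeps the change visible in the same place an auditor will look.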

For desktop pools in this architecture, it is recommended that you use floating pools with ThinApp, Persona and User Data locations redirected at login. To enhance the user experience, third-party persona management tools can also be used.

As a best practice for this solution, ensure that users are logged out 120 minutes after disconnect and that the desktops are refreshed immediately after logout. Ensure that PCoIP is set as the default protocol to access desktops, and disable users from choosing the protocol. Also, for a better user experience, ensure that Adobe Flash Quality is set to Medium in the pool settings in the View Connection Server.

McAfee HBSS

For optimal performance of McAfee HBSS, the following considerations are recommended:

• Set McAfee agent to server communication interval to 720 minutes or less

• Set policy enforcement interval to 30 minutes or less

• Perform a full scan on the parent image before building pools

• If allowed, only scan on Read, not Write

• Disable the setting Run Missed Jobs at startup

Configuring Zero Clients and 802.1X Authentication

Zero clients based on the Teradici TERA chipset are ultra-secure, easy-to-manage devices that offer the richest user experience in this solution. In addition to supporting a variety of authentication methods (SIPR Tokens, CAC cards) and encryption types (TLS 1.0 with AES-128-CBC-SHA, TLS 1.0 with AES-256-CBC-SHA, Suite B ciphers, AES-128-GCM, AES-256-GCM and Salsa20-256-Round12), zero clients also support 802.1X network device authentication using EAP-TLS certificates. Under this method, all network endpoint devices must be authenticated before they are granted access to the network, thus adding an additional layer of security beyond username and password credentials. To configure this, an 802.1X-supported switch was used in this architecture.


User Connection Flow Sequence

This sequence shows how a desktop, laptop, or mobile device connects to virtual machines in a datastore managed by VMware vSphere. This includes secure implementations that require a NIPRNet token or tokens from the newer SIPRNet.

[Figure 4 diagram; only the text labels survive. Components shown: Zero Client (PKI-enabled, CAC, 802.1X authentication); NIPRNET; SIPRNet; Horizon View Security Server; Horizon View Connection Server; Active Directory; VMware vCenter; Horizon View Composer (optional); VMware vSphere hosting the virtual machines.]

Annotations recovered from the figure:

• Allow TCP 443; TCP/UDP 4172

• IPS SSM module configured to prevent basic IPS signatures for malicious attack

• Enforce PKI auth

• NIAP approved for Suite B encryption

• Security Server ACL to only allow TCP 8009 and 4001 to Connection Server for pairing

• TCP/UDP 4172 to WIN7 VDI VLAN

• WIN7 VDI VLAN: HBSS suite installed; HTTP traffic proxied; PKI enabled for SIPRNET token

• Server VLAN: separated by strict FW/IPS policy

Figure 4: Virtual Desktop Connection Path

Summary

The Federal Secure Desktop solution provides a validated end-to-end architecture for DoD and other federal agency deployments which takes into account all the key components required for a secure Horizon View implementation.

This architecture, built with VMware Horizon View and ecosystem partner components, was tested for the ability of various integrated products to provide a validated solution. The architecture, while tightly integrated, is also built to be modular so customers can pick and choose the various components that fit their specific needs. The architecture is also scalable per the guidelines provided in VMware Horizon View reference architectures.

This design caters to the three key virtual desktop requirements in any federal organization—mobility, security and management. With VMware Horizon View and other management products like vCenter Operations Manager, this design enhances the security requirement by adding federal-specific components like Common Access Cards, SIPR Tokens, and HBSS. The solution also provides enhanced network-level security, integrating 802.1X authentication with zero clients.


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-VDG-FEDSECDKTP-USLET-02130429-WEB


About the Authors

Muthu Somasundaram and Cynthia Hsieh wrote this document. Muthu is Product Line Marketing Manager in End-User Computing Solutions at VMware. Cynthia is Group Product Manager, Solution Management, in End-User Computing at VMware.

The authors would like to thank Glenn Exline, Systems Engineering Manager at VMware; Elcio Mello from Teradici; and Christie Karrels and Christopher Beckham from McAfee for their contributions to the content and validation of the solution.

To comment on this paper, contact the VMware End-User Computing Solutions Management and Technical Marketing team at twitter.com/vmwareeucsmtm.