Sometimes I really love the #vCommunity – Just kidding: I love them all of the time. I was confronted with a scenario where only certain users of a Horizon environment should be allowed to access their own Desktop via the Internet.
In general, you have a few options for this kind of restriction:
- Use tags on the Connection Servers and create desktop pools that can only be used by users coming in through a tagged Connection Server.
- Use VMware vIDM (Identity Manager) and create conditional access rules. This works, but it also adds the overhead of deploying vIDM in a highly available fashion.
Fortunately, the EUC-Champion Slack community came up with another idea I hadn't really heard about before (the feature was introduced with Horizon 7). Thx Sven and Joe for your help here.
What does this feature do? We can define that users connecting through a Unified Access Gateway (UAG) or Security Server (SecSrv), i.e. coming in from the Internet, only get access if they are members of a specific AD group. Access from the internal network is not affected by this check.
In the following example I want flenz to be able to use his desktop from both secure and insecure networks, while Saggy Naggy is only allowed to connect from the secure internal LAN.
Just navigate to Users and Groups in the Horizon Administrator and open the Remote Access tab. Add the AD group whose members should be allowed to connect via the Internet, and voilà. That's it. Pretty useful.
Important: The AD group membership is evaluated at all 'external' connection points. There is no way to differentiate between individual UAGs or Security Servers; one group applies to all of them.
As soon as Saggy Naggy tries to connect via the Internet, his logon is rejected:
Important: This remote access restriction only applies if you come in through a UAG that is labeled as an external UAG. A gateway that is not marked as external is treated like an internal connection, so check that label on every UAG you expect the restriction to cover.
I created a small video to demonstrate the functionality: