Barry Ling

Integrating UAG with OPSWAT

Updated: Mar 25, 2022


VMware is now working with OPSWAT to provide an extra security measure for its VDI solution.


The idea of the solution is to integrate OPSWAT with UAG. Each user session is passed to OPSWAT for a compliance check. Only endpoint machines that pass the check are allowed VDI access.


The solution involves two components: OPSWAT and UAG. This post walks you through the procedure.


The whole procedure involves the following major steps:


1. Create the OPSWAT OAuth app

  • The first step is to register an OPSWAT account at the following URL

  • Once the account is ready, log in to the following portal with your registered account.

  • On the portal, click "Register New Application".

  • Assign a name for the Application.

  • Provide a Description to the Application.

  • Input the Website URL. It is normally the URL used to access Horizon.

  • Input "http://127.0.0.1/opswat" for Callback URL.

  • Click "Create".

  • Input the predefined security PIN. Click "Create".

  • The Application is created. Click the "Reveal Keys" button. Copy down the Client Key and Client Secret for later steps.


2. Configure Device Policy on OPSWAT


The next step is to create the compliance policy.

  • Log on to the OPSWAT portal.

  • Click "Policies". You can create and edit policies from this page.

  • We will use the default policy for testing purposes.

  • Click the "Default" policy.

  • You may fine-tune the policy based on your needs. For testing purposes, this post uses the default settings of this policy. The default policy checks whether the endpoint device is updated with the latest patches and whether all local disks are encrypted.



3. Install the client on the Endpoint Machine


At this point, all the configuration on the portal is done. The next step is installing the OPSWAT client on the endpoint device.

  • Log on to the OPSWAT portal.

  • Click the "Device" tab. Click "Add Devices".

  • Check "Device will be automatically assigned to this group" and select the group you want to put the endpoint in.

  • Select the corresponding OS type and click "Persistent Client". This post uses a Windows endpoint as an example.

  • Launch the client setup after the download. Click "Accept the terms ...". Click "Install".

  • Wait for the installation to complete. Click "Finish".

  • Go back to the device tab on the OPSWAT portal. There you will find the endpoint machine with the client just installed. The endpoint is missing the latest Windows patch, which is why it shows as non-compliant on the portal.
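To see ahead of time why a Windows endpoint is likely to show as non-compliant, the two conditions the default policy is described as checking (latest patches, all local disks encrypted) can be approximated locally. The script below is an added example, not part of the original post and not OPSWAT's own compliance logic. The function names are hypothetical, and it assumes an elevated PowerShell session, the BitLocker module, and that the machine can reach its Windows Update source.

```powershell
# Added example: local approximation of "patched and all local disks encrypted".
# Not OPSWAT's logic; function names are hypothetical.
#Requires -RunAsAdministrator

function Get-UnencryptedFixedVolume {
    # Fixed disks (DriveType 3) that have a drive letter.
    $fixed = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3"
    foreach ($disk in $fixed) {
        $vol = Get-BitLockerVolume -MountPoint $disk.DeviceID -ErrorAction SilentlyContinue
        # Fail closed: no BitLocker data counts the same as "not protected".
        if (-not $vol -or $vol.ProtectionStatus -ne 'On' -or
            $vol.VolumeStatus -ne 'FullyEncrypted') {
            [pscustomobject]@{
                Drive      = $disk.DeviceID
                Protection = $(if ($vol) { $vol.ProtectionStatus } else { 'Unknown' })
                Status     = $(if ($vol) { $vol.VolumeStatus } else { 'Unknown' })
            }
        }
    }
}

function Get-PendingSoftwareUpdate {
    # Windows Update Agent COM API: updates that are offered but not installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{ Title = $u.Title; Severity = $u.MsrcSeverity }
    }
}

$unencrypted = @(Get-UnencryptedFixedVolume)
$pending     = @(Get-PendingSoftwareUpdate)

$unencrypted | Format-Table -AutoSize
$pending     | Format-Table -AutoSize -Wrap

if ($unencrypted.Count -eq 0 -and $pending.Count -eq 0) {
    Write-Output 'Both local checks pass.'
    exit 0
}
Write-Output ("Local checks fail: {0} unencrypted volume(s), {1} pending update(s)." -f `
    $unencrypted.Count, $pending.Count)
exit 1
```

The result is only a hint: the status shown on the OPSWAT portal is what UAG acts on.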



4. UAG Integration


The last step is configuring the integration on UAG.

  • Log on to the UAG server.

  • Click the "Gear" button next to the "Endpoint Compliance Check Provider Setting".

  • Click the "Add" button.

  • Paste the Client Key and Client Secret created in the previous step.

  • Input "gears.opswat.com" for Hostname.

  • Select "Minutes" for "Compliance Check interval Timeunit".

  • Provide the interval values. In my example, the different values mean the following configuration.

- No delay on the initial check. The status of the endpoint device is checked immediately at login.

- 2 minutes after login, the endpoint device is checked again.

- The endpoint device is then checked every 5 minutes after the first check.

  • Click "Save".

  • Go back to the UAG general settings.

  • Check "Edge Service Setting".

  • Click the "Gear" button next to the "Horizon Setting".

  • Click the "More" button at the bottom of the page.

  • Select "OPSWAT" for the Endpoint Compliance Check Provider. Click "Save".

  • Once all the above setup is complete, go back to the Windows endpoint machine. Launch the Horizon client and connect to the UAG.

  • Since the test Windows endpoint machine fails the compliance requirement, the connection will be dropped.




----- END -----









