Virtual desktops and applications are nowadays accessible from any device, at any time and from any location, so the security of these virtual workplaces matters a great deal. After all, if company-sensitive information can be reached from any type of device, every employee and customer is a potential target for cybercriminals.

VMware partners with OPSWAT to provide a joint solution in which end-user client devices are first checked for posture; only if the assessment complies with a set of predefined security policies is access to virtual desktops and applications granted.

On the OPSWAT side, the integration is provided by MetaAccess. MetaAccess performs extensive security and compliance checks, as well as remediation, before allowing a device to access corporate data. It automatically enforces company security policies on devices that try to reach remote services, so through this integration devices judged risky are denied access to company resources.


Unified Access Gateway

On the VMware side, the Unified Access Gateway (UAG) is where the MetaAccess integration plugs in. For every VMware Horizon environment, UAG appliances are the standard way to give external users (users who connect to the environment from the internet) access to company resources such as published desktops, applications, and corporate data.

UAG version 3.1 and newer can leverage MetaAccess to add compliance checking for Horizon Client access to virtual desktops and RDS-hosted applications.

The steps and illustration below explain how the components work together:

  1. Via the MetaAccess Agent, the endpoint device checks its compliance status with the OPSWAT MetaAccess Cloud Service.
  2. The end user logs in to the Horizon environment with the Horizon Client and launches an assigned resource.
  3. Using the endpoint's Device ID, the UAG appliance asks the OPSWAT MetaAccess Cloud Service whether the device meets the configured Device Policies.
  4. If the endpoint is compliant, the login continues and the user can access the company resources.

In step 3 the UAG passes only the endpoint's Device ID; no local endpoint configuration is sent to the OPSWAT MetaAccess Cloud Service during this process.

[Illustration: VMware Horizon, UAG and OPSWAT MetaAccess component overview]

Configuring the integration with OPSWAT MetaAccess requires that you manage and configure the UAG appliances yourself. If you do not, for example in Horizon Cloud environments (where the UAG is managed by VMware), the integration with OPSWAT is currently not possible.

HTML Access

External users who access the VMware Horizon environment through the browser (HTML Access) do not get a compliance check. Only the Horizon Client is supported at this time.

When the Horizon Client runs on a native operating system, such as Windows, Linux, macOS, iOS or Android, users have access to advanced remote features such as client drive redirection (CDR) and USB redirection. These features make it easy for users to move files between their virtual desktop and the local client machine, which is exactly why an administrator may want compliance checks to require an encrypted drive, a particular level of antivirus protection and current operating system patches on that client.

Horizon HTML Access, however, supports neither CDR nor USB redirection. According to OPSWAT, compliance checks are therefore less necessary for HTML Access, and the feature does not support them.

If your requirement is that every device is checked, disable HTML Access in the UAG configuration so that only compliant endpoints connecting through the Horizon Client are granted access. Keep in mind that this has to be done on every UAG that external users can reach.

Configuration

The following sections walk you through creating the OPSWAT MetaAccess configuration. In summary, the steps are:

  1. Register a new application in the MetaAccess OAuth Portal
  2. Configure the UAGs through the UAG Admin Portal
  3. Define (critical) issues and policies through the OPSWAT MetaAccess Portal
  4. Install and/or distribute the MetaAccess Agent on the endpoint devices

MetaAccess OAuth Portal

Using your OPSWAT MetaAccess account, register and log in to the MetaAccess OAuth Portal at https://gears.opswat.com/o

Register a new application and fill in the Application Name and the Website URL of your VMware Horizon environment.

In addition:

  • Make sure to set the callback URL to http://127.0.0.1/opswat.
  • Make a note of the client key and client secret; you will need them in the UAG configuration below. Treat the client secret like any other credential and keep it out of tickets and chat.

[Screenshot: List Apps in the MetaAccess OAuth Portal]

UAG configuration

Next, log in to the UAG Admin Console by opening a browser and entering https://UAG_FQDN_or_IP_Address:9443/admin

In the Admin Console, under General Settings, click Show next to Edge Service Settings, then click the Settings button next to Horizon Settings.

Next, from the Endpoint Compliance Check Provider dropdown list, select OPSWAT.

Save the configuration.


Next, go to Advanced Settings and select the Settings icon next to Endpoint Compliance Check Provider Settings.

Click Add. From the Endpoint Compliance Check Provider dropdown list, select OPSWAT.
Paste the client key and client secret you obtained from the MetaAccess OAuth Portal, leave the hostname at its default of gears.opswat.com, and click Save and Close. Note that saving resets all active external user connections, so do this in a maintenance window.


The UAG configuration is now done! If you have two UAGs for HA, repeat the same configuration on the second UAG; an appliance that is skipped will happily admit Horizon Client sessions from unchecked endpoints.
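The HA remark above is where a pool of UAGs most often goes wrong: one appliance gets the OPSWAT settings and its twin does not, and the load balancer then sends a share of external sessions through a gateway that never asks MetaAccess anything. The script below is an added example written for this post (not VMware or OPSWAT code). It pulls each appliance's configuration over the UAG admin REST API (GET https://<uag>:9443/rest/v1/config/settings with Basic authentication as the admin account) and reports every appliance whose Horizon edge service is not set to OPSWAT, whose provider settings are missing or point at another hostname, or whose client key differs from the first appliance in the pool. The JSON field names it reads (the nested edgeServiceSettingsList with identifier VIEW, endpointComplianceCheckProvider, endpointComplianceCheckProviderSettingsList, name, hostName, clientKey) are assumptions drawn from memory of the UAG settings document, so confirm them against what your own appliance returns before relying on the check. The three appliance configurations embedded at the bottom are constructed sample data, not real UAG output.

```python
"""Audit the OPSWAT endpoint compliance settings across a pool of UAGs.

Added example, not VMware or OPSWAT code.  Reads settings with the UAG admin
REST API and compares each appliance against a fixed expectation and against
the first appliance in the pool.  The JSON field names used below are
assumptions; adjust them to match what GET /rest/v1/config/settings returns
on your own appliances.
"""
import base64
import json
import ssl
import urllib.request

EXPECTED_PROVIDER = "OPSWAT"
EXPECTED_HOSTNAME = "gears.opswat.com"


def fetch_settings(uag_host, admin_user, admin_password, verify_tls=True):
    """Network call: GET the full settings document from one appliance."""
    url = f"https://{uag_host}:9443/rest/v1/config/settings"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab appliance still on its self-signed admin cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def horizon_service(settings):
    """Return the Horizon edge service object (assumed identifier 'VIEW'), or None."""
    services = settings.get("edgeServiceSettingsList", {}).get("edgeServiceSettingsList", [])
    return next((s for s in services if s.get("identifier") == "VIEW"), None)


def opswat_provider(settings):
    """Return the OPSWAT entry from the provider settings list (assumed layout), or None."""
    providers = settings.get("endpointComplianceCheckProviderSettingsList", {}).get(
        "endpointComplianceCheckProviderSettingsList", [])
    return next((p for p in providers if p.get("name") == EXPECTED_PROVIDER), None)


def audit_uag(name, settings, reference_key=None):
    """Findings for one appliance; an empty list means it passes."""
    svc = horizon_service(settings)
    if svc is None:
        return [f"{name}: no Horizon (VIEW) edge service configured"]
    findings = []
    if not svc.get("enabled", False):
        findings.append(f"{name}: Horizon edge service is disabled")
    provider = svc.get("endpointComplianceCheckProvider")
    if provider != EXPECTED_PROVIDER:
        # Dropdown left at its default: every Horizon Client session through this
        # appliance skips the posture check entirely.
        findings.append(f"{name}: compliance provider is {provider!r}, expected {EXPECTED_PROVIDER!r}")
    prov = opswat_provider(settings)
    if prov is None:
        findings.append(f"{name}: no {EXPECTED_PROVIDER} provider settings present")
        return findings
    if prov.get("hostName") != EXPECTED_HOSTNAME:
        findings.append(f"{name}: provider hostname is {prov.get('hostName')!r}, expected {EXPECTED_HOSTNAME!r}")
    if not prov.get("clientKey"):
        findings.append(f"{name}: {EXPECTED_PROVIDER} client key is empty")
    elif reference_key is not None and prov["clientKey"] != reference_key:
        # Appliances registered against different MetaAccess applications will
        # evaluate different policies for the same endpoint.  Only the key is
        # compared; the secret is never read or printed.
        findings.append(f"{name}: {EXPECTED_PROVIDER} client key differs from the first appliance")
    return findings


def audit_pool(pool):
    """pool maps appliance name -> settings dict.  Returns all findings, in order."""
    findings, reference_key = [], None
    for name, settings in pool.items():
        findings.extend(audit_uag(name, settings, reference_key))
        prov = opswat_provider(settings)
        if reference_key is None and prov and prov.get("clientKey"):
            reference_key = prov["clientKey"]
    return findings


def _uag(provider_field, provider_entry):
    """Build one constructed settings document (sample data, not real UAG output)."""
    view = {"identifier": "VIEW", "enabled": True, "proxyDestinationUrl": "https://cs.example.internal"}
    if provider_field is not None:
        view["endpointComplianceCheckProvider"] = provider_field
    return {
        "edgeServiceSettingsList": {"edgeServiceSettingsList": [view]},
        "endpointComplianceCheckProviderSettingsList": {
            "endpointComplianceCheckProviderSettingsList": [provider_entry] if provider_entry else []},
    }


# Constructed sample pool: uag-01 is configured as in the steps above, uag-02 was
# never touched, uag-03 was registered against a different MetaAccess application.
SAMPLE_POOL = {
    "uag-01": _uag("OPSWAT", {"name": "OPSWAT", "hostName": "gears.opswat.com", "clientKey": "a1b2c3"}),
    "uag-02": _uag(None, None),
    "uag-03": _uag("OPSWAT", {"name": "OPSWAT", "hostName": "gears.opswat.com", "clientKey": "zz9988"}),
}

if __name__ == "__main__":
    # Live use: pool = {h: fetch_settings(h, "admin", getpass.getpass()) for h in hosts}
    for line in audit_pool(SAMPLE_POOL) or ["all appliances consistent"]:
        print(line)
```

Run it against the sample pool and uag-02 produces two findings (provider not selected, no provider settings) while uag-03 produces one (client key differs from uag-01); a clean pool returns an empty list. For real use, build the pool with fetch_settings against each appliance and run the audit after every UAG upgrade or redeploy, since a redeployed appliance comes back without these settings.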

OPSWAT MetaAccess Portal

Now that the UAG configuration is complete, open the OPSWAT MetaAccess Portal at https://gears.opswat.com/console/dashboard

[Screenshot: MetaAccess Dashboard]

Here you define the device policies that determine what counts as an issue or a critical issue. For instance, you can require that the Windows Firewall is active, or that Windows Defender is running and up to date. Because the MetaAccess Agent is required on the device, the UAG will deny access to any endpoint that has one or more critical issues (or no agent at all) when the end user connects to the VMware Horizon environment through the Horizon Client.

MetaAccess Agent

To install the MetaAccess Agent on the endpoint device, go to the Dashboard page and click Add Devices. You are prompted to download the MetaAccess Agent, which you can then distribute to your endpoints.

[Screenshot: Add Devices on the MetaAccess Dashboard]

Configuring Policies

Configuring policies is straightforward. There are dozens of built-in checks to choose from, and a sensible Default Policy is already created that you can assign. To create your own, go to the Policy menu and click Create Policy.


Here you define the critical "issues" that matter to your company.

Once you are done configuring, click Save.

Next, assign the created policy to a group. Open the Inventory menu, click Groups and create a new group. Give the group a description and click Assign Devices to Group.

[Screenshot: Groups in the MetaAccess Portal]

End-user Experience

If an end-user device is not compliant, or the MetaAccess Agent is not installed, the Horizon Client shows an error and the login does not complete.

If the MetaAccess Agent is installed, it also raises a systray popup warning. Clicking it opens a browser page that explains why the endpoint is not compliant. Here are some examples:

[Screenshot: MetaAccess Remediation page, non-compliant device]

Once the end user has resolved the problem, login proceeds as normal. This is an example of a compliant endpoint:

[Screenshot: MetaAccess Remediation page, compliant device]

Conclusion

Implementing the OPSWAT MetaAccess integration is a good alternative for companies that do not want the Workspace ONE UEM solution but do want to raise the security of their VMware Horizon environment based on endpoint compliance.

As shown in this blog, the implementation is fairly simple and quick, but it has limitations. As stated, you cannot apply device compliance to end users who access the environment through the web browser; only the Horizon Client is supported at this time, so HTML Access has to be disabled on the UAG if every device must be checked.

In addition, the MetaAccess Agent must be installed on the endpoint device, which can be a challenging requirement for BYOD.