Securing VSPEX VMware View 5.1 End-User Computing Solutions with RSA

Design Guide

Securing VSPEX VMware View 5.1 End-User Computing Solutions with RSA
VMware vSphere 5.1 for up to 2000 Virtual Desktops

EMC VSPEX

Abstract

This guide describes required components and a configuration overview for deploying RSA SecurID two-factor authentication in any of the VSPEX VMware View end-user computing proven infrastructures. This guide and its associated Implementation Guide are designed to be used as additions, or overlays, to one of the specific VSPEX View proven infrastructure documents.

January 2013

Copyright 2013 EMC Corporation. All rights reserved. Published in the USA.

Published January 2013

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website.

Part Number H11375

Contents

Chapter 1 Introduction
    Purpose
    Business value
    Scope
    Audience

Chapter 2 Before You Start
    Essential reading
    Support resources

Chapter 3 Solution Overview
    Overview
    High Availability
    Existing infrastructure
    Key components
        RSA SecurID with Authentication Manager
        EMC VSPEX
        Backup and recovery
    Solution architecture
        High-level solution architecture
        Architecture overview
        RSA SecurID Authentication Control Flow

Chapter 4 Solution Design Considerations and Best Practices
    Overview
    Network design considerations
    Overlay design considerations
    Storage layout and design considerations
    Virtualization design considerations
    Backup and recovery implementation

Chapter 5 Solution Validation Methodologies
    Baseline hardware validation methodology
    Application validation methodology
        Key metrics
        Define the test scenarios

Appendix A References
    References
        EMC documentation
        Other documentation

Figures

Figure 1. SecurID authentication control flow for View access requests
Figure 2. Logical architecture: generalized VSPEX VMware View 5.1 proven infrastructure with RSA Authentication Manager overlaid in a redundant configuration
Figure 3. VMware View Client SecurID authentication dialog
Figure 4. VMware View Client Active Directory authentication dialog

Tables

Table 1. Baseline compute, memory, and storage requirements for Authentication Manager in the SecurID overlay

Chapter 1 Introduction

This chapter presents the following topics:
    Purpose
    Business value
    Scope
    Audience

Purpose

This document describes the security enhancements provided by, and the infrastructure components required for, the deployment of RSA SecurID two-factor authentication in a new or existing VSPEX VMware View end-user computing infrastructure.

Business value

EMC VSPEX End-User Computing Solutions for VMware View 5.1 and VMware vSphere 5.1 provide proven, best-of-breed solutions for end-user computing. Customers requiring additional access protection for remotely available or sensitive View environments can enable RSA SecurID two-factor authentication as a highly effective additional layer of virtual desktop access protection.

In addition to Active Directory credentials, accessing a SecurID-protected resource requires a personal identification number and a constantly changing code from a hardware or software-based token. Combining something the user knows (the PIN) with something the user has (the token code) is the basis of two-factor authentication and is a standard in access security.

Implementation of SecurID in VSPEX View infrastructures requires deployment of RSA Authentication Manager as part of the supporting infrastructure. SecurID is tightly integrated into View 5.1; once Authentication Manager is online, activation of SecurID through the View Administrator Console and Authentication Manager Security Console takes minutes. The companion Implementation Guide provides basic end-to-end configuration steps and references to additional information.

As described in their individual infrastructure documentation, VSPEX VMware View end-user computing solutions provide defined infrastructures with proven, tested performance, scalability and functionality for up to 250 desktops (using EMC VNXe storage) or up to 2000 desktops (using EMC VNX storage). This overlay enhances the value proposition by strengthening access security, especially for remote connections.

Scope

The access and security enhancements presented in this guide are assembled as an overlay to the VMware View VSPEX solutions. This document briefly describes SecurID and Authentication Manager, illustrates their integration into the VSPEX solution, and presents a configuration framework.

The overlay is not intended as a stand-alone solution; infrastructure services built into the VSPEX solutions (notably Active Directory and DNS) are used to support the extended functionality described here. This guide is intended to be used in conjunction with the VSPEX Proven Infrastructure documents for VMware View. Familiarity with the relevant documents is a minimum prerequisite for using this guide.

Audience

This guide is targeted to EMC internal staff and channel partners. It is not intended for external distribution or the VSPEX end users.

Chapter 2 Before You Start

This chapter presents the following topics:
    Essential reading
    Support resources

Essential reading

Read the following materials before you start to use this guide.

- EMC VSPEX End-User Computing: VMware View 5.1 and VMware vSphere 5.1 for up to 250 Virtual Desktops, Enabled by EMC VNXe and EMC Next Generation Backup VSPEX Proven Infrastructure
- EMC VSPEX End-User Computing: VMware View 5.1 and VMware vSphere 5.1 for up to 2000 Virtual Desktops, Enabled by EMC VNX and EMC Next Generation Backup VSPEX Proven Infrastructure

Support resources

Support of SecurID and Authentication Manager is provided through RSA (http://www.rsa.com). Support for VMware View and VMware vSphere is provided through VMware (http://www.vmware.com).

Chapter 3 Solution Overview

This chapter presents the following topics:
    Overview
    High Availability
    Existing infrastructure
    Key components
    Solution architecture

Overview

This overlay adds access security enhancements to the VSPEX end-user computing solutions for VMware View 5.1 and VMware vSphere 5.1. Typically, SecurID is used to authenticate user connections from a remote network while local connections authenticate against Active Directory only. In an environment with multiple high-availability View servers, some servers may have SecurID enabled for remote access and others are designated for local access only.

In a standard View deployment without SecurID, connection to a desktop through the View client on a local network is authenticated against Active Directory only. In the SecurID-enabled configuration, the user is first challenged for a SecurID passcode; upon successful authentication through Authentication Manager, the normal challenge for AD credentials is then presented as shown in Figure 1. SecurID is enabled and disabled on a given View Connection Server via a simple selection list in the View Administrator Console.

Figure 1. SecurID authentication control flow for View access requests

High Availability

Authentication Manager is deployed as a redundant pair of nodes for high-availability operation. The RSA Authentication Agent built into VMware View controls connectivity to these nodes. Other built-in features provide node-to-node synchronization, internal database backup, etc.

Existing infrastructure

The View environment and supporting infrastructure services such as Active Directory and DNS should be configured according to the appropriate VSPEX end-user computing proven infrastructure document. Compute and storage resources for the components described below may be added for this purpose or drawn from the solution pool, as described later in this overlay document.

Key components

RSA SecurID with Authentication Manager

RSA SecurID provides enhanced access security through two-factor authentication, which requires the user to answer an authentication challenge with two pieces of information:

- A personal identification number (PIN): something the user knows, analogous to a password.
- A one-time token code or password from a hardware or software-based token: something the user has in possession. This token code changes every 60 seconds.

SecurID functionality is managed by RSA Authentication Manager, which for this overlay is installed on redundant Windows Server 2008 R2 virtual machines. Built-in Authentication Manager features provide backup and synchronization services.

Authentication Manager is used to create an Authentication Record corresponding to the Authentication Agent that is built into the View Connection Server. With creation of the record, the View Connection Server is registered as an authentication agent with Authentication Manager. A configuration file containing this information is then generated. When SecurID is enabled on the View Connection Server, this file is uploaded to complete the link between View and Authentication Manager.

Note: Authentication Manager (version 7.1) can be installed on Windows or Linux and is also available as a physical appliance. This overlay utilizes the virtualized Windows Server environment on which the VSPEX VMware View solutions are built.

EMC VSPEX

VSPEX validated and modular architectures are built with proven best-of-breed technologies to create complete virtualization solutions that enable you to make an informed decision about the hypervisor, compute and networking layers. VSPEX eliminates desktop virtualization planning and configuration burdens. VSPEX accelerates your IT Transformation by enabling faster deployments, greater choice, efficiency, and lower risk.

Backup and recovery

Backup and recovery are covered at the infrastructure level in the documentation for the VSPEX solution. RSA recommends the use of its native toolset for backup and restoration of the Authentication Manager internal database.

Solution architecture

High-level solution architecture

Figure 2 shows the generalized logical architecture of the VSPEX VMware View infrastructures with the Authentication Manager hosts added. The VNX with Fibre Channel variant is shown. NFS and VNXe variants are described in the VMware View VSPEX proven infrastructure documents.

Figure 2. Logical architecture: generalized VSPEX VMware View 5.1 proven infrastructure with RSA Authentication Manager overlaid in a redundant configuration

Architecture overview

The SecurID overlay architecture consists of the following components.

- EMC VSPEX End-User Computing: VMware View 5.1 and VMware vSphere 5.1 for up to 250 or 2000 Virtual Desktops
  The foundation infrastructure supports View and provides Active Directory, DNS, DHCP, and SQL Server services. Active Directory and DNS are also utilized by the overlay.
- RSA Authentication Manager (version 7.1 SP4)
  Authentication Manager controls all operational aspects of SecurID functionality.

Authentication agent functionality is built into VMware View, eliminating the necessity of manually installing agent software. Once Authentication Manager is online, enabling SecurID in the View environment consists of the following steps:

1. Create an authentication record in the Authentication Manager Security Console to register the View server as an authentication client.
2. Generate and download a configuration file from the Authentication Manager to provide the shared secret and other information to the View server(s).
3. Enable SecurID in the View Administrator console and upload the configuration file.

The RSA Authentication Manager 7.1 Administrator's Guide contains steps for importing and assigning SecurID tokens to users.

Redundant nodes provide high availability. Authentication Manager's installation wizard provides easy setup of primary and secondary nodes. After setup, changes are made to the primary, and are then ported to the secondary via a synchronization process. If one node becomes unavailable, the remaining node services traffic.

Note: For VMware installation, ensure that nodes are installed on different physical hosts to preclude a service interruption caused by hardware failure.

RSA SecurID Authentication Control Flow

With SecurID enabled, the user is authenticated twice after connecting to the View management server through the View client.

1. A dialog appears for SecurID ID and passcode as shown in Figure 3. For this overlay, the SecurID ID is forced to be the same as the Active Directory ID.

   Figure 3. VMware View Client SecurID authentication dialog

2. Upon successful SecurID authentication, the user is prompted for Active Directory credentials as Figure 4 shows. This dialog also appears if SecurID is not enabled.

   Figure 4. VMware View Client Active Directory authentication dialog

3. After successful Active Directory authentication, the user desktop is presented.
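The two-step control flow above, together with the PIN-plus-token-code passcode described under Key components, as an added example that is not part of the original guide and is not RSA or VMware code. RSA's token algorithm is proprietary, so RFC 6238 TOTP with a 60-second step stands in for it; the class names, the six-digit code length, the one-interval drift window, the replay check and the sample credentials are all assumptions.

```python
# Added illustration, not RSA's SecurID algorithm (which is proprietary):
# RFC 6238 TOTP with a 60-second step stands in for the token code.
import hashlib
import hmac
import struct

STEP = 60    # the guide: the token code changes every 60 seconds
DIGITS = 6   # assumption: six-digit token codes


def token_code(seed: bytes, now: float) -> str:
    """Token code for the 60-second interval that contains `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthManagerModel:
    """Hypothetical stand-in for Authentication Manager (PINs and token seeds)."""

    def __init__(self, tokens):
        self.tokens = tokens      # user ID -> (PIN, token seed)
        self.last_used = {}       # user ID -> last accepted interval

    def verify(self, user: str, passcode: str, now: float) -> bool:
        if user not in self.tokens:
            return False
        pin, seed = self.tokens[user]
        current = int(now) // STEP
        # Tolerate one interval of clock drift between token and server.
        for interval in (current - 1, current, current + 1):
            if interval < 0:
                continue
            expected = pin + token_code(seed, interval * STEP)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                if interval <= self.last_used.get(user, -1):
                    return False  # code already consumed: reject the replay
                self.last_used[user] = interval
                return True
        return False


class ConnectionServerModel:
    """Hypothetical stand-in for a View Connection Server."""

    def __init__(self, auth_manager, directory, securid_enabled=True):
        self.auth_manager = auth_manager
        self.directory = directory    # constructed AD stand-in: user -> password
        self.securid_enabled = securid_enabled

    def login(self, user, ad_password, passcode="", now=0.0) -> str:
        # Stage 1: SecurID challenge. One ID serves both stages, because the
        # overlay forces the SecurID ID to equal the Active Directory ID.
        if self.securid_enabled:
            if not self.auth_manager.verify(user, passcode, now):
                return "denied-securid"   # the AD dialog is never presented
        # Stage 2: Active Directory challenge (the only stage if SecurID is off).
        stored = self.directory.get(user)
        if stored is None or not hmac.compare_digest(
                stored.encode(), ad_password.encode()):
            return "denied-ad"
        return "desktop"


# Constructed sample data: RFC 4226 test seed, made-up user, PIN and password.
SEED = b"12345678901234567890"


def build_demo(securid_enabled=True):
    manager = AuthManagerModel({"jdoe": ("4711", SEED)})
    return ConnectionServerModel(manager, {"jdoe": "ad-secret"}, securid_enabled)


if __name__ == "__main__":
    server = build_demo()
    good = "4711" + token_code(SEED, 130)
    print(server.login("jdoe", "ad-secret", good, now=130))   # first use
    print(server.login("jdoe", "ad-secret", good, now=140))   # replayed passcode
```

A passcode that passes stage 1 is consumed even if the Active Directory stage then fails, so a captured passcode cannot be retried within the same 60-second interval.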

Chapter 4 Solution Design Considerations and Best Practices

This chapter presents the following topics:
    Overview
    Network design considerations
    Overlay design considerations
    Storage layout and design considerations
    Virtualization design considerations
    Backup and recovery implementation

Overview

The overlay is designed to run as part of the relevant VSPEX configuration. Only the new overlay components are discussed; foundation components such as View and supporting infrastructure are addressed in the applicable VSPEX Proven Infrastructure documents.

Network design considerations

This overlay fits into the network layout described in the relevant VSPEX VMware View Proven Infrastructure documents. Refer to those documents for more details on individual component networking.

Overlay design considerations

Authentication Manager can be hosted on existing infrastructure servers, or new hardware can be added if necessary. To maintain high availability, ensure that VMware guests running nodes of redundant pairs are placed on separate physical servers.

Table 1 shows the minimum CPU, memory, and disk space values for VMware guests hosting Authentication Manager. This level of capacity is equivalent to four VSPEX Reference Virtual Machines.

Table 1. Baseline compute, memory, and storage requirements for Authentication Manager in the SecurID overlay

Component                    CPU (cores)   Memory (GB)   Disk (GB)   Reference
RSA Authentication Manager   2             8*            60          RSA Authentication Manager 7.1 Performance and Scalability Guide

* RSA recommends an 8 GB minimum for VMware-based deployments. A 4 GB or even 2 GB configuration is acceptable on stand-alone servers.

According to the RSA Authentication Manager 7.1 Performance and Scalability Guide, a small current-generation server with a single dual-core processor and 2 GB RAM can process 40 SecurID authentications per second. Thus, an entire user database for a 2,000 desktop VSPEX environment can be authenticated in under a minute (RSA tests performed on dedicated hardware with no antivirus, security, or other software installed).

Note: Deployment of Authentication Manager on VMware guests involves specific requirements and restrictions.

- Allocated memory should be set to 8 GB for 64-bit operating systems.
- Cloning, physical-to-virtual conversion, and virtual-to-physical conversion are supported.
- Snapshots, vMotion, High Availability, and several other VMware virtualization features are not supported. RSA recommends the use of Authentication Manager built-in features for these types of services.

See Authentication Manager 7.1 Service Pack 4 Release Notes (available on RSA SecurCare Online) for more information.

Storage layout and design considerations

Table 1 shows that the total disk storage requirement for the SecurID infrastructure is 60 GB or less. This capacity should be drawn from storage allocated for the relevant proven infrastructure document.

Virtualization design considerations

This overlay fits into the virtualization design described in the relevant VSPEX VMware View proven infrastructure document. Refer to that document for more details on individual component networking.

Backup and recovery implementation

Backup and recovery services for the overall solution are described in the relevant VSPEX View proven infrastructure document. RSA recommends using the built-in tools for backup and recovery of the Authentication Manager internal database.
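One way to check a deployed Authentication Manager pair against the overlay design constraints in this chapter (the Table 1 minimums, separate physical servers, no snapshots, no vMotion or High Availability), as an added example that is not part of the original guide. The inventory record layout, its field names and the sample node and host names are assumptions; in practice the records would come from an export of the vSphere inventory.

```python
# Added example: audit Authentication Manager guests against the limits this
# guide states. The inventory record layout is an assumption for illustration.
from collections import defaultdict

# Minimums from Table 1 (RSA recommends 8 GB for VMware-based deployments).
MINIMUMS = {"cpu_cores": 2, "memory_gb": 8, "disk_gb": 60}

# Hypothetical inventory fields for features the guide lists as unsupported.
UNSUPPORTED = {
    "snapshot_count": "snapshots present",
    "ha_restart_enabled": "vSphere High Availability restart enabled",
    "auto_vmotion_enabled": "automatic vMotion enabled",
}


def audit(nodes):
    """Return sorted findings; an empty list means the pair passes."""
    findings = []
    by_host = defaultdict(list)
    for node in nodes:
        name = node["name"]
        by_host[node["host"]].append(name)
        for field, minimum in MINIMUMS.items():
            if node[field] < minimum:
                findings.append(
                    f"{name}: {field}={node[field]} is below the minimum of {minimum}")
        for field, problem in UNSUPPORTED.items():
            if node.get(field):
                findings.append(f"{name}: {problem}")
    # Nodes of a redundant pair must not share a physical server.
    for host, names in by_host.items():
        if len(names) > 1:
            findings.append(
                f"{host}: nodes share a physical host ({', '.join(sorted(names))})")
    # The overlay deploys one primary and one secondary node.
    if sorted(node["role"] for node in nodes) != ["primary", "secondary"]:
        findings.append("pair: expected one primary and one secondary node")
    return sorted(findings)


# Constructed sample inventory (node and host names are made up).
SAMPLE = [
    {"name": "am-primary", "role": "primary", "host": "esx01",
     "cpu_cores": 2, "memory_gb": 8, "disk_gb": 60, "snapshot_count": 0},
    {"name": "am-secondary", "role": "secondary", "host": "esx01",
     "cpu_cores": 2, "memory_gb": 4, "disk_gb": 60, "snapshot_count": 1},
]
# The same pair after remediation.
REMEDIATED = [
    dict(SAMPLE[0]),
    dict(SAMPLE[1], host="esx02", memory_gb=8, snapshot_count=0),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```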

Chapter 5 Solution Validation Methodologies

This chapter presents the following topics:
    Baseline hardware validation methodology
    Application validation methodology

Baseline hardware validation methodology

Hardware validation is beyond the scope of this document. Refer to the VSPEX View proven infrastructure documents for more information.

Application validation methodology

The only function added by the overlay is SecurID authentication. See "Define the test scenarios" for test steps.

Key metrics

Beyond proper operation at the VSPEX proven infrastructure increments of 250, 500, 1000, or 2000 desktops, no metrics are generated during overlay testing. SecurID has no effect on View performance after authentication is complete.

Define the test scenarios

Authentication Manager

You can test the following features of the Authentication Manager.

Authentication success: The presentation of the View client dialog prompting for SecurID name and passcode and subsequent successful authentication is the practical success criterion. You can take the following steps to get more information.

a. On the Authentication Manager Security Console, click Reporting > Realtime Activity Monitors > Authentication Activity Monitor. Type the user name to be verified in the Search field if necessary.
b. Click Start Monitor.
c. Log in to a desktop through the View Client, going through the two-step authentication process.
d. On the monitor dialog, verify that the SecurID credentials are validated.
e. Close the monitor.

High Availability:

1. Using VMware vSphere, edit the settings for the primary Authentication Manager node to disconnect the guest virtual NIC, or shut down the guest.
2. Verify successful SecurID authentication.
3. Reconnect the virtual NIC of the primary node.
4. Repeat the preceding steps with the virtual NIC of the secondary node.

Appendix A References

This appendix presents the following topic:
    References

References

EMC documentation

The following documents, located on the EMC online support website or Powerlink, provide additional and relevant information. Access to these documents depends on your login credentials. If you do not have access to a document, contact your EMC representative.

- Implementation Guide
- EMC VSPEX End-User Computing: VMware View 5.1 and VMware vSphere 5.1 for up to 250 Virtual Desktops, Enabled by EMC VNXe and EMC Next Generation Backup VSPEX Proven Infrastructure
- EMC VSPEX End-User Computing: VMware View 5.1 and VMware vSphere 5.1 for up to 2000 Virtual Desktops, Enabled by EMC VNX and EMC Next Generation Backup VSPEX Proven Infrastructure

Other documentation

For documentation related to RSA, refer to the following documents on the RSA website at http://www.rsa.com:

- RSA Authentication Manager 7.1 Installation and Configuration Guide
- RSA Authentication Manager 7.1 Administrator's Guide
- RSA Authentication Manager 7.1 Performance and Scalability Guide