17. Ensuring a functional and consistent user experience with organisational policy for the remote worker

As a minimum requirement, you must complete Lab 2, Lab 6 and Lab 12 before starting this lab.

Delivering a consistent yet secure user experience can be very challenging in a mobile use case. The remote user might sometimes work from home and at other times in the office. The user might be working from a hotel or out of an airport.

The objective of this session is to show anyone wanting to do this which configurations to use to get started. We will use a scenario where a user connects from a remote device into their Horizon environment, potentially from an untrusted network, versus connecting to the same infrastructure from a trusted network.

PART 1: Setting up Smart Policies with Dynamic Environment Manager for Trusted Networks
  1. On your ControlCenter server
    • from your Task Bar
      • launch the DEM Management Console shortcut
  1. In the Dynamic Environment Manager Console
    • select the User Environment tab
  1. In the User Environment Inventory
    • select Horizon Smart Policies,
      • right-click and select Create Horizon Smart Policies setting...
  1. In the Horizon Smart Policies, Settings tab enter the following:-
    • under General Settings,
      • enter the following, next to:
        • Name: Internal Networks
        • Label: USB, Clipboard and Client drive
        • Tag: Internal
    • In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
      • Audio Playback : Enable
      • Bandwidth Profile : LAN
      • Blast Extreme protocol
        • Blast codec: Enable
        • Max frame rate :  30
    • Drag and drop : Allow all
    • Printing : Enable
    • under Redirection:
      • enable the following checkboxes with associated dropdown setting
        • next to:
          • Browser :  Enable
          • Client drive : Allow all
          • Clipboard : Allow all
          • Storage drive :  Enable
          • USB : Enable
    • Web and Chrome file transfer: Allow all
  1. In the Horizon Smart Policies window
    • select the Conditions tab
    • under Conditions,
      • next to Add
        • select the dropdown
  1. In the Add Condition dropdown
    • select Horizon Client Property
  • Note:  By default
    • If one connects directly to a Horizon Connection Server,  the Client Location is recognized as Internal.
    • If one connects via the Unified Access Gateway Server, the Client Location is seen as External
  1. In the Horizon Client Property,
    • add the following:
      • next to Property
        • from the dropdown
          • select Client location
      • next to Is equal to
        • from the dropdown
          • select Internal
      • to close the Horizon Client Property
        • select OK
  1. In the Horizon Smart Policies window, Conditions tab
    • select Add
      • from the dropdown
        • select Endpoint IP Address
  1. In the Endpoint IP Address window,
    • enter the following
      • under Settings
        • next to IP address between:
          • enter 192.168.110.1
        • next to and :
          • enter: 192.168.110.254
      • to close the window
        • select OK
  1. In the Horizon Smart Policies window,
    • Conditions tab
      • next to Add
        • select the dropdown
      • from the dropdown
        • select Endpoint IP Address
  1. In the Endpoint IP Address window,
    • enter the following
      • under Settings,
        • next to IP address between:
          • enter 172.16.10.1
        • next to and
          • enter 172.16.10.254
      • to close the window
        • select OK
  1. In the Horizon Smart Policies window
    • Select and right-click the
      • AND Endpoint IP address is in range 172.16.10.1 - 172.16.10.254
        • from the dropdown
          • select OR
    • Confirm your configuration with the Screenshot
      • select Save
PART 2: Setting up Smart Policies with  Dynamic Environment Manager for Untrusted Networks
  1. In the User Environment Inventory
    • select Horizon Smart Policies,
    • Right-click and select
      • Create Horizon Smart Policies setting...
  1. In the Horizon Smart Policies, Settings tab
    • under General Settings,
      • enter the following, next to:
        • Name: External Networks
        • Label: USB, Clipboard and Client drive disabled
        • Tag: External
    • In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
      • Audio Playback : Enable
      • Bandwidth Profile : Broadband WAN
      • Blast Extreme protocol
        • Blast Codec: Enable
        • Max frame rate :  30
    • Drag and drop : Disable
    • Printing: Disable
    • under Redirection
      • enable the following checkboxes and dropdown settings,
        • next to:
          • Client drive : Disable
          • Clipboard : Allow copy from client to agent
          • Storage drive: Disable
          • USB : Disable
    • Web and Chrome file transfer: Allow upload from client to agent
  1. In the Horizon Smart Policies window
    • select the Conditions tab
    • under Conditions,
      • next to Add
        • select the dropdown
  1. In the Add Condition dropdown
    • Select Horizon Client Property
  1. In the Horizon Client Property
    • add the following:
      • next to Property
        • from the dropdown
          • select Client location
      • next to Is equal to
        • from the dropdown
          • select External
        • to close the Horizon Client Property
          • select OK
  1. In the Horizon Smart Policies window
    • In the Conditions area
      • select and right-click the existing client property
        • from the dropdown
          • select Add
            • select Endpoint IP Address
  1. In the Endpoint IP Address window, enter the following
    • under Settings
      • next to IP address between:
        • enter 172.16.30.1
      • next to and
        • enter 172.16.30.254
    • to close the window
      • select OK
  1. In the Horizon Smart Policies window
    • Confirm your configuration with the Screenshot
      • select Save
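
As an added example (not part of the original lab, and a model rather than DEM's own evaluation logic), the Python below applies the conditions entered in Parts 1 and 2 to constructed endpoints. It shows which client location and IP combinations match neither policy, and which depend on how the AND/OR conditions of the Internal Networks policy are grouped. The two groupings, the AND in the External Networks policy and the sample endpoints are assumptions; confirm the real outcome in FlexEngine.log.

```python
from ipaddress import ip_address

# Values entered in Parts 1 and 2 of this lab.
RANGE_A = ("192.168.110.1", "192.168.110.254")
RANGE_B = ("172.16.10.1", "172.16.10.254")
RANGE_EXT = ("172.16.30.1", "172.16.30.254")


def in_range(ip, bounds):
    """Inclusive 'IP address between X and Y' test."""
    low, high = (ip_address(b) for b in bounds)
    return low <= ip_address(ip) <= high


def internal_grouped(location, ip):
    """Assumed reading 1: Internal AND (range A OR range B)."""
    return location == "Internal" and (in_range(ip, RANGE_A) or in_range(ip, RANGE_B))


def internal_flat(location, ip):
    """Assumed reading 2: (Internal AND range A) OR range B."""
    return (location == "Internal" and in_range(ip, RANGE_A)) or in_range(ip, RANGE_B)


def external(location, ip):
    """Part 2 policy; the AND between its two conditions is an assumption."""
    return location == "External" and in_range(ip, RANGE_EXT)


def matched(location, ip, internal_rule):
    """Names of the lab's policies whose conditions hold for this endpoint."""
    names = []
    if internal_rule(location, ip):
        names.append("Internal Networks")
    if external(location, ip):
        names.append("External Networks")
    return names


def audit(endpoints):
    """Per endpoint: the policy that applies, or why the result cannot be assumed."""
    report = {}
    for name, location, ip in endpoints:
        grouped = matched(location, ip, internal_grouped)
        flat = matched(location, ip, internal_flat)
        if grouped != flat:
            report[name] = "DEPENDS ON GROUPING: %s vs %s" % (grouped or "none", flat or "none")
        elif not grouped:
            report[name] = "NO POLICY MATCHES"
        else:
            report[name] = " + ".join(grouped)
    return report


# Constructed endpoints (names and addresses are illustrative, not from the lab).
SAMPLE_ENDPOINTS = [
    ("lan-direct", "Internal", "192.168.110.25"),
    ("lab-external", "External", "172.16.30.40"),
    ("hotel-wifi", "External", "203.0.113.77"),
    ("direct-unlisted-subnet", "Internal", "10.20.30.40"),
    ("uag-from-172.16.10.x", "External", "172.16.10.40"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENDPOINTS).items():
        print(f"{name:26} {verdict}")
```

Any endpoint whose verdict is not a single policy name is a combination to test by hand before relying on the External Networks policy to restrict untrusted clients.
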
PART 3 : Testing your Smart Policies.

Due to constraints in our training environment with external access, we will demonstrate only one of the features in Horizon Smart Policies

  • That being Drag and Drop functionality.

We have limitations in terms of what we can demonstrate with USB Redirection

We will use the Dynamic Environment Manager Logs, to see if the settings are effective.

At present all our Horizon Sessions are set to External communications.

For this test to be effective, the test user must authenticate directly against the Horizon Connection Server so that we can see a difference between Internal and External communications. To allow this, we will disable Workspace ONE Mode on the Connection Server on Site 1.

We will also increase the logging level to Debug logging to ensure we can effectively see what is happening

  1. On the ControlCenter server
    • from the Taskbar
      • open your File Explorer Icon,
        • go to  C: >  DEMProfiles > Craig > Logs folder
  1. In File Explorer window
    • under Logs
      • select and right-click
        • In the menu
          • select New > Text Document
  1. In the File Explorer window
    • name the file FlexDebug.txt

In this environment, the default logging level in Dynamic Environment Manager is set to INFO logs. We intend to use the Craig account for testing purposes and this is how we increase the logging level for individual users

  1. On your ControlCenter server desktop
    • launch the Horizon Client
      • select horizon-01a.techseals.co
  1. In the  Horizon Client login
    • in the username area
    • below password area
      • enter Pa$$w0rd
    • select Login
  1. In the Horizon Client
    • select Enterprise_Desktop
  1. In the  Horizon Client
    • next to USB Devices
      • select the dropdown arrow,
        • Note, No suitable USB devices available, is the message you get.

For the next step to work, make sure your Horizon Client session is not in full screen.

  1. From your ControlCenter server
    • using your mouse
      • select the Software shortcut
        • drag over into the Horizon Client session
          • Note just below your cursor,  you will get a + type Icon ,
            • release your mouse button to Drop the Software shortcut within the Horizon Session
  1. In the Horizon Client session
    • From the Taskbar,
      • select the File Explorer folder shortcut
  1. In the File Explorer Window
    • in the Quick Access bar
      • select This PC
        • to the right,
          • select and open Network Drive (Z:)
  1. In the File Explorer Window
    • in the Network Drive (Z:)
      • select Downloads
  1. In the File Explorer Window
    • in the Downloads folder
  • Note that these are files and folders on your ControlCenter server, where you launched the Horizon Client from
  1. On the ControlCenter server
    • from the Taskbar
      • open your File Explorer Icon,
        • go to  C: >  DEMProfiles > Craig > Logs folder
  1. In the File Explorer window
    • under C:\UEMProfiles\Craig\Logs
      • select and right-click the FlexEngine.log
        • select Edit with Notepad++
  1. In the Notepad++ session
    • Scroll down, right to the bottom of your logs,
      • Scroll up
        • until you find User  TECHSEALS\Craig, Performing path-based import
  1. In the Notepad++ file
    • note that the Horizon client property 'Broker_GatewayLocation = true for internal
    • note the Horizon client property 'Broker_GatewayLocation = false for External
    • scroll down until you find
      • " Applied Horizon Smart Policies settings "
  1. In the Notepad++ file
    • note the " Applied Horizon Smart Policies settings "
  1. On the ControlCenter server
    • switch back to your Horizon Client session
      • next to Fullscreen
        • select the (3 buttons),
      • select Log Off Desktop
        • on the Disconnect and log off desktop? window
          • select OK
  1. On the ControlCenter server
    • switch back to your W11Client-01a RDP session
    • you should already be logged in as Techseals\craig session

Note. W11Client-01a desktop is on a network which we have configured as external.

That being the 172.16.30.x network

  • We will also be connecting via the Unified Access Gateway in this exercise
  1. On the W11Client-01a desktop
    • launch the  Horizon Client
      • in the  Horizon Client window
        • launch corp.techseals.co
  1. In the  Horizon Client window
    • in the User name area
    • in the Password area
      • enter:  Pa$$w0rd
    • select Login
  1. In the  Horizon Client window
    • select Enterprise_Desktop
  1. In the  Horizon Desktop session
    • In the Horizon client Menu bar
      • select USB Devices
    • notice it says USB Unavailable
      • on the ControlCenter server
        • switch to the FlexEngine.log
  1. In the NotePad++ FlexEngine.log file
    • in the Reload window
      • select Yes
  1. In the Notepad++ session
    • Scroll down, right to the bottom of your logs,
      • Scroll up
        • until you find User  TECHSEALS\Craig, Performing path-based import
  1. In the Notepad++ file
    • Note that the Horizon client property 'Broker_GatewayLocation = true for External
    • Note the Horizon client property 'Broker_GatewayLocation = false for Internal
    • scroll down until you find
      • " Applied Horizon Smart Policies settings "
  1. In the Notepad++ file
    • note the " Applied Horizon Smart Policies settings "
  1. In the Horizon Client Desktop
    • On the title bar, select the File Explorer Icon
    • Ensure This PC is selected in the left inventory
      • Scroll down on the right side to the bottom of the window.
        • Notice that you have no Network drive Mappings

With your Horizon Client, make sure you are not in full screen mode

  1. In the W11Client-01a Desktop
    • attempt to drag the Software Shortcut from the W11Client-01a into the Horizon Desktop session.
    • attempt to drag the README file from the Horizon Desktop session to the W11Client-01a Desktop
  1. On the W11Client-01a desktop
    • switch back to your Horizon Client session
      • select the drop down,
        • to the right of FullScreen,
          • select Log Off Desktop
        • In the Disconnect and log off desktop? window
          • select OK
PART 4: Using Triggered Tasks to enforce Horizon Smart Policies
  1. In the Dynamic Environment Manager console
    • User Environment tab
      • select Triggered Tasks
        • select Create Triggered Task...
  1. In the Triggered Task window
    • configure the following:
      • In the General Settings area
        • add the following
        • next to Name:
          • enter Refresh Smart Policies at Reconnection
      • In the Triggered Tasks area,
        • Trigger: Session reconnected
        • next to Action:
          • from the drop down
            • select User Environment refresh
        • In the Refresh: area,
          • select the checkbox next to
            • Horizon Smart Policies
            • Application Blocking Settings
          • next to Show message
            • select the checkbox
          • enter the following:
            • next to Caption:
              • enter Your Configurations have been updated
            • In the Message Box:
              • enter This is Corp IT. We have re-evaluated and updated your Desktop settings
            • next to Close automatically after
              • select the checkbox
                • in front of seconds
                  • type 10
      • to close the window
        • select Save
  1. In the Triggered Tasks area
    • select and right-click
      • Message at unlock
        • select Deactivate
  1. On your ControlCenter Desktop
    • on your Site 1 Chrome Browser
      • in the Favourites bar
        • select the Horizon Site 1 shortcut
    • In the Horizon login
      • User name area :
        • enter Administrator
      • Password area:
        • enter Pa$$w0rd
    • select SIGN IN
  1. In the  Horizon Admin console
    • expand Inventory
      • select Desktops
  1. In the Desktop Pools area
    • next to W11-BLR-INST
      • select EDIT
  1. In the Edit Pool - W11-BLR-INST window
    • select the Desktop Pool Settings tab
  1. In the Edit Pool - W11-BLR-INST
    • under Remote Settings
      • below Logoff After Disconnect
        • from the dropdown
          • change from Immediately to After
      • under After change 120 minutes to 30 minutes
        • to close the window
          • select OK

We will now move forward in two phases

  • Phase 1
    • We will log in to Horizon from an Internal Network. We will disconnect; we will NOT log off.
  • Phase 2
    • We will then log back in to the same Horizon session from an External Network source.
  • Please ensure that, once you start the following steps, you complete the tests within 30 minutes
  1. On your ControlCenter server desktop
    • launch your Horizon client
      • In the Horizon Client
        • as the launch option
          • select horizon-01a.techseals.co
      • login as [email protected]
        • in the password area
          • enter Pa$$w0rd
        • select Login
  1. In the Horizon Client
    • select the Enterprise_Desktop entitlement
    • Notice you still have all your configurations for an Internal Network environment.
    • Test some of your configurations.
      • Check that you have USB redirection available
      • From the Controlcenter
        • Drag the Site 1 - Bangalore Chrome shortcut
          • to your Virtual Desktop
  1. In the Horizon Client,
    • next to Exit Fullscreen,
      • select the see more 3 buttons
        • select Disconnect
      • When prompted by the Disconnect desktop? window
        • select OK

You have 30 minutes to complete the next part.

  1. On your W11Client-01a.RDP session
    • launch your Horizon Client
      • connect via your external Gateway,
        • corp.techseals.co
          • in the Enter your user name area
          • in the Enter your password area
            • enter Pa$$w0rd
          • select Login
        • select your Enterprise_Desktop desktop Entitlement
          • notice the prompt that your Desktop settings have been re-evaluated
  1. On your Horizon Virtual Desktop session
    • notice the message USB Unavailable
  1. On your Horizon Virtual Desktop session
    • from the Taskbar
      • launch the folder icon
        • In the File Explorer window
          • Quick Access bar
            • select This PC
        • Note There is no Network Drive Mapping
  1. On the W11Client-01a Desktop
    • Note that you still have the file dragged on to the desktop when you were on your Internal network.
    • However, we are unable to drag and drop in and out of this desktop session
  1. On your W11Client-01a desktop
    • In the Horizon Client,
      • next to Exit Fullscreen,
        • select the see more 3 buttons
          • select Logoff Desktop
        • When prompted by the Disconnect and log off desktop? window
          • select OK
        • on the W11Client-01a desktop
        • log off and close all Horizon client windows
PART 5: Configuring Application Block and integrating with Horizon Smart Policies
  1. On your ControlCenter server desktop
    • In the DEM Admin Console
      • select  the User Environment tab
        • In the left Inventory pane
          • select  Application Blocking
            • In the title bar,
              • select Global Configuration
  1. In the Application Blocking - Global Configuration window
    • next to Activate Application Blocking
      • select the Checkbox
        • select OK
    • In the Application Blocking window,
      • read the note
        • select OK
  1. In the Dynamic Environment Manager Console
    • on the User Environment tab
      • Inventory pane
        • select and right-click Application Blocking
          • select Create Application Blocking setting....
  1. In the Application Blocking window
    • In the General Settings area,
      • add the following next to:
        • Name: PuTTy
        • Label: Admins
        • Tag: Internal only
  1. In the Application Blocking window
    • next to Type
      • from the drop down
        • validate the type is Path-based,
    • in the Block area:
      • select Add
      • In the Select path to block window
        • select Select file....
        • browse to C:\Program Files\PuTTY,
          • select putty.exe
        • select Open
      • to close the Select path to block, window
        • select OK
  1. In the Application Blocking window
    • select the Conditions tab.
      • under Conditions,
        • next to Add
          • select the dropdown
      • from the dropdown
        • select Group Membership
  1. In the Group Membership window
    • select Browse
    • In the Select Group window,
      • under Enter the object name to select
        • type IT
          • then select Check Names
            • IT Support should show
      • to close the Select Group window
        • select OK
      • to close the Group Membership window
        • select OK
  1. In the Application Blocking window
    • Conditions Tab
      • select and right-click the condition you have just added for IT support
        • select Add >
          • In the Add Condition dropdown
            • select Horizon Client Property
  1. In the Horizon Client Property window
    • under Settings,
      • next to Property address
        • from the dropdown
          • select Client location
      • ensure that next to Is equal to:"External" is selected (this should default)
      • select OK
      • select Save
PART 6: Testing Application Block with  Dynamic Environment Manager
  1. On the ControlCenter server desktop
    • launch the Horizon Client
      • select horizon-01a.techseals.co
  1. In the Horizon Client login window
    • in the Enter your User name area
    • in the Enter your password area
      • enter Pa$$w0rd
    • select Login
  1. In the  Horizon Client
    • select the Enterprise_Desktop entitlement
      • Wait for the Desktop session to load
  1. On your Horizon Client session
    • on your Taskbar
    • select and right-click the START button
      • select Run
    • In the Run window
      • next to Open:
        • enter
          • \\horizon-01a\software
      • select OK
  1. On your Horizon Client session
    • Software Folder
      • open the Applications folder
        • double-click putty-64bit-0.78-installer.msi
  1. On your Horizon Client session
    • In the PuTTY setup window
      • select Next > Next > Install
        • when prompted in User Account Control
          • in User name area
            • enter Administrator
          • In the Password area
            • enter Pa$$w0rd
        • select Yes
      • select Finish
  1. On your Horizon Client session
    • next to the START button
      • Search area
        • enter Putty
    • from the Start menu
      • launch Putty
        • notice you have your PuTTy window
    • to close the Putty window
      • select Cancel

Note: for this to work, it is important that PuTTy is closed.

  1. On your ControlCenter desktop
    • In the Horizon Client, next to Exit Fullscreen,
      • select the see more 3 buttons
        • from the dropdown
          • select Disconnect
        • when prompted by the Disconnect desktop? window
          • select OK
  1. On your ControlCenter Desktop
    • switch to your W11Client-01a.rdp session
      • In the W11Client-01a desktop
        • from the Horizon Client
          • select corp.techseals.co
  1. In the W11Client-01a desktop
    • in the Enter as user name area
    • in the Enter as password area
      • enter Pa$$w0rd
        • select Login
    • select your Enterprise_Desktop entitlement
  1. In the Horizon Desktop session
    • to the right of START
      • In the Search area
        • enter PuTTY

Note: make sure you select the PuTTy application and not the website.

  1. In the Horizon Desktop session
    • from the Search result
      • Open PuTTy
        • Notice your App has been blocked, using a combination of App Blocking and Horizon
    • to close the App Block message window
      • select Close
  1. In the Horizon Desktop session
    • next to Exit Fullscreen
      • select the ... dropdown,
        • select Log Off Desktop
      • in the Disconnect and log off desktop? window
        • select OK
