Lab 9: Dynamic Environment Manager - Delivery use cases

Delivering a consistent yet secure user experiencing can be very challenging in a mobile use case. The remote might sometimes work from home and again in the office. The user might be working from their hotel or out of an Airport.

The Objective of this session is help anyone wanting to do this what configurations one would use to get started. We will use a scenario where a user connects from a remote device into their Horizon environment and would potentially be on an untrusted network, versus connecting to the same infrastructure on a trusted network

Expand or collapse content Part 1: Setting up Smart Policies with Dynamic Environment Manager for Trusted Networks
  1. Launch, the DEM Management Console
    • Use the shortcut from the Windows taskbar on your ControlCenter server
  1. In the Dynamic Environment Manager Console
    • Select the User Environment tab
  1. Create a new Horizon Smart Policy
    • Select Horizon Smart Policies from the left-hand menu
    • Right-click and select Create Horizon Smart Policies setting...
  1. Define the Settings for the Horizon Smart Policy
    • On the Settings tab enter the following:
      • General Settings
        • Name = Internal Networks
        • Label = USB, Clipboard and Client drive
        • Tag = Internal
    • Select the checkboxes next to the following items, and set the values shown below:
      • Audio Playback = Enable
      • Bandwidth Profile = LAN
      • Blast Extreme protocol
        • Blast codec = Enable
        • Max frame rate = 30
      • Drag and drop = Allow all
      • Printing = Enable
      • Redirection
        • Browser = Enable
        • Client drive = Allow all
        • Clipboard = Allow all
        • Storage drive = Enable
        • USB = Enable
      • Web and Chrome file transfer = Allow all
  1. Define the Conditions for the Horizon Smart Policy
    • Select the Conditions tab
    • Click Add
  1. From the Add Condition dropdown
    • Select Horizon Client Property
  • Note: By default
    • If you connect directly to a Horizon Connection Server, the Client Location is recognized as Internal.
    • If you connect via a Unified Access Gateway, the Client Location is seen as External
  1. Define the Horizon Client Property condition
    • Select Client location from the Property dropdown
    • Select Internal from the Is equal to dropdown
    • Click OK
  1. Add a condition for Endpoint IP Address
    • Click Add
    • Select Endpoint IP Address from the Add Condition dropdown
  1. Define the Endpoint IP Address condition
    • Enter 192.168.110.1 in the field to the right of IP address between:
    • Enter 192.168.110.254 in the field to the right of and
    • Click OK
  1. Add another condition for Endpoint IP Address
    • Click Add
    • Select Endpoint IP Address from the Add Condition dropdown
  1. Define the Endpoint IP Address condition
    • Enter 172.16.10.1 in the field to the right of IP address between:
    • Enter 172.16.10.254 in the field to the right of and
    • Click OK
  1. Change the logical operator for the second Endpoint IP address condition
    • Select and right-click the AND Endpoint IP address is in range 172.16.10.1 - 172.16.10.254
    • Select OR from the dropdown
    • Click Save
Expand or collapse content Part 2: Setting up Smart Policies with Dynamic Environment Manager for Untrusted Networks
  1. Create a new Horizon Smart Policy
    • Select Horizon Smart Policies from the left-hand menu
    • Right-click and select Create Horizon Smart Policies setting...
  1. Define the Settings for the Horizon Smart Policy
    • On the Settings tab enter the following:
      • General Settings
        • Name = External Networks
        • Label = USB, Clipboard and Client drive disabled
        • Tag = External
    • Select the checkboxes next to the following items, and set the values shown below:
      • Audio Playback = Enable
      • Bandwidth Profile = Broadband WAN
      • Blast Extreme protocol
        • Blast Codec = Enable
        • Max frame rate = 30
      • Drag and drop = Disable
      • Printing = Disable
      • Redirection
        • Client drive = Disable
        • Clipboard = Allow copy from client to agent
        • Storage drive = Disable
        • USB = Disable
      • Web and Chrome file transfer = Allow upload from client to agent
  1. Define the Conditions for the Horizon Smart Policy
    • Select the Conditions tab
    • Click Add
  1. From the Add Condition dropdown
    • Select Horizon Client Property
  1. Define the Horizon Client Property condition
    • Select Client location from the Property dropdown
    • Select External from the Is equal to dropdown
    • Click OK
  1. Add a condition for Endpoint IP Address
    • Click Add
    • Select Endpoint IP Address from the Add Condition dropdown
  1. Define the Endpoint IP Address condition
    • Enter 172.16.30.1 in the field to the right of IP address between:
    • Enter 172.16.30.254 in the field to the right of and
    • Click OK
  1. Save the Horizon Smart Policy
    • Click Save
Expand or collapse content Part 3: Testing your Smart Policies.
  1. On the ControlCenter server
    • Open File Explorer from the Windows taskbar
    • Browse to C:\DEMProfiles\Craig\Logs
  1. Create a new text file to capture debug logs for the user craig
    • Right-click in the space below the files that are already in the directory
    • Select New > Text Document
  1. Name the new text file
    • Name the file FlexDebug.txt

In this environment, the default logging level in Dynamic Environment Manager is set to INFO logs. We intend to use the Craig account for testing purposes and this is how we increase the logging level for individual users

  1. Launch the Horizon Client
    • Start the Horizon Client on your ControlCenter server desktop
    • Double-click on horizon-01a.techseals.co
  1. Login to Horizon
  1. Start a session with a W11-INST desktop
    • Double-click on W11-INST
  1. In the Horizon Client
    • Select the dropdown arrow next to USB Devices
    • Note, No suitable USB devices available, is the message you get.

For the next step to work. Make sure your Horizon Client session is not in Full Screen

  1. From your ControlCenter server desktop
    • Select the Software shortcut
    • Hold down the left-hand mouse button and drag it over into the Horizon Client session
    • Note that just below your cursor, you will get a + type Icon ,
    • Release your mouse button to copy the Software shortcut within the Horizon Session
  1. In the Horizon Client session
    • Select the File Explorer shortcut from the Windows taskbar
  1. Open the network drive in File Explorer
    • Select and expand This PC in the Quick Access bar
    • Select and open Network Drive (Z:)
  1. Open the Downloads folder on the network drive (Z:)
    • Open the Downloads folder
  1. View the files in the Downloads folder
  • Note that these are files and folder on your ControlCenter server where you launched the Horizon Client.
  1. On the ControlCenter server
    • Open File Explorer from the Windows taskbar
    • Browse to C:\DEMProfiles\Craig\Logs
  1. Open the Dynamic Environment Manger log for the user craig
    • Select and right-click the FlexEngine.log
    • Select Edit with Notepad++
  1. Find the last entry for craig in the Notepad++ session
    • Scroll down right to the very bottom of the logs file
    • Scroll up until you find an entry
      • Performing path-based import
      • User TECHSEALS\Craig

To help find entries, you can use the Find function (CTRL-F) in Notepad++.

You can also change the search direction by selecting the Backward direction in the Find dialog.

  1. View the conditions that were evaluated and matched
    • In this log entry the session has the following values
      • Broker_GatewayLocation = Internal
      • endpoint ip address = 192.168.110.10
    • The External Networks conditions are not matched and the Smart Policies for that are skipped.
    • The Internal Networks conditions are matched and the Smart Policies for that are applied.
  1. Note the Applied Horizon Smart Policies settings
    • Scroll down until you find Applied Horizon Smart Policies settings
  1. On the ControlCenter server switch back to your Horizon Client session
    • Select the 3 dots to the right of Fullscreen
    • Select Log Off Desktop
    • Click OK in the Disconnect and log off desktop? window
  1. On the ControlCenter server switch back to your W11Client-01a RDP session
    • If you closed the remote console and need to relaunch:
      • Open the Remote Desktops > Site 1 folder on the ControlCenter server desktop
      • Launch the appvolprov-01a.RDP shortcut
    • You should already be logged in as Techseals\craig

W11Client-01a desktop is on the 172.16.30.x network which we have configured as external.

We will also be connecting to Horizon via a Unified Access Gateway in this exercise

  1. On the W11Client-01a desktop launch the Horizon Client
  1. Login to Horizon
  1. Start a session with a W11-INST desktop
    • Double-click on W11-INST
  1. In the Horizon Client
    • Select the dropdown arrow next to USB Devices
    • Note, USB Unavailable, is the message you get.
  1. View updates to the Dynamic Environment Manager log for user craig
    • On the ControlCenter server switch back to the NotePad++ session and the FlexEngine.log file
    • Click Yes in the Reload window
  1. Find the last entry for craig in the Notepad++ session
    • Scroll down right to the very bottom of the logs file
    • Scroll up or use Find until you find the last entry
      • Performing path-based import
        • User TECHSEALS\Craig
  1. View the conditions that were evaluated and matched
    • In this log entry the session has the following values
      • Broker_GatewayLocation = External
      • Endpoint IP address = 172.16.30.40
    • The External Networks conditions are matched and the Smart Policies for that are applied.
    • The Internal Networks conditions are not matched and the Smart Policies for that are skipped.
  1. Note the Applied Horizon Smart Policies settings
    • Scroll down until you find Applied Horizon Smart Policies settings
  1. Switch back to the Horizon Client Desktop
    • Open File Explorer from the Windows taskbar
    • Select This PC from the left inventory
    • Notice that you have no Network drive Mappings

With your Horizon Client, make sure you are not in full screen mode

  1. In the W11Client-01a Desktop
    • Attempt to drag the Software shortcut from the W11Client-01a desktop into the Horizon desktop session.
    • Attempt to drag the README file from the Horizon desktop session to the W11Client-01a desktop
  1. On the W11Client-01a desktop switch back to your Horizon Client session
    • Select the 3 dots to the right of Fullscreen
    • Select Logoff Desktop
    • Click OK in the Disconnect and log off desktop? window
Expand or collapse content Part 4: Using Triggered Tasks to enforce Horizon Smart Policies
  1. Create a new Triggered Task
    • In the Dynamic Environment Manager console, select the User Environment tab
    • Select and right-click on Triggered Tasks
    • Select Create Triggered Task...
  1. Define the General Settings for the Triggered Task
    • On the Settings tab, in the General Settings area, enter the following:
      • Name = Refresh Smart Policies at Reconnection
  2. Define the Triggered Tasks Settings
    • On the Settings tab, in the Triggered Tasks Settings area, enter the following
      • Trigger = Session reconnected
      • Action = User Environment refresh
    • Select the checkboxes next to the following items:
      • Horizon Smart Policies
      • Application Blocking Settings
    • Select the checkbox next to Show message and enter the following:
      • Caption = Your Configurations have been updated
      • Message = This is Corp IT. We have re-evaluated and updated your Desktop settings
    • Select the checkbox next to Close automatically after and enter the value:
      • seconds = 10
    • Click Save
  1. Deactivate a triggered task in the Triggered Tasks area
    • Select and right-click Message at unlock
    • Select Deactivate
  1. Open the Horizon Admin console
    • On your ControlCenter server using the Chrome Browser
    • From the Favorites bar, open the Horizon-01a bookmark
    • Login to the Horizon Admin Console
      • Username = administrator
      • Password = Pa$$w0rd
  1. In the Horizon Admin console
    • Expand Inventory
    • Select Desktops
  1. Edit the desktop pool
    • Select the checkbox next to W11-INST
    • Click EDIT
  1. Change the Desktop Pool Settings
    • Select the Desktop Pool Settings tab
  1. In the Edit Pool - W11-INST
    • Change the Remote Settings
      • Logoff After Disconnect = After
      • minutes = 30
    • Click OK

We will now move forward in two phases

  • Phase 1 - You will log in to Horizon from a Internal network. You will disconnect the session, NOT log off.
  • Phase 2 - You will then log back in to the same Horizon session session from an External network.
  • Please ensure, once you start the following steps you complete the tests within 30 minutes
  1. Launch the Horizon Client
    • Start the Horizon Client on your ControlCenter server desktop
    • Double-click on horizon-01a.techseals.co
    • Login as
    • Click Login
  1. Start a session with a W11-INST desktop
    • Double-click on W11-INST
      • Notice you still have all your configurations for an Internal Network environment.
    • Test some of your configurations.
      • Check that you have USB redirection available
      • Drag the Software shortcut from the Controlcenter to your virtual desktop
  1. Disconnect from the Horizon session
    • On the Horizon Client session select the 3 dots to the right of Fullscreen
    • Select Disconnect
    • Click OK in the Disconnect and log off desktop? window

you have 30 minutes to complete the next part

  1. On your W11Client-01a.RDP session launch the Horizon Client
    • If you closed the remote console and need to relaunch:
      • Open the Remote Desktops > Site 1 folder on the ControlCenter server desktop
      • Launch the appvolprov-01a.RDP shortcut
    • Connect via the external Gateway by double-clicking on uag-hzn-01a.techseals.co
    • Login to Horizon
    • Click Login
    • Start a session with a W11-INST desktop by double-clicking on W11-INST
    • Notice the prompt that your Desktop settings have been re-evaluated
  1. Open File Explorer in your Horizon Virtual Desktop session
    • Launch File Explorer from the Windows taskbar
    • Select This PC from the Quick Access bar
    • Note There are no Network Drive Mappings
  1. Check functionality available from an external connection
    • Note that you still have the file dragged on to the desktop when you were on your Internal network.
    • However, we are unable to drag and drop in and out of this desktop session
  1. Logoff the virtual desktop
    • In the Horizon Client, on your W11Client-01a desktop
    • Select the 3 dots to the right of Fullscreen
    • Select Logoff Desktop
    • Click OK in the Disconnect and log off desktop? window
Expand or collapse content Part 5: Configuring Application Block and integrating with Horizon Smart Policies
  1. Enable Application Blocking functionality
    • In the Dynamic Environment Manager console, select the User Environment tab
    • Select Application Blocking from the left-hand menu
    • Select Global Configuration from the ribbon menu at the top
  1. Enable the Application Blocking - Global Configuration setting
    • Select the checkbox next to Activate Application Blocking
    • Click OK
    • Read the note in the Application Blocking window
    • Click OK
  1. Create an Application Blocking setting
    • Select and right-click Application Blocking
    • Select Create Application Blocking setting....
  1. Define the General Settings for the Application Blocking window
    • In the General Settings area, enter the following
      • Name = PuTTy
      • Label = Admins
      • Tag = Internal only
  1. Define the Application Blocking Settings
    • Type = Path-based
    • In the Block area:
      • Click Add (this is the Add button at the bottom of the screen)
      • Click Select file.... in the Select path to block window
      • Browse to C:\Program Files\PuTTY
        • Select putty.exe
        • Click Open
      • Click OK to close the Select path to block, window
  1. Define the Conditions for the Application Blocking setting
    • Select the Conditions tab
    • Click Add
    • Select Group Membership
  1. Select the Group to add to the Condition
    • Click Browse in the Group Membership window
    • Type Developers in the box under Enter the object name to select
    • Click Check Names
      • IT Support should underlined
    • Click OK to close the Select Group window
    • Click OK to close the Group Membership window
  1. Add a Horizon Client Property condition
    • Select and right-click the condition you have just added for IT support
      • User is a member of group 'TECHSEALS\Developers'
    • Select Add > Horizon Client Property from the Add Condition dropdown
  1. Define the Horizon Client Property condition
    • Select Client location from the Property dropdown
    • Select External from the Is equal to dropdown
    • Click OK
    • Click Save
Expand or collapse content Part 6: Testing Application Block with Dynamic Environment Manager
  1. Launch the Horizon Client
    • Start the Horizon Client on your ControlCenter server desktop
    • Double-click on horizon-01a.techseals.co
  1. Login to Horizon
    • Username [email protected]
      • Note: craig is a member of Developers
    • Password = Pa$$w0rd
    • Click Login
  1. Start a session with a W11-INST desktop
    • Double-click on W11-INST
    • Wait for the desktop session to load
  1. Open the software file share in your Horizon session
    • Select and right-click the Windows start button, then select Run
    • In the Run window enter \\horizon-01a.techseals.co\software
    • Click OK
  1. Start the installation of Putty
    • Open the Applications folder
    • Double-click putty-64bit-0.78-installer.msi
  1. Complete the installation of Putty
    • Complete the Putty setup wizard using default responses Next  Next Install
    • When prompted in User Account Control use the following credentials
      • User name = Administrator
      • Password = Pa$$w0rd
      • Click Yes
    • Click Finish to close the Putty installer
  1. Launch Putty
    • Enter Putty in the Search area next to the START button
    • Launch the PuTTy App
      • Notice that Putty opens successfully
    • Click Cancel to close the Putty window

Note it is important for the next steps to work that PuTTy is closed

  1. Disconnect the Horizon session
    • In the Horizon Client, select the 3 dots to the right of Fullscreen
    • Select Disconnect
    • Click OK in the Disconnect desktop? window
  1. On the ControlCenter server switch back to your W11Client-01a RDP session
    • If you closed the remote console and need to relaunch:
      • Open the Remote Desktops > Site 1 folder on the ControlCenter server desktop
      • Launch the appvolprov-01a.RDP shortcut
      • You should already be logged in as Techseals\craig
    • Double-click on uag-hzn-01a.techseals.co
  1. Login to Horizon and launch a desktop
    • Login into Horizon as:
    • Click Login
    • Double-click on W11-INST to start a desktop session
  1. Find the Putty App
    • Enter Putty in the Search area next to the START button
  1. Attempt to launch Putty
    • Select Open for the PuTTy App from the Search results
    • Notice your App has been blocked, using a combination of App Blocking and Horizon
    • Click Close to close the App Block message window

Note make sure you select the PuTTy application and not the Website

  1. Logoff the Horizon session
    • On the ControlCenter server switch back to your Horizon Client session
    • Select the 3 dots to the right of Fullscreen
    • Select Log Off Desktop
    • Click OK in the Disconnect and log off desktop? window

This is the end of the lab

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.