How to setup 2 factor authentication in Horizon View using Google Authenticator – Part 1

Getting 2FA set up in View can be a hard requirement, with many organisations opting to use the tried and tested RSA SecurID suite. However, with budgets tightening more and more, many of the paid-for solutions can end up chewing up a large chunk of your financials.

But it doesn’t have to… the folks over at Google have created their own authenticator, called Google Authenticator. Combined with PAM and FreeRADIUS, that gives us a good alternative (IMHO).

I’ve broken the below into sections: Prepping the OS, Configuring Radius, Joining the Domain, OS security bits, and Generating the key. All sections need to be completed.

NOTE: Before you copy and paste this into any production environment I strongly recommend you do your research into PAM, firewalls, and FreeRADIUS.

To begin we’ll need:

  • Clean install of CentOS 7.X with a fully resolvable name.
  • DNS configured (correctly)
  • The Google Authenticator app installed on your phone.

Prepping the OS

  1. Update the OS
    1. yum -y update
    2. yum -y install epel-release
    3. yum -y install freeradius freeradius-utils google-authenticator bind-utils realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp libvirt-client open-vm-tools rsync
  2. Enable NTP:
    1. Edit ntp.conf and add your own NTP servers (you can replace *.centos.pool.ntp.org as required, or not).
    2. systemctl enable ntpd
    3. systemctl start ntpd

Configuring Radius

  1. Edit Radius. The below is a bit of a workaround; I would recommend using a dedicated radius account.
    1. vi /etc/raddb/radiusd.conf
    2. Comment out "user = radiusd" and "group = radiusd"
    3. Under the above add in "user = root" and "group = root"
  2. Set Pam as an authentication model
    1. vi /etc/raddb/sites-enabled/default
    2. Remove the # in front of pam
  3. Link the pam module to the enabled folder
    1. ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
    2. chown -h root:radiusd /etc/raddb/mods-enabled/pam
  4. Add as many clients as needed. These will be the different clients (servers) that need access to the 2FA. The following needs to be added above the localhost client section. In this example I’m adding the lab connection server.
    1. vi /etc/raddb/clients.conf
    2. client <connection01> {
           ipaddr = X.X.X.X
           secret = Secret
           require_message_authenticator = no
       }
  5. Change the default auth type in freeradius to PAM
    1. vi /etc/raddb/users
    2. Add "DEFAULT Auth-Type := PAM" right below these two lines:
      1. DEFAULT Group == "disabled", Auth-Type := Reject
      2. Reply-Message = "Your account has been disabled."

Joining the Domain.

  1. Join the domain (watch out for funky characters).
    1. echo '<password>' | realm join --user=<user>@<domain> <domain>
      1. Example: echo 'password123' | realm join --user=cmaritz@port115.com port115.com
  2. Test the domain join
    1. realm list. This will give you an output with the details of the domain relationship.

OS Security Bits.

  1. Set the firewall settings
    1. firewall-cmd --list-services --zone=public
    2. firewall-cmd --permanent --zone=public --add-service=radius
    3. firewall-cmd --reload
    4. firewall-cmd --list-services --zone=public
  2. Edit PAM to check the google authenticator and AD
    1. vi /etc/pam.d/radiusd
    2. Comment out all the lines and add:
      1. auth required pam_google_authenticator.so forward_pass
      2. account required pam_permit.so
      3. account required pam_sss.so audit

Generating the key.

  1. Switch to the AD user that needs a key
    1. su - <user>@<domain.com>
  2. Type in google-authenticator and hit enter.
  3. When prompted "Do you want authentication tokens to be time-based (y/n)", type y and hit enter.
  4. When the QR code pops up, open the Google Authenticator app on your phone and scan it. This will create a new authenticator entry in the app with a 6 digit number on your phone that changes every 30 seconds.
  5. Back to the bash window. When asked to update your .google_authenticator file type y and hit enter.
  6. Type y to disallow multiple users of the same token and hit enter.
  7. Depending on your security requirement, you may or may not want to allow for time skew. If you do, the authenticator PAM module will accept the token before and after the current one. If you choose n, make sure your NTP settings are working well.
  8. When asked if you want to enable rate limiting, type y and hit enter (This is good practice, you don’t want to have somebody trying to brute force your key.)
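To show what the PAM module is actually checking behind steps 3 and 6 to 8 above (time-based codes, reuse, the skew window and rate limiting) and what forward_pass does with the typed password, here is an added Python model; it is not code from this post or from the google-authenticator project. The secret is the RFC 6238 test key, and the class and parameter names are my own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way google-authenticator stores it on line 1 of
# ~/.google_authenticator. It is not any real user's secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # the 30-second rotation you see in the phone app
DIGITS = 6          # 6-digit codes


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_seconds, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (time-based tokens, step 3)."""
    return hotp(secret_b32, at_seconds // step)


def split_forward_pass(typed):
    """With forward_pass the user types <password><6-digit code> as one string; the module
    peels the code off the end and hands the remainder on as the password. None if malformed."""
    if len(typed) <= DIGITS or not typed[-DIGITS:].isdigit():
        return None
    return typed[:-DIGITS], typed[-DIGITS:]


def verify_totp(secret_b32, code, at_seconds, window_size=3, step=STEP_SECONDS):
    """Return the matching time-step counter, or None. window_size=3 accepts the previous,
    current and next code; allowing time skew (step 7) means a wider window."""
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    current = at_seconds // step
    half = (window_size - 1) // 2
    for counter in range(current - half, current + half + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


class RateLimiter:
    """RATE_LIMIT attempts seconds (step 8): at most `attempts` logins in any `seconds` window."""

    def __init__(self, attempts=3, seconds=30):
        self.attempts, self.seconds = attempts, seconds
        self.history = []

    def allow(self, at_seconds):
        self.history = [t for t in self.history if at_seconds - t < self.seconds]
        if len(self.history) >= self.attempts:
            return False
        self.history.append(at_seconds)
        return True


class Authenticator:
    """Order of checks mirrors the PAM module: rate limit, then the code, then reuse (step 6)."""

    def __init__(self, secret_b32, window_size=3, attempts=3, seconds=30):
        self.secret = secret_b32
        self.window_size = window_size
        self.limiter = RateLimiter(attempts, seconds)
        self.used_counters = set()

    def login(self, code, at_seconds):
        if not self.limiter.allow(at_seconds):
            return "rate-limited"
        counter = verify_totp(self.secret, code, at_seconds, self.window_size)
        if counter is None:
            return "rejected"
        if counter in self.used_counters:
            return "reused"          # same token presented twice (DISALLOW_REUSE)
        self.used_counters.add(counter)
        return "ok"


if __name__ == "__main__":
    auth = Authenticator(RFC6238_SECRET_B32)
    for code, at in [("287082", 59), ("287082", 60), ("12345", 61), ("287082", 62)]:
        print(at, code, auth.login(code, at))
```

Running it walks one user through a valid login, a replayed token, a malformed code and then the rate limit kicking in, all against the RFC 6238 test vectors.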

Part 2 will look at pointing your UAG (or Connection Broker) at the RADIUS server and a couple of troubleshooting tips.

How to setup Dynamic Environment Manager – Installing the Desktop Agent in NoAD Mode.

[Edit – 31/10/19 – Updated for Dynamic Environment Manager]

The desktop agent is the workhorse of the UEM/DEM world: at login time it goes out and reads the files in the config directory (which we created here).

Installing the desktop agent can be done in two ways:

  1. The command line.
  2. The GUI.

The GUI installer is fine if you are doing the install to a single desktop image, but if you are doing automated monthly builds of the desktop (which you’d most likely want to do silently), need to install the agent across several parent images, or are looking at installing in NoAD mode, it’s just easier via the command line. In this post we’ll install in NoAD mode.

Silent Install.

  1. Copy the management agent installer across to the desktop.
  2. Click start.
  3. Type cmd, right click the command app and select “run as Administrator”
  4. Change to the directory you copied the DEM agent to.
  5. Run the Installer.
    msiexec /i "VMware Dynamic Environment Manager 9.9 x64.msi" /qn /l* c:\repo\installdem.log NOADCONFIGFILEPATH=\\<full_UNC_To_DEMconfig_Share>\general
  6. So let’s take a quick look at the switches:
    1. /i – install the msi.
    2. /qn – Quiet, no reboot.
    3. /l* – Logfile location.

Additional prep for NoAD Mode.

NoAD mode is really powerful and you don’t need to mess about with GPOs, but as with all things it’s not that simple. Since we are not using GPOs to tell DEM where the user profile lives, we need to create a config file with the required details. During the install above we told DEM where to find said file.

  1. Browse to your DEM Config folder, created in this post.
  2. Go to general -> flexrepository
  3. Create a folder called NoAD
  4. In the NoAD folder create a file called NoAD.xml.
  5. Copy in the example from the VMware DEM documentation found here, change as needed, and save.

The example below is directly from the site. You’ll need to modify it as appropriate. Also, please don’t copy blindly from some random person’s blog. Go to the DEM documentation site, find out what the various settings do and modify them as suits you.

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
    <setting type="noAD"
             ProfileArchivePath="\\Filesrv\DemUsers$\%username%\Archives"
             LogFileName="\\Filesrv\DemUsers$\%username%\Logs\FlexEngine.log"
             LogLevel="1"
             ConfigPathMissingAction="0"
             ArchivePathMissingAction="1"
             AppBlockingEventLog="1"
             EventLog="1"
             EventLogAsync="1"
             EventLogDirectFlexRefresh="1"
             EventLogUEMRefresh="1"
    />
</userEnvironmentSettings>

How to setup Dynamic Environment Manager – Installing the Management Console.

[Edit – 31/10/19 – Updated for Dynamic Environment Manager]

In this post we’ll be installing the management console and starting it for the first time. This is what I really like about this solution: no server backend. The management console is a fairly small executable and once installed gets pointed at the share we put together in the previous post, where it goes off and creates the folder structure if it isn’t already there.

It’s a smart way of controlling desktops and in my opinion is much more powerful and flexible than using GPOs.

Installing the Management Console.

  1. Extract the downloaded DEM ZIP.
  2. Run the executable VMware Dynamic Environment Manager.
  3. Click Next.
  4. Tick “I accept the terms in the License Agreement“.
  5. Click Next.
  6. Select Typical and click Next.
  7. Unselect VMware DEM FlexEngine and Select VMware DEM Management Console.
  8. Click Install.
  9. Click Finish.

Starting the Management Console for the first time.

  1. Select Start -> VMware DEM -> Management Console.
  2. During the first run you’ll be asked for the location of the configuration share.
  3. Select Application Migration and Click OK.

We’re almost ready to go. Next we need to install the agent onto a desktop. This can be a physical or virtual machine.

How to setup Dynamic Environment Manager – Setting up the config share

The first step on the road to DEM domination is to get the share set up. This will hold the configuration files that the agent will read to apply to the desktop. Once the share is set up you install the DEM manager and point it at the share, at which point it will create the initial directory structure if it isn’t already there.

There are two types of permissions we need to address: share permissions and security permissions. Thankfully in this case we’ll set the same for both. The DEM admins will need full control and DEM users will need read only. I’d consider it best practice to create separate AD groups called DEM Admins and DEM Users.

Creating and configuring the DEM Share.

  1. Connect to your file server. When testing this out in my lab I just created a share on my DC, but in a prod environment you’ll want to get this setup on a dedicated file server.
  2. Create a folder. In my case I called it DEMConfig.
  3. Right click on the folder and select properties. Select the tab labeled Sharing and click Advanced Sharing.
  4. In the Advanced Sharing window check “Share this folder”. If you add a $ sign to the end of your folder name it becomes hidden from casual browsing. Click Permissions.
  5. Select Everybody and click Remove. Click Add and add your DEM user and Admin groups. The DEM Users should only have read and the DEM Admins should have full control. Click OK. Click OK.
  6. Back in the Properties window select the Security tab and click Edit. Add the DEM user and admin groups. The DEM Users should only have read and the DEM Admins should have full control. Click OK. Click OK.

Now we’ve created the share it’s on to installing the management console and putting together the first XML file for noAD mode.


How to setup Dynamic Environment Manager – Intro

[Edit – 31/10/19 – Updated for Dynamic Environment Manager]

In the next few posts we’ll look at setting up Dynamic Environment Manager. User Environment Manager, or Dynamic Environment Manager as it’s now called, is a very powerful tool for EUC. It gives admins a very flexible way to configure desktops without needing to rework the base image. VMware are pushing it as a replacement for Persona Manager, which makes sense as then they do not need to support two products. Persona Manager can be configured to use physical as well as virtual desktops.

DEM can have its initial config delivered through GPO or, in the case of noAD mode, an XML file. In fact all configuration is picked up via XML files. The management dashboard is a local install of a few hundred MB which you point at the file share, and it really only makes sure the formatting is correct. All the hard work is done by the agent. There is an argument to be had about whether or not to have some of the desired config baked into your parent images. I prefer to have as much of the config delivered via DEM as possible, to prevent any more recomposes than necessary.

I particularly like the fact that this product does not need a server backend and can run without the need for Active Directory GPOs. In fact, to get up and running there are only 4 things to set up.

  1. File share and correct permissions
  2. The management interface
  3. The various customisations you’d like
  4. And (obviously) the agent on the parent image (or physical machines)

The next post will look at getting the file share setup.


Horizon View – How to create a Manual Desktop Pool

This is the most simple of pools that you can create. It requires a desktop VM that has the Horizon View agent installed. It doesn’t really matter if it’s Windows or Linux, as long as the desktops are built and ready to go.

Before anybody asks, there are a few legitimate reasons that you’d want to have a manual pool. The most obvious being that the company security policy is that all desktops need to be deployed from a central location such as a Red Hat Satellite server.

  1. Connect to your View Connection Server https://<connection_server>/admin with an account that has administrator permission.
  2. Expand Category and select Desktop Pools.
  3. Click Add.
  4. Select Manual Desktop Pool and click Next.
  5. Select Dedicated. It’s up to you whether you select Enable Automatic Assignment. All it does is automatically assign a user to a free desktop, which will be a permanent assignment. Click Next.
  6. Select vCenter virtual machines. Click Next.
  7. Select your vCenter and click Next.
  8. Fill in a name for the ID and a Display name. While you can change the display name, the ID won’t change.
  9. This page has quite a lot of options you can configure; I’ll break them down in a later post, but for now select HTML Access, as this will allow us to connect to the desktop using a browser, and click Next.
  10. Select the VM’s you’d like to add to the pool, click Add and click Next.
  11. Click Next.
  12. Select Entitle Users After this wizard Finishes to add users. This will allow you to add users after the wizard finishes. Not necessary but a bit of a time saver. Click Finish.
  13. Once you’ve finished the New Pool wizard, the entitlements wizard opens if you selected it in the previous step. Click Add.
  14. In the Name/User name box type the name of the group or user you’d like to add and click find. Once it appears, select it and click OK. In production environments you’d usually add an AD group rather than an individual user. This allows for greater flexibility and monitoring.
  15. To entitle other groups or users click Add, or if you are finished click Close.

Testing our new pool.

  1. Log out of your Connection Server and connect back to the server, but this time without the /admin: just https://<connection_server>. Log back in as a regular user that is entitled to the desktop pool.
  2. Click VMware Horizon HTML Access.
  3. Enter your username and password, and click Login.
  4. Select the pool you created earlier. In my case I called it Manual_01.
  5. If everything went according to plan you’ll now have access to your VM.

Troubleshooting:

  • If you experience issues connecting via the web interface go back and have a look at step 9, did you tick the box to enable HTML access?
  • Can you connect using the full client?
  • Check the firewall on the Desktop OS. The agent on the desktop needs to speak to the connection server on port 4001.
  • Is the View agent installed?

We’ve created a very basic pool. The next few posts will look at what’s needed to create an automated desktop pool using both Windows and Linux. We’ll also look at optimizing the Windows desktop, including various design and storage considerations, as well as discussing the various options available in the Desktop Pool wizard.

Horizon View – How to install the Linux Desktop agent.

In the previous post we looked at joining the Linux desktop to an Active Directory domain. While it’s not necessary for Linux desktops to be domain members, I feel it should be done if a domain is available.

As before we’ll be focusing on two business-ready distros: CentOS 7.X (RHEL) and Ubuntu 18.04 (LTS). We’ll get the correct dependencies set up, and the agents installed.

To begin I have deployed CentOS 7 with a GUI (Gnome) and Ubuntu 18.04 LTS VMs. Both VMs are fully patched and running the latest available official kernels as of 16/11/18. A local user called viewuser01 was created at install time. The VMs are called centosdt-01 and ubuntudt-01 respectively. Static IPs have been assigned. Ubuntu is running the GNOME desktop and CentOS is running KDE.

In addition I would recommend you go and take a look at this page: System Requirements For Horizon 7 for Linux.

[EDIT 26/01/19]: Depending how your VM is installed you might get an error when trying to install the agent stating that the hostname is not resolvable. This is common if you are setting up a template to be referenced by an automated desktop pool and the hostname of the desktop isn’t in DNS. The fix is to add the hostname to the /etc/hosts file next to the 127.0.0.1 entry.

Ubuntu:

Only certain desktop environments are supported in Ubuntu, and Unity is not one of them. VMware have written a KB detailing how to change the desktop in Ubuntu: KB2151294. Since I’m using 18.04 LTS it’s not an issue, as the default desktop is Gnome.

  1. Open a terminal and run the following to update and install dependencies. Note that you’ll be asked to choose a display manager; choose lightdm:
     sudo apt-get update
     sudo apt-get -y upgrade
     sudo apt-get -y install open-vm-tools python python-dbus python-gobject lightdm
  2. Reboot (might not be strictly necessary, but if there is a kernel update it’s a good idea).
  3. Download or copy across the VMware Linux agent. (Currently VMware-horizonagent-linux-x86_64-7.6.0-9857537.tar.gz)
  4. Open a terminal and locate the downloaded agent. Usually in /home/<user>/Downloads/
  5. Unpack the file.
     tar zxvf VMware-horizonagent-linux-x86_64-7.6.0-9857537.tar.gz
  6. Change into the unpacked directory.
     cd VMware-horizonagent-linux-x86_64-7.6.0-9857537
  7. Run the installer, type y to accept the EULA.
     sudo sh ./install_viewagent.sh
  8. Reboot your VM.
     sudo reboot

Ubuntu is configured and ready to go.

CentOS:

It’s usually easier to get dependencies resolved in CentOS, and CentOS is “aware” it’s running as a VM and will usually have open-vm-tools installed.

  1. Open a terminal, switch to root and run the following to update and install dependencies, and fix the networking.
     yum -y update
     yum -y install glibc
     virsh net-destroy default
     virsh net-undefine default
     service libvirtd restart
  2. Reboot (might not be strictly necessary, but if there is a kernel update it’s a good idea).
  3. Download or copy across the VMware Linux agent. (Currently VMware-horizonagent-linux-x86_64-7.6.0-9857537.tar.gz)
  4. Open a terminal and locate the downloaded agent. Usually in /home/<user>/Downloads/.
  5. Unpack the file.
     tar zxvf VMware-horizonagent-linux-x86_64-7.6.0-9857537.tar.gz 
  6. Change into the unpacked directory.
     cd VMware-horizonagent-linux-x86_64-7.6.0-9857537
  7. Run the installer, type y to accept the EULA.
     sh ./install_viewagent.sh
  8. Add a firewall rule so that the agent can talk to the Connection Server.
     firewall-cmd --add-port=4001/tcp --permanent
  9. Reboot your VM.
     reboot

CentOS is configured and ready to go.

VCP-DTM 2018 Exam and My Studies 2V0-51.18

One of the reasons I’ve been a bit lax posting new content is that I’ve been busy spending my free time (what little of it there is) studying for the VCP-DTM exam, the 2V0-51.18 to be exact. VCP-DTM is the certification. I’ve been involved in a View deployment at work and since I’ve been working with the tech a fair bit over the last few months I thought “why not?”.

There are three exams currently offered for Horizon View:

  • 2V0-51.18 – VCP-DTM 2018
  • 2V0-751 – VCP7-DTM
  • 2V0-651 – VCP6-DTM

The 2V0-51.18 is the latest and fits into VMware’s new certification naming. There is a bit of a write-up about it here.

The main notable difference between the 751 and 51.18 exams is that the requirement for Mirage is missing from the latter and the exam preparation guide clearly states that it is focused on Horizon View 7.5 and related products. So get the preparation guide and use that as your base to get going.

Studying – The Lab:

So first and foremost was my trusty lab. I am fortunate enough to have a fairly beefy workstation with 64GB RAM, running ESXi. This allowed me to run quite a few infrastructure VMs and 4 or 5 desktops. While a machine of this spec isn’t strictly necessary, you will need a lab of some kind.

When you start looking at what’s needed it can look like a lot of infra is required, but it doesn’t all need to be running at the same time. You can get away with only one running desktop as you test the different deployment types. The Composer server is more than happy to run on the same VM as the SQL Express install, and once the VCSA is deployed you can shave off some of the RAM. vROPS, Identity Manager, App Volumes and User Manager don’t need to be up and running all the time or even together. If this is internal, turn off the UAG as soon as you’re done with it.

Much of this can be run in VMware workstation but you will need an ESXi server at some stage to deploy desktops onto.

Study – The Hands on Labs.

This resource from VMware is amazing. It’s also free. Some of the Horizon requirements I wasn’t familiar with at all, so this helped. I went in, did a search for Horizon 7.1 and did them in line with the official study guide. “HOL-1951-01-VWS – VMware Workspace ONE – Getting Started” isn’t strictly needed (but still worth doing), but I would strongly recommend the first two modules of “HOL-1951-03-VWS – VMware Workspace ONE – Advanced Topics” as it covers Identity Manager.

Studying – The Videos:

The most popular videos are the ones Greg Shields has created on Pluralsight called VMware Horizon 7 Desktop and Mobility (VCP7-DTM). These are well presented, you can follow along in your lab, and they have been collected into a learning path.

There are also a bunch on the official VMware YouTube channel which are worth watching.

While attending a class is a great experience, I do often prefer video study. I can work at my own pace and jump back and forwards as it suits me.

Studying – Reading Material:

To be honest I didn’t find any really up-to-date books on 7.5, which was a bit disappointing.

It was mostly going through the official material and blogs. The release notes and Architecture Planning docs I found good, and I bounced quite a lot from these into the other official documentation.

This blog post on the network ports is quite interesting too.

A very notable blog (much better than this one) is by Carl Stalhood over at www.carlstalhood.com. It’s really well formatted and kept current.

The Exam Experience:

The exam itself is 59 questions over 105 minutes. It’s not easy, I’ll give it that.

I arrived just in time and after the usual round of stuffing my stuff into lockers, form signing, photos, and checking of pockets, was rushed through into the exam room. 59 questions later (several of those flagged) and I got the popup stating that I’d passed. I don’t particularly enjoy sitting for tests but I really enjoy that moment.

Exam tips:

Arrive about 15 minutes early and bring photo ID. First and foremost, nobody is out to trick you, but you are being tested to a high standard. Always make sure you read the questions carefully and in full. The questions are usually clear and concise, and even if you don’t know the answer you can sometimes work out what the answer is not. It’s easy to get rattled during any kind of test; if you are not sure of your answer, mark it for review and come back to it once you’ve gotten to the end.

If you decide to go for this exam, good luck!

Horizon View Connection Server – Install and basic setup 2/2.

Got the install done and now on to the setup. We’re going to look at doing 4 bits of config and 1 check:

  1. Check the certificate is recognised.
  2. Licensing your install
  3. Connecting to a vSphere server.
  4. Configuring the events Database
  5. Adding a syslog server.

Before you begin any of the below, log in to your Connection Server at https://<full_server_name>/


Licensing your install

  1. On the right hand panel labelled Inventory:
    1. Expand View Configuration.
    2. Select Product Licensing and Usage.
    3. Click Edit License…
  2. Enter in your serial number and click OK.
  3. Your license info should now be shown.

Configuring the events DB

  1. On the right hand panel labelled Inventory:
    1. Expand View Configuration.
    2. Select Event Configuration.
    3. Click Edit…
  2. To see how to create the events database, here is a previous post where we looked at creating it using SQL Express. Fill in the details that you used to create the database.
  3. If the connection is successful you’ll see the following:


Connecting to the vCenter Server

  1. On the right hand panel labelled Inventory:
    1. Expand View Configuration.
    2. Select Servers.
    3. Click Add…
  2. Enter the details of the VCSA and a user that has the correct privileges. For most medium sized deployments the default Advanced Settings will be fine. Generally speaking you need to determine how much connection traffic your environment will receive and how the storage will cope.
  3. This warning will pop up if you are using the default certificates generated by the VCSA. Click View Certificate…
  4. Click Accept…
  5. Select Do not use View Composer (we’ll do this later) and click Next.
  6. Select Reclaim VM disk space and Enable View Storage Accelerator and click Next. Changing the Default host cache size can help with storage acceleration but will take the memory away from the host that it dedicates to VM’s and use it for storage caching.
  7. A final check of your selected options; if all looks good click Finish.
  8. If the connection is established successfully then you see the VCSA added to the vCenter Servers tab.

So now we’re configured and ready to go, except for the vRealize and Log Insight servers, which we’ll add as we build them out. The next post will look at installing the bits needed for connecting to a Windows desktop as well as putting together the first pool.

Horizon View Connection Server – Install and basic setup 1/2.

Apologies to the three people who read this blog regularly. The last month has been very busy.

So far we have configured a Root CA, imported a certificate into what will become our first connection server, and set up a SQL database. Now we are ready to install and do a basic setup of our first connection server.

Installing the Horizon View Connection server.

  1. Connect to the server you will be using as your connection server.
  2. Copy across the installer and double click to run.
  3. Click Yes to accept the UAC warning.
  4. Click Next.
  5. Select “I accept the terms in the license agreement” and click Next.
  6. Here you can change the installation location if you prefer. Click Next.
  7. On the Installation Options window:
    1. Select Horizon 7 Standard Server as the install.
    2. Select “Install HTML Access”. This is technically not necessary but I would recommend it.
    3. Select the IP protocol you use. IPv4 would be the most common, I expect.
    4. Click Next.
  8. Enter in a password for Data Recovery and a hint if you prefer. Click Next.
  9. Select whichever is appropriate for your environment, bearing in mind that most companies will have the server firewall controlled via GPO, so check with your Windows and security guys. In this case I want the firewall of this server to be configured automatically. Click Next.
  10. Select whether you’d like the local Administrators group to have admin rights to View. This can be changed later, but I generally prefer not to from the start. Click Next.
  11. Choose whether you want to join the VMware Customer Experience Program or not. If your company policy allows it I would recommend you do. Click Next.
  12. Click Install.
  13. Once the installer is done, click Finish.

Now we have the Horizon View Connection Server installed which can be verified by going to http://<your_full_server_address>/admin.

In part 2 we’ll get the basic config done: adding a vCenter server, connecting to the events DB and licensing your install.