vmware horizon view
5 Topics

BIG-IP APM with Horizon 7.x HTML5 gets a Hotfix For Updated Code
Technical update on some new hotfixes that were rolled out to resolve issues with HTML5 connectivity between VMware Horizon 7.1/7.2 and BIG-IP Access Policy Manager.

What is VMware Horizon HTML Access?

VMware Horizon HTML Access lets employees access applications and desktops from HTML5-compliant web browsers, without additional plugins or native client installations. This method of access benefits customers who have very strict software installation requirements but still require access to their internal resources, as well as customers with BYOD-based implementations. VMware Horizon HTML Access is an alternative way of accessing company internal resources without the requirement of software installation.

What does the Hotfix Do?

The Hotfix allows the newer versions of the VMware Horizon HTML Access clients, which were upgraded with new URI information, to be accessible via APM. Without this hotfix, customers who upgrade to the Horizon 7.1/7.2 code may experience an issue where HTML5 will not connect to the VDI resource (blank or grey screen).

The easiest way to determine whether you are affected by the issue is to look at the URL. If you do not see the string f5vdifwd within the URL, then you are most likely affected by this issue.

Here is an example of a working configuration. Notice the f5vdifwd string in the URL:

https://test.test.local/f5vdifwd/vmview/68a5058e-2911-4316-849b-3d55f5b5cafb/portal/webclient/index.html#/desktop

The Hotfix Information Details

Note that the fixes are incorporated into Hotfixes. F5 recommends using the Hotfix builds rather than the iRules listed below. If the iRules are in place when upgrading to a build with the incorporated fix, make sure that the iRule is removed.
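To make the URL check and the redirect handling concrete, here is an added example: a Python model written for this page, not F5 code, not an iRule, and not a substitute for the hotfix. It mirrors the logic of the version 13.0 workaround listed further down in this article; the function names, the request URI and the backend host name `cs01.example.internal` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# APM per-session VDI prefix, same pattern the workaround iRules match on.
PREFIX_RE = re.compile(r"(/f5vdifwd/vmview/[0-9a-f\-]{36})/")

def is_proxied(url):
    """True when the URL path carries the APM prefix (stricter than a substring test)."""
    return PREFIX_RE.search(urlsplit(url).path) is not None

def rewrite_location(request_uri, status, location):
    """Model of the 13.0 workaround: Location value the browser should receive."""
    m = PREFIX_RE.search(request_uri)
    if status != 302 or location is None or m is None:
        return location                      # not a redirect inside a VDI session
    parts = urlsplit(location)
    if not parts.path.startswith("/portal/"):
        return location                      # only Horizon portal redirects are touched
    # Scheme and host are dropped, so the redirect stays on the APM virtual
    # server and the backend host name is not handed to the browser.
    new = m.group(1) + parts.path
    if parts.query:
        new += "?" + parts.query
    if parts.fragment:
        new += "#" + parts.fragment
    return new

if __name__ == "__main__":
    # Constructed sample values; only WORKING_URL is taken from the article.
    WORKING_URL = ("https://test.test.local/f5vdifwd/vmview/"
                   "68a5058e-2911-4316-849b-3d55f5b5cafb/portal/webclient/index.html#/desktop")
    req = "/f5vdifwd/vmview/68a5058e-2911-4316-849b-3d55f5b5cafb/portal/index.html"
    backend_302 = "https://cs01.example.internal/portal/webclient/index.html"
    fixed = rewrite_location(req, 302, backend_302)
    print("rewritten Location:", fixed)
    for url in (WORKING_URL, "https://test.test.local" + fixed,
                "https://test.test.local/portal/webclient/index.html"):
        print("ok      " if is_proxied(url) else "AFFECTED", url)
```

Running the same check over the URLs users report after an upgrade separates sessions that stayed behind the APM prefix from those that fell through to a bare /portal/ path.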
Version 12.1.2 HF1 Release Notes
Version 13.0 HF2 Release Notes

638780-3 Handle 302 redirects for VMware Horizon View HTML5 client

Component
Access Policy Manager

Symptoms
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions and supports a 302 redirect from the old URI for backward compatibility.

Conditions
APM webtop with a VMware View resource assigned. The HTML5 client installed on the backend is version 4.4 or later.

Impact
This fix allows VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround for versions 11.6.x and 12.x

    priority 2
    when HTTP_REQUEST {
        # The full match (prefix including the trailing slash) is stored in
        # vmview_html5_prefix; the capture group goes to dummy.
        regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
    }
    when HTTP_RESPONSE {
        if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
            if { [info exists vmview_html5_prefix] } {
                set location [HTTP::header "Location"]
                set location_path [URI::path $location]
                if { $location_path starts_with "/portal/" } {
                    # Keep everything from the path onward, then replace
                    # "/portal/" with the APM session prefix.
                    set path_index [string first $location_path $location]
                    set new_location [substr $location $path_index]
                    regsub "/portal/" $new_location $vmview_html5_prefix new_location
                    HTTP::header replace "Location" $new_location
                }
                unset vmview_html5_prefix
            }
        }
    }

Workaround for version 13.0

    priority 2
    when HTTP_REQUEST {
        # The capture group (prefix without the trailing slash) is stored in
        # vmview_html5_prefix; the full match goes to dummy.
        regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
    }
    when HTTP_RESPONSE {
        if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
            if { [info exists vmview_html5_prefix] } {
                set location [HTTP::header "Location"]
                set location_path [URI::path $location]
                if { $location_path starts_with "/portal/" } {
                    # Prepend the APM session prefix to the path portion
                    # of the original Location value.
                    set path_index [string first $location_path $location]
                    set new_location "$vmview_html5_prefix[substr $location $path_index]"
                    HTTP::header replace "Location" $new_location
                }
                unset vmview_html5_prefix
            }
        }
    }

526 Views, 0 likes, 1 Comment

View 1.5.5 iApp Access Policy with Microsoft Network Policy Server (NPS) and Azure MFA
Hello,

Has anyone set up the VMware Horizon View 1.5.5 iApp to do multi-factor authentication against Azure MFA? We are working through a POC, but have yet to find a full setup guide for this use case.

There is an on-prem Windows 2016 Server running the Network Policy and Access Services role. This provides the Network Policy Server (NPS) and RADIUS server. The BIG-IP becomes a RADIUS client of the NPS. Then, there is an NPS Extension for Azure MFA that Microsoft publishes. This is installed on the NPS server and provides the two-factor authentication against Azure MFA.

Hoping to find some guidance on this configuration, both the iApp configuration on BIG-IP and the NPS RADIUS client configuration on the NPS server.

Thanks

513 Views, 0 likes, 3 Comments

Delivering Security and Scalability Across the Digital Workspace with Workspace ONE and F5 APM
Hey Everyone! Just wanted to provide an exciting update on a new document in the series of Integration/Deployment guides for F5 with VMware products. This integration has been a long time coming and really shows F5's and VMware's joint vision of a digital workspace. I am happy to announce that the next document, APM Proxy with Workspace ONE, is now available to the public!

What is Workspace ONE?

VMware Workspace ONE, powered by VMware AirWatch technology, is an intelligence-driven digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. With Workspace ONE, organizations can remove silos of cloud, desktop and mobile investments, and unify management of all devices and apps from one platform.

Where does F5 Help?

When combined with Workspace ONE, the portfolio of BIG-IP’s leading ADC technologies optimizes the user experience by delivering speed, scale, and resiliency. Customers can reap several benefits from the integration, including:

Access to Apps without Disruption - This integration helps clients non-disruptively accelerate, simplify, and secure the delivery of business applications. End users are presented with a modern workspace that increases productivity with single sign-on access. IT organizations can utilize their Workspace ONE platform to extend the same user experience to legacy or custom applications. Using identity integrations, VMware provides the platform and user experience, while F5 provides the scale and application interoperability.

Reducing Risk Across the Entire Organization - IT now has access policies that reduce the risk of data loss across the entire organization. Policies include app access (including legacy apps), conditional access and device compliance. Workspace ONE and F5 can leverage modern authentication protocols like OAuth to offload and simplify identity and access management.
Providing Great User Experience Across All Devices - New features in the Workspace ONE and F5 integration, like OAuth and JSON Web Tokens (JWT), help deliver a transparent user experience while ensuring secure access across all devices, including mobile, desktop and web interface.

Consolidation of Gateways - Gateway sprawl can lead to complexity in an environment. With this integration, IT can simplify management of gateways by consolidating them into a single platform using the Workspace ONE and F5 integration.

What does this Integration Guide Detail?

This documentation focuses on deploying F5 BIG-IP APM with VMware Workspace ONE (Cloud or VIDM on-premises) to deliver VMware Horizon desktops and applications in a production environment. The guide provides the necessary steps to configure your Workspace ONE Cloud or VIDM on-premises deployment and BIG-IP to work with the JWT Token integration that was developed and tested by VMware and F5. Once configured, access to desktops and applications becomes seamless and secure through single sign-on with VMware Workspace ONE and BIG-IP APM.

Here is an example from the integration guide that shows the Workspace ONE network ranges "All Ranges" page with the newly added "Wrap Artifact in JWT" and "Audience in JWT" settings. This allows the F5 BIG-IP APM to consume the JWT Token to validate a user at the perimeter (DMZ) and, once the user is validated, to pass the SAML Artifact along to the Horizon Connection Server(s) for authentication.

In the All Ranges Network Setting:

- Enable the checkbox for "Wrap Artifact in JWT" on the Horizon Environment that was configured in previous steps.
- Click the + under "Audience in JWT" next to the checkbox and provide a unique name (our example is f5cpa).
- Click the Save button.

You can now download the updated step-by-step guide for APM Proxy with Workspace ONE.
Special Thanks to the VMware Workspace ONE development team for all of their assistance putting this together!

465 Views, 0 likes, 2 Comments

Remove HTML5 option from Horizon View users.
This is a longshot, but I was asked the question and I'm tasked with providing the answer. Our Horizon View environment does not currently support HTML5. To avoid confusion with the users, the managers would like us to remove the HTML5 option from the end users. It seems unlikely that I'll be able to remove the HTML5 button from the popup window. But an iRule added to the VPE may be able to direct users down the Horizon View Client path without being prompted. Is this something that can be implemented easily?

144 Views, 0 likes, 0 Comments

Lightboard Lessons: Secure & Optimize VDI
Virtualization continues to impact the enterprise and how IT delivers services to meet business needs. Desktop Virtualization (VDI) offers employees anywhere, anytime, flexible access to their desktops whether they are at home, on the road, in the office or on a mobile device. In this edition of Lightboard Lessons, I show how BIG-IP can secure, optimize and consolidate your VMware Horizon View environment, providing a secure front end access layer for VMware’s VDI infrastructure.

ps

Related: Simplify VMware View Deployments

621 Views, 0 likes, 3 Comments