SAAM1150BU Enabling Simple, Secure Access to …...Enabling Simple, Secure Access to Your Horizon...

Greg Armanini & Matt Coppinger

SAAM1150BU

#VMWORLD #ADV1591BU

Enabling Simple, Secure Access to Your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2



bution

Agenda

1 Why Workspace ONE?

2 Workspace ONE Overview

3 Horizon and Citrix in Workspace ONE

4 Workspace ONE Mode Demo

CONFIDENTIAL3



bution

Agenda





CONFIDENTIAL4



bution

Consumerization is driving

DIGITAL TRANSFORMATION

ModernWorkforce

AppsAnywhere

MobileWorkflows

EmergingDelivery Models

© 2016 VMware Inc. All rights reserved. Confidential – Not for Distribution 5



bution

Workspace Adapts With The Speed Of Life

6

WORK PUBLIC PERSONALVMworld 2017 Content: N

ot for publicatio

n or distribution

7

Consumerization Drives Vertical Integration

iOS / MAC

• iTunes

• Apple ID

• App Store

• iWork

• iCloud

ANDROID / CHROME

• Gmail Account

• Google Play

• G Suite

• Google Drive

WINDOWS

• Microsoft ID

• AD/Azure AD

• Office 365

• Windows Store

Update Service



bution

8

…And Creates Silos within IT

• iTunes

• Apple ID

• App Store

• iWork

• iCloud

• Gmail Account

• Google Play

• G Suite

• Google Drive

• Microsoft ID

• AD/Azure AD

• Office 365

• Windows Store

Update Service

• Salesforce 1

• Concur

• Workday

• Slack

• Dropbox

• Docusign

Mobile Team Desktop Team LOB

iOS / MAC ANDROID / CHROME WINDOWS SaaS APPS



bution

• iTunes

• Apple ID

• App Store

• iWork

• iCloud

• Gmail Account

• Google Play

• G Suite

• Google Drive

• Microsoft ID

• AD/Azure AD

• Office 365

• Windows Store

Update Service

• SCCM

• Salesforce 1

• Concur

• Workday

• Slack

• Dropbox

• Docusign

Mobile Team Desktop Team LOB


9

A Platform Approach Breaks Silos and Delivers a Digital Workspace

Connected Things

(Rugged / IoT)

Identity and Access Management

Unified Catalog Single-Sign On Authentication Access Policy

Digital Workspace Platform

End-User Services Team




bution

You can’t transform

business without a

great user experience

You don’t need to

compromise security

to get there

VMware Workspace ONE Empowers the Digital Workspace your business needs



bution

Identity and Access Management

Unified Catalog Single-Sign On Authentication Access Policy

AirWatch Unified Endpoint Management (UEM)

Management Context

End-User Services Team


11

One Platform For All Use Cases Open

Ecosystem

App Config

Community

Mobile

Security

Alliance

Authentication

and Identity

Providers

Connected Things

(Rugged / IoT)

Virtualize



bution

Digital workspace (physical)Gen2 (unified catalog)Gen1 virtual workspace (single pane of glass)

Typical Virtual Workspace Journey

12

Citrix XAHorizon 7

Apps

Horizon

Cloud

Web

Apps

Horizon 7

Desktops

Identity

Manager

External

Identity

AirWatch

Native

Apps

Patch

Management



bution

Digital workspace (physical)Gen2 (unified catalog)Gen1 virtual workspace (single pane of glass)

Typical Virtual Workspace Journey

13

Citrix XAHorizon 7

Apps

Horizon

Cloud

Web

Apps

Horizon

Desktops

Identity

Manager

External

Identity

AirWatch

Native

Apps

Patch

Management

Horizon 7 A dv & Ent, Horizon Cloud

Workspace ONE Enterprise



bution

Workspace ONE Benefits

• Only way to federate authentication for Horizon 7, Horizon Cloud, Citrix,

Native and Web apps

• Path to reduce the Windows password dependency for improved

security and usability

• Unified self-service and enterprise catalog

• Consistent, consumer-ized user experience

14



bution

Agenda





CONFIDENTIAL15



bution

16

Wearables

RemoteEmployees

Contracted Employees

BYO UsersKiosk

Devices

IoTDevices

LOB Devices

Digital

Workspace

Access Services

Unified End Point

Management

Services

Business IntelligenceSecurity Services

EMM FABRIC



bution

Web Virtual Native



bution

Today BOOKMARKS

Enterprise Portal

App Catalog

Kiosk / Launcher



bution

App Access Through Workspace ONE

19

Native mobile apps

Web apps

On-premapps

Virtual apps

OR

In-house mobile apps

Public mobile apps

Unified Workspace

with entitled apps

Workspace ONE



bution

Integrating Existing Identity Solutions• It is not uncommon to see an existing Identity Management solution for web apps

– Identity Management solutions support “3rd party Identity Provider (IdP)” federation

– Customers are not forced to throw out existing investment for second identity provider

Remote Apps(Horizon / Citrix)

VMware IDM

Legacy Web App(s)

3rd party IdP

Native Mobile Apps

VMware IDM

New Web Apps

VMware IDM



bution

Provisioning

Configuration

Access

Control

Plane

Security

Policy

Identity Policies

CASB / Apps

Ent. Systems

Network

Endpoints

User

Device PostureVMworld 2017 Content: N

ot for publicatio

n or distribution

Desktop Integrations In Workspace ONE

22

Horizon 7Horizon Cloud

Hosted

Horizon Cloud

On-Premises

Workspace ONE

App ExpressThinApp

Citrix XenApp /

XenDesktop

On-prem

enterprise apps

and desktops

Enterprise class

apps and desktops

in the cloud

Enterprise class

apps and

desktops,

simplified

deployment

Fast provisioned,

web based

Windows apps for

non-domain users

Packaged apps

can be used offline

Bring legacy apps

forward into digital

workspace

NEW!



bution

Web Applications

Native Mobile

Web Applications

Native Mobile

Workspace ONEVMware Identity Manager SaaS Offering

Citrix XenApp On-premises ThinApp and Web Apps



bution

Citrix XenApp

Native MobileNative Mobile

Horizon CloudWeb ApplicationsWeb Applications

VMware Identity ManagerOn-Premises Offering

On-premises ThinApp and Web Apps



bution

Agenda





25



bution

Citrix Integration

26



bution

• Leverages existing Citrix investment

• Citrix XenApp and XenDesktop entitlements sync to Workspace ONE

• Launch via Citrix Receiver with ICA file

• External access proxies through Netscaler

• Supports

– XenApp 5.0, 6.0, 6.5, 7.x

– XenDesktop 7.x

– IDM Hosted

– IDM on-premises 2.4+

– Storefront SDK or Web Interface

Identity Manager and Citrix Integration Overview

27

Receiver



bution

Desktop



bution

Co

ntr

olle

r

2

3

1

1

2

3

Workspace ONE Citrix Entitlement And Directory Sync

29

Store

Front

Session

Host

Session

Host

Session

HostCitrix

Configuration

XML Server

Citrix Receiver

VIDM

Service

vIDM

DB

Citrix Components

PowerShellWorkspace

ONE

WebSocket

Connecto

r

Inte

gra

tion

Bro

ker



bution

Co

ntr

olle

r

Store

Front

Session

Host

Session

Host

Session

HostCitrix

Configuration

XML Server

Citrix Components

ICA File

5

7

Authenticate and request ICA File

3

Workspace ONE Citrix Resource Launch (ICA)

30

4

Connecto

r

Inte

gra

tion

Bro

ker

1

Launch Citrix Resource

2

Launch request to Connector / IB

Citrix Receiver

Workspace

ONE

6

VIDM

Service



bution

Co

ntr

olle

r

Store

Front

Session

Host

Session

Host

Session

HostCitrix

Configuration

XML Server

Citrix Components

ICA File

5

8

Authenticate via STA and request ICA File

3

Workspace ONE Citrix External Resource Launch (ICA)

31

4

Connecto

r

Inte

gra

tion

Bro

ker

1

Launch Citrix Resource

2

Launch request to Connector / IB

Citrix Receiver

Workspace

ONE

6

VIDM

Service STAServer

7Netscaler



bution

IDM Connector and Integration Broker - Basic

32

Connecto

r

Inte

gra

tion

Bro

ker

Co

nn

ecto

r

Inte

gra

tion B

roker

Citrix sync and launch

IDMService

Dedicated server

for IB

(& Connector)

Configure IB for

both sync and

launch



bution

IDM Connector and Integration Broker - Advanced

33

Identity Manager

Service

Connector 1

Connector 2

LB

LB

LBCitrix

HA Connector pair,

outbound doesn’t

require LB

Separate sync and

launch tasks in

configuration

Scale out sync brokers

linearly behind load

balancer

Sync Integration

Broker

Sync Integration

Broker

Launch

Integration Broker

Launch Integration

Broker

…

Dedicated Windows

servers per IB10.142.29.10

10.142.29.11VMworld 2017 Content: Not fo


bution

Simplifying Integrations With Resource Profiles

34

Identity Manager

Service

Connector 1

Connector 2

New!

Identity Manager

Service

Connector 1

Connector 2

E X I S T I N G N E W

Config

UI 2

Config

UI

Service redirectsto Connectors

• Citrix, Horizon integrations configured perConnector

• Settings are manually copied between

• Hard management & troubleshooting

Service hostsconfiguration UI

Config

UI

(All)

• Configuration UI is centralized

• Connectors become workers

• More fine grained control of resource syncis possible



bution

Desktop Resource Profiles

35



bution

Horizon

37



bution

Simple Access to Apps & DesktopsAccess to Horizon 7 and Horizon Cloud desktops from Workspace ONE / Identity Manager

• Full support for Horizon 7.x

– Virtual Desktops

– Published Applications

– Horizon Cloud Pod Architecture

– Single Sign On & True SSO

• Support for Horizon Air / Cloud

– Horizon Cloud Hosted with Workspace ONE

– Support multiple tenantsin Workspace ONE / Identity Manager

– SSO to virtual desktops and published apps

– Horizon Cloud On-premiseswith Identity Manager



bution

• CAPEX Model

• Greater flexibility in desktop options

• Scalable to customer requirements

• Feature rich management

• Hybrid OPEX/CAPEX model

• Management infrastructure in the cloud

• On-premises virtual desktops & apps on

hyper-converged infrastructure

• Minimal internal expertise required and

easily scalable

Horizon Deployment Options

• OPEX model of utility based pricing

• Scalability on demand

• Minimal internal expertise required

• Remote locations where building data

center capacity is impossible

G

Horizon Cloud with Hosted

Infrastructure

On Premises

(Horizon 7)

Horizon Cloud with On-premises

Infrastructure

LOADBALANCERS

CONNECTIONBROKERS

ACTIVEDIRECTORY

MANAGEMENTSERVERS

CO

MP

UT

E S

ER

VE

RS

RU

NN

ING

VIR

TU

AL

DE

SK

TO

PS

CUSTOMER IT ENVIRONMENT

SANSTORAGE

CLOUD PROVIDER

ACTIVEDIRECTORY

ACCESS POINTS

VIRTUAL DESKTOPS & APPS

ON HYPER-CONVERGED INFRASTRUCTURE

CONTROL PLANE

CLOUD PROVIDER

MOBILEUSERS

REMOTEUSERS

ACTIVEDIRECTORY

USER APPDATA

CORP USER DEVICES

SECURE VPN

SE

CU

RE

VP

N

CUSTOMER IT ENVIRONMENT



bution

Horizon 7 Integration



bution

Hosted Desktops

41

Horizon 7.x Desktops VMware Identity Manager

Horizon Agent Request

/ Session StartGet Resources,

Entitlements

Horizon Clients

Connection Server(Enable Authentication)



bution

Hosted Applications

42

RDS Farm Connection Server VMware Identity Manager

Get Resources,

Entitlements

Horizon Clients

Horizon Agent Request

/ Session Start



bution

Horizon True SSO

• No need to enter AD credentials or SmartCard

• Users authenticate to VMware Identity Manager using a variety of credential options

• Once authenticated, users select Horizon desktop or hosted (published) application

• Uses SAML to connect the Identity Provider’s (IdP) authentication with user’s UPN for access to AD credentials

• True SSO generates unique, short-lived certificate to manage Windows logon process



bution

Integrating Horizon CloudSetting up access to Horizon Cloud with Workspace ONE

44



bution

Horizon Cloud Hosted Desktops & Apps Integration

• Requires On-Premises IDM Connector

• Requires IDM Connector be joined to Active Directory Domain

• Horizon Cloud On-Premises Support of Desktops and Apps with latest Horizon Client (v4)

• Integrated using sync between Identity Manager & Horizon Cloud

– Enable Horizon Cloud Desktops and Applications in IDM administration console

– Create Horizon Cloud Federation Artifact in IDM

– Configure SAML Authentication in Horizon Cloud

– From IDM initiate Sync with Horizon Cloud

– Desktops and Hosted applications are part of the same sync



bution

Agenda





48



bution

Horizon 7 Integrated With Workspace ONE

49

Workspace ONE access policies enforced through the Horizon Client

1. Horizon Client, Horizon app or file association redirects through WS ONE browser

2. WS ONE can host app UI and enforce per app access policy

3. User passes through to Horizon resource when authenticated



bution

Workspace ONE Configuration in Horizon 7.2

50

1

2

3

1. Require external authentication (IDM)

2. Enables redirection to WS1 hostname

3. Force access policy compliance



bution

Access Policy Control in Identity Manager

51



bution

CONFIDENTIAL52



bution

Accelerate your Knowledge of Workspace ONEDate Title Session # Speaker

Tuesday, 11:00am Transformation of the Digital Workspace SAAM3157SU Tony Kueh

Tuesday, 12:30pm Introduction to Access Management in Workspace ONE SAAM2288BU Josue Fontanez

Prab Kalra

Tuesday, 3:30pm Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops

and Apps with Workspace ONE

SAAM1150BU Greg Armanini

Matt Coppinger

Tuesday, 5:00pm Securing Access and Protecting Information in Office 365 with Workspace

ONE

SAAM2291BU Camilo Lotero

Adarsh Kedari

Wednesday, 9:30am Delivering Virtual Desktops and Apps via the Digital Workspace with

Workspace ONE and VMware Horizon

ADV1591BU Matt Coppinger

Peter Bjork

Wednesday, 2:00pm Deployment Deep Dive: Best Practices and Troubleshooting of Workspace

ONE

SAAM2197BU Kevin Sheehan

Adarsh Kedari

Wednesday, 3:30pm Secure and Seamless Access to all of your Applications with Conditional

Access and Mobile SSO in Workspace ONE

SAAM2204BU Vikas Jain

Prab Kalra

Thursday, 10:30am VMware on VMware: Winning a Single Sign-On Solution with VMware

Workspace ONE

SAAM1321BU Robert Coggins

Josue Fontanez

Thursday, 1:30pm Simplify Management and Security of your Mobile Apps with Workspace

ONE

SAAM2294BU Vikas Jain

Vinay Jain

Also join us for Quick Talks, Expert Discussions, and Hands-on-Labs!!!



bution

Questions!



bution



bution

SAAM1150BU Enabling Simple, Secure Access to …...Enabling Simple, Secure Access to Your Horizon...

Documents

Transcript of SAAM1150BU Enabling Simple, Secure Access to …...Enabling Simple, Secure Access to Your Horizon...