May 26th, 2011 15:00

How to publish an application for internal access? anybody?

I am trying to deploy an application that is allowed internally only, and not visible from the Web-IT/Secure-IT portal. I tried to deploy using the IP address; however, the internal network for this client is 192.168.1.x, and if a user's internal home IP is 192.168.1.x, it will give them access (meaning vWorkspace cannot see the public IP address).

Any ideas?

Thanks

May 26th, 2011 17:00

Perhaps you could use clientname, i.e. Nurse[1-100]

May 27th, 2011 01:00

Hey Patrick!

I like the suggestion, especially since, as you know, it is a medical facility. However, it is not secure, since any user can get access to the published applications from home by just renaming their PC.

Take care.

Anybody else?

May 31st, 2011 00:00

Tony,

I thought this was a standard feature of the suite, so I checked a current installation at a customer site and dug into the current documentation of 7.2.1... What a pity that I wasn't able to find anything about it. I guess I mixed it up with the other suites that I am used to supporting.

If this feature really isn't integrated with Web-IT/Secure-IT at the moment, it would be an important feature request to the development team of vWorkspace for security reasons. The easiest way for the administration would be to have the possibility to enable/disable access to the managed application/desktop/content during the publishing process.

Without this feature out of the box I may have an idea how to disable access to full WTS/RDSH/VDI desktops from outside, but in my opinion this would be much too complex to implement and wouldn't secure it 100%.

Holger

June 2nd, 2011 21:00

Holger,

I agree, it should be a standard feature.

So, you mentioned that you might have an idea how to disable access (besides changing the name of the users' computer), how would you do it?

thanks

Tony

June 3rd, 2011 00:00

Well Tony,

First, I have to mention again that my idea may be a little too complex to roll out into production normally, but this really depends on your company's needs. It can also be a good idea for security reasons in general.

Furthermore, this idea only works for you if you have the option to secure the WHOLE machines where the application(s) are coming from (VDI and/or WTS/RDSH)... AND if your internal users DO NOT go on the road, e.g. with notebooks that they are also using within the LAN. If they actually do, maybe you have the possibility to change the concept here, e.g. by only allowing the vWorkspace Java connector from outside or something like this.

By design every RDP client, no matter which manufacturer's client you use, comes with a client version number that is stored in the code and that is caught by the target machine of your connection as soon as you try to connect to it.

So the main idea of this is simple and would be done as follows:

1. Assign a new internal client version number to the RDP client that you are using inside your LAN actually.

2. Secure the installation source of this modified RDP client, as well as the information about how it works, appropriately for your security needs!

3. Roll out this modified RDP client to every client machine within your LAN (of course without the installation source).

4. Set every VDI and/or WTS/RDSH that hosts the corresponding application(s) to ONLY accept connections from RDP clients that are sending the right client version number that you chose in step 1.

For a detailed how-to, I recommend reading the following two articles from one of our founders at

part 1: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/customizing-microsoft-rdp-client-part1.html

part 2: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/customizing-microsoft-rdp-client-part2.html

In closing, it's important to know that the freeware tool 'SecureRDP', which makes the setting on the VDI and/or WTS/RDSH easy and was bought by 2X Software Ltd. in 2005, isn't available for download at 2X Software anymore.

Please feel free to download it from our resources at http://www.sbcpro.de/Downloads/SecureRDP/2XSecureRDP4.zip (it may have one or two bugs, but works just fine for what you would use it for, and again: it's free!).

During my last meeting with Terry Lewis and Jon Rolls I also mentioned making use of the client version number, e.g. to only allow the vWorkspace clients to connect to a vWorkspace farm, and they were interested in it. Sadly I have not passed on the details so far, but I will use this comment to take this matter up with them again.

IMHO it would be cool to be able to set the client version number that you like to use for your vWorkspace farm in the vWorkspace management console as well as in the vWorkspace Connector GUIs. I guess this feature wouldn't be a big deal for the development and would advance farm security easily.

Holger

June 3rd, 2011 07:00

Good Morning Tony,

I've been testing this in my lab and I'm struggling to reproduce your issue.

1. Create App called "Can you see me"

2. Assign App to 192.168.1.x

3. Log on internally via AppPortal from my 192.168.1.x machine - I can see the App

4. Log on internally via WebPortal from my 192.168.1.x machine - I can see the App

5. Log on from my 192.168.1.x machine but via Secure-IT - I can't see the app.

So this is either your Solution or my lab is broken.

Cheers, Andrew.

June 3rd, 2011 10:00

Hotfix 161312 will allow customers to filter Web Access folders, so certain sets of applications may be hidden from users logging on. This hotfix is for 7.2 MR1 and is going through the release process now. When released it will be publicly available via support.quest.com.

Will this satisfy your requirement?

June 3rd, 2011 14:00

In the Web Access Admin console there is a Client Identification category under Global Settings that has an option to query for the client's name and IP. Is that enabled? Deselecting that should prevent any IP-based client assignments from applying to Web Access users.

Kelly

June 15th, 2011 16:00

That will be awesome!!

Any idea when it would be available? Beta?

(Patrick, You are the man!!)

June 15th, 2011 19:00

Patrick/Tony,

I believe that hotfix will only be useful if the Internal Users go through AppPortal ONLY (or you have a completely different website for internal).

The easiest option is available right now and is the one I spelt out above: assign your App(s) to the internal users' IP subnet. They'll see it but external users will not.

Give it a go and let me know if I need to clarify anything.

June 15th, 2011 20:00

That would work if the feature where you assign applications based on the client's IP address were 100% reliable, which is not the case (in all fairness, it is Microsoft's fault).

When you connect from the outside via Web-IT/Secure-IT, the broker sees only the user's PC internal IP, so if your home network is 192.168.1.x, the broker will see the home network IP address (i.e. 192.168.1.100) instead of the public IP address; therefore, you cannot allocate (or limit) access to a published application based on the client's IP.

Also, if you have some of the first HP Windows CE terminals, the vWorkspace console shows 127.0.0.0 as the client's IP address.

Thanks for your reply.

PS: I opened a support call and the fix should be available by tomorrow on their web site.
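
An added example, not part of the original thread and not vWorkspace code: a small Python model of the problem described in the post above, comparing a rule that trusts the address the client reports with one that uses only the connection source the server itself observes. The `Session` fields, the gateway address 192.168.1.250 and the sample sessions are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # client LAN named in the thread
# Assumption: hosts that relay sessions arriving from outside (constructed address).
GATEWAY_PEERS = {ipaddress.ip_address("192.168.1.250")}

@dataclass
class Session:
    label: str
    reported_ip: str  # address the client software reports about itself
    peer_ip: str      # source address of the connection as the server sees it

def allow_by_reported_ip(s: Session) -> bool:
    """Rule from the thread: trust the address the client reports."""
    return ipaddress.ip_address(s.reported_ip) in INTERNAL_NET

def allow_by_observed_path(s: Session) -> bool:
    """Use only what the server observes; relayed sessions count as external."""
    peer = ipaddress.ip_address(s.peer_ip)
    if peer in GATEWAY_PEERS:
        return False  # came through the gateway, whatever the client claims
    return peer in INTERNAL_NET

# Constructed sample sessions, not captured data.
SESSIONS = [
    Session("office PC", "192.168.1.20", "192.168.1.20"),
    Session("home PC via gateway", "192.168.1.100", "192.168.1.250"),
    Session("CE terminal reporting loopback", "127.0.0.0", "192.168.1.31"),
]

def compare(sessions):
    """Return (label, reported-IP decision, observed-path decision) per session."""
    return [(s.label, allow_by_reported_ip(s), allow_by_observed_path(s))
            for s in sessions]

if __name__ == "__main__":
    for label, by_reported, by_observed in compare(SESSIONS):
        print(f"{label:32} reported-IP: {by_reported!s:5}  observed-path: {by_observed}")
```

The reported-IP rule admits the home PC and rejects the legitimate terminal, while the observed-path rule gets both right because it never consults a value the client supplies.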

June 20th, 2011 06:00

Hello,

If anyone else is after the hotfix, you can find it on Support here

https://support.quest.com/Search/SolutionDetail.aspx?id=SOL75167

Tony, if you find the hotfix doesn't give you the exact feature you need, let me know and I'll show you my technique for achieving what you want to achieve via the IP route. Trust me, it works.

Thanks, Andrew.
