VMware Horizon View – Restrict Remote Access through UAG

To restrict a number of users the right to access the VMware Horizon View environment from outside the corporate network, you can add a users AD account or a AD security group to the “Remote Access” Users and Groups in the Horizon View Admin console.

To do this I have multiple AD groups defined:

  • VDI_Allow_External_Access
    • ==> contains users that are allowed external access through UAG
  • VDI_Restrict_External_Access
    • ==> contains users that are not allowed external access through UAG
    • (this group is not actually necessary but I add it just as a double check so each user is at least in one of the groups VDI_Allow_External_Access or VDI_Restrict_External_Access)
  • VDI_Pool_01_Access
    • ==> contains users that have access to Pool #01 (used in the pool entitlement)
  • VDI_Pool_02_Access
    • ==> contains users that have access to Pool #02 (used in the pool entitlement)

A user which is not allowed to access the VMware Horizon View environment from outside the corporate network is a member of the following groups

  • VDI_Restrict_External_Access
  • VDI_Pool_0x_Access

A user which is allowed to access the VMware Horizon View environment from outside the corporate network is a member of the following groups

  • VDI_Allow_External_Access
  • VDI_Pool_0x_Access

I have added the AD group VDI_Allow_External_Access to the Remote Access, which allows all the members of this group to access the environment through the UAG servers which are only used to access the environment from outside the corporate environment

This configuration works fine and users that are not in the VDI_Allow_External_Access group are not allowed to access the VDI environment from outside the corporate environment but can access it perfectly from inside the corporate environment.

However, there are two thinks to note:

  1. Nested groups do not work: When adding security groups in the “Remote Access” be aware that nested groups do not work
  2. The warning message the user receives is “You are not entitled to use the system.”. This message is actually not entirely true because the user is entitled to use the system, but only when the are accessing it from within the corporate environment. I have raised a support request at VMware to change the warning message to make it clearer to the end-user. See https://wsone.ideas.aha.io/ideas/HZI-I-601

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.