Configure Access and Network Policies and Client Access URL

The Workspace ONE Access service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

A policy rule can also be configured to deny access to users by network range and device type.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You should already be at the Workspace ONE login page. If so, skip to the Sign In step.

Launch Chrome Browser

  1. From the Desktop of the Main Console, double-click Google Chrome
  1. Select WS1 from the shortcut menu
  2. Select VIDM-01 Admin

Sign In

  1. Select Sign In

Change Authentication Domain

  1. The logon page is currently configured to authenticate to the corp.local domain
  2. Select Change to a different domain

Choose System Domain

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the WS1 Access appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

Sign In to Workspace ONE

Authenticate to the System Domain as admin.

  1. username = admin
  2. password = VMware1!
  3. Select Sign in
  1. Select Identity & Access Management
  2. Select Policies

Network Ranges

  1. Select Network Ranges

Add Network Range

  1. Select Add Network Range

A default network range containing all IP addresses is created be default. You can modify the existing range, and/or add new ranges.

In this lesson, you will create a new network range and use it to apply policies.

Complete Add Network Range Form

  1. Name: Corporate Network
  2. IP Ranges: 192.168.0.0 to 192.168.255.255
  3. Select Save

Successfully Added Network Range

  1. Wait for the success message to appear
  2. Select the X to close the Network Ranges dialog box

Verify Default Access Policy Settings

The WS1 Access service includes a default access policy that controls user access to their Workspace ONE portals and their Web applications. You can edit the policy to change the policy rules as necessary.

When you enable authentication methods other than password authentication, you must edit the default policy to add the enabled authentication method to the policy rules.

Each rule in the default access policy requires that a set of criteria be met to allow user access to the applications in the portal. You apply a network range, select which type of user can access the content, and select the authentication methods to use.

  1. Select default_access_policy_set

Review default_access_policy_set

  1. The default access policy applies to 21 applications in the catalog
    This is the Horizon Desktop Pool as a result of the sync operation you completed.
  2. There are two policy rules created by default, controlling the access behavior when users logon from a Web Browser or the Workspace ONE App
  3. Select Edit

Edit Policy - Configuration

  1. Select Configuration

Review Policy Configuration Settings

  1. Select Cancel as no changes are necessary for this lab.

The default policy can be modified as needed.

Create a New Access Policy to Deny Application Access

A policy rule can be configured to deny access to users by network range and device type.

You will create a rule to deny access to a Horizon published application when it is accessed from a specific network.

Add Policy

  1. Select Add Policy

Complete Policy Definition

  1. Policy Name: Internal Network
  2. Click in the Select applications from your catalog... window to bring up a list of available applications

If the application list does not populate immediately, wait a few seconds and click in the Select applications from your catalog... window again.

Choose Horizon Desktop Pool

  1. Select Calculator
  2. Select Next

Add Policy Rule

  1. Select Add Policy Rule

Configure Policy Rule

  1. Choose Corporate Network from the drop-down list
  2. Choose Domain Users from the drop-down list
  3. Choose Deny access from the drop-down list

Save Policy Rule

  1. Select Save

Review Policy Rule

  1. Select Next

Save

  1. Select Save

Successfully Added Policy

Wait for the success message indicating the policy has been added.

Configure Client Access URL

The client access URL is used to launch locally-entitled resources from the Horizon pod, when users request applications and desktops via Workspace ONE and Identity Manager.

In an earlier exercise you configured Horizon Virtual Apps, and supplied the FQDN of a single connection server to complete the Identity Manager integration with your Horizon pod.

In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers or UAGs. The client access URL should be configured so it directs requests for Horizon resources to the VIP.

Edit Virtual App Settings

  1. Select Catalog, making sure you click the down arrow
  2. Select Virtual Apps Collection

Select Horizon

  1. Select Horizon

Edit Network Range

  1. Click EDIT NETWORK RANGE

Review Network Settings for Default ALL RANGES Network Range

  1. Select ALL RANGES

Review Client Access URL Host

  1. The Client Access URL defaults to the FQDN of the Horizon Connection Server you entered when configuring the Virtual App.

    If you have a load-balancer configured with a virtual IP address (VIP) in front of your Connection Servers or Unified Access Gateways (UAG), edit the Client Access URL to use the VIP.

    This lab does not contain a load-balancer, so the FQDN of the Connection Server will be used.
  2. Select Cancel

Configure Settings for Network Range Corporate Network

  1. Select Corporate Network

Identity Manager supports using different Client Access URLs for each network range. This provides the flexibility to direct users to internal Connection Servers, external UAGs, or different Horizon pods in a Cloud Pod Architecture (CPA) implementation.

Review Client Access FQDN

The Client Access FQDN for the Internal Network you created is blank by default.  For the purposes of this lab, you will configure the Client Access URL to use the FQDN of the Horizon Connection Server.

It is important that each network range in your environment contains a client access URL.

Add Client Access URL Host and URL Port

  1. Client Access URL Host: horizon-01.corp.local
  2. URL Port: 443
  3. Select SAVE

Finish Network Ranges

  1. Click FINISH

Logout of the Workspace ONE Admin Console

  1. Select the drop-down menu next to Local Admin
  2. Select Logout

Go Back to Login Page

  1. Select Go back to login page

Leave this page open as you will use it in the next lesson.

Configure Access and Network Policies and Client Access URL Complete

You have successfully:

  • Added and configured a network range.
  • Create an access policy to deny access to an application from a specific network range.
  • Configured the client access URL access to your Horizon pod resources.