
Quest vWorkspace

Web Access Guide


Version 7.2

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Patents Pending. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. 
If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Patents
This product includes patent pending technology.

Trademarks
Quest, Quest Software, the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Quest vWorkspace Web Access Guide Updated December 2010 Software Version 7.2

CONTENTS

About This Guide
  Overview
    Conventions
  About Quest Software
    Contact Quest Software
  Contact Quest Support

Chapter 1: About Web Access
  Overview
  Installation Considerations
    Web Access and Microsoft Server 2008 and 2008 R2
  vWorkspace Connector Packages
    About the VAS Client 32
    About the VAS Client 32T
    About the VAS Client 32TS
  Upgrade Considerations

Chapter 2: Web Access Management Console
  Overview
  Connection Policies
  Web Access Configuration Wizard
    Complete the Web Access Configuration Wizard
  Global Settings
  Farm Settings
  Configuration
    Configure Farms
      Add or Remove a Farm
    Configure the Connectivity Settings
      Set Connection Brokers by Farm
      Set Firewall/SSL VPN by Farm
      Set Proxy Server Settings by Farm
    Configure the Authentication Settings
      Set Windows Domain
      Set Two-Factor Authentication
      Credentials Pass-Through
      Set Credentials Pass-Through
      Set Password Management
      Set Client Identification
    Configure the User Experience Settings
      Set Local Resources
      Set Display
      Set Performance
    Configure the User Interface Settings
      Set Content Layout Options
      Set Look & Feel Options
      Set Messages Options
      Set Downloads Options
      Set Miscellaneous Options
    Configure the Web Access Application
      Set the General Options

Chapter 3: Use Web Access Interface
  Start the Web Access Interface
  Internet Browser Considerations
  About the Web Access User Interface
    Applications
      Application Set Searches
    Info Center
    Downloads
    Session Info
    Preferences
  Change Password
  Web Access Help

Chapter 4: Web Access and the Secure Gateway
  About the Secure Gateway
    About the Secure Gateway Certificate
  Secure Gateway Configuration
    Configuration Options
      Configure the Web Access

Chapter 5: Web Access SharePoint Integration
  Overview
  Requirements
  Setup Instructions

Chapter 6: Web Access and Juniper Networks Secure Access
  Overview
  Create Custom Headers
    Create Custom Headers

Chapter 7: Web Access and Smart Cards
  Overview
  Requirements
    Configure Web Access for Smart Cards

Chapter 8: Quest Defender and vWorkspace Integration
  Overview
    Configure Quest Defender
    Configure Quest vWorkspace Web Access

Index

About This Guide


- Overview
- Conventions
- About Quest Software
- Contact Quest Support

Overview
The Quest vWorkspace Web Access Guide is designed to assist administrators and other IT professionals with tasks pertaining to installing and using Quest vWorkspace Web Access. It is recommended that you review the table of contents to familiarize yourself with the topics of discussion.

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references:
ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest Software products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Used for emphasis.
Blue text: Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink.
(icon): Used to highlight additional information pertinent to the process being described.
(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon): Used to highlight processes that should be performed with care.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.


About Quest Software


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contact Quest Software


Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Refer to our Web site for regional and international office information.

Contact Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/. From SupportLink, you can do the following:

- Retrieve thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/.


1
About Web Access
- Overview
- Installation Considerations
- vWorkspace Connector Packages
- Upgrade Considerations

Overview
Web Access is a vWorkspace client that enables users to retrieve their list of allowed applications and desktops using a web browser. One or more vWorkspace Web Access servers must be available to use this interface.
vWorkspace Web Access is optimized to work with Microsoft Internet Explorer 7+ (though fully supported in IE 6), so some of the features may not be supported using other browsers.

Other than personalization settings, no client-side configuration is needed. Users simply start their Internet browser and enter the address of the Web Access server. After successful authentication, the user's published desktops and applications display in the web browser.

Installation Considerations
The following is a list of requirements for vWorkspace Web Access. Web Access can be placed in the DMZ or a secured subnet.
It is recommended that you use the Secure Gateway in conjunction with Web Access to protect sensitive data, such as passwords.

Hardware

- Server class hardware that meets the minimum requirements of the selected operating system.
- One or more 100 Mbps or 1000 Mbps Ethernet adapters.
- Implementation as a virtual machine is an option.

Optional

- Microsoft Network Load Balancing
- Third-party load balancing appliance
- X.509 server certificate (if the Web site requires SSL encryption)
- X.509 trusted root certificate (if used with vWorkspace SSL Gateway)

On the web server, Web Access requires Microsoft Internet Information Services (IIS) 6.0 or later. The prerequisites should be installed in the following order:

- Microsoft .NET Framework
- Internet Information Services (IIS)
- Microsoft ASP.NET
- Enable network COM+ access
- Internet Information Services (Common Files, Internet Information Services Manager, World Wide Web Service)

Some default settings on internet browsers affect how Web Access functions. Refer to Internet Browser Considerations for more information.

The Enable this application to share on active session option must not be selected if you are using Web Access with published applications where multiple users use the same computer, such as a kiosk or other semipublic user. See the vWorkspace Administration Guide, Managed Applications chapter for more information.

In Web Access, if you are using Microsoft Vista and Internet Explorer 7+, and in the unique instance that the certificate revocation list is unavailable to the user, you may need to clear the Internet Explorer option Check for server certificate revocation. This option can be found at the following path: Internet Explorer | Tools | Internet Options | Advanced. It is important to note that this may not be a secure situation, because the Certificate Revocation List is updated regularly to account for the possibility that a certificate that has not yet expired may no longer be secure for a variety of reasons. Clearing the option does not stop your session from being secured by the certificate; it only keeps the browser from returning an error when it does not find a Certificate Revocation List. To remedy this situation, consult your server's documentation on how to publish a Certificate Revocation List.

Web Access and Microsoft Server 2008 and 2008 R2


If you are installing Web Access on Microsoft Windows Server 2008/IIS 7 or Microsoft Windows Server 2008 R2/ IIS 7.5, the following Role Services for Web Server (IIS) need to be installed. The vWorkspace installer ensures that the appropriate roles are installed. The Role Services for Web Server (IIS) that need to be installed are:
- Common HTTP Features
  - Static Content
  - Default Document
  - Directory Browsing
  - HTTP Errors
  - HTTP Redirection
- Application Development
  - ASP.NET
  - .NET Extensibility
  - ISAPI Extensions
  - ISAPI Filters
- Health and Diagnostics (The following three items are optional for monitoring purposes.)
  - HTTP Logging
  - Logging Tools
  - Request Monitor
- Security
  - Windows Authentication
  - Client Certificate Mapping Authentication
    Note: Only required if using smart cards for single sign-on with the Web Access Component.
  - IIS Client Certificate Mapping Authentication
    Note: Only required if using smart cards for single sign-on with the Web Access Component.
  - Request Filtering
- Performance
  - Static Content Compression
  - Dynamic Content Compression
- Management Tools
  - IIS Management Console
  - IIS Management Scripts and Tools
  - IIS 6 Management Compatibility
    - IIS 6 Metabase Compatibility
    - IIS 6 WMI Compatibility
    - IIS 6 Scripting Tools
    - IIS 6 Management Console

vWorkspace Connector Packages


vWorkspace Connectors are supported on Windows computers and various end point devices, and can be found within the Connectors folder in the vWorkspace 7.2 download package. When the Connector is selected in the Downloads settings in Web Access, a version and location can be specified. In this case, Web Access checks whether the vWorkspace Connector for Windows is installed on the end point device. If the specified version or a later version is not installed, it attempts to automatically download the Connector from the specified location using Microsoft ActiveX.
ActiveX must be enabled on the user's browser for client installation checking to work. This feature is not supported for browsers other than Internet Explorer.

The vWorkspace Connector packages available are:

- VASCLIENT32: Includes AppPortal and the Web Access.
- VASCLIENT32T: Includes Web Access support, but not AppPortal.
- VASCLIENT32TS: Includes a silent install for Web Access support.

About the VAS Client 32


This package is available in the following formats:

- VASCLIENT32.exe: MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target end point device.
- VASCLIENT32.msi: MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target end point device.
- VASCLIENT32.cab: CAB installation for automatic deployment through Web Access.

About the VAS Client 32T


This package is available in the following formats, and does not include the AppPortal interface:

- VASCLIENT32T.exe: MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target end point device.
- VASCLIENT32T.msi: MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target end point device.
- VASCLIENT32T.cab: CAB installation for automatic deployment through Web Access.

About the VAS Client 32TS


This package is available in the following formats:

- VASCLIENT32TS.cab: CAB installation for automatic deployment through Web Access, as a silent installation. The files are located at \\Inetpub\wwwroot\Provision\web-it\clients.
- VASCLIENT32TS.msi: MSI installation for automatic deployment through Web Access, as a silent installation.

Upgrade Considerations
The following considerations should be given when upgrading Web Access:

- It is important to instruct your users to download and install the latest version of the vWorkspace Connectors. When upgrading from 5.x to 7.x, 5.x Connectors prevent users from launching applications.
- The following configuration settings are overwritten during the upgrade process:
  - Connector version to Detect (Downloads setting)
  - VDI Retry Interval (General setting)
  - Download Center Text (User Interface setting)
- Farm names in Web Access should not contain spaces. If you are upgrading, and your previous Web Access setup has spaces in farm names, you need to rename those farms before upgrading, or immediately after upgrading. To manually make the change, do the following in Webit.config:
  a) Change the name in the file. For example, change <FarmList>Farm Name</FarmList> to <FarmList>Farm-Name</FarmList>.
  b) Rename the corresponding "webit.Farm Name.config" file to the new farm name without spaces.
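The two manual steps above can be scripted so that Webit.config and the per-farm files are changed together. This is an added example, not Quest code: it assumes farm names appear inside well-formed <FarmList>...</FarmList> elements, that per-farm files follow the "webit.<farm name>.config" pattern shown above, and that the files are UTF-8; the `<Config>` root element and sample farm names are constructed.

```python
# Added example, not part of the Quest guide. Automates steps a) and b) above.
# Assumptions: farm names sit inside <FarmList>...</FarmList> in Webit.config,
# per-farm files are named "webit.<farm name>.config", and files are UTF-8.
import re
import shutil
import tempfile
from pathlib import Path

FARM_FILE = re.compile(r"^webit\.(?P<farm>.+)\.config$", re.IGNORECASE)
FARM_LIST = re.compile(r"(<FarmList>)(.*?)(</FarmList>)", re.IGNORECASE | re.DOTALL)


def plan_renames(config_dir):
    """Map every farm name that contains whitespace to a hyphenated name."""
    plan = {}
    for path in sorted(Path(config_dir).iterdir()):
        match = FARM_FILE.match(path.name)
        if match and re.search(r"\s", match["farm"]):
            plan[match["farm"]] = re.sub(r"\s+", "-", match["farm"].strip())
    return plan


def rename_farms(config_dir, dry_run=True):
    """Apply the plan to Webit.config and the per-farm files; return the plan."""
    config_dir = Path(config_dir)
    main = next((p for p in config_dir.iterdir()
                 if p.name.lower() == "webit.config"), None)
    if main is None:
        raise FileNotFoundError("Webit.config not found")
    plan = plan_renames(config_dir)

    # Refuse to overwrite an existing farm file or merge two farms into one name.
    targets = [f"webit.{new}.config" for new in plan.values()]
    existing = {p.name.lower() for p in config_dir.iterdir()}
    clashes = [t for t in targets if t.lower() in existing or targets.count(t) > 1]
    if clashes:
        raise FileExistsError(f"target already exists: {sorted(set(clashes))}")

    def fix_list(match):
        inner = match[2]
        # Longest names first so "Farm A B" is not half-rewritten by "Farm A".
        for old in sorted(plan, key=len, reverse=True):
            inner = inner.replace(old, plan[old])
        return match[1] + inner + match[3]

    # Work on bytes so the file's original line endings are preserved.
    updated = FARM_LIST.sub(fix_list, main.read_bytes().decode("utf-8"))
    if dry_run or not plan:
        return plan

    shutil.copy2(main, main.with_name(main.name + ".bak"))  # rollback copy
    main.write_bytes(updated.encode("utf-8"))
    for path in list(config_dir.iterdir()):
        match = FARM_FILE.match(path.name)
        if match and match["farm"] in plan:
            path.rename(path.with_name(f"webit.{plan[match['farm']]}.config"))
    return plan


def build_sample(directory):
    """Create a constructed sample layout (not a real vWorkspace configuration)."""
    directory = Path(directory)
    (directory / "Webit.config").write_text(
        "<Config>\n  <FarmList>Farm Name</FarmList>\n</Config>\n", encoding="utf-8")
    (directory / "webit.Farm Name.config").write_text("<Farm/>\n", encoding="utf-8")
    (directory / "webit.Prod.config").write_text("<Farm/>\n", encoding="utf-8")
    return directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("planned:", rename_farms(tmp, dry_run=True))
        print("applied:", rename_farms(tmp, dry_run=False))
        print(sorted(p.name for p in Path(tmp).iterdir()))
```

Run it with `dry_run=True` first and review the returned plan; the non-dry run leaves a `Webit.config.bak` copy beside the edited file.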

2
Web Access Management Console
- Overview
- Connection Policies
- Web Access Configuration Wizard
- Global Settings
- Farm Settings
- Configuration

Overview
Web Access uses a web browser based management console. It is accessed by entering the URL:

http://servername/Provision/Web-IT/Admin

Servername is replaced with the host name, FQDN, or IP address of your web server.
If you run the Web Access Management Console and a Web Access user session simultaneously in the same browser instance of Microsoft Internet Explorer 7+, either as two separate tabs or by navigating between the Web Access Management console and the Web Access user session, you may experience erratic behavior. However, it is possible to run the Web Access Management console and a Web Access user session simultaneously, in two separate browser instances.

vWorkspace Web Access is used with one or more vWorkspace infrastructures or farms. Through Global and Farm settings, administrators can specify settings by individual farms or for all of the farms. Some settings can be overridden by personal user settings if the administrator selects Allow the user to override in the vWorkspace Management Console.


Connection Policies
Connection Policies created in the vWorkspace Management Console take precedence over settings made in the Web Access Console. Once policy settings are enabled in the vWorkspace Management Console for a specific user or group, those settings are grayed out in the User Preferences settings in the Local Performance and Performance sections of the Web Access Console.

Connection Policies are used to define automatic device connection and optimizations when users log on to a remote computer. Connection Policies can be configured, and assignments and permissions defined; they are set to Undefined by default. Connection Policies are defined using the following path:

vWorkspace Management Console | Resources | Connection Policies

The following properties and settings are defined on the Connection Policies Properties window:

- Remote Computer Sound
- Disk Drives
- Printers
- USB Devices
- Serial Ports
- Smart Cards
- Universal Printers
- Clipboard
- Microphone
- Graphics Acceleration
- Local Text Echo
- Media Player Redirection
- Flash Redirection
- WAN Acceleration (EOP Xtream)

For more information on these settings, see Connection Policies in the vWorkspace Administration Guide, User Sessions chapter.


Web Access Configuration Wizard


Web Access settings can be configured using the Configuration Wizard option in the Web Access Management Console. The following is a list of settings that can be configured using the configuration wizard:

- Farms
- Connection Brokers
- Firewall SSL/VPN
- Proxy Server
- Domains
- Password Management
- Application Set Layout
- vWorkspace Connectors
- General Settings

How to ...
Complete the Web Access Configuration Wizard

1. Click Configuration Wizard from the left pane of the Web Access Management Console.
2. Complete the information on the Farms window as follows, and then click Next.
   a) Enter the name of the infrastructure in the Farm field. Farm names should not contain spaces.
   b) Click Add, and then Save Changes.
   c) Repeat the above steps until you have added all of the farms.
   d) Use the Up and Down arrows to move the added farms.
   e) Farms are displayed to users in the order they appear on this list.
   f) Select Log users on to all configured farms if users log on to all the defined farms using the same credentials. This option logs users on to all the farms simultaneously and returns a collective application set from all farms. This setting is presented when more than one farm is available and needs to be selected if using credentials pass-through to connect users with multiple farms.
   g) Users are not presented with a list of farms to choose from if this option is selected.
3. Complete the information on the Connection Brokers window, and then click Next.
   a) Enter the host name, FQDN, or IP address of the Connection Broker in the Server List field, and then click Add. Use FQDN when using https protocol.
   b) Repeat the above step to add other Connection Brokers as appropriate. You need to use multiple Connection Brokers if you are using fault tolerance or load balancing.
   c) Click Up or Down in the Server List field to move the order of the Connection Brokers.
   d) Enter the port number in the XML Port field.
   e) Select HTTP or HTTPS from the list in the Protocol field.
   If you receive a Microsoft Internet Explorer error message, you may need to disable script debugging in Tools | Internet Options | Advanced.
4. Complete the information on the Firewall SSL/VPN window, and then click Next. For more information on completing this window, see Set Firewall/SSL VPN by Farm.
5. Complete the information on the Proxy Server window, and then click Next.
6. Complete the information on the Windows Domain window, and then click Next. These settings are applied to Farm settings, not the Global settings.
7. If you have specified more than one farm in step 2, you need to repeat steps 3 through 6 for all configured farms.
8. Complete the information on the Password Management window, and then click Next.
9. Complete the information on the Application Set Layout window, and then click Next.
10. Complete the information on the vWorkspace Connector window, and then click Next.
   a) Select Do not automatically download and install a Connector, if appropriate.
   b) Select Allow the user to select which Connector to use, if appropriate.
   c) Select Automatically download and install the following Connector: and choose the Connector, if appropriate.
   d) Select Always display a link to download and install the vWorkspace Connector for Windows and enter a File Path, as appropriate.
11. Complete the appropriate information on the General Settings window, and then click Next.
12. Click Finish to complete the Web Access Configuration Wizard.

Global Settings
The following settings can be specified in Web Access on a global basis:
- Authentication
  - Windows Domains
  - Two-Factor Authentication
  - Credentials Pass-Through
  - Password Management
  - Client Identification
- User Experience
  - Local Resources
  - Display
  - Performance
- User Interface
  - Content/Layout
  - Look & Feel
  - Messages
  - Downloads
  - Miscellaneous
- Configuration Settings
  - General

Farm Settings
Farm settings can also inherit their settings from the global settings. This is done by selecting Inherit the global settings. The following settings can be specified by Farm:
- Authentication
  - Windows Domain
  - Two-Factor Authentication
  - Credentials Pass-Through
- Connectivity
  - Connection Broker
  - Firewall/VPN
  - Proxy Server
- User Experience
  - Local Resources
  - Display/Performance

Configuration
Complete the following configuration tasks in the presented order.

1. Configure Farms
2. Configure the Connectivity Settings
3. Configure the Authentication Settings
4. Configure the User Experience Settings
5. Configure the User Interface Settings
6. Configure the Web Access Application

Configure Farms
How to ...
Add or Remove a Farm

1. Click Add/Remove Farms in the left pane of the Web Access Management Console. Use the following URL to display the Web Access Management Console. Servername is replaced with the host name, FQDN, or IP address of your web server:
   http://servername/Provision/Web-IT/Admin
2. Enter the name of the infrastructure in the Farm field. Farm names should not contain spaces.
3. Click Add, and then Save Changes.
4. Repeat the above steps until you have added all of the farms.
5. Use the Up and Down arrows to move the added farms. Farms are displayed to users in the order they appear on this list.
6. Select Log users on to all configured farms if users log on to all the defined farms using the same credentials. Users are not presented with a list of farms to choose from if this option is selected. You must use this option if you are using the credentials pass-through option with multiple farms.

Farms must be added in the Web Access Management Console, or the user is presented with a disabled Web Access logon page.

Configure the Connectivity Settings


The Connectivity settings include Connection Brokers and Firewall/SSL VPN. The Connectivity settings must be configured separately for each farm.

Web Access uses the Connection Broker to process user logon requests, to retrieve the list of allowed managed applications and desktops, and to obtain connectivity parameters.

The Firewall/SSL VPN settings are used to determine the way in which users connect to Terminal Servers and managed computers. There are three address translation options that can be used; which one is used depends upon server-side firewalls, whether network address translation is being used, and SSL encryption. The options are:

Normal Address
vWorkspace Connectors connect to the vWorkspace Terminal Servers and desktops using their IP address. No address translation occurs and the target computer's IP address is visible. Use this option if there are no firewalls between the vWorkspace Connector and target servers, and Network Address Translation is not being used.

Alternative Address
vWorkspace Connectors are assigned an alias IP address that is routable across the Internet. Firewall rules are constructed to allow inbound connections using the alternative address. The firewall then forwards the packets to the target servers using their real IP addresses. The private IP addresses used by the servers are not exposed to the Internet. Use this option for connections to Terminal Servers when the servers are protected by a firewall with Network Address Translation enabled.

SSL Gateway
Use this option to encrypt the RDP session traffic. It is recommended that you use the SSL Gateway in conjunction with Web Access to protect sensitive data, such as passwords. Note: If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console. See Set Firewall/SSL VPN by Farm for more information.

How to ...
- Set Connection Brokers by Farm
- Set Firewall/SSL VPN by Farm
- Set Proxy Server Settings by Farm

Set Connection Brokers by Farm

1. Do one of the following:
   a) Click Manage Farms in the left pane, and then select Connection Brokers from the right pane.
   b) Select the farm from the list in the left pane, and then select Connection Brokers from the left pane from the appropriate farms setting.
2. Enter the host name, FQDN, or IP address of the Connection Broker in the Server List field, and then click Add. Use FQDN when using https protocol.
3. Repeat step 2 to add other Connection Brokers as appropriate. You need to use multiple Connection Brokers if you are using fault tolerance or load balancing.
4. Click Up or Down in the Server List field to move the order of the Connection Brokers.
5. Enter the port number in the XML Port field.
6. Select HTTP or HTTPS from the list in the Protocol field.
7. Click Save Changes.
8. Repeat this process for each farm that has been added.

Set Firewall/SSL VPN by Farm

1. Do one of the following:
   a) Click Manage Farms in the left pane, and then select Firewall/SSL VPN from the right pane.
   b) Select the farm from the list in the left pane, and then select Firewall/SSL VPN from the left pane.
   Refer to the Web Access and the SSL Gateway chapter for more information on configuring Web Access and SSL Gateway.
2. Select the Default Address Translation Setting. Use this option when the IP addresses for users are unknown.
3. Enter information pertaining to Custom Address Translation Settings. You must end your entry of the Client Address Prefix with a dot (.), for example, "10.4.". Enter an asterisk (*) when you want to use this setting for all users. Use this option when the IP addresses for users are known.
   If your Default Address Translation Settings is SSL Gateway and you have users who are not going to be using SSL Gateway, you would enter a Client Address Prefix, select Normal Address, and then click Add to add it to the Address Prefix List.
4. Enter SSL Gateway Settings. Select Enable NAT support for firewall traversal if Network Address Translation is being used on a firewall that is between the SSL Gateway and vWorkspace Terminal Servers.
   You only need to enter your FQDN into the External SSL Gateway FQDN/IP Address field.
5. Enter the external URL used to access Web Access remotely in the Web Access URL (external users) box. For example:
   https://your.domain.com/
   OR
   http://your.domain.com/
   Please review the caution note below.
6. Enter the internal URL used to access Web Access locally in the Web Access URL (internal users) box. For example:
   http://your.domain.com
   OR
   http://your.domain.com/
   Review the caution note below.

   Review the following notes about this configuration:
   - If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console.
   - If you are not using an SSL Gateway configuration, it is recommended that you do not enter information into the Web Access URL (external or internal users) fields. A potential issue may result if an incorrect, invalid, or outdated URL is entered into these fields.
   - The Web Access URL settings are global settings even though Firewall/SSL VPN settings are always farm specific. This means that if you modify the URLs for one farm, they are modified for all farms.
7. Click Save Changes.

Set Proxy Server Settings by Farm

1. Do one of the following:
   a) Select Use default from the system internet settings.
   b) Select Do not use a proxy server.
   c) Select Enter an address manually and complete the following:
      - Enter the Proxy Server and Port.
      - Enter any addresses that are not to be used for the proxy server.
2. Click Save Changes.

Configure the Authentication Settings


The Authentication options can be configured globally or by individual farms. The settings include: Windows Domains; Two-Factor Authentication; Credentials Pass-Through; Password Management (this option can only be configured using a global setting); and Client Identification (this option can only be configured using a global setting).

How to ...
Set Windows Domain
Set Two-Factor Authentication
Set Credentials Pass-Through
Set Password Management
Set Client Identification

Set Windows Domain

1. Select Allow user to choose from the list of domains for users to choose a domain. If this check box is not selected, the domain field is not displayed to users, and the user is logged on to the first domain in the list. If there are no domains specified, then the user is presented with a free text field to enter the domain manually.
2. Enter the NetBIOS form of the Windows domain name in the Domain field, and click Add.
3. Use the Up and Down arrows to move the domains. The order in which the domains display is the order in which they appear on the Web Access Logon page.
4. Click Save Changes.

Set Two-Factor Authentication

1. Select Use two-factor authentication, if applicable.
2. Select one of the following options:
   a) Secure Computing PremierAccess
   OR
   b) RADIUS (RSA ACE/Server, Secure Computing RemoteAccess)
3. If you selected Secure Computing PremierAccess, complete the following information: Specify the path and file name to the Secure Computing PremierAccess configuration file in the Configuration File Location box.
4. If you selected RADIUS (RSA ACE/Server, Secure Computing RemoteAccess), complete the following information:
   - RADIUS Server
   - RADIUS Port
   - RADIUS Secret Key
   - Use Unencrypted Authentication (PAP)

   If you are integrating Quest Defender with vWorkspace, see Quest Defender and vWorkspace Integration for more information.
5. Click Save Changes.

Credentials Pass-Through
This setting allows users to automatically log in to their vWorkspace farms using the same credentials as their end point device. This setting should only be used in environments where network security is not a concern, such as with LAN users.

To use this setting with Microsoft Internet Explorer, you must configure the following before enabling this feature:
- Enable Integrated Windows Authentication must be turned on in Advanced Internet Options of Internet Explorer, and the Microsoft IIS web server must be a member of a domain in the Active Directory forest containing the user's account.
- The Web Access site needs to be added to the list in both Trusted Sites and Local Intranet.

If you are using credentials pass-through and there are multiple farms that users need to log in to using credentials pass-through, then you must also select the option, Log Users on to all configured farms in the Farm settings. Credentials pass-through is not currently supported when allowing users to select a farm.
Credentials pass-through is not supported in the vWorkspace Connector for Java.

If you are using Mozilla Firefox and credentials pass-through, you must configure Firefox to use Integrated Windows authentication by completing the following steps:

1. Open Firefox.
2. Type about:config in the address bar.
3. Type network.automatic in the filter box once the config page loads.
4. Modify network.automatic-ntlm-auth.trusted-uris by double-clicking the row, and enter www.mydomain.com. Multiple URIs must be separated by commas.

To configure Firefox to use Integrated Windows authentication for multiple Firefox installs, complete the following steps:

1. Use a decompression tool, such as WinZip, to extract Firefox Setup 2.x.x.exe.
2. Extract browser.xpi from the setup.
3. Edit all.js contained in browser.xpi in \bin\jreprefs.
4. Modify network.automatic-ntlm-auth.trusted-uris by double-clicking the row, and enter www.mydomain.com. Multiple URIs must be separated by commas.
5. Repackage browser.xpi, and use the extracted setup to install Firefox.

Set Credentials Pass-Through

1. Select Enable credentials pass-through to use Integrated Windows Authentication with the Web Access.
2. Enter the part of the IP address that is common to all end point devices on a subnet in the Intranet Address Prefix field, and then click Add. This prefix should match the first part of the Source IP as it appears in the Session Info tab of Web Access on the end user side. It does not have to end in a (.).
3. Repeat step 2 to add all subnets.
4. Use the Up and Down arrows to arrange the display of the Intranet Address Prefixes.
5. Enter Excluded Prefixes to deny the use of credentials pass-through to end point devices having a specified IP address.
6. Repeat step 5 to add all IP addresses.
7. Use the Up and Down arrows to arrange the display of the Excluded Prefixes.
8. Click Save Changes.

If you are using credentials pass-through and there are multiple farms that users need to log in to using credentials pass-through, then you must also select the option, Log Users on to all configured farms in the Farm settings. Credentials pass-through is not currently supported when allowing users to select a farm.
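
The following is an added example, not part of the Quest guide or product code. It assumes that an address prefix is compared with the client's Source IP as plain text (the guide says only that the prefix should match "the first part of the Source IP"), and shows which extra addresses a prefix entered without a trailing dot would then cover. All function names and sample addresses are constructed for illustration.

```python
"""Audit textual IP prefixes such as those entered in the Intranet Address
Prefix, Excluded Prefixes and Client Address Prefix lists.

Assumption (not stated by the guide): a prefix is compared with the
client's Source IP as plain text, character by character.
"""
import ipaddress


def prefix_matches(prefix, source_ip):
    """Assumed matching rule: '*' matches every client, otherwise text prefix."""
    return prefix == "*" or source_ip.startswith(prefix)


def _parse(prefix):
    """Split a dotted prefix into complete octets; reject anything else."""
    body = prefix[:-1] if prefix.endswith(".") else prefix
    octets = body.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 prefix: %r" % prefix)
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError("bad octet %r in prefix %r" % (octet, prefix))
    return octets


def _network(octets):
    """CIDR network covered by a list of complete octets."""
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))


def intended_network(prefix):
    """Network an administrator most likely means by the prefix."""
    return _network(_parse(prefix))


def unintended_matches(prefix):
    """Networks a text comparison also accepts because the last octet is open.

    '10.4' is intended as 10.4.0.0/16 but is also the start of 10.40.x.x
    through 10.49.x.x. A trailing dot closes the octet and removes them.
    """
    if prefix == "*":
        return []
    octets = _parse(prefix)
    if prefix.endswith("."):
        return []
    head, last = octets[:-1], octets[-1]
    extras = []
    for value in range(256):
        text = str(value)
        if text != last and text.startswith(last):
            extras.append(_network(head + [text]))
    return extras


def unexpected_hits(prefixes, observed_ips):
    """(prefix, ip) pairs where the text match falls outside the intended network."""
    hits = []
    for prefix in prefixes:
        if prefix == "*":
            continue
        wanted = intended_network(prefix)
        for ip in observed_ips:
            if prefix_matches(prefix, ip) and ipaddress.ip_address(ip) not in wanted:
                hits.append((prefix, ip))
    return hits


# Constructed sample data: a prefix list and Source IPs as they might
# appear on the Session Info tab.
SAMPLE_PREFIXES = ["10.4", "192.168.1.", "10.4.1.5"]
SAMPLE_SOURCE_IPS = ["10.4.7.9", "10.40.7.9", "192.168.1.20",
                     "192.168.10.20", "10.4.1.5", "10.4.1.57"]

if __name__ == "__main__":
    for entry in SAMPLE_PREFIXES:
        extra = unintended_matches(entry)
        print("%-12s intended %-16s extra networks: %d"
              % (entry, intended_network(entry), len(extra)))
    for entry, ip in unexpected_hits(SAMPLE_PREFIXES, SAMPLE_SOURCE_IPS):
        print("prefix %r also matches %s" % (entry, ip))
```

Under that assumption, a single-device entry such as 10.4.1.5 in Excluded Prefixes also covers 10.4.1.50 through 10.4.1.59, so review every entry whose last octet is left open.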

Set Password Management

This option can only be configured as a global setting.

1. Enter a Domain using the NetBIOS name of the Password Management server.
2. Enter the Server (FQDN).
3. Enter a Port number, and then click Add. The usual number to use is 443.
4. Repeat the above steps to add multiple Password Management servers.
5. Click Save Changes.

Set Client Identification

This option can be configured only as a global setting.

1. Select Query client name and IP address if the name and IP address of the end point device can be queried and sent to the Connection Broker. Once sent to the Connection Broker, the published desktops and applications that are assigned to the end point device based on Device Name or Device IP Address can be presented. The Query client name and IP setting does not work for users that are using browsers other than Internet Explorer or when ActiveX is not enabled in the user's browser.
   If the Query client name and IP address setting is enabled, credentials pass-through does not work for users that are using a browser other than Microsoft Internet Explorer.
2. Click Save Changes.

Configure the User Experience Settings


The User Experience settings can be configured globally or by individual farms. The settings include:
- Local Resources: Provides control of end point device resources, such as printers and microphones.
- Display: Provides control of display properties, such as screen resolution.
- Performance: Provides control of performance and optimization settings, such as local text echo and Media Player Redirection.

Each setting has a check box that allows users to override the settings as configured by the Web Access administrator.

How to ...
Set Local Resources
Set Display

Set Local Resources

1. Select Local Resources from the User Experience section.
2. Select Allow user to override local resource settings, if appropriate, to allow users to personalize their own sessions.
3. Complete the Remote Computer Sound options, as appropriate.
4. Complete the Apply Windows key combinations options, as appropriate.
5. Select the following options, as appropriate:
   - Redirect Drives: Select if users need access to the disk drives on their physical device.
   - Redirect Printers: Select if users need to print to autocreated end point device printers using native print drivers.
   - Redirect Com Ports: Select if users need access to devices attached to the serial ports on their physical device.
   - Redirect Smart Cards: Select if users are required to log on to their session using a Smart Card attached to their physical device.
   - Redirect USB Devices: Select if users need access to USB devices.
   - Redirect Universal Printers: Select if users need to print by autocreated end point device printers using the Universal print driver.
   - Redirect Microphone: Select if users need to redirect the local computer microphone when connecting to a Terminal Server.
   - Redirect Clipboard: Select if users need to redirect the local computer clipboard when connecting to a Terminal Server.
6. Click Save Changes.

Set Display

1. Select Display from the User Experience section.
2. Complete the Display Settings.
   a) Select Allow user to override the display settings, if appropriate.
   b) Complete the Screen Resolutions options, as appropriate.
      - Window Sizes: These settings only apply when seamless window connections are used.
      - Display connection bar: This setting allows users to minimize, maximize, or close the session by use of a connection bar, when connecting in full screen mode. This setting is available when Full Screen is chosen for Screen Resolution.
      - Pin connection bar: This setting pins the remote desktop connection bar.
      - Enable smart sizing: This setting is used when connecting to managed computers that are VMware virtual machines.
      - Enable seamless mode: This setting enables the remote session screen size and color depth to match the settings of the end point device, when connecting to managed applications hosted on vWorkspace enabled Windows Terminal Servers.
      - Span multiple monitors when in full screen mode: This setting is available when Full Screen is chosen for Screen Resolution. This setting enables the display area to span across two monitors.
   c) Select a Color Depth option from the list. This setting is not used with seamless window connections.
3. Click Save Changes.

Set Performance

1. Select Performance from the User Experience section.
2. Complete the Performance options.
   a) Select Allow user to override local resource settings, if appropriate, to allow the user to personalize their own sessions.
   b) Choose a connection speed. The following options are supported:
      - Modem (28.8 Kbps)
      - Modem (56 Kbps)
      - Low-speed broadband (256 Kbps - 2 Mbps)
      - Satellite (2 Mbps - 16 Mbps with high latency)
      - High-speed broadband (2 Mbps - 10 Mbps)
      - WAN (10 Mbps or higher with high latency)
      - LAN (10 Mbps or higher)
   c) Select the following options, as appropriate.
      - Desktop background
      - Font smoothing
      - Desktop composition (Aero). If Desktop Composition is enabled, Graphics Acceleration is disabled.
      - Visual Styles
      - Show contents of window while dragging
      - Menu and window animation
      - Bitmap caching
   d) Select the following Experience Optimized Protocol (EOP) options, as appropriate:
      - Flash Redirection
      - Media Player Redirection
      - Graphics acceleration
      - WAN Acceleration (EOP Xtream)
      - Local text Echo
   e) Select Reconnect if connection is dropped, as appropriate.
3. Click Save Changes.

Configure the User Interface Settings


The User Interface settings can be configured globally or by individual farms. The settings include:
- Content Layout: Controls how published applications, desktops, and content display in the user's web browser.
- Look & Feel: Controls color scheme, header logo, and content position.
- Messages: Controls the content of messages presented to the user.
- Downloads: Controls the available download links as displayed in the Download Center. The downloads section is also used to specify which vWorkspace Connector to use, and whether to allow users to select which Connector to use. The options are as follows:
  - Do not automatically download and install a Connector (normal operation).
  - Allow the user to select which Connector to use (e.g. vWorkspace Connector for Windows, Linux, Mac OS X or Java).
  - Automatically download and install either the vWorkspace Connector for Windows or the vWorkspace Connector for Java.

  When the vWorkspace Connector for Windows is selected, a Connector version and location can be specified. In this case, it checks whether the vWorkspace Connector for Windows is installed on the client end point device. If the specified version or a later version is not installed, it attempts to automatically download the client from the specified location using Microsoft ActiveX. The autodownload operation only works on browsers that support ActiveX, and if ActiveX is enabled in Internet Options of the browser. Additionally, a static link can be displayed in the Web Access interface that allows the user to manually download and install the Windows client.
- Miscellaneous: Controls the display of the IP address of the client end point device when a connection to the Web Access server is made, and whether to automatically start a specified (or single) application when the user logs on successfully.

How to ...
Set Content Layout Options
Set Look & Feel Options
Set Messages Options
Set Downloads Options
Set Miscellaneous Options

Set Content Layout Options

1. Complete the following options, as appropriate.
   a) Select Enable for SharePoint if you want to enable Web Access to run inside a SharePoint Page Viewer Web Part. Do not select this option for a normal instance of Web Access.
   b) Select Allow user to override the application set layout, if appropriate.
   c) Select Present apps in flat format (No folders) to display all the published resources on one page.
   d) Select the Default application layout style from the following options:
      - Details
      - Icons
      - List
      - Tree (The application search feature is unavailable to users with this view.)
      - Content width (Move the slider to display the appropriate pixels.)
   e) Enter a number of columns in the Divide apps evenly among field. The default is 3.
   f) Enter a number of columns in the Divide List view applications evenly among field, which is only applicable to the List application layout style. The default is 2.
2. Click Save Changes.

Set Look & Feel Options

1. Complete the following fields on the Color Scheme window as appropriate.
2. Click Upload New Logo Graphic to change the current header logo.
   a) Click Browse to open the file that is to be used for the new logo.
   b) Click Upload New Logo.
3. Select a Page Background Color from the Select Color list.
4. Select a Color Scheme. There are 9 different color schemes available.
5. Select Custom to further customize the look and feel of Web Access. For more information on using the Custom option, refer to the Quest vWorkspace Web Access, Customizing the Look and Feel document, available from Quest SupportLink.
6. Click Save Changes.

Set Messages Options

This section is used to modify text and messages that are displayed in various areas of Web Access.

1. To modify a message, type new text or type additional text, and then click Save Changes.

Set Downloads Options

1. Complete the vWorkspace Connector options, as appropriate.
   a) Select Do not automatically download and install a Connector, if appropriate.
   b) Select Allow the user to select which Connector to use, if appropriate.
   c) Select Automatically download and install the following Connector: and choose the Connector, if appropriate. This option only works for users who are using Internet Explorer with ActiveX enabled.
   d) Select Always display a link to download and install the vWorkspace client for Windows and enter a File Path, as appropriate.
   e) Add up to five additional download links by entering the text string to be used as the display label in the Text field, and the location and file name in the Path field.
      Use the check box, Hide download link from unauthenticated users, to hide specified download links from unauthenticated users.
2. Click Save Changes.

Set Miscellaneous Options

1. Select Display user help button to display Web Access help to the end user. This option is selected by default.
2. Complete the Application Auto-Launch section as follows:
   a) Select Launch Applications Automatically to start a published application or desktop at logon.
   b) If you selected Launch Applications Automatically, you can select one of the following options:
      - Auto-Launch When There Is Only One Application
      - Auto-Launch Specific Application, and enter the name in the Name Of Application field.

      The name of the specified application to be started must match the exact name of the published application.
3. Click Save Changes.

Configure the Web Access Application


The Configuration settings can be configured globally, or by individual farms. The General settings include:
- Display detailed error messages: Enables detailed messages to display to accelerate troubleshooting. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed. The default is to not display detailed error messages.
  This option only applies to instances where any unhandled errors occur.
  You can also select Enable error logging, as appropriate. It is recommended that this option is only selected as directed by Quest Software support personnel.
- User Session Time-Out: Determines the length of time, in minutes, before the user is forced to reauthenticate. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed.
- VDI Retry Interval: Defines the wait period between connection attempts of a virtual desktop that is powering up. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed.

How to ...
Set the General Options

1. Complete the following:
   a) Select Display detailed error messages and Enable error logging, if appropriate. It is recommended that this option is only selected as directed by Quest Software support personnel.
   b) Enter a number of minutes in the User Session Time-Out field.
   c) Enter a number of seconds in the VDI Retry Interval field.
2. Click Save Changes.

3
Use Web Access Interface
Start the Web Access Interface
Internet Browser Considerations
About the Web Access User Interface
Change Password
Web Access Help

Start the Web Access Interface


Users connect to the Web Access by using the following URL:

http://servername/Provision/Web-IT/

Servername is replaced with the host name, FQDN, or IP address of your web server.

If your Web Access server requires an SSL connection, replace http with https. If your Web Access is being used with an SSL Gateway, a slash mark (/) must be added to the end of the URL.

The information displayed in the Login, Info Center, Downloads, Session Info, and Preferences sections on the Web Access Login window depends upon the settings configured in the Web Access management console. Farms must have been added in the Web Access Management Console, or the user is presented with a disabled Web Access logon page. Some examples of the Web Access login window are listed below.

Web Access Logon without Domain and Client Type Options


Web Access Login with Client Type

Web Access Login with Options of Domain and Client Type

Once a user successfully authenticates their log on, a list of published resources, or application set, is presented. An application set is not presented if a user has not been assigned a published resource. The view of the application set is based upon settings made in the Web Access management console, Content Layout.

A toolbar is accessible on the Application Set window that offers the following options:
Refresh

Change Password

Help

Internet Browser Considerations


Some default settings on internet browsers affect how Web Access functions. Here are some of the features of Web Access that can be affected by internet browser settings.
- Windows client detection and auto-download/install: Not supported by internet browsers that do not support ActiveX, or if users do not have the ActiveX setting enabled on their browsers.
- Credentials Pass-Through: Web Access URL must be added to the Trusted Sites list and Integrated Windows authentication must be enabled by the user in their browser settings.
- User identification and application set return based on client IP address or name: ActiveX must be enabled.
- Web Access Microsoft SharePoint Integration: Depends on credentials pass-through.
- Application Auto-Launch: Web Access URL must be added to the Trusted Sites for Internet Explorer versions 6, 7, and 8. The installation of Web Access sets the Compatibility Mode to On by default.
- Certificate Revocation List is unavailable to the user: If you are using Microsoft Vista and Internet Explorer 7+ and in the unique instance that the certificate revocation list is unavailable to the user, you may need to unselect the Internet Explorer option, Check for server certificate revocation. This option can be found at the following path: Internet Explorer | Tools | Internet Options | Advanced.
  It is important to note that this may not be a secure situation, because the Certificate Revocation List is updated regularly to account for the possibility that a certificate that has not yet expired may no longer be secure for a variety of reasons. This will not stop your session from being secured by the certificate; it just keeps the browser from returning an error when it does not find a Certificate Revocation List. To remedy this situation, please consult your server's documentation on how to publish a Certificate Revocation List.
- If you are using Microsoft Internet Explorer, you may want to advise end users to set the Internet Options setting, Automatic prompting for file downloads, to Enable. If this setting is not set to Enable, a file download prompt is displayed when trying to launch an application that is published on a VM while that VM is in a powering on or OS reboot state. Use the following path in Internet Explorer to change this setting: Tools | Internet Options | Security | Custom Level | Downloads

About the Web Access User Interface


The Web Access user interface consists of several tabs, allowing end users to change their settings. Permissions are granted through the various settings in the Web Access management console, to allow users to change their settings.

Applications
The Applications tab displays all the applications that have been assigned to the user. You can also change the layout of your applications by selecting one of the View options. The options are:
- Details: Displays Location and Farm information for each application.
- Icons: Displays the applications and icons.
- List: Displays the applications in a list format.
- Tree: Displays the applications in a tree format, organized by folders.

Application Set Searches


An application set search feature is available to users if their application layout style is one of the following:
- Details
- Icons
- List

The search feature is unavailable to users with the Tree view. Users enter the search terms into the search box, and then click the search button. A list of possible applications is presented. The Clear option is used to clear the search results and return to the full set of applications.

Info Center
The Info Center tab is used to display messages to end users from Web Access administrators.

Downloads
The Downloads tab is used to provide a link for downloading the current version of the Web Access Client to end users.


Session Info
The Session Info tab is used to display the following details about the session:
- Logged in user name
- Farm or farms that the user is logged into
- Number of published resources
- Source IP Address (IP of the Web Server, or the IP of the Secure-IT server when connecting to Web Access through Secure-IT)
- Client IP (if configured in the Web Access Management Console)
- Client Name (if configured in the Web Access Management Console)

Preferences
Users are permitted to change some settings in Web Access based upon the settings made by the Web Access administrator. The following window is presented to users when they select the Preferences option. Users can change the settings as indicated by the administrator in the Web Access Management Console.


TAB: General
SETTINGS:
- Change your layout:
- Default application layout style
- Content width
- Divide apps evenly among
- Divide List View applications evenly among
- Display apps in flat format (no folders)
- Do not display client detection warning messages
- Remember farm selection for login
- Currently selected farm:
- Apply settings to: (specify settings for all farms or a specific farm)

TAB: Display
SETTINGS:
- Color Depth (These settings are not used when making seamless window connections.)
- Screen Resolution
- Disable connection bar: This setting allows users, by use of a connection bar, to minimize, maximize, or close the session when connecting in full screen mode.
- Pin connection bar: This setting pins the remote desktop connection bar.
- Enable smart sizing: This setting is used when connected to managed computers that are VMware virtual machines.
- Enable seamless mode: This setting enables the remote session screen size and color depth to match the settings of the physical client device when connecting to managed applications hosted on vWorkspace enabled Windows Terminal Servers.
- Span multiple monitors when in full screen mode: This setting enables the display area to span across two monitors.
- Apply Settings to: (specify settings for all farms or a specific farm).

TAB: Local Resources
SETTINGS:
- Remote computer sound
- Apply Windows key combinations
- Connect automatically to these devices when logged on to the remote computer: Drivers, Printers, Com Ports, Smart Cards, USB Devices, Universal Printers, Microphone, Clipboard
- Apply Settings to: (specify settings for all farms or a specific farm).

TAB: Performance
SETTINGS:
- Allow the following: Desktop background, Show contents of window while dragging, Font Smoothing, Menu and window animation, Desktop Composition (Aero), Visual Styles, Bitmap caching
- Experience Optimized Protocol (EOP): Flash Redirection, Media Player Redirection, Graphic Acceleration, WAN Acceleration (EOP Xtream), Local text Echo
- Reconnect if connection is dropped
- Apply settings to: These settings can be applied to all farms, or a specified one.

Change Password
Users can securely change their password while connecting over the Internet. However, for security reasons, it is recommended that SSL encryption is required on the Web Access server if this feature is used across the Internet. The Web Access must be configured to use a Password Management server. Users choose a domain if the administrator has specified any domains in the Password Management section of the Admin Console. If domains have not been specified by the administrator, users are not able to change their passwords. Users will need to provide the following:
- Username
- Old Password
- New Password
- Confirm New Password
- Domain

Web Access Help


Web Access Help is available for the following topics:
- Authentication
- Logging On
- Logging Out
- Changing Your Password
- Using the Application Set
- Configuring the Application Set

Users have access to a basic Help menu by default; however, administrators have the ability to disable Help. It is important to remember that when the Help option is disabled, users do not have access to any online help. For more information on how to disable Web Access Help, see Set Miscellaneous Options.

4
Web Access and the Secure Gateway
About the Secure Gateway
Secure Gateway Configuration
Configuration Options

About the Secure Gateway


The Secure Gateway enables clients to access Web Access using https and virtual machine published desktops and applications using RDP over SSL. The Secure Gateway is designed to simplify the deployment of applications over the Internet, securely and cost-effectively. RDP connections are SSL-encrypted at client workstations and sent through the corporate firewall on TCP port 443. Once received by the Secure Gateway, the data is decrypted and forwarded to the destination virtual machine on TCP port 3389. Outbound RDP traffic passing through the Secure Gateway is encrypted and forwarded to the client workstation.

The Secure Gateway can be used with Web Access. The web browser requests to the Web Access server are SSL encrypted at the client workstations and sent through the corporate firewall on TCP port 443. Once received by the Secure Gateway, the data is decrypted and forwarded to the destination Web Access server on TCP port 80. Outbound responses from the Web Access server passing through the Secure Gateway are encrypted and forwarded to the client's web browser.

It is recommended that you use the Secure Gateway in conjunction with Web Access to protect sensitive data, such as passwords.

About the Secure Gateway Certificate


The following are suggested best practices for your Secure Gateway certificate.
- Your certificate should have the same Issued To and Friendly Name.
- The certificate should be an RSA (1024) certificate, not an AES certificate.
- You should have a private key that corresponds to the certificate.
- On the Certificate Properties window, General tab, Server Authentication should be listed and selected.

Secure Gateway Configuration


The Secure Gateway is configured using the Quest Secure-IT applet that is located in the Windows Control Panel.

PROXIES TAB FIELDS (field: description)

RDP Proxy

Local IP Address: This checkbox enables SSL encryption of RDP session traffic between the vWorkspace client and vWorkspace enabled Terminal Servers and computers. The IP address for the Secure Gateway for inbound requests is selected from the list.

Local Port: The TCP port number to be used for SSL encryption of RDP session traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use.


Certificate Name: This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. Note: Only certificates installed in the Windows machine store are recognized.

Web Access Proxy

Local IP Address: This checkbox enables secure web browser traffic between the vWorkspace client and the Web Access web server. The IP address for the Secure Gateway for inbound Web Access SSL requests is selected from the list.

Local Port: The TCP port number to be used for SSL encryption of the Web Access session traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use.

Destination Host(s): The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Web Access web server. Use commas to separate entries.

Dest. Port: The TCP port number that the Web Access web server listens on. Default is 80.

Enable SSL: This checkbox decrypts and then forwards packets. Unselect this checkbox, and the packet is sent without being decrypted.

Certificate Name: This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL checkbox is selected. Note: Only certificates installed in the Windows machine store are recognized.


Connection Brokers Proxy

Local IP Address: This checkbox indicates secure traffic between the vWorkspace client and the Connection Broker servers. The IP address for the Secure Gateway for inbound Connection Broker SSL requests is selected from the list.

Local Port: The TCP port number for SSL encryption of Connection Broker traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use.

Destination Host(s): The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Connection Broker server. Use commas to separate entries.

Dest. Port: The TCP port number that the Connection Broker servers listen on. Default is 80.

Enable SSL: If this checkbox is selected, the Secure Gateway decrypts inbound SSL packets before forwarding them to the Connection Broker servers. If this checkbox is not selected the Secure Gateway does not encrypt SSL packets for inbound Connection Broker servers.

Certificate Name: This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL checkbox is selected. Note: Only certificates installed in the Windows machine store are recognized.


OPTIONS TAB FIELDS (field: description)

Connections Settings

Inactivity Timeout: This number is the amount of time a session can be inactive before the Secure Gateway terminates it. Default is 0 (no time out).

Server Logging

Enable to Trace login to the specified file: If this checkbox is selected, logging for troubleshooting is enabled. The name and location for this file are entered into the text box. You can also use Browse.

Configuration Options
The Web Access configuration option is discussed in this section. For more information on other Secure Gateway configurations, refer to the vWorkspace Administration Guide.

Web Access
This option describes a setup when a single point of entry is needed for users connecting from external networks, and the vWorkspace client is accessed by Web Access.
It is recommended that you use the Secure Gateway in conjunction with Web Access to protect sensitive data, such as passwords.


Web Access is configured with the FQDN of the Secure Gateway for any client devices whose IP address is not part of the corporate LAN. Remote clients gain access to the system using a single FQDN. Only one firewall access rule is required to permit inbound connections to the Secure Gateway on TCP port 443.

A valid 128-bit SSL certificate must be installed on the Secure Gateway.

The Secure Gateway, if situated in the DMZ, requires additional firewall rules that permit the Secure Gateway to communicate with Web Access and the virtual machines. Alternatively, the Secure Gateway and Web Access can be in the DMZ. Additional rules are required to permit the Secure Gateway to communicate with the virtual machines, and Web Access to communicate with the Connection Broker.
If you are using Secure Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console.


How to ...
Configure the Web Access
1. Use the following path to access the applet: Windows Control Panel | Quest Secure-IT
2. Complete the RDP Proxy section as follows:
a) Select Local IP Address, and then select an IP address from the list.
b) Enter the Local Port.
c) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized.
3. Complete the Web Access Proxy section as follows:
a) Select Local IP Address, and then select an IP address from the list.
b) Enter the Local Port.
c) Enter the IP address, host name, or FQDN of the Web Access web server to which the SSL Gateway forwards requests. Use commas to separate entries.
d) Select Enable SSL.


e) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized.
Both the RDP and the Connection Broker proxies can share the same IP address and TCP port.

4. Click OK.
5. Start the vWorkspace Web Access Management Console.
6. Select the farm from the list, and then click Firewall/SSL VPN.


7. Complete the fields on the Firewall/SSL VPN window:
a) Select SSL Gateway as the Default Address Translation Setting. Use this option when the IP addresses for users are unknown.
b) Enter information pertaining to Custom Address Translation Settings. The Custom Address Translation Settings are for internal, LAN based users. You can add address prefixes to prevent them from unnecessarily starting SSL encrypted RDP connections.


You must end your entry of the Client Address Prefix with a dot (.); for example: 10.4.
Use this option when the IP addresses for users are known.
If your Default Address Translation Settings is SSL Gateway and you have users who are not going to be using SSL Gateway, you would enter a Client Address Prefix, select Normal Address, and then click Add to add it to the Address Prefix List.

c) Enter the External SSL Gateway FQDN/IP Address.
d) Enter the TCP Port.
e) Enter IP addresses into the SSL Gateway/Local IP Address List. This needs to include all the IP addresses that appear in Local IP Address list in the Secure-IT Settings in the Web Interface Proxy settings section, as well as the Destination Host(s) IP address. Typically, the SSL Gateway/Local IP Address List includes all the possible IP addresses that an end user sees as their Source IP Address in the Session Info tab of Web Access.
f) Enter the external URL used to access Web Access remotely in the Web Access URL (external users) box. For example: https://webit.mycompany.com
g) Enter the internal URL used to access Web Access locally in the Web Access URL (internal users) box. For example: http://webit.mycompany.com

Please review the following notes about this configuration:
- If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console.
- The Web Access URL settings are global settings even though Firewall/SSL VPN settings are always farm specific. This means that if you modify the URLs for one farm, they are modified for all farms.

8. Click Save Changes.
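The trailing-dot rule for the Client Address Prefix in step 7, as an added example that is not part of the Quest guide or product code. It assumes the prefix is compared as plain text against the start of the client's dotted IPv4 address and that the first matching entry wins; all function names and sample addresses are constructed. It shows how a prefix entered without the dot also captures unrelated networks, which would then receive a Normal Address instead of the SSL Gateway.

```python
# Added illustration; not Quest code. Assumption: Web Access compares each
# Client Address Prefix as plain text against the start of the client's
# dotted IPv4 address, and the first matching list entry wins.
import ipaddress

SSL_GATEWAY = "SSL Gateway"      # Default Address Translation Setting (step 7a)
NORMAL = "Normal Address"        # setting chosen for LAN prefixes (step 7b)

# Constructed sample client addresses.
CLIENTS = ["10.4.7.20", "10.40.1.9", "10.45.200.3", "192.168.1.5", "203.0.113.50"]


def validate_prefix(prefix):
    """Return the problems found in one Client Address Prefix entry."""
    problems = []
    body = prefix
    if prefix.endswith("."):
        body = prefix[:-1]
    else:
        problems.append("missing trailing dot")
    octets = body.split(".")
    if not 1 <= len(octets) <= 3:
        problems.append("expected one to three octets")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            problems.append(f"bad octet {octet!r}")
    return problems


def translate(client_ip, prefix_list, default=SSL_GATEWAY):
    """Return the address translation setting applied to one client."""
    ipaddress.IPv4Address(client_ip)          # raises ValueError if malformed
    for prefix, setting in prefix_list:
        if client_ip.startswith(prefix):
            return setting
    return default


def overreach(prefix, clients):
    """Clients matched by a dot-less prefix that its dotted form would not match."""
    dotted = prefix if prefix.endswith(".") else prefix + "."
    return [ip for ip in clients
            if ip.startswith(prefix) and not ip.startswith(dotted)]


def audit(prefix_list, clients):
    """Report, per entry, its format problems and the clients it wrongly captures."""
    report = {}
    for prefix, setting in prefix_list:
        report[prefix] = {
            "setting": setting,
            "problems": validate_prefix(prefix),
            "unintended_clients": overreach(prefix, clients),
        }
    return report


if __name__ == "__main__":
    for entry, result in audit([("10.4", NORMAL), ("10.4.", NORMAL)], CLIENTS).items():
        print(entry, result)
    for ip in CLIENTS:
        print(ip, "->", translate(ip, [("10.4.", NORMAL)]))
```

Running the audit over the Address Prefix List before saving catches entries that would let clients outside the intended LAN range bypass SSL-encrypted RDP.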


5 Web Access SharePoint Integration
- Overview
- Requirements
- Setup Instructions

Overview
vWorkspace Web Access can be used in Microsoft Office SharePoint, Page Viewer Web Part.

Requirements
- Microsoft Office SharePoint users must be domain users.
- The .NET Framework 3.5 must be installed on the SharePoint server.
- vWorkspace Web Access can be installed on the SharePoint server, or another web server. It is recommended that both servers are in the same domain; otherwise, users are required to authenticate to both servers separately.

Setup Instructions
Use the following instructions to set up your vWorkspace Web Access Microsoft Office SharePoint integration.
1. Install Quest vWorkspace Web Access using the vWorkspace installer. Web Access can be installed on the SharePoint server, or on another Web server. It is recommended that both servers are in the same domain; otherwise, users are required to authenticate to both servers separately.
2. Configure Web Access using the Web Access Management Console the normal way, except for the following:
a) Configure Web Access to use Credentials Pass-Through. This is important so that users are automatically authenticated to Web Access when they connect to the SharePoint site running Web Access.
b) Select the Enable on SharePoint setting in the Content Layout options.
3. Open your SharePoint site to the page where you want to add Web Access, and then log in as the administrator or site owner.


4. Click Site Actions | Edit Page.
5. Click Add a Web Part in the pane where you want to add Web Access. This should be done in an area where Web Access can take up at least 525 by 635 pixels of space.
6. Locate the Page Viewer Web Part on the Add Web Parts Dialog window, and then click Add.


7. Ensure your SharePoint page looks like the following:
8. Click Edit next to the Page Viewer Web Part, and then select Modify Shared Web Part.
9. Select Web Page, and then enter the URL to the Web Access you installed and configured into the Link field on the Page Viewer Web Part properties pane. If you are using credentials pass-through, which is recommended, then you should enter the ssodefault.aspx page. For example: http://abc.mywasite.com/provision/web-it/ssodefault.aspx


10. Click Test Link. If you get an Access Denied error or are prompted to log in by a Microsoft Windows dialog window, it is because Web Access uses Windows Integrated Authentication to automatically log you in with your Windows credentials for single sign-on purposes, while the Web Access site is not part of the trusted sites list in the browser settings. Users should be instructed to do the following:
a) Select Tools | Internet Options in Internet Explorer, and then click on the Security tab.
b) Select Trusted Sites | Sites, and add the URL to the Web Access site to which the Page Viewer is pointing and the URL of the SharePoint site to the list.
11. Enter a friendly name on the Page Viewer Web Part window.
12. Expand the Appearance node, and complete the following:
a) Enter a fixed height of 525 pixels.
b) Enter a fixed width of 635 pixels.
c) Click OK.
13. Close the browser window, and then open it again.
14. Enter your SharePoint login credentials, and verify that Web Access has successfully retrieved your application set. It may take a few seconds for the Page Viewer area to be populated by your application set, as Web Access is doing a silent authentication via Windows Integrated authentication.


6 Web Access and Juniper Networks Secure Access
- Overview
- Create Custom Headers

Overview
Web Access and Juniper Networks Secure Access SSL VPN can be integrated as a single sign-on solution by using custom headers created by the Juniper Secure Access Central Manager.

Create Custom Headers


How to ...
Create Custom Headers
1. Open the Juniper Secure Access Central Manager.
2. Under Resource Policies, select Web | SSO Cookies/Headers.
3. Click New Policy.
4. Enter a name for the policy.
5. Specify your Web Access URL in the Resources section. For example: http://servername/provision/web-it/*
Enter the host name, FQDN, or IP address of your web server in the above URL.
6. Select the role to which the policy should apply in the Roles section. If you are not certain as to which policy or policies to apply, select Policy applies to All roles.


7. Select Append headers as defined below as the Action.
8. Enter each header name and value from the following table in the Headers and values section. Click Add after adding each header name and value.

HEADER NAME    VALUE
PN_Username    <USER>
PN_Password    <PASSWORD>
PN_Domain      MYDOMAIN (use the relevant domain to which your users authenticate)

9. Click Save Changes.
If all configurations have been completed correctly (such as Secure Access roles, permissions), users are presented with their applications when using Web Access.


If your Web Access implementation has multiple farms that users can authenticate to and get applications from, there are two different ways this can be configured:
1. If users are to be presented with applications for all configured farms, select Log users on to all configured farms on the Farms window in the Web Access Management Console.

OR

2. If users can log in to only one specified farm, add that information to the Header and values section. See step 8 for more information. For example:

HEADER NAME    VALUE
PN_Farm        MYFARM

a) If a farm has been previously selected and saved in the Web Access Custom User Settings, open the Settings window and unselect Remember farm selection for login.
b) Your Juniper users are presented with applications only from that farm.


7 Web Access and Smart Cards
- Overview
- Requirements

Overview
Smart card technology enables a secure, standard way to allow single sign-on for users. vWorkspace Web Access can be configured to use smart cards as a sign-on option.

Requirements
The following are requirements for using smart card authentication with Web Access:
- Internet Information Services (IIS) server must be joined to your domain.
- IIS cannot be used in conjunction with Secure-IT, because the connection to Web Access is terminated by Secure-IT. See About Secure Gateway for more information on Secure-IT.
- IIS server must have an SSL web server certificate from the Certificate Authority that has also issued the smart card certificate.
- Client machines that are not joined to your domain are prompted twice to authenticate: once to authenticate to IIS, and once when an application is started.

How to ...
Configure Web Access for Smart Cards
1. Join the IIS server to your domain.
2. Select Enable the Windows directory server mapper on the Web Sites Properties window, Directory Security tab. The Web Sites Properties window is found at the following path: Start | Administrative Tools | Internet Information Services | Web Sites folder | Properties (context menu)
3. Do the following to enable a web server certificate from the certificate authority:
a) Open Properties for ssodefault.aspx by using the following path from your web server on the IIS Manager: Web Sites | Default Web Site | Provision | web-it
b) Open the File Security tab and click Edit under Secure communications.
c) Select the following on the Secure Communications window:
- Require secure channel (SSL)
- Require 128-bit encryption
- Require client certificates
- Enable client certificate mapping

4. Complete the following Credentials Pass-Through settings on the Web Access Management Console. These settings can be done at the Farm or Global level.
a) Select Enable credentials pass-through.
b) Select Use Kerberos authentication.
c) Select Initial Authentication Only.
d) Add an asterisk (*) to the Intranet Address Prefix section to enable all IP addresses.
e) Click Save Changes.


8 Quest Defender and vWorkspace Integration
- Overview

Overview
Quest Defender software provides two-factor authentication by verifying authentication requests and enforcing authentication policies across enterprise networks. Administrators can use Quest Defender along with Web Access Two-Factor Authentication to further enhance security. The following describes the setup necessary for integrating Quest Defender and Quest vWorkspace Web Access version 6.x and later.

How to ...
Configure Quest Defender
1. Set up the DAN to accept incoming RADIUS requests from the Quest vWorkspace IIS server.
2. Confirm that the DAN is assigned to a DSS, and there are users or groups in the members tab.

Configure Quest vWorkspace Web Access
1. Open the vWorkspace Web Access Management Console.
2. Select the farm or farms to which this integration is to be applied.
3. Select Two-Factor Authentication from the Authentication settings.
4. Select Use two-factor authentication.
5. Select RADIUS (RSA ACE/Server, Secure Computing RemoteAccess).
6. Enter the DSS and DAN information into the RADIUS Server, RADIUS Port and RADIUS Secret Key fields.


7. Select Use Unencrypted Authentication (PAP).
8. Click Save Changes.
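What the PAP setting in step 7 means on the wire, as an added example that is not part of the Quest guide or any Quest code. Under RFC 2865, section 5.2, the passcode sent by the Web Access server is masked only with MD5 keyed by the RADIUS Secret Key from step 6, so that secret is the sole protection of the passcode between the Web Access server and Defender. The function names and sample values are constructed.

```python
# Added illustration; not Quest or Defender code. It implements the
# User-Password hiding defined for RADIUS PAP in RFC 2865, section 5.2.
import hashlib


def hide_password(password, secret, authenticator):
    """Client side (the Web Access server): build the User-Password value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()    # MD5(secret + prev block)
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        previous = block                                  # chain on the hidden block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side (the RADIUS server): undo the hiding with the same secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return clear.rstrip(b"\x00")                          # drop the null padding


# Constructed sample values.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))          # random per request in real traffic
PASSCODE = b"123456"                      # stands in for a token response
LONG_PASSWORD = b"a-constructed-passphrase-over-16-bytes"

if __name__ == "__main__":
    wire = hide_password(PASSCODE, SECRET, AUTHENTICATOR)
    print("on the wire: ", wire.hex())
    print("server reads:", reveal_password(wire, SECRET, AUTHENTICATOR))
    print("wrong secret:", reveal_password(wire, b"other", AUTHENTICATOR))
```

Because the mask depends only on the shared secret and the Request Authenticator, use a long random RADIUS Secret Key and keep the RADIUS traffic between the IIS server and Defender on a trusted network segment.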
