VMware Hands-on Labs - HOL-1841-01-NET


Lab Overview - HOL-1841-01-NET - Securing Horizon with Trend Micro and NSX

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This lab will demonstrate how VMware End User Computing and NSX Security solutions can provide a secure desktop experience while maximizing operational efficiency through automated security policy delivery and redundant internal and external access.


This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Installation and Configuration of Trend Deep Security (30 minutes)

Introduction




Launch the Installation Simulation of Trend Micro Deep Security


This part of the lab is presented as a Hands-on-Labs Interactive Simulation.  This will allow you to experience steps which are too time consuming or resource intensive to do live in the lab environment.

  1. Click here to open the installation simulation
  2. When finished, click the "return to lab" link to continue with this lab.

Conclusion


You have now seen what it takes to install and configure Trend's Deep Security with vCenter and NSX.  This included adding the vCenter connector and NSX as well as configuring the security policies within NSX to be used by Deep Security.

Congratulations on completing  Module 1.

Proceed to any module below which interests you most.

 

 


 

How to End Lab

 

To end your lab click on the END button.  

 

Hands-on Labs Interactive Simulation: Installation and Configuration of Trend Deep Security


This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

  1. Click here to open the interactive simulation. It will open in a new browser window or tab.
  2. When finished, click the “Return to the lab” link to continue with this lab.

Module 2 - Protecting Horizon Desktops with NSX and Trend Micro Deep Security (45 minutes)

Module 2 Introduction



In module two we are going to take a look at the ability of Trend Micro Deep Security to detect a virus on a Windows 10 virtual desktop. This detection will leverage VMware NSX, using a firewall rule to block all traffic to and from the VM. In a production environment, we could implement more advanced NSX firewall rules that allow an anti-malware server to access the infected machine and remediate the threat. This functionality could be leveraged further by utilizing vSphere APIs to capture the current state of the virtual machine just after infection for further investigation.


Ensure that Trend Micro is running properly


Due to the limited resources and virtualization nesting of the Hands-on Labs environment, not all services are always deployed successfully when a lab is launched.  The next six steps will guide you through the process to verify that guest introspection services are healthy before continuing on with your lab.


 

Launch Chrome

 

  1. Click Google Chrome Icon

 

Protecting Horizon Desktops with NSX and Trend Micro Deep Security



 

Launch Google Chrome

 

  1. Double click google chrome from the Main Console desktop.

 

 

Launch Trend Micro Deep Security

 

  1. Click to open a new tab
  2. Click Trend folder
  3. Click Trend Micro Deep Security from the menu bar

 

 

Log into Trend Micro Deep Security

 

Log into Trend Micro Deep Security.

  1. Username: admin
  2. Password: VMware1!
  3. Click Sign in.

 

 

Trend Micro Deep Security Main screen

 

  1. From the main screen select Computers.

 

 

View the managed machine

 

1. Notice that the "Win10-View-01a.corp.local" machine shows "managed online".

 

 

Open Horizon

 

1.  Open a new Tab in Chrome and select Horizon External Access.

 

 

Use Horizon HTML Access

 

  1. Select VMware Horizon HTML Access.

 

 

Log into Horizon

 

Log into Horizon with the following credentials.

(1) username: qeuser

(2) password: VMware1!

(3) Select Login

 

 

Select Windows-10

 

  1. Select Windows-10 desktop.

 

 

Open the temp-shortcut

 

  1. From the desktop double click the temp-Shortcut folder (1)

 

 

Copy the eicar.com file

 

eicar.com is the European Institute of Computer Anti-virus Research's Standard Anti-Malware Test File, a special 'dummy' virus file which we will now use to test the correct operation of Trend Micro Deep Security along with the NSX rulesets. (For the purposes of this test, the "Temp" directory has been excluded from Trend's detection.)

  1. Right click the eicar.com file
  2. Select copy.

 

 

 

Try to infect our VM

 

Let's see what happens when we try to infect our desktop with this virus file.

  1. Click anywhere on the desktop.
  2. Right click on the desktop.
  3. Select Paste.

 

 

Malware detected

 

Notice that the eicar file will not be permitted to be pasted to the desktop and will be detected as malicious code.  

A malware detection message will appear.

 

 

 

Disconnected message

 

A firewall rule will block all traffic to and from the desktop.  This will cause your session to terminate and if you try to reconnect to the desktop you'll be unable to at this point. (It may take a couple of minutes for this to be processed) Let's investigate further.

 

 

Open the vCenter Web Client

 

Let's log into our vCenter and see what has happened to our VM

 

 

Log in to the VMware Web Client

 

  1. User name: administrator@corp.local
  2. Password: VMware1!
  3. Select Login

 

 

Search for the Win10 Desktop

 

1. In the search bar type in Win10

2. Select Win 10-View-01a

 

 

 

Review the Win10 VM

 

  1. From the summary tab of the Win10-View-01a tab scroll down to Security Tags.

Note that the VM has been tagged with "ANTI_VIRUS.VirusFound.threat=medium" tag.

So Trend picked up the virus. Next, let's take a look at which policies in NSX changed connectivity to the machine.

 

 

 

View Firewall rules

 

  1. Click on the Home button.
  2. From the dropdown select Networking & Security.

 

 

Open Service Composer

 

1. Select Service Composer (1)

 

 

View Security Groups

 

  1. Click on Security Group tab.
  2. Click the Quarantine Group.
  3. In the Virtual Machine column you see there is one member of the group.  Click the number.

Notice the name of the VM in the Group. We can now verify that our Win10-View-01a VM has indeed been caught by this NSX Firewall rule due to the virus file we tried copying to the View desktop.

  1. Click the "x" to close the window.

 

 

Go back to the Trend Deep Security Tab in Chrome

 

  1. Switch to the Trend Deep Security tab in Chrome.

(Log back in if you have been timed out.)

username: admin

password: VMware1!

Click Sign in

 

 

Trend Micro Deep Security Main screen

 

  1. From the main screen select computers.

 

 

Find the Windows 10 machine

 

1. In the search Window type Win10

2. Press Enter

3. Locate Win10-View-01a.corp.local and double click the machine.

 

 

View Anti-Malware detection

 

  1. From the WIN10-VIEW-01A.corp.local system select Anti-Malware.

 

 

View Anti-Malware Events

 

  1. Click on the Anti-Malware Events Tab.
  2. Note that the Eicar file is listed as a quarantined file. This tells us that our file was quarantined and remediated.
  3. Close the WIN10-VIEW-01A.corp.local Tab.

 

 

Rescan the Windows 10 VM

 

  1. Right Click WIN10-VIEW-01A.corp.local in Trend.
  2. Select Actions.
  3. Select Full Scan for Malware (allow 60 seconds or so for this to complete).

 

 

View NSX Service Composer

 

Go back to the vSphere Web Client Tab in Google Chrome.

  1. You should still be on the Service Composer tab. Click refresh at the top of the page.

 

 

View the quarantined machines

 

Note that the number of Quarantined machines is now back at zero. This tells us that our machine has been effectively cleaned by Trend and put back into the active machine network.

 

 

Verify your connection to the Horizon desktop works once again

 

  1. Switch back to your VMware Horizon Tab in Chrome

 

 

Access to the desktop.

 

Notice that we once again have access to our Windows 10 desktop which means we effectively cleaned the virus and the NSX rules put the machine back on the production network! Great job.

 

Conclusion


In Module 2 we've seen how we can leverage both NSX and Trend Micro Deep Security together to detect and quarantine a Horizon desktop. We then showed how, after remediating the threat in Trend, NSX automatically detected that the VM was clean and removed it from the quarantine group, leaving the system back and ready for use. This automated workflow is a huge advantage, enabling organizations to quickly quarantine and remediate threats.
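
The following Python model is an added example, not part of the lab or of any VMware or Trend Micro code. It walks the Module 2 flow (tag applied, quarantine group membership, firewall block, rescan, release) and goes one step beyond the lab by adding the production variant mentioned in the Module 2 introduction, an allow rule for an anti-malware server placed above the quarantine blocks. The tag-based group criteria, the "Remediation" group, the "role=av-server" tag, the rule names, the av-server-01 VM, the default-allow rule and the tag being cleared by a clean rescan are all assumptions of the model.

```python
"""Toy model (not NSX or Deep Security code) of the Module 2 quarantine flow."""
from dataclasses import dataclass, field

# Security tag name as shown on the VM summary in the lab.
VIRUS_TAG = "ANTI_VIRUS.VirusFound.threat=medium"
AV_ROLE_TAG = "role=av-server"  # hypothetical tag for a remediation server


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # security group name, or "any"
    dst: str
    action: str  # "allow" or "block"


# Assumed membership criteria: a group contains every VM carrying its tag.
GROUP_TAG = {"Quarantine": VIRUS_TAG, "Remediation": AV_ROLE_TAG}


def members(group, inventory):
    """Dynamic membership: recomputed from current tags on every lookup."""
    return {vm.name for vm in inventory if GROUP_TAG[group] in vm.tags}


def matches(scope, vm, inventory):
    return scope == "any" or vm.name in members(scope, inventory)


def evaluate(rules, src, dst, inventory):
    """First matching rule wins; src is the connection initiator."""
    for rule in rules:
        if matches(rule.src, src, inventory) and matches(rule.dst, dst, inventory):
            return rule.action, rule.name
    return "allow", "default"  # assumed default for this model


# Lab behaviour: block everything to and from quarantined VMs.
LAB_RULES = [Rule("quarantine-out", "Quarantine", "any", "block"),
             Rule("quarantine-in", "any", "Quarantine", "block")]
# Production variant: an allow for the remediation server placed above the blocks.
PROD_RULES = [Rule("av-to-quarantine", "Remediation", "Quarantine", "allow")] + LAB_RULES


def walkthrough():
    desktop, broker = VM("Win10-View-01a"), VM("HVCS-01a")
    av = VM("av-server-01", {AV_ROLE_TAG})  # hypothetical VM name
    inv, seen = [desktop, broker, av], {}
    seen["clean"] = evaluate(PROD_RULES, broker, desktop, inv)
    desktop.tags.add(VIRUS_TAG)  # detection: the VM gets tagged
    seen["user"] = evaluate(PROD_RULES, broker, desktop, inv)
    seen["av_prod"] = evaluate(PROD_RULES, av, desktop, inv)
    seen["av_lab"] = evaluate(LAB_RULES, av, desktop, inv)
    seen["quarantined"] = sorted(members("Quarantine", inv))
    desktop.tags.discard(VIRUS_TAG)  # assumed: a clean rescan clears the tag
    seen["rescanned"] = evaluate(PROD_RULES, broker, desktop, inv)
    seen["quarantined_after"] = sorted(members("Quarantine", inv))
    return seen


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:18} {result}")
```

Rule order is what makes the production variant work: moving av-to-quarantine below the two block rules would cut the remediation server off as well, which is the lab's behaviour.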

 

Proceed to any module below which interests you most.


Module 3 - Protecting Web Servers against exploits with NSX and Trend Micro Deep Security (30 Minutes)

Module 3 Introduction


In module three we are going to demonstrate a Heartbeat exploit attack utilizing a Linux virtual machine and a Heartbleed Python script. Once we have demonstrated that the Web server is vulnerable, we will automatically protect it with agentless intrusion prevention services utilizing Trend Micro Deep Security in conjunction with VMware NSX.



Ensure that Trend Micro is running properly


Due to the limited resources and virtualization nesting of the Hands-on Labs environment, not all services are always deployed successfully when a lab is launched.  The next six steps will guide you through the process to verify that guest introspection services are healthy before continuing on with your lab.


 

Launch Chrome

 

  1. Click Google Chrome Icon

 

Protecting Web Servers against exploits with NSX and Trend Micro Deep Security



 

Launch a new tab and open DVWA

 

  1. In Chrome, click to open a new tab
  2. Click the DVWA folder
  3. Launch the Damn Vulnerable Web App

 

 

Open a new tab in Chrome to launch a Horizon desktop session

 

  1. In Chrome, click to open a new tab
  2. Click the Horizon Folder
  3. Click the Horizon External Access shortcut

 

 

Launch the terminal application

 

  1. Double-click the Terminal Icon on the Desktop.

 

 

Log into Trend Micro Deep Security

 

  1. Username: admin
  2. Password: VMware1!
  3. Click Sign In

 

 

Launch the vSphere Web Client

 

  1. In Chrome, click to open a new tab
  2. Click RegionA folder
  3. Click RegionA vCenter shortcut

 

 

Change focus to the Trend deep security interface tab

 

  1. Click to open Trend Micro Deep Security tab

 

 

Change focus to the Horizon tab

 

  1. Click the Horizon tab

 

Module 3 Summary


In module three we demonstrated a Heartbeat exploit attack utilizing a Linux virtual machine and a Heartbleed Python script. Once we demonstrated that the Web server was vulnerable, we automatically protected it with agentless intrusion prevention services utilizing Trend Micro Deep Security in conjunction with VMware NSX.

Proceed to any module below which interests you most.


 


 

Module 4 - Securing and protecting internal access using NSX load balancing (45 Minutes)

Module 4 Introduction


In module four we are going to demonstrate access to two load balanced Horizon connection brokers through a NSX load balancer.  We will use a Windows 10 virtual machine configured on an internal corporate network to demonstrate a connection to a Windows 10 Horizon managed virtual machine through a redundant pair of Horizon connection brokers.  This connection will use a single connection name space and SSL certificate presented by the NSX Load Balancer.



 

Module 4 Topology

 

The key components are outlined here.

  1. External endpoint
  2. Distributed Firewall
  3. Endpoint on an internal secure network
  4. Target horizon virtual desktop
  5. Load balancing services
  6. Connection Server 1
  7. Connection Server 2

 

 

Securing and protecting internal access using VMware NSX Load Balancing


In this module you will connect to an internal Windows 10 desktop through one of two redundant Horizon connection servers, verify redundancy and explore the NSX configuration.


 

Connect to the internal desktop

 

  1. Double Click the Internal Desktop Icon.

 

 

Connect to your Health care desktop

 

  1. Double click the Windows-10 Icon

 

 

Explore NSX load balancing configuration

In this lesson we will explore the NSX load balancing configuration and force a connection server failure.

 

 

Verify redundant connection server used for Horizon View connection


 

 

Disconnect from the Win10-View-01a Desktop session

 

  1. Click options
  2. Click Disconnect

 

 

Confirm disconnect

 

Click OK

 

 

Close the VMware Horizon Client

 

  1. Click the X

 

 

Close the RDP session

 

  1. Click the X to close the RDP session

 

 

Confirm the RDP session disconnect

 

  1. Click OK

 

 

Power the Connection server back on for module 5

If you plan to move on to module 5, you will need to power back on the connection server that was powered down in a previous step.  If you do not plan to move on to module 5, you can end your lab.

 

 

Return to the vSphere Web Client

 

  1. Click the vSphere Web Client tab

 

 

Find the connection server virtual machine

 

  1. Type the connection server name you powered down in a previous step. (HVCS-01a or HVCS-02a)
  2. Click on the connection server name.

 

 

Power on the selected connection server

 

  1. Right click the connection server.
  2. Hover over Power.
  3. Click Power On.

 

Module 4 Summary


In module four we demonstrated access to two load balanced Horizon connection brokers through a NSX load balancer.  We also simulated a failure of one Horizon connection server and verified redundancy.  This redundancy is key when designing a virtual desktop environment for production use.

 

Proceed to any module below which interests you most.


 


 

Module 5 - Securing and protecting external access using VMware Horizon access servers (45 Minutes)

Module 5 introduction


In module five we are going to demonstrate access to two Horizon View Access servers through a NSX load balancer.  We will simulate an external firewall protected connection to a Windows 10 Horizon managed virtual machine through a redundant pair of Horizon Access servers. The connection will use a single connection name space.  The Access Point functions as a secure gateway for users who want to access Horizon 7 desktops and applications from outside the corporate firewall.



 

Module 5 topology

 

The key components are outlined here.

  1. External endpoint
  2. Load balancing services
  3. Distributed firewall
  4. Endpoint on an internal secure network
  5. Target Horizon virtual machine
  6. Redundant connection servers
  7. Redundant access point

 

 

Access point configuration

 

  1. Access point HVAP-01a is paired to Connection Server HVCS-01a
  2. Access point HVAP-02a is paired to Connection Server HVCS-02a

 

 

VMware Horizon 7 Network Ports

 

 

Securing and protecting external access using VMware Horizon access servers


In this module we are going to demonstrate HTML Blast access to an internal Windows 10 VM using load balanced Horizon View Access servers paired to connection servers.


 

Lesson 1: Verify external access to internal protected network is secure

 

Launch Google Chrome from your Main Console

 

 

Lesson 2: Exploring the NSX firewall configuration

In this lesson we will explore the Distributed firewall rules blocking the access.

  1. Note the Internal connection

 

 

Lesson 3: Connection to a Horizon hosted virtual machine through a NSX edge gateway to a protected internal network

In this lesson we will connect to an internal VM through a load balanced Horizon View Secure Access point.

 

 

Lesson 4: Explore the Horizon Access Server load balancer configuration

In lesson 4 we will explore the Horizon View Access Point configuration.

A Horizon View Access Point functions as a secure gateway for users who want to access Horizon 7 desktops and applications from outside the corporate firewall.

Access Point appliances typically reside within a DMZ and act as a proxy host for connections inside your company’s trusted network. This design provides an additional layer of security by shielding View virtual desktops, application hosts, and View Connection Server instances from the public-facing Internet.

This configuration utilizes a NSX load balancer to target two redundant Access Points that are in turn paired with two redundant connection servers.  Refer to the topology diagrams below.

 

Module 5 Summary


In module five we demonstrated access to two load balanced Horizon access servers through a NSX load balancer.  We also explored the firewall configuration required to secure external connections to a Horizon View environment.  This secure external HTML access enables internal applications to be securely delivered for production environments.

 

Proceed to any module below which interests you most.

 


 


 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1841-01-NET

Version: 20171129-072133