VMware Hands-on Labs - HOL-1951-03-VWS


Lab Overview - HOL-1951-03-VWS - VMware Workspace ONE Advanced

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab you will learn how to install and configure an on-premise deployment of VMware Identity Manager (vIDM) and how to integrate Workspace ONE with Horizon 7 and Web Applications. You will also learn about configuring Workspace ONE with a RADIUS-based 2-Factor Authentication solution, followed by a walk-through of the process of configuring Workspace ONE for high availability.

Lab Module List:

 Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session, but you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Installation and Configuration of VMware Identity Manager (30 minutes)

Introduction


In this module you will cover the installation and configuration of a single, on-premise version of VMware Identity Manager (vIDM) 3.2. Once the configuration has been completed, you will review features and functionality available in the Administration Console.

 


 

What is Workspace ONE?

 

Workspace ONE provides the ability to simply deliver and manage any app on any device. It delivers on consumer-simple expectations like one-touch access to nearly any app, from any device, optimized with AirWatch Conditional Access. It empowers employees to get productive quickly with a self-service app store while giving IT a central place to manage user provisioning and access policy, with the enterprise-class directory integration, identity federation and user analytics expected from the leader of hybrid cloud infrastructure.

 

 

What is VMware Identity Manager?

 

VMware Identity Manager (vIDM) is the name of the appliance that runs Workspace ONE.   It is also a software layer that resides in the appliance that provides identity-related components, including authentication for users who single sign-on to resources in VMware Workspace ONE. You can create a set of policies that relate to networking and authentication to control access to these resources. 

 

 

What are the Key Benefits?

Workspace ONE provides an environment where employees can be both happy and productive, removing the traditional barriers to mobility like complex passwords, configuration steps, traditional VPNs and tokens by uniquely optimizing authentication for each device type rather than the lowest common denominator. It frees the business to roll out new SaaS and mobile apps and services immediately to forever change business processes and customer engagement while maintaining a single point of user entitlement and license monitoring. It simplifies IT by leveraging existing directory infrastructure and extending it to SaaS and mobile apps with automated provisioning, utilization reporting and conditional access policies.

 

Power on Appliance


Due to the length of time it takes to power on the appliance in a lab environment, you will execute that task first.  Once you have powered on the appliance, continue on with the lab while the boot process is taking place.


 

Launch Browser

 

  1. From the main console, double-click on Google Chrome

 

 

Login to the vSphere Client

 

The vSphere HTML client login screen should appear. If not, navigate to https://vcsa-01.corp.local

  1. Select Use Windows session authentication
  2. Click on Login

 

 

 

Power On the VM

 

  1. Under the RegionA01-COMP01 cluster, right-click on the vIDM-02 VM
  2. Select Power
  3. Select Power On

This process may take up to 15 minutes in this lab environment.   Please continue on with the lab.  You will navigate back to the appliance at a later point in time.

 

Deployment Options for On-Premise VMware Identity Manager


VMware Identity Manager (vIDM) offers both a Windows and a Linux deployment option. The Windows version can be installed on Windows Server 2008 R2, 2012 R2, or 2016. The Linux version is delivered as a virtual appliance running SUSE Linux Enterprise 11. In this lab we will be using the Linux-based virtual appliance.

 

 

In this lab, we have a single-node vIDM deployment, which is common during a proof of concept. In a production environment VMware recommends a 3-node clustered configuration to maintain full functionality. More information on clustering vIDM and deploying it for high availability can be found in Module 5 of this lab.


Deploy VMware Identity Manager Appliance


In this chapter, we will walk through the process of deploying the Identity Manager (vIDM) 3.2 Linux appliance.  This chapter is strictly theoretical with no steps to be performed.

 


 

Configure DNS

 

These steps are not to be performed in the Lab environment.

The vIDM appliance requires both forward (A-record) and reverse (PTR-record) DNS records.

As you can see, both have been configured for the vIDM appliance vIDM-02.

 

 

Time Sync

 

vIDM is sensitive to time differences between the systems it integrates with.  For example, the maximum skew time for SAML is 30 seconds.

You should confirm Time Configuration is set up and running on the ESXi host(s) in which vIDM will reside.  The appliance will pick up the correct time from the ESXi host.  When integrating vIDM with Active Directory it is important that the ESXi hosts and your domain controllers are time synced to the same source.
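Why a clock difference matters for SAML, as an added example that is not part of the lab or of vIDM itself: the sketch below checks an assertion's validity window against the receiver's clock with the 30-second skew mentioned above. The assertion fragment, the timestamps and the function names are constructed for illustration, and applying the skew to both ends of the window is an assumption about how a SAML receiver commonly behaves.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(seconds=30)  # skew limit quoted in the lab text

# Constructed assertion fragment (not captured from the lab). Only the
# Conditions element matters for the time check, so the rest is omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2018-08-01T12:00:00Z">
  <saml:Conditions NotBefore="2018-08-01T12:00:00Z"
                   NotOnOrAfter="2018-08-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_utc(value):
    """Parse a SAML timestamp in the whole-second UTC form used above."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_utc(cond.attrib["NotBefore"]), parse_utc(cond.attrib["NotOnOrAfter"])


def check_time(assertion_xml, receiver_now, max_skew=MAX_SKEW):
    """Accept or reject the assertion as seen by the receiver's clock."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if receiver_now + max_skew < not_before:
        gap = (not_before - receiver_now).total_seconds()
        return f"rejected: not yet valid, window opens {gap:.0f}s in the receiver's future"
    if receiver_now - max_skew >= not_on_or_after:
        return "rejected: expired"
    return "accepted"


def demo():
    """Evaluate the same fresh assertion with receiver clocks 45s, 20s and 0s behind."""
    issued = datetime(2018, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    return {
        offset: check_time(SAMPLE_ASSERTION, issued + timedelta(seconds=offset))
        for offset in (-45, -20, 0)
    }


if __name__ == "__main__":
    for offset, verdict in demo().items():
        print(f"receiver clock offset {offset:+d}s -> {verdict}")
```

A receiver whose clock is 45 seconds behind rejects an assertion that was issued correctly, which is the failure that a shared time source for the ESXi hosts and domain controllers prevents.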

Note:  The following screen captures used the vSphere Web Client.

These steps are not to be performed in the Lab environment.

To confirm the host has time configured:

  1. Within vCenter, click on esxi-03a.corp.local
  2. Select the Configure tab
  3. Select Time Configuration

As you can see NTP Client is running on the host, configured with IP Address 192.168.100.1.

 

 

Deploy the Virtual Appliance

 

Once all prerequisites are in place and you have downloaded the vIDM Storage Virtual Appliance (SVA)  from my.vmware.com, you are ready to begin the deployment process.  In this lab the appliance has been uploaded for you.  For informational purposes you will review the process for uploading the appliance.

These steps are not to be performed in the Lab environment.

  1. Right click on esx-03a.corp.local
  2. Select Deploy OVF Template

 

Run Setup Wizard


Once the OVA file has been deployed, the remainder of the initial setup takes place in the GUI based Identity Manager Appliance Setup Wizard.

Note:  All additional steps moving forward are to be done in the lab unless otherwise noted.


 

Confirm you are still logged into the vSphere Client

 

First we must confirm that the vIDM appliance vIDM-02 has booted up.

  1. Confirm you are still logged into the vSphere Client

If you are logged in, go directly to the Navigate to the vIDM Appliance step. If you need to log back into the vSphere Client, continue on to the next step.

 

 

Navigate to the vIDM Appliance

 

  1. Right click on vIDM-02
  2. Select Remote Console

 

 

Open Additional Browser Tab

 

  1. From Google Chrome, open another tab

 

 

Launch Administration Console

 

  1. Open the WS1 shortcut folder
  2. Select the New vIDM shortcut

 

 

VMware Identity Manager Appliance Setup Wizard

 

  1. To start the VMware Identity Manager Appliance Setup wizard, click on Continue

 

Configuration of VMware Identity Manager


In this chapter you will learn how to complete the configuration process using the Administration Console.


 

Log into the Administration Console

 

Here you have the login screen for the Administration Console

  1. Specify admin as the user.  This is the Appliance Administrator Account.
  2. Type VMware1! as the password
  3. Click Sign in

 

 

Modify User Attribute Requirements in VMware Identity Manager

 

vIDM utilizes User Attributes, defined in your identity source, to filter which users and groups should be synchronized with vIDM.

  1. Confirm you are on the Identity & Access Management tab
  2. Click on Setup
  3. Select User Attributes

 

 

Click on Manage

 

  1. In the upper  right hand corner, click on Manage

 

 

Add Directory

 

vIDM supports Active Directory, LDAP, or Local Users directories. In this lab we use Active Directory. If you choose to use LDAP in your environment as your identity source, be aware that certain limitations exist; for example, you cannot join vIDM to an LDAP domain.

  1. Select Add Directory
  2. Click on Add Active Directory over LDAP/IWA

 

 

Role Based Access Control

 

  1. Click on the Roles tab

Note:  Roles may be hidden behind the search box, depending on what your screen resolution is set to.

Role Based Access Control (RBAC) allows you to define specific roles that an administrator is granted within vIDM. Starting with vIDM 3.2, you can control what a given administrator can and cannot modify within the console. By default there are three different levels of administrators.

 

Administration Console Walk-Through


The VMware Identity Manager (vIDM) Administration Console lets you manage users, groups, resources, entitlements, and access policies. In this chapter we will take a tour of the features and functionality of the Administration Console.


 

Dashboard

The dashboard section of the Administration Console is where you go to gain an overview of utilization, health, and wellness of your environment.

 

 

Reports

 

  1. Select the down arrow next to Dashboard
  2. Click on Reports

 

 

Users and Groups

 

  1. Click on the Users & Groups tab
  2. Note the ones that list Domain as corp.local.  These are the accounts that were imported from Active Directory when you added the Directory earlier in the lab
  3. The accounts labeled as System Domain are the local vIDM accounts
  4. Click on Add User

 

 

 

Catalog

 

  1. Click on the drop-down arrow next to Catalog

The catalog tab allows you to define your Web Apps and Virtual Apps that you wish to publish on the Workspace ONE portal.

Web Apps are considered Software as a Service (SaaS) based applications.  With Web Apps, you have the ability to enable approvals.   Once approvals have been activated, vIDM can integrate with a third party approval system. As soon as a user makes a request for an application that is located in the catalog an approval sequence is initiated. The request must then be approved before a user will be allowed to launch the application.  

Virtual Apps are published applications such as Horizon, Horizon Cloud, or  Citrix-Published Applications. To walk through the process of publishing a Horizon desktop please review Module 2 of this lab.  

 

 

Identity & Access Management

 

  1. Click on the Identity & Access Management tab

The Identity & Access Management tab contains options for how a user will access the environment. You visited this section earlier when you integrated Active Directory with vIDM. We will now take a look at some additional features.

 

 

Appliance Settings

 

  1. Click on the Appliance Settings tab

In this tab you have the option to configure the appliance, enter the license number, configure SMTP alerts, as well as choose if you would like to participate in the user experience program (Telemetry).

  1. Click on Manage Configuration

 

Conclusion


Congratulations!  You have now completed Module 1.  You should be familiar with the initial setup and configuration of VMware Identity Manager.  


 

VMware Identity Manager Document Library

 

If you are looking for additional information on how to configure

Proceed to any module below which interests you most.

Lab Module List:

Module 2 - Integrating Workspace ONE with Horizon (60 minutes) (Advanced) Walk through the integration of Horizon 7 with Workspace ONE to deliver desktops and apps

Module 3 - Configure MFA using RADIUS in Workspace ONE (15 minutes) (Advanced) Learn how to configure a RADIUS compatible authentication adapter

Module 4 - Integrating Workspace ONE with SAML Based Web Applications (30 minutes) (Advanced) Learn how to add web applications and configure single-sign-on with SAML 2.0

Module 5 - Configure Failover and Redundancy for Workspace ONE (15 minutes) (Advanced) Learn how to design a highly available Workspace ONE deployment in both single- and multi-site implementations

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 2 - Integrating Workspace ONE with Horizon 7.5 (60 Minutes)

Introduction


*PLEASE NOTE* - This module is dependent on the Workspace ONE Identity Manager configuration that was done in Module 1 of this lab.

Please be sure that you have completed the following sections of Module 1 before continuing with this module:

The Identity Manager server you configure in Module 1 will be used for Horizon integration in this module.

In this module you will integrate VMware Horizon 7.5 with an on-premise installation of VMware Identity Manager 3.2. The Identity Manager appliance has already been deployed, and you will configure it for Horizon integration.

Please note in this module we recommend using Google Chrome for the best experience. This browser has been configured to ignore self-signed certificates.


 

Integrating Horizon 7.5 with Identity Manager

Integrating VMware Horizon 7, Horizon 6, or View with the VMware Identity Manager service lets you provide users the ability to access their entitled Horizon desktops and applications from the Workspace ONE portal or app. You can integrate independent Horizon pods, which consist of Horizon Connection Server instances, and pod federations, which contain multiple pods and can span multiple sites and data centers.

You deploy and manage desktop and application pools in the Horizon Administrator interface. You also create entitlements for Active Directory users and groups in Horizon, not in VMware Identity Manager. You must sync these users and groups to the VMware Identity Manager service from Active Directory before integrating with Horizon.

To integrate Horizon pods and pod federations with VMware Identity Manager, you create one or more virtual apps collections in the VMware Identity Manager administration console. The collections contain the configuration information for the pods and pod federations, as well as sync settings. You then sync the Horizon resources and entitlements to VMware Identity Manager.

In the VMware Identity Manager administration console, you can view the Horizon desktops and applications. You can also view user and group entitlements.

End users can run their entitled desktops and applications from the Workspace ONE portal or app. These desktops and apps can be accessed over HTML in a browser or over a supported display protocol in the Horizon Client.

 

Prepare for Horizon Integration with Identity Manager


In Module 1 you configured an Identity Manager appliance, which is not yet configured for Horizon integration. Please be sure you completed Module 1 of this lab before continuing with this module.

Integrating Horizon with Identity Manager enables you to sync desktop and application resources, along with entitlements (assignments) to these resources to Identity Manager.  

Installing and configuring VMware Horizon 7.5 is outside the scope of this lab. In this section you will use the Horizon Administrator console to verify desktop entitlements, which will be used for Identity Manager integration.


 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Horizon Administrator

 

  1. Select Horizon from the bookmarks bar
  2. Select Horizon-02-Admin

 

 

Login to Horizon Administrator

 

  1. User name: administrator
  2. Password: VMware1!
  3. Verify Domain: CORP
  4. Select Log In

 

 

Navigate to Desktop Pool

 

  1. Expand Catalog and select Desktop Pools
  2. Click twice on the Manual pool to open the properties page

 

 

Review Entitlements

 

  1. Select Entitlements
  2. Verify the Domain Users group has been entitled to the Desktop Pool

 

 

Leave Horizon Administrator Open

 

Leave the VMware Horizon 7 Administrator tab open in Chrome, as you will use it in the next lesson.

 

Configure SAML Authentication


Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. Identity Manager provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.

In this section, you will configure SAML authentication in Horizon.


 

Navigate to Horizon View Administrator Tab in Chrome

 

  1. From the Chrome browser, select the View Administrator tab

Chrome should already be running with the View Administrator tab available. If so, you can skip the following steps and proceed to Configure SAML Authentication on Horizon Connection Server.

 

 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Horizon View Administrator

 

  1. Select Horizon from the bookmarks bar
  2. Select Horizon-02-Admin

 

 

Log In to Horizon View Administrator

 

  1. User name: administrator
  2. Password: VMware1!
  3. Verify Domain: CORP
  4. Select Log In

 

 

Configure SAML Authentication on Horizon Connection Server

To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon Administrator.

A SAML authenticator contains the trust and metadata exchange between Horizon 7 and the device to which clients connect.

You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.

 

 

SAML Configuration Complete

You have successfully configured your Horizon 7 Connection Server for SAML authentication.

 

Configure Horizon Pods and Pod Federations in VMware Identity Manager


VMware Identity Manager is an Identity as a Service (IDaaS) offering, providing application provisioning, self-service catalog, conditional access controls and Single Sign-On (SSO) for SaaS, web, cloud and native mobile applications.

You can integrate the following types of resources with VMware Identity Manager:

In this module you will configure Identity Manager for integration to an existing, on-premises VMware Horizon 7 v7.5 pod.


 

Integrate Horizon Cloud Pod Architecture Pod Federations with Identity Manager

 

The Horizon Cloud Pod Architecture (CPA) feature links together multiple Horizon pods to form a single, large desktop and application brokering and management environment called a pod federation. A pod federation can span multiple sites and data centers.

While CPA is outside the scope of this lab, note that Identity Manager can be integrated with both single Horizon pods as well as CPA pod federations.

If you would like to learn more about Horizon Cloud Pod Architecture, please visit lab 1951-02.

 

 

Integrate an Independent Horizon Pod with Identity Manager

To integrate Horizon pods in VMware Identity Manager, you create one or more virtual apps collections in the VMware Identity Manager administration console. The collections contain the configuration information for the Horizon Connection Servers as well as sync settings.

 

 

Open a New Tab in Chrome

 

  1. Open a New Tab in the Chrome browser.

You should already have Chrome running from the previous lesson. If so, open the new tab and proceed to Navigate to the Identity Manager Login Page.

 

 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to the Identity Manager Login Page

 

  1. Select WS1 from the shortcut menu
  2. Select New vIDM

 

 

Change Authentication Domain

 

  1. The logon page is currently configured to authenticate to the corp.local domain
  2. Select Change to a different domain

 

 

Choose System Domain

 

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the VMware Identity Manager appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

 

 

Sign In to Workspace ONE as Admin

 

  1. username = admin
  2. password = VMware1!
  3. Select Sign in

 

 

Verify User Attributes

 

  1. Select Identity & Access Management
  2. Select Setup
  3. Select User Attributes
  4. Verify distinguishedName and userPrincipalName are selected

When configuring Identity Manager to sync user accounts from Active Directory or another directory service, specific user attributes are required for Horizon integration.

If the required attributes are not populated and synced, Horizon desktops and applications may not work properly.

 

 

Create Virtual Apps Collection

You can integrate Horizon desktops and applications, Horizon Cloud desktops and applications, Citrix published resources, and ThinApp applications with VMware Identity Manager.

Beginning with the 3.1 release, these resources are managed with the new Virtual Apps Collections feature.

 

Launching Horizon Desktops and Applications from Workspace ONE


Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. Identity Manager provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.

In this section you will authenticate to Workspace ONE as an end user, then launch Horizon resources.


 

Log Out of Previous Workspace ONE Sessions

In this exercise you will connect to Workspace ONE using end user credentials. To do this, it is important that any existing Workspace ONE sessions are logged off.

 

 

Navigate to Existing Workspace ONE Tab in Chrome

 

  1. Navigate to the VMware Workspace ONE tab in Chrome.

You should still have Chrome opened with a tab for VMware Workspace ONE. If so, proceed to Logout of VIDM-02. If you closed Chrome, proceed to the next step.

 

 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Workspace ONE

 

  1. Select WS1 from the Chrome bookmarks bar
  2. Select New vIDM

 

 

Logout of VIDM-02

 

  1. Select the drop-down menu next to the logged on user
  2. Select Logout

 

 

Go Back to Login Page

 

  1. Select Go back to login page

 

 

Verify Authentication Domain

 

  1. Verify the domain selected is corp.local
  2. Select Next

 

 

Authenticate to Workspace ONE as an End User

 

  1. username = user1mod1
  2. password = VMware1!
  3. Select Sign in

 

 

 

Review Workspace ONE Preferences

Once logged on to Workspace ONE, your catalog of applications and desktops is available.

 

 

Navigate to User Settings

 

  1. Select the drop-down menu next to the user avatar
  2. Select Settings

 

 

User Preferences

 

  1. Select Preferences

 

 

Review Horizon Remote Apps Configuration

 

Workspace ONE is currently configured to launch apps and desktops using the Horizon Client.

While this option provides the best overall user experience, Horizon also supports HTML access for added flexibility.

 

 

Configure Horizon Remote Apps for Browser

 

  1. Select Browser
  2. Select Save
  3. Note the Successfully saved selected preference message.

 

 

Back to Catalog

 

  1. Select Back

 

 

Launch Remote Desktop

 

  1. Select Open on the Man-Pool1 desktop pool

Identity Manager checks the network and access policy rules, then passes a SAML token to Horizon to start and authenticate to the remote desktop or application.

 

 

VMware Horizon HTML Access

 

  1. The remote desktop is opened in a new Chrome tab
  2. Click to expand the Horizon Client controls

 

 

Log Out of Windows

 

  1. Select Options for the running VM
  2. Select Log Off

 

 

Confirm Log Off

 

  1. Select OK
  2. Select Close

 

 

Sign out of Horizon HTML Access

 

  1. Select Options for Horizon
  2. Select Log out

 

 

Confirm Log Off

 

  1. Select OK

 

 

Sign Out of Workspace ONE

 

  1. Expand the drop-down menu
  2. Select Sign Out

 

 

Go Back to Login Page

 

  1. Select Go back to login page

Leave this page open as you will use it in the next exercise.

 

Configure Access and Network Policies and Client Access URL


The VMware Identity Manager service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

A policy rule can also be configured to deny access to users by network range and device type.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You should already be at the Workspace ONE login page. If so, skip to the Change Authentication Domain step.


 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to the Identity Manager Login Page

 

  1. Select WS1 from the shortcut menu
  2. Select VIDM-02

 

 

Change Authentication Domain

 

  1. The logon page is currently configured to authenticate to the corp.local domain
  2. Select Change to a different domain

 

 

Choose System Domain

 

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the VMware Identity Manager appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

 

 

Sign In to Workspace ONE

 

Authenticate to the System Domain as admin.

  1. username = admin
  2. password = VMware1!
  3. Select Sign in

 

 

Navigate to Policies

 

  1. Select Identity & Access Management
  2. Select Policies

 

 

Network Ranges

 

  1. Select Network Ranges

 

 

Verify Default Access Policy Settings

The VMware Identity Manager service includes a default access policy that controls user access to their Workspace ONE portals and their Web applications. You can edit the policy to change the policy rules as necessary.

When you enable authentication methods other than password authentication, you must edit the default policy to add the enabled authentication method to the policy rules.

Each rule in the default access policy requires that a set of criteria be met to allow user access to the applications in the portal. You apply a network range, select which type of user can access the content, and select the authentication methods to use.

 

 

Create a New Access Policy to Deny Application Access

A policy rule can be configured to deny access to users by network range and device type.

You will create a rule to deny access to a Horizon published application when it is accessed from a specific network.

 

 

Configure Client Access URL

The client access URL is used to launch locally-entitled resources from the Horizon pod, when users request applications and desktops via Workspace ONE and Identity Manager.

In an earlier exercise you configured Horizon Virtual Apps, and supplied the FQDN of a single connection server to complete the Identity Manager integration with your Horizon pod.

In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers or UAGs. The client access URL should be configured so it directs requests for Horizon resources to the VIP.

 

 

Configure Access and Network Policies and Client Access URL Complete

You have successfully:

 

Launching Horizon Desktops with Deny Access Policy Rule


In the previous exercise you created a new network range for the corporate network, and a new policy to deny access for a specific Horizon resource when accessed from this network.

In this section you will authenticate to Workspace ONE as an end user, and attempt to launch the Horizon Desktop pool.


 

Navigate to VMware Workspace ONE Tab in Chrome

You should already have Chrome open with a tab to VMware Workspace ONE. If so, you can skip the next couple of steps and proceed to Authenticate to Workspace ONE as an End User.

 

 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Workspace ONE

 

  1. Select WS1 from the Chrome bookmarks bar
  2. Select New vIDM

 

 

Verify Domain

 

  1. Verify the domain selected is corp.local
  2. Select Next

 

 

Authenticate to Workspace ONE as an End User

 

  1. username = user1mod1
  2. password = VMware1!
  3. Select Sign in

 

 

Launch App

 

  1. Select Open

 

 

Access Denied Due to Policy

 

  1. Select OK

This time the Horizon Desktop cannot be opened because of the deny rule you created in the previous exercise.

 

 

Conclusion


Congratulations!  You have now completed Module 2.  You should be familiar with the integration of Horizon 7 with VMware Workspace ONE Identity Manager.  


 

Horizon Integration

 

If you are looking for additional information:

Proceed to any module below which interests you most.

Lab Module List:

Module 1 - Installation and Configuration of VMware vIDM (30 minutes) (Advanced) Walk through the installation and configuration of the VMware Identity Manager

Module 3 - Configure MFA using RADIUS in Workspace ONE (15 minutes) (Advanced) Learn how to configure a RADIUS compatible authentication adapter

Module 4 - Integrating Workspace ONE with SAML Based Web Applications (30 minutes) (Advanced) Learn how to add web applications and configure single-sign-on with SAML 2.0

Module 5 - Configure Failover and Redundancy for Workspace ONE (15 minutes) (Advanced) Learn how to design a highly available Workspace ONE deployment in both single- and multi-site implementations

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 3 - Configure MFA using RADIUS in Workspace ONE (15 Minutes)

Introduction


VMware Workspace ONE allows for setting up Network Ranges and different authentication policies that can be assigned to different network ranges.

For example, you might want your end-users to authenticate with their AD credentials when they are in the office and connected to the corporate network, while you might want them to use 2-factor authentication when working from home. Or you might have a group of users requiring MFA because of the applications they can access.

For this lab we are using FreeRADIUS.net to simulate a RADIUS compatible authentication adapter. In a real-world scenario this could be your RSA Server or any other 2-factor authentication solution supporting the RADIUS protocol. We have set up a different password (123456) from the default AD password (VMware1!) typically used in the HOL; consider this your RSA token.

We will walk you through the configuration of the RADIUS authentication adapter within Workspace ONE and assign RADIUS authentication to all connections coming from a specific network range.


 

Lab Ready?

 

1. Make sure the Lab Status is Ready

 

 

Start FreeRADIUS.net

 

  1. Open Start Menu
  2. Select FreeRADIUS START
  3. Verify FreeRADIUS is started and Ready to process requests.

Attention!

Please leave the FreeRADIUS START Window open or minimize it, but DO NOT close it.

 

Setup RADIUS as an Authentication Adapter


In this module we will set up RADIUS as an additional authentication adapter and configure it to work with our FreeRADIUS.net instance.


 

Launch Browser

 

  1. From the Main Console, open Google Chrome

 

 

Open Identity Manager console

 

  1. Click WS 1 and open VIDM-01 Admin to open Management Console
  2. Username: administrator
  3. Password: VMware1!
  4. Click Sign in

 

 

Setup Authentication Adapters

 

  1. Click Identity & Access Management tab
  2. Click Setup
  3. Click on vidm-01.corp.local

 

 

Modify Authentication Adapters

 

  1. Click Auth Adapters
  2. Click RadiusAuthAdapter

 

 

Configure RADIUS

 

  1. Check 'Enable RADIUS Adapter'
  2. Check 'Enable direct authentication to Radius server during auth chaining'
  3. Set 'Number of attempts to Radius server' to 5
  4. Set 'Server timeout in seconds' to 5
  5. Specify 192.168.110.10 as the RADIUS server ip
  6. Scroll down
  7. Set Accounting port to 1813
  8. Choose PAP as Authentication type
  9. Enter HOLrocks! as the shared secret
  10. Scroll down (leave configuration for secondary server empty)
  11. Click Save
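What the PAP and shared secret settings above mean on the wire, as an added example (not part of the lab manual and not VMware's code): with PAP, the passcode in the Access-Request is hidden only by an MD5 keystream derived from the shared secret and the packet's Request Authenticator, as defined in RFC 2865 section 5.2. The function names and the fixed authenticator are illustrative assumptions; the shared secret and passcode are the lab's values.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; User-Password is processed in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(passcode: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Client side: build the User-Password attribute value (RFC 2865 5.2)."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(passcode) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = passcode + b"\x00" * (-len(passcode) % BLOCK)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        # Keystream for block n is MD5(secret + previous hidden block);
        # the first block uses the Request Authenticator instead.
        keystream = hashlib.md5(shared_secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], keystream)
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recover the passcode from the User-Password value."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 octets, multiple of 16")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        clear += _xor(hidden[i:i + BLOCK], keystream)
        prev = hidden[i:i + BLOCK]
    # There is no integrity check here: a server holding a different secret
    # simply decodes garbage, so a mistyped shared secret shows up as a
    # rejected passcode rather than as a configuration error.
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"HOLrocks!"          # shared secret from the lab step
    passcode = b"123456"           # RADIUS passcode used in the lab
    request_auth = os.urandom(16)  # a real client picks this per request

    hidden = hide_password(passcode, secret, request_auth)
    print("User-Password on the wire:", hidden.hex())
    print("Server with same secret  :", reveal_password(hidden, secret, request_auth))
    print("Server with other secret :", reveal_password(hidden, b"HOLrocks?", request_auth))
```

Because this keystream is the only protection PAP gives the passcode between Identity Manager and the RADIUS server, production deployments use a long random shared secret and keep that hop on a trusted or encrypted network segment.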

 

 

Return to Admin Console

 

1. Close this tab to return to the Admin Console

 

Create Network Range and modify policy


To limit RADIUS authentication to clients in a specific network, we have to create a network range and modify the default policy to use RADIUS for that range.


 

Switch To Policies

 

  1. Click Manage
  2. Click Policies
  3. Click Network Ranges

 

 

Add Network Range

 

  1. Click Add Network Range

 

 

Define Network Range cont.

 

  1. Enter RADIUS Test as 'Name' for the network range
  2. Provide a description RADIUS Test (optional)
  3. Enter 192.168.100.1 as 'From'
  4. Enter 192.168.100.255 as 'To'
  5. Click Save

This will add all the 192.168.100.xxx IP addresses to the RADIUS Test network range and will include our test VM.

 

 

Verify the new network range has been added

 

  1. Verify RADIUS Test IP Address Range was created
  2. Close the Network Ranges Window

 

 

Change default access policy

 

  1. Click default_access_policy_set

 

 

Edit Policy

 

  1. Click Edit

 

 

Edit Policy

 

  1. Click the X to ignore the warning about modifying the default policy
  2. Click Next

 

 

Add Policy Rule

 

  1. Click Add Policy Rule

 

 

Configure Policy Rule

 

  1. Select RADIUS Test from dropdown menu
  2. Select Web Browser from dropdown menu
  3. Select RADIUS from dropdown menu
  4. Select Password from dropdown menu
  5. Click on Advanced Properties
  6. Scroll Down

 

 

Advanced Properties

 

Besides re-authentication time, you can configure a Custom Error Message, Custom Error Link Text and a Custom Error Link URL, where you could guide the user to a how-to document or further information on how to resolve any issues with authentication.

Please take a minute to look at all the different authentication method options, which allow you to set up different authentication methods for different devices/access methods and locations (based on network range).

You can also combine multiple authentication methods if you need more than 2-factor authentication.

  1. Click Save

 

 

Change Policy Rule Order

 

1. Hover the mouse cursor over RADIUS Test until the cursor changes, then click on RADIUS Test and keep the button pushed
2. Drag the rule all the way to the top
3. Release the RADIUS Test Policy Rule

 

 

Verify Rule Order

 

  1. Verify RADIUS Test is listed as the first rule
  2. Click Next

 

 

Policy Summary

 

  1. Verify Policy Rule
  2. Click Save
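Why the new rule has to be dragged to the top, as an added example (a simplified model, not VMware's implementation): it assumes rules are evaluated top-down and the first rule matching the source IP and device type is applied. The pre-existing ALL RANGES password rule, the class and function names, and the address 192.168.100.50 are assumptions; the RADIUS Test range and 192.168.110.10 come from the lab.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_DEVICE = "All Device Types"


@dataclass(frozen=True)
class NetworkRange:
    name: str
    first: IPv4Address
    last: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def covers(self, other: "NetworkRange") -> bool:
        return self.first <= other.first and other.last <= self.last


@dataclass(frozen=True)
class PolicyRule:
    network_range: NetworkRange
    device_type: str
    auth_methods: tuple  # primary method first, then fallback(s)

    def matches(self, ip: IPv4Address, device_type: str) -> bool:
        return (self.network_range.contains(ip)
                and self.device_type in (ANY_DEVICE, device_type))


def select_rule(rules, source_ip, device_type="Web Browser"):
    """Return the first rule that matches, or None (assumed first-match model)."""
    ip = IPv4Address(source_ip)
    for rule in rules:
        if rule.matches(ip, device_type):
            return rule
    return None


def primary_method(rules, source_ip, device_type="Web Browser"):
    rule = select_rule(rules, source_ip, device_type)
    return rule.auth_methods[0] if rule else None


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.network_range.covers(rule.network_range)
                    and earlier.device_type in (ANY_DEVICE, rule.device_type)):
                hidden.append(rule.network_range.name)
                break
    return hidden


# Range exactly as entered in the lab: From 192.168.100.1, To 192.168.100.255.
RADIUS_TEST = NetworkRange("RADIUS Test",
                           IPv4Address("192.168.100.1"), IPv4Address("192.168.100.255"))
# Assumed catch-all range behind the pre-existing password rule.
ALL_RANGES = NetworkRange("ALL RANGES",
                          IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))

radius_rule = PolicyRule(RADIUS_TEST, "Web Browser", ("RADIUS", "Password"))
default_rule = PolicyRule(ALL_RANGES, "Web Browser", ("Password",))

AS_ADDED = [default_rule, radius_rule]    # new rule left at the bottom
AS_REORDERED = [radius_rule, default_rule]  # after dragging it to the top

if __name__ == "__main__":
    for label, rules in (("as added", AS_ADDED), ("reordered", AS_REORDERED)):
        print(label)
        # 192.168.100.50 is a constructed test-VM address inside the range.
        for ip in ("192.168.100.50", "192.168.110.10", "192.168.100.0"):
            print(f"  {ip:15} -> {primary_method(rules, ip)}")
        print("  shadowed rules:", shadowed_rules(rules))
```

In this model, leaving the rule at the bottom means clients in the RADIUS Test range are matched by the catch-all password rule first and are never asked for a passcode, which `shadowed_rules` flags.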

 

Verify functionality


Now we will verify the new policy is active.


 

Open New Incognito Window

 

Open a new incognito browser window:

  1. Click the vertical dots in the upper right corner
  2. Select New incognito window

 

 

Log in to WS1

 

  1. Click WS1 and select VIDM-01
  2. Click Next

 

 

Log In as user3mod3

 

  1. Username user3mod3
  2. Password VMware1!
  3. Click Sign in

 

 

Verify Login

 

As you logged in from the Main Console (IP address 192.168.110.10), you should have successfully logged in to the Workspace ONE console using your domain password.

1. Close the Incognito Window

 

 

Test RADIUS Authentication from Windows 10 VM

Now let's test the RADIUS Authentication. For this we need to open our Windows 10 test VM via Horizon Client.

 

 

Open Edge Browser

 

Wait for the Instant Clone VM to load, then

  1. Notice the Subnet of the VM is 192.168.100.XXX (which is within the Network Range we defined earlier)
  2. Open Microsoft Edge browser
  3. Browse to vidm-01.corp.local (this should be the home page)
  4. If prompted, confirm the domain is set to corp.local and click Next

 

 

Authenticate Using RADIUS

 

Since the IP address of our test VM is within the RADIUS Test network range (192.168.100.180 - 192.168.100.190) we defined earlier, we now - as expected - get prompted for the RADIUS Passcode instead of our CORP.LOCAL domain password.

  1. Notice "Please enter RADIUS Passcode" message
  2. Username: user3mod3
  3. RADIUS Passcode: 123456
  4. Click Sign In
  5. Click No to not save your password

 

 

Verify access

 

Verify you can access the portal successfully.

 

 

Disconnect and Log Off

 

  1. Click Options
  2. Select Disconnect and Log Off
  3. Click OK

 

 

Close Horizon Client

 

  1. Click the X to close the Horizon Client

 

Conclusion


We have shown how easy it is to integrate VMware Workspace ONE with a RADIUS compatible 2FA solution.

VMware Workspace ONE also comes with a built-in 2FA solution. As this lab environment is not connected to the internet, we could not show it in this lab, but you can learn more about it here: VMware Verify.

VMware Verify uses mobile push tokens, leveraging the Verify app for iOS and Android.


 

VMware Verify Video (1:43 min)

If you are interested in learning more about VMware Verify, take a look at the short video above.

 

 

Conclusion

 

You can find additional information on User Authentication options, including RADIUS, in the documentation for VMware Workspace ONE.

The QR-Code will take you to the link below:

https://docs.vmware.com/en/VMware-Identity-Manager/3.2/idm-aw-administrator.pdf

 

 

You've finished Module 3

Congratulations on completing Module 3.

If you are looking for additional information on Workspace ONE, try one of these:

Proceed to any module which interests you most.

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 4 - Integrating Workspace ONE with SAML Based Web Applications (30 minutes)

Introduction


In this module you will learn how to configure Web and SaaS applications in VMware Workspace ONE. With VMware Workspace ONE, you can provide Single-Sign-On (SSO) for your users to any Web/SaaS application supporting Security Assertion Markup Language (SAML).

This will simplify a user's digital workspace experience by allowing the user to have a single entry point for all applications (ThinApps, Citrix XenApp, RDSH, SaaS) and VDI Desktops from any device offering a browser. With VMware AirWatch, you can even extend this to mobile apps.

The SSO into Horizon Published Apps and Desktops is shown in Module 2 - Workspace ONE Integration with Horizon 7.

 

Users can customize their portal by adding application bookmark from the catalog as shown in the sample picture of Workspace ONE portal above. In this lab, we will first walk you through adding a simple Web-Link (without SSO) to the catalog and in another example, add a SAML 2.0 enabled app with SSO.


 

Lab Ready?

 

1. Make sure the Lab Status is Ready

2. Open README.txt

3. Familiarize yourself with the content of README.txt. This will make your life easier by allowing you to copy/paste rather than type, especially if you don't have a US keyboard.

 

Create Web Based Application Shortcut


In this example we will create a simple shortcut for a Web Application, without passing any user information for single-sign-on. This basically just creates a bookmark and is the simplest form of integrating a Web Application or Website into VMware Workspace ONE.


 

Launch Browser

 

  1. From the Main Console, open Google Chrome

 

 

Login to VMware Identity Manager

 

  1. Open VIDM-01 Admin in Chrome
  2. Username: administrator
  3. Password: VMware1!
  4. Click Sign in

 

 

Create New Web Application

 

  1. Click New

 

 

Add Entitlement

 

  1. Click on Save & Assign

 

 

Open New Incognito Window

 

  1. Click the Customize And Control Google Chrome Icon
  2. Select New Incognito Window

 

Add SAML based Web Application and SSO Configuration


In this lab we will add our SAML 2.0 Test-App and configure VMware Workspace ONE to pass user information to the app. In preparation for this lab, we have already configured the SAML Test-App to trust VMware Workspace ONE by adding the certificate to the Test App. As this is very specific to this app, we won't spend much time on that part and will focus on the VMware Workspace ONE side instead.


 

Switch to Administration Console

 

Switch to the Admin Console and

  1. Click Settings

If you have closed the Chrome browser Window/Tab with your Workspace ONE session, please re-open Chrome and login to VIDM-01 Admin as administrator.

 

 

SAML 2.0 Preparation

 

On this settings page, you can find and download the SAML Metadata. SAML Integration requires configuration on the Workspace ONE side and on the side of the application you want to integrate. For the SAML 2.0 test app we use later in this lab, this configuration was done for you. However, this is where you can find the necessary information (signing certificate and IdP URL etc.) in the Administration Console:

  1. Click on SAML Metadata
  2. Notice you could Copy or Download the Certificate for the Workspace ONE/vIDM Appliance
  3. Click the X to close the window

 Note: There is no need to copy or download the certificate for this lab; the test app is already configured for you.

 

 

Configuration SAML Test App

 

This is just to show what the settings file for our simple SAML-Test application looks like. For this (very) simple app, we needed to provide the certificate of our Workspace ONE (vIDM) instance, the IdP SSO URL to get the application launched and the Assertion Return URL.

As the configuration is very specific to this simple test-app, we didn't add those steps to the lab. However, if you are really interested, you can use WinSCP or PuTTY to look at the settings.php file on saml-test.corp.local. The file is located under /var/www/html/saml/demo.

 

 

Add SAML Application

 

You should be on the Catalog page in the Administration Console

  1. Click on New

 

 

Access Policies

 

Leave the default_access_policy_set and

1. Click Next

Note: Access policies can be applied on the applications to control user access based on criteria such as the user's network range or device type. You can create access policies for a single application, a set of applications, or all applications in your catalog. When you add an application to the catalog, you select the access policy to use.

 

 

Add Entitlement

 

  1. Click Save & Assign

 

 

Open New Incognito Browser Window

 

  1. Click on the Customize and control Google Chrome Icon
  2. Select New incognito window

 

 

Log In to Workspace ONE

 

  1. Click Next

 

 

Open SAML 2.0 APP

 

Let's test the SAML 2.0 App.

  1. Click Open

 

 

Verify attributes are displayed

 

If you configured the app correctly, you should see the Success Window above.

  1. Verify attributes firstname/lastname, username and principalname (=email) have been passed correctly to the SAML-Test App
  2. Close Incognito Window

 

For this to work, the necessary information must be available for each user in Active Directory and the attributes need to be synced with Workspace ONE. If you make changes to attributes in AD, a sync between VMware Workspace ONE and the Directory has to happen.

 

 

Cloud Application Catalog

 

VMware Workspace ONE also allows for adding Web Applications from the Application Catalog. Since this environment is not connected to the Internet, you won't be able to test this option. The catalog currently consists of over 100 (and growing) pre-configured templates for typically used web/SaaS applications such as ADP, Salesforce.com, Office 365, Workday, ServiceNow and many more.

Just because an application is not listed does not mean it is not supported by or working with VMware Workspace ONE; it might just be a little more work to set it up.

 

 

 

External Application Sources

 

In addition to adding new applications manually or via our Application Catalog, it is possible to import applications from existing 3rd party Identity Managers such as OKTA, PING or ADFS. Yes, Workspace ONE can co-exist and play nicely with others.

 

Conclusion


In this module you learned how to add a simple shortcut for a web-based application and how to integrate a more complex SAML 2.0 based application, to which we passed certain user-specific attributes. Depending on the application you want to integrate, you might have to configure different settings in VMware Workspace ONE and your application. Always consult the documentation for VMware Workspace ONE and your application for details, or consider leveraging VMware Professional Services to assist.


 

VMware Workspace ONE - Techzone

 

You can find more information on VMware Workspace ONE on our Techzone Website:

https://techzone.vmware.com/resource/workspace-one


 

 

You've finished Module 4

 

Congratulations on completing Module 4.

If you are looking for additional information on Workspace ONE, try one of these:

Proceed to any previous module which interests you most.

 

Module 5 - Configure Failover and Redundancy for Workspace ONE (15 Minutes)

Introduction


In this module you will learn about how to implement a highly available Workspace ONE Identity Manager solution.

Please note this section of the lab is for informational purposes only. There are no associated lab steps.

For a comprehensive look at VMware recommended practices for building a highly available Workspace ONE solution, please review VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture.


Configure Highly Available Single Site


VMware Workspace ONE Identity Manager is the primary entry point for end users to consume all types of applications, including SaaS, web, Horizon 7 virtual desktops and published applications, Citrix XenApp, and mobile apps.

Therefore, it should be deployed to be highly available within a site, and also deployed in a secondary data center for failover and redundancy.

This lesson explores design considerations for implementing the Identity Manager components of Workspace ONE with HA for a single site.


 

Design Overview

 

VMware Identity Manager can be implemented using on-premises or SaaS-based implementation models. This lab focuses on the on-premises model.

The main components of Identity Manager on-premises are:

In an on-premises deployment, VMware Identity Manager is available as either a Linux-based virtual appliance or as a service installed in a Windows VM.

The Identity Manager Connector software can run on the same VM as the Identity Manager appliance. VMware recommends separating these services onto separate appliances, as described in the following sections.

VMware Identity Manager can also be integrated with the rest of the Horizon 7 Enterprise components to provide access to Horizon 7 desktops and published applications. The VMware Identity Manager VM handles authentication and provides SSO services to applications and desktops.

Syncing resources such as Active Directory and Horizon 7 can be done either by using a separate VMware Identity Manager Connector or by using the built-in connector of an on-premises VMware Identity Manager VM. The separate connector can run inside the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.

 

 

Database

VMware Identity Manager can be set up with an internal or external database to store and organize server data. A PostgreSQL database is embedded in the VMware Identity Manager virtual appliance, but this internal database is not recommended for use with production deployments.

To use an external database, have your database administrator prepare an empty external database and schema before you use the VMware Identity Manager Setup wizard to connect to the external database. Licensed users can use an external Microsoft SQL Server 2012, 2014, or 2016 database server to set up a high-availability external database environment.

The database requires 64 GB of disk space for the first 100,000 users, and another 20 GB for each additional 10,000 users.

 

 

Scalability and Availability

 

VMware Identity Manager has been tested to 100,000 users per single virtual appliance installation. For a high-availability environment, at least three VMware Identity Manager appliances should be configured to ensure availability in the event of a failure of an appliance or ESXi host. After initial configuration, the virtual appliance is cloned twice and deployed with new IP addresses and host names.

For production implementations, VMware recommends Microsoft SQL Server 2016 along with its cluster offering Always On availability groups, which is supported with VMware Identity Manager. This allows the deployment of multiple instances of VMware Identity Manager, pointing to the same database protected by an availability group with an availability group listener as the single Java Database Connectivity (JDBC) target for all instances.

Windows Server Failover Clustering (WSFC) can also be used to improve local database availability and redundancy. In a WSFC cluster, two Windows servers are clustered together to run one instance of SQL Server, which is called a SQL Server failover cluster instance (FCI). Failover of the SQL Server services between these two Windows servers is automatic.

 

 

High Availability Design Recommendations

To provide high availability:

 

Configure Highly Available Multi-Site


This lesson explores design considerations for implementing Workspace ONE Identity Manager with HA in a multi-site configuration.


 

Design Overview

 

The failover process that makes the secondary site's VMware Identity Manager appliances active requires a change at the global load balancer to direct traffic of the namespace to the desired instance. You must also clear the caches on the original primary data center.

VMware Identity Manager consists of the following layers, which make up the service and need to be designed for redundancy:

 

 

VMware Identity Manager Appliances and Connectors

To provide site resilience, each site requires its own group of VMware Identity Manager virtual appliances to allow the site to operate independently, without reliance on another site. One site runs as the active VMware Identity Manager, while the second site has a passive group. The determination of which site has the active VMware Identity Manager is usually controlled by the global load balancer's namespace entry or a DNS entry, which sets a given instance as the target for the namespace in use by users.

Within each site, VMware Identity Manager must be installed with a minimum of three appliances. This provides local redundancy and ensures that services such as Elasticsearch function properly. The VMware Identity Manager appliances are hosted in the DMZ network.

A local load balancer distributes the load between the local VMware Identity Manager instances, and a failure of an individual appliance is handled with no outage to the service. Each local site load balancer is also load-balanced with a global load balancer.

At each site, two VMware Identity Manager Connector virtual appliances are hosted in the internal network and can use an outbound-only connection mode. These connectors point to the global load balancer.

 

 

Multi-site Database

VMware Identity Manager 2.9 (and later) supports Microsoft SQL Server 2012 (and later) and its cluster offering Always On availability groups. This allows us to deploy multiple instances of VMware Identity Manager, pointing to the same database protected by an availability group with an availability group listener as the single Java Database Connectivity (JDBC) target for all instances.

VMware Identity Manager is supported with an active/passive database instance with failover to the secondary site if the primary site is unavailable. Depending on the configuration of SQL Server Always On, inter-site failover of the database can be automatic, though not instantaneous.

Within a site, Windows Server Failover Clustering (WSFC) is used to improve local database availability and redundancy. In a WSFC cluster, two Windows servers are clustered together to run one instance of SQL Server, which is called a SQL Server failover cluster instance (FCI). Failover of the SQL Server services between these two Windows servers is automatic.

Note: All JDBC connection strings for VMware Identity Manager appliances should point to the SQL Server availability group listener (AGL) and not directly to an individual SQL Server node.

If your organization has already deployed Always On availability groups, consult with your database administrator (DBA) about the requirements for the database used with VMware Identity Manager.

The SQL Server Always On setup can be configured to automatically fail over and promote the remaining site's database to become the primary.

 

Conclusion


Congratulations!  You have now completed Module 5.  You should be familiar with how to configure failover and redundancy for Workspace ONE Identity Manager.


 

VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture

 

If you are looking for additional information:

Proceed to any module below which interests you most.

Lab Module List:

Module 1 - Installation and Configuration of VMware vIDM (30 minutes) (Advanced) Walk through the installation and configuration of the VMware Identity Manager

Module 2 - Integrating Workspace ONE with Horizon (60 minutes) (Advanced) Walk through the integration of Horizon 7 with Workspace ONE to deliver desktops and apps

Module 3 - Configure MFA using RADIUS in Workspace ONE (15 minutes) (Advanced) Learn how to configure a RADIUS compatible authentication adapter

Module 4 - Integrating Workspace ONE with SAML Based Web Applications (30 minutes) (Advanced) Learn how to add web applications and configure single-sign-on with SAML 2.0

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1951-03-VWS

Version: 20190309-192236