VMware SASE and Cloud Web Security

What is SASE and CWS, and why do I need it?

Let’s start with the basics! SASE is a Gartner term and is an abbreviation of Secure Access Service Edge. Still not much help, right? Well, let’s explain this by looking at how people typically work, especially remotely, and how their traffic is secured. Most of you who ever work remotely will most likely use a device-level VPN. This uses software on your device to create a tunnel into your company data centre and allows you to remotely access internal resources. This is how most companies have done it for many years, and it really dates back to the days when all of a company’s resources were in its own data centre. Tunnelling all the traffic back into the data centre was the perfect way to reach everything a remote user would need.

These days, though, things are a little different. In recent years we’ve seen a huge increase in the consumption of public clouds, SaaS applications and collaboration tools. All of these reside on the internet, not inside the company data centre. So end users on the old device VPN model are essentially tunnelling in, then breaking back out. This is inefficient when it comes to the routing of traffic, especially for things like Teams and Zoom meetings. Hairpinning the traffic in and back out adds latency and can cause a poor user experience, with users seeing poor frame rates and jitter on voice and video.

The location of the services wasn’t the only reason to send all traffic into the data centre, though. Security was another reason. By sending all the traffic into the data centre, companies can pass it through security appliances such as proxies and apply policies to it, controlling what can and cannot be accessed, for example.

SASE removes the need for the device-level VPN. Instead of terminating the connection in the company data centre, we terminate it at one of VMware’s many worldwide distributed ‘POPs’, or points of presence. From there, we can route the traffic along a much more optimal path to where it needs to go: destinations like public clouds, SaaS and web resources, or even back into the company data centre. What’s more, your device connects to the closest POP available, meaning wherever you may be travelling your traffic will always take the closest route.

Devices can be connected to the SASE POPs in different ways, too. Managed devices can have the VMware Tunnel application deployed, and the tunnel can create either per-application connections or a full-device connection into the SASE POPs (depending on the OS type). You choose what to send and what to bypass, so ultimately you decide which traffic goes via the POP and which does not need to.

But what about the security services we were using internally, I hear you say? Well, that’s where Cloud Web Security comes in. CWS is a range of web security features contained in the SASE POP, so not only does all your traffic take an optimised route, but all the security policies are applied to the traffic in flight as it passes through the POP.

VMware SASE also works great with the VMware SD-WAN solution, VeloCloud. VeloCloud devices can be instructed to send office traffic to the SASE service, and for users who work both in offices and remotely, the Tunnel agent is intelligent enough to know when it is connected to a trusted SD-WAN network and can disable itself. This means that whether your users are working remotely or in the office, you can be sure that all their traffic is being routed and secured effectively.

Configuration of SASE and Cloud Web Security

In the video I’ll show you at a high level how to configure SASE and CWS. Hopefully you’ll see how simple it is, and see what the end user experience is like when the CWS policies are applied.

Workspace ONE UEM and Workspace ONE Access Integration for Hub Services

I know there are a lot of SaaS customers out there who have only been using basic MDM functionality within Workspace ONE. The platform has moved on a lot in the last few years, and if you haven’t already seen it I strongly suggest you check out Hub Services. This takes the Workspace ONE agent that is used for device management and adds additional functionality to the application, such as a unified app catalogue, people search and a notifications platform, to name but a few!

When I talk to people about this, though, many don’t know where to start, so I thought I’d make a short video to get you started. First off, Hub Services requires integration between UEM and Access. The good news is that whatever version of Workspace ONE you have, you are entitled to Access. For those of you using SaaS, the Access tenant is a SaaS tenant. For those still on premises there is an option to deploy an on-premises version.

Some customers will have been sent details of their Access tenant already when they signed up, but, depending on when this was, you may not have a SaaS Access tenant. Don’t worry, though, as it’s super easy to create one and set up the integration. In this video I’m going to show you just how easy it is.

Workspace ONE Access FIDO2 integration

As of this month (Feb 2021), all Workspace ONE Access SaaS tenants now support FIDO2 as an authentication method. So, I thought I’d put together a short video showing how easy it is to configure, and some different device types using the solution.

For all my demos I used a YubiKey 5 NFC. It’s a pretty cool token that works over standard USB or NFC – https://www.yubico.com/gb/product/yubikey-5-nfc/

Here is a list of the supported authenticators at time of launch:

Here is a link to my video, showing how to configure FIDO2 authentication and some examples of it in use across a range of devices.

Workspace ONE UEM – Windows 10 enrolment

If you’re an existing Workspace ONE UEM administrator, you’ll know there are lots of ways to enrol a variety of devices. Whether you’re a seasoned admin or a newbie, though, you might not be aware of some of the Windows 10 enrolment methods.

First, let’s introduce some key concepts we’ll be covering:

OOBE, or Out-of-Box Experience – this is the concept of powering on a Windows 10 device and configuring it via a series of wizard-driven screens. A lot of organisations still use legacy Windows imaging to prepare machines. This involves wiping off the factory image and replacing it with a new custom one. OOBE is an alternative method which uses the image shipped from the factory and simply customises it.

Factory provisioning – preparing a Windows 10 device with enrolment details and software, either in the factory or in the IT department, so that desktops can be provisioned more quickly and easily. The main advantage of factory provisioning is that the OOBE process can be customised for your organisation, and custom software can be pre-installed, ready and usable straight after the first logon. Several manufacturers support the factory provisioning process.

In this series of videos I’m going to show you various methods that could be used in typical organisations.

Factory provisioning with Azure AD join – in this video we are going to use factory provisioning to prepare a new Windows 10 machine to enrol into Workspace ONE UEM using Azure AD. This is ideal if your users only access SaaS-based resources and you have limited requirement for on-premises domain resources.

Factory provisioning with local AD join – in this video we are going to use factory provisioning to prepare a new Windows 10 machine to enrol into Workspace ONE UEM and join an on-premises AD. This is ideal if the bulk of your apps and data reside on premises.

Silent enrolment using AD Group Policy – not all the Windows 10 machines you want to enrol will be new machines. There may be occasions where existing domain-joined machines need to be enrolled. In this video we’ll show you how to silently enrol a domain-joined machine into Workspace ONE UEM.
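As an added illustration of the silent enrolment scenario (this is example code written for this page, not the script from the video or VMware’s own), here is the shape of a Group Policy computer startup script that enrols an existing domain-joined Windows 10 machine. Everything marked “assumed” is a placeholder or an assumption to verify against your own UEM console and the current VMware documentation: the installer path, Device Services host, Organisation Group ID, staging account, the registry check used to detect an existing MDM enrolment, and the MSI property names passed to the installer.

```powershell
# Added example, not the page's own script: GPO computer-startup script that silently
# enrols an already domain-joined Windows 10 machine into Workspace ONE UEM.
# Runs as SYSTEM at boot. Items marked "assumed" must be verified for your environment.

$InstallerPath  = '\\fs01.corp.example\hub$\AirwatchAgent.msi'   # assumed UNC path (read-only share)
$DeviceServices = 'ds.corp.example'   # assumed UEM Device Services host
$GroupId        = 'CORP'              # assumed Organisation Group ID
$StagingUser    = 'win10-staging'     # assumed UEM staging account with enrolment-only rights
$StagingPass    = 'replace-me'        # assumed; see the note on credential exposure below
$LogFile        = "$env:ProgramData\HubEnrol.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Test-MdmEnrolled {
    # Windows records MDM enrolments under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>.
    # An entry with a ProviderID value is treated here as an existing enrolment (assumed check).
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID) { return $true }
    }
    return $false
}

# 1. Only act on domain-joined machines; that is the scenario the post describes.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Log 'Not domain joined, skipping'
    exit 0
}

# 2. Idempotency: a startup script runs at every boot, so never re-enrol an enrolled device.
if (Test-MdmEnrolled) {
    Write-Log 'MDM enrolment already present, nothing to do'
    exit 0
}

# 3. Refuse to run an installer from the share unless its Authenticode signature is valid,
#    so a tampered MSI on the file server cannot be pushed to every machine by this GPO.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Log "Installer signature status is '$($sig.Status)', aborting"
    exit 1
}

# 4. Silent install of the Intelligent Hub with enrolment parameters. The property names
#    (ENROLL, IMAGE, SERVER, LGNAME, USERNAME, PASSWORD, ASSIGNTOLOGGEDINUSER) are assumed
#    to match VMware's documented command-line enrolment; confirm them for your agent version.
$msiArgs = @(
    '/i', "`"$InstallerPath`"",
    '/quiet', '/norestart',
    'ENROLL=Y', 'IMAGE=N',
    "SERVER=$DeviceServices",
    "LGNAME=$GroupId",
    "USERNAME=$StagingUser",
    "PASSWORD=$StagingPass",
    'ASSIGNTOLOGGEDINUSER=Y',
    '/l*v', "`"$env:ProgramData\HubInstall.log`""
)
Write-Log "Starting enrolment against $DeviceServices in group $GroupId"
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
Write-Log "msiexec exited with code $($proc.ExitCode)"   # 0 = success, 3010 = success but reboot pending
exit $proc.ExitCode
```

Two points a practitioner should keep in mind with this approach. First, a startup script lives in SYSVOL, which every domain user can read, so the staging password is effectively public inside the domain: use a dedicated staging account that can do nothing except enrol devices into that Organisation Group, rotate it, and treat any other use of it as suspicious. Second, `ASSIGNTOLOGGEDINUSER=Y` means the device is handed to whichever user logs in after staging, which is what you want for existing machines with a known owner but not for shared or kiosk devices.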

Windows 10 Enterprise Reset – there are always times when things go wrong, and Windows 10 is no exception. Sometimes a great way to fix a Windows 10 machine is to perform a reset. This puts the machine back into its factory-delivered state. VMware has introduced Enterprise Reset. When issued, a Windows 10 machine will perform a full reset but will stay under UEM management and will remain a member of the domain. This means that once the reset is issued, the machine will fully reconfigure itself and redeliver any apps assigned to it.

Looking for a quick to deploy remote access solution?

We’re seeing an increase in news articles and customer requests around enabling staff to work from home.

Due to the current global situation, many organisations are quickly looking to enable remote working to ensure their employees’ safety and keep them productive at the same time. This is especially true in certain organisations which provide key public services.


Why digital transformation is essential for organisations to survive

Depending on which age group you fall into, your end user experience at your workplace will have undergone several transformations. From pen and paper to typewriters and then to desktop computers to give just a few examples.


Horizon 7.10, App Volumes 2.18 and Dynamic Environment Manager 9.9

So, the latest release of Horizon is available. As always, it brings some new functionality. Below are some useful links to quickly get you up to speed on what’s new.
