VMware View – Restricted Entitlements

“How can I keep my virtual desktops inaccessible from outside my network?…”  That was the question I was asked not long ago and my first thought was “everyone wants access from any device, any location, any network, whatever…why would you want to do such a thing?” but the reasons given made a ton of sense.  There may be some desktop pools that you only want available from the internal network, as an example, say if you work at a schools and you have desktop pools created for your computer labs, you may not need, nor want those pools accessible over the internet so as to keep the lab pool available for lab computers only.

Well, you can do things like enabling two-factor authentication, thereby allowing on those users with secure tokens access, maybe if you have a load balancer like the NetScaler, perhaps you could write a ruleset to restrict access, or you could use what VMware View calls “Restricted Entitlements” – which is what I implemented in this case.

From the VMware View Administrator guide directly (I’m too tired to try and rewrite it):

You can configure the restricted entitlements feature to restrict View desktop access based on the View Connection Server instance that users connect to when they select desktops.

With restricted entitlements, you assign one or more tags to a View Connection Server instance. Then, when configuring a desktop pool, you select the tags of the View Connection Server instances that you want to be able to access the desktop pool.

When users log in through a tagged View Connection Server instance, they can access only those desktop pools that have at least one matching tag or no tags.


My example environment includes the following:
SECVCS01 – View Security Server in DMZ
SECVCS02 – View Security Server in DMZ
INTVCS01 – Internal View Connection Server paired with SECVCS01
INTVCS02 – Internal View Connection Server paired with SECVCS02
INTVCS03 – Internal View Connection Server
INTVCS04 – Internal View Connection Server
Basically, the process is this: (all steps done in View Administration Console on an internal View connection server)
·         Under View Configuration, click Servers then the Connection Servers tab
·         In this case, I’m going to “tag” INTVCS03 and INTVCS04 with the value “InternalVCS”
o   Highlight INTVCS03 and click Edit
o   On the General tab, enter a Tag (InternalVCS)
o   Click OK
o   Repeat for INTVCS04

·         Under Inventory, click Pools
·         Highlight the pool to restrict and then click Edit
·         Click the Pool Settings tab
·         Under the General heading, look at the Connection Server Restrictions option, by default it says None
o   Click Browse
o   On the Connection Server Restrictions window, select Restricted to these tags and select InteralVCS
o   Click OK
o   Click OK on the Edit Pool window
I’m sure this new version of blogger is cool and all….but right now I’m finding the formatting to be a little aggravating.  So, we’ll conclude with this text as is….only a few people are likely to read anything I put out here.  Setting up a tag as shown above will keep the desktop pool from being accessed by INTVCS01 and INTVCS02, thus keeping remote connections from the internet from accessing the pool, thereby making this pool an “internal only” desktop pool.
Though this will keep unwanted internet connections off the pool, a potential issue could be that this affects the pool in its entirety, meaning you as an administrator will not have remote access to any pool restricted to the connection brokers tagged with InternalVCS.  This setting affects all users with access to the pool, even administrators.  However, Restricted Entitlements provide an very easy way to setup additional security to unwanted remote access to a desktop pool. 

Leave a comment

Filed under VDI, VMware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s