Still got Mainframe? Virtual Desktops in an SNA network.

My recent engagements with customers in the finance vertical revealed a specific requirement that keeps coming up in desktop virtualization projects for their branches.

A lot of banks still run core banking software through LU (Logical Unit) terminal interfaces on Windows, which communicate with the mainframe's SNA network through Microsoft Host Integration Server.

Virtualizing endpoints that run this type of terminal software is challenging because in the SNA architecture all communication is based on and controlled at the physical device level, where each device is identified as an LU. In other words, from the LU terminal's perspective we need to ensure that sessions from a single client device to VDI always connect to a specific virtual desktop, no matter which user initiates and logs into the session. Only this setup lets LU applications authenticate properly in the SNA network.

Desktop pool assignments in Horizon, however, are based on users and user groups, and there is no simple way to associate a virtual desktop with a physical endpoint device such as a thin client.

After some investigation I've come up with an interesting workaround: we can use a Horizon feature called Kiosk Mode to achieve dedicated, device-based assignment. The feature name might be misleading, but it does the job!

First of all, we need a list of the MAC addresses of all our endpoint devices. Next, using the vdmadmin.exe command, we create a special AD user object for each MAC address:

vdmadmin -Q -clientauth -add -domain DOMAIN -clientid cm-00:50:56:82:81:ec -genpassword -ou "OU=vdi,DC=domain,DC=local" -group ThinClientDevices -description "Horizon View device account for client with MAC address 00:50:56:82:81:ec" -noexpirepassword

As you can see in the example above, Horizon creates a user account in AD with a random password, and a hash of that password is also stored in the AD LDS database. Identifying a device by MAC address is much better than using the client name or IP address, as you don't have to play with DHCP reservations or static IP addresses (yep, sorry Citrix, you're doing it wrong! 😉).
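Running that vdmadmin command once per device gets tedious with a few hundred thin clients, so here is an added example (not from the original post) that feeds a MAC inventory through the same command. It assumes the default Connection Server path for vdmadmin.exe and reuses the OU and group names from the command above; the inventory list is constructed, and it runs with -WhatIf so you can see the client IDs it would create before anything touches AD.

```powershell
# Added example (not from the original post): bulk-create Horizon kiosk
# accounts for a list of thin-client MAC addresses with vdmadmin.exe.
# Assumptions: vdmadmin.exe sits in the default Connection Server tools
# folder below; OU and group names are the ones from the post.

$VdmAdmin = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin.exe'  # assumed default path
$Domain   = 'DOMAIN'
$TargetOU = 'OU=vdi,DC=domain,DC=local'
$Group    = 'ThinClientDevices'

# Constructed sample inventory; in practice import it from your asset CSV.
$Inventory = @(
    '00:50:56:82:81:ec',   # colon-separated, lower case
    '00-50-56-82-81-ED',   # dash-separated, upper case (same device class)
    '00:50:56:82:81'       # malformed on purpose: must be rejected, not created
)

function ConvertTo-KioskClientId {
    param([Parameter(Mandatory)][string]$Mac)
    # Strip common separators, require exactly 12 hex digits,
    # and emit the cm-aa:bb:cc:dd:ee:ff form that Kiosk Mode expects.
    $hex = ($Mac -replace '[:\-\.\s]', '').ToLower()
    if ($hex -notmatch '^[0-9a-f]{12}$') {
        throw "Invalid MAC address: '$Mac'"
    }
    $pairs = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    return 'cm-' + ($pairs -join ':')
}

function New-KioskDeviceAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Mac)
    $clientId = ConvertTo-KioskClientId -Mac $Mac
    $macText  = $clientId.Substring(3)   # drop the 'cm-' prefix for the description
    $vdmArgs  = @(
        '-Q', '-clientauth', '-add',
        '-domain', $Domain,
        '-clientid', $clientId,
        '-genpassword',
        '-ou', $TargetOU,
        '-group', $Group,
        '-description', "Horizon View device account for client with MAC address $macText",
        '-noexpirepassword'
    )
    if ($PSCmdlet.ShouldProcess($clientId, 'vdmadmin -Q -clientauth -add')) {
        & $VdmAdmin @vdmArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "vdmadmin failed for $clientId (exit code $LASTEXITCODE)"
        }
    }
}

foreach ($mac in $Inventory) {
    try   { New-KioskDeviceAccount -Mac $mac -WhatIf }   # remove -WhatIf to create the accounts
    catch { Write-Warning $_.Exception.Message }
}
```

The normalization step matters more than it looks: Kiosk Mode matches the connecting client's MAC against the account name, so an inventory exported with dashes or upper-case hex would silently produce accounts that never match a real device. Rejecting malformed entries up front keeps junk accounts out of the device group.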

Once the account is created, you use it to create an entitlement for a desktop pool or a specific individual desktop in View Administrator or in our cool new HTML5 Horizon Console.

As the last step, launch the Horizon Client with the -unattended switch on the client device to authenticate as a kiosk:

"C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe" -unattended -serverURL view.mydomain.local

This switch instructs the Horizon Client to use the MAC-address-based account to authenticate against the Connection Server. From the user's perspective, no username or password needs to be entered: the Connection Server uses the credentials it stored securely in the AD LDS database if it finds a match for the connecting MAC address.

If you still need to authenticate the user (the real user, not the dummy MAC-based one) to the Windows session, you simply disable SSO (globally in the Connection Server Global Settings, or for a specific set of desktops using the View Agent GPO ADMX template), and the next thing a user sees after launching the Horizon Client is the Windows logon screen asking for a password or smart card. This user also shows up in all the Horizon consoles as the one actually logged in, so you can still manage their environment with UEM and App Volumes.

One more thought on this matter: this configuration also limits VDI access to known devices only. Of course, this is not as secure as 802.1X, because MAC addresses can be spoofed, but it still raises the security of the solution to a certain level.
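Because the device group is effectively the allow-list for unattended access, it is worth reconciling it against the hardware inventory from time to time, so that accounts for retired or unknown thin clients are removed and the set of MAC addresses that grant a session stays as small as possible. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module is available on the machine you run it from, that the group is named ThinClientDevices as above, that kiosk accounts use the cm- prefix, and that stale accounts are removed with vdmadmin's -clientauth -remove option. The inventory list is constructed.

```powershell
# Added example (not from the original post): reconcile the kiosk device
# group in AD against the current thin-client inventory.
# Assumptions: ActiveDirectory module present; group name and cm- prefix
# as used in the post; vdmadmin -Q -clientauth -remove retires an account.

Import-Module ActiveDirectory

$Group = 'ThinClientDevices'

# Constructed sample inventory: devices that should still have an account.
$Inventory = @('00:50:56:82:81:ec', '00:50:56:82:81:ed')

function Get-InventoryClientIds {
    param([string[]]$Macs)
    # Kiosk account names are the MAC address with a cm- prefix, lower case.
    $Macs | ForEach-Object { 'cm-' + $_.ToLower() }
}

function Compare-KioskAccounts {
    param([string[]]$Macs, [string]$GroupName)
    $expected = @(Get-InventoryClientIds -Macs $Macs)
    $members  = @(Get-ADGroupMember -Identity $GroupName |
                  Where-Object { $_.objectClass -eq 'user' } |
                  Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        # Device accounts in AD that no device in the inventory matches
        Stale   = @($members  | Where-Object { $_ -like 'cm-*' -and $_ -notin $expected })
        # Inventory devices that have not been provisioned yet
        Missing = @($expected | Where-Object { $_ -notin $members })
        # Anything in the device group that is not a device account at all
        Other   = @($members  | Where-Object { $_ -notlike 'cm-*' })
    }
}

$result = Compare-KioskAccounts -Macs $Inventory -GroupName $Group
$result.Stale   | ForEach-Object { Write-Output "STALE   : $_  (retire with vdmadmin -Q -clientauth -remove)" }
$result.Missing | ForEach-Object { Write-Output "MISSING : $_  (not yet provisioned)" }
$result.Other   | ForEach-Object { Write-Output "REVIEW  : $_  is not a device account but is entitled as one" }
```

The "Other" bucket is the one to look at first: since entitlements hang off the group, any ordinary user account that lands in ThinClientDevices inherits the device pool entitlement, which is exactly what the device-based model is meant to avoid.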

This is great proof that Horizon can run almost any type of desktop workload! Reach out to me for details if you would like to know more about this setup.

Meanwhile, you can read more about Kiosk Mode in this whitepaper:

And on disabling SSO for specific virtual desktop machines:

Have a great day!
