Workspace ONE Access Horizon Args

I had an interesting customer use case last week that called for some ingenuity with how we establish Horizon app launch URIs in Workspace ONE Access. In short, a 3rd party agency required management access to retail location IoT devices on a closed network. These contractors were road warriors of sorts; sometimes onsite, but more often than not, out in the field servicing other customers of their own. We call this the “managed aisle” use case in my world, referencing a common retail arrangement where 3rd party vendors manage certain retail product aisles in a store (i.e. beverages). The customer was already using Workspace ONE as the unified app catalog for their enterprise and third party MSPs, publishing an assortment of management and enterprise tools that could only be accessed when on the intranet. They also had an existing Horizon RDS farm deployed with the same management suite for badged resources to perform similar functions on company-owned equipment. So the question became, how could we breadcrumb the user experience in such a way that a contractor could continue consuming applications […]

My #HomeLab: Q4 '19 Update

Opening Most of you might have noticed the hiatus I’ve taken from the WS1 + Azure AD series; not to worry, this is only in anticipation of several interesting product changes that are relevant for the series. We will resume once those are in place later this year. In the interim, I’m taking advantage of the down time to do some infrastructure and architecture housekeeping. You might recall from my #homelab post that I mentioned a few tasks I’d like to see to completion before the end of the year. Namely, Add a fourth host to the vSAN cluster in order to support automatic rebuild in the event of a host-level failure Migrate the NSX-T 2.4 install base to the new Corfu structure – in effect, migrating the configuration to the Simplified UI Upgrade vSphere from 6.7U1 to 6.7U3 An item that I hadn’t originally planned, but ultimately implemented, was removing many of the overlay uplinks in each host to a consolidated N-VDS hosting vSAN, vMotion, the host TEPs, and edge VLAN uplinks. So let’s jump into some of these […]

Workspace ONE and Azure AD: Part 2

Opening Part 1 of this series opened with the business aspects of making investments in Workspace ONE and Microsoft 365, as well as how to integrate both platforms for adopting new use cases. Part 2 will cover how to create the unified app catalog, providing each of our personas with an “any app, any device, at any time” experience. This function is what enables the vast array of personas to consume a common set of resources from their preferred platform, all with dynamic forms of single sign-on to maintain a healthy security posture. It’s also one of the four key value adds from Workspace ONE Advanced. Architecture Very quickly, let’s remind ourselves of the architecture we’re working from in this series: To quote the excerpt from Part 1: Take notice that the end users begin consuming various services and applications by first launching the Workspace ONE app catalog, regardless of the federated architecture. The value add from this flow is that our users can go to one location, the Unified App Catalog, to consume any application or resource across the […]

NSX-T LBaaS with Workspace ONE Access

Opening A few homelab versions back, I exclusively ran NSX-v LBaaS for all things “edge”. I’ve since had the opportunity to shift over to F5 BIG-IP, and now Avi Networks (welcome to the VMware family!), but still asked on numerous occasions to provide guidance on how to load balance Workspace ONE Access with NSX. Let me just say, the world is moving to NSX-T; it’s time you do the same. So without further ado, let’s dig into the recipe for how to load balance Workspace ONE Access with NSX-T. Pre-Requisites Only a handful of things to account for here: Functional NSX-T 2.4 Environment – For the below, I am using a highly available NSX-T 2.4.0 Manager cluster, with dual ‘large’ sized virtual Edge Nodes Functional Workspace ONE Access Node – I’m using an on-premises 1903 cluster below. Keep in mind, to implement a functional cluster, you will need to change the FQDN which won’t be possible without the below implemented. For now, start with one node, then follow the instructions for establishing a 3 node cluster. Here’s a great document […]

Workspace ONE and Azure AD: Part 1

Opening Often times when working with customers, I get the impression that there is a strong sense of confusion when discussing the integration of a platform such as Microsoft 365 with 3rd party ecosystems. After all, an investment in M365 comes with many features and functions, so where do platforms like Workspace ONE fit in? My friends, welcome to my day job and one true passion in life. Remember the saying, “do what you love and you’ll never work a day in your life.” This mini-series is aimed at breaking down the often encountered silos so that you can articulate and deliver a best-in-class end user experience using the analogous functions from two best-in-class platforms: Workspace ONE and Azure AD. We’ll briefly cover the major use cases of stitching these two ecosystems together, and why this fabric is critical to adoption and value realization. Note to reader: The scope of this mini-series will be limited to what you are capable of doing with these platforms today. The partnership announcement will most certainly have a positive impact on the below, and […]

#HomeLab Networking

Preamble I mentioned in my inaugural post that attempting to cover the network design for the #homelab in one post wasn’t going to cut it. Alas, here we are; I’ve successfully migrated to NSX-T 2.4 Policy Manager (the Corfu structure) and made a few tweaks to the underlay, so it’s time to dive deep. Be prepared, this is a lengthy post and stands to evidence my previous statement about “being sensitive to security architecture”. I don’t claim to be a networking expert, and much of what I’ve picked up outside of NSX has been self taught using the wonderful #homelab. Overview Truer words have never been spoken than the image above. What started in the beginning as one layer 2 boundary has now become various layer 3 zones all peered over a mix of eBGP and iBGP. Before I go into the gory details of rails, uplinks and overlays, a quick view at what we’re building up to: The top half of this view shows physical uplinks and VLAN rails within the physical boundaries, while the lower half shows the […]

#VMworld 2019

EDIT [9/8/19]: Here is the recorded version of our session if you weren’t able to attend: Session Recording Slides Leader board (@lamw) EDIT [8/9/19]: See https://blogs.vmware.com/euc/2019/08/vmworld-workspace-one.html for ‘Can’t Miss’ sessions to register for! It’s that time of year again; #VMworld 2019 is less than 3 weeks away, but the content catalog is live for you to book your conference schedule. A few sessions you might be interested in checking out: Workspace ONE and Azure AD Integration: Deep Dive from the Trenches [DEE2023BU] – Ryan Costello and I will dive deep on how to deliver a rich end-user experience with your investments in Workspace ONE and Azure AD/Office 365. This is 300 level configuration with live demos, so bring your tablets and notebooks! If you’re a fan of my recent post on the WS1 UEM SCIM Adapter fling, come checkout Joe and I give a LIVE DEMO in the Solution Exchange on Wednesday from 10:00AM-12:30PM PST, booth #949. Look for the “Innovation Accelerating Transformation” headline above the kiosks. Sneak peek! Stay tuned here for information on an additional session not yet […]

WS1 UEM SCIM Adapter

Today is an exciting day. It’s my first experience developing a VMware Fling, and it’s is the GA release of what Joe Rainone and I put hours of laborious love into. Identity is not only our day job, but also an area that we are both very passionate about. Our belief is that this Fling, while unsupported, answers a question that many of our customers ask when designing production Workspace ONE deployments. Take a look, play around, and please provide feedback here! What is the Fling about? The SCIM protocol is quickly modeling after what SAML brought to identity management almost 15 years ago: a common way to establish resource identity in a service-to-service architecture. Gone are the days where LDAP and Active Directory are the primary systems of record. This concept is particularly enhanced as EUC platforms like Microsoft Azure, VMware Workspace ONE, and others provide native directory services while maintaining a common identity among themselves and their relying parties. Furthermore, the burden of maintaining ‘connector’-like infrastructure for the sole purpose of identity synchronization not only diminishes the value […]

My #HomeLab

Preamble The time has finally come for an inaugural VP blog post, and what better way to kick this off than covering the #homelab? This quintessential tool has been the topic of many conversations (go checkout thevpad.com if that isn’t already obvious) and is, in my opinion, table stakes to a successful career in this industry. I started out with a humble 2 node ROBO vSAN cluster on whitebox chassis. Growing pains led me to what I have today, but rest assured that everyone has a starting point and there’s no shame in that fact. Consider yourself “ahead of the crowd” just by taking the first step; initiative and persistence are key to mastering this industry. Some believe that this tool should be subsidized; I fundamentally disagree. Your career requires constant maintenance and investment in order to provide fruits of your labor. If you have arrived at this post, I assume you concur. Enough of the opinion column, let’s jump into the real reason why you are. Overview Covering the #homelab build in one post isn’t going to cut it. […]