Tag Archives: VMware Workspace ONE Access

Stop syncing Disabled user accounts into the VMware Workspace ONE Access – Directory Sync

6 Sep

We had many Disabled accounts that were getting synced into the Workspace ONE Access (WoA) from the Directory Sync – Active Directory with IWA operation. The challenge here been no standards to cater for Disable accounts in the Active Directory. I decided to stop syncing the disabled accounts into WoA. Thanks for the exclusion filter feature that came in handy, and the following are the detailed steps.

  • Exclusion filter to stop syncing the Disabled accounts
  • Safeguards adjustment (Optional)
  • Why did we had to stop syncing Disable accounts?

Exclusion filter to stop syncing the Disabled accounts

Login to your WoA portal with administrative privileges and go to the following path – Identity & Access Management –> Directories –> Select the Directory with Active Directory & IWA –> Sync Settings –> Users

Add the filter to exclude the disabled users:

userAccountControl – contains – 514
Note – 514 = Disabled Accounts

userAccountControl – contains – 66050
Note – 66050 = Disabled, Password Doesn’t Expire

Note – I found this helpful blog which described all the UAC attributes/values in detail – UserAccountControl Attribute/Flag Values | Jack Stromberg

WoA – Users

The above will take care of not syncing the Disable user accounts into the WoA directory. However, in our scenario, the number of disable accounts were very high, and the Safeguards kick-in to protect mass deletion.

Safeguards Adjustment (Optional)

This is an optional step depending on your environment. It might need tweaking, and I am highlighting the values that need to be tweaked if it involves mass deletion (Note – these values are for experimental purposes only). Note – Please switch the value back to default after the mass deletion activity is completed. The Safeguards feature a real blessing to control WoA Directory Sync accidents against any human/automation errors.

WoA – Safeguards

Why we had to stop syncing disable accounts?

I ran into an issue where-in users had multiple accounts with 1 active/1 disabled. The email address attributes were the same in both the accounts, which will have a conflict when the end-user tries to login. This becomes evident once we switched our identity to 3rd party IDP – Azure Active Directory, where the primary NAMEID attribute is the email address.

I hope you will find these steps helpful to stop syncing disabled accounts into WoA Access – Directory Sync.

Thanks,
Aresh Sarkari

VMware EUC – Horizon, UAG, VIDM and AppVolumes – NSX Load Balancing – Health Check Monitors

2 Feb

There is no single place to find a consolidated list of Load balancer health check monitors (aka Service Monitors in NSX) for the VMware EUC products:

I have been using VMware NSX load balancer across the board. The below details will provide an overview of what to enter for the health monitors. Note – If you are using something more meaningful  for your environment leave feedback in the comments section. I will try to implement the same and update the blog later.

VMware Unified Access Gateway (UAG)

Create a new Service Monitor under NSX and call is UAG_https_monitor. Refer to the screenshot for more details.

UAG Service Monitor

Send String: GET /favicon.ico
Response code: 200s

VMware Identity Manager or Workspace ONE Access

Create a new Service Monitor under NSX and call is VIDM_https_monitor. Refer to the screenshot for more details.

VIDM Service Monitor
Send String: GET /SAAS/auth/login
Response code: 200s

VMware Horizon Connection Servers

Update 13th Sep 2021 – For all Horizon version 7.10 and above please start using the following service monitor within NSX.

Send String: GET /favicon.ico
Response code: 200s

You can use this string for versions 7.7 or upto 7.10. Create a new Service Monitor under NSX and call is Horizon_https_monitor. Refer to the screenshot for more details.

image
Send String: GET /broker/xml/
Receive string: /styles/clientlaunch-default

VMware App Volumes

Create a new Service Monitor under NSX and call is AV_https_monitor. Refer to the screenshot for more details.

AV Service Monitor

I hope you will find these monitors useful in monitoring the VMware EUC products.

Thanks,
Aresh Sarkari