Restrict VMware Horizon Users from using UAG remotely

No remote access for you!

Today I was asked by a client if there was a way to restrict a group of users from accessing a VMware Horizon environment from the internet using the Universal Access Gateways (UAGs). I wasn’t sure if this was possible, as most environments I work on leverage permissions on the pool level and not internal/external, but after a little digging, it turns out you can (sort of) via a new Remote Access tab in Horizon 7.6.

The answer is only "sort of" because you can’t explicitly RESTRICT a user group. Instead, you explicitly enable everyone else.

In View Administrator, go to Users and Groups and then Remote Access.

This tab will most likely be blank. As long as it is blank, there are no restrictions in your environment. Once you start adding groups to this tab, you must add enough groups to cover everyone you WANT to be able to access the environment remotely via the UAG. Consider this a global option, so be sure to verify that users from all Desktop Pools have the appropriate access. It would be nice to just add in a restrictive group, but that is not how it works. I would assume in most environments that have this layer of restrictive access, the people ALLOWED to use the system remotely are typically the minority (managers, admins, etc.). In that scenario, adding the users who should have remote access to the tab makes sense.

Once you add the groups to the Remote Access tab, you must also verify that you have defined your UAGs as External.

At this point, only Users and Groups defined in the Remote Access tab in View Administrator will be able to use the UAGs for access.  Internal users will have no issues connecting directly to the Brokers though.
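Because the tab is an allowlist, it is worth checking coverage before you populate it. The following is an added example (not part of the original post and not VMware code) that models the behaviour described above and reports which pool-entitled users a proposed set of Remote Access groups would allow or block through the UAG. All group, user and pool names are constructed, `must_stay_internal` is a hypothetical parameter for the group you want kept off remote access, and memberships are assumed to be already flattened (nested groups resolved).

```python
# Added example: models the Remote Access tab semantics described in this post.
# All names below are constructed sample data, not values from a real environment.

def remote_access_allowed(user_groups, remote_access_groups, via_external_gateway):
    """Return True if a connection would pass the Remote Access check."""
    if not via_external_gateway:
        return True   # direct connections to the brokers are not affected
    if not remote_access_groups:
        return True   # blank tab: no restrictions at all
    return bool(set(user_groups) & set(remote_access_groups))

def coverage_report(memberships, pool_entitlements, remote_access_groups,
                    must_stay_internal):
    """Classify pool-entitled users by what the proposed tab contents would do."""
    entitled_groups = set().union(*pool_entitlements.values())
    internal_only = set(must_stay_internal)
    report = {"allowed": [], "blocked": [], "unintended_allow": []}
    for user, groups in sorted(memberships.items()):
        if not set(groups) & entitled_groups:
            continue  # no desktop pool entitlement, nothing to check
        allowed = remote_access_allowed(groups, remote_access_groups, True)
        if allowed and set(groups) & internal_only:
            # A second group membership lets the user in anyway.
            report["unintended_allow"].append(user)
        elif allowed:
            report["allowed"].append(user)
        else:
            report["blocked"].append(user)
    return report

# Constructed sample data (flattened group memberships per user).
MEMBERSHIPS = {
    "alice": ["Managers", "Finance-VDI"],
    "bob":   ["Finance-VDI", "Contractors"],
    "carol": ["HelpDesk-VDI", "Horizon-Remote"],
    "dave":  ["HelpDesk-VDI", "Horizon-Remote", "Contractors"],
    "erin":  ["Printers"],
}
POOLS = {"Finance-Pool": {"Finance-VDI"}, "HelpDesk-Pool": {"HelpDesk-VDI"}}
PROPOSED_TAB = ["Managers", "Horizon-Remote"]   # groups to add to Remote Access
MUST_STAY_INTERNAL = ["Contractors"]            # group the client wants kept off the UAG

if __name__ == "__main__":
    for label, tab in (("blank tab", []), ("proposed tab", PROPOSED_TAB)):
        print(label, coverage_report(MEMBERSHIPS, POOLS, tab, MUST_STAY_INTERNAL))
```

Review the `blocked` list for anyone who should have remote access, and the `unintended_allow` list for users in the restricted group who are still covered through another group on the tab.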

Happy Friday!

Carlo
