This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Kilian_Huber
Participant
‎2019-03-31 07:35 AM

Endpoint Security on VMware Horizon View with Instant Clones

Jump to solution

Does anybody have any experience with running Endpoint Security in a VMware Horizon View infrastructure with instant clones? I have found two related threads on CheckMates here (here and here) but they are not really conclusive to me.

If working with Instant Clones, the EP client would be deployed on the master image. Whenever a new VDI session is being established to Horizon View, a new clone of this image would be deployed. However, since the EPGUID of the master is already registered with the EPS server, the clone would not be able to synchronize with the EPS server (duplicate EPGUID on the server). Are my assumptions correct? Is there any design guide or paper whatsoever on this subject? I can't find anything neither in SK nor in the admin guides. I also cannot find an explicit statement as to the support of Endpoint Security with VMware Horizon View.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-03-31 09:29 AM

Jump to solution

In general we have plans to support VDI environments later this year. Recommend connecting with your local office on this.

You are correct in that once an EPGUID registers, you can’t “clone” it and expect it work, at least not without performing extra steps.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2019-03-31 09:29 AM

Jump to solution

In general we have plans to support VDI environments later this year. Recommend connecting with your local office on this.

You are correct in that once an EPGUID registers, you can’t “clone” it and expect it work, at least not without performing extra steps.

0 Kudos
Kilian_Huber
Participant
‎2019-04-08 07:09 AM
In response to PhoneBoy

Jump to solution

I have spoken to several Check Point representatives now (TAC, local office) and here is what I have so far:

  • VDIs in non-persistent mode are not supported, not working and are currently not planned to be supported in an upcoming release for which a release date can be given
  • VDIs in persistent mode are basically working, however such deployments are also not supported. Should be supported though from Client Version E81 onwards which should be released in May 2019

We see an increasing number of customers interested in or switching to VDIs and they like the non-persistent mode (aka instant clones) as it simplifies patching significantly and saves disk space.

0 Kudos
SystemICPO
Explorer
‎2019-05-23 09:05 AM
In response to Kilian_Huber

Jump to solution
Same here, I think Checkpoint need to clarify the situation with the management of Virtualized desktops
0 Kudos
Daniel_Taney
Advisor
‎2019-05-23 01:29 PM
In response to SystemICPO

Jump to solution

I am not well versed in VMware Horizon, but have you seen the release notes for E81.00?

They mention "Virtual desktop infrastructure (VDI) Persistent Support for VMWare Horizon" I don't know if this helps with what you were hoping to accomplish or not?

R80 CCSA / CCSE
0 Kudos
Kilian_Huber
Participant
‎2019-05-24 12:59 AM
In response to Daniel_Taney

Jump to solution

Not really - persistent mode was actually already working (although not officially supported) but persistent mode is basically just a virtualized workstation. It has its own persistent virtual disk and is a full Windows installation, so if you have 500 clients you need to patch and update 500 individual clients. With non-persistent mode, there is - basically - one master image which is being cloned the moment a user logs in and is being destroyed when the user logs out. So disk space is only used when the virtual machine is actually in use. And if you need to patch and update software, you only need to do this on the master image. It's a really nice technology but of course software like Check Point Endpoint Security (and other Endpoint Security products) are not working because they rely on their own unique identifiers for workstations but the non-persistent VDI clients are all clones of one master image.

0 Kudos
James_Hnasko
Participant
‎2019-09-10 05:25 PM
In response to PhoneBoy

Jump to solution

Any update on this topic? Does 81.30 support instant clones?

0 Kudos
Kilian_Huber
Participant
‎2019-09-11 06:14 AM
In response to James_Hnasko

Jump to solution

I don't think so, the release notes for E81.30 don't state anything related to VDI deployments and since the feature would constitute a significant change in the way endpoint clients communicate with policy servers, I assume it would be something that you would find in the release notes.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-13 03:41 PM
In response to Kilian_Huber

Jump to solution
Based on the following SK, Persistent-mode VDI should be supported as of E81: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Instant Clones are not currently supported.
If you're interested in this, I recommend engaging with your local Check Point office.
0 Kudos