This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kilian_Huber
Contributor
‎2019-03-31 07:35 AM
Jump to solution

Endpoint Security on VMware Horizon View with Instant Clones

Does anybody have any experience with running Endpoint Security in a VMware Horizon View infrastructure with instant clones? I have found two related threads on CheckMates here (here and here) but they are not really conclusive to me.

If working with Instant Clones, the EP client would be deployed on the master image. Whenever a new VDI session is being established to Horizon View, a new clone of this image would be deployed. However, since the EPGUID of the master is already registered with the EPS server, the clone would not be able to synchronize with the EPS server (duplicate EPGUID on the server). Are my assumptions correct? Is there any design guide or paper whatsoever on this subject? I can't find anything neither in SK nor in the admin guides. I also cannot find an explicit statement as to the support of Endpoint Security with VMware Horizon View.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-03-31 09:29 AM
Jump to solution

In general we have plans to support VDI environments later this year. Recommend connecting with your local office on this.

You are correct in that once an EPGUID registers, you can’t “clone” it and expect it work, at least not without performing extra steps.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2019-03-31 09:29 AM
Jump to solution

In general we have plans to support VDI environments later this year. Recommend connecting with your local office on this.

You are correct in that once an EPGUID registers, you can’t “clone” it and expect it work, at least not without performing extra steps.

0 Kudos
Kilian_Huber
Contributor
‎2019-04-08 07:09 AM
In response to PhoneBoy
Jump to solution

I have spoken to several Check Point representatives now (TAC, local office) and here is what I have so far:

  • VDIs in non-persistent mode are not supported, not working and are currently not planned to be supported in an upcoming release for which a release date can be given
  • VDIs in persistent mode are basically working, however such deployments are also not supported. Should be supported though from Client Version E81 onwards which should be released in May 2019

We see an increasing number of customers interested in or switching to VDIs and they like the non-persistent mode (aka instant clones) as it simplifies patching significantly and saves disk space.

0 Kudos
SystemICPO
Explorer
‎2019-05-23 09:05 AM
In response to Kilian_Huber
Jump to solution

Same here, I think Checkpoint need to clarify the situation with the management of Virtualized desktops
0 Kudos
Daniel_Taney
Advisor
‎2019-05-23 01:29 PM
In response to SystemICPO
Jump to solution

I am not well versed in VMware Horizon, but have you seen the release notes for E81.00?

They mention "Virtual desktop infrastructure (VDI) Persistent Support for VMWare Horizon" I don't know if this helps with what you were hoping to accomplish or not?

R80 CCSA / CCSE
0 Kudos
Kilian_Huber
Contributor
‎2019-05-24 12:59 AM
In response to Daniel_Taney
Jump to solution

Not really - persistent mode was actually already working (although not officially supported) but persistent mode is basically just a virtualized workstation. It has its own persistent virtual disk and is a full Windows installation, so if you have 500 clients you need to patch and update 500 individual clients. With non-persistent mode, there is - basically - one master image which is being cloned the moment a user logs in and is being destroyed when the user logs out. So disk space is only used when the virtual machine is actually in use. And if you need to patch and update software, you only need to do this on the master image. It's a really nice technology but of course software like Check Point Endpoint Security (and other Endpoint Security products) are not working because they rely on their own unique identifiers for workstations but the non-persistent VDI clients are all clones of one master image.

0 Kudos
James_Hnasko
Participant
‎2019-09-10 05:25 PM
In response to PhoneBoy
Jump to solution

Any update on this topic? Does 81.30 support instant clones?

0 Kudos
Kilian_Huber
Contributor
‎2019-09-11 06:14 AM
In response to James_Hnasko
Jump to solution

I don't think so, the release notes for E81.30 don't state anything related to VDI deployments and since the feature would constitute a significant change in the way endpoint clients communicate with policy servers, I assume it would be something that you would find in the release notes.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-13 03:41 PM
In response to Kilian_Huber
Jump to solution

Based on the following SK, Persistent-mode VDI should be supported as of E81: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Instant Clones are not currently supported.
If you're interested in this, I recommend engaging with your local Check Point office.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events