How to Access the VDI & DaaS Web UI

    Note for versions earlier than 9.0

    The login methods described in this article are relevant only for Real-Time DX version 9.0 or higher. If you are using an earlier version, read this article to learn how a user can sign in to the VDI & DaaS web UI.

    After you sign in to the DEX platform web application (app.controlup.com), go to the VDI section to access the VDI & DaaS Web UI.


    If your ControlUp organization meets the prerequisites, and your ControlUp account has the required permissions, then you are automatically signed in to your VDI & DaaS environment.

    Optionally, you can enable LDAP authentication/authorization. Read below for details.

    Prerequisites

    • Real-Time DX 8.7 and later.
    • ControlUp Monitors must be running.
    • Port 443 must be available from the ControlUp Monitors to communicate to the web UI.
    • TCP ports required for connecting to the ControlUp Monitors:
      • RPC/WMI - for monitor deployment via the console.
      • 40706 - for monitor management.
    • If you use proxy authentication, the supported methods are Negotiate proxy and Basic proxy. NTLM-based proxy authentication is not supported.

    Required user permissions

    Your ControlUp account must have the permission Access VDI & DaaS. Without this permission, the VDI & DaaS section is grayed out and unclickable. Learn how to assign this permission.

    Your ControlUp account or your AD user (depending on whether you have enabled LDAP) must have one of the following permissions assigned in the Real-Time Console Security Policy:

    • Use Web Application to access the VDI web UI.
    • Manage Web Application to access the VDI web UI and perform administrative actions.

    To grant these permissions:

    1. In the Real-Time Console, click Security Policy on the bottom tab and identify a role with the relevant permission assigned. If none of your roles has the permission assigned, you can click Not Set and set the status to Allow.

    2. Click Manage Roles.

    3. Select the role that has the relevant permission and click Edit > Add Users/Groups.

    4. To add ControlUp accounts to the role:

      1. Set Provider to ControlUp.

      2. Set Search options to Users to search for individual ControlUp accounts, or set Search options to Groups to search for SAML SSO groups. Note that to add SSO groups to a role, you must have configured SSO groups with ControlUp and your IdP.

      3. Select users or groups to add to the role and click OK.

    5. To add AD users to the role:

      1. Set Provider to Local AD and search for either users or security groups.

      2. Select users or groups to add to the role and click OK.

    Optional: enable LDAP and sign in with an Active Directory user

    To sign in to VDI & DaaS using LDAP, go to Global Settings > User Settings > Login Methods and enable Sign-in to VDI & DaaS with LDAP.

    Tip

    You can set the VDI & DaaS login method per user by overriding the default login methods. For example, you might want your daily ControlUp users to use LDAP, but allow some special users to access your VDI & DaaS environment without requiring an AD user.

    The sign-in procedure depends on whether you are using SAML:

    • If you sign in to DEX with OAuth or a username and password, then you must enter a UPN and password to access your VDI environment. If ControlUp detects multiple AD users connected to your UPN, you can select which user to use. Your selection is remembered the next time you sign in.
    • If you sign in to DEX with SAML, then the user attributes sent by your IdP (email address, UPN, sAMAccountName, distinguishedName) are used to identify an AD user for authorization against the Real-Time Console Security Policy.

    If either your ControlUp account or your AD user has the permission Use Web Application in your Real-Time Console Security Policy, then you are allowed access to your VDI & DaaS environment. If either of those accounts is explicitly denied the permission Use Web Application, you are not allowed to access your VDI & DaaS environment.

    After you have signed in, both accounts (your ControlUp account and your AD user) are used to determine if you are allowed to perform a particular action:

    • If either account has permission to perform the action, then you are allowed to perform the action.
    • If either account is explicitly denied permission to perform the action, then you are not allowed to perform the action.
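
    The two rules above, modeled for an access review. This is an added example, not ControlUp code or a ControlUp API: the `Setting` states, function names and sample rows are constructed, and it assumes that an explicit deny on one account overrides an allow on the other.

```python
from enum import Enum


class Setting(Enum):
    NOT_SET = "Not Set"
    ALLOW = "Allow"
    DENY = "Deny"


def is_allowed(controlup, ad_user=None):
    """Effective result for one permission; ad_user is None when LDAP sign-in is off.

    Assumption: an explicit deny on either identity overrides an allow on the other.
    """
    settings = [s for s in (controlup, ad_user) if s is not None]
    if Setting.DENY in settings:
        return False
    return Setting.ALLOW in settings


def access_source(controlup, ad_user=None):
    """Explain which identity decides the outcome, for access reviews."""
    if not is_allowed(controlup, ad_user):
        denied = Setting.DENY in (controlup, ad_user)
        return "blocked by explicit deny" if denied else "no allow on either identity"
    granted = [name for name, s in (("ControlUp account", controlup), ("AD user", ad_user))
               if s is Setting.ALLOW]
    return "allowed via " + " and ".join(granted)


# Constructed sample: (sign-in, ControlUp account setting, AD user setting)
# for the permission "Use Web Application".
SAMPLE = [
    ("alice@example.com", Setting.ALLOW, None),
    ("bob@example.com", Setting.NOT_SET, Setting.ALLOW),
    ("carol@example.com", Setting.ALLOW, Setting.DENY),
    ("dave@example.com", Setting.NOT_SET, Setting.NOT_SET),
]


def review(rows):
    """Map each sign-in to the reason for its effective access."""
    return {user: access_source(cu, ad) for user, cu, ad in rows}


if __name__ == "__main__":
    for user, outcome in review(SAMPLE).items():
        print(f"{user:20} {outcome}")
```

    Rows reported as "allowed via AD user" are the ones to check when LDAP sign-in is enabled, because the access comes from AD role membership rather than from the ControlUp account.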
