How to Access the VDI & DaaS Web UI

    Note for versions lower than 9.0

    The login methods described in this article are relevant only for Real-Time DX version 9.0 or higher. If you are using a lower version, read this article to learn how a user can sign in to the VDI & DaaS web UI.

    After you sign in to the DEX platform web application (app.controlup.com), go to the VDI section to access the VDI & DaaS Web UI.

    If your ControlUp organization meets the prerequisites, and your ControlUp account has the required permissions, then you are automatically signed in to your VDI & DaaS environment.

    Optionally, you can enable LDAP to sign in with an Active Directory user. Read below for details.

    Prerequisites

    • Real-Time DX 9.0 and higher.
    • ControlUp Monitors must be running.
    • Port 443 must be available for the ControlUp Monitors to communicate with the web UI.
    • TCP ports required for connecting to the ControlUp Monitors:
      • RPC/WMI - for monitor deployment via the console.
      • 40706 - for monitor management.
    • If you use proxy authentication, the supported methods are Negotiate proxy and Basic proxy. NTLM-based proxy authentication is not supported.

    Required user permissions

    To access the VDI & DaaS web UI, you must have the relevant permissions in both the DEX web UI and the Real-Time Console Security Policy.

    Permissions in the DEX web UI

    Your ControlUp account must have at least one permission in the Access VDI & DaaS permission category:

    • Access Overview page lets a user view the Overview tab of the VDI & DaaS web UI to view dashboards.
    • Access Details page lets a user view the Details tab of the VDI & DaaS web UI to drill down into machines, sessions, folders, etc.

    If you don't have at least one of the above permissions, then the VDI & DaaS icon is grayed-out and unclickable.

    Security limitation with web UI permissions

    While you can use permissions to block a user's access to either the Overview page or the Details page, these restrictions apply only to the UI. If a user has at least one of these permissions, then that user can access our backend API to view the raw data for both pages if they have the right technical knowledge.

    Permissions in the Real-Time Console Security Policy

    Your ControlUp account or your AD user (depending on whether you have enabled LDAP authorization) must have one of the following permissions assigned in the Real-Time Console Security Policy:

    • Use Web Application to access the VDI web UI.
    • Manage Web Application to access the VDI web UI and perform administrative actions.

    To grant these permissions:

    1. In the Real-Time Console, click Security Policy on the bottom tab and identify a role with the relevant permission assigned. If none of your roles has the permission assigned, you can click Not Set and set the status to Allow.

    2. Click Manage Roles.

    3. Select the role that has the relevant permission and click Edit > Add Users/Groups.

    4. To add ControlUp accounts to the role:

      1. Set Provider to ControlUp.

      2. Set Search options to Users to search for individual ControlUp accounts, or set Search options to Groups to search for SAML SSO groups. Learn more about assigning roles with SSO groups.

      3. Select users or groups to add to the role and click OK.

    5. To add Active Directory users to the role:

      1. Set Provider to Local AD and search for either users or security groups.

      2. Select users or groups to add to the role and click OK.

    Optional: enable LDAP and sign in with an Active Directory user

    To sign in to VDI & DaaS using LDAP, go to Global Settings > User Settings > Login Methods and enable Sign-in to VDI & DaaS with LDAP.

    Tip

    You can set the VDI & DaaS login method per-user by overriding the default login methods. For example, you might want your daily ControlUp users to use LDAP, but allow some special users to access your VDI & DaaS environment without requiring an AD user.

    The sign-in procedure depends on whether you are using SAML:

    • If you sign in to DEX with OAuth or a username and password, then you must enter a UPN and password to access your VDI environment. If ControlUp detects multiple AD users connected to your UPN, you can select which user to use. Your selection is remembered the next time you sign in.
    • If you sign in to DEX with SAML, then the user attributes sent by your IdP (email address, UPN, sAMAccountName, distinguishedName) are used to identify an AD user for authorization against the Real-Time Console Security Policy.

    If either your ControlUp account or your AD user has the permission Use Web Application in your Real-Time Console Security Policy, then you are allowed access to your VDI & DaaS environment. If either of those accounts is explicitly denied the permission Use Web Application, you are not allowed to access your VDI & DaaS environment.

    After you have signed in, both accounts (your ControlUp account and your AD user) are used to determine if you are allowed to perform a particular action:

    • If either account has permission to perform the action, then you are allowed to perform the action.
    • If either account is explicitly denied permission to perform the action, then you are not allowed to perform the action.
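
    The two-account rule above, modelled as an added example for reviewing a Security Policy (this is not ControlUp code). The status label "Deny", the input layout, and the user names are constructed, and treating an explicit deny on either account as overriding an allow on the other is an assumption of this example.

```python
# Added illustration; not ControlUp code. Statuses model the Security Policy
# states the article mentions: Allow, explicitly denied, and Not Set.
from enum import Enum
from typing import Optional


class Status(Enum):
    ALLOW = "Allow"
    DENY = "Deny"        # label chosen here for "explicitly denied"
    NOT_SET = "Not Set"


def effective(cu: Status, ad: Optional[Status]) -> bool:
    """Combine the ControlUp account and the AD user for one permission.

    ad is None when no AD user is involved (LDAP sign-in not enabled).
    Assumption: an explicit Deny on either account overrides an Allow.
    """
    statuses = [cu] + ([ad] if ad is not None else [])
    if Status.DENY in statuses:
        return False
    return Status.ALLOW in statuses


def audit(users: list, permission: str) -> list:
    """Report the effective result per user and flag Allow/Deny conflicts."""
    report = []
    for u in users:
        cu = u["controlup"].get(permission, Status.NOT_SET)
        ad_perms = u.get("ad")
        ad = ad_perms.get(permission, Status.NOT_SET) if ad_perms is not None else None
        report.append({
            "user": u["user"],
            "allowed": effective(cu, ad),
            # One account allows while the other explicitly denies.
            "conflict": {cu, ad} >= {Status.ALLOW, Status.DENY},
        })
    return report


# Constructed sample data (hypothetical users); "ad": None means no AD user.
P = "Use Web Application"
SAMPLE = [
    {"user": "alice", "controlup": {P: Status.ALLOW}, "ad": {}},
    {"user": "bob", "controlup": {P: Status.ALLOW}, "ad": {P: Status.DENY}},
    {"user": "carol", "controlup": {}, "ad": {P: Status.ALLOW}},
    {"user": "dave", "controlup": {}, "ad": None},
]

if __name__ == "__main__":
    for row in audit(SAMPLE, P):
        print(row)
```

    Rows flagged as a conflict are the ones worth reviewing by hand, since the user's access depends on which of their two accounts carries the explicit deny.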
