Cortex XDR with VDI persitent Desktop

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR with VDI persitent Desktop

L0 Member

Hello,

 

We use the Vmware Horizon VDI solution in Instant Clone with FSLogix profiles and a dedicated machine based on a Golden Image (Automated, Instant Clone, Dedicated).

 

A user therefore always connects to the same machine, which is updated from time to time from the Golden Image and the machine is never destroyed until user leaves the company.

 

On the Golden Image, we installed the Cortex agent with the VDI option (VDI_ENABLED=1), which works well, but when the user closes his session, Cortex no longer protects the machine, which remains in "VDI Pending Login" mode. This poses a security problem because Cortex no longer protects the machine even though it is not destroyed until next login.

 

If we install Cortex in the standard way on our machines after they have been created, each time we update the machines from the Golden Image Cortex will no longer be installed and will have to be installed again, generating duplicate licenses.

 

Do you have this type of VDI infrastrucre and how did you install the agent in this case? What do you recommend ?

 

Thank you

 

2 REPLIES 2

L4 Transporter

Hi Rdesjardins,

 

Unfortunately, the license duplication issue is simply unavoidable in your situation, in the same way as license duplication would be seen when a physical desktop or laptop is re-imaged.  I would encourage you to reach out to your account team to determine what capacity you have in your current licensing and any potential options to address your unique situation.

L5 Sessionator

Hi @Rdesjardins ,

 

to add to what @afurze just mentioned, talking about VDI users on pending login not having the protection though is a corner use case, still is considerably a mechanism which can be used because VDI pending login instances automatically get decomissioned after a continuous period of idle time out(mostly 90 minutes). Considering the fact that VDI instances are created out of the golden images and if there is a possibility of the attack attempted during the pending login period, is considerably a small amount of time for attacker to complete his/her objective. I am assuming the VDI instances might be protected well on network security element to prevent the Threat actor from infiltrating the network. Also, the VDI instance will anyways be destroyed post pending login status. 

 

Generally organizations have their own compliances and you can choose to configure to disconnect the VDI instance after pending login(which means endpoint is idle) after a specified amount of time, you feel is good. This will ensure that the VDI instances are rotated well with security, which also improves performance.

 

Even Vmware suggests a lower and optimised user session timeout configuration to prevent security risks.

Idle Session Timeout Vmware 

 

Hope this helps! Please mark the response as "Accept as Solution" if that helps respond to your query.

  • 1459 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!