Anti Virus protection in RDS sessions under server 2012 R2 Standard

Hi Guys
We are building a server that will run two 2012 R2 standard servers as VM's under ESXi 5.5 Hypervisor.
One of the servers will be the host for, initially, 8 RDS accounts. This will rise later to possibly 50.

We need to ensure that user activity (which will include some internet browsing and opening of mail attachments) is protected.  How is standard AV deployed in this scenario. I have approached Sophos (our prefered AV provider) who readily provide information concerning vShield to deploy AV for VM's but RDS is not mentioned in their documentation despite my including this in my enquiry.

Can I assume that deploying AV for a VM using vShield also then protects any RDS sessions as they run in that VM's context ??? If this is the case do I need to make any specific exclusions. I don't seem to be able to google anything on this subject - maybe its obvious to some! I could do with a solid back ground doc on this subject.

This will all be running on a Proliant DL360 Gen8 with 2 x 2.3Ghz E5-2630v2 Intel Hex (6)Core Processors
and 64Gb Memory (to be upgraded after the inital 8 sessions are proven)

Do we have any security concious VMware gurus out there.

TrevorWhiteIT ConsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You just run standard server AV on a terminal server.
The vmware-aware antiviruses run scanner on separate windows server (which is huge expense at your scale)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
normally the guest itself already come with its host AV (if assuming they used free one which is unlikely for enterprise setup), and since this is a VM setup AV VM appliance via hypervisor will be recommended since it does introspection (vi a agent installed) at the Guest while VM appliance is outside of Guest VM. Malware cannot inhibit the VM appliance with such ease compared inside the Guest VM.

For the case of vShield, when a guest VM tries to access a file, the vShield Endpoint Agent running on the VM notifies the Sophos security VM appliance. The security VM scans the file, if the file has changed or if a detection update has occurred since the file was last scanned. If the security VM detects a threat, access to the file is blocked, and the security VM sends an alert to Enterprise Console. Also the security VM can initiate a full scan of all the guest VMs, and schedules scans to balance the various ESXi host so as to avoid unnecessary high load due to concurrent scanning. As per norm, upon security VM detects a threat, it sends an alert to Enterprise Console too.

The SAV is not an all-in-one though has No Web Protection, No Behaviour monitoring, No Boot sectors/Suspicious Files scanning, No Adware and PUAs detection.

I do not see RDS or Email either and I suspect they required Sophos vShield or UTM and Email resp.
-For RDS scan, besides the port control and filter via UTM appliance, I do not see SAV covers that or even any Novell and RDP mapped file scanning except Windows shares and Windows mapped network drives. This was also asked in Sophos forum but no specific answer from support.
-For Email attachment scan, these files are subjected to on-access scanning as per SAV file extensions as long as within Guest OS, not certain as per via Outlook plugin though.

Some Notes -
- Only a Sophos security VM is needed on each ESXi host running the Guest VMs.
- Cannot use Sophos AV for VMware vShield to protect Guest VMs that run other AV products, as files might be scanned multiple times (due to the design of VMware vShield).
- Must power on a security VM manually whenever the ESXi host is taken out of maintenance or standby mode. Always do this before you power on the Guest VMs, so that the Guest VMs are protected immediately.
- Under (File) Extension, archive extensions are only scanned if archive scanning is enabled.

Ref - kb using Sophos AV for VMware vShield 1.0
vsphere 6 drops support for introspection.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

TrevorWhiteIT ConsultantAuthor Commented:
Hi Btan and Gheist,

Thanks for your time on this. I was having a problem following some of Btan's comments, but let me offer where I think we should be going now.

From Gheist's comment we can deploy Sophos Endpoint Protection on the RDS VM and AV on demand and on access protection will be provided for all RDS sessions. Now Sophos have versions of End Point Protection that also monitor web access, can I assume this is also covered in each RDS session when deployed at the VM???

Are there any extra exceptions that need/are suggested to be applied in this scenario??

For me, installing in the VM like this is fine, as Gheist points out, this is a small scale solution and even if we needed to introduce a further server if we scaled up further I'd still use this method. Are there any down sides??

Thanks guys, I appreciate your thoughts and time.

btanExec ConsultantCommented:
vShield v6 (or they called it NSX 6)  still has introspection - under NSX Guest Introspection that is the next gen of vShield Endpoint capabilities. You need the Guest Introspection Thin Agent component installed with VMware Tools. This feature is not installed by default, hence requires to update VMware Tools installation. This feature was known as the VMware vShield Endpoint Thin Agent prior to the ESXi 5.5 Update 2 release, which is when VMware renamed it the VMware Tools Guest Introspection plugin.

Sophos vShield only perform tasks such as file, memory and process scanning that are offloaded from Guest VM to Sophos security virtual appliance through a thin client agent (in the Guest). It is not RDS or Web specific unless Sophos confirm that. The mapped drive are in the Guest, such scan exclude the remote desktop mapped (shared) drive as compared to normal Windows mapped drive  

As a whole, Sophos security appliance only covers AV and those endpoint capability is not under Sophos security appliance. Even for Sophos Endpoint, see  (pdf) matrix showing as only a virtual machine or the standard installed inside OS. It is not a security appliance supported by Sophos. It is also not vShield Endpoint (pdf) that can manage communication between virtual machines and the secure virtual appliance, using introspection at the hypervisor layer. Sophos is vShield partners in AV scope only
The EPSEC API enables VMware anti-virus partners to integrate with vShield Endpoint by providing introspection into file activity in the hypervisor. Essential anti-virus functions are supported through this API.
However, if you have Sophos security appliance running with Guest installed with another AV engine, it is likely to face inter-operability issues it as I shared previously
Cannot use Sophos AV for VMware vShield to protect Guest VMs that run other AV products, as files might be scanned multiple times (due to the design of VMware vShield).
Endpoint filtering RDS traffic is more from firewalling perspective and for Web it is more of having Endpoint checking on access scan via file, memory and process which include the web browser. Sophos vShield appliance does not have any of a web application firewall capability to inspect web traffic per se.
btanExec ConsultantCommented:
...Adding on.... under VMWare portfolio, I believe the use case you need, it is more applicable and towards the use of vShield apps (pdf) that is a hypervisor-based application-aware firewall solution
Hypervisor-Level Firewall
•      Inbound/outbound connection control enforced at the virtual NIC level through hypervisor inspection, supporting multihomed virtual machines
•      Ability to enforce based on network, application port, protocol type (TCP, UDP), application type
•      Dynamic protection as virtual machines migrate
•      IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, Sun Remote
Procedure Call (RPC), Microsoft RPC, LDAP and SMTP; ...
You can check out this quick example in a simple config of using the Apps firewalling
TrevorWhiteIT ConsultantAuthor Commented:
I have recieved the following from Sophos:

Our Web Control module is designed primarily for use on typical endpoints used by a handful of users at any given time at most. With a Terminal Server environment, given the sheer number of lookups that would potentially need to be handled, it would be much more efficient on resources to use a gateway solution such as our Web Appliance or UTM.

Our Anti-Virus product is suitable for use on Terminal Servers with multiple concurrent users and is supported. See the following KBA for optimisations of Sophos Anti-Virus for Terminal Servers:

I have confirmation that our initial 8 users will operate fine with standard EndPoint product installed. We will investigate an alternative web access solution, possibly utilising the existing Juniper firewall or deploying a Sophos UTM, etc.

I am so sorry, Btan, I found your description and information difficult to follow. I am awarding points to Gheist as this is the route we believe is most appropriate, certainly at this point.

Thanks each for your time.

I think it will be fair to split evenly as all advices were to the point.
TrevorWhiteIT ConsultantAuthor Commented:
I am happy to split. It is just that I could not follow sufficiently - and did not benefit from the attempt.
btanExec ConsultantCommented:
noted, the key is AV is to be installed within the server and not using the hypervisor. the lengthy sharing is to apprise that it has capability to scan each guest OS as well and needed the endpoint agent running within that guest OS. However, it does not do those inspection you are looking out for. I was working towards your query

Can I assume that deploying AV for a VM using vShield also then protects any RDS sessions as they run in that VM's context ???
Specifically on whether vShield works or not - it works for scanning but not apparently suited to your use case and likely more work effort but I do see I have shared my part on vShield. Thanks gheist and trevor.

As for the point, I leave it to author good discretion then.
I just juped in when author was grading...
btanExec ConsultantCommented:
thanks gheist for sharing
We have TS with 50 concurrent office-like users at al times in a VM with local common AV.
Yes, it halves storage throughput, but for the rest no problem at all...
TrevorWhiteIT ConsultantAuthor Commented:
Guys, This is great.
Thanks so much for your continued input it is very helpful.
I now see what btan was driving at.
As stated I'm happy to split 50:50 but have needed to enquire of the admin how to do this - I can't see how to split the points after I have already allocated to Gheist.

You can "request attention", but sice other participants did not join the motion i think it is not worth moderators time.
TrevorWhiteIT ConsultantAuthor Commented:
Ok We will leave as is unless moderator comes back to me.

Just dont give me points next time we meet on the site and all are even ;)
btanExec ConsultantCommented:
no worries :)
TrevorWhiteIT ConsultantAuthor Commented:
You are Gentlemen for sure. Have good weekend when it gets here
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.