Nerdio hybrid hardening

I have a client that has hardened all their landing zones, and it's been a struggle to get Nerdio to work with both being deployed in that zone and also still being accessible to end users from any network. Now the issue is the private winget repo doesn't have hardening solutions, and even if you set up a private endpoint for the Cosmos DB, Nerdio can't see it the way Nerdio connects to it.

The hardening process of Nerdio needs some improvement, as full hardening is OK, but some customers need both a secure backend and still be able for their end users to log in to Nerdio and do their end user things like switch SSD or turn on their VM. Since the management portal and the end user portal are on the same app service, the only solution is a hybrid setup, and that breaks other things.

I really hope some improvements are done in this area so we can have the best of both worlds and not be asking end users to use VPNs.

Splitting the end user and admin portal into their own app services could be a way, maybe?

3

Comments (4 comments)

0
Carl Long
Thank you for your feature request—your input helps shape our roadmap.

Next steps:
     • We will review your request and update its status as it moves through the evaluation process.
     • If we need more details, we'll reach out in the comments.

We also welcome additional feedback and votes from the community.
0
Chad Manzer

We weren’t able to include winget in the initial hardening scope due to a few challenges, but we are actively working on it and expect to add support in an upcoming release.

Regarding separating the NME Admin Console from the User Self-Service Portal, it’s unlikely we’ll be able to fully isolate them. Both are effectively control planes for AVD/Windows 365 and therefore share similar security considerations. If the security posture is to restrict access to the Nerdio Manager console from the internet, the same approach should generally apply to the end-user self-service portals as well.

That said, there’s an interesting option I've seen some customers adopt: publish a browser via RemoteApp with its home page set to the NME User Self-Service Portal, and make that RemoteApp available to all users who need access. 

Thanks,

0
Christophe Fettouhi

I understand that you can't just split them up, but if you want to give better support and not force companies to have to do weird workarounds, then this should be on your roadmap to find a solution to this. You have an end user ability in Nerdio and want to offer hardening also. Striving to have both options should be a goal.

0
Stefan Beckmann

I have a few hardened environments, and so far, customers have been able to live with not being able to log in from outside. If I ever have this use case, I will probably suggest an application gateway or WAF... And here it would be better to have a subpage to have a clear separation. Then you could publish the user page externally, but not the /admin page. A further web app would need to be carefully considered. I would also have liked to see the new option as an admin to view the user portal, which would be a little clearer, e.g., with /admin or a switcher.
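The path-based split Stefan describes, as an added illustration rather than configuration from Nerdio or from any commenter in this thread: an Azure Application Gateway WAF policy (ARM JSON) whose custom rules let the user-facing paths through the public listener while an `/admin` prefix is only reachable from one corporate address range and is blocked from everywhere else. The `/admin` prefix is an assumption (the thread itself notes that NME does not currently separate the two portals by subpage), and the policy name, API version, rule names, priorities and the 203.0.113.0/24 range (a documentation range, not a real network) are all constructed for this example.

```json
{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2023-09-01",
  "name": "nme-hybrid-waf",
  "location": "[resourceGroup().location]",
  "properties": {
    "policySettings": { "state": "Enabled", "mode": "Prevention" },
    "managedRules": {
      "managedRuleSets": [ { "ruleSetType": "OWASP", "ruleSetVersion": "3.2" } ]
    },
    "customRules": [
      {
        "name": "AllowAdminFromCorpRange",
        "priority": 5,
        "ruleType": "MatchRule",
        "action": "Allow",
        "matchConditions": [
          {
            "matchVariables": [ { "variableName": "RequestUri" } ],
            "operator": "BeginsWith",
            "matchValues": [ "/admin" ],
            "transforms": [ "Lowercase" ]
          },
          {
            "matchVariables": [ { "variableName": "RemoteAddr" } ],
            "operator": "IPMatch",
            "matchValues": [ "203.0.113.0/24" ]
          }
        ]
      },
      {
        "name": "BlockAdminFromInternet",
        "priority": 10,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
          {
            "matchVariables": [ { "variableName": "RequestUri" } ],
            "operator": "BeginsWith",
            "matchValues": [ "/admin" ],
            "transforms": [ "Lowercase" ]
          }
        ]
      }
    ]
  }
}
```

Two points a practitioner would check before relying on this. First, the conditions inside one custom rule are ANDed and rules are evaluated in priority order, and an `Allow` match in an Application Gateway custom rule ends evaluation for that request, managed OWASP rules included, so the allow rule should stay as narrow as the address range permits. Second, a path rule only protects what actually lives under the prefix: if the admin console and the self-service portal share back-end API routes, those routes remain reachable from the user side, which is exactly why the thread asks for a clear separation. The App Service behind the gateway should also carry its own access restriction so that the gateway is the only way in and the rule cannot be bypassed by calling the app host directly.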
