VMware Horizon Community
bjohn
Hot Shot

two-factor authentication

We have two security servers paired with two internal connection servers.

VDISEC1 paired with VDIBROKER1

VDISEC2 paired with VDIBROKER2

They are both load balanced internally and externally to point to view.mydomain.com. This has worked fine for us so far.

We would like to set up two-factor authentication for external users only. I don't see any way of setting it up without affecting internal users?

Thanks

0 Kudos
7 Replies
JHT_Seattle
Hot Shot

Spin up two more connection servers.  You can tag them ("Internal" and "External") to restrict your pools if necessary, or just have two separate LTMs configured for the service (one internal and one external) with two A records to keep internal users hitting the internal LTM.  That's what worked for us!

0 Kudos
bjohn
Hot Shot

Thanks, I suppose that's the only option I have.

I don't understand why I can't set any authentication options on the security server itself.

0 Kudos
JackMac4
Enthusiast

bjohn wrote:

Thanks, I suppose that's the only option I have.

I don't understand why I can't set any authentication options on the security server itself.

Because a security server isn't a connection server - it's simply a very scaled down DMZ option to get you to a connection server. View is a plugin architecture, meaning there are many modules that make up every component. For the Security Server we simply remove all the modules that aren't necessary, including authentication, because we don't want that exposed on the outside. Many people use their SS's as external facing machines. Depending on your architecture and sizing, you could always have one CS for internal use and one for external use, or possibly three rather than four. But ultimately, yes, you'll need another CS to do this.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
0 Kudos
bjohn
Hot Shot

OK. Thanks for the explanation. We would need 2 more for redundancy.

Any issues with mixing 2008 R2 and 2012 connection servers?

0 Kudos
JackMac4
Enthusiast

bjohn wrote:

OK. Thanks for the explanation. We would need 2 more for redundancy.

Any issues with mixing 2008 R2 and 2012 connection servers?

Yes, that would certainly be the recommendation.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
0 Kudos
bjohn
Hot Shot

Forgot to mention that I'm still on 5.1.3

Anyone out there use Azure for two-factor with VDI?

0 Kudos
markbenson
VMware Employee

Connection Server 5.1.x must be installed on Server 2008 R2. For Server 2012 you need a newer Horizon/View version.

Mark

0 Kudos