VMware Horizon Community
kentaro31
Contributor
Contributor
‎07-18-2019 01:11 AM

Segregating 2FA users, or different configs on Connection servers

Sorry the title is a mouthful.

I'm trying to implement UAG setup, as currently we use VPN and its being decommissioned.  Currently we have 2 groups of users, one group is filtered via IP, and another group enforces MFA. All of this is handled via VPN.  I want to try and have the same setup through UAG.  My problem is I can't verify if you can have different configurations on multiple connection servers within the same pod, meaning connection01 does not have any 2FA, while connection02 is set to enforce.  This would mean I could point separate UAGs, to each connection server.  Is there a better way to do this?   If it matters, I'm looking at using Okta MFA with RADIUS (via this link Configure VMware Horizon View to Interoperate with Okta via RADIUS | Okta

Thanks in advance for any help!

Ken

0 Kudos
2 Replies
cbaptiste
Hot Shot
Hot Shot
‎07-22-2019 07:29 AM

The way to do is to leverage UAGs for the use cases. Personally, I would enforce 2FA for all external users. UAG does support multiple different types of auth including radius. The caveat is you need to decide whether you wish to split your connection brokers between, in your case, internal users and external or keep them the same. Personally I always keep them the same. I have yet to find a use case where I couldn't use the same connection servers for both. However, I believe as best practice, mostly unwritten, VMware would suggest segregating the brokers between internal and external within the same pod. The downside of using the same brokers for both internal and external use means you can no longer enable tunneling on the connection brokers. The gain is less management overhead.

0 Kudos
kentaro31
Contributor
Contributor
‎07-28-2019 09:21 PM

Thanks for the reply, appreciate it!

The 2FA for all external users may come later, but since it involves contractors and contracts, it isn't something I can just enforce immediately.  I agree, 2FA for all external access would be best.  I will move ahead with segregating the brokers and seeing how that works out!

Thanks,

Ken

0 Kudos