VMware Horizon Community
smittycsi2
Contributor

2fa for external view users only

Hi,

The Horizon documentation states that you can have separate connection servers using different authentication methods, but then doesn't explain any further.

I know that if you have a second replica connection server they share the same configuration, so I am guessing you set up a new connection server, not a replica. So I have questions:

Can they share the same pool?

Who is in control of the pool settings?

Has anyone set up this environment who can explain the setup?

Ultimately I would like to use 2FA for external users only and have the internal users log in the way they do now, without 2FA, sharing the same pool.

Thanks.

7 Replies
sjesse
Leadership

You route traffic to the correct connection server or the UAG/security server. That's how we handle it: everything that's not on an internal network gets routed to our external connection server, which has 2FA enabled.

smittycsi2
Contributor

Thanks for the reply

If you have 2 separate connection servers, not a replica, which connection server is responsible for the pool settings, since they have separate ADAM DBs? That's what I want to clear up.

sjesse
Leadership

They are replicas, but under View Configuration > Servers, on the Connection Servers tab, you can edit each connection server.

Then when you edit a pool, under "Desktop Pool Settings" there is a connection server restriction setting option. In here you can pick the tags that you want.

sjesse
Leadership

This would require you to have two separate load balancer VIPs if you want to have redundancy, though. Another option, if you don't need to restrict any pools, is to use the 2FA on the Unified Access Gateway. UAGs, unlike security servers, don't need a direct pairing to a connection server, and have 2FA available directly. I'm not sure about the licensing constraints on that, though; I think you may need Enterprise instead of Advanced or Standard.

smittycsi2
Contributor

Thanks again for your fast answers

I think I am not explaining exactly what I want to do.

I have 1 pool that I access from outside and inside.

Outside goes through a security server to my only connection server.

I want to use 2FA for outside connections only.

On a single pool.

Can I add a new connection server that is for internal only and does not use 2FA, and keep the existing connection server and turn on 2FA for external users?

If they are replicas, can I still change the authentication method for each connection server?

I hope this makes sense hahaha

sjesse
Leadership

Yes, but you need a second security server, and you have to route internal traffic to that security server.

cbaptiste
Hot Shot

Let me see if I can explain this and try to simplify it. I see where you are getting confused.

You have 1 pool where users need access both internally and externally.

You want your LAN users to authenticate using a password.

You want your remote users to use a passcode.

To accomplish this you will need about 2 brokers, 2 security servers/UAGs and 2 load balancers with 2 VIPs:

1 internal load balancer to route LAN users to your connection brokers.

1 external load balancer in your DMZ to route your remote users to your security servers or, preferably, your access points (UAG, which is an abbreviation for Unified Access Gateway), where you will configure 2FA.

If you use Unified Access Gateways, you will put your brokers' VIP FQDN as the server to connect to as part of the configuration, and then you will configure the authentication method you wish to use.

If you use security servers (I would advise against it, but feel free to do as you please, obviously), they will be installed and configured along with your connection servers, using the same database, same everything, as one pod. You will then go to only your security servers and configure them for 2FA, but not your brokers.

So in the end, your brokers will prompt users for a password, but your security servers or your UAGs will require two-factor authentication. You will need a load balancer to direct users to either the brokers or the security servers/UAGs. No matter which route a user takes, they will land on the same pool as long as they are entitled to it.

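The UAG side of the design cbaptiste describes (internal VIP in front of the replica connection servers, RADIUS 2FA enforced only on the external gateway), written out as an added example that is not from this thread or from VMware. It follows the INI layout consumed by the UAG `uagdeploy.ps1` deployment script; every hostname, IP, thumbprint and appliance name is a placeholder, and the key names should be checked against the Unified Access Gateway deployment guide for the version in use.

```ini
; Added example, not from the thread: deployment INI for the EXTERNAL UAG only.
; Placeholders throughout (hostnames, IPs, thumbprint). Key names assume the
; uagdeploy.ps1 INI format; confirm them for your UAG version.

[General]
name=uag-ext-01
deploymentOption=onenic
ip0=203.0.113.10

[Horizon]
; Back end = the INTERNAL load balancer VIP in front of the replica connection
; servers. The connection servers themselves stay password-only; the UAG is
; the only place 2FA is enforced, so LAN users (who hit the VIP directly)
; never see a passcode prompt.
proxyDestinationUrl=https://horizon-int.example.com
; Pin the back-end certificate so the UAG cannot be pointed at a rogue broker.
proxyDestinationUrlThumbprints=sha1=00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
; Require RADIUS (passcode) for every session that enters through this UAG.
authMethods=radius-auth
; External hostnames/ports the Horizon Client uses for the secondary
; protocols; all must resolve to this UAG (or its external VIP).
tunnelExternalUrl=https://horizon-ext.example.com:443
blastExternalUrl=https://horizon-ext.example.com:443
pcoipExternalUrl=203.0.113.10:4172

[RADIUSAuth]
hostName=radius.example.com
authPort=1812
authType=PAP
numAttempts=3
radiusDisplayHint=passcode
; The RADIUS shared secret is supplied at deployment time, not stored here.
```

The check that makes or breaks this design is network reachability, not the UAG config: the "external users get 2FA" guarantee only holds if clients on the Internet cannot reach `horizon-int.example.com` (or the connection servers' own addresses) directly. Restrict the internal VIP and the broker ports to the LAN and the UAG's back-end interface; otherwise anyone who learns the internal FQDN can simply point a Horizon Client at it and skip the passcode. The same applies if you keep security servers instead of UAGs: the 2FA-enabled server must be the only path in from outside.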