VMware Horizon Community
chazellou30510
Enthusiast
Enthusiast
‎07-18-2017 06:29 AM
Jump to solution

Access point 2.8.1 and Horizon View 7.0.3-Denied access directly from Internet I must access from vIDM with twofactor authentification

Hello,

I have 3 vIDM with TwoFactor Authentification (Radius Server) only for External User.

Internal User use directly with Zero Client Teradici (Wyse) my Connexion Servers, it's OK. In internal, we don't use vIDM with two Factor authentification..

I install two Access point on DMZ for reverse proxy vIDM et Horizon. It's function, but if my external user try directly connect from Horizon Client, my users have a prompt for authentification AD, without Two authentifcation,  and after signed on my Connexion Server, we have access at ressource..

I must, only for my user external, we have acces on VDI NOT DIRECTLY, only from Workspace One.

On Access Point, proxyPattern it's solution maybe? or other solution ? Have you idea?

Sorry for my English !!

Thanks,

Labels (1)
Labels
Tags (2)
0 Kudos
1 Solution

Accepted Solutions
markbenson
VMware Employee
VMware Employee
‎07-26-2017 11:29 AM
Jump to solution

In order to support the internal zero clients with just AD password authentication you can use dedicated Connection Servers just for internal users.

You then have other Connection Servers dedicated for external users. These can be configured for optional SAML and for RADIUS authentication.

This will then support external users via vIDM with RADIUS authentication from vIDM. This is with the "external" Connection Servers.

External users just using Horizon client with RADIUS from "external" Connection Servers.

Internal users via "internal" Connection servers with just AD password authentication.

All Connection Servers are part of the same POD. It's just that some are configured for external use and some for internal.

Mark

View solution in original post

0 Kudos
3 Replies
AishR
VMware Employee
VMware Employee
‎07-25-2017 03:09 AM
Jump to solution

Kindly check the below parameters

1.            Need to check if configuration is correct. Reference http://pubs.vmware.com/identity-manager-27/topic/com.vmware.wsp-administrator_27/GUID-E355D9DD-54F4-...

2.            Add radius authentication to default access policy is desired order.

3.            Check if any network ranges have been defined.

0 Kudos
markbenson
VMware Employee
VMware Employee
‎07-26-2017 11:29 AM
Jump to solution

In order to support the internal zero clients with just AD password authentication you can use dedicated Connection Servers just for internal users.

You then have other Connection Servers dedicated for external users. These can be configured for optional SAML and for RADIUS authentication.

This will then support external users via vIDM with RADIUS authentication from vIDM. This is with the "external" Connection Servers.

External users just using Horizon client with RADIUS from "external" Connection Servers.

Internal users via "internal" Connection servers with just AD password authentication.

All Connection Servers are part of the same POD. It's just that some are configured for external use and some for internal.

Mark

0 Kudos
chazellou30510
Enthusiast
Enthusiast
‎07-28-2017 08:02 AM
Jump to solution

Thanks you markbenson,

I add 2 connexion server with SAML portail on "require" for external user. On my Access Point I configure the proxy Horizon with this vIP HLB with this 2 connexion server.

For internal user, I have 2 connexion server with SAML portail on "authorized", my user connect directly with another vIP HLB with this 2 connexions server.

It's good. My user external don't connect directly except if my user connect with vIDM. And for internal user, they connect directly with Zero client

Seb,

0 Kudos