VMware Horizon Community
janasrs
Enthusiast

Connection server - one without 2FA configured, one with.

Assume I have two connection servers with the addresses 192.168.5.11 and 192.168.5.12. DNS has been set up with two A records, one for each of these addresses, both for horizon.testdomain.com.

We have some staff in the office and some accessing Horizon via a site-to-site VPN connection. I want to force 2FA for those on the VPN connection, but not when they are in the office.

My hope was to configure one connection server without 2FA (.11) and the other with 2FA configured at the connection server (.12). Then we'd have two DNS entries: one pointing to the connection server that has 2FA configured, and one for the server without 2FA.

Even though I've changed DNS so horizon.testdomain.com only resolves to 192.168.5.11, I still see sessions that are going through 192.168.5.12.  Because of that, I haven't configured 2FA on .12 yet.

I thought that if the address of a connection server wasn't reflected in the DNS name resolution, users would only be directed to the address that's resolved.

I have not been able to find any issues with stale DNS entries still referencing 192.168.5.12. Will connection servers use any connection server that is available, even if their addresses do not resolve to the DNS name that's been established?

vBritinUSA
Hot Shot

If you had 2 records like so:

horizon.testdomain.com  192.168.5.11
horizon.testdomain.com  192.168.5.12

then DNS is going to do RR (round-robin); you may want to check the DNS server(s) to make sure that the second entry was removed from all DNS servers.

You may be better off doing this with UAGs: have them be the entry point for the VPN users. Have the UAGs have 2FA enabled and enable HA. The benefit then is that you can use both Connection Servers in the VIP internally and create a new VIP for the UAGs.

So it would be:

2fa.testdomain.com   192.168.5.20
uag1.testdomain.com  192.168.5.21
uag2.testdomain.com  192.168.5.22
vip.testdomain.com   192.168.5.10
cs1.testdomain.com   192.168.5.11
cs2.testdomain.com   192.168.5.12

That's the way I would do it.

 

Please mark helpful or correct if my answer resolved your issue.
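The check vBritinUSA suggests, confirming that every DNS server the clients use has actually dropped the 192.168.5.12 record, is easy to get wrong by relying on the local resolver's cache. The script below is an added example for this thread (not code from VMware or from any poster): it sends a raw A query over UDP to each DNS server in turn, parses the answer section itself, and reports which servers still hand out the retired address. The server addresses, the hostname and the retired IP are placeholders to be replaced with your own; the script does no TCP fallback and no DNSSEC validation, and build_a_response only constructs sample input so the parser can be exercised offline.

```python
"""Ask each DNS server directly which A records it still returns for a name.

Added example; not from VMware or from any poster in this thread. Server
addresses, the name and the "retired" IP are placeholders. Queries go over
plain UDP to port 53 (no TCP fallback, no DNSSEC).
"""
import secrets
import socket
import struct
import sys


def build_a_query(name: str, txid: int) -> bytes:
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_answers(msg: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section, in the order the server sent them."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or mixed-up reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                         # skip CNAME/other RDATA untouched
    return addrs


def build_a_response(txid: int, name: str, addrs: list, ttl: int = 300) -> bytes:
    """Construct a minimal reply. Sample input for offline use only, not real DNS data."""
    question = build_a_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in addrs                      # name is a pointer back to the question
    )
    return header + question + rrs


def query_server(server_ip: str, name: str, timeout: float = 2.0) -> list:
    """Send one query over UDP to server_ip:53 and parse the reply."""
    txid = secrets.randbelow(0x10000)        # unpredictable id, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def find_stale_servers(servers, name, retired_ip, lookup=query_server) -> dict:
    """Map each server that still returns retired_ip to the full answer list it gave."""
    stale = {}
    for srv in servers:
        addrs = lookup(srv, name)
        if retired_ip in addrs:
            stale[srv] = addrs
    return stale


if __name__ == "__main__":
    # usage: python dnscheck.py horizon.testdomain.com 192.168.5.12 10.0.0.1 10.0.0.2
    if len(sys.argv) < 4:
        sys.exit("usage: %s <name> <retired-ip> <dns-server> [<dns-server> ...]" % sys.argv[0])
    name, retired = sys.argv[1], sys.argv[2]
    for srv, addrs in find_stale_servers(sys.argv[3:], name, retired).items():
        print("%s still returns %s (answers: %s)" % (srv, retired, ", ".join(addrs)))
```

Point it at each DNS server the Horizon clients actually use, not just the first one in resolv.conf; a secondary zone that has not transferred yet, or a server still holding a cached record within its TTL, will keep returning .12 even after the primary was cleaned up, which matches the symptom in the original post.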
8islas
Enthusiast

Hi @janasrs,

Check your configuration here; each server should have its own respective IP/FQDN name, 192.168.5.11 and 192.168.5.12.

If you have configured "horizon.testdomain.com" here, that is the problem (you force RR via DNS).

[attached screenshot: 8islas_1-1653401102538.png]

 

Regards

If this is helpful please mark as the solution.

8islas
Enthusiast

Hello again, I forgot to mention something interesting.

It's recommended to have this unchecked:

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

The content of this blog and the work are amazing. Check this:
https://www.carlstalhood.com/vmware-horizon-8-configuration/#tunnel

VMware Notes:
The protocol session can also be configured to be tunneled via the Connection Server, although this is not generally recommended as it makes the ongoing session dependent on the Connection Server.
https://techzone.vmware.com/resource/horizon-architecture#architectural-overview

Regards

If this is helpful please mark as the solution.
