Hello guys,
I have a "little" question about integration with MFA. What is the best solution in your opinion? Some customers access Horizon from the internal network via the Horizon Connection Server FQDN and from the external network via the UAG; others use the UAG for all (internal and external) networks.
I read that it is very simple to configure MFA integration with UAG (for example with Azure MFA: https://thevirtualhorizon.com/2019/12/14/integrating-microsoft-azure-mfa-with-vmware-unified-access-... ) and a little more complex to integrate it with Horizon (NPS server etc.).
Thank You
Fabio
No one has ever implemented Azure MFA with Horizon/UAG. What is your choice?
I have not found official VMware documentation.
It depends on what you want to achieve/what your customer/company wants.
Most deployments I do use separate entries for internal and external users, and the customer wants to use MFA when users are connecting externally.
In this scenario you have two options for MFA:
Option 1 requires an NPS server which is connected to Azure via the NPS Extension. On the UAG you use the RADIUS settings to connect to the NPS server. If everything is configured properly, users will fill in their username and password, answer the security prompt on their phones and will successfully be logged in.
Option 2 is a direct connection to Azure, which uses a different Identity Provider compared to VMware Horizon (Active Directory). This in turn gives you all the bells and whistles Azure authentication offers, but it will require a user to enter their credentials again when logging into the desktop (so no SSO).
To get SSO working you'll need to implement TrueSSO.
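Option 1 above is the RADIUS leg between the UAG (RADIUS client) and NPS (RADIUS server, with the Azure MFA NPS extension deciding after the push). The following is an added example, not code from this thread or from VMware or Microsoft: a small Python model of that RFC 2865 exchange using PAP (the authentication type this integration is normally configured with; that choice, the hostname, user, password and shared secret values are all constructed assumptions), with the Azure push represented by a stand-in callback. It shows two things worth checking in a real deployment: the User-Password attribute (the field the UAG labels "passcode") is hidden only by an MD5 keystream derived from the shared secret and the per-request authenticator, so the secret must be long and random and the UAG-to-NPS path should not be reachable by untrusted hosts; and the client must verify the Response Authenticator before trusting an Access-Accept, otherwise anything that can answer on the RADIUS port could log users in.

```python
"""Toy model of the RADIUS (RFC 2865) Access-Request / Accept / Reject
exchange between a RADIUS client such as a UAG and a RADIUS server such
as NPS, using PAP. Constructed example: the NAS identifier, user,
password and shared secret below are made up, and nps_like_server is a
stand-in, not NPS or the Azure MFA NPS extension."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR the first block with
    MD5(secret + Request Authenticator) and each later block with
    MD5(secret + previous ciphertext block). Obfuscation keyed by the shared
    secret, not strong encryption; a weak secret exposes every password."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, nas_id=b"uag-01"):
    request_auth = secrets.token_bytes(16)  # must be unpredictable per request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _md5(header, request[4:20], attrs, secret) + attrs


def verify_response(response, request, secret) -> bool:
    """What the client (UAG) must do before acting on an Access-Accept."""
    if response[1] != request[1]:  # identifier must match the outstanding request
        return False
    expected = _md5(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def nps_like_server(request, secret, directory, mfa_approved):
    """Toy NPS: PAP-check the revealed password against the directory, then
    ask the MFA decision callback (stand-in for the Azure MFA push)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    if directory.get(user) != password or not mfa_approved(user):
        return build_response(ACCESS_REJECT, request, secret)
    return build_response(ACCESS_ACCEPT, request, secret)


def run_exchange(username, password, secret, server_secret=None, approve=True):
    """Returns (response code, whether the client could verify the response)."""
    directory = {b"fabio@example.com": b"Correct-Horse-42"}  # constructed user store
    req = build_access_request(7, username, password, secret)
    resp = nps_like_server(req, server_secret or secret, directory, lambda u: approve)
    return resp[0], verify_response(resp, req, secret)


if __name__ == "__main__":
    print(run_exchange(b"fabio@example.com", b"Correct-Horse-42", b"s3cret"))
    print(run_exchange(b"fabio@example.com", b"Correct-Horse-42", b"s3cret", server_secret=b"other"))
```

The last call in the main block is the mismatched-secret case: the server cannot recover the password, rejects, and the client cannot even verify that Reject, which is what a "wrong shared secret" misconfiguration looks like from the UAG side.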
Jesper,
I'm implementing Option #1. Currently the UAG asks for a Passcode, which you're not required to enter. After you hit the login prompt it gives you the Allow notification in the Authenticator app. You hit Allow, then the Horizon client prompts you for your AD credentials.
From what you said there's a way to configure it without the "Passcode" prompt?
If you set it up correctly, it should go as follows:
The field labeled "passcode" is confusing for end users; that's why since UAG 3.8 you can edit those labels:
https://docs.vmware.com/en/Unified-Access-Gateway/3.9/com.vmware.uag-39-deploy-config.doc/GUID-1B866...
Ciao
In the end, I implemented the integration of Azure MFA with UAG and activated TrueSSO on Horizon to allow user access by entering only the MFA credentials, because:
- Azure MFA with UAG without TrueSSO on Horizon: double authentication is required:
  Authentication on Azure MFA
  Authentication on Horizon
- Azure MFA with UAG and TrueSSO on Horizon: only one authentication:
  Authentication on Azure MFA
More info can be found in this link where I have entered all the steps:
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-1/
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-2/
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-3/
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-4/
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-5/
Yeah, the "passcode" is now the password, which is what I was missing. Thanks.
Hi Fabio,
Funnily enough, I set up MFA through the UAG the other day and was cursing the fact that it asked for credentials twice, so this is a big help. Will put this together with the help of your guide, many thanks!
One query: the configuration of this will have no impact on non-UAG users who connect directly to the load balancers and then to the internal connection servers from the internal LAN? I don't want to accidentally turn on MFA for our internal users...
Cheers
It depends on how you configured your Connection Server(s). But as long as you don't enforce SAML authentication on those, they won't enforce MFA.
Ciao
Users who connect directly to the connection servers (no UAG) will see no change in their user experience if you set the "Delegation of authentication to VMware Horizon" value to Allowed. If you set this value to Required, users who connect directly to the connection servers will not be able to access.
Excellent, thanks for that 🙂