VMware Horizon Community
fabio1975
Commander
Commander

Horizon MFA vs UAG MFA

Hello guys,

I have a "little" question over integration with MFA.  What is for you the best solution? Some customer access to horizon from internal network with Horizon Connection Server FQN and form external network use the UAG, other use UAG for all (internal and external) network.

I read that it is very simple configure MFA intergration with UAG (For example with Azure MFA https://thevirtualhorizon.com/2019/12/14/integrating-microsoft-azure-mfa-with-vmware-unified-access-... and a little bit complex the integration with Horizon (NPS server etc...) 
Thank You 

Fabio 

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

Reply
0 Kudos
11 Replies
fabio1975
Commander
Commander

No one has ever implemented Azure MFA with Horizon/UAG. What is your choice?

I have not found official VMware documentation.

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

Reply
0 Kudos
JesperA89
Enthusiast
Enthusiast

It depends on what you want to achieve/what your customer/company wants.
Most deployments I do are using separate entries for internal and external user, and the customer wants to use MFA when users are connecting externally.

In this scenario you have two options for MFA:

  1. Use the Microsoft Authenticator App only
  2. Use all MFA authentication methods (Phone call, text message, app)

Option 1 requires a NPS server which will be connected to Azure via the NPS Extension. On the UAG you use the Radius settings to connect to the NPS server. If everything is configured properly users will fill in their username and password, answer the security prompt on their phones and will successfully be logged in.

Option 2 is a direct connection to Azure which users a different Identity Provider compared to VMware Horizon (Active Directory). This in turn gives you all the bells and whistles Azure authentication offers you, but it will require an user to enter their credentials again when logging into the desktop (so no SSO).
To get SSO working you'll need to implement TrueSSO.

rklein
Contributor
Contributor

Jesper,

I'm implementing Option #1.  Currently the UAG asks for a Passcode which you're not required to enter.  After you hit the login prompt it gives you the allow notification on the Authenticator App.  You hit Allow then the horizon client  prompts you with your AD credentials.

From what you said there's a way to configure it without the "Passcode" prompt?

Reply
0 Kudos
JesperA89
Enthusiast
Enthusiast

If you set it up correctly, it should go as follows:

  1. User tries to log in externally against Horizon
  2. UAG gives you the username and passcode prompt, in the passcode field the user enters his/her password
  3. User gets a prompt on their mobile device, they tap allow.
  4. User gets logged into Horizon and their desktop

The field labeled passcode is confusing for end users, that's why since UAG 3.8 you can edit those labels:
https://docs.vmware.com/en/Unified-Access-Gateway/3.9/com.vmware.uag-39-deploy-config.doc/GUID-1B866...

fabio1975
Commander
Commander

Ciao
in the end, I implemented the integration of Azure MFA with UAG and activated TrueSSO on the Horizon to allow user access with only the insertion of the credentials for the MFA because:
- Azure MFA with UAG without TrueSSO on Horizon double authentication is required:
Authentication on Azure MFA
Authentication on Horizon
- Azure MFA with UAG and TrueSSO on Horizon only one authentication:
Authentication on Azure MFA

More info can be found in this link where I have entered all the steps:

https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-1/

https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-2/

https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-3/

https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-4/

https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-5/

 

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

rklein
Contributor
Contributor

Yeah the "passcode" was now the password which is what I was missing.  thanks.

hellraiser
Enthusiast
Enthusiast

Hi Fabio,

 

Funnily enough I set up MFA thru the UAG the other day and was cursing the fact it asked for credentials twice, so this is a big help. Will put this together with the help of your guide, many thanks!

 

JD
Reply
0 Kudos
hellraiser
Enthusiast
Enthusiast

One query - the configuration of this will have no impact on non-UAG users who are connecting directly to the load balancers and then to the internal connection servers from the internal LAN?  Don't want to accidentally turn on MFA for our internal users...

 

Cheers

JD
Tags (1)
Reply
0 Kudos
JesperA89
Enthusiast
Enthusiast

It depends on how you configured your Connection Server(s). But as long as you don't enforce SAML authentication on those, they won't enforce MFA.

Reply
0 Kudos
fabio1975
Commander
Commander

Ciao 

Users who connect using direct access to connection servers (no-UAG) do not change their user experience if you set the "Delegation of authentication to VMware Horizon" value to Allowed. By setting this value to Required, users who connect directly to the connection servers will not be able to access.

 

fabio1975_0-1618392180425.png

 

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

hellraiser
Enthusiast
Enthusiast

Excellent, thanks for that 🙂

JD
Reply
0 Kudos