Good Morning vmware magicians,
I have what is probably a newb question and I think I know the answer, in which case, this becomes a solicitation for ideas. So here it is!
Can we enable 2 factor authentication at the pool level instead of at the UAG? The use case for this is to only enforce 2 factor where it is necessary because, you guessed it, licensing costs money and we have a bunch of people who don't need it at the pool level because it is implemented on all of the applications themselves that they access.
My understanding is that 2FA on VDI is kind of an all-or-nothing thing that you apply to the UAG and/or connection servers. In that case, does anyone have any experience implementing 2FA in this way using the desktop image itself, perhaps? Or using some special voodoo that I'm not aware of?
Thank you very much for any thoughts or ideas!
Dave
You have a number of options here. MFA/2-factor authentication can be enforced natively on the UAG or connection servers. There are also third-party alternatives.
Good morning to you as well,
You mention in your question that some users don't care about 2FA. Are you asking about internal 'and' external access? I'm betting not, as you're referencing the UAGs, and typically they are external access devices.
If it's going to be a mix of external pools where some don't need 2FA, then indeed that will be tricky. However, if you need 2FA externally but no 2FA internally, you could create multiple VIPs that point to external and internal Connection Servers and just use the 2FA from the external one.
Hope that helps.
Well, our plan was to force all traffic, internal and external, through the UAG so that all users' sessions were treated the same, but you bring up an interesting situation I hadn't considered. How well do we isolate the internal connection servers? If only certain users should be able to access the connection servers for internal resolution, then we could handle that at the firewall where we segment that traffic.
Or possibly perform 2 factor on the F5 VIP instead. We would have to maintain different VIPs but it gives me some options to run through on the whiteboard. Thank you!
That is an outstanding reply. I just went through some options with a coworker and had nearly settled on an option, but you have me interested in validating the MFA capabilities. If two-factor isn't required, it should be able to authenticate a user without prompting for a token. The question for them, I would think, is: do those users still have to be licensed, or is the license tied to a token?
Awesome! Thank you!
In our case we only had to license users that are MFA enabled. The bypass users did not need to be licensed.