VMware Horizon Community
djwilliams979
Contributor
Contributor
Jump to solution

Is 2 Factor at the Pool Level Possible in VDI?

Good Morning vmware magicians,

I have what is probably a newb question and I think I know the answer, in which case, this becomes a solicitation for ideas.  So here it is!

Can we enable 2 factor authentication at the pool level instead of at the UAG?  The use case for this is to only enforce 2 factor where it is necessary because, you guessed it, licensing costs money and we have a bunch of people who don't need it at the pool level because it is implemented on all of the applications themselves that they access.

My understanding is that 2fa on VDI is kind of an all or nothing thing that you apply to the UAG and or connection servers.  In that case, does anyone have any experience implementing 2fa in this way using the desktop image itself perhaps?  Or using some special voodoo that I'm not aware of?

Thank you very much for any thoughts or ideas! 

Dave

Tags (3)
1 Solution

Accepted Solutions
BenFB
Virtuoso
Virtuoso
Jump to solution

You have a number of options here. MFA/2-factor authentication can be enforced natively on the UAG or connection servers. There are also third-party alternatives.

  • MFA on all connection server(s) or UAG (Typically to enforce it for all remote access. MFA should be a requirement for external access and many regulations that apply to businesses require it).
    • Most MFA solutions allow you to define policies by user/group. This could allow MFA to be enforced for some AD groups/entitlements while others are bypassed.
  • If you aren't able to define policies you could configure MFA on a separate load balanced VIP and connection server(s). You can then tag the connections servers and pools so they are only accessible from that specific VIP. This will ensure users that need access to certain pools must perform MFA but on a shared endpoint users will have to know which VIP to pick.
  • There are alternatives like F5 APM which replace the UAG and allow for a more selective enforcement of policies.

View solution in original post

5 Replies
vJoeG
Hot Shot
Hot Shot
Jump to solution

Good morning to you as well,

You mention in your question that some users don't care about 2fa. Are you asking about intern 'and' external access? I'm betting not as you're referencing the UAG's and typically they are external access devices.

If it's going to be a mix of pools external and some don't need 2fa then indeed that will be tricky. However, if you need 2fa external but no 2fa internal you could create multiple VIP's that point to external and internal Connection servers and just use the 2fa from the external.

Hope that helps.

------------------
Joe Graziano
Senior Solution Engineer - EUC Federal
VCP7-DTM, VCP6-DM, VCP6-DCV
vExpert, vExpertPro
jgraziano@vmware.com
djwilliams979
Contributor
Contributor
Jump to solution

Well our plan was to force all traffic, internal and external through the UAG so that all users sessions were treated the same but you bring up an interesting situation I hadn't considered.  How well do we isolate the internal connection servers?  If only certain users should be able to access the connection servers for internal resolution than we could hand that at the firewall where we segment that traffic. 

Or possibly perform 2 factor on the F5 VIP instead.  We would have to maintain different VIPs but it gives me some options to run through on the whiteboard.  Thank you!

Reply
0 Kudos
BenFB
Virtuoso
Virtuoso
Jump to solution

You have a number of options here. MFA/2-factor authentication can be enforced natively on the UAG or connection servers. There are also third-party alternatives.

  • MFA on all connection server(s) or UAG (Typically to enforce it for all remote access. MFA should be a requirement for external access and many regulations that apply to businesses require it).
    • Most MFA solutions allow you to define policies by user/group. This could allow MFA to be enforced for some AD groups/entitlements while others are bypassed.
  • If you aren't able to define policies you could configure MFA on a separate load balanced VIP and connection server(s). You can then tag the connections servers and pools so they are only accessible from that specific VIP. This will ensure users that need access to certain pools must perform MFA but on a shared endpoint users will have to know which VIP to pick.
  • There are alternatives like F5 APM which replace the UAG and allow for a more selective enforcement of policies.
djwilliams979
Contributor
Contributor
Jump to solution

That is an outstanding reply.  I just went through some options with a coworker and had nearly settled on an option but you have me interested in validating the MFA capabilities.  If two factor isn't required, it should be able to authenticate a user without prompting for a token.  The question for them I would think is do those users still have to be licensed or is the license tied to a token?

Awesome!  Thank you!

Reply
0 Kudos
BenFB
Virtuoso
Virtuoso
Jump to solution

In our case we only had to license users that are MFA enabled. The bypass users did not need to be licensed.

Reply
0 Kudos