Contributor

Traffic flow with UAG and Radius

Hi,

I'm planning to set up a new architecture for VMware Horizon 7 VDI with UAG in the DMZ and a RADIUS-based 2FA solution. I would like to know more about authentication in UAG with RADIUS instead of on the Connection Servers.

My understanding now is that the Connection Servers will not be part of the authentication process; only the UAG will communicate with the RADIUS server, which will accept or deny the request (by asking AD itself). So in this case the Connection Server will not communicate with AD anymore and will only receive requests from the UAG once the user has been authenticated, right?

I believe this diagram summarizes the communication flow:

[Attached diagram: screenshot.59.png]

5 Replies
VMware Employee

You are correct: UAG can perform authN before any traffic is forwarded to the Connection Server. But once authorised, the Connection Server still needs the Windows user.

Often you configure UAG to use: authMethods=securid-auth && sp-auth

More info: Configure Horizon Settings

Contributor

Thanks for your reply.

You said that once a user is authenticated by the UAG/RADIUS process, the request is then sent to the Connection Server for resource enumeration.

Does the UAG send the user's credentials or a "token" in the XML-based protocol to the Connection Server, or will the Connection Server re-check with AD itself?

VMware Employee

The user must log in using username and PW after RADIUS. Or use certificates.

Commander (accepted solution)

RADIUS is completed on the UAG. Once successful, the AD credentials are forwarded from the UAG to the Connection Server, which authenticates the user against AD. If successful, and if enabled, the credentials are then passed to the virtual desktop to log the user in.

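The two hops the accepted solution describes, as an added example (not code from this thread, from VMware or from any UAG component): the UAG-side client first completes a RADIUS Access-Request/Access-Accept exchange with the 2FA server, and only on a verified Access-Accept forwards the AD username and password to the Connection Server, which does its own AD check. RADIUS framing, User-Password hiding and the Response Authenticator follow RFC 2865. The shared secret, the passcode table, the AD account table and both server stand-ins are constructed for the example; a real 2FA server validates the passcode itself and a real Connection Server talks to AD.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (assumptions for this example, not from the thread):
SECRET = b"constructed-shared-secret"     # RADIUS shared secret UAG <-> 2FA server
OTP_SERVER_USERS = {"alice": "482913"}     # user -> passcode the 2FA server accepts right now
AD_USERS = {"alice": "CorrectADpassw0rd"}  # user -> AD password the Connection Server checks


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2 User-Password: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; strips the zero padding (so a password cannot end in NUL)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) | Length(1, includes header) | Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, ident, length, req_auth, attr_bytes, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def build_access_request(username, passcode, secret, ident):
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return packet, req_auth


def radius_server(packet, secret=SECRET, users=OTP_SERVER_USERS):
    """Constructed stand-in for the 2FA RADIUS server: recovers the passcode and answers
    Access-Accept or Access-Reject with a correct Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    resp_code = ACCESS_ACCEPT if code == ACCESS_REQUEST and users.get(user) == passcode else ACCESS_REJECT
    resp_auth = response_authenticator(resp_code, ident, 20, req_auth, b"", secret)
    return struct.pack("!BBH", resp_code, ident, 20) + resp_auth


def spoofed_radius_server(packet):
    """Attacker on the RADIUS path who does not know the shared secret: replies Access-Accept
    with the right ID but cannot produce a valid Response Authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20) + b"\x00" * 16


def connection_server(username, ad_password, users=AD_USERS):
    """Constructed stand-in for the Connection Server's AD check (second hop in the answer)."""
    ok = users.get(username) == ad_password
    return {"stage": "connection_server", "result": "authenticated" if ok else "denied"}


def uag_login(username, passcode, ad_password, radius=radius_server, cs=connection_server,
              secret=SECRET, ident=7):
    """Order from the accepted answer: RADIUS on the UAG first; AD credentials are forwarded to
    the Connection Server only after a verified Access-Accept."""
    request, req_auth = build_access_request(username, passcode, secret, ident)
    resp = radius(request)
    code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, resp_ident, length, req_auth, resp[20:length], secret)
    # The Response Authenticator (keyed with the secret and bound to our random request
    # authenticator) and the matching ID are what make a spoofed or replayed Accept fail here.
    if resp_ident != ident or not hmac.compare_digest(resp[4:20], expected) or code != ACCESS_ACCEPT:
        return {"stage": "radius", "result": "denied"}
    return cs(username, ad_password)
```

Running `uag_login("alice", "482913", "CorrectADpassw0rd")` reaches the Connection Server stage; a wrong passcode, or an Access-Accept forged without the secret, is refused before any AD credential leaves the UAG, and a good passcode with a wrong AD password is refused by the Connection Server stand-in. Two practical caveats: User-Password hiding is MD5-based obfuscation rather than authenticated encryption, so the UAG-to-RADIUS leg belongs on a restricted segment (or RadSec) rather than an open network; and in the UAG Horizon settings the RADIUS method is named `radius-auth` (`authMethods=radius-auth && sp-auth`), while `securid-auth` is the separate RSA SecurID Authentication Manager integration.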
Contributor

OK, thank you.

That is what I wanted to know.