Hi,
I'm planning on setting up a new architecture for VMware Horizon 7 VDI with UAG in DMZ and 2FA solution RADIUS-based. I would like to know more about the authentication in UAG instead of Connection Servers and RADIUS.
My understanding now is that the connection servers will not be part of the authentication process; only the UAG will communicate with the RADIUS server, which will accept or deny the request (by asking the AD itself). So in this case, the Connection Server will not communicate with the AD anymore and will only receive requests from the UAG once the user has been authenticated, right?
I believe this diagram could summarize the communication flow:
RADIUS is completed on the UAG. Once successful the AD credentials are forwarded from the UAG to the connection server which authenticates the user against AD. If successful and enabled the credentials are then passed to the virtual desktop to log the user in.
You are correct, UAG can perform authN before any kind of traffic is forwarded to the Connection Server. But once authorised the Connection Server still needs the Windows user.
Often you configure UAG to use: authMethods=securid-auth && sp-auth
More info: Configure Horizon Settings
Thanks for your reply.
You said that once a user is authenticated through the UAG/RADIUS process, the request is then sent to the Connection Server for resource enumeration.
Does the UAG send the user's credential or "token" in the XML-based protocol to the Connection Server, or does the Connection Server re-check with AD itself?
User must login using username and PW after RADIUS. Or use certificates.
OK thank you,
This is what I would like to know.