VMware Horizon Community
thomasduval
Contributor

Traffic flow with UAG and Radius

Hi,

I'm planning on setting up a new architecture for VMware Horizon 7 VDI with UAG in the DMZ and a RADIUS-based 2FA solution. I would like to know more about authentication on the UAG instead of the Connection Servers, and about RADIUS.

My understanding is that the Connection Servers will no longer be part of the authentication process; only the UAG will communicate with the RADIUS server, which will accept or deny the request (by asking the AD itself). So in this case, the Connection Server will not communicate with the AD anymore and will only receive requests from the UAG once the user has been authenticated, right?

I believe this diagram could summarize the communication flow:

screenshot.59.png


Accepted Solutions
BenFB
Virtuoso

RADIUS is completed on the UAG. Once successful the AD credentials are forwarded from the UAG to the connection server which authenticates the user against AD. If successful and enabled the credentials are then passed to the virtual desktop to log the user in.

5 Replies
pbjork
VMware Employee

You are correct, UAG can perform authN before any kind of traffic is forwarded to the Connection Server. But once authorised the Connection Server still needs the Windows user.

Often you configure UAG to use: authMethods=securid-auth && sp-auth

More info: Configure Horizon Settings

thomasduval
Contributor

Thanks for your reply.

You said that once a user is authenticated by the UAG/RADIUS process, the request is then sent to the Connection Server for resource enumeration.

Does the UAG send the user's credentials or a "token" in the XML-based protocol to the Connection Server, or will the Connection Server re-check with AD itself?

pbjork
VMware Employee

The user must log in using username and PW after RADIUS. Or use certificates.

thomasduval
Contributor

OK thank you,

This is what I would like to know.
