RealQuiet
Enthusiast

UAG or Horizon Connection Server with SecurID, which to use?


I have a single Connection Server (Horizon 7.10.2) that internal users use tunneled access to reach their VDIs. The configuration is simple right now but needs to be changed to allow additional users from a different network segment to enter the environment. This will require two-factor authentication, RSA SecurID, to be integrated for those new users.

If I attach a UAG to my Connection Server, can I have two resolvable addresses? One for users that need to two factor (to the UAG) in and one for users that do not need to (straight to the Connection Server)?

Or do I need to bring in another Connection Server, perhaps as a replica? I have never had to stand one up, I am not sure of the limitations.

I just wanted to bounce this off the community before I get too deep into planning.

0 Kudos
1 Solution

Accepted Solutions
sjesse
Leadership

Yes, if you want to use a UAG, you either need to disable those or install a replica connection server, disable them on it, and point the UAG to the replica.


7 Replies
sjesse
Leadership

You can. The recommended method in the reference architecture says use split DNS, but they can be used separately. There is one exception: if you have the secure gateways enabled on the connection server, you can't enable them on the UAG, because only one or the other can use them.

0 Kudos
RealQuiet
Enthusiast

By secure gateways you mean the options for PCoIP Secure Gateway and Blast Secure Gateway?

I have both enabled so that users' sessions are tunneled, brokered and maintained through the Connection Server.

0 Kudos
sjesse
Leadership

Yes, if you want to use a UAG, you either need to disable those or install a replica connection server, disable them on it, and point the UAG to the replica.

RealQuiet
Enthusiast

Awesome, that is making sense now. Is there another configuration with two UAGs in front of the Connection Server?

UAG 1: NO RSA

UAG 2: RSA

This way I can turn off the Secure Gateway on the Horizon Connection server and the UAGs then manage the tunneling.

0 Kudos
surajr04
VMware Employee

Yes, you can deploy 2 UAGs in front of the Connection Servers, with one RSA-enabled and the other without two-factor.

However, you need to have 2 different public URLs (one for the 2FA UAG and one for the UAG without 2FA).

RealQuiet
Enthusiast

Thank you for the response. I will be going with the UAG to replica route for the time being. Too many impacts with taking down the current access and standing up the new, at least with the lack of lead time that I have. I appreciate your input on this.

0 Kudos
sjesse
Leadership

Like was mentioned before, yes: the UAG is basically a proxy for the connection server that can handle the user connection instead of the connection server. There isn't a 1-1 relationship like there is with the older security servers. What I currently do is use one address, but we use source-based routing on the load balancer to route different networks to different UAGs. The external UAG has RADIUS enabled and is only used by external networks; anything that we labeled as internal comes to the internal UAGs. We have them pointed at different connection servers and use connection server tags to prevent some desktops from being available on the external UAGs as well.

0 Kudos
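The source-based routing split described in the last reply, modelled as an added example (not code from any poster, and not tied to a particular load balancer): it picks a UAG pool by longest-prefix match, sends anything unmatched or unparsable to the RADIUS-enabled pool, and flags "internal" entries that would let non-private sources skip 2FA. The CIDRs, pool names and the forced-2FA carve-out are constructed assumptions.

```python
import ipaddress

# Constructed sample policy: CIDRs and pool names are assumptions, not from the thread.
INTERNAL_NETS = ["10.20.0.0/16", "192.168.50.0/24"]
FORCE_2FA_NETS = ["10.20.99.0/24"]   # hypothetical carve-out inside an internal range

POOL_INTERNAL = "uag-internal"       # UAGs without RADIUS
POOL_EXTERNAL = "uag-external-2fa"   # UAGs with RADIUS / RSA SecurID enabled

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_table(internal, force_2fa):
    """Return (network, pool) pairs, most specific prefix first."""
    table = [(ipaddress.ip_network(n), POOL_INTERNAL) for n in internal]
    table += [(ipaddress.ip_network(n), POOL_EXTERNAL) for n in force_2fa]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def select_pool(source_ip, table):
    """Longest-prefix match; anything unknown fails closed to the 2FA pool."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return POOL_EXTERNAL
    for net, pool in table:
        if addr.version == net.version and addr in net:
            return pool
    return POOL_EXTERNAL


def risky_internal_entries(table):
    """Internal (no-2FA) entries that are not contained in an RFC 1918 range."""
    return [str(net) for net, pool in table
            if pool == POOL_INTERNAL
            and not any(net.version == r.version and net.subnet_of(r)
                        for r in RFC1918)]


TABLE = build_table(INTERNAL_NETS, FORCE_2FA_NETS)

if __name__ == "__main__":
    for ip in ("10.20.5.7", "10.20.99.14", "203.0.113.9", "not-an-ip"):
        print(ip, "->", select_pool(ip, TABLE))
    print("risky:", risky_internal_entries(TABLE))
```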