I have a single Connection Server (Horizon 7.10.2) through which internal users use tunneled access to reach their VDIs. The configuration is simple right now but needs to be changed to allow additional users from a different network segment to enter the environment. This will require two-factor authentication, RSA SecurID, to be integrated for those new users.
If I attach a UAG to my Connection Server, can I have two resolvable addresses? One for users that need to two-factor in (to the UAG) and one for users that do not need to (straight to the Connection Server)?
Or do I need to bring in another Connection Server, perhaps as a replica? I have never had to stand one up, I am not sure of the limitations.
I just wanted to bounce this off the community before I get too deep into planning.
You can. The recommended method in the reference architecture says to use split DNS, but they can be used separately. There is one exception: if you have the secure gateways enabled on the Connection Server, you can't enable them on the UAG, because only one or the other can use them.
By secure gateways you mean the options for PCoIP Secure Gateway and Blast Secure Gateway?
I have both enabled so that users' sessions are tunneled, brokered and maintained through the Connection Server.
Awesome, that is making sense now. Is there another configuration with two UAGs in front of the Connection Server?
UAG 1: NO RSA
UAG 2: RSA
This way I can turn off the Secure Gateway on the Horizon Connection server and the UAGs then manage the tunneling.
Yes, you can deploy two UAGs in front of the Connection Servers, with one RSA-enabled and the other without two-factor.
However, you need to have two different public URLs (one for the 2FA UAG and one for the non-2FA UAG).
Thank you for the response. I will be going with the UAG to replica route for the time being. Too many impacts with taking down the current access and standing up the new, at least with the lack of lead time that I have. I appreciate your input on this.
As was mentioned before, yes, the UAG is basically a proxy for the Connection Server that can handle the user connection instead of the Connection Server. There isn't a 1-to-1 relationship like there is with the older Security Servers. What I currently do is use one address, but we use source-based routing on the load balancer to route different networks to different UAGs. The external UAG has RADIUS enabled and is only used by external networks; anything that we labeled as internal comes to the internal UAGs. We have them pointed at different Connection Servers and use Connection Server tags to prevent some desktops from being available on the external UAGs as well.
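To make the last reply's design concrete, here is a small model of it as an added example (it is not code from the thread or from VMware): a load balancer picks the UAG by client source network (most specific match wins, unmatched sources fall through to the 2FA path), each UAG fronts its own Connection Server, and the Horizon tag rule decides which pools that Connection Server offers. The hostnames, CIDRs, tags and pool names are constructed for illustration; the tag rule modeled is the documented one, where a pool with no tag restriction is offered by every Connection Server and a restricted pool only by a Connection Server carrying one of its tags.

```python
"""Model of the one-address, source-routed Horizon access design from the thread.

Added example, not code from the original post or from VMware. Every name,
address range and tag below is a constructed assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset          # tags assigned to this Connection Server in Horizon Admin


@dataclass(frozen=True)
class Uag:
    name: str
    auth: str                # "password" or "radius" (RSA SecurID fronted by RADIUS on the UAG)
    connection_server: ConnectionServer


@dataclass(frozen=True)
class Pool:
    name: str
    restricted_to_tags: frozenset   # empty = no restriction, offered by every Connection Server


# --- constructed sample environment (assumed, not from the thread) ----------
CS_INTERNAL = ConnectionServer("cs-int-01", frozenset({"internal"}))
CS_EXTERNAL = ConnectionServer("cs-ext-01", frozenset({"external"}))

UAG_INTERNAL = Uag("uag-int-01", "password", CS_INTERNAL)
UAG_EXTERNAL = Uag("uag-ext-01", "radius", CS_EXTERNAL)

# Load-balancer source-based routing table. The /16 carved out of 10/8 shows why
# the lookup must be longest-prefix, not first-match.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), UAG_INTERNAL),
    (ipaddress.ip_network("10.99.0.0/16"), UAG_EXTERNAL),     # new segment that needs 2FA
    (ipaddress.ip_network("192.168.50.0/24"), UAG_INTERNAL),
]
# Anything not matched is treated as external, so the design fails closed to 2FA.
DEFAULT_UAG = UAG_EXTERNAL

POOLS = [
    Pool("general-desktop", frozenset()),                   # visible through both paths
    Pool("finance-desktop", frozenset({"internal"})),      # only via the internal Connection Server
    Pool("contractor-desktop", frozenset({"external"})),   # only via the external Connection Server
]


def select_uag(client_ip: str, routes=ROUTES, default=DEFAULT_UAG) -> Uag:
    """Longest-prefix match of the client source address against the routing table."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, uag in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, uag)
    return best[1] if best else default


def pools_offered(cs: ConnectionServer, pools=POOLS) -> list:
    """Horizon tag rule: unrestricted pools everywhere, restricted pools only
    on a Connection Server that carries at least one of the pool's tags."""
    return [p.name for p in pools
            if not p.restricted_to_tags or p.restricted_to_tags & cs.tags]


def broker(client_ip: str) -> dict:
    """What a client from client_ip gets: which UAG, whether a second factor is
    demanded, which Connection Server brokers it, and which pools it can see."""
    uag = select_uag(client_ip)
    return {
        "uag": uag.name,
        "second_factor_required": uag.auth == "radius",
        "connection_server": uag.connection_server.name,
        "pools": pools_offered(uag.connection_server),
    }


def fails_closed(routes=ROUTES, default=DEFAULT_UAG) -> bool:
    """Design check: every path that is not explicitly internal must require 2FA,
    and a password-only UAG must never front a Connection Server that offers
    pools tagged for the external path."""
    if default.auth != "radius":
        return False
    for _, uag in routes:
        if uag.auth != "radius" and "external" in uag.connection_server.tags:
            return False
    return True


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.99.4.5", "192.168.50.10", "203.0.113.7"):
        print(ip, broker(ip))
    print("fails closed:", fails_closed())
```

The `fails_closed` check is the part worth keeping around when the routing table grows: the two-URL variant from the earlier reply has the same property only if DNS and firewall rules keep the non-2FA name unreachable from the new segment, which is a control outside the UAG itself.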