With Unified Access Gateway 3.4, VMware Horizon Standard Edition license owners will have their ability to use RSA SecurID for MFA stripped away.
This is really annoying for customers who are using Standard edition and moved the RSA auth to the UAG.
It is actually a degradation of a feature that actually existed in this product.
Will have to move the RSA auth back to the Connection Server for some customers which leads to more Windows Servers needed if you have split environments.
VMware, you could do better.
Agreed, this is a big disappointment for customers with Standard licensing that want to provide secure remote access.
We tried shifting RADIUS from the UAG to the connection servers but found that it didn't work. Hopefully you have better luck with RSA SecurID.
Not only does it take away RSA SecurID, it also takes away generic RADIUS. Considering that we have just renewed Horizon View Standard for 1.5 years, this is really poor practice. Had I known this was coming, I would have looked elsewhere for my VDI needs.
I think this was a big miss on VMware's part and I would recommend letting your account team know. The miss here was that RADIUS has always been available as an AuthN authentication method. Had they just introduced it with the release of UAG 3.4 and the new licensing model it would have been different. Instead VMware encouraged migrating from Security Servers to the UAG, advertising feature parity, and then that was suddenly taken away.
I've been exploring only enforcing AD (pass-through) authentication on the UAG while enforcing RADIUS on the connection servers but so far it doesn't work.
What doesn't work on the connection server side? I'm on 7.4 using 3.3 UAGs and have RADIUS set up on the connection servers. They type the username first, then they get the 2FA, DUO in our case, after that.
I also tested this on 7.4.0 and UAG 3.3, so I must be missing something.
When I connect through the UAG with a correct username and password, I’m prompted for the DUO MFA prompt on my phone and, if approved, can successfully connect. However, if I enter an incorrect password but still approve the DUO MFA prompt, the connection server will reject the password with the message “Unknown user name or bad password”.
If I uncheck “Enforce 2-factor and Windows user name matching” and a correct username and password are entered, I’m prompted for the DUO MFA prompt on my phone and, if approved, can successfully connect. If I enter an incorrect password but still approve the DUO MFA prompt, the connection server will reject the password with the same message “Unknown user name or bad password”. In this case I can type in both a valid username and password (this is an issue since we need the username enforced).
Hi, sorry to hit you up like this. I also have 7.4 Horizon and 3.3 UAGs with DUO. Since moving to the UAG, the prompt arrives at my phone and I approve it, which then should put me through to the connection servers; however, it prompts me with bad username or password and I have to enter domain credentials. DUO logs look normal. Have you seen this before? DUO and VMware are blaming each other! Any thoughts would be welcome.
UAG 3.5 now allows all advanced and enterprise features to be used with any Horizon edition. This means that advanced features such as Smart Card, RSA SecurID and RADIUS, and enterprise features such as HA and OPSWAT device policy checks can be used with UAG 3.5 even with the basic standard edition of Horizon.