I have the following use case:
External users should authenticate to identity manager and when authenticated they can start their Horizon desktops through UAG.
The current setup is the following:
- 3 IDM appliances behind a NetScaler in DMZ, with connectors in LAN.
- 2 UAGs behind a NetScaler in DMZ.
- Users authenticate to IDM with/without RADIUS based on security group membership.
Is there a way to force users to use Identity Manager and not connect directly to the UAGs?
Is this achievable? And how?
Thank you for your answer. You are right.
I discussed this also with Peter Bjork and it is indeed the way to go.
I tried to avoid having dedicated connection servers with Workspace ONE mode enabled, but unfortunately this is not possible (at least when you need to access these connection servers directly with the Horizon client).
I enabled Workspace ONE mode and I access IDM through UAG.
The connection to the desktop does not work, because the Horizon client cannot find the server from the external network. In IDM I have added the View connection server, and when I log in to IDM from the internal network I have access to the desktop; it is only from an external network that it does not work.
How can I access the desktop through IDM from an external network?
VMware Identity Manager does not tunnel the traffic. Horizon must be externally accessible. In VMware Identity Manager you can create network ranges. For each range you specify the correct FQDN for clients to use to access Horizon.