2 Replies Latest reply on Jul 28, 2019 9:21 PM by kentaro31

    Segregating 2FA users, or different configs on Connection servers

    kentaro31 Lurker

      Sorry the title is a mouthful.

       

      I'm trying to implement a UAG setup, as currently we use VPN and it's being decommissioned.  Currently we have 2 groups of users, one group is filtered via IP, and another group enforces MFA. All of this is handled via VPN.  I want to try and have the same setup through UAG.  My problem is I can't verify if you can have different configurations on multiple connection servers within the same pod, meaning connection01 does not have any 2FA, while connection02 is set to enforce.  This would mean I could point separate UAGs to each connection server.  Is there a better way to do this?   If it matters, I'm looking at using Okta MFA with RADIUS (via this link: Configure VMware Horizon View to Interoperate with Okta via RADIUS | Okta).

       

      Thanks in advance for any help!

       

      Ken

        • 1. Re: Segregating 2FA users, or different configs on Connection servers
          cbaptiste Enthusiast

          The way to do it is to leverage UAGs for the use cases. Personally, I would enforce 2FA for all external users. UAG does support multiple different types of auth, including RADIUS. The caveat is you need to decide whether you wish to split your connection brokers between, in your case, internal users and external, or keep them the same. Personally, I always keep them the same. I have yet to find a use case where I couldn't use the same connection servers for both. However, I believe as best practice, mostly unwritten, VMware would suggest segregating the brokers between internal and external within the same pod. The downside of using the same brokers for both internal and external use means you can no longer enable tunneling on the connection brokers. The gain is less management overhead.

          • 2. Re: Segregating 2FA users, or different configs on Connection servers
            kentaro31 Lurker

            Thanks for the reply, appreciate it!

             

            The 2FA for all external users may come later, but since it involves contractors and contracts, it isn't something I can just enforce immediately.  I agree, 2FA for all external access would be best.  I will move ahead with segregating the brokers and seeing how that works out!

             

            Thanks,

            Ken