7 Replies Latest reply on Sep 20, 2019 7:22 AM by cbaptiste

    2fa for external view users only

    smittycsi2 Lurker


      From the Horizon documents it states you can have separate connection servers using different authentication methods, then doesn't explain any further .

      so i know if you have a second Replica Connection server they share the same configuration so i am guessing you setup up a new connection server not a replica so i have questions.

      Can they share the same pool ?

      who is in control of the pool settings ?


      Has anyone setup this environment that can explain the setup.


      Ultimately would like to use 2fa for external users only and have the internal users log in the way they do now without 2fa and sharing the same pool.



        • 1. Re: 2fa for external view users only
          sjesse Master

          You route traffic to the correct connection server or the uag/security server. Thats how we handle it, everything thats not an internal network gets routed to our external connection server, that has 2fa enabled.

          • 2. Re: 2fa for external view users only
            smittycsi2 Lurker

            Thanks for the reply

            if you have 2 separate connections servers not a replica ,which connection server is responsible for the pool settings since they have separate Adam Db's thats what i want to clear up

            • 3. Re: 2fa for external view users only
              sjesse Master

              They are replicas, but under View Configuration>Servers on the connection servers tab you can edit each connection server.



              Then when you edit a pool under "Desktop Pool Settings" there is a connection server restriction setting option. In here you can pick the tags that you want


              • 4. Re: 2fa for external view users only
                sjesse Master

                This would require you two have two seperate loadbalancer vips if you want to have redundancy though. Another option if you don't need to restrict any pools is to use the 2fa on the Unified Access Gateway. UAGs unlike security servers don't need a direct pairing to a connection server., and have 2fa available directly. I'm not sure the licensing restraints on that though, I think you may need enterprise instead of advanced or standard.

                • 5. Re: 2fa for external view users only
                  smittycsi2 Lurker

                  Thanks again for your fast answers

                  I think i am not explaining exactly what i want to do

                  I have 1 pool that i access from outside and inside .

                  outside goes through a security server to my only connections server.

                  I want to use 2FA for outside connections only .

                  On a single Pool

                  Can i add a new connection server that is for internal only and not use 2FA ? and keep the existing Connection server and turn on 2FA for external users

                  If they are replicas can i still change the authentication method for each connection server?


                  I hope this makes sense hahaha

                  • 6. Re: 2fa for external view users only
                    sjesse Master

                    Yes, but you need a second security server and you have to route internal traffic to that security server.

                    • 7. Re: 2fa for external view users only
                      cbaptiste Enthusiast

                      Let me see if i can explain this and try to simplify it. I see where you are getting confused.


                      You have 1 pool where users need access both internally and externally

                      You want your LAN users to authenticate using password

                      You want your remote users to use passcode

                      To accomplish this you will need about 2 brokers, 2 security servers/UAGs and 2 load balancers with 2 VIPs


                      1 internal load balancer to route LAN users to your connection brokers

                      1 external load balancer in your DMZ to route your remote users to your security servers or preferably your access points (UAG which is an abbreviation for Unified Access Gateway) where you will configure 2FA

                      If you use unified access gateways,  you will put your brokers VIP FQDN as the server to connect to as part of the configure and then you will configure the authentication method you wish to use.

                      If you use security servers (I would advise against it but feel free to do as you please obviously), they will be install and configure along with your connection servers using the same database, same everything as one POD. You will then go to only your security servers and configure them for 2FA but not your brokers.


                      So in the end, your brokers will prompt users for password but your security servers or your UAGs will requires dual factor authentication. You will need a load balancer to direct users from either the brokers or the security servers/UAGs. No matter which route the a user take they will land on the same pool as long as they are entitled to it.