You route traffic to the correct connection server or the UAG/security server. That's how we handle it: everything that's not on an internal network gets routed to our external connection server, which has 2FA enabled.
Thanks for the reply
If you have 2 separate connection servers, not a replica, which connection server is responsible for the pool settings, since they have separate ADAM DBs? That's what I want to clear up.
This would require you to have two separate load balancer VIPs if you want to have redundancy, though. Another option, if you don't need to restrict any pools, is to use the 2FA on the Unified Access Gateway. UAGs, unlike security servers, don't need a direct pairing to a connection server, and have 2FA available directly. I'm not sure about the licensing restraints on that, though; I think you may need Enterprise instead of Advanced or Standard.
Thanks again for your fast answers
I think I am not explaining exactly what I want to do.
I have 1 pool that I access from outside and inside.
Outside goes through a security server to my only connection server.
I want to use 2FA for outside connections only.
On a single pool.
Can I add a new connection server that is for internal only and not use 2FA, and keep the existing connection server and turn on 2FA for external users?
If they are replicas can i still change the authentication method for each connection server?
I hope this makes sense hahaha
Yes, but you need a second security server and you have to route internal traffic to that security server.
Let me see if I can explain this and try to simplify it. I see where you are getting confused.
You have 1 pool where users need access both internally and externally
You want your LAN users to authenticate using password
You want your remote users to use passcode
To accomplish this you will need about 2 brokers, 2 security servers/UAGs, and 2 load balancers with 2 VIPs:
1 internal load balancer to route LAN users to your connection brokers
1 external load balancer in your DMZ to route your remote users to your security servers or, preferably, your access points (UAG, which is an abbreviation for Unified Access Gateway), where you will configure 2FA
If you use Unified Access Gateways, you will put your brokers' VIP FQDN as the server to connect to as part of the configuration, and then you will configure the authentication method you wish to use.
If you use security servers (I would advise against it, but feel free to do as you please, obviously), they will be installed and configured along with your connection servers, using the same database, same everything, as one pod. You will then go to only your security servers and configure them for 2FA, but not your brokers.
So in the end, your brokers will prompt users for a password, but your security servers or your UAGs will require two-factor authentication. You will need a load balancer to direct users to either the brokers or the security servers/UAGs. No matter which route a user takes, they will land on the same pool as long as they are entitled to it.
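As an added illustration (not part of the original thread and not configuration from any of the posters), here is what the UAG side of the design above looks like when deployed with the PowerShell `uagdeploy.ps1` script and its INI file: the `proxyDestinationUrl` in the `[Horizon]` section is the brokers' load-balanced VIP FQDN, and `authMethods=radius-auth` makes the UAG demand a RADIUS passcode before it ever talks to a broker. The brokers themselves keep RADIUS turned off, so LAN users hitting the internal VIP get only the password prompt. Hostnames, IPs and network names below are placeholders; the key names are taken from the UAG deployment documentation as I remember them and should be checked against the deployment guide for the UAG version you run. The RADIUS shared secret is not in the file; the script prompts for it.

```ini
; uag1.ini - first of the two DMZ appliances behind the external VIP.
; Deploy with: .\uagdeploy.ps1 -iniFile uag1.ini
[General]
name=uag1
deploymentOption=onenic
; Placeholder DMZ addressing.
ip0=192.0.2.10
netmask0=255.255.255.0
defaultGateway=192.0.2.1
dns=192.0.2.2
netInternet=DMZ Network
netManagementNetwork=DMZ Network
netBackendNetwork=DMZ Network

[Horizon]
; Internal load-balanced VIP in front of both connection brokers.
; The UAG does not need pairing to one broker; it simply proxies here.
proxyDestinationUrl=https://brokers.example.com
; Thumbprint of the certificate presented by brokers.example.com
; (required when the broker certificate is not trusted by the appliance).
proxyDestinationUrlThumbprints=sha1=<thumbprint of the brokers.example.com certificate>
; External VIP name that remote clients resolve; each UAG advertises it.
blastExternalUrl=https://view.example.com:443
tunnelExternalUrl=https://view.example.com:443
pcoipExternalUrl=203.0.113.10:4172
; Second factor enforced on the UAG only; brokers stay password-only.
authMethods=radius-auth
; Pass the RADIUS username through to the broker as the Windows logon name
; so the user is not asked to type it twice.
matchWindowsUserName=true

[RADIUSAuth]
; Placeholder RADIUS server reachable from the DMZ backend network.
hostName=radius.example.com
authPort=1812
authType=PAP
radiusDisplayName=Passcode
numAttempts=3
serverTimeout=5
```

The second appliance, uag2, is the same file with its own `name` and `ip0`; both sit behind the external VIP `view.example.com` so that losing one UAG does not take remote access down. Nothing in this file references the pool: entitlement is evaluated by whichever broker the VIP hands the session to, which is why both paths land on the same pool.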