Enable Multi-Factor Authentication for VMware Horizon UAG with Thales / Gemalto Safenet


Background

I had a requirement to implement Multi-Factor Authentication for external access to a Horizon View environment. External connections are already handled by a VMware Universal Access Gateway (UAG), so adding MFA is largely a matter of enabling the appliance's integration with a RADIUS service. This guide shows how to integrate with Gemalto's Safenet Trusted Access (STA) service.


Implementation

Step 1 – Safenet Trusted Access setup

I will assume at this point that you have some familiarity with Gemalto's SAS / STA platform and that you have already synchronised user accounts from Active Directory. Gemalto's setup guide is quite out of date at this point, but it gives you the information required for setup and for enabling MFA on a View connection server. The guide can be found here.

First off, we need to add an authentication node to Gemalto STA. This is essentially a public IP address (or range) that is allowed to authenticate against the Gemalto RADIUS servers.

The screenshot above shows how to define an auth node. Enter a name for the service, the public IP range that will be allowed to authenticate with the service, and generate a shared secret key; the same secret is needed again when the UAG is configured later in the setup procedure.

If you have a firewall in place, ensure that traffic is allowed from the UAG to the Safenet public RADIUS IPs on UDP ports 1812 and 1813.

Step 2 – Integration with Universal Access Gateway

This sequence was configured on a UAG 3.6 appliance; the steps should be similar on older versions of the appliance.

Log into the UAG appliance and enable Authentication Settings. This will then allow you to click on RADIUS.


Configure the settings as shown. You can change the number of authentication attempts and the timeouts to suit your requirements. STA uses PAP authentication for RADIUS, so the authentication type must be set to PAP.

Clicking the More button allows you to add a secondary RADIUS server IP address. Click Save to return to the previous menu.
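To make the PAP-over-RADIUS point concrete, here is an added example (not part of the original post, and not VMware's or Gemalto's code) of the exchange the UAG has with a RADIUS server on UDP 1812: the passcode is hidden with the shared secret as RFC 2865 describes, and a reply is only trusted if its Response Authenticator proves the server knows the same secret. The username, passcode and secret are constructed values, and nothing is sent on the wire.

```python
import hashlib
import os
import struct

# RFC 2865 values used below; STA uses PAP, so the passcode travels as User-Password.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_pap_password(hidden, secret, authenticator):
    """Reverse of encode_pap_password (server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None):
    """The UDP/1812 Access-Request the UAG sends; returns (packet, request authenticator)."""
    auth = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, encode_pap_password(password, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server reply (Accept/Reject) carrying the Response Authenticator that proves the secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def response_authenticator_ok(response, ident, request_auth, secret):
    """Client-side check: only trust a reply whose ID and Response Authenticator match."""
    if len(response) < 20 or response[1] != ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return expected == response[4:20]
```

This is also why the shared secret generated in Step 1 should be long and random: with PAP it is the only thing protecting the passcode between the UAG and the RADIUS servers, and it is what lets the UAG reject a forged Access-Accept.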

Now to enable RADIUS authentication. Click on Edge Service Settings and then click on Horizon Settings.

Click on More to reveal the Authentication options.

Set the Auth Method to RADIUS.

If you would like to use SSO, click the Enable Windows SSO option. This is not something I have tested, but I believe enabling password hash sync to STA would allow this to work.

Click save and then try to log into Horizon View. You should now have the option to enter a passcode rather than a password.

This then takes you to the familiar log-in-with-password screen.

More details about RADIUS integration with UAG can be found here in VMware's documentation.

Ian
