In the pod deployment wizard step for specifying the pod's Unified Access Gateway configurations, you can also specify two-factor authentication for your end users' access to their desktops and applications through those gateway configurations.


[Screenshot: Horizon Cloud on Microsoft Azure pod deployment wizard, two-factor authentication fields in their initial state after enabling the two-factor authentication toggle.]

When two-factor authentication details are specified in the wizard for a gateway configuration, the pod deployer configures that gateway configuration's deployed Unified Access Gateway appliances with those details during the pod deployment process.

As described in the Unified Access Gateway documentation, Unified Access Gateway appliances configured for two-factor authentication authenticate incoming user sessions according to the two-factor authentication policies you specify. After Unified Access Gateway has authenticated a user session under that policy, it forwards the end-user client's request for a desktop or application launch to the deployed pod manager, which establishes the connection session between the client and an available desktop or application.

Important: If you deploy the pod with both an external gateway configuration and an internal gateway configuration, and you later plan to configure your tenant's Universal Broker settings to use two-factor authentication, additional post-deployment steps might be required so that Universal Broker can distinguish an external end user from an internal end user and apply the two-factor authentication settings specified for Universal Broker appropriately. For details, see Best Practices When Implementing Two-Factor Authentication in a Universal Broker Environment.

Prerequisites

For the external or internal Unified Access Gateway configuration for which you are entering the two-factor authentication details, verify that you have completed that configuration's fields in the wizard as described in Specify the Horizon Cloud Pod's Gateway Configuration. When configuring two-factor authentication against an on-premises authentication server, you also provide information in the following fields so that the Unified Access Gateway instances can resolve the name of, and route traffic to, that on-premises server.

DNS Addresses
    Specify one or more addresses of DNS servers that can resolve the name of your on-premises authentication server.
Routes
    Specify one or more custom routes that allow the pod's Unified Access Gateway instances to resolve network routing to your on-premises authentication server.

For example, if you have an on-premises RADIUS server that uses 10.10.60.20 as its IP address, you would use 10.10.60.0/24 and your default route gateway address as a custom route. You obtain your default route gateway address from the Express Route or VPN configuration you are using for this environment.

Specify the custom routes as a comma-separated list of entries, each in the form ipv4-network-address/bits ipv4-gateway-address, for example: 192.168.1.0/24 192.168.0.1, 192.168.2.0/24 192.168.0.2.
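As an added pre-flight check (example code, not part of the Horizon Cloud documentation or product), the following Python parses a custom-routes string in the format above, reports malformed entries, and lists any authentication server address that none of the routes covers. The route list, gateway addresses and the secondary server address are constructed sample values.

```python
# Pre-flight check for the wizard's Routes field: parses the comma-separated
# "ipv4-network-address/bits ipv4-gateway-address" list and reports any
# authentication server no route covers. Added example, not Horizon Cloud code.
import ipaddress

def parse_custom_routes(routes):
    """Return (IPv4Network, IPv4Address) pairs; ValueError on a malformed entry."""
    parsed = []
    for entry in routes.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split()
        if len(parts) != 2:
            raise ValueError(f"expected 'network/bits gateway', got {entry!r}")
        # strict=True rejects 10.10.60.20/24: that is a host address, not a network
        network = ipaddress.IPv4Network(parts[0], strict=True)
        gateway = ipaddress.IPv4Address(parts[1])
        parsed.append((network, gateway))
    return parsed

def validate_custom_routes(routes):
    """Return the problems found in the routes string, entry by entry (empty if valid)."""
    problems = []
    for entry in routes.split(","):
        try:
            parse_custom_routes(entry)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def uncovered_servers(routes, servers):
    """Return authentication server IPs that fall outside every custom route."""
    networks = [net for net, _gateway in parse_custom_routes(routes)]
    return [s for s in servers
            if not any(ipaddress.IPv4Address(s) in net for net in networks)]

# Constructed sample: the page's 10.10.60.20 RADIUS server plus a secondary
# server on a neighbouring subnet for which no route entry was added.
SAMPLE_ROUTES = "10.10.60.0/24 10.10.0.1, 192.168.1.0/24 192.168.0.1"
SAMPLE_SERVERS = ["10.10.60.20", "10.10.61.20"]

if __name__ == "__main__":
    for problem in validate_custom_routes(SAMPLE_ROUTES):
        print("malformed route entry:", problem)
    for server in uncovered_servers(SAMPLE_ROUTES, SAMPLE_SERVERS):
        print("no custom route covers authentication server", server)
```

Run it against the exact string you intend to paste into the Routes field and the primary and auxiliary server addresses; a server listed as uncovered will be unreachable from the Unified Access Gateway instances after deployment.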

Verify that you have the following information from your authentication server's configuration, so that you can provide it in the appropriate fields in the pod deployment wizard.

RADIUS

If you are configuring settings for both a primary and auxiliary RADIUS server, obtain the information for each of them.

  • IP address or DNS name of the authentication server
  • The shared secret that is used for encryption and decryption in the authentication server's protocol messages
  • Authentication port numbers, typically 1812/UDP for RADIUS.
  • Authentication protocol type. The authentication types include PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP1, MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol, version 1 and 2).
    Note: Check your RADIUS vendor's documentation for the authentication protocol that your RADIUS vendor recommends and follow their indicated protocol type. The pod's capability to support two-factor authentication with RADIUS is provided by the Unified Access Gateway instances, and Unified Access Gateway supports PAP, CHAP, MSCHAP1, and MSCHAP2. PAP is generally less secure than MSCHAP2. PAP is also a simpler protocol than MSCHAP2. As a result, even though most RADIUS vendors are compatible with the simpler PAP protocol, some RADIUS vendors are not as compatible with the more secure MSCHAP2.
RSA SecurID

Note: The RSA SecurID type is supported with Horizon Cloud on Microsoft Azure deployments that are running manifest 3139.x or later. The UI option to specify the RSA SecurID type in the Add Pod and Edit Pod wizards will become visible to select in the wizards starting in mid-March 2022.

  • Access key from the RSA SecurID authentication manager server.
  • RSA SecurID communication port number. Typically 5555, as set in the RSA Authentication Manager system settings for RSA SecurID Authentication API.
  • Host name of the RSA SecurID authentication manager server.
  • IP address of that RSA SecurID authentication manager server.
  • If the RSA SecurID authentication manager server or its load balancer server has a self-signed certificate, you will need the CA certificate to provide in the Add Pod wizard. The certificate should be in PEM format (file types .cer, .cert, or .pem).

Procedure

  1. Switch on the Enable two-factor authentication toggle.
    When the toggle is enabled, the wizard displays the additional configuration fields. Use the scroll bar to access all of the fields.

    The following screenshot is an example of what is displayed after you switch on the toggle in the External UAG section.

    [Screenshot: Horizon Cloud on Microsoft Azure pod deployment wizard, two-factor authentication fields in their initial state after enabling the two-factor authentication toggle.]
  2. Select your two-factor authentication type, RADIUS or RSA SecurID.
    These are the currently supported types.

    After selecting the type, the Two-factor Authentication Configuration menu automatically reflects that you are adding a configuration of that selected type. For example, if RSA SecurID type is selected, the Two-factor Authentication Configuration menu displays New RSA SecurID.

  3. In the Configuration Name field, enter an identifying name for this configuration.
  4. In the Properties section, specify details related to the end users' interaction with the login screen they will use to authenticate for access.

    The wizard displays the fields that a Horizon Cloud on Microsoft Azure deployment supports for use with its gateway configurations. The fields vary according to the selected two-factor authentication type. Refer to the table below that corresponds to your selected type, RADIUS or RSA SecurID.

    RADIUS

    Details for the primary authentication server are required. If you have a secondary authentication server, enable the Auxiliary Server toggle and specify the details for that server as well.

    Display Name
        You can leave this field blank. Even though this field is visible in the wizard, it only sets an internal name in the Unified Access Gateway configuration. This name is not used by Horizon clients.

    Display Hint
        Optionally enter a text string that is displayed to end users in the message on the client login screen when it prompts for their RADIUS user name and passcode. The hint appears to the end user as Enter your DisplayHint user name and passcode, where DisplayHint is the text you specify in this field.

        This hint can help guide users to enter the correct RADIUS passcode. For example, specifying a phrase like Example Company user name and domain password below for results in a prompt to the end user that says Enter your Example Company user name and domain password below for user name and passcode.

    Name ID Suffix
        This setting is used in SAML scenarios, where your pod is configured to use TrueSSO for single sign-on. Optionally provide a string that is appended to the SAML assertion user name sent in the request to the pod manager. For example, if the user name is entered as user1 on the login screen and a name ID suffix of @example.com is specified here, a SAML assertion user name of user1@example.com is sent in the request.

    Number of Iterations
        Enter the maximum number of failed authentication attempts that a user is allowed when attempting to log in using this RADIUS system.

    Maintain Username
        Enable this toggle to maintain the user's Active Directory username during the authentication flow among the client, the Unified Access Gateway instance, and the RADIUS service. When enabled:
        • The user must have the same username credentials for RADIUS as for their Active Directory authentication.
        • The user cannot change the username in the login screen.

        If this toggle is switched off, the user is able to type a different user name in the login screen.

        Note: For the relationship between enabling Maintain Username and the domain security settings in Horizon Cloud, see the Domain Security Settings on General Settings Page topic.

    Host Name / IP Address
        Enter the DNS name or the IP address of the authentication server.

    Shared Secret
        Enter the secret for communicating with the authentication server. The value must be identical to the server-configured value.

    Authentication Port
        Specify the UDP port configured on the authentication server for sending or receiving authentication traffic. The default is 1812.

    Accounting Port
        Optionally specify the UDP port configured on the authentication server for sending or receiving accounting traffic. The default is 1813.

    Mechanism
        Select the authentication protocol that is supported by the specified authentication server and that you want the deployed pod to use.

    Server Timeout
        Specify the number of seconds that the pod waits for a response from the authentication server. If the server does not respond within this number of seconds, a retry is sent.

    Max Number of Retries
        Specify the maximum number of times the pod retries failed requests to the authentication server.

    Realm Prefix
        Optionally provide a string that the system places at the beginning of the user name when the name is sent to the authentication server. The user account location is called the realm.

        For example, if the user name is entered as user1 on the login screen and a realm prefix of DOMAIN-A\ is specified here, the system sends DOMAIN-A\user1 to the authentication server. If you do not specify a realm prefix, only the entered user name is sent.

    Realm Suffix
        Optionally provide a string that the system appends to the user name when the name is sent to the authentication server. For example, if the user name is entered as user1 on the login screen and a realm suffix of @example.com is specified here, the system sends user1@example.com to the authentication server.
    RSA SecurID

    Access Key
        Type in the access key for your RSA SecurID system, obtained from the system's RSA SecurID Authentication API settings.

    Server Port
        Specify the communication port value configured in your system's RSA SecurID Authentication API settings, typically 5555 by default.

    Server Host Name
        Enter the DNS name of the authentication server.

    Server IP Address
        Enter the IP address of the authentication server.

    Number of Iterations
        Enter the maximum number of failed authentication attempts that a user is allowed before they are locked out for one hour. The default is five (5) attempts.

    CA Certificate
        This item is required when your RSA SecurID Authentication Manager server or its load balancer uses a self-signed certificate. In this case, copy the CA certificate and paste it into this field. As described above in this page, the certificate must be provided in PEM format.

        When the server has a certificate signed by a public Certificate Authority (CA), this field is optional.

    Authentication Timeout
        Specify the number of seconds that an authentication attempt between the Unified Access Gateway instances and the RSA SecurID authentication server is allowed to remain pending before it times out. The default value is 180 seconds.