This topic describes the high-level steps and best practices that you can use to configure two-factor authentication to the Universal Broker service.
How Two-Factor Authentication Works with Universal Broker
By default, Universal Broker authenticates users solely through their Active Directory user name and password. You can implement optional two-factor authentication by specifying an additional authentication service.
As of the service release version 2203, Universal Broker supports the following two-factor authentication services with both Horizon deployments and Horizon Cloud on Microsoft Azure deployments.
- RADIUS
- RSA SecurID
Universal Broker relies on the configuration of the external Unified Access Gateway instances within each participating pod when performing two-factor authentication of network users. Although you can also configure internal Unified Access Gateway instances to handle the authentication and routing of internal network users, Universal Broker bases its two-factor authentication on the authentication service that is configured on the external Unified Access Gateway instances.
For example, if you want to use RADIUS authentication for your Horizon pods configured with Universal Broker, you must configure the identical RADIUS service on every external Unified Access Gateway instance across all participating Horizon pods. You cannot configure RADIUS on some participating pods and RSA SecurID on other participating pods.
When You Want to Enable Two-Factor Authentication for Users on Both External and Internal Networks
1. For each pod in your Universal Broker environment, configure at least one external Unified Access Gateway instance. Configure the identical two-factor authentication service on every external Unified Access Gateway instance across all the pods.
Follow the configuration guidelines for your specific use case. When your tenant's fleet has:
- Horizon pods only
  - Configure either the RADIUS or RSA SecurID service on every external Unified Access Gateway instance across all the pods.
- Horizon Cloud on Microsoft Azure deployments only
  - Configure the same two-factor authentication service on every external Unified Access Gateway instance across all the pods. If all pods are manifest 3139.x or later and the RSA SecurID option is available in the two-factor authentication settings when you run the Edit Pod wizard on the pods, you can configure all of the pods to use the RSA SecurID type. Otherwise, only the RADIUS type is available.
- Mixture of Horizon pods and Horizon Cloud on Microsoft Azure deployments
  - In a blended fleet, the options available to you depend on whether your Horizon Cloud on Microsoft Azure deployments meet the conditions to have the RSA SecurID option available on them.
    - If your Horizon Cloud on Microsoft Azure deployments do not meet the conditions to have the RSA SecurID type configured on them, you can configure the RADIUS service on every external Unified Access Gateway instance across all the pods in the fleet.
    - If your Horizon Cloud on Microsoft Azure deployments do meet the conditions to have the RSA SecurID type configured on them, you can configure either RSA SecurID or RADIUS on every external Unified Access Gateway instance across all the pods in the fleet.
For Horizon pods, see the Unified Access Gateway documentation, the VMware Horizon Documentation, and the VMware Horizon 7 documentation.
For Horizon Cloud pods in Microsoft Azure, see Add a Gateway Configuration to a Deployed Horizon Cloud Pod and Enable Two-Factor Authentication on a Horizon Cloud Pod's Gateways.
2. Optionally configure an internal Unified Access Gateway instance for each pod. To route user traffic to your respective internal and external DNS servers, do one of the following:
  - Configure distinct FQDNs for the internal and external Unified Access Gateway instances in the pod.
  - Configure the same FQDN for the internal and external Unified Access Gateway instances in the pod. Then configure split DNS zones for the FQDN of the pod's load balancer.
3. (Horizon pods only) Configure the JSON Web Token settings in each Unified Access Gateway instance to support the tunnel server and protocol redirection required by Universal Broker. See Horizon Pods - Configure Unified Access Gateway for Use with Universal Broker.
4. In the Authentication page of the Universal Broker configuration wizard, specify the following settings:
  - Enable the Two-Factor Authentication toggle.
  - For Type, select the authentication service that you configured on all the external Unified Access Gateway instances across your pods.
  - Set the Skip Two-Factor Authentication toggle to the off position.
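The fleet rules above (at least one external Unified Access Gateway per pod, one identical service on every external instance, RSA SecurID only on Horizon Cloud on Microsoft Azure pods at manifest 3139.x or later) can be checked before you open the Universal Broker wizard. This is an added example, not VMware code; the inventory records and their field names are constructed for the example and are not Horizon's own schema.

```python
# Constructed inventory of Unified Access Gateway instances across a fleet;
# the field names are assumptions for this example, not Horizon's own schema.
FLEET = [
    {"pod": "hzn-pod-1", "kind": "horizon", "uag": "uag-ext-1",
     "external": True, "twofa": "RADIUS"},
    {"pod": "hzn-pod-1", "kind": "horizon", "uag": "uag-int-1",
     "external": False, "twofa": None},
    {"pod": "azure-pod-1", "kind": "horizon_cloud", "manifest": "3139.5",
     "uag": "uag-ext-2", "external": True, "twofa": "RADIUS"},
]

SUPPORTED = {"RADIUS", "RSA SecurID"}


def manifest_supports_securid(manifest):
    """RSA SecurID on a Horizon Cloud on Azure pod needs manifest 3139.x or later."""
    return int(manifest.split(".")[0]) >= 3139


def validate_fleet(fleet):
    """Return the problems that would make a Universal Broker two-factor
    configuration inconsistent; an empty list means the fleet is consistent."""
    problems = []
    by_pod = {}
    for inst in fleet:
        by_pod.setdefault(inst["pod"], []).append(inst)
    # Every pod needs at least one external Unified Access Gateway instance.
    for pod, insts in by_pod.items():
        if not any(i["external"] for i in insts):
            problems.append(f"{pod}: no external Unified Access Gateway instance")
    externals = [i for i in fleet if i["external"]]
    for i in externals:
        if i["twofa"] not in SUPPORTED:
            problems.append(f"{i['uag']}: unsupported or missing 2FA type {i['twofa']!r}")
        if (i["twofa"] == "RSA SecurID" and i["kind"] == "horizon_cloud"
                and not manifest_supports_securid(i["manifest"])):
            problems.append(f"{i['uag']}: RSA SecurID needs manifest 3139.x or later")
    # Universal Broker accepts exactly one service type across all external instances.
    types = {i["twofa"] for i in externals}
    if len(types) > 1:
        problems.append(f"external instances use mixed 2FA types: {sorted(map(str, types))}")
    return problems


def broker_two_factor_type(fleet):
    """The single Type to select on the Universal Broker Authentication page,
    or None when the fleet is inconsistent."""
    if validate_fleet(fleet):
        return None
    return next((i["twofa"] for i in fleet if i["external"]), None)
```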
When You Want to Enable Two-Factor Authentication Only for Users on the External Network
1. Complete steps 1 through 3 as described in the previous use case, "When You Want to Enable Two-Factor Authentication for Users on Both External and Internal Networks."
2. In the Network Ranges tab of the Broker page, define the public IP ranges that represent your internal network. See Define Internal Network Ranges for Universal Broker.
3. In the Authentication page of the Universal Broker configuration wizard, specify the following settings:
  - Enable the Two-Factor Authentication toggle.
  - For Type, select the authentication service that you configured on all the external Unified Access Gateway instances across your pods.
  - Enable the Skip Two-Factor Authentication toggle.
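The difference between the two use cases comes down to the Skip Two-Factor Authentication toggle and the internal network ranges. The following added example (not VMware code) models that decision and flags ranges that are not public addresses; the settings dictionary and its field names are constructed for the example and are not Universal Broker's own schema.

```python
import ipaddress

# Constructed settings for the "external network only" use case; the field
# names are assumptions for this example, not Universal Broker's own schema.
BROKER_SETTINGS = {
    "two_factor_enabled": True,
    "two_factor_type": "RADIUS",
    "skip_two_factor_for_internal": True,
    # Network Ranges tab: public IP ranges that represent the internal network
    # (constructed documentation addresses, not a real deployment).
    "internal_ranges": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Address blocks that cannot be the source address a cloud-hosted broker sees.
PRIVATE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def non_public_ranges(settings):
    """Internal ranges that overlap private or link-local space. The page asks
    for public ranges: a private range entered here would never match the
    NATed source address the broker sees, so internal users would not get
    the skip (assumption about where the broker observes the client address)."""
    return [c for c in settings["internal_ranges"]
            if any(ipaddress.ip_network(c, strict=False).overlaps(p) for p in PRIVATE)]


def requires_two_factor(settings, client_ip):
    """Model of the broker's decision for a user connecting from client_ip:
    two-factor is required unless it is disabled, or the skip toggle is on and
    the source address falls inside a defined internal range."""
    if not settings["two_factor_enabled"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    if settings["skip_two_factor_for_internal"]:
        if any(addr in ipaddress.ip_network(c, strict=False)
               for c in settings["internal_ranges"]):
            return False
    return True
```

With the toggle off (the first use case) every user is challenged regardless of source address; with it on, only users outside the defined ranges are challenged.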