Using Duo to protect Vmware View from internet only

kermed · ‎09-13-2019

We just recently installed Duo and are currently testing. One of the things we would like to protect, is access to our VMware View environment when our users are working remotely. We do not want our users to be prompted for MFA when they are working in the office. From what I see there is no way to distinguish this in Duo?

srt1 · ‎09-13-2019

Hi,

We are doing same. You just need to set up remote access via VMware Unified Access Gateway v3.5+ and not directly to the VMware horizon connection server. The UAG can be setup to perform the 2FA via RADIUS and then the actual connection server does not have to have 2FA turned on. This way only those connection via the UAG (i.e. remote users) will get prompted for 2FA.

UAG is a VM deployable ‘appliance’ and is part of the Horizon product.

I have this working successfully with local users connecting via the Horizon connection server not requiring 2FA and those coming from the Internet that connect via the UAG do need 2FA.

Hope this help.

kermed · ‎09-19-2019

Hi srt

Took the time to install the UAG 3.7 and now have a similar setup to you. I turned on RADIUS authentication on the UAG and pointed it to our Duo Auth Proxy. I can successfully log into my desktop through the UAG but never get prompted for 2FA via Duo.

Would you be able to take a bit of time and provide a few more details? It wold be greatly appreciated.

srt1 · ‎09-19-2019

Hi,

Have attached screen shot of our Horizon settings on our UAG 3.6

Most important thing to remember is to click on the “More V” at the bottom of the screen to check ALL the parameters. This is particularly important for the Horizon section otherwise you do not see the settings in particular the ones I highlighted with red rectangle which must be set to RADIUS.

Hope this helps.

srt1 · ‎09-19-2019

Also this is our RADIUS section just in case you need that as well.