Customers who leverage Access Policy Manager (APM) for remote access to VMware Horizon 6 (formerly known as VMware View) typically have some level of two-factor authentication (2FA) as an added layer of authentication. It’s especially important when users may be accessing Horizon resources from untrusted devices or networks.
One challenge I have found, especially when using F5’s VMware Horizon iApp, is that the iApp requires some settings to be pre-configured to support SecurID for 2FA. This blog post will walk you through the pre-configuration and subsequent iApp setup of RSA SecurID with APM’s PCoIP Proxy using the native RSA integration capabilities of APM.
Shout-out to the peeps from VMware’s OneCloud team – big thanks to Simon Long and Aresh Sarkari for helping put this together!
The Authentication Flow
Let’s start with a quick recap of the authentication flow.
Joe User will connect to the F5 virtual server’s public IP using the Horizon client or with F5’s WebTop.
Next, he’ll be prompted to enter their RSA SecurID username and the passcode.
BIG-IP APM will authenticate the username and passcode against the RSA Server.
Once Joe has been validated through the RSA authentication server, he is then prompted for their Active Directory username and password.
APM sends the Active Directory username and password to a domain controller.
Once the final authentication step is completed, BIG-IP APM will enumerate the authorized desktops and applications through the Horizon Client or F5 WebTop.
Joe then securely launches his apps and desktops, all proxied through the APM PCoIP Proxy.
Here’s a picture of what the RSA integration looks like with APM in the mix:
Setting Up APM and RSA for PCoIP Proxy
Now, let’s get down to business. Here’s a quick list of things we’ll assume are already configured:
BIG-IP installed and configured
RSA Authentication servers installed and configured
RSA tokens activated
Firewall rules and routing between the BIG-IP and the RSA Authentication servers in place
We’ll also focus on the key areas of the VMware Horizon iApp (version 1.2.0) that you will need to change in order to support RSA SecurID - I’ll actually cover the complete setup of the APM PCoIP Proxy with the VMware Horizon iApp in an upcoming blog post and instructional video.
Click Here to download the documentation for setting up RSA SecurID with APM PCoIP Proxy.
As always, feel free to send any feedback or ideas to our VMware Alliance team at firstname.lastname@example.org!