Architecture Diagram

Before You Begin

This document provides instructions for configuring the Omnissa Horizon 8 Connection Servers for RSA SecurID Authentication as a RADIUS client. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this document. Administrators should review the product documentation for all products involved prior to installing the required components.

All RSA Authentication Manager & Horizon 8 components must be installed and working prior to the integration. Directory services integration and/or local RSA user account management are beyond the scope of this document; however, these configurations are a prerequisite to performing the steps in this document. Perform any necessary tests to confirm that all required components are working properly before proceeding.

Configure RSA Authentication Manager

Perform the steps in this section to configure RSA Authentication Manager for Horizon 8 Connection Servers using RADIUS.

Configuration Overview

To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console.

The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many or 1 to all (global). RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.

Procedure

1. Log in to the RSA Authentication Manager Security Console.
   
   
2. Under RADIUS, select RADIUS Clients and click Add New.

3. Configure the Client Name, IPv4 Address of the Connection Server and Shared Secret (max 128 characters for Connection Server) then click Save & Create Associated RSA Agent.

4. On the Add New Authentication Agent page, click Save.

The RSA Authentication Manager Configuration is complete.

Configure Omnissa Horizon 8 Connection Servers

Perform the steps in this section to configure Horizon 8 Connection Servers as RADIUS clients to RSA Authentication Manager

Configuration Overview

Horizon 8 is normally implemented on multiple Connection Servers to provide high availability and to meet scalability requirements. Each Horizon 8 Connection Server is individually configured for RSA SecurID authentication. It is possible to have some Horizon 8 Connection Servers in a Horizon Pod enabled for RSA SecurID authentication and to have others disabled.

If RSA SecurID is not enabled on a specific Connection Server, users connecting through that server will be authenticated using just Microsoft Active Directory credentials (username, password, and domain name). If RSA SecurID is enabled on a specific Horizon 8 Connection Server, then users of the server are required to supply their RSA SecurID username and passcode first. If they are not authenticated at this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and are then required to enter their Active Directory credentials.

If Horizon 8 provides services to users coming from untrusted or public networks such as the Internet, consider using Omnissa Unified Access Gateways (UAG) configured for RSA SecurID in front of Horizon 8 Connection Servers. This scenario can be used to force RSA SecurID authentication for users accessing the Horizon 8 environment remotely. See the Omnissa Horizon 8 documentation and the Omnissa Horizon 8 Unified Access Gateway (UAG) - RADIUS with Authentication Manager - RSA Ready SecurID Access Implementation Guide for additional information.

Procedure 

1. Log in to the Horizon 8 Console using an administrator username and password.
2. From the Horizon 8 Console, expand Settings and select Servers. Locate the Horizon Connection Servers section at the top center of the page, select the appropriate Connection Server and click Edit.

3. Within the Edit Connection Server Settings window, locate and select the Authentication tab.
4. Under Advanced Authentication section, select RADIUS for the 2-factor authentication settings. 
5. Under Advanced Authentication, use the Select Authenticator pulldown to select Create New Authenticator and if needed, click manage authenticators to configure the new RADIUS Host.

6. In the Add RADIUS Authenticator window, provide an Authenticator Name, Description, Username Label and Passcode Label of the RADIUS Host.

Note: The “Username Label” and “Passcode Label” fields provide the end-user a hint to place their passcode into the Horizon Client upon log in.

7. On the Primary Authentication Server page, enter the Hostname or IP Address of the RSA Authentication Manager and the Shared Secret (max 128 characters for Connection Server) previously used to create the RADIUS client in the RSA Authentication Manager as well as any other necessary fields.

8. Click Next.
9. OPTIONAL: If a secondary RADIUS Authenticator exists, check the Use a secondary server if primary is unavailable check box and enter the details of the secondary RADIUS Host Otherwise skip this step.

10. Select Finish.
11. Click OK button on Manage Authenticators.

12. From Authenticator drop-down menu, select the authenticator just added.

13. Click Ok
14. Repeat steps 12 & 13 for each Horizon 8 Connection Server you wish to enable for RSA SecurID.

Note: There is no need to restart the Horizon 8 Connection Servers after making these configuration changes.

The Horizon UAG Configuration is complete.