Architecture Diagram

Before You Begin

This document provides instructions for configuring the Omnissa Horizon 8 Connection Servers for RSA SecurID Authentication as a RADIUS client. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this document. Administrators should review the product documentation for all products involved prior to installing the required components.

All RSA Cloud Authentication Service & Horizon 8 components must be installed and working prior to the integration. Directory services integration and/or local RSA user account management are beyond the scope of this document; however, these configurations are a prerequisite to performing the steps in this document. Perform any necessary tests to confirm that all required components are working properly before proceeding.

Configure RSA Cloud Authentication Service

Perform the steps in this section to configure the RSA Cloud Authentication Service for Horizon 8 Connection Servers using RADIUS.

Configuration Overview

To configure RADIUS with RSA Cloud Access Service for Horizon 8 Connection Servers, you must first deploy at least one local Identity Router and configure a separate RADIUS client in the RSA Access Service for each Horizon 8 Connection Server.

Procedure

1. Log in to the RSA Cloud Access service as  an administrator.
2. Browse to Authentication Clients > RADIUS.

3. Click Add RADIUS Client and Profiles.

4. Enter the Name, IP Address and Shared Secret for the Horizon 8 Connection Server.
5. Click Save and Next Step

6. On the RADIUS Profiles page, click Finish.
7. Click Publish.

The RSA Cloud Authentication Service Configuration is complete.

Configure Omnissa Horizon 8 Connection Servers

Perform the steps in this section to configure Horizon 8 Connection Servers as RADIUS clients tothe RSA Cloud Authentication Service

Configuration Overview

Horizon 8 is normally implemented on multiple Connection Servers to provide high availability and to meet scalability requirements. Each Horizon 8 Connection Server is individually configured for RSA SecurID authentication. It is possible to have some Horizon 8 Connection Servers in a Horizon Pod enabled for RSA SecurID authentication and to have others disabled.

If RSA SecurID is not enabled on a specific Connection Server, users connecting through that server will be authenticated using just Microsoft Active Directory credentials (username, password, and domain name). If RSA SecurID is enabled on a specific Horizon 8 Connection Server, then users of the server are required to supply their RSA SecurID username and passcode first. If they are not authenticated at this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and are then required to enter their Active Directory credentials.

If Horizon 8 provides services to users coming from untrusted or public networks such as the Internet, consider using Omnissa Unified Access Gateways (UAG) configured for RSA SecurID in front of Horizon 8 Connection Servers. This scenario can be used to force RSA SecurID authentication for users accessing the Horizon 8 environment remotely. See the Omnissa Horizon 8 documentation and the Omnissa Horizon 8 Unified Access Gateway (UAG) - RADIUS with CAS Configuration - RSA Ready SecurID Access Implementation Guide for additional information.

Procedure

1. Log in to the Horizon 8 Console using an administrator username and password.
2. From the Horizon 8 Console, expand Settings and select Servers. Locate the Horizon Connection Servers section at the top center of the page, select the appropriate Connection Server and click Edit.

3. Within the Edit Connection Server Settings window, locate and select the Authentication tab.
4. Under Advanced Authentication section, select RADIUS for the 2-factor authentication settings.
5. Under Advanced Authentication, use the Select Authenticator pulldown to select Create New Authenticator and if needed, click manage authenticators to configure the new RADIUS Host. 

6. In the Add RADIUS Authenticator window, provide an Authenticator Name, Description, Username Label and Passcode Label of the RADIUS Host.

Note: The “Username Label” and “Passcode Label” fields provide the end-user a hint to place their passcode in to the Horizon Client upon log in.

7. On the Primary Authentication Server page, provide Hostname or IP Address of the RSA Identity Router management interface and the Shared Secret as well as any other necessary fields. Click Next.

8. OPTIONAL: If a secondary RADIUS Authenticator exists, check the Use a secondary server if primary is unavailable check box and enter the details of the secondary RADIUS Host Otherwise skip this step.
9. Click OK button on Manage Authenticators.

10. From Authenticator drop-down menu, select the authenticator just added. Click OK.

11. Repeat step 10 for each Horizon 8 Connection Server you wish to enable for RSA SecurID.

Note: There is no need to restart the Horizon 8 Connection Servers after making these configuration changes.

The Horizon UAG Configuration is complete.