Omnissa Horizon 8 Unified Access Gateway (UAG) - RADIUS with CAS Configuration - RSA Ready Access Implementation Guide
Originally Published: 2022-06-03

This section describes how to integrate Omnissa Horizon 8 with RSA Cloud Authentication Service using RADIUS.

Architecture Diagram

Before You Begin

This document provides instructions for configuring Omnissa Horizon 8 & Unified Access Gateways for RSA SecurID Authentication as a RADIUS client. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this document. Administrators should review the product documentation for all products involved prior to installing the required components.

All RSA Cloud Authentication Service & Horizon 8 components must be installed and working prior to the integration. Directory services integration and/or local RSA user account management are beyond the scope of this document; however, these configurations are a prerequisite to performing the steps in this document. Perform any necessary tests to confirm that all required components are working properly before proceeding.

 

Configure RSA Cloud Authentication Service

Perform the steps in this section to configure the RSA Cloud Authentication Service for Omnissa Horizon 8 & Unified Access Gateways using RADIUS.

Configuration Overview

To configure RADIUS with RSA Cloud Authentication Service for Horizon 8 & Unified Access Gateways, you must first deploy at least one local Identity Router and configure a separate RADIUS client in the RSA Cloud Authentication Service for each Unified Access Gateway.

Procedure

  1. Log in to the RSA Cloud Authentication Service as an administrator.
  2. Browse to Authentication Clients > RADIUS.
  3. Click Add RADIUS Client and Profiles.
  4. Enter the Name, IP Address and Shared Secret (max 64 characters) for the Unified Access Gateway.
  5. Click Save and Next Step.
  6. On the RADIUS Profiles page, click Finish.
  7. Click Publish.

The RSA Cloud Authentication Service Configuration is complete.
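
The following added example (not RSA or Omnissa code) generates a shared secret within the 64-character limit and checks a planned set of per-UAG RADIUS client records before they are entered on both sides. The client names, the sample addresses, the 32-character minimum, the alphanumeric alphabet and the one-secret-per-UAG rule are assumptions of this example, not values from either product.

```python
import ipaddress
import secrets
import string
from collections import Counter

MAX_SECRET_LEN = 64  # limit stated in this guide for the UAG shared secret
MIN_SECRET_LEN = 32  # assumption: local policy floor, not an RSA or Omnissa value
ALPHABET = string.ascii_letters + string.digits  # assumption: avoids characters a UI might reject

def new_shared_secret(length=MAX_SECRET_LEN):
    """Return a random secret from the OS CSPRNG, never longer than 64 characters."""
    if not MIN_SECRET_LEN <= length <= MAX_SECRET_LEN:
        raise ValueError(f"length must be {MIN_SECRET_LEN}..{MAX_SECRET_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def check_clients(clients):
    """Return (client name, problem) pairs for a list of planned RADIUS client records."""
    findings = []
    secret_use = Counter(c["secret"] for c in clients)
    ip_use = Counter(c["ip"] for c in clients)
    for c in clients:
        name, ip, secret = c["name"], c["ip"], c["secret"]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, "IP address does not parse"))
        if ip_use[ip] > 1:
            findings.append((name, "IP address shared with another client"))
        if len(secret) > MAX_SECRET_LEN:
            findings.append((name, "shared secret longer than 64 characters"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "shared secret shorter than local minimum"))
        if secret_use[secret] > 1:
            findings.append((name, "shared secret reused across UAGs"))
    return findings

# Constructed sample plan: two UAGs given the same weak secret, one generated correctly.
PLAN = [
    {"name": "uag-01", "ip": "192.0.2.11", "secret": "Horizon2022"},
    {"name": "uag-02", "ip": "192.0.2.12", "secret": "Horizon2022"},
    {"name": "uag-03", "ip": "192.0.2.13", "secret": new_shared_secret()},
]

if __name__ == "__main__":
    for name, problem in check_clients(PLAN):
        print(f"{name}: {problem}")
```

The same secret value is entered again on the matching UAG's RADIUS configuration page, so keep it in a secrets manager rather than in the plan file.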

 

Configure Omnissa Horizon 8 & Unified Access Gateway

Perform the steps in this section to configure Horizon 8 & Omnissa Unified Access Gateway as a RADIUS client to the RSA Cloud Authentication Service.

Configuration Overview

When servicing users located on untrusted networks, Horizon 8 is normally implemented with multiple Unified Access Gateways in addition to multiple Horizon Connection Servers to provide high availability and to meet scalability requirements. Each Unified Access Gateway is individually configured for RSA SecurID authentication. It is possible to have some Unified Access Gateways in a Horizon Pod enabled for RSA SecurID authentication and to have others disabled.


If RSA SecurID is not enabled on a specific Unified Access Gateway, users connecting through that UAG will be authenticated using just Microsoft Active Directory credentials (username, password, and domain name). If RSA SecurID is enabled on a specific Unified Access Gateway, then users of that UAG are required to supply their RSA SecurID username and passcode first. If they are not authenticated at this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and are then required to enter their Active Directory credentials.


While requirements vary between organizations and use cases, users are usually only required by security policy to enter their RSA SecurID passcode once during the authentication process. If RADIUS authentication is configured on both the UAG and the Horizon connection server being used to authenticate a user, that user will be prompted twice for their RSA SecurID passcode. To prevent multiple passcode prompts, RADIUS authentication should only be configured on the UAGs, not the Horizon Connection Servers servicing user logins via UAGs. This document will follow the most common, single passcode configuration with RADIUS configured on the UAG.
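
The placement rules above can be checked against an inventory of UAGs and Connection Servers, as in this added example (not Omnissa or RSA code). The inventory format, the host names and the mapping of each UAG to named Connection Servers are hypothetical; any 2-factor value other than Disabled is treated as enabled.

```python
# Constructed inventory (hypothetical format): the 2-factor setting of each
# Connection Server, and which Connection Servers each UAG forwards logins to.
SERVERS = {"cs-01": "Disabled", "cs-02": "RADIUS"}
UAGS = [
    {"name": "uag-01", "radius_enabled": True, "connection_servers": ["cs-01"]},
    {"name": "uag-02", "radius_enabled": True, "connection_servers": ["cs-02"]},
    {"name": "uag-03", "radius_enabled": False, "connection_servers": ["cs-01"]},
]

def passcode_prompts(uag_radius_enabled, cs_two_factor):
    """Count the RSA SecurID prompts on one UAG -> Connection Server path."""
    return int(uag_radius_enabled) + int(cs_two_factor != "Disabled")

def audit_paths(uags, servers):
    """Return (path, finding) pairs for every path that deviates from the
    single-passcode layout: RADIUS on the UAG, 2-factor Disabled behind it."""
    findings = []
    for uag in uags:
        for cs_name in uag["connection_servers"]:
            path = f'{uag["name"]} -> {cs_name}'
            if cs_name not in servers:
                findings.append((path, "Connection Server missing from inventory"))
                continue
            prompts = passcode_prompts(uag["radius_enabled"], servers[cs_name])
            if prompts == 0:
                findings.append((path, "Active Directory credentials only, no passcode"))
            elif prompts == 2:
                findings.append((path, "passcode prompted twice"))
            elif not uag["radius_enabled"]:
                findings.append((path, "passcode enforced on Connection Server, not UAG"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_paths(UAGS, SERVERS):
        print(f"{path}: {finding}")
```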


There are multiple methods available to configure Omnissa Unified Access Gateways. The following steps to configure individual Omnissa Unified Access Gateways for RADIUS and SecurID Access authentication are carried out using the built-in graphical user interface within each UAG. Please see the Omnissa Horizon 8 documentation for details on Omnissa-provided PowerShell scripts for UAG mass-deployment and automation options.


Procedure

  1. Log in to the Horizon 8 Console using an administrator username and password.
  2. From the Horizon 8 Console, expand Settings and select Servers. Locate the Horizon Connection Servers section at the top center of the page, select the appropriate Connection Server and click Edit.
  3. Within the Edit Connection Server Settings window, locate and select the Authentication tab.
  4. Under the Advanced Authentication section, verify that Disabled has been selected for the 2-factor authentication setting.
  5. Repeat steps 1-4 on any additional Horizon Connection Servers servicing user logins via UAGs.
  6. Using your web browser, log in to the Omnissa Unified Access Gateway Admin Console (usually on TCP port 9443) using the admin username and password.
  7. Click SELECT under Configure Manually.
  8. At the top of the page under General Settings, toggle the Authentication Settings slider to the ON position.
  9. Under Authentication Settings, click the cogwheel to the right of RADIUS.
  10. At the top of the RADIUS configuration page, toggle Enable RADIUS to ON.
  11. Enter the Hostname or IP Address of the RSA Identity Router management interface and the Shared Secret (max 64 characters for UAG) previously used to create the RADIUS client in the RSA Cloud Authentication Service console, as well as any other necessary fields.

Note: If a DNS name is used for the RADIUS server, the UAG must be able to resolve the address using either host entries or a DNS server. See the Omnissa-provided UAG documentation for more information.

  12. Click the More link at the bottom of the page to expose additional settings.
  13. In the login page passphrase hint, enter an intuitive text string that will display on the Horizon Client to alert users to enter their RSA SecurID passcode.
  14. Click SAVE.
  15. At the top of the page under General Settings, toggle the Edge Service Settings slider to the ON position.
  16. Under Edge Service Settings, click the cogwheel to the right of Horizon Settings.
  17. Click the More link at the bottom of the page to expose additional settings.
  18. Locate the Auth Methods pulldown and select RADIUS.
  19. Click SAVE.

Note: There is no need to restart the UAG or Horizon 8 Connection Server after making these configuration changes.

The Horizon UAG Configuration is complete.