Securing external connections to your VMware Horizon environment is not always easy. However, you might already have all the tools necessary to allow external users to access your VMware Horizon environment in a secure way, by which I mean, using multi-factor authentication.
If you have:
- A VMware Horizon environment using Unified Access Gateway for external access
- A MS 365 or Office 365 subscription
- AzureAD synced with on-premises AD
- MFA set up for your AzureAD users
then you are good to go.
What we will accomplish is this: external users connect to the Unified Access Gateway. The UAG uses SAML to authenticate the user against Azure AD (which is synced with the local AD) and then forwards the user to the Connection Server, which shows the desktops and published applications available to that user. Because the SAML authentication does not return the user’s password to the UAG, the UAG has no credentials to pass on for the desktop logon; we therefore need to set up Horizon TrueSSO, using an enrollment server and a certificate authority, to give the user a single sign-on experience.
You will need the following components before starting:
- Correctly configured and working Horizon environment
- Configured Unified Access Gateway with Horizon, without third-party identity providers or RADIUS/RSA configured
- Microsoft Certification Authority server
- Two Windows servers, AD joined (one is also ok if you don’t want to use high availability for TrueSSO).
We will set up two VMware Horizon enrollment servers, each with a local sub-CA installed on it. Then we will configure TrueSSO to use both servers to issue certificates for users who log on via the UAG and are authenticated by AzureAD. Admittedly, the whole setup might seem complicated, and it does involve a lot of steps and running manual commands. But if you follow all the steps in the following posts, you should be good to go!
I’ve created this tutorial based on a lot of other posts I’ve found on the Internet and combined this with my experiences of setting it up both in my home lab and for customers.
As this has become a rather large post, I’ve split up the different steps into multiple posts which you can find here:
- Part 1: Setup sub-CA(s)
- Part 2: Certificate Template
- Part 3: Enrollment Servers
- Part 4: SAML Setup
- Part 5: True SSO Setup
When you follow all the parts you will end up with external access to your Horizon environment, secured by authenticating your users using AzureAD and multifactor authentication.
I was able to create this setup with the help of the following websites and blog posts, but I also encountered some issues that were not touched on in those blogs. With these posts I hope to help others get this setup running smoothly!
CA Setup: Set Up an Enterprise Certificate Authority (vmware.com)
Sub-CA Setup: Setup Server 2019 Enterprise CA 3/5: Subordinate CA – VMLabBlog.com
SAML Setup: Enabling SAML authentication for Horizon with Unified Access Gateway and Azure AD – IVANDEMES
TrueSSO Setup: Setting Up True SSO (vmware.com)
Enrollment server with local install CA: MiniKB: TrueSSO – Enrollment Server unable to connect to CA: The authentication service is unknown – Roch’s Brain Backup Blog (digitalworkspace.blog)