HOWTO: Secure VMware Horizon with Azure MFA through its NPS Extension
This week, one of my customers is switching to Azure multi-factor authentication as the only multi-factor authentication solution for their employees. As the organization leverages VMware Horizon, this implementation needs to be switched to Azure MFA as well.
Here's how we secured their VMware Horizon implementation with Azure MFA through the Azure MFA NPS Extension:
Why use multi-factor authentication for Horizon?
Organizations face multiple challenges, including (but not limited to):
- tackling current consumer cloud adoption problems
- adhering to privacy regulations
- achieving productivity
User cloud adoption problems
Today's cloud applications and services allow sign-ins with e-mail addresses, as it's currently the only truly global identifier for people. However, as cloud applications and services are breached, credential sets fall into the hands of malicious people. Through credential stuffing attacks, they try these leaked credentials against your organization's public-facing applications and services.
Privacy regulations
To adhere to privacy regulations, organizations deploy virtual desktop solutions to provide secure means to achieve productivity with the organization's sensitive data. There are many virtual desktop solutions on the market today, but VMware's Horizon product is a popular choice for organizations.
1 + 1 = ?
However, when a malicious person gains access to the 'secure' productivity platform of an organization through stuffed credentials, the organization has a big problem.
Multiple MFA methods
With Microsoft cloud services on the rise, another problem might also arise: disparate multi-factor authentication methods for users. It's counter-intuitive for people to have to use one multi-factor authentication method for one system or platform the organization uses, and another method for another. The hassle of keeping more than one method up to date for people who change phone numbers and/or phones yearly grows with each multi-factor authentication method added.
Note:
In my opinion, administrators should get used to multiple multi-factor authentication methods and solutions to avoid getting locked out by a single multi-factor authentication solution acting up.
Getting ready
Before following the steps below, make sure you meet the following prerequisites:
- Implement one or more additional Windows Server-based virtual machines to act as the Network Policy Server (NPS) server(s) for Horizon. Make sure they run Windows Server 2016 or up. Implement the server(s) on the same network as the Active Directory Domain Controllers.
- Provide network connectivity between the new NPS Server(s) and the Horizon implementation. Take care of any routes and firewall configurations. Horizon View's Connection Server(s) need access to the NPS Server(s) using UDP 1812 (RADIUS authentication) and UDP 1813 (RADIUS accounting).
- Provide network connectivity between the new NPS Server(s) and Azure Active Directory. The NPS Server(s) need TCP 80 and TCP 443 access to these addresses:
- https://adnotifications.windowsazure.com
- https://login.microsoftonline.com
- https://credentials.azure.com
- https://provisioningapi.microsoftonline.com
- https://aadcdn.msauth.net
- https://*.nuget.org
- https://nuget.cdn.azure.cn
- You need the credentials for an account in Active Directory that may join the NPS Server(s) to Active Directory.
- You need the credentials to sign in to the NPS Server with an account that has local administrator privileges.
- You need the credentials to sign in to the Horizon implementation with an account that has administrator privileges and access to Horizon Console.
- You need the credentials for an account in Azure Active Directory that has the Global Administrator role.
- Make sure all user accounts in Active Directory that will use Azure MFA with Horizon are synchronized to Azure Active Directory.
- Make sure all persons who will use Horizon with Azure MFA have completed their one-time registration for Azure Multi-factor Authentication and are assigned the Azure AD Premium P1 stand-alone subscription license or a license bundle that includes Azure AD Premium P1.
- Download the latest version of the NPS Extension for Azure MFA and place it on the disk of the NPS Server(s), so it's available for installation.
- Download the Visual C++ Redistributable Packages for Visual Studio 2013 (x64) and place it on the disk of the NPS Server(s), so it's available for installation.
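Before touching the Horizon configuration, it pays to verify the outbound connectivity prerequisite from each NPS Server, because a blocked endpoint only surfaces later as failed sign-ins. The following is an added example (not from the original post) that probes the listed Azure MFA endpoints on TCP 80 and TCP 443 with Test-NetConnection. The host list is the one from the prerequisites above; api.nuget.org stands in for the *.nuget.org wildcard and is an assumption.

```powershell
# Added pre-flight check, to run in an elevated PowerShell session on each NPS Server.
# Endpoints are those listed in the prerequisites; 'api.nuget.org' is an assumed
# concrete host for the '*.nuget.org' wildcard.
$Endpoints = @(
    'adnotifications.windowsazure.com',
    'login.microsoftonline.com',
    'credentials.azure.com',
    'provisioningapi.microsoftonline.com',
    'aadcdn.msauth.net',
    'api.nuget.org',
    'nuget.cdn.azure.cn'
)
$Ports = 80, 443

# Many Azure endpoints do not answer ICMP, so suppress the ping warning and only
# look at the TCP handshake result.
$Results = foreach ($Endpoint in $Endpoints) {
    foreach ($Port in $Ports) {
        $Test = Test-NetConnection -ComputerName $Endpoint -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint  = $Endpoint
            Port      = $Port
            Reachable = $Test.TcpTestSucceeded
            RemoteIP  = $Test.RemoteAddress
        }
    }
}

$Results | Format-Table -AutoSize

$Failed = $Results | Where-Object { -not $_.Reachable }
if ($Failed) {
    Write-Warning ("Unreachable: " + (($Failed | ForEach-Object { "$($_.Endpoint):$($_.Port)" }) -join ', '))
    Write-Warning "Fix routes and firewall rules before installing the NPS Extension."
} else {
    Write-Host "All Azure MFA endpoints reachable on TCP 80 and TCP 443."
}
```

RADIUS itself runs over UDP, which Test-NetConnection cannot probe; the UDP 1812/1813 path from the Connection Servers is verified by the first real sign-in attempt, or by a firewall rule review on both sides.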
How to get the Azure AD Tenant ID
The installation of the Azure MFA NPS Extension needs the Azure AD tenant ID as input. To get this ID, follow these steps:
- Open a web browser.
- Navigate to the Azure AD Portal.
- Sign in with an Azure AD account that has privileges to access the Azure AD information.
As one of the prerequisites is the credentials of an Azure AD account with Global Administrator privileges, you can use that account, but you may opt to use a lesser-privileged Azure AD account.
- Perform multi-factor authentication, when prompted.
- In the left navigation pane, click on Azure Active Directory.
- In Azure Active Directory's navigation pane, click on Properties.
- Copy the value from the Tenant ID field.
- Close the web browser.
How to install the NPS Server
Follow these steps to install the NPS Server with the required components:
- Sign in to the NPS Server with local administrator privileges.
- Start an elevated Windows PowerShell session and issue the following lines of Windows PowerShell to join the Windows Server installation to Active Directory:
- Add-Computer -DomainName "nlan.local"
- Restart-Computer
- After the Windows Server installation reboots, sign in with an Active Directory account that provides local administrator privileges on the NPS Server.
- Start an elevated Windows PowerShell session.
- Run the following line of Windows PowerShell to install the Network Policy and Access Services (NPAS) role:
- Install-WindowsFeature NPAS -IncludeManagementTools
- Run the following line of Windows PowerShell to install the AzureAD PowerShell module. Follow the on-screen instructions.
- Install-Module AzureAD
- Run the Visual C++ Redistributable Package for Visual Studio 2013 to install it. Follow the on-screen instructions.
- Run setup.exe from the NPS Extension for Azure MFA to install it. Follow the on-screen instructions.
- Run the following lines of Windows PowerShell to configure the Azure MFA NPS Extension:
- cd "C:\Program Files\Microsoft\AzureMfa\Config"
- .\AzureMfaNpsExtnConfigSetup.ps1
- When prompted, sign in with the Azure AD account with Global Administrator privileges.
- Paste the Azure AD tenant ID.
- Close the PowerShell window.
Repeat the above steps on the second NPS Server.
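Because the steps above have to be repeated on every NPS Server, here they are as one script. This is an added example, not code from the original post or from Microsoft. It also reads the tenant ID from the tenant you sign in to with the AzureAD module, which replaces copying it from the portal. Assumptions: the domain name nlan.local from the post, installer files staged under C:\Install (a path chosen for this example), and the file names vcredist_x64.exe and setup.exe for the two installers.

```powershell
# Added example: NPS Server preparation in two phases. Run in an elevated session.
#   .\Prepare-NpsServer.ps1 -Phase Join      # joins the domain and reboots
#   .\Prepare-NpsServer.ps1                  # after signing back in: role, module, extension
# Assumed: domain 'nlan.local' (from the post), installers staged in C:\Install.
param(
    [ValidateSet('Join', 'Install')]
    [string] $Phase = 'Install',
    [string] $DomainName = 'nlan.local',
    [string] $StagingDir = 'C:\Install'
)

$ErrorActionPreference = 'Stop'

if ($Phase -eq 'Join') {
    # Prompts for the AD account that may join computers to the domain, then reboots.
    $JoinCred = Get-Credential -Message "Account allowed to join $DomainName"
    Add-Computer -DomainName $DomainName -Credential $JoinCred
    Restart-Computer -Force
    return
}

# Phase 2: refuse to continue on a server that is not domain-joined, since the NPS
# Server must be registered in AD later on.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw "This server is not domain-joined. Run the script with -Phase Join first."
}

# Network Policy and Access Services role, including the NPS management console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# The role registers its own inbound firewall rules; list them so a missing
# UDP 1812/1813 rule is noticed now rather than at the first Horizon sign-in.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

# Visual C++ 2013 x64 runtime, required by the NPS Extension (documented silent switches).
Start-Process -FilePath (Join-Path $StagingDir 'vcredist_x64.exe') `
    -ArgumentList '/install', '/quiet', '/norestart' -Wait

# NPS Extension for Azure MFA; its installer is interactive, so wait for it to finish.
Start-Process -FilePath (Join-Path $StagingDir 'setup.exe') -Wait

# AzureAD module from the PowerShell Gallery. The NuGet provider is bootstrapped first
# so that a fresh Windows Server 2016 does not stop at the provider prompt.
Install-PackageProvider -Name NuGet -Force | Out-Null
Install-Module -Name AzureAD -Scope AllUsers -Force

# Sign in as the Global Administrator and read the tenant ID of that tenant; this is
# the value the configuration script asks you to paste.
Connect-AzureAD | Out-Null
$TenantId = (Get-AzureADTenantDetail).ObjectId
Write-Host "Azure AD tenant ID (paste when prompted): $TenantId"

# The extension's own configuration script: it prompts for the Global Administrator
# sign-in and for the tenant ID, then creates the certificate and service principal.
Set-Location -Path 'C:\Program Files\Microsoft\AzureMfa\Config'
.\AzureMfaNpsExtnConfigSetup.ps1
```

The domain join is kept as a separate phase on purpose: Add-Computer takes effect only after the reboot, and the later steps need the computer account to exist before the server is registered in Active Directory.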
How to configure the NPS Server
Follow these steps to configure the NPS Server settings:
- Now, open the Network Policy Server management console from either Server Manager's Tools menu, or the Administrative Tools folder in the Start Menu.
- Right-click the NPS (Local) node in the top left corner of the navigation pane and click the Register server in Active Directory menu item.
- Next, right-click the RADIUS Clients node in the navigation pane. Click New.
The New RADIUS Client window appears.
- Make these changes:
- Select the Enable this RADIUS client option.
- Specify a meaningful value in the Friendly name: field.
- Enter the IP address or fully qualified domain name of the Horizon View Connection Server you want to configure with Azure MFA in the Address (IP or DNS): field.
- Specify a shared secret in the Shared secret: and Confirm shared secret: fields. The shared secret authenticates the RADIUS messages exchanged between the Horizon Connection Server and the NPS Server and hides the password attribute in them; it does not encrypt the rest of the traffic, so use a long, random value and a different one per RADIUS client.
- Click OK.
- Create RADIUS clients for each Horizon Connection Server you want to configure.
- Next, right-click the Network Policies node in the navigation pane.
- Duplicate the default Connections to other access servers network policy.
- Assign priority 1.
- Make two changes in the duplicated network policy:
- Check the Policy enabled option in the Policy State area.
- Select the Grant access. Grant access if the connection request matches this policy option in the Access Permission area.
- Save the network policy by clicking OK.
- Close the Network Policy Server management console.
- Sign out.
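The RADIUS client part of the procedure above can be done from PowerShell with the NPS module, which also lets you generate the shared secrets instead of typing them, and export the finished configuration so the second NPS Server imports it instead of being clicked through again. This is an added example, not from the original post; the Connection Server host names are assumptions. The network policy step has no cmdlet in the NPS module, so it stays in the console and should be done before exporting.

```powershell
# Added example: register the NPS Server, create one RADIUS client per Horizon
# Connection Server with a generated shared secret, then export the NPS configuration.
# Host names are assumed for this example.
$ErrorActionPreference = 'Stop'

# Same as "Register server in Active Directory" in the console: adds the computer
# account to the "RAS and IAS Servers" group so NPS may read users' dial-in properties.
netsh ras add registeredserver | Out-Null

# Horizon Connection Servers that will send RADIUS requests (assumed names).
$ConnectionServers = 'hcs01.nlan.local', 'hcs02.nlan.local'

function New-RadiusSharedSecret {
    # 32 bytes from the OS CSPRNG, base64-encoded to 44 printable characters. This
    # is the value to paste into Horizon's "Shared Secret" field for this client.
    param([int] $ByteCount = 32)
    $Buffer = New-Object byte[] $ByteCount
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $Rng.GetBytes($Buffer) } finally { $Rng.Dispose() }
    [Convert]::ToBase64String($Buffer)
}

$Secrets = @{}
foreach ($Server in $ConnectionServers) {
    $Secret = New-RadiusSharedSecret
    $Secrets[$Server] = $Secret
    # Friendly name, address (FQDN or IP) and shared secret: the three fields of the
    # New RADIUS Client dialog. New clients are enabled unless -Disabled is given.
    New-NpsRadiusClient -Name $Server -Address $Server -SharedSecret $Secret | Out-Null
}

# Review what was created. The secrets are printed once only; store them in the
# password vault before closing the session, as they are needed in Horizon Console.
Get-NpsRadiusClient | Format-Table Name, Address -AutoSize
$Secrets.GetEnumerator() | ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value }

# Export clients, network policies and shared secrets as XML. Copy the file to the
# second NPS Server and run Import-NpsConfiguration -Path there, so both servers present
# identical clients and policies to Horizon. The export holds the secrets in clear text,
# so restrict access to it and delete it once imported.
Export-NpsConfiguration -Path 'C:\Install\nps-config.xml'
```

Using one shared secret per Connection Server means a leaked secret for one server cannot be used to impersonate the other, at the cost of keeping two values in the vault; the export/import keeps both NPS Servers in lockstep, which matters because Horizon fails over to the secondary authentication server with the same client configuration.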
How to configure VMware Horizon
On the Horizon Connection Server(s), configure the following settings:
- Open Horizon Administrator.
- Navigate to View Configuration, then to Servers.
- On the Connection Servers tab, select a server instance to (re)configure.
- Click Edit.
- Click on the Authentication tab.
- In the Advanced Authentication section, select RADIUS from the drop-down list for the 2-factor authentication value.
- Enable the option Enforce 2-factor and Windows user name matching.
- Enable the option Use the same user name and password for RADIUS and Windows authentication.
- Click the Manage Authenticators… button.
The Manage Authenticators screen appears.
- Click the Add or Edit button in the Manage Authenticators screen.
The Edit RADIUS Authenticator modal screen appears.
- On the Primary Authentication Server tab, specify the following settings:
- Specify the hostname or IP address of the NPS Server.
- For the Authentication type:, specify MSCHAP2. Note that with MSCHAP2 the Azure MFA NPS Extension can only complete the second factor through a phone call or an Authenticator app notification; verification codes (OTP) are only supported with PAP.
- Paste the RADIUS shared secret as the Shared Secret: value.
- For the Server timeout: value, specify 10 seconds. The timeout has to cover the time a user needs to answer the call or approve the notification, so raise it if users report sign-in failures while they are still approving.
- For the Max attempts: value, specify 1.
- To specify a second NPS Server with the Azure MFA NPS Extension installed, repeat the steps on the Secondary Authentication Server tab.
- Click OK.
- Close Horizon Console.
Concluding
The Azure MFA NPS Extension proves to be a first-class way to provide multi-factor authentication to VMware Horizon implementations. With it in place, leaked passwords alone are no longer enough for a credential stuffing attack to reach the sensitive data handled in Horizon implementations.
Further reading
Download the NPS Extension for Azure MFA
Configure Firewalls for RADIUS Traffic
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Enable 2-Factor Authentication in Horizon Administrator
Source: https://dirteam.com/sander/2020/05/20/howto-secure-vmware-horizon-with-azure-mfa-through-its-nps-extension/