Setting Up Two-Factor Authentication with Universal Broker

Overview

The Universal Broker is a component of the Horizon Cloud Connection Server that acts as an intermediary to handle interactions between end users and their resources. After users have been authenticated, and have made a resource selection, the Universal Broker matches the users to the best resources available.

Universal Broker works in conjunction with multi-cloud assignments to allow users to leverage the best infrastructure location across multiple Horizon pods. The combination of Multi-cloud Assignments and Universal Broker means that the end-user sees one icon representing their entitlement, while the Universal Broker delivers the best match for the user.

This guide provides resources about the Universal Broker and Multi-Cloud Assignments. These resources include tips for configuring multi-cloud assignments in Horizon 7, Horizon 8 and Horizon Cloud on Microsoft Azure environments with Universal Broker, as well as implementing two-factor authentication.

Purpose of This Tutorial

This guide presents a focused list of tips and resources about how to set up and use Universal Broker with two-factor authentication, leveraging Multi-Cloud Assignments. It also identifies where to find help with connecting to Horizon Service, setting up multi-cloud entitlements, configuring separate authentication paths for internal and external users, and setting up two-factor authentication.

Audience

This tutorial is intended for IT administrators and product evaluators who are familiar with VMware vSphere and VMware vCenter Server. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, directory services, and other infrastructure services is assumed. Knowledge of other technologies, such as VMware Horizon, Horizon Cloud on Microsoft Azure and Universal Broker, is also helpful.

Understanding Universal Broker

The Horizon Universal Broker is a cloud-based brokering technology that allows you to broker desktops and applications to end users across all cloud-connected Horizon pods, regardless of the infrastructure that they run on.

The Universal Broker simplifies hybrid Horizon deployments with a few key features.

  • A single connection FQDN (Fully Qualified Domain Name) for all remote resources. Users can connect to a single FQDN to access any assignment in any Horizon pod.
  • The Universal Broker provides connectivity awareness of Horizon pods, which allows for redirection of requests for resources from an unavailable pod to another pod with sufficient resources to handle the request.
  • Smart Brokering functionality can deliver desktops from multi-cloud assignments to end users along the shortest network route.

The Universal Broker is aware of geographical locality and pod topology. Using this information, the Universal Broker can make better resource-matching decisions and deliver desktops from multi-cloud assignments to end users along the shortest network route.

For more details, see Horizon Universal Broker in Horizon Control Plane Services Architecture.

Setting up Universal Broker

To set up separate authentication configurations for internal and external users with Universal Broker, you must first set up the Universal Broker and connect to Horizon Cloud Services, then configure Universal Broker with either Horizon 7, Horizon 8, or Horizon Cloud Services on Microsoft Azure, and finally, set up multi-cloud entitlements in the above environments. The following sections provide tips and resources to help you get this done.

Connecting to Horizon Service and Domain Join

Before you can set up separate authentication configurations with Universal Broker, you must first connect to Horizon Cloud Services and join the domain.

To use Universal Broker, you must use the Horizon Service.

If you are using Horizon Cloud on Microsoft Azure only, then you are automatically using the Horizon Service.

For Horizon 7 or Horizon 8 pods, review the following topics in the Getting Started with VMware Horizon Service guide:

  • Adding a Cloud Connector to Horizon 8 Pod
  • First Login to Horizon Service
  • Adding a Pod to Horizon Service
  • Domain Join

Configuring Universal Broker with Horizon

After connecting to Horizon Cloud Services and completing the domain join, you can configure Universal Broker with Horizon 7, Horizon 8, Horizon Cloud Services on Microsoft Azure, or a combination of these. At that point, you also need to set up Universal Broker in the Horizon Console. The following sub-sections provide tips and resources for Horizon 7 and Horizon 8 environments, for Horizon Cloud Services on Microsoft Azure environments, and for environments that combine both.

For an overview of Universal Broker and how it works, see Horizon Control Plane Services Architecture.

Configuring Universal Broker with Horizon 7 or Horizon 8

This section provides tips and resources for environments containing Horizon 7 or Horizon 8.

To use Universal Broker with Horizon in an SDDC capacity or in a private datacenter, you first need to have the pods configured to use the Horizon Service. For Horizon deployments in an SDDC-based infrastructure or a private datacenter (running vSphere), you need to set up and configure a Horizon Connector Appliance. Each pod using Universal Broker must be managed. The Horizon Service and Universal Broker both use the Horizon Connector to communicate with each managed pod to match users to entitlements, and to monitor capacity and availability of each pod.

You must also install the Universal Broker plugin that runs within the Connection Server for every cloud-connected pod that participates in multi-cloud assignments. You must download and install the plugin on each Connection Server instance within a participating pod, as described in Horizon Pods - Install the Universal Broker Plugin on the Connection Server.

For details about connecting a Horizon pod to the Horizon Service, see Horizon Service Journey.

Configuring Universal Broker with Horizon Cloud on Microsoft Azure

This section provides tips and resources for environments containing Horizon Cloud Services on Microsoft Azure.

If you are using Horizon Cloud Services on Microsoft Azure pods, you do not need to deploy any other components. All Horizon Cloud Services on Microsoft Azure pods are automatically connected to the Horizon Service and are manageable through the Horizon Universal Console. The Horizon Service already has visibility into each Horizon Cloud Services on Microsoft Azure pod to look up user entitlements, and to monitor the capacity and availability of each pod.

For more details about the architecture of Universal Broker, see System Architecture and Components of Universal Broker.

Regardless of the platform type that each pod is running on, you need to have a Unified Access Gateway deployed, and a public IP that the Universal Broker will direct users to, once the Universal Broker has identified the best pod to service the user’s resource request.

For a detailed explanation of the architecture of Universal Broker and how it connects to Horizon and Horizon Cloud Services on Microsoft Azure pods, see System Architecture and Components of Universal Broker.

Setting up Universal Broker from the Horizon Universal Console

For a complete set of prerequisites and instructions for setting up and configuring Universal Broker, see Setting Up a Broker in the Horizon Service documentation.

For a demonstration of a Universal Broker configuration, see Horizon Universal Broker Basic Setup.

Setting up Multi-Cloud Entitlements with Universal Broker

After configuring Universal Broker with either Horizon 7, Horizon 8, or Horizon Cloud Services on Microsoft Azure, you are equipped to set up multi-cloud entitlements in the above environments.

Multi-cloud entitlements are a feature in Horizon Service that allow you to entitle users to resources across multiple pods residing on the same infrastructure type.

For example, you can set up an entitlement for users to leverage resources from multiple Horizon 7 or Horizon 8 pods. However, you cannot currently entitle users for cross-platform entitlements combining Horizon 7 or Horizon 8 and Horizon Cloud on Microsoft Azure pods in a single entitlement.

Multi-cloud assignments do not require multiple pods. In fact, you can set up a multi-cloud assignment to leverage just a single pod for capacity.

Setting up multi-cloud assignments with Horizon 7 or Horizon 8

This section provides tips and resources for environments containing Horizon 7 or Horizon 8.

You can set up multi-cloud assignments with Horizon in SDDC infrastructures or private datacenters. To provide end users with virtual desktops provisioned by cloud-connected Horizon pods, you create a multi-cloud assignment. The desktop pools in an assignment can span one or more cloud-connected Horizon pods that are in a managed state.

For a brief demo showing how to create a multi-cloud assignment that spans two Horizon Pods, see Multi-Cloud-Assignment - Basic.

For step-by-step instructions showing how to create multi-cloud assignments, see Horizon Pods - Create a Multi-Cloud Assignment of VDI Desktops.

Setting up multi-cloud assignments with Horizon Cloud on Microsoft Azure

This section provides tips and resources for environments containing Horizon Cloud Services on Microsoft Azure.

Once Universal Broker is enabled for your Horizon Service account, all Horizon Cloud Services on Microsoft Azure pods can create multi-cloud assignments that leverage capacity from multiple Horizon Cloud Services on Microsoft Azure pods.

For detailed instructions showing how to create multi-cloud assignments with Horizon Cloud Services on Microsoft Azure, see Horizon Cloud Pods in Microsoft Azure - Create a VDI Multi-Cloud Assignment in Your Horizon Cloud Tenant Environment.

Configuring Two-Factor Authentication with Universal Broker

After setting up multi-cloud entitlements in either Horizon 7, Horizon 8, or Horizon Cloud Services on Microsoft Azure environments, you are equipped to configure two-factor authentication.

You can configure two types of two-factor authentication with Universal Broker: RADIUS and RSA SecurID. If you configure Universal Broker to use two-factor authentication, you must enable it for all pods. Furthermore, all pods must be configured identically.

To use two-factor authentication for RADIUS, you must configure multiple components within your environment, depending on the types of Horizon pods that you have in your Horizon Service environment.

Configuring Horizon Cloud Service

For any two-factor authentication configuration to work with Universal Broker, it is imperative that you configure each external-facing component to use two-factor authentication, regardless of whether you want all users to be prompted for it or not.

Some organizations do not want to force users to use two-factor authentication mechanisms if they are connecting from a private or trusted network. For those users, there is a configuration item in Universal Broker to allow you to specify network ranges that are intended to service internal or trusted users if you do not wish to have those users use two-factor authentication.

All external-facing Unified Access Gateways should be configured to use two-factor authentication according to the instructions found in Configuring RADIUS for Unified Access Gateway in the Unified Access Gateway product documentation.

For example, if you want to use RADIUS authentication, you must configure the RADIUS service on each external Unified Access Gateway instance across all participating Horizon pods, as well as pods in Microsoft Azure.

Warning: Do not delete any Unified Access Gateway instances within the participating pods. Since Universal Broker relies on Unified Access Gateway for the protocol traffic between Horizon Client and virtual resources, users cannot access provisioned resources from a participating pod if you delete the Unified Access Gateway instance on that pod.

Configuring Two-Factor Authentication in Horizon Cloud on Microsoft Azure Environments

This section provides tips and resources for environments containing Horizon Cloud Services on Microsoft Azure.

Configuring two-factor authentication with Horizon Cloud on Microsoft Azure pods is straightforward. All configuration is done through the Universal Broker setup UI, which automatically configures the Unified Access Gateways in each Horizon Cloud on Microsoft Azure pod correctly. All of the instructions can be found in Best Practices When Implementing Two-Factor Authentication in a Universal Broker Environment.

Note: You can skip step 3 in the instructions, as this step applies only to Horizon in a private datacenter or SDDC infrastructure.

Configuring Two-Factor Authentication in Horizon 7 or Horizon 8 Environments

This section provides tips and resources for environments containing Horizon 7 or Horizon 8.

To use two-factor authentication for Universal Broker, you must first configure the appropriate authentication service on each external Unified Access Gateway instance within every participating pod. The configurations of external Unified Access Gateway instances must be identical within and across participating pods.

Follow the deployment and configuration instructions for Unified Access Gateway with Horizon in a Private Data Center that apply to your environment in Deploying and Configuring the VMware Unified Access Gateway.

You need to configure the authentication method rule and other advanced settings in the Advanced Edge Services configuration, which you can find in the Configure Horizon Settings document.

In Figure 1 below, you can see an example of the checklist of settings required to configure the authentication method:

Figure 1: Configuring Horizon Settings

To configure Universal Broker to use RADIUS or RSA SecurID, follow the instructions in Best Practices When Implementing Two-Factor Authentication in a Universal Broker Environment.

Ignore When Setting Up Two-Factor Authentication

The Horizon documentation provides instructions for implementing two-factor authentication with Horizon. However, those procedures do not apply when using Universal Broker. If you are trying to set up two-factor authentication with Universal Broker in a Horizon 7 or Horizon 8 environment, then ignore the workflows outlined in the following documents:

Configuring Different Authentication Methods for Internal and External Users

At this point, you have finished setting up the Universal Broker and connecting to Horizon Services, then configuring Universal Broker with either Horizon 7, Horizon 8, or Horizon Cloud Services on Microsoft Azure, and setting up multi-cloud entitlements in the above environments. You are now equipped to configure separate authentication methods for internal and external users.

If you do not want your internal users to be forced to use two-factor authentication when they log in to Horizon, you can define a network range in the Network Ranges tab of the Universal Broker settings pages.

Find out which source addresses Universal Broker actually sees for traffic originating inside your organization. Typically these are the egress NAT addresses of your edge firewall or router, not the private addresses of the client machines, because Universal Broker sees the NAT address as the originator of all traffic coming from inside your organization. Those are the addresses to enter as the internal network range.
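The following Python snippet is an added illustration of the network-range exemption described above; it is not code from this guide or from VMware, and it does not model the actual Universal Broker implementation. It assumes constructed placeholder ranges (203.0.113.10/32 and 198.51.100.0/29 standing in for an organization's egress NAT addresses) and shows how the decision behaves when the broker evaluates the source address it observes, as well as why entering a private LAN range such as 10.0.0.0/8 never matches in practice.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the entries an administrator would put in the
# Universal Broker "Network Ranges" tab. They are the public egress NAT
# addresses of the organization's edge devices (placeholder values), because
# a cloud-hosted broker sees those, not the private LAN addresses, as the
# source of internal traffic.
SAMPLE_TRUSTED_RANGES = [
    "203.0.113.10/32",   # HQ edge firewall egress NAT (placeholder)
    "198.51.100.0/29",   # branch office egress NAT pool (placeholder)
]

# Constructed sample of a common mistake: entering the private LAN range,
# which the broker will never observe as a source address.
SAMPLE_MISTAKEN_RANGES = ["10.0.0.0/8"]

# Address space that is not globally routable and therefore cannot appear
# as the source of traffic reaching a broker outside the organization.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


def parse_ranges(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR or single-address entries as the admin would type them."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_internal(observed_source_ip: str, ranges: Iterable[IPNetwork]) -> bool:
    """True when the source address the broker sees lies in a trusted range."""
    addr = ipaddress.ip_address(observed_source_ip)
    return any(addr in net for net in ranges)


def two_factor_required(observed_source_ip: str, ranges: Iterable[IPNetwork]) -> bool:
    """Policy from the guide: every user is challenged with the configured
    second factor (RADIUS or RSA SecurID) unless the traffic arrives from a
    configured internal range."""
    return not is_internal(observed_source_ip, ranges)


def ineffective_ranges(ranges: Iterable[IPNetwork]) -> List[str]:
    """Flag configured ranges that the broker can never match because they
    lie in non-routable space; with such an entry every user, including
    internal ones, would still be prompted for the second factor."""
    flagged = []
    for net in ranges:
        # 'in' returns False across IP versions, so mixed lists are safe.
        if any(net.network_address in blocked for blocked in NON_ROUTABLE):
            flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    trusted = parse_ranges(SAMPLE_TRUSTED_RANGES)
    mistaken = parse_ranges(SAMPLE_MISTAKEN_RANGES)
    # Internal user leaving through the HQ NAT: exempt from the second factor.
    print("HQ user 2FA required:", two_factor_required("203.0.113.10", trusted))
    # Home user on an unrelated public address: challenged.
    print("Home user 2FA required:", two_factor_required("198.51.100.9", trusted))
    # Same HQ user, but the admin entered the LAN range instead of the NAT
    # address: the exemption never matches and the user is still challenged.
    print("HQ user with LAN range:", two_factor_required("203.0.113.10", mistaken))
    print("Ineffective entries:", ineffective_ranges(mistaken))
```

The check in ineffective_ranges is the practical caveat behind the paragraph above: the broker only ever compares the address it observes on the connection, so the Network Ranges entries must be the post-NAT addresses, not the internal subnets.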

For a quick demonstration showing how to set up a two-factor assignment with Universal Broker, see Two-factor Setup with Universal Broker - Basic.

Summary and Additional Resources

This guide provided a collection of tips and resources in a single, consolidated document, about setting up and implementing Universal Broker in Horizon 7 or 8, or Horizon Cloud with Microsoft Azure environments for multi-cloud assignments and two-factor authentication.

Resources

For your convenience, the resources referenced in this guide are presented as a curated checklist in order of appearance:

Changelog

The following updates were made to this guide:

Date: 2021/06/03
Description of Changes:
  • Initial publication.

About the Author and Contributors

This guide was written by Rick Terlep, Staff EUC Technical Marketing Architect, End User Computing Technical Marketing, VMware, with support and contributions from:

  • Chris Halstead, EUC Staff Architect, EUC Mobile Marketing, VMware
  • Darren Hirons, Lead Solution Engineer, Digital Workspace, VMware
  • Cindy Carroll, Technical Marketing Manager, End User Computing, VMware


Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
