Adding a second factor for Horizon Client login is always a good idea. But sometimes we may not only want to authenticate the user; we may also want to limit VDI access to a dedicated end point device. To achieve this, we also need to authenticate the end point device.
An easy way to do that is enabling VDI access with certificate authentication. VDI access will then only be allowed from end point devices with the certificate installed; end point devices without it will be denied.
Enabling certificate authentication is very easy, and this feature has been available for a long time. The requirements are listed below.
Unified Access Gateway 2.6 or later
Horizon 7 version 7.5 or later
A certificate installed on the client device that Unified Access Gateway accepts
The first thing we need to prepare is a certificate. This certificate can be obtained either from a 3rd party CA (e.g. GlobalSign) or from an internal CA. This document will use a 3rd party certificate as the example. But don't worry, the procedure for an internal CA is exactly the same.
The deployment will be divided into 2 parts.
So let's start with part 1.
1. Enabling the setting on Unified Access Gateway (UAG)
Assume you already have a UAG installed and configured for your Horizon infrastructure. The first step is logging in to the UAG Admin UI.
Click "Authentication Settings". Click the Gear Button next to X.509 Certificate.
Click the check box next to "Enable X.509 Certificate". Click "Select".
Here you need to provide the root certificate so that UAG accepts the corresponding client certificate. My client certificate was obtained from GlobalSign, so I have also downloaded the GlobalSign root cert. Here I select the root cert I downloaded.
The next step is optional. CRL stands for Certificate Revocation List. It is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted.
If you want to increase the security of the certificate authentication process, you should enable CRL checking so that UAG verifies whether the client cert has been revoked. My example enables it by providing the CRL from GlobalSign.
Click the check box next to "Enable Cert Revocation". Check "Use CRL from Certificates". Input the URL in "CRL Location". Click "Save".
After enabling the X.509 cert, we also need to enable the corresponding Horizon setting.
Click to expand "Edge Service Setting". Click the gear button next to "Horizon Setting".
Click the "More" button at the bottom of the page.
Select "Device X.509 Certificate and Pass Through" for Auth Methods. Click "Save".
From now on, certificate authentication is enabled. Any end point without the client cert will not be allowed to log in to the Horizon platform.
2. Installing certificate on client device
After enabling the setting on UAG, next we need to install the client certificate on the end point device. I will use a Windows 10 machine as the example.
On the end point device, open the Edge browser. Click the 3-dot button "...". Click "Setting".
Search for "Certificate" in the search bar. Click "Manage Certificate".
Click "Import".
Click "Next".
Click "Browse". Select the client cert. Click "Next".
Input the password of the certificate. Click "Next".
Click "Next".
Click "Finish".
The client cert is installed successfully.
And you should be able to see the login screen.
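The same import can be scripted, which is handy when the client cert has to be rolled out to many end points. The script below is an added example, not part of the original post: it imports the PFX into the user's Personal store and then checks, before the first login attempt, that the cert has a private key, chains to the same root that was uploaded to UAG in part 1, and passes a revocation check like the CRL check enabled on UAG. The file paths are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). Paths below are assumptions.
$PfxPath  = 'C:\certs\client.pfx'    # assumed location of the client certificate (PFX)
$RootPath = 'C:\certs\ca-root.cer'   # assumed copy of the root cert uploaded to UAG in part 1
$ClientAuthEku = '1.3.6.1.5.5.7.3.2' # standard OID for the Client Authentication EKU

# Prompt for the PFX password instead of hard-coding it in the script
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import the client cert (with its private key) into the user's Personal store,
#    the store the browser and Horizon Client look in for client certificates.
$clientCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $pfxPassword |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $clientCert) {
    throw "No certificate with a private key was imported; UAG cannot authenticate without one."
}

# 2. Check that the cert chains to the root UAG trusts and is not revoked.
#    RevocationMode = Online mirrors the "Enable Cert Revocation" setting on UAG.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk   = $chain.Build($clientCert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($status in $chain.ChainStatus) {
    Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation)"
}
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Client cert chains to '$($chainRoot.Subject)', not to the root UAG trusts ('$($root.Subject)')."
}
if (-not $chainOk) {
    throw "Chain validation failed (expired, revoked, or untrusted); UAG will reject this cert."
}

# 3. Confirm the cert carries the Client Authentication EKU, which UAG requires for
#    device certificate authentication (Test-Certificate also re-runs the revocation check).
if (-not (Test-Certificate -Cert $clientCert -EKU $ClientAuthEku -ErrorAction Stop)) {
    throw "Certificate is not valid for client authentication."
}
Write-Host "Client cert $($clientCert.Thumbprint) installed and ready for Horizon login."
```

Run it in the user's own session (not as an administrator) so the cert lands in that user's Personal store rather than the machine store.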
----- END -----