It's not exactly ideal in terms of security, but arguably suitable for a POC or lab. This Basic Deployment involves a single UAG appliance sitting in the trusted network or the DMZ. Here's a nice depiction of a Basic Deployment using UAG as a VMware Tunnel. I'm going to use the terms interchangeably throughout this post. Please note that, "Workspace One UEM," is what VMware is calling AirWatch nowadays. Further, VPN connectivity is only made available for the individual app, rather than the whole device, providing better overall security. As Per-App VPN enabled applications are launched VPN connections are automatically established for these apps on behalf of the users in the back ground, providing a very simplified and convenient user experience. Configured to act as VMware Tunnel, the UAG appliance is used to provide Per-App VPN connections for iOS apps that require access to internal corporate resources. To get SSO working you'll need to implement TrueSSO.This is a recipe for delivering AirWatch Per-App VPN capabilities using Horizon's Unified Access Gateway 3.3 and a SaaS instance of AirWatch/Workspace One UEM. This in turn gives you all the bells and whistles Azure authentication offers you, but it will require an user to enter their credentials again when logging into the desktop (so no SSO). Option 2 is a direct connection to Azure which users a different Identity Provider compared to VMware Horizon (Active Directory). If everything is configured properly users will fill in their username and password, answer the security prompt on their phones and will successfully be logged in. On the UAG you use the Radius settings to connect to the NPS server. Option 1 requires a NPS server which will be connected to Azure via the NPS Extension. Use all MFA authentication methods (Phone call, text message, app).Use the Microsoft Authenticator App only.In this scenario you have two options for MFA: Most deployments I do are using separate entries for internal and external user, and the customer wants to use MFA when users are connecting externally.
It depends on what you want to achieve/what your customer/company wants.
0 kommentar(er)
