Forum Discussion
4 Replies
- Mike_61719Cirrus
Yes, it depends on how you want it setup (architecture). In many cases, you log into the APM with SSO to the RDS server and you have the two-factor authentication within the RDS server itself.
In other cases, you have the two-factor authentication at the APM login level and do the RADIUS authentication up front. It depends on how you set it up.
- evegter_163099Nimbostratus
Hi Mike, thanks for the reply. When you say "the two-factor authentication within the RDS server itself", how exactly do you mean that? What kind of implementation of 2FA does RDS provide? I know the RDS Gateway server uses NPS as the authentication and authorization layer and that it can also redirect login to RADIUS with AD-user mapping etc., but I have not implemented anything like that yet and wonder how the integration and SSO with WebAccess would be and when/how exactly the user would get prompted for the OTP key in that scenario. So I was hoping an enterprise reverse proxy/load balancer like F5 would provide this kind of AD+OTP 2FA feature out of the box. The document "f5-microsoft-remote-desktop-services-dg.pdf" doesn't mention it, so a multi-scenario document would be nice ;)
Your remark "In other cases, you have the two-factor authentication at the APM login level and do the radius authentication up front" basically sounds like what we have in mind. Do you know of any documentation that describes this?
Many thanks, Eric
- Mike_61719Cirrus
In the first scenario, you install the two-factor software on the RDS server. It will send a call to the device or database used for two-factor authentication. In this case, similar to PhoneFactor or using the Azure cloud.
In the second case, you will set up APM login: Username, Password (AD usually) and Two-factor authentication token. You're basically authenticating at the APM level rather than on the RDS server.
I like the RSA token guide: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/6.html
http://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm_authentication_config_11_0_0/_jcr_content/pdfAttach/download/file.res/apm_authentication_config_11_0_0.pdf
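The second scenario above (AD password plus token checked over RADIUS in front of RDS) as an added example, not code from this thread, from F5 or from Microsoft: a minimal RFC 2865 Access-Request/Access-Accept exchange in which the client side plays the APM's role and the server side checks the AD password and an RFC 4226 HOTP code, the algorithm used by event-based hardware tokens. The user name, password, shared secret, token seed and the "password followed by a 6-digit OTP" field layout are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_DIGITS = 6  # assumption: the user appends a 6-digit token code to the AD password


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(raw):
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        attrs.append((t, raw[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])


def build_access_request(ident, username, password, otp, secret, request_auth=None):
    """Client (APM) side: User-Name plus hidden User-Password = AD password + OTP."""
    request_auth = request_auth or os.urandom(16)
    attrs = pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_user_password((password + otp).encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def hotp(seed, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample data standing in for the AD directory and the token server.
DIRECTORY = {"eric": "CorrectHorse!"}
TOKEN_SEEDS = {"eric": b"12345678901234567890"}  # RFC 4226 test-vector seed
TOKEN_COUNTER = {"eric": 0}


def server_handle(pkt, secret):
    """Server side: recover the credentials, check password and OTP, answer Accept/Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    d = dict(attrs)
    ok = False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in d and ATTR_USER_PASSWORD in d:
        user = d[ATTR_USER_NAME].decode(errors="replace")
        creds = decode_user_password(d[ATTR_USER_PASSWORD], secret, req_auth)
        pwd, otp = creds[:-OTP_DIGITS], creds[-OTP_DIGITS:]
        if user in DIRECTORY:
            pwd_ok = hmac.compare_digest(DIRECTORY[user].encode(), pwd)
            otp_ok = hmac.compare_digest(hotp(TOKEN_SEEDS[user], TOKEN_COUNTER[user]).encode(), otp)
            ok = pwd_ok and otp_ok
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # reply carries no attributes
    return header + resp_auth


def client_check_response(resp, req_auth, secret):
    """Client side: only trust a reply whose Response Authenticator verifies."""
    code, _, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected), code


def run_exchange(username, password, otp, secret=b"constructed-shared-secret"):
    """Full round trip; returns (authenticator_verified, reply_code)."""
    req_auth = os.urandom(16)
    req = build_access_request(7, username, password, otp, secret, req_auth)
    return client_check_response(server_handle(req, secret), req_auth, secret)


if __name__ == "__main__":
    print(run_exchange("eric", "CorrectHorse!", hotp(TOKEN_SEEDS["eric"], 0)))  # (True, 2)
    print(run_exchange("eric", "CorrectHorse!", "000000"))                       # (True, 3)
```

Two things the toy shows that matter when wiring APM to a RADIUS token server: the User-Password hiding is MD5-based and only as strong as the shared secret, so the APM-to-RADIUS leg should run over a protected path rather than an open segment, and the client must verify the Response Authenticator so an unauthenticated Access-Accept on that segment is not honoured.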
- evegter_163099Nimbostratus
Thanks! I'll read the docs and see where that takes me. The PhoneFactor solution (now MS) that uses the Azure MFA server as RADIUS proxy in combination with the RDS Gateway is basically what we'd like, but it was not accepted by the customer because of availability/coverage reasons for SMS-like token exchange, so we need to get the solution to work with hardware tokens.