The state of external access to my Horizon 6 Enterprise lab has been in flux for a while. I’ve used Duo Security to provide two-factor authentication for a bit, but as I transitioned from a straight WAN -> DMZ NAT using a View Security Server to proxying all of my incoming traffic through an F5 LTM Lab Edition virtual appliance using APM, I found myself on the hunt again.
I would have stuck it out with Duo – it’s a great service and provided fully-featured and free of charge for up to 10 users, but I couldn’t make it work with APM. After a fair bit of research, I landed on WiKID Systems. It, like Duo, met my three most basic requirements, which are an iOS-based soft token so I can just use my iPhone for authentication, RADIUS authentication, and it was free.
Before I started, I had already configured my firewall to pass all View-related traffic to a virtual IP on my F5 VM in my DMZ (443/TCP, 80/TCP, 4172/TCP, 4172/UDP). The View 1.2 iApp was deployed on the F5, and it was configured so I could access everything internally without being proxyed, while everything external was proxyed via APM. Connectivity worked both natively using the Horizon View Client, as well as via the webtop.
Deploy and Configure the WiKID Appliance
Since WiKID Systems already has a write up on deployment, I won’t cover that here. Instead, you can get that right from the source -> https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-strong-authentication-server-iso-1
I’ll pick up where I have my appliance deployed and initial configuration (certificates installed, registered with WiKID Systems, available externally on 80/TCP, etc.) complete.
1. Logged in to the WiKID Admin Console, click Domains, then Create A New Domain.
2. Give your new domain a Name, Device Domain Name, Server Code (this is the external IP address used for WiKID, must be 12 digits, fill in 0s if need be – example below is for 188.8.131.52), and the rest of the configuration. The defaults were fine with me. Click Create when finished.
3. Click Network Clients, then Create A New Network Client.
4. Give your new network client a Name, the IP address of the intended target (mine is the internal IP address of my F5 appliance), choose Radius and your Domain. Click Add when finished.
5. Type in your Shared Secret, and then click Add NC. I did not have to configure anything on the Assign Return Attribute field.
6. On your iOS device (or Android or whatever – I’m only showing iOS because it’s what I use) in the WiKID Token Client, choose Add a new domain.
7. Enter the Server Code defined in step 2 above. This should be the external IP address for the WiKID service. Click Save.
8. Define a PIN within the constraints set in step 2 above. This will be required each time you want to authenticate with WiKID. Click Set.
9. On the Users tab, click Manually Validate A User.
10. Click the Registration Code link (mine corresponded to the SHA256 one).
11. Give the new user a UserID, and then click Register.
12. Your user should now show up on the Users tab.
Configure F5 – RADIUS
1. On your F5 web GUI, go to Access Policy > AAA Servers > RADIUS.
2. Click Create. Complete the following:
- Mode – Authentication
- Server Connection – Direct
- Server Address – WiKID internal IP address
- Authentication Service Port – Default
- Secret – We defined this on the Network Client in the WiKID configuration.
- Timeout – 60 seconds to match the WiKID configuration
- Retries & Service Type – Default
3. Click Finished.
Configure F5 Access Policy for View
1. In the F5 Web GUI, browse to your iApp and disable Strict Updates. Nothing within the iApp configuration can be changed outside of the iApp config page without it.
2. Now, go to Access Policy > Access Profiles > Access Profiles List.
Remember – this assumes you’ve already deployed the default View 1.2 iApp with APM configured.
3. Click Edit under Access Policy for your View Access Profile.
4. A new page will pop up with the Visual Policy Editor for your View Access Policy. First, click the + to the left of the AD View Client Logon. This is for the VMware View client type.
5. Choose VMware View Logon Page, and then click Add Item.
6. A window will pop up, prompting for configuration of the logon page. Configure the following, and click Save when finished.
- VMware View Logon Screen – RADIUS
- VMware View Windows Domains – Blank
- VMware View RADIUS Auth Label – I don’t know if this makes a difference – I just supplied Wikid.
- The rest you can leave at defaults. I made sure I called out that this was WiKID auth in the UI.
7. On the VPE, click the + to the right of the new VMware View Logon Page.
8. On the Authentication tab, choose RADIUS Auth, and then click Add Item.
9. A window will pop up, prompting for configuration of the RADIUS Auth. Configure the following, and click Save when finished.
- AAA Server – This will be the RADIUS AAA Server configured earlier.
- Show Extended Error – Default
- Max Logon Attempts Allowed – 3 to match the rest of the policies.
End to end, the View Client authentication should look something like this (Disclaimer isn’t necessary):
10. Back on the VPE, click the + to the left of the Browser Logon Page. This is for the Full or Mobile Browser client type.
11. Choose Logon Page, and then click Add Item.
12. Configure similarly to that below. The only things I changed here were the Form Header Text and Logon Page Input Field #1 and #2, and these were for aesthetic reasons. The rest of the form is default. Click Save when finished.
13. Click the + to the right of your new Logon Page.
14. Repeat steps 8 and 9 above for the new RADIUS Auth. The only difference will be that you have to give it a unique name.
End to end, the Browser authentication should look something like this (Disclaimer isn’t necessary):
15. Click the Close button to exit the VPE.
Now, let’s see what happens when we try to connect externally.
1. Load up the URL in Chrome. Click Click here…
2. Type in my WiKID username and the passcode from my soft token. Click Logon.
3. That worked, so now AD authentication. Click Logon.
4. Now I’m in. I just have the one Windows 7 View desktop, so click it.
5. Click the VMware View Client button first to try it out.
And I get my desktop:
6. Now let’s try HTML5 Client.
My desktop loads through the HTML5 client in another browser tab, just like it’s supposed to.
Horizon View Client
1. Load up the Windows Horizon View Client.
2. I get the disclaimer I configured in the iApp deployment. Click OK to bypass.
3. Now WiKID authentication – username and passcode from the soft token.
4. That went through, so now AD authentication.
5. Click on my View desktop to launch it.
And there’s my desktop.