Hey everybody and welcome back to part 3 of this article series on Workspace ONE Access in combination with Microsoft Azure and VMware Horizon On-Premises and on Azure. In the last parts we have covered the general design and how to configure the Access appliances. In the second part we covered the load balancing part, which has been configured via VMware NSX Advanced Load Balancer, including the cloning process of the Access Appliances and the changing of the FQDN.
In this Episode, we will ensure, that we’re able to synchronise Active Directory users to our Workspace ONE Access appliance, to create an Enterprise Application on Azure, and to enable users to consume Multi-Factor Authentication based on Conditional Access Rules created on Azure.
Table of Contents
High Level Design – Authentication
In the last parts, we were focussing more on the services in the DMZ. Now we’re having a closer look at what is needed in the internal network to securely enable users to consume the features of the Workspace ONE Access appliance such as the Application Catalog and the consolidation of all internal applications and Desktops on the Horizon landscape.
The Access Connector appliance is basicalle the leg into the identitiy platform, which for most companies is Active Directory on-premises. One of the huge advantages is, that the Access Connector improves the overall security as it only pushes data in one way, meaning from the internal network to the DMZ. There are no data written back from the Appliances.
In addition, users have the possibility to access internal resources through the connector (we will cover this in a later part of this series, when it comes to Horizon resources).
All in all, the following resources are needed to cover the topics in this part:
- Windows Server in the internal network for the Access Connector appliance
- Firewall rules in place between the Connector, Active Directory and the Access (one way)
Desired Authentication flow
In this scenario we want to user the advantages of Azure AD with Conditional Access to consume resources within our network by only having ONE authentication app, the Microsoft Authenticator.
Following the mentioned process, a user (regardless if external or internal) tries to connect to the Workspace ONE Access URL and automatically get’s redirected to Azure AD. The user performs the authentication and based on the Conditional Access policy a Microsoft Authenticator request will get send to the end user’s device before allowing any access.
Once the access is granted, the user will get access to the App Catalog of Workspace ONE Access and can connect to the required internal resources.
One important factor before installing the Connector is to prepare for the required firewall ports. There are two types of connections that must be allowed to make the solution work.
An extremley handy tool for finding the right firewall ports is the Ports and Protocol tool of VMware.
Visit this link to open it: https://ports.esp.vmware.com/
The following ports must be opened within the internal network, between the Connector Server and the required servics:
– Port 389: LDAP Authentication from the Domain Controller/s
– Port 636: LDAP/S from the Domain Controller/s
– Port 443: From the Workspace ONE Access Appliances
The only requirement is to open port 80 and 443 from the Connector Server to the Workspace ONE Appliances.
A Service Account should be created for the WS1 Access Sync service. I have prepared a user already to perform these tasks. This domain account should have at minimum local administrator rights on the Connector server.
Installing the Workspace ONE Access Connector
I have already a Windows Server prepared in my internal network, which will host the Workspace ONE Access Connector appliance.
We start off in connecting to the Windows Server (which has the Service Account in the Prerequisites defined as local Administrator of this machine) and connect to the Load Balancer URL of our environment. In my case this is https://access.avdlogix.com.
After the successful sign in, we navigate to “Integrations” in the top menu bar. Click on “Connectors” on the left hand side to create a new Connector service within Workspace ONE Access.
Now you need to click on “New” in the center of the screen to create a new Connector server.
Confirm the appearing pop up window by clicking “OK“.
You will be asked to confirm the message again, please do so.
Now you get to a stage where you can download the Connector installer from the MyVMware.com portal. Please follow the link, by clicking on the blue button.
Now you can select the Workspace ONE Access installer for the required version from the download page. Make sure you have access to the Customer Connect portal, as you will get asked for credentials.