Symantec VIP Integration Guide For VMware View


Table of Contents

About integrating VMware View with Symantec VIP
  System requirements
  VIP supported features
  Authentication workflow
Configuring VMware View Connection Server
  Prerequisites
  Adding a Validation server
  Configuring VMware View for integration with Symantec VIP
Testing the Integration
  Hardware and VIP Access Credential Authentication
  SMS/Voice Authentication
  VIP Access Push Authentication
Troubleshooting
Copyright statement

About integrating VMware View with Symantec VIP

The traditional user name and password authentication is no longer enough to meet today's evolving security threats and regulatory requirements. However, users demand an easy-to-use authentication solution. What is needed today is stronger and smarter authentication to secure corporate data and applications, while offering greater ease of use.

Symantec VIP is a cloud-based authentication service that enables enterprises to securely access online transactions, meet compliance standards, and reduce fraud risk. VIP provides an additional layer of protection beyond the standard user name and password through a wide variety of additional authentication capabilities including:

- Two-factor authentication – dynamic, one-time-use security codes generated by a user's VIP credential in the form of mobile apps, desktop software, security tokens, and security cards.
- Out-of-band authentication – dynamic, one-time-use security codes delivered by phone call, by SMS text message or email, or by push notifications sent to a registered mobile device.

VIP is based on OATH open standards, an industry-wide consortium working with other groups to promote widespread strong authentication. Because the service is hosted by Symantec, enterprises engage one solution to support multiple enterprise, partner, and customer-facing applications requiring strong authentication. Intended for administrators, this guide helps you prepare for VIP integration by providing a comprehensive outline for planning, decision making, and task prioritization for a successful deployment.

Users generate a security code on a VIP credential that they register with Symantec’s VIP Service. They use that security code, along with their user name and password, to gain access to the resources protected by VMware View.

System requirements

The integration environment used in this document is based on the following software versions:

Table 1: System requirements

| Product | Description |
|---|---|
| Partner name | VMware |
| Product name and version | VMware View 5.1 environment: View Connection Server 5.1, View Security Server 5.1, View Client 5.1 |
| | VMware Horizon 7 Enterprise Edition: View Connection Server 7.5, VMware Horizon Client 4.8 |

VIP supported features

Table 2 lists the VIP Enterprise Gateway features that are supported with VMware View.

Table 2: VIP supported features

| Category | VIP feature | Support |
|---|---|---|
| First-factor authentication | AD/LDAP password through VIP Enterprise Gateway | No |
| First-factor authentication | VIP PIN | No |
| Second-factor authentication | VIP Access Push | Yes |
| Second-factor authentication | SMS | Yes |
| Second-factor authentication | Voice | Yes |
| Selective strong authentication | End user-based | No |
| Selective strong authentication | Risk-based | No |
| General Authentication | Multi-domain | Yes |
| General Authentication | Anonymous user name | Yes |
| General Authentication | Legacy authentication provider integration (delegation) | Yes |
| General Authentication | AD password reset | No |
| Integration Method | VIP JavaScript (JavaScript is used for push and out-of-band (OOB) authentication such as SMS and Voice) | No |
| Integration Method | VIP Login | No |
| Integration Method | SOAP Web Service APIs | No |
| Integration Method | RADIUS | Yes |

Authentication workflow

This section describes how the integration of Symantec VIP with VMware View authenticates a user's access of protected resources. This workflow describes the integration for the User ID–Security Code authentication method.

Figure 1: User ID security code authentication workflow

Table 3: Workflow description

| Workflow | Description |
|---|---|
| Step 1 | The user enters a user name and a security code on VMware View Client Login page. |
| Step 2 | As the first part of the two-factor authentication process, the VMware View Connection Server sends the user name and the security code to VIP Enterprise Gateway for authentication. |
| Step 3 | The VIP Enterprise Gateway validation server authenticates the user name and the security code with VIP Service. VIP Service returns an authentication response to VIP Enterprise Gateway. |
| Step 4 | The VIP Enterprise Gateway validation server returns an Access-Accept Authentication response to VMware View Connection Server. |
| Step 5 | As the second part of the two-factor authentication process, the VMware View client prompts for user name and password. |
| Step 6 | The VMware View Connection Server sends the user name and the password to the User Store for validation. The User Store sends an authentication response back to VMware View Connection Server. Based on this response, you can access the VMware View environment. |

Configuring VMware View Connection Server

Prerequisites

- Before you integrate VMware View with Symantec VIP for second-factor authentication, you must ensure that first-factor authentication works.
- Install and configure VIP Enterprise Gateway. For configuration procedures, see VIP Enterprise Gateway Installation and Configuration Guide, available on the Broadcom TechDocs portal.

Adding a Validation server

You must complete the following steps to create a Validation server:

1. Log in to VIP Enterprise Gateway and click the Validation tab.
2. Click Add Server. The Add RADIUS Validation server dialog box is displayed.
3. Configure the RADIUS validation parameters:

| Field | Action |
|---|---|
| Vendor | Select VMware from the drop-down list. |
| Application Name | Select the vendor’s application that you use, VMware View/Horizon. |
| Authentication Mode | Select the UserID-Security Code mode that you want to use for first and second factor authentication. In this authentication mode, VIP Enterprise Gateway validates the first-factor (user name and password) with your User Store, such as AD/LDAP. VIP Enterprise Gateway validates the second-factor (user name and security code) with VIP Service. |

4. Click Continue to add the Validation server.

Configuring VMware View for integration with Symantec VIP

Complete the procedures in this section to configure VMware View.

1. Log in to VMware View Administrator.
2. Navigate to View Configuration > Servers > Connection Servers.

3. Select a Connection Server where you want to configure the second factor authentication and click Edit.
4. In the Edit View Connection Server Settings dialog box, select the Authentication tab.
5. In the Advanced Authentication section, in the 2-factor authentication drop-down list, select RADIUS.
6. In the Authenticator drop-down list, select Create New Authenticator. The Add RADIUS Authenticator dialog box is displayed.
7. In the Add RADIUS Authenticator dialog box, edit the fields to configure RADIUS server (VIP Enterprise Gateway) as described.

| Field | Description |
|---|---|
| Label | Name of the authenticator. For example, VIP. |
| Description | A brief description about the server. This field is optional. |

Primary Authentication Server

| Field | Description |
|---|---|
| Hostname/Address | Specify the IP Address or the host name of the RADIUS (VIP Enterprise Gateway) server that you use. |
| Authentication port | Specify the port number of Validation Service, which you have specified while creating the Validation Server on VIP Enterprise Gateway server. |
| Accounting port | Not applicable. |
| Authentication type | Select PAP from the drop-down list. |
| Shared secret | Enter the RADIUS pre-shared secret, which you have specified while creating the Validation Server on VIP Enterprise Gateway server. |
| Server timeout | Time duration in seconds for which the RADIUS server attempts to authenticate a user. For example, if you set this field to 20 seconds, the server gives you 20 seconds to attempt a login before declaring a timeout. |
| Max retries | Number of attempts that you can try to log in and authenticate your credentials with the RADIUS server. Note: If you are integrating Out-of-Band authentication (SMS, Voice, or Push) then to avoid authentication failures, set the Server timeout field to 20 seconds and Max retries to 3. |
| Realm prefix | Enter an appropriate value if required. This field is optional. |
| Realm Suffix | Enter an appropriate value if required. This field is optional. |

8. Click Next.
9. Enter the details of secondary RADIUS server if you want to configure it, and click Finish.
10. If required, in the Edit View Connection Server Settings dialog box, Authentication tab, under Advanced Authentication, select Enforce 2-factor and Windows user name matching. Select this check box if you want to use the same user name for both the RADIUS and the Active Directory Authentication. This field is optional.

Testing the Integration

This section describes the procedures for testing the integration of VMware View with Symantec VIP. An authentication method can integrate the following verification mechanisms.

- Hardware and VIP Access Credential: In this method, the security code that you generate on your hardware or VIP Access credential is used besides the user name and password to access the protected resources. See Hardware and VIP Access Credential Authentication.
- SMS/Voice: If you have configured Out-of-Band (OOB) authentication in the VIP Enterprise Gateway validation server and in VIP Manager, then a security code is sent to your registered mobile device over SMS or Voice. You must use this security code besides the user name and password to access the protected resources. See SMS/Voice Authentication.
- VIP Access Push: For users who have installed VIP Access on their registered mobile devices, VIP Service sends a VIP Push notification message to the mobile device. The user must tap the Allow button on the device to perform the second-factor authentication and complete the sign-in. See VIP Access Push Authentication.

Hardware and VIP Access Credential Authentication

If you are using the hardware or VIP Access credential authentication with the User ID – Security Code authentication method, then perform the following steps:

1. Launch VMware View Client.
2. In the Connection Server drop-down list select the appropriate server, and click Connect. The following dialog box is displayed. Do the following:
   – Enter the user name.
   – Enter the security code that you generate on your hardware or VIP Access credential.
3. Click OK. The following dialog box is displayed. Do the following:
   – Enter the user name.
   – Enter the password.
4. Click Login. After successful authentication, you can access the protected resources.

SMS/Voice Authentication

If you have integrated SMS or Voice authentication with the User ID – Security Code authentication method, then perform the following steps:

1. Launch VMware View Client.

2. In the Connection Server drop-down list select the appropriate server, and click Connect. The first login dialog box is displayed. Do the following:
   – Enter the user name.
   – Enter Push or Send. (The key words Push and Send are not case-sensitive.)
3. Click OK. If the credentials are correct, you will receive a security code over SMS or Voice on your registered mobile device and the Challenge page is displayed.
4. In the Challenge page, enter the security code that you received on your device and click Login. After successful authentication, you can access the protected resources.

VIP Access Push Authentication

If you have integrated Push authentication with the User ID – Security Code authentication method, then perform the following steps:

1. Launch VMware View Client.
2. In the Connection Server drop-down list select the appropriate server, and click Connect. The first login dialog box is displayed. Do the following:
   – Enter your user name.
   – Enter Push or Send. (The key words Push and Send are not case-sensitive.)
3. Click OK. If the credentials are correct, you will receive a Push notification on your registered mobile device.
4. Tap Allow on your device to complete the authentication. After successful authentication, you can access the protected resources.

Troubleshooting

The following are some of the common issues that you may encounter during integration, along with typical solutions.

Table 4: Troubleshooting issues

Issue: The log file contains the error message, Authentication failed with incorrect LDAP static password.
Solutions: Use any of the following solutions:
- The password may be locked or it may have expired. Reset the password.
- Make sure that the RADIUS shared secret set in the VIP Enterprise Gateway validation server and the application are the same.

Issue: Authentication fails even before you get the SMS/Voice security code or the Push notification on the registered mobile device.
Solutions: Make sure that when configuring the RADIUS Server of the application, you set the Server timeout field to 20 seconds and the Max retries field to 3. If the Max retries field is unavailable, set the Server timeout field to a minimum of 60 seconds.

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright 2021 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
