Tested SMS PASSCODE multi-factor authentication with VMware Horizon View

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer for a broad range of authentication clients such as:

  • Citrix Web Interface Protection
  • RADIUS Protection
  • Cloud Application Protection
  • IIS Web Site Protection
  • ISA/TMG Web Site Protection
  • Windows Logon Protection
  • Secure Device Provisioning (for ActiveSync devices)

In this review we test how to integrate SMS PASSCODE with the latest version of VMware Horizon View using RADIUS authentication.

What is SMS PASSCODE

Unlike traditional hardware-token based solutions, SMS PASSCODE works without distributing any hardware tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. No software installation is needed on the mobile phone. The cell phone number is simply read from Active Directory (AD).

SMS PASSCODE sends a One-Time-Passcode (OTP) to the user's mobile phone. SMS PASSCODE looks at multiple factors such as time, geo-location, and type of login system being accessed.

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer to the VMware Horizon View environment. VMware Horizon View has support for RADIUS authentication.

LAB environment

In the lab environment the following components are installed:

  1. Horizon View Clients (PCoIP, RDP and HTML)
  2. Horizon View Security Server
  3. Horizon View Connection Server external
  4. Horizon View Connection Server internal
  5. Microsoft SQL Server
  6. Horizon View Composer
  7. vCenter Server
  8. Active Directory Domain Controller
  9. SMS PASSCODE version with Network Policy Server (NPS) role installed

For the external connection to the VMware Horizon View environment, Multi-Factor Authentication (MFA) is configured by using SMS PASSCODE. The internal Horizon View users don’t use SMS PASSCODE to connect.

The following software versions are used:

  • Windows Server 2012 R2 Active Directory (AD)
  • Windows Server 2008 R2 for the SMS PASSCODE and NPS software role
  • VMware vSphere 6
  • VMware Horizon View 6.1
  • SMS PASSCODE 7.2

Instead of using a GSM modem, a Web Service SMS dispatching service is used for sending messages. A GSM modem is highly preferred in a production environment.

Installation and configuration Management

Installation of SMS PASSCODE

SMS PASSCODE is installed on a Microsoft 32- or 64-bit Windows Operating System. The core components of SMS PASSCODE are:

  • Database Service. The database stores the SMS PASSCODE configuration and user data.
  • Transmitter service. This service is responsible for dispatching messages and validating SMS PASSCODE logons. It handles load balancing and failover between all GSM modems.
  • Load Balancing service. Service responsible for load balancing and failover.
  • Web Administration Interface. Web site for maintaining user and configuration data.

These core components can be distributed over one or more servers to provide redundancy and load distribution for enterprise 24×7 uptime demands. In the lab setup all the core components are installed on a single server.

During the installation, RADIUS Protection is selected as the Authentication Client.

Network Policy Server (NPS)

On the SMS PASSCODE server the Network Policy Server (NPS) role is installed for RADIUS authentication.

Configuration

Web Administration Interface (WAI)

The Web Administration Interface (WAI) is available from the web browser on port 2000. SMS PASSCODE is configured from the WAI.

From the WAI we need to do the following main steps:

  1. Configure AD integration and the messaging infrastructure used in the General settings
  2. Configure the User Integration Policy (UIP)
  3. Configure User Group Policies
  4. Configure transmission infrastructure for creating a dispatching entity

Step 1. General Settings

In the General settings tab, AD integration in single sync mode is enabled. With single sync mode, users are imported from a single user group.

In the globalization options the messaging infrastructure is set. The following messaging infrastructures can be used in SMS PASSCODE:

  • SMS OTP
  • E-mail OTP
  • Voice call OTP
  • Web service SMS OTP
  • Token OTP
  • Personal passcode OTP

The SMS OTP is the most secure option to use and highly preferable. In our lab environment we use Web service SMS OTP as messaging infrastructure. A 3rd party web service is used for SMS dispatching.

Step 2. User Integration Policy (UIP)

User Integration Policies are used to configure how users in the SMS PASSCODE database are synchronized with users from one or more Active Directory stores.

When AD integration is enabled, users are synced when they belong to a specified group or have a specified attribute. For example, the mobile attribute is used to retrieve AD users. Only users with the phone number filled in are synced to SMS PASSCODE.

Step 3. User Group Policies (UGP)

User Group Policies (UGP) are used for managing users. Every user is assigned to a UGP and automatically inherits the settings specified by this policy. For example, the administrator could change the type of passcode dispatching, the SMS type (Flash/normal) or the Self Service Site permissions in the UGP. A UGP manages user settings on a group basis; settings can also be managed on an individual basis by overriding the UGP.

We changed the default UGP for the dispatch type to “Send passcodes by web services SMS”.

Step 4. Transmission infrastructure for creating a dispatching entity

In our lab environment we don’t have a GSM modem for sending SMS messages, so we configured and used a Web Service Dispatcher service for sending SMS messages.

After these four main configuration steps we can test whether the SMS message is sent to the user's mobile phone by selecting the test button and choosing the Web Service Dispatcher option. A test SMS message is sent to the user's mobile phone. If the SMS message arrives on the mobile phone, the configuration is ready for the next step.

When the four main steps are performed, it is possible to perform some optional additional steps such as:

  • Adjust the passcode policy to reflect the organization's policy. For example, adjust the minimal passcode length, the composition of the passcode, its lifetime and the composition of the SMS message that is sent to the mobile phone.
  • Create Authentication policies and lockout period settings.
  • Enable Geo IP and IP history lookup to identify where in the world your users are logging in.
  • Configure date and time restrictions.
  • Configure the Self Service Web Site. The Self Service Web Site is for maintaining the user's account settings and Password Resets.

Network Policy Server (NPS)

On the Network Policy Server a RADIUS Client profile is created. The RADIUS profile points to the VMware Horizon View Connection Server (3) that is configured for the external users. In this Client profile we enter the following information:

  • Friendly Name.
  • DNS or IP address of the Connection server.
  • A manually assigned shared secret that will be used for the RADIUS connection between the NPS and Connection Server.

VMware Horizon View external Connection Server configuration

On the Horizon View Connection Server (3) for the external access we configure 2-factor authentication for Remote Authentication Dial-In User Service (RADIUS). On the VMware Horizon View Connection Server we create a RADIUS profile using the following settings:

In the primary Authentication Hostname/Address field, the IP address of the NPS server is entered. NPS is installed on the SMS PASSCODE server. The same shared secret is used as in the NPS Client configuration.
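
Why the shared secret must be identical on the NPS client profile and the Connection Server, shown as an added example (not code from the original post, SMS PASSCODE or VMware): a Python sketch of the RFC 2865 password hiding and reply-authenticator check that both sides compute from that secret. The function names, sample password, reply message and packet values are constructed for illustration.

```python
import hashlib, hmac, os, secrets, struct

def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for block in _blocks(padded):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, pad))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    # Server side: same keystream, so only the same secret recovers the password.
    out, prev = b"", request_auth
    for block in _blocks(hidden):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_authentic(reply, request_auth, secret):
    # Client side: recompute the authenticator; a wrong secret or altered packet fails.
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # Long random secret, entered on both the NPS client profile and the Connection Server.
    secret = secrets.token_urlsafe(32).encode()
    request_auth = os.urandom(16)              # per-request random value
    password = b"constructed-AD-password"      # constructed sample, spans 2 blocks
    hidden = hide_password(password, secret, request_auth)
    msg = b"Enter passcode"                    # constructed Reply-Message (type 18)
    reply = build_reply(11, 1, bytes([18, 2 + len(msg)]) + msg, request_auth, secret)
    return {
        "recovered": reveal_password(hidden, secret, request_auth) == password,
        "wrong_secret_recovers": reveal_password(hidden, b"typo", request_auth) == password,
        "reply_ok": reply_is_authentic(reply, request_auth, secret),
        "reply_ok_wrong_secret": reply_is_authentic(reply, request_auth, b"typo"),
    }

if __name__ == "__main__":
    print(demo())
```

Both the password protection and the reply check rest only on MD5 and the shared secret, so a long random secret, unique to this NPS client entry, is the setting that matters most here.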

Connecting to the VMware Horizon View environment

External users connect to the VMware Horizon View environment by using the VMware View Client and HTML Access.

VMware Horizon View Client

When connecting externally to the VMware Horizon View environment by using the Horizon View Client, the following login box appears in the Horizon View Client:

After entering the AD user name and password credentials, a One-Time-Passcode (OTP) is sent to the user's mobile phone.

After entering the OTP in the Next Code: field, you’re authenticated to the VMware Horizon View environment and you see your pool entitlements.

HTML access

Another option is to connect to the VMware Horizon View environment by using HTML access. This option does not require any software other than a supported browser such as IE, Chrome or Firefox on the client. HTML access uses the Blast protocol instead of the PCoIP protocol. The login steps are the same as with the Horizon View client.

Conclusion

SMS PASSCODE is a multifactor solution that adds an extra security layer to the VMware Horizon View environment. SMS PASSCODE has the following pros:

  • Stable and flexible product. We tested SMS PASSCODE for several months and it is a very stable product. We experienced no crashes or strange things during our tests.
  • Simple installation, configuration and maintenance.
  • Can be used from Small and Midsize Business (SMB) up to large Enterprise (24×7) environments (scalable).
  • No extra software is needed on the user's mobile phone
  • No hardware-tokens are needed
  • Because RADIUS authentication is used, it works with new versions of VMware Horizon View out of the box.

For SMS PASSCODE a Windows Operating System is needed. It would be great if in the future an appliance version could be used without the need for a Windows Operating System.

When working with external users that connect to your VMware Horizon View environment an extra security layer is needed besides the standard username and password.

SMS PASSCODE offers that extra layer of security by using 2-factor or Multi-Factor Authentication.

More information

Want to try SMS PASSCODE live or request a free 30 day trial? Click the link. vExperts can obtain an NFR license by sending an email to support@smspasscode.com. Provide some documentation that proves you are a vExpert.

First impressions of Cisco UCS Central 1.3

Cisco released version 1.3(1a) of UCS Central. Cisco UCS Central integrates management of one or more UCS domains in a single management solution. This release has the following new enhancements:

  • HTML5 UI: New task based HTML5 user interface.
  • KVM Hypervisor Support: Ability to install Cisco UCS Central in KVM Hypervisor
  • Scheduled backup: Ability to schedule domain backup time. Provides you flexibility to schedule different backup times for different domain groups.
  • Domain specific ID pools: The domain specific ID pools are now available to global service profiles.
  • NFS shared storage: Support for NFS instead of RDM for the shared storage is required for Cisco UCS Central cluster installation for high availability.
  • The ability to manually push global VLANs and VSANs to UCS Manager without having to deploy a Global Service Profile to improve the centralized VLAN and VSAN management.
  • Support for Cisco M-Series Servers.
  • Connecting to SQL server that uses dynamic port.
  • Support for SQL 2014 database and Oracle 12c Database.

Upgrading

For upgrading Cisco UCS Central, use the ISO image. You can upgrade Cisco UCS Central to release 1.3(1a) from any of the following two releases:

  • From 1.1(2a) to 1.3(1a)
  • From 1.2(x) to 1.3(1a)

The upgrade process is simple: attach the ISO, reboot the Cisco UCS Central Virtual Machine and select the upgrade option.

After a couple of minutes the upgrade is finished and the appliance can be rebooted.

User Interfaces (UI)

The legacy interface can still be used through an HTTPS connection to the UCSC appliance.

The new HTML 5 interface can be accessed by using the following URL:

  • https://<ucs central ip>/ui

More information can be found in the following blog post: UCS Central User Interface Reworked with UCS Central 1.3 release, link.

vCenter Server 6 and the vPostgres database

In vCenter Server 5.x the embedded SQL Express database supports a maximum of 5 hosts and 50 Virtual Machines. With vCenter Server 6 the embedded database is changed from SQL Express to a vPostgres database. The vPostgres database supports a maximum of 20 hosts and 200 VMs. In comparison, the vPostgres database on the vCenter Server Appliance (VCSA) 6 supports 1000 hosts and 10000 VMs. When upgrading or fresh installing vCenter Server 6, make sure to note the following items:

  • When upgrading to vCenter Server 6.0, the Microsoft SQL Express database is migrated to a vPostgres database.
  • Oracle, SQL Standard and Enterprise database editions will not be migrated to vPostgres.
  • It is possible to upgrade without migrating the SQL database to vPostgres. Make sure you have a supported SQL database before upgrading. More information can be found here, link.
  • When uninstalling vCenter Server 6 the embedded VMware vPostgres database will be removed with all the data! More information can be found here, link.
  • A Python script is available to back up and restore the vPostgres database. This script can be found here, link.
  • VMware vSphere Update Manager can’t use the embedded vPostgres database! For VMware vSphere Update Manager you need a Microsoft SQL (Express) database. When combining the vCenter Server, PSC and VUM on one server, two different database engines are used.

What VMware Horizon View PowerCLI features would you like to see?

PowerCLI 6.0 R1 is released with some cool new features. One thing I missed in this announcement is improvements in the PowerCLI support for VMware Horizon View. The latest release of VMware Horizon View 6.1 still has NO PowerCLI improvements! This is a huge bummer because PowerCLI is very limited in VMware Horizon View.

On the VMware PowerCLI Blog the following statement is written (link):
Each new release tends to have several features or enhancements that have been asked for by YOU, our customers. These new features come to us by way of interaction at events like VMworld, Partner Exchange, VMUG Conferences, Twitter, Email, and customer visits. What better way to show our customers that we listen than by adding in features they ask for? This release does not disappoint! Thank you to all who provide feedback and help us continue to improve this great tool.
So we must provide feature request feedback to the PowerCLI team to improve PowerCLI for VMware Horizon View!
I have the following feature requests:
  • Ability to run from remote systems
  • Creating and exporting desktop pools with all the settings available as in the GUI (Horizon View Administrator)
  • Available as module
  • Getting the Health overview as in the VMware Horizon View Administrator
  • Filter on the desktop status such as problem desktops, agent unreachable, deleting, missing, disconnected, available etc.
  • Filter pools and display the amount of desktops that are used, available desktops, headroom and total desktops.
  • Check the ADAM replication between the Connection Servers
  • Search and filter the Event database on error and warnings
  • Add or remove a VM to a manual pool
  • Send messages to desktops
Please let me know which feature requests you have by placing a comment in this blog post, even if it is already mentioned. All the feature requests will be bundled and forwarded to the PowerCLI team. I hope to see some of the feature requests in the next release of PowerCLI for VMware Horizon View.
Looking forward to your feature requests!

Tips for installing System Center Virtual Machine Manager 2012 R2 Update Rollup (UR5)

Here are some tips for installing System Center 2012 R2 Virtual Machine Manager Update Rollup (UR5):

      • UR5 is available from Microsoft Update or by manual download. If you are not installing UR5 through Microsoft Update (e.g. you’re downloading the update and then installing it), you must install using elevated privileges. If you do not do this the update may fail silently.
      • During the UR5 installation the System Center Virtual Machine Manager & Agent will be stopped
      • After installing the SCVMM UR5 server component, reboot the VMM server before installing the UR5 console
      • Before Update Rollup 5, you had to manually update the System Center Virtual Machine Manager DHCP Server (x64) component. As of Update Rollup 5, this is no longer required. When updating the agent on the server, the DHCP server component is updated too.
      • The new SCVMM UR5 agent build version is: 3.2.7895.0
      • The Microsoft System Center Virtual Machine Manager DHCP Server (x64) build version is still 3.2.7768.0
      • Make sure to update the agent on all the infrastructure servers such as the Update Server and library server. In VMM, click Fabric - Server for a complete overview
      • Refresh the cluster after updating the agents
      • When starting the VMM console, a pipeline error appears.
      • This error is permission related. To solve this error, add the “Authenticated Users” group to the AddInPipeline directory and assign read and execute rights. The directory can be found in the VMM installation under: <Driveletter>:\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\bin\AddInPipeline.
      • Update 24-02-2015: Microsoft released a hotfix for UR5 that addresses replica and SMB share issues. The link to the KB can be found here, link.

For all the details on SCVMM 2012 R2 UR5, see the following:

  • KB3023195 – Description of the security update for Update Rollup 5 for System Center 2012 R2 Virtual Machine Manager, link