Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with concepts and features like, and.

You should already have a working primary authentication configuration for your VMware View Server users before you begin to deploy Duo.

To integrate Duo with your VMware View Server, you will need to install a local proxy service on a machine within your network.
This Duo proxy server also acts as a RADIUS server — there's usually no need to deploy a separate RADIUS server to use Duo.

Next, locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports these operating systems:

- Windows Server 2008 R2 or later (Server 2016 or 2019 recommended)
- CentOS 7 or later
- Red Hat Enterprise Linux 7 or later
- Ubuntu 16.04 or later
- Debian 7 or later

Then you'll need to:
- Log in to the and navigate to Applications.
- Click Protect an Application and locate VMware View in the applications list.
- Click Protect this Application to get your integration key, secret key, and API hostname. See for help.

Ensure that Perl, Python 2.6 or 2.7 (including development headers and libraries), and a compiler toolchain are installed.
On most recent RPM-based distributions — like Fedora, Red Hat Enterprise, and CentOS — you can install these by running (as root):

    $ yum install gcc make python-devel libffi-devel perl zlib-devel

On Debian-derived systems, install these dependencies by running (as root):

    $ apt-get install build-essential python-dev libffi-dev perl zlib1g-dev

Download the most recent Authentication Proxy for Unix from. Depending on your download method, the actual filename may reflect the version e.g. View checksums for Duo downloads.

Extract the Authentication Proxy files and build it as follows:

    $ tar xzf duoauthproxy-latest-src.tgz
    $ cd duoauthproxy-version-src
    $ make

Install the authentication proxy (as root):

    $ cd duoauthproxy-build
    $ ./install

Follow the prompts to complete the installation. The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own.

If you ever need to uninstall the proxy, run /opt/duoauthproxy/uninstall.

Configure the Proxy

After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

    Platform            Default Configuration Path
    Windows (64-bit)    C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
    Windows (32-bit)    C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
    Linux               /opt/duoauthproxy/conf/authproxy.cfg

The configuration file is formatted as a simple.
Section headings appear as:

    [section]

Individual properties beneath a section appear as:

    name=value

The Authentication Proxy may include an existing authproxy.cfg with some example content. For the purposes of these instructions, however, you should delete the existing content and start with a blank text file. We recommend using WordPad or another text editor instead of Notepad when editing the config file on Windows.

Configure the Proxy for Your Primary Authenticator

In this step, you'll set up the Proxy's primary authenticator — the system which will validate users' existing passwords. In most cases, this means configuring the Proxy to communicate with Active Directory or RADIUS.

Active Directory

To use Active Directory/LDAP as your primary authenticator, add an [ad_client] section to the top of your config file. Add the following properties to the section:

Required

host
The hostname or IP address of your domain controller.

service_account_username
The username of a domain account that has permission to bind to your directory and perform searches.
We recommend creating a service account that has read-only access.

service_account_password
The password corresponding to service_account_username. If you're on Windows and would like to encrypt this password, see in the full Authentication Proxy documentation.

search_dn
The LDAP distinguished name (DN) of an Active Directory container or organizational unit (OU) containing all of the users you wish to permit to log in.
For example:

    search_dn=DC=example,DC=com

Optional

host_2
The hostname or IP address of a secondary/fallback domain controller. You can add additional domain controllers as host_3, host_4, etc.

security_group_dn
To further restrict access, specify the LDAP distinguished name (DN) of a security group that contains the users who should be able to log in. Other users will not pass primary authentication.
For example:

    security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

For example:

    [ad_client]
    host=1.2.3.4
    host_2=1.2.3.5
    service_account_username=duoservice
    service_account_password=password1
    search_dn=DC=example,DC=com
    security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

For advanced Active Directory configuration, see the.

RADIUS

To use RADIUS as your primary authenticator, add a [radius_client] section to the top of your config file. Then add the following properties to the section:

Required

host
The IP address of your RADIUS server. You can add backup servers with host_2, host_3, etc.

secret
A secret to be shared between the Authentication Proxy and your existing RADIUS server.
If you're on Windows and would like to encrypt this secret, see in the full Authentication Proxy documentation.

Optional

port
The authentication port on your RADIUS server. Use port_2, port_3, etc. to specify ports for the backup servers.
Default: 1812

pass_through_all
If this option is set to true, all RADIUS attributes set by the primary authentication server will be copied into RADIUS responses sent by the proxy.
Default: false

For example:

    [radius_client]
    host=1.2.3.4
    secret=radiusclientsecret

In addition, make sure that the RADIUS server is configured to accept authentication requests from the Authentication Proxy.

For advanced RADIUS configuration, see the.

Configure the Proxy for Your VMware View Server

Next, we'll set up the Authentication Proxy to work with your VMware View Server. Create a [radius_server_challenge] section and add the properties listed below.
If you've already set up the Duo Authentication Proxy for a different RADIUS Challenge application, append a number to the section header to make it unique, like [radius_server_challenge2].

Required

ikey
Your integration key.

skey
Your secret key.

api_host
Your API hostname (e.g. 'api-XXXXXXXX.duosecurity.com').

radius_ip_1
The IP address of your VMware View Server.

radius_secret_1
A secret to be shared between the proxy and your VMware View Server.
If you're on Windows and would like to encrypt this secret, see in the full Authentication Proxy documentation.

client
The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a 'client' section elsewhere in the config file.

- ad_client: Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.
- radius_client: Use RADIUS for primary authentication. Make sure you have a [radius_client] section configured.
- duo_only_client: Do not perform primary authentication.
Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one 'client' section. If you have multiple, each 'server' section should specify which 'client' to use.

Optional

port
The port on which to listen for incoming RADIUS Access Requests. If you have multiple RADIUS server sections you should use a unique port for each one.
Default: 1812

failmode
Either 'safe' or 'secure':

- 'safe': In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. This is the default.

Open an Administrator command prompt and run:

    net start DuoAuthProxy

Alternatively, open the Windows Services console (services.msc), locate 'Duo Security Authentication Proxy Service' in the list of services, and click the Start Service button.

If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

If you see an error saying that the 'service could not be started', open the Application Event Viewer and look for an Error from the source 'DuoAuthProxy'. The traceback may include a 'ConfigError' that can help you find the source of the issue.

Stop and restart the Authentication Proxy service by either clicking the Restart Service button in the Windows Services console or issuing these commands from an Administrator command prompt:

    net stop DuoAuthProxy & net start DuoAuthProxy
Open a root shell and run:

    # /opt/duoauthproxy/bin/authproxyctl start

To ensure the proxy started successfully, run:

    # /opt/duoauthproxy/bin/authproxyctl status

Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

To stop and restart the Authentication Proxy, open a root shell and run:

    # /opt/duoauthproxy/bin/authproxyctl restart

If you modify your authproxy.cfg configuration after initial setup, you'll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.
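A pre-restart check for the configuration described above, as an added example that is not part of Duo's documentation or tooling. The function name lint_authproxy, the rule set and the sample values are constructed for illustration; the rules come only from the required properties, the unique-port advice and the 'safe' failmode behaviour stated in this guide.

```python
import configparser

# Constructed sample config: placeholder keys plus this guide's example secrets.
SAMPLE_CFG = """
[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-secret-key
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=radiusclientsecret
client=radius_client
failmode=safe
"""

REQUIRED = {  # required properties per section type, as listed in this guide
    "ad_client": ["host", "service_account_username", "service_account_password", "search_dn"],
    "radius_client": ["host", "secret"],
    "radius_server_challenge": ["ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1"],
}
DOC_EXAMPLE_SECRETS = {"password1", "radiusclientsecret"}  # values printed in this guide


def lint_authproxy(text):
    """Return a sorted list of findings for an authproxy.cfg passed as text."""
    cfg = configparser.RawConfigParser()  # raw: secrets may contain '%'
    cfg.read_string(text)
    findings, ports = [], {}
    for section in cfg.sections():
        base = section.rstrip("0123456789")  # radius_server_challenge2 -> base name
        opts = dict(cfg.items(section))
        findings += [f"{section}: missing required '{k}'" for k in REQUIRED.get(base, []) if not opts.get(k)]
        findings += [f"{section}: '{k}' still uses a documentation example value"
                     for k, v in opts.items() if v in DOC_EXAMPLE_SECRETS]
        if base != "radius_server_challenge":
            continue
        client = opts.get("client")
        if client and not cfg.has_section(client):
            findings.append(f"{section}: client '{client}' has no matching section")
        if opts.get("failmode", "safe") == "safe":  # 'safe' is the default
            findings.append(f"{section}: failmode=safe permits logins without Duo if the service is unreachable")
        port = opts.get("port", "1812")  # default listening port
        if port in ports:
            findings.append(f"{section}: port {port} already used by {ports[port]}")
        ports[port] = section
    return sorted(findings)
```

Run it against the real file with lint_authproxy(open("/opt/duoauthproxy/conf/authproxy.cfg").read()) before restarting the proxy; an empty list means none of these checks fired.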
By Pat Lee, director, End-User Clients, VMware

The View Clients team is excited to release our latest clients for Windows, Linux, Mac, iPad and Android. The new client releases are optimized to deliver the best possible experience when combined with.

Optimized for VMware View 5.1

The new View Clients have up to 3x better video playback, improved interactive performance, and more robust performance on high-latency and lossy networks. See for more details.

Also, the new View Clients work with VMware View 5.1 to support additional two-factor authentication vendors, leveraging a RADIUS client in the View 5.1 Connection Server.
This gives you more choice when implementing single sign-on or security tokens in your virtual desktops.

Support for the Latest iPad and Android Devices

The new VMware View Client for iPad has been updated to support the new third-generation iPad and deliver better video playback and interactive performance for users of the new iPad.

The new VMware View Client for Android supports Android 4.0, otherwise known as Ice Cream Sandwich (ICS). The latest View Client takes advantage of new ICS features to deliver excellent support for USB and Bluetooth external mice.