Obtain internal IP address (not public) when applying policy for Omnissa VDI

We've integrated AuthPoint with our Omnissa UAG server so external users need to MFA but internal users do not. We also installed the AuthPoint Logon App on the VDI clients themselves. What I'd like to have happen is to allow certain AuthPoint groups to bypass MFA when logging into the VDI clients internally from a private subnet (using network locations created in the 'Policy Objects' area). However, it seems AuthPoint is only obtaining the public IP address users log in from when determining which policy to apply.

Is AuthPoint able to get the local IP from the VDI Blast protocol, or is it planned? I also tried allowing the desktop pool to use RDP, with the same result.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @bmccorkle, the Logon app works based off the public IP of the network.

    (Network Location Policy Objects)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/policy-objects_network-location.html

    See "Example 1 — Terminal Safe Location"
    The network location must include the public IP address of the Firewall or NAT device. In the example shown, you would create a network location with the public IP addresses 203.0.113.25 and 192.0.2.30.

    AuthPoint won't accept the IP from something else for the logon app. You'll need to use the public IP instead of the private one.

    -James Carson
    WatchGuard Customer Support

  • edited August 7

    Thanks James, maybe I'm reading the documentation too fast, but why does it talk about creating a 'Safe Location' in Example 3 (RDP) if it only grabs public IP addresses?

    "This example applies to organizations that only use virtual machines that are deployed on local servers. In this example, we want to allow users that are on a local network to connect to virtual machines that have the agent for Windows (Logon app) installed and log in with only their passwords.

    Because AuthPoint uses the internal IP address to validate the network location for RDP requests, we must configure the network location to use the local network IP address or IP range. In the example shown, you would create a network location with the IP address of the computer: 172.16.0.33."
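The two cases discussed in this thread (Logon app logins matched by the public NAT address, RDP requests matched by the internal address) modelled in a small, constructed evaluator. This is an added illustration, not WatchGuard code; the matching rule for each login kind is an assumption taken from the replies above, and the addresses are the documentation's examples plus a made-up private subnet.

```python
import ipaddress

# Constructed network-location objects (not exported from a real AuthPoint tenant).
# "terminal-safe-location" follows Example 1: the public addresses of the NAT device.
# "rdp-local-network" follows Example 3: the internal address seen on RDP requests.
# "private-subnet-attempt" is the configuration the original poster tried.
NETWORK_LOCATIONS = {
    "terminal-safe-location": ["203.0.113.25", "192.0.2.30"],
    "rdp-local-network": ["172.16.0.33"],
    "private-subnet-attempt": ["10.20.30.0/24"],  # constructed private range
}


def address_checked(login_kind, private_ip, public_ip):
    """Return the address AuthPoint compares against a network location.

    Assumption from the thread: RDP requests are evaluated by the internal IP,
    every other Logon app login (console, Blast) by the public IP of the NAT device.
    """
    return private_ip if login_kind == "rdp" else public_ip


def in_location(ip, location):
    """True when ip falls inside any address or CIDR range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(entry, strict=False)
        for entry in NETWORK_LOCATIONS[location]
    )


def mfa_required(login_kind, private_ip, public_ip, location):
    """MFA is skipped only when the address AuthPoint actually sees matches the location."""
    checked = address_checked(login_kind, private_ip, public_ip)
    return not in_location(checked, location)


if __name__ == "__main__":
    # Blast login from a VDI client on 10.20.30.40 behind NAT address 203.0.113.25:
    # the private-subnet location never matches, the public-address location does.
    print(mfa_required("blast", "10.20.30.40", "203.0.113.25", "private-subnet-attempt"))
    print(mfa_required("blast", "10.20.30.40", "203.0.113.25", "terminal-safe-location"))
    # RDP request from 172.16.0.33 is matched on the internal address.
    print(mfa_required("rdp", "172.16.0.33", "203.0.113.25", "rdp-local-network"))
```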
