2FA group or user depending

Discussion in 'Parallels Remote Application Server Feature Suggestions' started by PatrickD8, Jun 19, 2019.

  1. PatrickD8

    PatrickD8 Bit Poster

    Messages:
    30
    Hi Parallels team,
    we want to provide 2FA to some of our users. Enabling 2FA under "Connection >> Second level authentication" activates 2FA for all.
    I know you can use exclusion lists. However, I find this approach a bit unfavorable and cumbersome to manage.
    If you have a 2FA and a non-2FA environment, you would need 4 secure gateways for fail-safety.
    In my opinion, it would make more sense to whitelist at group or user level, just like with the published items.
    This reduces the complexity of the environment and an admin has more precise control over the authorized users.

    I would be very happy if you implement this option.

    Best regards
    Patrick
     
  2. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Hi Patrick,
    Thanks for the feedback! We have this request already and plan to implement it in future versions. Can't give you any precise estimates at the moment.
    I'll add you to the list of requestors of the feature.
     
  3. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    The feature was just released in RAS version 17.1-Update1.
    To configure it Open MFA configuration in RAS Console, select the User or group exclude list option and click Configure.
     
  4. PatrickD8

    PatrickD8 Bit Poster

    Messages:
    30
    Hi Eugene,
    I have already taken note of this. Thanks for the implementation. I don't understand your strict blacklisting approach.
    Why not whitelisting? For most companies, 2FA is still something optional, which allows users to further increase their security.
    It would be easier for administrators to assign users to a 2FA group than to create multiple exclusions and possibly even cause problems.
    Or maybe I somehow misunderstand your approach?

    Best regards
    Patrick
     
  5. JulianMoo

    JulianMoo Bit Poster

    Messages:
    16
    I have a similar request.
    Lets say we have two different kind of of users.

    User #1: Internal User (will never access the environment from external)
    User #2: Internal & External Users (should use 2FA outside the corporate network)

    If we enable the MFA Provider (Google Authenticator) without any exclusions both users need to enroll a TOTP during the first login.
    This is not a scenario we want to happen. We only want to enroll a TOTP for User #2.
    So my idea was to exclude the Multi-factor authentication with an Active Director Group called "Parallels_2FA-Exclude".
    Unfortunately the exclude is only working if we specify a Secure Gateway... In this environment we only have two Secure Gateways for External connections.
    Does it mean that we need to have dedicated Gateways for the LAN? We plan to use "Direct SSL Mode" inside the company network and not tunnel the connections trough a Secure Gateway. This is creating unnecessary overhead, increasing virtual machine resources and of course we will need more Windows Server licenses.
    Lets just assume we would go the path with two dedicated Gateways in the LAN zone: How should we configure the Load Balancing? HALB is already in use for the DMZ Gateways. This will result in a second site = even more resources. Another approach would be to make use of a 3rd party load balancing system like Citrix ADC or KEMP. (As I have heard the Load Balancing issue will be gone with RAS 18 because there will be a change with HALB -> Allowing multiple VIPs to be created)

    Feature Requests:
    - Do not allow TOTP Enrollment when working in Direct SSL Mode (or give an option to enable it)
    - Only allow enrolling TOTP from inside the company's network (Security)
    - Allow to specify Public IPs/Ranges to exclude Multi-Factor authentication

    Julian
     

Share This Page