Streamline 3rd party application access with VMware Horizon by leveraging Azure AD B2B Guest Accounts

Most organisations need to give third-party organisations secure access to their on-premises applications. How can you achieve this without the burden of creating internal identities or granting remote staff and contractors virtual private network (VPN) access? VPN access, by its very nature, may expose those contractors to a far wider range of services than you intend, and it introduces unforeseen risks by allowing unmanaged and unprotected devices onto your corporate network.

VMware Horizon can provide a fantastic solution: a flexible presentation layer for remote contractors and third parties to access your internal systems. Horizon can also leverage SaaS identity providers such as Azure AD (Entra ID) and Okta so that only authorised users can access your internal applications.

If you are already using Azure AD, you can also leverage Azure Active Directory (Azure AD) B2B guest accounts (B2B collaboration). As detailed in Microsoft’s documentation: “With B2B collaboration, you can securely share your company’s applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don’t have Azure AD or an IT department.”

Combined with Horizon, this provides a much easier approach to secure access to Horizon-delivered applications: it eliminates the VPN and the need to maintain third-party identities in your corporate directory. The following architecture diagram highlights this approach.

This blog article details how to configure this architecture in your environment. I’ll refer to a range of existing (fantastic) blog articles which already cover some areas.

Enable Horizon Unauthenticated Access

VMware Horizon provides a feature called Unauthenticated Access that allows published applications to be accessed without Active Directory authentication. You might be thinking: I certainly don’t want people external to my organisation accessing anything without authentication! True. Authentication will be performed by Azure AD (SAML) via the Unified Access Gateway (UAG) virtual appliances. Only authenticated users will then be given access to the published applications. We’ll configure Horizon Unauthenticated Access to use a default Active Directory account, for example unauthenticateduser@acme.org.

Create Users for Unauthenticated Access

Within Active Directory, create a new user that you will use for unauthenticated access. For example, in my lab I created a user account called UnAuthenicated User1.

As per the VMware documentation, add this user in the Horizon console:

  1. In Horizon Administrator, select Users and Groups.
  2. On the Unauthenticated Access tab, click Add.
  3. In the Add Unauthenticated User wizard, select one or more search criteria and click Find to find users based on your search criteria (The user must have a valid UPN)
  4. Select a user and click Next (Repeat this step to add multiple users)
    (Optional) Enter the user alias.
    The default user alias is the user name that was configured for the AD account. End users can use the user alias to log in to the Connection Server instance from Horizon Client.
    (Optional) Review the user details and add comments.
  5. Click Finish.

My account in my lab is shown below:

Enable Unauthenticated Access for Users

After you create users for unauthenticated access, you must enable unauthenticated access in the Connection Server to enable users to connect and access published applications.

As per the VMware documentation, enable this in the Horizon console:

  1. In Horizon Administrator, select View Configuration > Servers.
  2. Click the Connection Servers tab.
  3. Select the Connection Server instance and click Edit.
  4. Click the Authentication tab.
  5. Change Unauthenticated Access to Enabled.
  6. From the Default unauthenticated access user drop-down menu, select a user as the default user. The default user must be present on the local pod in a Cloud Pod Architecture environment. If you select a default user from a different pod, Connection Server creates the user on the local pod before it makes the user the default user.
    (Optional) Enter the default session timeout for the user.
    The default session timeout is 10 minutes after being idle.
  7. Click OK.

The settings from my lab are as follows:

Entitle Unauthenticated Access Users to Published Applications

After you create an unauthenticated access user, you must entitle the user to access published applications.

As per the VMware documentation, entitle unauthenticated access for each published application:

  1. In Horizon Administrator, select Catalog > Application Pools and click the name of the application pool.
  2. Select Add entitlement from the Entitlements drop-down menu.
  3. Click Add, select one or more search criteria, click Find, and select the Unauthenticated Users check box to find unauthenticated access users based on your search criteria.
  4. Select the users to entitle to the applications in the pool and click OK.
  5. Click OK to save your changes. An unauthenticated access icon appears next to the unauthenticated access user after the entitlement process completes.

This is shown as follows:

Test Unauthenticated Access

Let’s first test that this is working from your internal network. From a Windows desktop, open the Horizon client, select the three dots (top right-hand corner) and enable Unauthenticated Access as shown:

Click Add Server and enter the host name of your internal Horizon Connection Server. You should then be able to double-click the Horizon server to launch your published application.

Deploy Unified Access Gateway (UAG) virtual appliances

The next step is to deploy a UAG virtual appliance. I’ve detailed how to deploy a UAG previously in the blog article Getting Started with Horizon 8; scroll down to the UAG section.

Once your UAG is deployed, ensure you can successfully access a Horizon published application from the Internet by authenticating with your Active Directory credentials.

Log in to the UAG admin console, select the gear icon next to Horizon Settings, and change the Gateway Location to Internal.

Ensure you select Save.

Azure AD Guest Group

Create a Guest Users Group in Azure AD

The next step is to create a group called Guest Users (or similar name) in Azure AD.

As Pete Lindley spells out in his blog article using Workspace ONE Access (the same approach, but we’re using UAGs instead), because we don’t want to add each user to this group manually, we can make it a dynamic group so that every guest user is automatically entitled. This isn’t mandatory; it is just an easy way to enable guest users to authenticate to Identity Manager.

Create the dynamic rule as follows:

Integrating the UAG with Azure AD

The next step is to configure the UAG appliance with Azure AD, so that only authenticated users via Azure AD can access Horizon resources.

There is an excellent blog article by Michiel (MickeyByte) titled VMware Horizon authentication using AzureAD (with multifactor) – Part 4: SAML Setup which details the steps to integrate both solutions.

For the Azure AD enterprise app, ensure that you add the dynamic group Guest Users you created in the previous step.

Setup Horizon True SSO

Since you’ll be using SAML authentication with Azure AD, you’ll need to set up Horizon True SSO.

To set up True SSO on the MSP Access tenant, follow Carl Stalhood’s excellent step-by-step instructions in VMware Horizon True SSO with UAG SAML.

Once True SSO is set up, check that it’s all showing as healthy in the Horizon console.

Even with everything showing as green ticks, my test users were still being prompted for their password. So I downloaded the True SSO Diagnostic Utility Fling to check everything was OK. You can run this command from your enrollment server.

If everything shows green ticks on the Horizon side and True SSO has passed its diagnostic tests, you’re ready to go.

Invite an external user

Log in to the Azure portal and select Azure Active Directory. Then select Users > New user > Invite external user.

Fill in details for the user at another company as follows:

Click Review + invite.

The invited user will receive an email to accept this invitation as follows:

The user will need to click Accept.
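As an added example (not code from the original article, nor from VMware or Microsoft), the following Microsoft Graph PowerShell script performs the two Azure AD steps described above: creating the dynamic Guest Users group and inviting an external user. It assumes the Microsoft.Graph PowerShell SDK is installed, that $GuestEmail and $UagUrl are placeholders you replace, and that the dynamic rule matches on the standard userType attribute (the rule in the author’s screenshot is not reproduced on this page).

```powershell
# Added example, not from the original article: create the dynamic "Guest Users"
# group and send a B2B invitation using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the two values below are placeholders.

$GuestEmail = 'contractor@partner.example'   # placeholder: external user to invite
$UagUrl     = 'https://uag.example.org'      # placeholder: public URL of your UAG

# Request only the scopes the three operations below need.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Invite.All', 'User.Read.All'

# 1. Dynamic group: the membership rule matches every B2B guest (userType = Guest),
#    so new guests are entitled without editing the group by hand. This rule is an
#    assumption; the article's screenshot of the rule is not reproduced on the page.
$rule  = '(user.userType -eq "Guest")'
$group = Get-MgGroup -Filter "displayName eq 'Guest Users'"
if (-not $group) {
    $group = New-MgGroup -DisplayName 'Guest Users' `
        -MailEnabled:$false -MailNickname 'guestusers' -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}
Write-Host "Guest Users group id: $($group.Id)"

# 2. Invite the external user; after accepting, the redirect lands them on the UAG.
$invite = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl $UagUrl -SendInvitationMessage:$true
Write-Host "Invited $GuestEmail (status: $($invite.Status))"

# 3. Check: confirm the new object really is userType Guest, so the dynamic rule
#    picks it up and an accidentally created Member account would stand out.
$guest = Get-MgUser -UserId $invite.InvitedUser.Id -Property 'userPrincipalName','userType'
Write-Host "$($guest.UserPrincipalName) userType=$($guest.UserType)"
```

Dynamic membership is evaluated asynchronously, so the guest may take a few minutes to appear in the group after accepting the invitation.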

Accessing your Horizon Apps

The final step is to browse to your UAG from an Internet-connected device. Select either Launch Native Client or VMware Horizon HTML Access. You will be redirected to the guest user’s own Azure AD tenant to authenticate (not your company’s Azure AD tenant). Remember, you invited them!

Once they have authenticated, they’ll be shown the Horizon apps from your organisation in the Horizon portal or native client, as shown.

When they double-click an application, it will seamlessly launch on their computer. That’s it!
