You’ve decided it’s time to expand your Workspace Portal deployment from internal-only to also allowing external access. You’ve set up your Load Balancer, gotten your certificates in place, and now you’re tasked with configuring internal and external authentication methods.
This post covers the configuration needed for Kerberos on internal connections, while allowing username/password authentication from external connections.
First, let’s set up your access policies. Access Policies allow you to specify criteria that users must meet in order to access Workspace Portal. We’re going to configure the Default Access Policy Set to include two policies: internal and external.
For our internal connections, we’re going to utilize Kerberos. Configuring Kerberos isn’t covered in this post, so ensure you have it working first. Here are some helpful posts for setting it up:
For our external connections, we’ll let our users authenticate with their Active Directory synced usernames and passwords. Ensure your Directory Sync rules from the Connector Service Admin page include all desired AD groups and that they’re synced regularly.
First: ensure you’ve created both an internal and an external Network Range:
- Log into the Workspace Admin Portal > Settings > Network Ranges
- Click + Network Range to add our internal range. Configure this to the appropriate subnets used in your LAN.
- We’ll use the default ALL RANGES entry for our external connections
Then, from the Policies tab, we’ll edit the default_access_policy_set to correspond to these network ranges.
- Click + Access Policy and name it internal. Set it to use a Minimum Authentication Score of 1.
- Then select the default ‘web policy’ which corresponds to our external network range. We’ll set this to a Minimum Authentication Score of 2.
NOTE: Be sure to re-arrange the policies so that internal is on top and ‘web policy’ is on the bottom, then click Save.
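The ordering in the NOTE above can be checked offline before you click Save. The following is an added example, not part of the original post or of Workspace Portal: it assumes policies are evaluated top to bottom with the first matching network range winning, and the internal subnets are constructed placeholders.

```python
import ipaddress

# Constructed sample ranges (IPv4 only); replace INTERNAL with your LAN subnets.
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
ALL_RANGES = ["0.0.0.0/0"]  # stands in for the default ALL RANGES entry

# (policy name, network range, Minimum Authentication Score) in evaluation order.
CORRECT = [("internal", INTERNAL, 1), ("web policy", ALL_RANGES, 2)]
WRONG = [("web policy", ALL_RANGES, 2), ("internal", INTERNAL, 1)]


def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def select_policy(policies, client_ip):
    """Return (name, min_score) of the first policy whose range holds client_ip.

    First-match, top-to-bottom evaluation is an assumption of this model.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, cidrs, min_score in policies:
        if any(ip in n for n in nets(cidrs)):
            return name, min_score
    return None


def shadowed_policies(policies):
    """Names of policies that can never match because the ranges of the
    policies above them already cover every one of their subnets."""
    seen, dead = [], []
    for name, cidrs, _ in policies:
        mine = nets(cidrs)
        # Collapsing merges adjacent earlier ranges so coverage is exact.
        earlier = list(ipaddress.collapse_addresses(seen))
        if all(any(n.subnet_of(e) for e in earlier) for n in mine):
            dead.append(name)
        seen.extend(mine)
    return dead


if __name__ == "__main__":
    for label, order in (("correct", CORRECT), ("wrong", WRONG)):
        print(label, select_policy(order, "10.1.2.3"), shadowed_policies(order))
```

With ‘web policy’ on top, the internal policy is reported as shadowed and an internal client is handed the external policy's score requirement instead of its own.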