Question

How to enable MFA for users coming from external connections only

asked on October 19, 2022

The customer has internal LF, Web Client and LFDS, in addition to a DMZ server with a reverse proxy for the same users in case they log in from outside their internal network.

How can we enable MFA for the users only in case they log in externally?

0 0

Replies

replied on October 19, 2022

MFA is not set on the LFDSSTS, it is set at the LFDS level. Because of this, I believe it is either enabled for certain user accounts or it isn't. I don't think there is a way to only set it based on if they are authenticating internally or externally. I would also note that MFA in LFDS only works for Laserfiche Accounts. If you want MFA for other types of accounts, that would need to be configured based on the type of identity provider you are using.

1 0
replied on October 19, 2022

Correct. 

The typical way we see people enforce this is with a federated SSO authentication provider like AD FS, Azure AD, or Okta, and then setting up "Conditional Access" policies that only challenge for MFA when the request comes from outside the network.

Laserfiche (LFDS) accounts do not have conditional MFA policies. MFA is either enabled or not.

1 0
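
The AD FS variant of the approach described in the reply above, as an added example that is not part of the original thread and is not Laserfiche's own configuration. It assumes Laserfiche sign-in is federated to AD FS; the relying party trust name `Laserfiche STS` is hypothetical.

```powershell
# Added example. Run on the primary AD FS server in an elevated session.
Import-Module ADFS

# Hypothetical display name of the relying party trust that represents
# Laserfiche in AD FS; replace with the name used in your farm.
$rpName = 'Laserfiche STS'

# The rule below can only trigger MFA if an additional authentication
# provider is enabled in the global authentication policy.
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if (-not $providers) {
    throw 'No additional authentication provider is enabled in the global authentication policy.'
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party trust '$rpName' was not found."
}

# The insidecorporatenetwork claim is "false" when the request reached AD FS
# through Web Application Proxy. For those requests only, demand the
# multipleauthn authentication method, which is what forces the MFA challenge.
$rule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read the rule back to confirm it is stored on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The internal/external decision rests on that claim, so external sign-ins have to reach AD FS through Web Application Proxy. Requests forwarded to AD FS by a generic reverse proxy in the DMZ are seen as internal and are not challenged.
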
replied on October 19, 2022

Currently the DMZ is configured as a reverse proxy for LFDSSTS, and we are thinking that even if we installed another LFDSSTS instance on the DMZ server, this will not solve the problem, as MFA configuration is on the LFDS level, not STS.

0 0