New Citrix NetScaler VPX 10 Access Gateway and SAM · 2020. 4. 7. · Citrix NetScaler VPX 10...
Quick Start Guide: Protecting Citrix NetScaler VPX 10 Access Gateway with SAM 8.2 Copyright © 2013 SafeNet, Inc., All rights reserved.
Page 1 of 15
Citrix NetScaler VPX 10 Access Gateway and SAM
QUICK START GUIDE
Protecting Citrix NetScaler VPX 10 Access Gateway with SAM 8.2 Using Multi-Factor Authentication
Contents
Description, page 2
Applicability, page 2
Audience, page 2
Overview, page 3
Dataflow of RADIUS Authentication Using SAM, page 4
NPS Configuration, page 5
SafeNet Authentication Manager Configuration, page 6
SAM 8.2 Installation, page 6
SAM 8.2 OTP Connector, page 6
Configuring RADIUS Authentication, page 7
User Store Deployment, page 10
Supported User Stores, page 10
Supported Tokens, page 11
Supported OTP Hardware Tokens, page 11
Supported OTP Software-Based Tokens, page 11
Running the Solution, page 12
Customizing the Citrix Logon Page, page 14
Description
SafeNet Authentication Manager (SAM) enables complete user authenticator life cycle management. SAM links
tokens with users, organizational rules, and security applications to enable streamlined handling of users' needs
throughout the various user authenticator lifecycle stages.
Citrix NetScaler VPX 10 Access Gateway (AG) is a secure application and data access solution that gives IT
administrators a single point interface for managing access control and limiting actions within sessions based on
both user identity and the endpoint device.
Integrating SAM with Citrix AG provides a strong authentication approach based on multi-factor authentication
(MFA) for handling evolving business requirements, as well as new threats, risks, and vulnerabilities.
This document provides guidance for deploying multi-factor authentication in Citrix NetScaler VPX 10 Access
Gateway using authentication methods that are managed by SafeNet Authentication Manager.
The user store is configured and synchronized between Citrix AG and SAM. The solution supports various user stores,
as described in the Supported User Stores section (page 10). In this document, Citrix AG uses Microsoft’s Active Directory (AD) as its user store.
In this document, the demonstrated solution includes One-Time Password (OTP) authentication.
Applicability
The information in this document applies to Citrix NetScaler VPX 10 Access Gateway and SafeNet Authentication
Manager version 8.2.
Audience
This document is targeted to system administrators who are familiar with Citrix NetScaler VPX 10 Access Gateway
and are interested in adding multi-factor authentication using SafeNet Authentication Manager.
NOTE
In this guide, the words “token” and “authenticator” are used interchangeably.
Overview
This document assumes that Citrix NetScaler VPX 10 Access Gateway (AG) is deployed properly in the
organization. The guide will take you through the process of adding multi-factor authentication (MFA) capabilities to
Citrix AG using SafeNet Authentication Manager (SAM).
While Citrix AG can be configured to support multi-factor authentication in a number of ways, for the purpose of
working with SafeNet Authentication Manager, the RADIUS protocol¹ is used.
The deployment of MFA support using SAM with Citrix AG involves the following major steps:
A. Configure RADIUS communication between Citrix AG and SAM.
B. Synchronize the AG user store with SAM.
C. Configure NPS and SafeNet's OTP Plug-In for Microsoft RADIUS Client.
D. Assign tokens to users.
See the Supported Tokens section for the list of supported One-Time Password (OTP) tokens.
E. Test the authentication solution.
NOTE
This document assumes that the Citrix AG environment is already configured and working with
‘static’ passwords prior to implementing multi-factor authentication using SAM.
¹ Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized
authentication, authorization, and accounting management for computers that connect to and use a network service.
Dataflow of RADIUS Authentication Using SAM
Figure 1 illustrates the dataflow of multi-factor authentication for Citrix AG:
1. The user attempts to log on to the organizational network, which is protected by Citrix AG. The user’s two-factor
credentials are sent to AG.
2. Citrix AG sends a RADIUS request containing the user’s credentials to the NPS Server.
3. The NPS Server forwards the user’s credentials to SafeNet Authentication Manager through SafeNet’s OTP
Plug-In, and SAM validates the credentials.
4. SAM’s reply (approved or rejected) is sent back to the NPS Server.
5. The NPS server forwards the reply to AG.
6. The user is granted or denied access to the network, based on the validation process result.
Figure 1: Dataflow of multi-factor authentication for Citrix AG using SAM
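The exchange in steps 2 to 6, as an added example that is not part of the original guide: a Python model of the RADIUS Access-Request and reply between Citrix AG and NPS, built from RFC 2865 with constructed values (no network and no real NPS; the secondary policy carries the OTP passcode as User-Password). It shows what the shared secret entered in the NPS client entry actually does: it hides the User-Password attribute and authenticates the Accept/Reject verdict, so a reply built with the wrong secret, or a verdict altered in transit, fails the client's check.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865); NPS listens on UDP 1812
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attr(atype, value):
    # Type-Length-Value; Length includes the 2-byte header
    return struct.pack("!BB", atype, len(value) + 2) + value


def _pw_xor(data, secret, authenticator, decrypt):
    # User-Password hiding: each 16-byte block is XORed with MD5(secret + previous
    # block), the first with the Request Authenticator. Reversible with the secret.
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out


def build_access_request(ident, secret, user, passcode, authenticator=b""):
    # Step 2: Citrix AG (RADIUS client) sends the user's credentials to NPS
    authenticator = authenticator or os.urandom(16)  # fresh random bytes per request
    hidden = _pw_xor(passcode.encode(), secret, authenticator, decrypt=False)
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def decode_passcode(request, secret):
    # Step 3: what NPS recovers before handing the credentials to the SAM OTP plug-in
    pos, hidden = 20, b""
    while pos < len(request):
        atype, alen = request[pos], request[pos + 1]
        if atype == USER_PASSWORD:
            hidden = request[pos + 2:pos + alen]
        pos += alen
    return _pw_xor(hidden, secret, request[4:20], decrypt=True).rstrip(b"\x00").decode()


def build_response(code, request, secret, attrs=b""):
    # Steps 4-5: NPS returns SAM's verdict; Response Authenticator = MD5(header + RequestAuth + attrs + secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    # Step 6: AG acts on a verdict only if identifier, length and authenticator check out; code or None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

Because the password hiding is only MD5 keyed by the shared secret, the RADIUS path between AG and NPS should be confined to a trusted network segment and use a long, unique secret.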
NPS Configuration
Communication between Citrix AG and Microsoft Network Policy Server (NPS) is based on RADIUS protocol. NPS
can be used as a RADIUS Server to perform authentication, authorization, and accounting for RADIUS clients.
To add a RADIUS client entry in NPS so that it can receive RADIUS authentication requests from Citrix AG, ensure
that you have the following information:
the IP address of Citrix AG
the shared secret to be used by both NPS and Citrix AG
To configure Citrix AG as a RADIUS client:
1. Go to Start > Administrative Tools > Network Policy Server.
2. In the left pane, open RADIUS Clients and Servers, and select RADIUS Clients.
3. From the menu bar, select Action > New.
The New RADIUS Client window opens.
4. In the Friendly name field, enter a friendly name for the client.
5. In the Address field, enter the IP address or the DNS name of the Citrix AG server.
6. In the Shared Secret field, enter a secret that was manually or automatically generated.
This secret will be needed later for the Citrix AG RADIUS authentication configuration.
7. Click OK to save the configuration.
SafeNet Authentication Manager Configuration
SafeNet's OTP Plug-In for Microsoft RADIUS Client works with Microsoft’s Internet Authentication Service (IAS)
Server or Network Policy Server (NPS) to provide strong authentication for remote access through the Microsoft
IAS or NPS RADIUS Server. When configured, users requesting remote access to their network using IAS or NPS
are prompted to enter a token-generated OTP passcode.
SAM 8.2 Installation
For the integration described in this document, install One-Time Password (OTP) authentication for MS RADIUS
Client.
When installing SAM using the SafeNet Authentication Manager 8.2 Installer, install OTP Authentication >
RADIUS Authentication.
If the RADIUS Server and SAM are on the same computer, use the SafeNet Authentication Manager 8.2
Installer to install SAM OTP Plug-Ins, or install the OTP Plug-In for Microsoft RADIUS Client using the
SafeNet OTP Plug-In Package 8.2.
If the RADIUS Server and SAM are on different computers, install the OTP Plug-In for Microsoft RADIUS
Client on the RADIUS Server using the SafeNet OTP Plug-In Package 8.2.
For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
SAM 8.2 OTP Connector
For the integration described in this document, configure the SAM Connector for OTP Authentication.
For more information about the OTP connector, refer to the SafeNet Authentication Manager Version 8.2
Administrator Guide: “Connector for OTP Authentication” on page 374.
Configuring RADIUS Authentication
SafeNet's OTP architecture includes the SafeNet RADIUS Server for back-end OTP authentication. This enables
integration with any RADIUS-enabled gateway or application. For the integration described in this document, the
SafeNet RADIUS Server accesses user information in the Active Directory infrastructure via SafeNet Authentication
Manager.
SafeNet’s OTP architecture requires the MS RADIUS Server (NPS) to be installed. After installing NPS, add Citrix
AG as a RADIUS Client in the NPS.
Communication between Citrix AG and SafeNet Authentication Manager is based on RADIUS protocol.
To enable SAM to get RADIUS requests from Citrix AG:
Ensure that end-users can authenticate to Citrix AG with a static password before configuring AG to use
RADIUS authentication.
Ensure that ports 1812 / 1813 are open to Citrix AG.
To configure Citrix AG to use RADIUS protocol as a secondary authentication method:
1. Log on to the Citrix NetScaler administrative interface.
2. In the left panel of the administrative interface, navigate to Access Gateway > Virtual Servers.
3. Select your existing Access Gateway Virtual Server, click Open, and select the Authentication tab.
In the Configure Access Gateway Virtual Server window’s Authentication Policies area, the LDAP policy for
Microsoft domain authentication is displayed.
4. In the Authentication Policies area, click Secondary.
5. At the bottom of the Authentication Policies area, click Insert Policy.
The Create Authentication Policy window opens, enabling the creation of a new RADIUS Server authentication
policy.
6. In the Name field, enter a friendly name for the policy.
7. In the Authentication Type field, select RADIUS.
8. Next to Server, click New.
The Create Authentication Server window opens.
9. In the Name field, enter a friendly name for the server.
10. In the Server > IP Address field, enter the IP address of the RADIUS Server.
11. In the Server > Port field, enter the port. The default port is 1812.
12. In the Details > Secret Key and Confirm Secret Key fields, enter the RADIUS Server’s secret.
13. Click Create to return to the Create Authentication Policy window.
14. In the Named Expressions area, select General and True value, and click Add Expression.
15. Click Create.
16. Click Close.
User Store Deployment
SafeNet Authentication Manager manages and maintains OTP token information in its data store. This information
includes the token status, the OTP algorithm used to generate OTPs, and the token assignment to the user.
User information is managed and maintained in a user store. SafeNet Authentication Manager can be integrated
with your organization’s external user store.
If your organization does not use an external user store, SAM 8.2 enables the use of an internal (“Standalone”)
user store created and maintained by the SAM server.
Supported User Stores
SAM 8.2 supports the following user stores:
Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)
ADAM (in an integrated configuration solution using a “Standalone” user store)
Remote Active Directory
Microsoft SQL Server 2005 / 2008
OpenLDAP
Novell eDirectory
For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
Supported Tokens
SafeNet Authentication Manager supports both hardware and software-based One Time Password (OTP)
authenticators.
Supported OTP Hardware Tokens
SAM 8.2 supports the following OTP hardware authenticators:
eToken NG-OTP
eToken PASS
eToken Gold
Supported OTP Software-Based Tokens
MobilePASS authenticators are OTP authenticators that are software-based. These tokens enable generation of
OTP passwords on mobile devices or personal computers without the need for a hardware token. SAM 8.2
supports MobilePASS on the following platforms:
Blackberry OS version 4.6 and later
Microsoft Windows XP, Windows 7, and Windows 8
Microsoft Windows for Phone 7
All versions of Android OS
All versions of iOS
Running the Solution
After configuring both SafeNet Authentication Manager and Citrix AG, we recommend testing that it runs properly.
In this example, the solution is tested on MobilePASS for Android.
To test the solution on MobilePASS for Android:
1. Open the host Web Browser on the client machine.
2. Browse to the Citrix NetScaler Virtual Server’s general URL.
For example: https://<NetScaler Virtual Server URL>
The Citrix Logon page opens.
3. Open the SafeNet MobilePASS app on your smartphone, and generate an OTP.
NOTE
The MobilePASS app may prompt you to enter your PIN.
4. In the Citrix Logon page, enter your user name, domain password, and the OTP passcode generated by
MobilePASS on your smartphone.
You are logged on to Citrix, and the user application set is displayed.
5. Double-click the app to be opened.
Customizing the Citrix Logon Page
When two-factor authentication is configured on Access Gateway Enterprise Edition, the Citrix Logon page prompts
users for their User name, Password 1, and Password 2.
Citrix Logon window displaying standard field names
The Password 1 and Password 2 field names can be changed to something more descriptive, such as Windows
Password and Token Code.
Citrix Logon window displaying sample customized field names
NOTE
User authentication is not interrupted during the field name customization process.
To change the password field names displayed in the Citrix Logon window:
1. Log on to the Citrix NetScaler computer using SSH.
2. Go to /netscaler/ns_gui/vpn/resources.
3. The resources folder contains several xml files, one for each language.
In this example, we modify the English version, en.xml.
4. Back up the xml language file to be modified.
In this example, we back up the en.xml file.
5. Edit the xml file using a text editor.
Search for the string id “Password” and replace its text with the name to be displayed for Password 1.
Search for the string id “Password2” and replace its text with the name to be displayed for Password 2.
6. Save the xml file.
7. Go to /netscaler/ns_gui/vpn.
8. Back up the file login.js.
9. Edit the login.js file using a text editor.
10. Search for the following line:
if ( pwc == 2 ) { document.write(' 1'); }
11. To remove the character “1” from the name displayed for the first password field, delete the “1” in the line, so
that the line reads:
if ( pwc == 2 ) { document.write(' '); }
12. Save the login.js file.