
Quick Start Guide: Protecting Citrix NetScaler VPX 10 Access Gateway with SAM 8.2 Copyright © 2013 SafeNet, Inc., All rights reserved.

Page 1 of 15

Citrix NetScaler VPX 10 Access Gateway and SAM

QUICK START GUIDE

Protecting Citrix NetScaler VPX 10 Access Gateway with SAM 8.2 Using Multi-Factor Authentication

Contents

Description (page 2)
    Applicability (page 2)
    Audience (page 2)
Overview (page 3)
Dataflow of RADIUS Authentication Using SAM (page 4)
NPS Configuration (page 5)
SafeNet Authentication Manager Configuration (page 6)
    SAM 8.2 Installation (page 6)
    SAM 8.2 OTP Connector (page 6)
Configuring RADIUS Authentication (page 7)
User Store Deployment (page 10)
    Supported User Stores (page 10)
Supported Tokens (page 11)
    Supported OTP Hardware Tokens (page 11)
    Supported OTP Software-Based Tokens (page 11)
Running the Solution (page 12)
Customizing the Citrix Logon Page (page 14)


Description

SafeNet Authentication Manager (SAM) enables complete user authenticator life cycle management. SAM links tokens with users, organizational rules, and security applications to enable streamlined handling of users' needs throughout the various user authenticator lifecycle stages.

Citrix NetScaler VPX 10 Access Gateway (AG) is a secure application and data access solution that gives IT administrators a single point interface for managing access control and limiting actions within sessions based on both user identity and the endpoint device.

Integrating SAM with Citrix AG provides a strong authentication approach based on multi-factor authentication (MFA) for handling evolving business requirements, as well as new threats, risks, and vulnerabilities.

This document provides guidance for deploying multi-factor authentication in Citrix NetScaler VPX 10 Access Gateway using authentication methods that are managed by SafeNet Authentication Manager.

The user store is configured and synchronized between Citrix AG and SAM. The solution supports various user stores, as described in the Supported User Stores section (page 10). In this document, Citrix AG uses Microsoft's Active Directory (AD) as its user store.

In this document, the demonstrated solution includes One-Time Password (OTP) authentication.

Applicability

The information in this document applies to Citrix NetScaler VPX 10 Access Gateway and SafeNet Authentication Manager version 8.2.

Audience

This document is targeted to system administrators who are familiar with Citrix NetScaler VPX 10 Access Gateway and are interested in adding multi-factor authentication using SafeNet Authentication Manager.

NOTE

In this guide, the words "token" and "authenticator" are used interchangeably.

http://www.citrix.com/products/netscaler-access-gateway/resources/seo-anchor--access-control.html


Overview

This document assumes that Citrix NetScaler VPX 10 Access Gateway (AG) is deployed properly in the organization. The guide will take you through the process of adding multi-factor authentication (MFA) capabilities to Citrix AG using SafeNet Authentication Manager (SAM).

While there are a number of methods by which Citrix AG can be configured to support multi-factor authentication, for the purpose of working with SafeNet Authentication Manager, the RADIUS protocol [1] is used.

The deployment of MFA support using SAM with Citrix AG involves the following major steps:

A. Configure RADIUS communication between Citrix AG and SAM.

B. Synchronize the AG user store with SAM.

C. Configure NPS and SafeNet's OTP Plug-In for Microsoft RADIUS Client.

D. Assign tokens to users. See the Supported Tokens section for the list of supported One-Time Password (OTP) tokens.

E. Test the authentication solution.

NOTE

This document assumes that the Citrix AG environment is already configured and working with 'static' passwords prior to implementing multi-factor authentication using SAM.

[1] Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for computers that connect and use a network service.


Dataflow of RADIUS Authentication Using SAM

Figure 1 illustrates the dataflow of multi-factor authentication for Citrix AG:

1. The user attempts to log on to the organizational network, which is protected by Citrix AG. The user's two-factor credentials are sent to AG.

2. Citrix AG sends a RADIUS request containing the user's credentials to the NPS Server.

3. The NPS Server forwards the user's credentials to SafeNet Authentication Manager through SafeNet's OTP Plug-In, and SAM validates the credentials.

4. SAM's reply (approved or rejected) is sent back to the NPS Server.

5. The NPS Server forwards the reply to AG.

6. The user is granted or denied access to the network, based on the validation process result.

Figure 1: Dataflow of multi-factor authentication for Citrix AG using SAM


NPS Configuration

Communication between Citrix AG and Microsoft Network Policy Server (NPS) is based on the RADIUS protocol. NPS can be used as a RADIUS Server to perform authentication, authorization, and accounting for RADIUS clients.

To add a RADIUS client entry in NPS so that it can receive RADIUS authentication requests from Citrix AG, ensure that you have the following information:

the IP address of Citrix AG

the shared secret to be used by both NPS and Citrix AG

To configure Citrix AG as a RADIUS client:

1. Go to Start > Administrative Tools > Network Policy Server.

2. In the left pane, open RADIUS Clients and Servers, and select RADIUS Clients.

3. From the menu bar, select Action > New. The New RADIUS Client window opens.

4. In the Friendly name field, enter a friendly name for the client.

5. In the Address field, enter the IP address or the DNS name of the Citrix AG server.

6. In the Shared Secret field, enter a secret that was manually or automatically generated. This secret will be needed later for the Citrix AG RADIUS authentication configuration.

7. Click OK to save the configuration.


SafeNet Authentication Manager Configuration

SafeNet's OTP Plug-In for Microsoft RADIUS Client works with Microsoft's Internet Authentication Service (IAS) Server or Network Policy Server (NPS) to provide strong authentication for remote access through the Microsoft IAS or NPS RADIUS Server. When configured, users requesting remote access to their network using IAS or NPS are prompted to enter a token-generated OTP passcode.

SAM 8.2 Installation

For the integration described in this document, install One-Time Password (OTP) authentication for MS RADIUS Client.

When installing SAM using the SafeNet Authentication Manager 8.2 Installer, install OTP Authentication > RADIUS Authentication.

If the RADIUS Server and SAM are on the same computer, use the SafeNet Authentication Manager 8.2 Installer to install SAM OTP Plug-Ins, or install the OTP Plug-In for Microsoft RADIUS Client using the SafeNet OTP Plug-In Package 8.2.

If the RADIUS Server and SAM are on different computers, install the OTP Plug-In for Microsoft RADIUS Client on the RADIUS Server using the SafeNet OTP Plug-In Package 8.2.

For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.

SAM 8.2 OTP Connector

For the integration described in this document, configure the SAM Connector for OTP Authentication.

For more information about the OTP connector, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide: "Connector for OTP Authentication" on page 374.


Configuring RADIUS Authentication

SafeNet's OTP architecture includes the SafeNet RADIUS Server for back-end OTP authentication. This enables integration with any RADIUS-enabled gateway or application. For the integration described in this document, the SafeNet RADIUS Server accesses user information in the Active Directory infrastructure via SafeNet Authentication Manager.

SafeNet's OTP architecture requires the MS RADIUS Server (NPS) to be installed. After installing NPS, add Citrix AG as a RADIUS Client in the NPS.

Communication between Citrix AG and SafeNet Authentication Manager is based on the RADIUS protocol.

To enable SAM to get RADIUS requests from Citrix AG:

Ensure that end-users can authenticate to Citrix AG with a static password before configuring AG to use RADIUS authentication.

Ensure that ports 1812 / 1813 (RADIUS authentication / accounting) are open between Citrix AG and the RADIUS Server.

To configure Citrix AG to use the RADIUS protocol as a secondary authentication method:

1. Log on to the Citrix NetScaler administrative interface.

2. In the left panel of the administrative interface, navigate to Access Gateway > Virtual Servers.

3. Select your existing Access Gateway Virtual Server, click Open, and select the Authentication tab. In the Configure Access Gateway Virtual Server window's Authentication Policies area, the LDAP policy for Microsoft domain authentication is displayed.


4. In the Authentication Policies area, click Secondary.

5. At the bottom of the Authentication Policies area, click Insert Policy. The Create Authentication Policy window opens, enabling the creation of a new RADIUS Server authentication policy.

6. In the Name field, enter a friendly name for the policy.

7. In the Authentication Type field, select RADIUS.

8. Next to Server, click New.


    The Create Authentication Server window opens.

    9. In the Name field, enter a friendly name for the server.

    10. In the Server > IP Address field, enter the IP address of the RADIUS Server.

    11. In the Server > Port field, enter the port. The default port is 1812.

    12. In the Details > Secret Key and Confirm Secret Key fields, enter the RADIUS Server’s secret.

    13. Click Create to return to the Create Authentication Policy window.

    14. In the Named Expressions area, select General and True value, and click Add Expression.

    15. Click Create.

    16. Click Close.
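The RADIUS exchange in steps 2, 4 and 5 of the dataflow, together with the shared secret and port 1812 entered in the RADIUS policy above, as an added illustration that is not part of the SafeNet guide: a minimal RFC 2865 Access-Request and reply built in Python, showing how the secret hides the User-Password attribute and how AG can tell a genuine NPS reply from one built with the wrong secret. The user name, OTP value and secrets are constructed for the demo; SAM's real OTP validation is not modelled.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types used here

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous cipher
    # block), the first block being keyed with the 16-byte Request Authenticator
    n = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", request_auth
    for i in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    # Server side: undo hide_password; yields garbage unless the shared secret matches
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, request_auth=None):
    # What Citrix AG sends to NPS on port 1812: code, id, length, 16 random bytes, attribute TLVs
    request_auth = request_auth or secrets.token_bytes(16)
    name, hidden = username.encode(), hide_password(password.encode(), secret, request_auth)
    attrs = bytes([USER_NAME, len(name) + 2]) + name + bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs

def build_response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    # NAS side: a reply whose id or authenticator does not check out is discarded
    # (wrong shared secret, tampered packet, or not a reply to this request)
    _, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, request_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def demo_exchange(otp_entered, otp_expected, ag_secret, nps_secret):
    # Dataflow steps 2, 4 and 5 with constructed values: AG asks, NPS decides, AG checks the reply
    request = build_access_request(7, "alice", otp_entered, ag_secret)
    _, _, request_auth, attrs = parse_packet(request)
    otp = reveal_password(attrs[USER_PASSWORD], nps_secret, request_auth)
    code = ACCESS_ACCEPT if otp == otp_expected.encode() else ACCESS_REJECT
    response = build_response(code, request, nps_secret)
    return code, verify_response(response, request, ag_secret)
```

A mismatched secret on either side shows up as a reject plus a failed authenticator check on AG, which is the symptom to look for when the RADIUS policy test fails after step 16.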


User Store Deployment

SafeNet Authentication Manager manages and maintains OTP token information in its data store. This information includes the token status, the OTP algorithm used to generate OTPs, and the token assignment to the user.

User information is managed and maintained in a user store. SafeNet Authentication Manager can be integrated with your organization's external user store.

If your organization does not use an external user store, SAM 8.2 enables the use of an internal ("Standalone") user store created and maintained by the SAM server.

Supported User Stores

SAM 8.2 supports the following user stores:

Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)

ADAM (in an integrated configuration solution using a "Standalone" user store)

Remote Active Directory

Microsoft SQL Server 2005 / 2008

OpenLDAP

Novell eDirectory

For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.


Supported Tokens

SafeNet Authentication Manager supports both hardware and software-based One-Time Password (OTP) authenticators.

Supported OTP Hardware Tokens

SAM 8.2 supports the following OTP hardware authenticators:

eToken NG-OTP

eToken PASS

eToken Gold

Supported OTP Software-Based Tokens

MobilePASS authenticators are software-based OTP authenticators. These tokens enable generation of OTP passwords on mobile devices or personal computers without the need for a hardware token. SAM 8.2 supports MobilePASS on the following platforms:

BlackBerry OS version 4.6 and later

Microsoft Windows XP, Windows 7, and Windows 8

Microsoft Windows Phone 7

All versions of Android OS

All versions of iOS


Running the Solution

After configuring both SafeNet Authentication Manager and Citrix AG, we recommend testing that it runs properly. In this example, the solution is tested on MobilePASS for Android.

To test the solution on MobilePASS for Android:

1. Open the host Web Browser on the client machine.

2. Browse to the Citrix NetScaler Virtual Server's general URL. For example: https://<NetScaler Virtual Server URL>. The Citrix Logon page opens.

3. Open the SafeNet MobilePASS app on your smartphone, and generate an OTP.

NOTE

The MobilePASS app may prompt you to enter your PIN.

4. In the Citrix Logon page, enter your user name, domain password, and the OTP passcode generated by MobilePASS on your smartphone. You are logged on to Citrix, and the user application set is displayed.


    5. Double-click the app to be opened.


Customizing the Citrix Logon Page

When two-factor authentication is configured on Access Gateway Enterprise Edition, the Citrix Logon page prompts users for their User name, Password 1, and Password 2.

Citrix Logon window displaying standard field names

The Password 1 and Password 2 field names can be changed to something more descriptive, such as Windows Password and Token Code.

Citrix Logon window displaying sample customized field names

NOTE

User authentication is not interrupted during the field name customization process.

To change the password field names displayed in the Citrix Logon window:

1. Log on to the Citrix NetScaler computer using SSH.

2. Go to /netscaler/ns_gui/vpn/resources.

3. The resources folder contains several xml files, one for each language.


In this example, we modify the English version, en.xml.

4. Back up the xml language file to be modified. In this example, we back up the en.xml file.

5. Edit the xml file using a text editor. Search for the String id "Password", and replace it with the string to replace Password 1. Search for the String id "Password2", and replace it with the string to replace Password 2.

6. Save the xml file.

7. Go to /netscaler/ns_gui/vpn.

8. Back up the file login.js.

9. Edit the login.js file using a text editor.

10. Search for the following line:

    if ( pwc == 2 ) { document.write(' 1'); }

11. To remove the character "1" from the name displayed for the first password field, delete the "1" in the line, so that the line reads:

    if ( pwc == 2 ) { document.write(' '); }

12. Save the login.js file.