Authentication at StoreFront using NetScaler Gateway with session policies



Hi all,

 

I have to replace an old Access Gateway 5.04 with Access Controller and pre-authentication EPA with a current Citrix ADC.
ADC v13.0-47.24
StoreFront 1912
Virtual Apps / Desktops v7 1912

 

Because of security and other reasons the ADC should have no direct connections to the Active Directory in the backend. So I decided to use "Authentication at StoreFront using NetScaler Gateway". The login and the start and use of applications/desktops work fine. But there are no session or EPA policies available on the Citrix controller for filtering and creating Citrix policies. In other words: SmartAccess is not working although "ICA only" in the vserver config is not checked.

It seems StoreFront assumes every connection/session with "Authentication at StoreFront using NetScaler Gateway" is internal and that there is no need for session/EPA policies.

 

What is wrong? Or is SmartAccess generally not available for this connection and authentication technique?

I couldn't find anything about this particular configuration in Citrix documents or other sources.

 

Thanks in advance
Holger


50 minutes ago, Holger Schleife said:

Because of security and other reasons the ADC should have no direct connections to the active directory in the backend. So i decided to use "Authentication at StoreFront using NetScaler Gateway".

 

Holger, sorry to say, but this is the least secure method we have. You expose an IIS to the internet; it's totally unprotected, and it will be inside your LAN. This totally compromises the concept of a DMZ. I know, IIS is the most secure web server in the world (says Microsoft), but no matter how secure it is, it's just an IIS and there are tons of exploits for IIS.
I have seen this for many years in so-called best practice guides, but even Citrix best practice guides have moved away from this kind of deployment (Citrix Consulting Services never used it because of security concerns).

 

The usual way to do it is to allow TCP 636 from the ADC to the domain controllers and authenticate from the gateway. This will not expose Active Directory to the internet, just LDAP, a more or less harmless protocol, probably together with RADIUS. All the rest is insane.

 

EPA in session policies should be available, independent of the authentication mode you're using (I have never done this deployment, as none of my customers ever wanted to expose an IIS in the LAN to the internet). Of course there won't be any pre-authentication policies, as you don't authenticate.

 

Greetings from sunny Austria

 

Johannes Norz

CTA, CCI, CCE-N

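The gateway-side LDAPS and RADIUS setup Johannes describes, written out as an added NetScaler CLI example (this is not from the thread or from Citrix documentation; the IP addresses, hostnames, base DN, bind account, certificate file and the vserver name gw_vs are assumptions, and the password and shared secret are placeholders):

```nscli
# Added example, not from the thread. All IPs, names, DNs and gw_vs are assumptions.

# CA that issued the domain controllers' certificates; needed so that the
# LDAPS server certificate can actually be validated by the ADC
add ssl certKey corp_root_ca -cert corp_root_ca.pem

# LDAPS action: TCP 636 to the DC, TLS enforced (-secType SSL), server
# certificate validated and checked against the DC hostname
add authentication ldapAction ldap_dc01_act -serverIP 10.10.0.11 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostname dc01.corp.example -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc-gateway,ou=service,dc=corp,dc=example" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_dc01_pol ns_true ldap_dc01_act

# RADIUS as the second factor
add authentication radiusAction rad_act -serverIP 10.10.0.21 -serverPort 1812 -radKey <shared-secret>
add authentication radiusPolicy rad_pol ns_true rad_act

# Bind both to the Gateway vserver: LDAP primary, RADIUS secondary
bind vpn vserver gw_vs -policy ldap_dc01_pol -priority 100
bind vpn vserver gw_vs -policy rad_pol -priority 100 -secondary
```

The firewall rule that goes with this is TCP 636 from the ADC's SNIP (the source address of its backend connections) to each domain controller, and nothing else towards AD. With -validateServerCert YES the bind is expected to fail rather than fall back if the DC certificate does not chain to an installed CA or does not match -ldapHostname, which is the point: a misconfigured or spoofed DC should be refused, not silently accepted.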

Hi Johannes,

 

My explanation of the underlying network was not so clear. The access gateway is not exposed to the internet. It's located in a separate LAN with some firewalls, where only (internal) users from other trusted domains or sub-domains in the forest have access to it. This is why we will use this authentication method. The users already have a successful login in another trusted domain.

 
For access from the internet there is another Citrix ADC solution with 2FA (RADIUS) and so on.

 

Thanks
Holger

