
Citrix ADC: Azure MFA with separate (independent) access on existing appliance


Hi Citrix community

 

We want to start some testing and POC with our already existing Citrix ADC appliance and Azure AD MFA for accessing our internal Citrix platform. For our users it is already possible to access our internal Citrix platform through Citrix ADC appliance, but without Azure AD MFA.

 

I'm not deep in Citrix ADC, so I have some questions for next steps.

 

How would you proceed in context with POC and after success, with Migration?

 

I thought it would be nice if we could use our already existing appliance with a separate, independent access for MFA to our Citrix platform. For our users it should still be possible to access our Citrix platform as usual until we hopefully later move to production with Azure AD MFA.

 

Is this possible and if so, how can I configure a second, separate and independent access without impacting the existing access through the appliance without MFA?

 

I found some tutorials to configure Citrix ADC with Azure MFA (NPS/SAML) but I don't know how to do this with an already existing Citrix ADC appliance and an existing Citrix platform.

 

Is there anything more I should consider?

 

Any help is appreciated. Thanks in advance for your help.


Hello Lukas,

 

there are a few ways to achieve this. I would like to give you the two most common.

1. Create a separate Citrix Gateway vServer (different public name, different public IP) so you are able to configure / test independently of your Prod environment

2. If you're using ADC at a minimum of Advanced Edition - use nFactor (so you don't need a separate Gateway) and use the first loginschema only with username / UPN for doing group extraction. For example, if the user is a member of the "ACL-AzureMFA" group, the redirect via SAML to AAD will happen. Any other user will still log in with your default auth mechanism.

Regards

Julian


Hi Lukas,

 

For a while now, you can also use nFactor with a Standard license if you're using it for Gateway. I would however also recommend an Advanced license as it will allow you to use that auth flow for other applications as well.

 

To implement Azure MFA you are correct that there are 2 options, being via NPS or doing SAML SP to Azure. Both work fine but there are cases where one would be preferred over the other. For example, if you have a lot of legacy applications that you'd also like to protect with MFA, then I would suggest going the NPS route as it will give you more flexibility for doing (legacy) SSO to those applications. If however you are already heavily invested in cloud and SaaS then doing SAML would be the more obvious choice here.

 

Complexity wise the NPS way is maybe a bit easier as it's basically just setting up RADIUS auth in your flow. Don't be scared of SAML though, it's very different, but I wouldn't say it's really all that more complex to set up. Julian's suggestion to set up a separate Gateway instance is definitely a good recommendation for testing things out without having to impact production users. I would suggest building a completely new auth flow though, but you can reuse some parts (e.g. LDAP actions) from your production setup of course.

 

Cheers,

G.


Hello Julian

 

Thank you for your answer.

 

We're using "Citrix Gateway Advanced VPX" so I think I'll give nFactor a shot. I think with this the migration from the default auth mechanism to AAD should be an easy one. So I have to deal with nFactor a bit more in depth. Seems complicated at the moment.

 

Do I have to use SAML when I want to use nFactor? It should be possible with NPS too, correct? I don't know yet which option we are definitely using in the future. Do you have any recommendation?

 

Thank you!

 

Regards

Lukas

 


Hi Gunther

 

Thank you for your answer.

 

At the moment we just want to protect external access through Citrix ADC (only for the Citrix platform) and second for Microsoft Exchange (on-premise). I think we'll go with NPS because of legacy apps which may come in the future. Thank you for the comparison of NPS and SAML.

 

Because I'm not deep in Citrix ADC I have to do some research on how to configure Citrix ADC with an already existing authentication (through LDAPS).

 

Maybe I'll set up a separate Citrix ADC with a trial license or something like this.

 

Regards,

Lukas


Hi Lukas,

 

If you're planning to use this for Exchange and maybe other non-Gateway things, the best way to implement this is by creating an nFactor flow for use on an Authentication vServer. You don't necessarily need a separate ADC for this, you can build the new flow on your production instance without having to impact the production flows. The advantage would be that you can already use your existing LDAP policies and also, once you've validated it works, you can activate it on production very quickly.

 

There are many excellent guides to be found on how to do this, but I think for your scenario the one from https://lalmohan.co.nz/2020/06/08/integrate-azure-mfa-with-netscaler-gateway-for-two-factor-authentication/ will fit best. Keep in mind though that this guide relies on NPS to do both the password and token validation; you don't necessarily need to do that, you can still first talk to LDAP (e.g. if you need group extraction, ...) and just talk to NPS for token validation using the next factor functionality. I couldn't quickly find a guide that's outlining that but feel free to ask here if you get stuck. Also note that screenshots in this guide (but also in many others) might be a bit outdated, so things could look a little different, especially in the Azure admin console :).

 

Cheers,

G.


  • 2 weeks later...

Depending on how good your knowhow with ADC is, you can do both.

 

Option 1)

Create an independent access (new virtual IP, new external IP or use the same IP as the productive one with a different port) => let test users use this access and configure your session profile to use the same store as the productive one

 

Option 2)

Create an nFactor flow (it can be extremely complex to understand how nFactor works, but in your case it should be okay as you "just" use two different methods based on AD group membership) which differentiates between different AD groups: have one AD group with productive users, using access as before (no MFA), and one group with test users, using Azure MFA for authentication

This option could also be achieved without nFactor by just doing some intelligent Basic Authentication Policy chain-binding on the Gateway vServer itself, but since Basic Authentication Policy got deprecated with 13.1 (still working though, no one knows for how long) you shouldn't use these.

 

In General:

You need to know what kind of Azure MFA implementation you want. There are two possibilities:

 

1) Use RADIUS:

Have a local NPS server with the Azure MFA extension (requires AAD P2 licenses for each user), have NetScaler make a RADIUS request towards that local NPS server which then will forward the request towards Azure (see: https://www.deyda.net/index.php/en/2019/03/20/microsoft-azure-mfa-cloud-service-in-citrix-adc-version-12-2/)

 

2) Use SAML:

Set up FAS infrastructure (requires an Enterprise CA) for desktop SSO, make NetScaler request SAML towards Azure (in fact you won't use NetScaler for authentication anymore, NetScaler redirects the user towards Azure directly and uses the SAML answer to pass the user towards the Citrix infrastructure). Downside: more complex since you need to set up FAS correctly and need good know-how about certificates and how they work

Upside: user experience is a lot better as you can use all the cool Azure MFA functions (change method with each sign-on, same look-alike etc., password won't get transmitted to NetScaler, see: https://www.deyda.net/index.php/en/2021/12/21/saml-authentication-between-citrix-microsoft-with-azure-mfa/)

 

I've configured both, both are working great, in the end it's a design decision what to use, depending on your infrastructure in general.

 

If you will use SAML I'd strongly recommend that you create a completely new virtual server for an independent test environment

 

 

 

P.S.: I'm really sorry, somehow my browser didn't load the other answers so I thought this was unanswered yet. Most of my points were already pointed out, sorry for answering it again.


Thank you all for your help and answers to my thread.

 

Maybe I'll test both possibilities. But first I'll start with the NPS configuration, because I think it's the easier one. As I understand, with SAML it's possible to use all authentication methods (approving through push on a smartphone, entering a one-time password (Authenticator app), also approving through phone calls)? But with NPS only OTP is possible? (Edit: It's possible to use calls too, as mentioned on the website from Jens - thank you!)

 

All the documentation I found only shows screenshots with the authenticator app. As I was told, we have to use phone calls too - I did not know that yet, so I may have to change the POC to SAML. SAML may be better for user experience, too.

 

Do I really need AAD P2, is AAD P1 not enough for MFA?

 

I just began with the 2FA configuration on Citrix ADC. I'm already struggling with enabling the nFactor flow visualizer. I thought it would be available with Citrix Advanced VPX but I didn't find a way to enable it. We're on NS13.0 build-86.17.

 

Wish me luck ?


Me again.. sorry!

 

Is there a possibility to configure Citrix ADC with NPS so that a user only gets redirected to NPS (for 2FA) if the user is a member of an Active Directory group (e.g. group "AzureADMFA")? For all other users (not in the "AzureADMFA" group) the authentication process should go through on-premise Active Directory (single factor: username, password).

 

So I can't use nFactor, I have to do some workaround?

 

Actually, our users are logging in with an Active Directory username (not with a mail address or UPN -> e.g. Jane Smith's username may be "jansmi"). Do they have to enter the UPN after NPS is implemented for MFA or is it possible with the username, too?

 

questions, questions, questions..

 

Oops.. I was logged in with another account.

 

TIA for your help and support!


Yes, you need to use nFactor with it. If you have only Gateway licensed you need to upgrade to a recent build; Citrix made nFactor for Gateway available in order to shift from basic policies to advanced.

 

You can use both, UPN or SAM should work, but in order to make Azure MFA work in general, your users need to have the same UPN as mail. The user authenticates with SAM at NetScaler -> NetScaler passes the UPN to NPS, NPS passes the UPN to Azure (where your users are identified via mail address, that's why both attributes must match)

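An added configuration example, written for this thread and not taken from Citrix documentation or from any poster, showing the group-based routing that Julian's Option 2 and Jens's Option 2 describe, combined with the RADIUS-to-NPS branch Jens outlines under "Use RADIUS" and the group-membership split Lukas asks about above. Every user first enters only a username, LDAP group extraction runs, and only members of a test group continue to a password factor followed by Azure MFA via NPS; everyone else gets the LDAP password factor alone, as today. Server addresses, bind DN, secrets, object names, the certificate name, the test Gateway vserver name and the group name ACL-AzureMFA are placeholders to replace; the built-in schema files under /nsconfig/loginschema/LoginSchema/, the LSCHEMA_INT (no-schema) login schema and the NO_AUTHN pass-through action are standard on 13.x, and binding the flow to a dedicated test Gateway vserver first (Option 1) rather than to production is a design choice, not something the thread prescribes.

```netscaler
# Added example (not from the thread): group-based nFactor flow with an NPS/Azure MFA branch.
# All IPs, DNs, secrets, object names and the group name are placeholders.

# --- Actions ----------------------------------------------------------------
# LDAPS action used only for group extraction; authentication is DISABLED because
# the first factor collects no password yet.
add authentication ldapAction LDAP-GROUPS-ONLY -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=local" -ldapBindDn "CN=svc-ns,OU=Service,DC=example,DC=local" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
# LDAPS action that validates the password (the existing production action can be reused here)
add authentication ldapAction LDAP-AUTH -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=local" -ldapBindDn "CN=svc-ns,OU=Service,DC=example,DC=local" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
# RADIUS action towards the on-prem NPS running the Azure MFA extension.
# authTimeout is raised above the 3 s default because call/push approvals take longer than OTP.
add authentication radiusAction RAD-NPS-AZUREMFA -serverIP 10.0.0.20 -serverPort 1812 -radKey "<radius-shared-secret>" -authTimeout 60 -passEncoding pap

# --- Advanced authentication policies ---------------------------------------
add authentication Policy POL-LDAP-GROUPS-ONLY -rule true -action LDAP-GROUPS-ONLY
add authentication Policy POL-LDAP-AUTH -rule true -action LDAP-AUTH
add authentication Policy POL-RAD-NPS -rule true -action RAD-NPS-AZUREMFA
# Decision policies: NO_AUTHN performs no authentication, the rule alone decides the next factor
add authentication Policy POL-IS-MFA-USER -rule "AAA.USER.IS_MEMBER_OF(\"ACL-AzureMFA\")" -action NO_AUTHN
add authentication Policy POL-IS-OTHER-USER -rule true -action NO_AUTHN

# --- Login schemas ----------------------------------------------------------
add authentication loginSchema LS-USERNAME-ONLY -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyUsername.xml"
add authentication loginSchema LS-PASSWORD-ONLY -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication loginSchemaPolicy LSPOL-USERNAME-ONLY -rule true -action LS-USERNAME-ONLY

# --- Factors (policy labels), defined from the last factor backwards --------
# MFA factor: no schema, so the password already entered is forwarded to NPS
add authentication policylabel PL-RADIUS-NPS -loginSchema LSCHEMA_INT
bind authentication policylabel PL-RADIUS-NPS -policyName POL-RAD-NPS -priority 100 -gotoPriorityExpression NEXT
# Password factor for MFA test users, followed by the RADIUS factor
add authentication policylabel PL-PASSWORD-THEN-MFA -loginSchema LS-PASSWORD-ONLY
bind authentication policylabel PL-PASSWORD-THEN-MFA -policyName POL-LDAP-AUTH -priority 100 -gotoPriorityExpression NEXT -nextFactor PL-RADIUS-NPS
# Password factor for everybody else: single factor, flow ends here
add authentication policylabel PL-PASSWORD-ONLY -loginSchema LS-PASSWORD-ONLY
bind authentication policylabel PL-PASSWORD-ONLY -policyName POL-LDAP-AUTH -priority 100 -gotoPriorityExpression NEXT
# Routing factor: group membership extracted in factor 1 selects the password factor
add authentication policylabel PL-ROUTE-BY-GROUP -loginSchema LSCHEMA_INT
bind authentication policylabel PL-ROUTE-BY-GROUP -policyName POL-IS-MFA-USER -priority 100 -gotoPriorityExpression NEXT -nextFactor PL-PASSWORD-THEN-MFA
bind authentication policylabel PL-ROUTE-BY-GROUP -policyName POL-IS-OTHER-USER -priority 110 -gotoPriorityExpression NEXT -nextFactor PL-PASSWORD-ONLY

# --- Non-addressable AAA vserver and hook-up to a test Gateway vserver ------
add authentication vserver AAA-VS-AZUREMFA SSL 0.0.0.0
bind ssl vserver AAA-VS-AZUREMFA -certkeyName "<server-certkey>"
bind authentication vserver AAA-VS-AZUREMFA -policy LSPOL-USERNAME-ONLY -priority 100 -gotoPriorityExpression END
bind authentication vserver AAA-VS-AZUREMFA -policy POL-LDAP-GROUPS-ONLY -priority 100 -nextFactor PL-ROUTE-BY-GROUP -gotoPriorityExpression NEXT
add authentication authnProfile AUTHPROF-AZUREMFA -authnVsName AAA-VS-AZUREMFA
# Bind to the separate test Gateway vserver first; point production at it only after validation
set vpn vserver GW-TEST-AZUREMFA -authnProfile AUTHPROF-AZUREMFA
```

Because factor 1 only extracts groups, a user outside ACL-AzureMFA never touches the RADIUS action, so production users see no change while the test group exercises NPS. The no-schema RADIUS factor forwards the password the user already typed, which means NPS validates it against AD a second time before the Azure MFA extension runs; if NPS should only handle the token, that is an NPS-policy decision rather than an ADC one. Watch the -authTimeout value together with the NPS-side timeout when testing call or push approvals, since the logon page simply waits until the challenge is answered.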

Thanks Jens!

 

So if I understand you correctly, it should be possible for me to use nFactor, even if I only have a Citrix Gateway Advanced VPX license? Or what do you mean with "...you need to upgrade to a recent build" - a license upgrade? We are on the recent NS13.0 build-86.17.

 

Under "Configuration -> Traffic Management", "AAA - Application Traffic" has a red exclamation mark but sub-configurations like "nFactor Visualizer", "Groups", "Users", etc. don't have one.

But it seems that I could create and add virtual servers and nFactor flows within. Am I allowed to do so?

 

Nice to read that about UPN/SAM. UPNs are matching on-premise with AAD


On 7/11/2022 at 3:13 PM, Lukas Rusch1709162191 said:

Thanks Jens!

 

So if I understand you correctly, it should be possible for me to use nFactor, even if I only have a Citrix Gateway Advanced VPX license? Or what do you mean with "...you need to upgrade to a recent build" - a license upgrade? We are on the recent NS13.0 build-86.17.

 

Under "Configuration -> Traffic Management", "AAA - Application Traffic" has a red exclamation mark but sub-configurations like "nFactor Visualizer", "Groups", "Users", etc. don't have one.

But it seems that I could create and add virtual servers and nFactor flows within. Am I allowed to do so?

 

Nice to read that about UPN/SAM. UPNs are matching on-premise with AAD

Yes, that should be possible. As you mentioned, it would not be possible for customers with a Gateway-only license to switch to advanced policies since nFactor/AAA is not licensed with Gateway. So Citrix made nFactor/AAA available for the Gateway module when you only have a Gateway license. I'm just not sure when they implemented it, that's why I said you may need to upgrade to the latest firmware (not license, I meant something like the most recent 13.1 - maybe it is available in 13.0 as well, I'm not that experienced with 13.x versions as they still have so many bugs and luckily I'm only working with Advanced licensed appliances).

 

Oh, and I was wrong regarding the explanation with UPN/SAM. It doesn't change anything on what you need to do, but just to clarify and correct myself: if you authenticate with SAM at NetScaler, NetScaler will pass the SAM towards the local NPS (NetScaler does NOT do AD extraction, hence cannot replace the Sign On Attribute Name), NPS will check with local AD if the user is present and at the same time will use the configured UserPrincipalName of the authenticating SAM. This UPN will then be passed towards Azure. You don't need to manually configure this on NetScaler, as you will just need a RADIUS policy. You will need to create appropriate NPS policies though, but there are plenty of guides on what you need to do and why (for example https://www.deyda.net/index.php/en/2019/03/20/microsoft-azure-mfa-cloud-service-in-citrix-adc-version-12-2/)

 

 

 

  

On 7/11/2022 at 6:14 AM, Alban Hoop said:

Thank you all for your help and answers to my thread.

 

Maybe I'll test both possibilities. But first I'll start with the NPS configuration, because I think it's the easier one. As I understand, with SAML it's possible to use all authentication methods (approving through push on a smartphone, entering a one-time password (Authenticator app), also approving through phone calls)? But with NPS only OTP is possible? (Edit: It's possible to use calls too, as mentioned on the website from Jens - thank you!)

 

All the documentation I found only shows screenshots with the authenticator app. As I was told, we have to use phone calls too - I did not know that yet, so I may have to change the POC to SAML. SAML may be better for user experience, too.

 

Do I really need AAD P2, is AAD P1 not enough for MFA?

 

I just began with the 2FA configuration on Citrix ADC. I'm already struggling with enabling the nFactor flow visualizer. I thought it would be available with Citrix Advanced VPX but I didn't find a way to enable it. We're on NS13.0 build-86.17.

 

Wish me luck ?

 

Using NPS you can still use all the authentication methods proposed by Azure MFA, but you cannot change them while authenticating. It will always use your preferred option, so if it is configured to use push notification but you somehow lost your authenticator phone, you cannot change the MFA method to SMS/call - this only works when authenticating to Azure directly (which would be the SAML option). Using local NPS should support all methods, but you need to be aware of your RADIUS timeout, since calls/SMS can take a bit longer than OTP/push.

 

I'm not a licensing guy ? But as far as I remember you need P2 user licenses, but maybe check it with someone who actually is into this whole big bubble of Azure licensing. There is something called "Azure MFA external/third party usage", which would be the option with local NPS and needs to be licensed with P2 (or maybe P1).


Thank you again for your detailed answers, Jens. You are really helping me!

 

The more I read, the more I'm into SAML. Anyway, I want to do some testing with NPS, just for me and to see what works best (for me and the company) related to our POC.

 

In the case of SAML all is clear, authentication works like when I log on to Microsoft (same 1:1 look-alike). But in the case of NPS there are two possibilities to log on:

  1. Logon with a 2nd factor where I don't have to type in anything (e.g. smartphone approving through push, or call)
  2. Logon with a 2nd factor where I have to type something in (e.g. push code from SMS or code from authenticator app)

Do I need to configure this in Citrix ADC (nFactor?) too, or (how) will ADC know if it has to show an entry field for the 2nd factor or not? Maybe that's another point for SAML, too ?


Wow this thread really exploded ? 

 

Anyhow, Jens's responses are spot on, not much I can add to that... To respond to your last question about the 2nd factor: you shouldn't have to explicitly configure this, as NPS will send a challenge to the NetScaler if input is required, which will trigger the NetScaler to automatically display an input box.


Exactly what Gunther says - NetScaler will present you the corresponding logon page depending on the RADIUS challenge it got from the local NPS (which constructs the challenge based on what the user has configured as their primary MFA method). You MAY still want to consider nFactor because you can implement your PoC in your production environment without affecting production users (which should not get Azure MFA) - in case you need this kind of scenario

 

If you use phone call or push you will notice that after you entered credentials, the logon page "stalls" (basically loads endlessly) until you approve the challenge. For non-familiar users this could look like a timeout (there won't be a message telling you to approve the push notification like there is in Azure).

 

 

One more note regarding SAML: don't underestimate the MUCH higher configuration complexity and effort you need to put in, as you will have a lot more points of failure and different products interacting with everything.

 

best of luck ?

 

 


  • 2 weeks later...

You all are best! - THANK YOU

 

I configured MFA with NPS first and it works fine, but without nFactor implemented. We'll probably buy an upgrade from Citrix ADC Gateway Advanced VPX to Citrix ADC VPX 200 Standard Edition. With that, migration should be easy, as you mentioned, without affecting production or existing users without MFA.

 

Next I will configure and test SAML. With Standard Edition (nFactor) it should be possible to use MFA with Citrix Workspace, too. Maybe that's also possible with NPS but I didn't test that yet. With nFactor I can test all authentication methods at the same time without reconfiguring Citrix ADC and that is nice.

 

Again: Thanks, thanks, thanks to all of you! You really helped me.


On 7/26/2022 at 11:08 AM, Lukas Rusch1709162191 said:

You all are best! - THANK YOU

 

I configured MFA with NPS first and it works fine, but without nFactor implemented. We'll probably buy an upgrade from Citrix ADC Gateway Advanced VPX to Citrix ADC VPX 200 Standard Edition. With that, migration should be easy, as you mentioned, without affecting production or existing users without MFA.

 

Next I will configure and test SAML. With Standard Edition (nFactor) it should be possible to use MFA with Citrix Workspace, too. Maybe that's also possible with NPS but I didn't test that yet. With nFactor I can test all authentication methods at the same time without reconfiguring Citrix ADC and that is nice.

 

Again: Thanks, thanks, thanks to all of you! You really helped me.

Good to hear everything works so far.

But take care regarding licensing!

 

Citrix ADC STANDARD Edition does NOT contain licensing for nFactor (since the AAA module is not licensed in Standard) - so you would need to upgrade to Citrix ADC Advanced Edition (not Gateway Advanced) in order to use nFactor with the AAA module.

But as mentioned before, you could also try to upgrade your current Gateway Advanced to the newest 13.1 build - you should be able to use nFactor with Gateway then without any license upgrade.


Thanks for your input

 

Maybe I'm misunderstanding something here, but as I see in nFactor authentication it should be possible to use nFactor in Citrix ADC Standard but only for the Gateway/VPN virtual server, and this should be enough I think. We are using Citrix ADC only for external access to our Citrix infrastructure.

Quote

Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server.

 

As Carl Stalhood wrote: ADC Standard definitely has nfactor (Citrix ADC Gateway Advanced VPX and nfactor)

Quote

ADC Standard Edition definitely has it. You access it from the Authentication Profile section of a Gateway Virtual Server.

 

I'll try an upgrade to 13.1 with our license, maybe nFactor is available then without any license upgrade. This would be more than nice!
