Overview
This deployment guide assists Citrix Endpoint Management (CEM) administrators in transitioning from NetScaler classic to advanced authentication policies, allowing users to log on via CEM for Mobile Application Management (MAM) traffic.
This is especially useful for customers using Citrix Secure Mail, Citrix Secure Web, or line-of-business MAM SDK apps that use microVPN connections via NetScaler Gateway.
This guide covers the use case of Domain- and Certificate-based authentication, and was written using Citrix Endpoint Management service (24.8.0) and NetScaler 14.1 build 21.57nc.
Applicable Deployments
This deployment guide applies to customers using Citrix Endpoint Management service (cloud) or Citrix XenMobile Server (on-premises), regardless of version.
We highly recommend running a recent version of Citrix Endpoint Management (cloud or on-premises) and NetScaler Gateway to ensure stability, performance, and fixes are included.
Prerequisites
Before moving to NetScaler's advanced authentication policies configuration, make sure to follow the prerequisites from this Citrix Documentation: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/nfactor-authentication#prerequisites
Note:
Follow all prerequisites noted to avoid connectivity issues from the mobile device to the NetScaler Gateway virtual server assigned for CEM.
To configure Certificate Based Authentication and Domain (LDAP) on Citrix Endpoint Management, please follow the steps outlined in this link: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/client-certificate
Important:
In the CEM console, once you save the NetScaler Gateway settings with Certificate and Domain as the logon type, export the NetScaler script.
Make sure you run the NetScaler script for Advanced policies (filename: ConfigureCitrixGatewayScript_Advanced.txt).
The current script only applies to NetScaler advanced session policies, not to advanced authentication policies.
An enhancement request is needed to update the CEM NS script to include advanced authentication policies. In the meantime, follow the steps below to create the new advanced authentication policies and unbind the classic policies generated by the NS script.
Alternatively, if you would like to convert classic to advanced authentication policies using NetScaler's NSPEPI tool, refer to: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html
Configure NetScaler Gateway advanced authentication policies
From the NetScaler Gateway: Create CERT profile
We will configure CERT policies with the corresponding profile in the following steps.
As a use case, we will use UPN (UserPrincipalName) to enroll end users' mobile devices with CEM (e.g., username@company.com).
In the NetScaler administration console, go to:
- Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > click Add.
- Select Action Type: CERT.
- Select the Profiles tab and then select Add.
Complete the following fields to create the Authentication CERT Profile.
- Name – Name for the client cert authentication server profile (action).
- Two Factor – In this instance, the two-factor authentication option is ON.
- User Name Field – select SubjectAltName:PrincipalName.
- Click Create.
Example:
Note:
If end users will be enrolling to CEM using SAMAccountName (e.g., username), then the CERT profile will look like this:
Finish the wizard to create the advanced authentication policy for CERT: set the expression to true and click Create.
From the NetScaler Gateway: Create LDAP profile
Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > click Add.
Select Action Type: LDAP
For Action, select the previously created LDAP server profile generated by the NS script (e.g., Gateway_LDAP_ACTION_UPN). In this example, I’m selecting the UPN one.
Set the expression to true and click Create.
Example:
Repeat the same steps above for LDAP, but this time, create an LDAP policy for SAMAccountName. This will be needed when Certificate + Domain (LDAP) authentication is used for CEM.
It will look like this:
As with the UPN policy, you can reuse the LDAP profile for SAM (e.g., Gateway_LDAP_ACTION_SAM) created by the NS script.
Next, unbind the classic authentication policies from the NetScaler Gateway virtual server used for CEM.
The newly created advanced authentication policies must then be attached to that same NetScaler Gateway virtual server for CEM. With advanced policies, however, the three new authentication policies are bound to a new AAA virtual server, which the NetScaler Gateway uses for authentication/authorization.
Next, create a new AAA virtual server. You can do it inside the NetScaler Gateway virtual server > Create Authentication Profile > Authentication Virtual Servers section.
For IP Address, you can select as non-addressable, since this is an internal AAA virtual server that will be used by the NetScaler Gateway.
For the server certificate, it is good practice to bind one so that the AAA virtual server status shows UP. Nevertheless, this is not strictly necessary, since this virtual server is not exposed to the outside world.
Next, all three new advanced authentication policies will be bound to this AAA virtual server. It should look like this:
Policies bound to the AAA virtual server
Next, bind the newly created AAA virtual server under the NetScaler Gateway authentication profile.
Click Create.
It will look like this.
Finally, double-check that on the NetScaler Gateway virtual server for CEM, Client Authentication is ENABLED and Client Certificate is set to MANDATORY.
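The NetScaler side of the procedure above, expressed as NetScaler CLI commands. This is an added example, not the output of the CEM NS script or Citrix's own documentation; every object name except the NS-script LDAP actions (Gateway_LDAP_ACTION_UPN, Gateway_LDAP_ACTION_SAM) is assumed, and the classic policy names to unbind are placeholders to be replaced with those listed by `show vpn vserver`.

```text
# Added example: advanced CERT + LDAP authentication for the CEM gateway via an AAA vserver.
# Assumed names: _XM_CEM_gateway (gateway vserver), Gateway_Cert_Key (server certkey),
# Gateway_Cert_ACTION, *_Adv policies, Gateway_AAA_VS, Gateway_Authn_Profile.
# Placeholder names: CLASSIC_CERT_POLICY, CLASSIC_LDAP_POLICY (check "show vpn vserver _XM_CEM_gateway").

# 1. CERT action (profile): two-factor ON, user name taken from the certificate UPN.
add authentication certAction Gateway_Cert_ACTION -twoFactor ON -userNameField "SubjectAltName:PrincipalName"

# 2. Advanced CERT policy with the expression "true".
add authentication Policy Gateway_Cert_POL_Adv -rule true -action Gateway_Cert_ACTION

# 3. Advanced LDAP policies (UPN and SAMAccountName), reusing the LDAP actions the NS script generated.
add authentication Policy Gateway_LDAP_POL_UPN_Adv -rule true -action Gateway_LDAP_ACTION_UPN
add authentication Policy Gateway_LDAP_POL_SAM_Adv -rule true -action Gateway_LDAP_ACTION_SAM

# 4. Unbind the classic authentication policies from the CEM gateway vserver.
unbind vpn vserver _XM_CEM_gateway -policy CLASSIC_CERT_POLICY
unbind vpn vserver _XM_CEM_gateway -policy CLASSIC_LDAP_POLICY

# 5. Non-addressable AAA vserver (0.0.0.0 = internal only); a server cert so it shows UP.
add authentication vserver Gateway_AAA_VS SSL 0.0.0.0
bind ssl vserver Gateway_AAA_VS -certkeyName Gateway_Cert_Key

# 6. Bind the three advanced policies. CERT is evaluated first; NEXT continues the
#    cascade to the LDAP policies because the CERT action has twoFactor ON.
bind authentication vserver Gateway_AAA_VS -policy Gateway_Cert_POL_Adv -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver Gateway_AAA_VS -policy Gateway_LDAP_POL_UPN_Adv -priority 110 -gotoPriorityExpression NEXT
bind authentication vserver Gateway_AAA_VS -policy Gateway_LDAP_POL_SAM_Adv -priority 120 -gotoPriorityExpression END

# 7. Authentication profile that points the CEM gateway vserver at the AAA vserver.
add authentication authnProfile Gateway_Authn_Profile -authnVsName Gateway_AAA_VS
set vpn vserver _XM_CEM_gateway -authnProfile Gateway_Authn_Profile

# 8. Final check: client certificate authentication must remain enabled and mandatory on the gateway.
set ssl vserver _XM_CEM_gateway -clientAuth ENABLED -clientCert Mandatory
show ssl vserver _XM_CEM_gateway
save ns config
```

Compare the `show authentication vserver Gateway_AAA_VS` and `show vpn vserver _XM_CEM_gateway` output against the screenshots from the GUI steps before testing from a device.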
From Citrix Endpoint Management console
- Ensure Certificate and Domain logon type are still set in the Citrix Gateway settings.
- Set the Client Property ENABLE_MAM_NFACTOR_SSO to true. For more information on how to create the Client Property value, go here.
End user testing
- For new devices, enroll using UPN format or SAMAccountName as desired.
- For existing devices, make sure users sign off and back on in Secure Hub. Validate that users can still connect and authenticate successfully to the NetScaler Gateway.