
NetScaler Advanced Authentication for Citrix Endpoint Management: Certificate and Domain

  • Contributed By: Adolfo Montoyo Special Thanks To: Steve Beals

Overview

This deployment guide assists Citrix Endpoint Management (CEM) administrators in transitioning from NetScaler classic to advanced authentication policies, allowing users to log on via CEM for Mobile Application Management (MAM) traffic.

This is especially useful for customers using Citrix Secure Mail, Citrix Secure Web, or line-of-business MAM SDK apps that leverage microVPN connections via NetScaler Gateway.

For this guide we are covering the use case of Domain and Certificate based authentication, and we have used Citrix Endpoint Management service (24.8.0) and NetScaler 14.1 build 21.57nc.

Applicable Deployments

This deployment guide applies to customers using Citrix Endpoint Management service (cloud) or Citrix XenMobile Server (on-premises), regardless of version.

We highly recommend running a recent version of Citrix Endpoint Management (cloud or on-premises) and NetScaler Gateway to ensure stability, performance, and fixes are included.

Prerequisites

Before moving to NetScaler's advanced authentication policies configuration, make sure to follow the prerequisites from this Citrix Documentation: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/nfactor-authentication#prerequisites

Note:

Follow all prerequisites noted to avoid connectivity issues from the mobile device to the NetScaler Gateway virtual server assigned for CEM.

To configure Certificate Based Authentication and Domain (LDAP) on Citrix Endpoint Management, please follow the steps outlined in this link: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/client-certificate

 

Important:

In the CEM console, once you save the NetScaler Gateway settings with Certificate and Domain as the logon type, export the NetScaler script.

 

Ensure to run the NetScaler script for Advanced policies (filename: ConfigureCitrixGatewayScript_Advanced.txt)

The current script only applies to NetScaler advanced session policies and not to advanced authentication policies.

An enhancement request is needed to update the CEM NS script to include advanced authentication policies. In the meantime, follow the below steps to create the new advanced authentication policies and unbind the classic policies generated by the NS script.

Alternatively, if you would like to convert classic to advanced authentication policies using NetScaler’s NSPEPI tool, refer to: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html
 

Configure NetScaler Gateway advanced authentication policies

From the NetScaler Gateway: Create CERT profile

We will configure CERT policies with the corresponding profile in the following steps.

As a use case, we will use UPN (UserPrincipalName) to enroll end users' mobile devices with CEM (e.g., username@company.com).

In the NetScaler administration console, go to:

  1. Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > click Add.
  2. Select Action Type: CERT.
  3. Select the Profiles tab and then select Add.

Complete the following fields to create the Authentication CERT Profile.

  1. Name - Name for the client cert authentication server profile (action).
  2. Two factor – In this instance, the two-factor authentication option is ON.
  3. User Name Field – select SubjectAltName: PrincipalName
  4. Click Create.

Example:

image.png

 

Note:

If end users will be enrolling to CEM using SAMAccountName (e.g., username), then the CERT profile will look like this:

image.png

Finish the wizard to create the authentication policy for CERT.

Set expression as true.

Click Create.

image.png

From the NetScaler Gateway: Create LDAP profile

Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > click Add.

Select Action Type: LDAP

For Action, select the previously created LDAP server profile generated by the NS script (e.g., Gateway_LDAP_ACTION_UPN). In this example, I’m selecting the UPN one.

Expression is true.

Click Create.

Example:

image.png

Repeat the same steps above for LDAP, but this time, create an LDAP policy for SAMAccountName. This will be needed when Certificate + Domain (LDAP) authentication is used for CEM.

It will look like this:

image.png

As noted above, you can reuse the same LDAP profile for SAM (e.g., Gateway_LDAP_ACTION_SAM) created by the NS script.

In the next step, unbind the classic authentication policies from the NetScaler Gateway virtual server.

image.png

Next, we must make the newly created advanced authentication policies take effect on the same NetScaler Gateway virtual server for CEM.

Unlike the classic policies, which were bound directly to the Gateway virtual server, the three new advanced authentication policies will be bound to a new AAA virtual server that the NetScaler Gateway references (through an authentication profile) for authentication/authorization.

Next, create a new AAA virtual server. You can do it inside the NetScaler Gateway virtual server > Create Authentication Profile > Authentication Virtual Servers section. 

For IP Address, you can select as non-addressable, since this is an internal AAA virtual server that will be used by the NetScaler Gateway.

image.png

For the server certificate, it is good practice to bind one so the AAA virtual server status shows UP. Nevertheless, this is not strictly required, since this virtual server is not exposed to the outside world.

image.png

 

image.png

Next, all three new advanced authentication policies will be bound to this AAA virtual server. It should look like this:

Policies bound to the AAA virtual server

image.png

Next, bind the newly created AAA virtual server under the NetScaler Gateway authentication profile.

Click create.

It will look like this.

image.png

Finally, double-check that the NetScaler Gateway virtual server for CEM has Client Authentication ENABLED and Client Certificate set to MANDATORY.

image.png
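For administrators who prefer the command line, the following NetScaler CLI batch is an added example of the same sequence of steps described above; it is not part of the original guide or of the CEM-exported NS script. The names AAA_CEM, CEM_Gateway_VS, Cert_UPN_Action, Cert_UPN_Policy, LDAP_UPN_Policy, LDAP_SAM_Policy and CEM_AuthnProfile, the binding priorities, and the angle-bracket placeholders are assumptions to be replaced with your own values; only the LDAP action names Gateway_LDAP_ACTION_UPN and Gateway_LDAP_ACTION_SAM are the ones the guide takes from the NS script.

```nscli
# Added example (not from the guide). Assumed names: AAA_CEM, CEM_Gateway_VS,
# Cert_UPN_Action, Cert_UPN_Policy, LDAP_UPN_Policy, LDAP_SAM_Policy, CEM_AuthnProfile.
# <classic_policy_name> and <aaa_server_certkey> are placeholders for your own objects.

# 1. Client-certificate action: two-factor ON, user name taken from the UPN SAN
add authentication certAction Cert_UPN_Action -twoFactor ON -userNameField "SubjectAltName:PrincipalName"

# 2. Advanced authentication policies, all with the expression "true"
#    (the LDAP actions were generated by the CEM NS script)
add authentication Policy Cert_UPN_Policy -rule true -action Cert_UPN_Action
add authentication Policy LDAP_UPN_Policy -rule true -action Gateway_LDAP_ACTION_UPN
add authentication Policy LDAP_SAM_Policy -rule true -action Gateway_LDAP_ACTION_SAM

# 3. Unbind the classic authentication policies the NS script bound to the Gateway vserver
#    (repeat for each classic policy shown under "show vpn vserver CEM_Gateway_VS")
unbind vpn vserver CEM_Gateway_VS -policy <classic_policy_name>

# 4. Internal, non-addressable AAA vserver (IP 0.0.0.0); the server certificate is
#    optional and only makes the state show UP
add authentication vserver AAA_CEM SSL 0.0.0.0
bind ssl vserver AAA_CEM -certkeyName <aaa_server_certkey>

# 5. Bind the three advanced policies to the AAA vserver (priorities are assumed;
#    NEXT lets the evaluation fall through to the following policy)
bind authentication vserver AAA_CEM -policy Cert_UPN_Policy -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver AAA_CEM -policy LDAP_UPN_Policy -priority 110 -gotoPriorityExpression NEXT
bind authentication vserver AAA_CEM -policy LDAP_SAM_Policy -priority 120 -gotoPriorityExpression NEXT

# 6. Authentication profile that points the Gateway vserver at the AAA vserver
add authentication authnProfile CEM_AuthnProfile -authnVsName AAA_CEM
set vpn vserver CEM_Gateway_VS -authnProfile CEM_AuthnProfile

# 7. The Gateway vserver must require a client certificate
set ssl vserver CEM_Gateway_VS -clientAuth ENABLED -clientCert Mandatory

save ns config
```

Strip the comment lines before running the file with the batch command, or paste the commands one at a time into the NetScaler shell. Afterwards, `show authentication vserver AAA_CEM` should list the three policy bindings, and `show vpn vserver CEM_Gateway_VS` should show the authentication profile and no remaining classic authentication policies; re-run the end user testing described later to confirm enrollment and microVPN connections still succeed.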

From Citrix Endpoint Management console

  • Ensure the Certificate and Domain logon type is still set in the Citrix Gateway settings.

image.png

  • Set the Client Property ENABLE_MAM_NFACTOR_SSO to true. For more information on how to create the Client Property value, go here.

image.png

End user testing

  • For new devices, enroll using UPN format or SAMAccountName as desired.
  • For existing devices, make sure to sign out of and back in to Secure Hub. Validate that users can still connect and authenticate successfully to the NetScaler Gateway.
