Overview
This deployment guide assists Citrix Endpoint Management (CEM) administrators in transitioning from NetScaler classic to advanced authentication policies, allowing users to log on via CEM for Mobile Application Management (MAM) traffic.
This is especially useful for customers using Citrix Secure Mail, Citrix Secure Web, or line-of-business MAM SDK apps that use microVPN connections through NetScaler Gateway.
This guide covers the use case of domain authentication, using Citrix Endpoint Management service (24.8.0) and NetScaler 14.1 build 21.57nc.
Applicable Deployments
This deployment guide applies to customers using Citrix Endpoint Management service (cloud) or Citrix XenMobile Server (on-premises), regardless of version.
We highly recommend running a recent version of Citrix Endpoint Management (cloud or on-premises) and NetScaler Gateway to ensure stability, performance, and fixes are included.
Prerequisites
Before moving to NetScaler's advanced authentication policies configuration, make sure to follow the prerequisites from this Citrix documentation: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/nfactor-authentication#prerequisites
Note:
Follow all prerequisites to avoid connectivity issues from the mobile device to the NetScaler Gateway virtual server assigned for CEM.
To configure Domain (LDAP) on Citrix Endpoint Management, please follow the steps outlined in this link: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/authentication-domain-security-token
Important
Once you save the NetScaler Gateway settings with Domain as the logon type in the CEM console, export the NetScaler script.
Be sure to run the NetScaler script for advanced policies (filename: ConfigureCitrixGatewayScript_Advanced.txt).
The current script only creates NetScaler advanced session policies; it does not create advanced authentication policies.
An enhancement request is needed to update the CEM NS script to include advanced authentication policies. In the meantime, follow the steps below to create the new advanced authentication policies and unbind the classic policies generated by the NS script.
Alternatively, if you would like to convert classic to advanced authentication policies using NetScaler's NSPEPI tool, refer to: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html.
Configure NetScaler Gateway advanced authentication policies
From the NetScaler Gateway: Create LDAP profile
We will configure Domain policies with the corresponding profile in the following steps.
As a use case, we will use UPN (UserPrincipalName) to enroll end users' mobile devices with CEM (e.g., username@company.com).
Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > click Add.
Select Action Type: LDAP
For Action, select the LDAP server profile previously generated by the NS script (e.g., Gateway_LDAP_ACTION_UPN). In this example, the UPN action is selected.
For Expression, enter true.
Click Create.
Example:
Repeat the same steps above for LDAP, but this time create an LDAP policy for sAMAccountName. This is needed if end users enroll the mobile device using just their username for CEM (e.g., username).
It will look like this:
As noted above, you can reuse the same LDAP profile for SAM (e.g., Gateway_LDAP_ACTION_SAM) created by the NS script.
Next, unbind the classic authentication policies from the NetScaler Gateway virtual server.
The newly created advanced authentication policies must then be made available to the same NetScaler Gateway virtual server used for CEM.
Unlike the classic policies, the two new advanced authentication policies are not bound to the Gateway virtual server directly; they are bound to a new AAA virtual server that the NetScaler Gateway uses for authentication and authorization.
Next, create a new AAA virtual server. You can do this from the NetScaler Gateway virtual server > Create Authentication Profile > Authentication Virtual Servers section.
For IP Address, select Non Addressable, since this is an internal AAA virtual server that is only used by the NetScaler Gateway.
It is good practice to bind a server certificate so the AAA virtual server status shows UP. However, this is not required, since this virtual server is not exposed to the outside world.
Next, bind both new advanced authentication policies to this AAA virtual server. It should look like this:
Policies bound to the AAA virtual server
Next, bind the newly created AAA virtual server under the NetScaler Gateway authentication profile.
Click Create.
It will look like this.
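The same configuration expressed as NetScaler CLI commands, as an added example that is not part of the original guide and not the CEM-generated script. The LDAP action names are the ones the CEM script already created (Gateway_LDAP_ACTION_UPN and Gateway_LDAP_ACTION_SAM); the policy names, the AAA virtual server name, the authentication profile name and the angle-bracket placeholders are assumptions to replace with your own values. Because the cloud script can only be exported with classic authentication policies today, keeping these commands alongside the script gives you a repeatable, reviewable record of the change.

```nscli
# Added example: CLI equivalent of the GUI steps above (not the CEM NS script).
# Names CEM_* and <...> placeholders are assumed; LDAP actions come from the CEM script.

# 1. Advanced authentication policies, one per LDAP action (UPN and sAMAccountName).
#    Rule "true" matches every logon attempt, as entered for Expression in the GUI.
add authentication Policy CEM_LDAP_POL_UPN -rule true -action Gateway_LDAP_ACTION_UPN
add authentication Policy CEM_LDAP_POL_SAM -rule true -action Gateway_LDAP_ACTION_SAM

# 2. Internal AAA virtual server. 0.0.0.0 is what the GUI calls Non Addressable:
#    it is reachable only through the Gateway's authentication profile, not from clients.
add authentication vserver CEM_AAA_VS SSL 0.0.0.0
# Optional: bind a server certificate so the AAA vserver shows UP (assumed certkey name).
bind ssl vserver CEM_AAA_VS -certkeyName <aaa-server-certkey>

# 3. Bind both policies in one cascade. With NEXT, if the UPN policy does not
#    authenticate the user, the sAMAccountName policy is tried, so devices enrolled
#    with either format keep working. Lower priority value is evaluated first.
bind authentication vserver CEM_AAA_VS -policy CEM_LDAP_POL_UPN -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver CEM_AAA_VS -policy CEM_LDAP_POL_SAM -priority 110 -gotoPriorityExpression NEXT

# 4. Authentication profile that points the Gateway vserver at the AAA vserver.
add authentication authnProfile CEM_AUTHN_PROFILE -authnVsName CEM_AAA_VS
set vpn vserver <CEM-Gateway-vserver> -authnProfile CEM_AUTHN_PROFILE

# 5. Unbind the classic LDAP policies the CEM script bound directly to the Gateway
#    vserver, so that only the advanced path remains (list them with "show vpn vserver").
unbind vpn vserver <CEM-Gateway-vserver> -policy <classic-LDAP-policy-name>

# Verification before end-user testing: confirm the AAA vserver is UP with both
# policies bound, and that the Gateway vserver carries the authentication profile
# and no remaining classic authentication policy bindings.
show authentication vserver CEM_AAA_VS
show vpn vserver <CEM-Gateway-vserver>
```

Run the commands in order from the NetScaler CLI, then save the configuration. Keep the classic policies defined but unbound until end-user testing succeeds, so rolling back is a single `bind vpn vserver` command rather than a rebuild.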
From Citrix Endpoint Management console
- Ensure the Domain logon type is still set in the Citrix Gateway settings.
- Set the Client Property ENABLE_MAM_NFACTOR_SSO to true. For more information on how to create the Client Property value, go here.
End user testing
- For new devices, enroll using UPN format or SAMAccountName as desired.
- For existing devices, make sure to sign out of and back in to Secure Hub. Validate that users can still connect and authenticate successfully to the NetScaler Gateway.