-
Quick Start Guide: Protecting Citrix NetScaler VPX 10 Access
Gateway with SAM 8.2 Copyright © 2013 SafeNet, Inc., All rights
reserved.
Page 1 of 15
Citrix NetScaler VPX 10 Access Gateway and SAM
QUICK START GUIDE
Protecting Citrix NetScaler VPX 10 Access Gateway with SAM 8.2
Using Multi-Factor Authentication
Contents
Description ........ 2
Applicability ........ 2
Audience ........ 2
Overview ........ 3
Dataflow of RADIUS Authentication Using SAM ........ 4
NPS Configuration ........ 5
SafeNet Authentication Manager Configuration ........ 6
SAM 8.2 Installation ........ 6
SAM 8.2 OTP Connector ........ 6
Configuring RADIUS Authentication ........ 7
User Store Deployment ........ 10
Supported User Stores ........ 10
Supported Tokens ........ 11
Supported OTP Hardware Tokens ........ 11
Supported OTP Software-Based Tokens ........ 11
Running the Solution ........ 12
Customizing the Citrix Logon Page ........ 14
Description
SafeNet Authentication Manager (SAM) enables complete user authenticator life cycle management. SAM links tokens with users, organizational rules, and security applications to enable streamlined handling of users' needs throughout the various user authenticator life cycle stages.
Citrix NetScaler VPX 10 Access Gateway (AG) is a secure application and data access solution that gives IT administrators a single-point interface for managing access control and limiting actions within sessions based on both user identity and the endpoint device.
Integrating SAM with Citrix AG provides a strong authentication approach based on multi-factor authentication (MFA) for handling evolving business requirements, as well as new threats, risks, and vulnerabilities.
This document provides guidance for deploying multi-factor authentication in Citrix NetScaler VPX 10 Access Gateway using authentication methods that are managed by SafeNet Authentication Manager.
The user store is configured and synchronized between Citrix AG and SAM. The solution supports various user stores, as described on page 10. In this document, Citrix AG uses Microsoft's Active Directory (AD) as its user store.
In this document, the demonstrated solution includes One-Time Password (OTP) authentication.
Applicability
The information in this document applies to Citrix NetScaler VPX 10 Access Gateway and SafeNet Authentication Manager version 8.2.
Audience
This document is targeted to system administrators who are familiar with Citrix NetScaler VPX 10 Access Gateway and are interested in adding multi-factor authentication using SafeNet Authentication Manager.
NOTE
In this guide, the words "token" and "authenticator" are used interchangeably.
http://www.citrix.com/products/netscaler-access-gateway/resources/seo-anchor--access-control.html
Overview
This document assumes that Citrix NetScaler VPX 10 Access Gateway (AG) is deployed properly in the organization. The guide will take you through the process of adding multi-factor authentication (MFA) capabilities to Citrix AG using SafeNet Authentication Manager (SAM).
While there are a number of methods by which Citrix AG can be configured to support multi-factor authentication, for the purpose of working with SafeNet Authentication Manager, the RADIUS protocol [1] is used.
The deployment of MFA support using SAM with Citrix AG involves the following major steps:
A. Configure RADIUS communication between Citrix AG and SAM.
B. Synchronize the AG user store with SAM.
C. Configure NPS and SafeNet's OTP Plug-In for Microsoft RADIUS Client.
D. Assign tokens to users.
See the Supported Tokens section for the list of supported One-Time Password (OTP) tokens.
E. Test the authentication solution.
NOTE
This document assumes that the Citrix AG environment is already configured and working with 'static' passwords prior to implementing multi-factor authentication using SAM.
[1] Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for computers that connect to and use a network service.
Dataflow of RADIUS Authentication Using SAM
Figure 1 illustrates the dataflow of multi-factor authentication for Citrix AG:
1. The user attempts to log on to the organizational network, which is protected by Citrix AG. The user's two-factor credentials are sent to AG.
2. Citrix AG sends a RADIUS request containing the user's credentials to the NPS Server.
3. The NPS Server forwards the user's credentials to SafeNet Authentication Manager through SafeNet's OTP Plug-In, and SAM validates the credentials.
4. SAM's reply (approved or rejected) is sent back to the NPS Server.
5. The NPS Server forwards the reply to AG.
6. The user is granted or denied access to the network, based on the result of the validation process.
Figure 1: Dataflow of multi-factor authentication for Citrix AG using SAM
NPS Configuration
Communication between Citrix AG and Microsoft Network Policy Server (NPS) is based on the RADIUS protocol. NPS can be used as a RADIUS Server to perform authentication, authorization, and accounting for RADIUS clients.
To add a RADIUS client entry in NPS so that it can receive RADIUS authentication requests from Citrix AG, ensure that you have the following information:
the IP address of Citrix AG
the shared secret to be used by both NPS and Citrix AG
To configure Citrix AG as a RADIUS client:
1. Go to Start > Administrative Tools > Network Policy Server.
2. In the left pane, open RADIUS Clients and Servers, and select RADIUS Clients.
3. From the menu bar, select Action > New.
The New RADIUS Client window opens.
4. In the Friendly name field, enter a friendly name for the client.
5. In the Address field, enter the IP address or the DNS name of the Citrix AG server.
6. In the Shared Secret field, enter a secret that was manually or automatically generated.
This secret will be needed later for the Citrix AG RADIUS authentication configuration.
7. Click OK to save the configuration.
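The RADIUS exchange described in the dataflow section, and the role of the shared secret just configured, can be seen in the following added Python example. It is an illustration written for this guide, not code from SafeNet, Citrix or Microsoft: it builds an RFC 2865 Access-Request the way a RADIUS client such as Citrix AG would (hiding the User-Password with the shared secret and a fresh Request Authenticator), lets a stand-in for the RADIUS server (NPS with the SafeNet OTP Plug-In) recover the credential and answer Access-Accept or Access-Reject, and has the client verify the Response Authenticator so that a reply produced without the shared secret is refused. The secret, user name and OTP values are constructed, and the validate function stands in for SAM's OTP check.

```python
"""RFC 2865 RADIUS PAP exchange between a RADIUS client (Citrix AG) and a
RADIUS server (NPS). Added illustration: secret, user and OTP values are
constructed, and `validate` stands in for SAM's OTP check."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813  # ports the guide asks to open

def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _parse_attrs(data):
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs

def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    p = p or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; only works with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, mask)), block
    return out.rstrip(b"\x00").decode(errors="replace")

def build_access_request(ident, username, password, secret):
    """What the RADIUS client (Citrix AG) sends to the RADIUS server (NPS)."""
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code, request, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request, secret):
    """Client-side check: the reply belongs to this request and was built with
    the shared secret, so a reply forged without the secret is rejected."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def server_handle(request, secret, validate):
    """Stand-in for NPS plus the SafeNet OTP Plug-In: recover the credential
    and let validate(user, password) (stand-in for SAM) decide."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = _parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = validate(user, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def run_exchange(username, otp, client_secret, server_secret, validate):
    """Full round trip; returns (response code, client-side verification result)."""
    request = build_access_request(7, username, otp, client_secret)
    response = server_handle(request, server_secret, validate)
    return response[0], verify_response(response, request, client_secret)

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed sample value
    otp_store = {"alice": "123456"}                # constructed stand-in for SAM
    check = lambda user, pwd: otp_store.get(user) == pwd
    print(run_exchange("alice", "123456", SECRET, SECRET, check))     # (2, True)
    print(run_exchange("alice", "000000", SECRET, SECRET, check))     # (3, True)
    print(run_exchange("alice", "123456", SECRET, b"other", check))   # (3, False)
```

The third call shows why the secret entered in NPS (step 6) and the one entered on the NetScaler side must match exactly: with different secrets the server cannot recover the OTP, and the client cannot verify the reply, so authentication fails on both sides rather than silently passing.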
SafeNet Authentication Manager Configuration
SafeNet's OTP Plug-In for Microsoft RADIUS Client works with Microsoft's Internet Authentication Service (IAS) Server or Network Policy Server (NPS) to provide strong authentication for remote access through the Microsoft IAS or NPS RADIUS Server. When configured, users requesting remote access to their network using IAS or NPS are prompted to enter a token-generated OTP passcode.
SAM 8.2 Installation
For the integration described in this document, install One-Time Password (OTP) authentication for MS RADIUS Client.
When installing SAM using the SafeNet Authentication Manager 8.2 Installer, install OTP Authentication > RADIUS Authentication.
If the RADIUS Server and SAM are on the same computer, use the SafeNet Authentication Manager 8.2 Installer to install SAM OTP Plug-Ins, or install the OTP Plug-In for Microsoft RADIUS Client using the SafeNet OTP Plug-In Package 8.2.
If the RADIUS Server and SAM are on different computers, install the OTP Plug-In for Microsoft RADIUS Client on the RADIUS Server using the SafeNet OTP Plug-In Package 8.2.
For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
SAM 8.2 OTP Connector
For the integration described in this document, configure the SAM Connector for OTP Authentication.
For more information about the OTP connector, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide: "Connector for OTP Authentication" on page 374.
Configuring RADIUS Authentication
SafeNet's OTP architecture includes the SafeNet RADIUS Server for back-end OTP authentication. This enables integration with any RADIUS-enabled gateway or application. For the integration described in this document, the SafeNet RADIUS Server accesses user information in the Active Directory infrastructure via SafeNet Authentication Manager.
SafeNet's OTP architecture requires the MS RADIUS Server (NPS) to be installed. After installing NPS, add Citrix AG as a RADIUS Client in NPS.
Communication between Citrix AG and SafeNet Authentication Manager is based on the RADIUS protocol.
To enable SAM to receive RADIUS requests from Citrix AG:
Ensure that end users can authenticate to Citrix AG with a static password before configuring AG to use RADIUS authentication.
Ensure that RADIUS ports 1812 and 1813 are open between Citrix AG and the RADIUS Server.
To configure Citrix AG to use the RADIUS protocol as a secondary authentication method:
1. Log on to the Citrix NetScaler administrative interface.
2. In the left panel of the administrative interface, navigate to Access Gateway > Virtual Servers.
3. Select your existing Access Gateway Virtual Server, click Open, and select the Authentication tab.
In the Authentication Policies area of the Configure Access Gateway Virtual Server window, the LDAP policy for Microsoft domain authentication is displayed.
4. In the Authentication Policies area, click Secondary.
5. At the bottom of the Authentication Policies area, click Insert Policy.
The Create Authentication Policy window opens, enabling the creation of a new RADIUS Server authentication policy.
6. In the Name field, enter a friendly name for the policy.
7. In the Authentication Type field, select RADIUS.
8. Next to Server, click New.
The Create Authentication Server window opens.
9. In the Name field, enter a friendly name for the server.
10. In the Server > IP Address field, enter the IP address of the RADIUS Server.
11. In the Server > Port field, enter the port. The default port is 1812.
12. In the Details > Secret Key and Confirm Secret Key fields, enter the RADIUS Server's secret.
13. Click Create to return to the Create Authentication Policy window.
14. In the Named Expressions area, select General and True value, and click Add Expression.
15. Click Create.
16. Click Close.
User Store Deployment
SafeNet Authentication Manager manages and maintains OTP token information in its data store. This information includes the token status, the OTP algorithm used to generate OTPs, and the token assignment to the user.
User information is managed and maintained in a user store. SafeNet Authentication Manager can be integrated with your organization's external user store.
If your organization does not use an external user store, SAM 8.2 enables the use of an internal ("Standalone") user store created and maintained by the SAM server.
Supported User Stores
SAM 8.2 supports the following user stores:
Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)
ADAM (in an integrated configuration solution using a "Standalone" user store)
Remote Active Directory
Microsoft SQL Server 2005 / 2008
OpenLDAP
Novell eDirectory
For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
Supported Tokens
SafeNet Authentication Manager supports both hardware and software-based One-Time Password (OTP) authenticators.
Supported OTP Hardware Tokens
SAM 8.2 supports the following OTP hardware authenticators:
eToken NG-OTP
eToken PASS
eToken Gold
Supported OTP Software-Based Tokens
MobilePASS authenticators are software-based OTP authenticators. These tokens enable generation of OTP passwords on mobile devices or personal computers without the need for a hardware token. SAM 8.2 supports MobilePASS on the following platforms:
BlackBerry OS version 4.6 and later
Microsoft Windows XP, Windows 7, and Windows 8
Microsoft Windows Phone 7
All versions of Android OS
All versions of iOS
Running the Solution
After configuring both SafeNet Authentication Manager and Citrix AG, we recommend testing that the solution runs properly. In this example, the solution is tested with MobilePASS for Android.
To test the solution with MobilePASS for Android:
1. Open the web browser on the client machine.
2. Browse to the Citrix NetScaler Virtual Server's general URL.
For example: https://<NetScaler Virtual Server URL>
The Citrix Logon page opens.
3. Open the SafeNet MobilePASS app on your smartphone, and generate an OTP.
NOTE
The MobilePASS app may prompt you to enter your PIN.
4. In the Citrix Logon page, enter your user name, domain password, and the OTP passcode generated by MobilePASS on your smartphone.
You are logged on to Citrix, and the user application set is displayed.
5. Double-click the app to be opened.
Customizing the Citrix Logon Page
When two-factor authentication is configured on Access Gateway Enterprise Edition, the Citrix Logon page prompts users for their User name, Password 1, and Password 2.
Citrix Logon window displaying standard field names
The Password 1 and Password 2 field names can be changed to something more descriptive, such as Windows Password and Token Code.
Citrix Logon window displaying sample customized field names
NOTE
User authentication is not interrupted during the field name customization process.
To change the password field names displayed in the Citrix Logon window:
1. Log on to the Citrix NetScaler computer using SSH.
2. Go to /netscaler/ns_gui/vpn/resources.
3. The resources folder contains several xml files, one for each language.
In this example, we modify the English version, en.xml.
4. Back up the xml language file to be modified.
In this example, we back up the en.xml file.
5. Edit the xml file using a text editor.
Search for the String id "Password", and replace its text with the label that should replace Password 1.
Search for the String id "Password2", and replace its text with the label that should replace Password 2.
6. Save the xml file.
7. Go to /netscaler/ns_gui/vpn.
8. Back up the file login.js.
9. Edit the login.js file using a text editor.
10. Search for the following line:
if ( pwc == 2 ) { document.write(' 1'); }
11. To remove the character "1" from the name displayed for the first password field, delete the "1" in the line, so that the line reads:
if ( pwc == 2 ) { document.write(' '); }
12. Save the login.js file.
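The procedure above, scripted as an added Python example (this is an illustration written for this guide, not code from SafeNet or Citrix): it backs up the language file and login.js before touching them, changes the text of exactly one String id "Password" element and one String id "Password2" element, rewrites the pwc line, and stops without writing anything if a backup already exists or an edit would not hit exactly one place. The sample en.xml and login.js contents are constructed stand-ins that assume the <String id="..."> element layout the guide refers to; on an appliance the script would be pointed at the real /netscaler/ns_gui directory instead of the scratch copy that make_sample_tree creates.

```python
"""Scripted version of the logon-page customization steps (back up, then edit
the language resource file and login.js). Added illustration; sample file
contents are constructed and assume the <String id="..."> layout."""
import re
import shutil
import tempfile
from pathlib import Path
from xml.sax.saxutils import escape

# Constructed stand-ins for /netscaler/ns_gui/vpn/resources/en.xml and
# /netscaler/ns_gui/vpn/login.js, reduced to the parts the procedure touches.
SAMPLE_EN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Resources>
  <String id="User name">User name</String>
  <String id="Password">Password</String>
  <String id="Password2">Password 2</String>
</Resources>
"""
SAMPLE_LOGIN_JS = """if ( pwc == 2 ) { document.write(' 1'); }
"""
OLD_JS_LINE = "if ( pwc == 2 ) { document.write(' 1'); }"  # step 10
NEW_JS_LINE = "if ( pwc == 2 ) { document.write(' '); }"   # step 11


def make_sample_tree():
    """Create a scratch copy of the vpn directory layout; returns its root path."""
    root = Path(tempfile.mkdtemp())
    (root / "vpn" / "resources").mkdir(parents=True)
    (root / "vpn" / "resources" / "en.xml").write_text(SAMPLE_EN_XML, encoding="utf-8")
    (root / "vpn" / "login.js").write_text(SAMPLE_LOGIN_JS, encoding="utf-8")
    return str(root)


def _backup(path):
    """Steps 4 and 8: keep an untouched copy beside the file; never clobber one."""
    backup = path.with_name(path.name + ".bak")
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; refusing to overwrite it")
    shutil.copy2(path, backup)
    return backup


def _set_string(text, string_id, label):
    """Replace the text of exactly one <String id="..."> element (step 5)."""
    pattern = re.compile(r'(<String id="%s">)[^<]*(</String>)' % re.escape(string_id))
    new_text, count = pattern.subn(lambda m: m.group(1) + escape(label) + m.group(2), text)
    if count != 1:
        raise ValueError(f'expected one String id "{string_id}", found {count}')
    return new_text


def customize_logon_page(root, label1, label2, lang_file="en.xml"):
    """Steps 4 to 12 of the guide; every edit must match exactly one place.
    Returns the new file contents and the backup paths for inspection."""
    root = Path(root)
    xml_path = root / "vpn" / "resources" / lang_file
    js_path = root / "vpn" / "login.js"

    # Compute both edits first so nothing is written if either one fails.
    text = xml_path.read_text(encoding="utf-8")
    text = _set_string(text, "Password", label1)    # label for Password 1
    text = _set_string(text, "Password2", label2)   # label for Password 2
    js = js_path.read_text(encoding="utf-8")
    if js.count(OLD_JS_LINE) != 1:
        raise ValueError("login.js does not contain the expected pwc line exactly once")
    js = js.replace(OLD_JS_LINE, NEW_JS_LINE)

    backups = [_backup(xml_path), _backup(js_path)]
    xml_path.write_text(text, encoding="utf-8")   # step 6
    js_path.write_text(js, encoding="utf-8")      # step 12
    return {"en.xml": text, "login.js": js, "backups": [str(b) for b in backups]}


if __name__ == "__main__":
    result = customize_logon_page(make_sample_tree(), "Windows Password", "Token Code")
    print(result["en.xml"])
    print(result["login.js"])
```

Reading both files and validating both edits before any backup or write keeps the appliance's login page consistent: either the language file and login.js are both updated, or neither is.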