<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0


<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide
Citrix 12.0
Peter Waranowski, RSA Partner Engineering
Last Modified: February 20th, 2018

Table of Contents
Table of Contents ... 2
Solution Summary ... 3
Supported Authentication Methods by Integration Point ... 4
Configuration Summary ... 5
RSA SecurID Access Configuration ... 6
  RSA Cloud Authentication Service Configuration ... 6
  RSA Authentication Manager Configuration ... 13
Partner Product Configuration ... 14
  Before You Begin ... 14
  Configure an Authentication Policy ... 15
  Bind the SecurID Access Authentication Policy ... 40
  Configure Risk-Based Authentication ... 44
  Login Screenshots ... 52
Certification Checklist for RSA SecurID Access ... 54

Solution Summary

Citrix NetScaler can integrate with RSA Cloud Authentication Service by using RADIUS or SAML. When integrated via RADIUS, users can use policy-driven multi-factor authentication for cases where authentication happens either in the Web browser or in Citrix Receiver. SSO into StoreFront can be maintained using a single primary RADIUS authentication policy. When integrated via SAML, users can use policy- and context-driven multi-factor authentication for cases where authentication happens in the Web browser. SSO into StoreFront can be maintained by using an nfactor policy with the RSA Cloud IdP in "additional authentication only" mode, or by using Citrix Federated Authentication Service (FAS).

Citrix NetScaler can integrate with RSA Authentication Manager in two different ways:
1. Integrate Citrix NetScaler with RSA Authentication Manager using a RADIUS authentication policy. If SSO to StoreFront is needed, include an authentication policy for AD as well.
2. Install the RSA Authentication Agent for Citrix StoreFront on your Citrix StoreFront server(s) and integrate Citrix NetScaler with Citrix StoreFront using a Delegated Forms Authentication (DFA) authentication policy. If SSO to StoreFront is needed, the agent can securely store and retrieve the user's AD credentials during logon.

Both approaches allow users to authenticate with RSA SecurID in cases where authentication happens in the Web browser or in Citrix Receiver.

Citrix NetScaler can also be configured with RSA Authentication Manager for Risk-Based Authentication (RBA). When configured, users can be authenticated using RBA in cases where authentication happens in the Web browser. SSO into Citrix StoreFront can be maintained by using the RSA Authentication Agent for Citrix StoreFront with the DFA policy integration approach.

RSA SecurID Access Features table for Citrix NetScaler 12.0 (row headings only):
  On Premise Methods: RSA SecurID, On Demand Authentication, Risk-Based Authentication (AM)
  Cloud Authentication Service Methods: Authenticate App, FIDO Token, SSO (SAML SSO, HFED SSO)
  Identity Assurance: Collect Device Assurance and User Behavior

Supported Authentication Methods by Integration Point

This section indicates which authentication methods are supported by integration point. The next section (Configuration Summary) contains links to the appropriate configuration sections for each integration point.

Citrix integration with RSA Cloud Authentication Service
  Integration points (columns): REST, IDR SAML, Cloud SAML, HFED, RADIUS
  Authentication methods (rows): RSA SecurID, LDAP Password, Authenticate Approve, Authenticate Tokencode, Device Biometrics, SMS Tokencode, Voice Tokencode, FIDO Token

Citrix integration with RSA Authentication Manager
  Integration points (columns): REST, RADIUS, UDP Agent, TCP Agent
  Authentication methods (rows): RSA SecurID, AM RBA

Legend: (check mark) Supported; - Not supported; n/t Not yet tested or documented, but may be possible. (The per-cell support marks of the original tables are not reproduced here.)

Configuration Summary

All of the supported use cases of RSA SecurID Access with Citrix require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.

RSA Cloud Authentication Service
Citrix can be integrated with RSA Cloud Authentication Service in the following way(s):
- SAML via RSA Identity Router (IdP): Cloud Authentication Service Identity Router IdP Configuration; Citrix SAML SP Configuration
- SAML via RSA Cloud (IdP), "All authentication" option: Cloud Authentication Service Cloud IdP Configuration; Citrix SAML SP Configuration
- SAML via RSA Cloud (IdP), "Additional authentication only" option: Cloud Authentication Service Cloud IdP Configuration; Citrix nfactor LDAP to SAML Configuration
- RADIUS: Cloud Authentication Service RADIUS Server Configuration; Citrix RADIUS Configuration

RSA Authentication Manager
Citrix can be integrated with RSA Authentication Manager in the following way(s):
- RADIUS: Authentication Manager RADIUS Server Configuration; Citrix RADIUS Client Configuration
- DFA + RSA Authentication Agent for Citrix StoreFront: Citrix StoreFront DFA Configuration
- Risk-Based Authentication - RADIUS: Authentication Manager Risk-Based Configuration; Citrix Risk-Based Authentication Configuration
- Risk-Based Authentication - DFA + RSA Authentication Agent for Citrix StoreFront: Authentication Manager Risk-Based Configuration; Citrix Risk-Based Authentication Configuration

RSA SecurID Access Configuration

RSA Cloud Authentication Service Configuration

SAML via RSA Identity Router (IdP)

To configure a SAML Service Provider in RSA Identity Router, you must deploy a connector for the application in the RSA SecurID Access Console. During configuration of the IdP you will need some information from the SP. This information includes (but is not limited to) the Assertion Consumer Service URL and the Service Provider Entity ID.

1. Log on to the RSA SecurID Access console and browse to Applications > Application Catalog, search for Citrix NetScaler and click +Add to add the connector.
2. On the Basic Information page, specify the application name and click Next Step.
3. On the Connection Profile page, choose SP initiated and POST as the method for SAML Request and scroll down to the SAML Identity Provider (Issuer) section.
4. Upload the certificate and the private key, then scroll down to the Service Provider section.
5. Enter the Assertion Consumer Service (ACS) URL and the Audience (Service Provider Entity ID) and scroll down to the User Identity section.
6. Set the Identifier Type to Email Address and Property to mail and click Next Step.
7. On the User Access page, select the desired user policy from the drop-down list and click Next Step.
8. On the Portal Display page, select Display in Portal.
9. Click Save and Finish.
10. Click Publish Changes.

Your application is now enabled for SSO. Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the service provider for SAML SSO.

SAML via RSA Cloud (IdP)

To configure a SAML Service Provider in RSA Cloud IdP, you must add a Service Provider in the RSA SecurID Access Console. During configuration of the IdP you will need some information from the SP. This information includes (but is not limited to) the Assertion Consumer Service URL and the Service Provider Entity ID.

1. Log on to the RSA SecurID Access console and browse to Authentication Clients > Relying Parties.
2. Click Add a Relying Party.
3. Enter a Name for the relying party and click Next Step.
4. Choose your Authentication settings and click Next Step.
5. Enter the Assertion Consumer Service URL and the Service Provider Entity ID and click Save and Finish.
6. Select the Edit pull-down list and choose View or Download IdP Metadata.
7. Make a note of the entityID value and click Cancel to close the window. This is the same value as the IdP's SSO Sign-In URL.
8. Click Publish Changes.

Your application is now enabled for SSO. Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the service provider for SAML SSO.

RADIUS

To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console. Log on to the RSA SecurID Access console and browse to Authentication Clients > RADIUS > Add RADIUS Client and enter the Name, IP Address and Shared Secret. Click Publish to push your configuration change to the RADIUS server. The RSA Cloud Authentication RADIUS server listens on port UDP 1812.

RSA Authentication Manager Configuration

RADIUS

To configure your RSA Authentication Manager for use with a RADIUS agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console. The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many or 1 to all (global). The RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.

UDP Agent

To configure your RSA Authentication Manager for use with a UDP-based agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Important: Authentication Manager must be able to resolve the IP address from the hostname.

Risk-Based Authentication

To configure your RSA Authentication Manager for risk-based authentication with Citrix NetScaler Gateway, you must create an agent host record and enable it for risk-based authentication in the RSA Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based authentication integration script for the appropriate device type to configure the agent. RSA Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only. The latest risk-based authentication script template is available at the following links.

For the RADIUS integration approach:
https://sftp.rsa.com/human.aspx?username=partner&password=rsas3cur3d!&arg01=228719215&arg12=downloaddirect&transaction=signon&quiet=true

For the DFA + RSA Authentication Agent for Citrix StoreFront integration approach:
https://sftp.rsa.com/human.aspx?username=partner&password=rsas3cur3d!&arg01=458478494&arg12=downloaddirect&transaction=signon&quiet=true

Download this file and copy it to the following directory on your primary RSA Authentication Manager server: /opt/rsa/am/utils/rba-agents

Please refer to RSA documentation for more information on RBA integration scripts.

Partner Product Configuration

Before You Begin

This section provides instructions for configuring Citrix NetScaler with RSA SecurID Access. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Citrix NetScaler components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuration Overview
- Configure an Authentication Policy
  - SAML
  - RADIUS
  - DFA (for use with RSA Authentication Agent for Citrix StoreFront)
  - nfactor (LDAP to RSA Cloud IdP)
- Bind the SecurID Access Authentication Policy
- Configure with Risk Based Authentication
  - RADIUS
  - DFA + RSA Authentication Agent for Citrix StoreFront

Configure an Authentication Policy

NetScaler SAML Policy Configuration

Complete the steps in this section to create a NetScaler SAML authentication policy that can integrate with RSA Cloud Authentication Service using either the Identity Router IdP or the Cloud IdP in "RSA SecurID Access manages all authentication" mode. This policy works with Web logon cases only and does not provide SSO into StoreFront on its own.

1. Log on to the web administration console and browse to Configuration > > Policies > Authentication > SAML and click Add.
2. Enter a Name for the Authentication SAML Policy and click the + to add a server.
3. Configure the Authentication SAML Server settings and click OK.
   - Enter a Name.
   - Add and/or select your public certificate from the IDP Certificate Name drop-down menu.
   - Copy the URL from the Identity Provider URL field in the SecurID Access application into the Redirect URL field.
   - Enter mail into the User Field.
4. Enter ns_true into the Expression field and click Create.

The SAML authentication policy is complete. Proceed to the Bind the SecurID Access Authentication Policy section of this guide.

NetScaler RADIUS Policy Configuration

Complete the steps in this section to integrate with RSA SecurID Access using the RADIUS authentication protocol. This policy works with both Web and client logon cases.

1. Log on to the web administration console and browse to Configuration > > Policies > Authentication > SAML and click Add.
2. Click + to add a new Server.
3. Configure the RADIUS server settings for Authentication Manager or Cloud Authentication Service and click Create.
   - Name: Enter a name to reference this RADIUS server object.
   - Server Name or Server IP: Enter the server name or IP address.
   - Port: Enter the port the server is listening on. RSA Authentication Manager listens on 1812 and 1645. RSA Cloud Authentication Service listens on 1812.
   - Secret Key: Also known as the shared secret. This string must match the string entered on the RSA side.
   - Time-out:
4. Enter ns_true into the Expression field and click Create.

The RADIUS authentication policy is complete. Proceed to the Bind the SecurID Access Authentication Policy section of this guide.

NetScaler DFA Policy Configuration

DFA is a Citrix technology which allows Citrix NetScaler to delegate authentication to Citrix StoreFront. The DFA server must be installed and configured on a Citrix StoreFront server in order for NetScaler to integrate using a DFA policy. When the RSA Authentication Agent for Citrix StoreFront is installed on the DFA server, NetScaler users can be authenticated by the agent using DFA. The agent integrates with RSA Authentication Manager using the native RSA protocol and brings some helpful features such as auto registration and password integration. This policy works with Web and client logon cases and can provide SSO into Citrix StoreFront.

Refer to the Citrix document DFAServerFPReadMe.txt located at the following path for information on how to install and configure the DFA server:
C:\Program Files\Citrix\Receiver StoreFront\Management\Cmdlets

Refer to the RSA Authentication Agent 1.5 for Citrix StoreFront Installation and Administration Guide for information on how to install and configure the agent for use with DFA.

Complete the steps in this section to integrate with the Citrix DFA server.

1. Log on to the web administration console and browse to Configuration > > Policies > Authentication > DFA and click Add.
2. Enter a Name and click the + to add a new Action.
3. Configure the DFA Server settings and click Create.
4. Enter an expression in the Rule field and click Create.

The DFA authentication policy is complete. Proceed to the Bind the SecurID Access Authentication Policy section of this guide.

nfactor (LDAP to RSA Cloud IdP)

Complete the steps in this section to create a NetScaler nfactor policy that will first challenge for username + password (LDAP), and then redirect to RSA Cloud IdP (SAML) for additional authentication only. This policy works for Web cases only and can provide SSO into Citrix StoreFront.

1. Browse to Configuration > Security > AAA Application Traffic > Virtual Servers and click Add.
2. Add a Name, set IP Address Type to Non Addressable and click OK.
3. Click to add a Server Certificate.
4. Select the Server Certificate from the drop-down menu and click Bind.
5. Click Continue and Continue again to complete the AAA virtual server.

Configure and Bind the Login Schema

1. Browse to Configuration > AAA Application Traffic > Login Schema, open the Profiles tab and click Add.
2. Enter a Name and click the Authentication Schema edit icon.
3. Click to open the LoginSchema folder, scroll down to SingleAuth.xml and click Select.
4. Click More to show advanced options. Enter 1 in the User Credential Index field, enter 2 in the Password Credential Index field, mark the checkbox to Enable Single Sign On Credentials and click Create.
5. Browse to Configuration > Security > AAA Application Traffic > Login Schema and click Add to add a new Login Schema policy.
6. Enter a Name, select your Authentication Login Schema profile from the Profile drop-down menu, enter a Rule and click Create.
7. Browse to Configuration > Security > AAA Application Traffic > Virtual Servers and click to edit your AAA virtual server.
8. Under the Advanced Settings menu, click + Login Schemas.
9. Highlight your Authentication Login Schema policy from the list and click Select.
10. Click Bind to bind the policy and then Done to save the changes.

Configure and Bind the Authentication Policy

1. Browse to Configuration > Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > Policy and click Add.
2. Enter a Name, select LDAP from the Authentication Type drop-down menu and click + to add a new Action.
3. Configure the Authentication LDAP server settings and click Create.
4. Enter true in the Expression field and click Create.
5. Browse to Configuration > Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel and click Add.
6. Enter a Name, select Login Schema and click Continue.
7. Click + to create a new policy.
8. Enter a Name and click + to create a new Action.
9. Configure the Authentication SAML Server settings and click Create.
   - Enter a name in the Name field.
   - Select the RSA Cloud IdP signing certificate from the IDP Certificate Name drop-down menu.
   - Enter the RSA Cloud IdP Single Sign On Service URL into the Redirect URL field.
   - Enter samaccountname into the User Field.
   - Enter a value into the Issuer Name. This will serve as the SP Entity ID.
   Note: Due to a defect in the NetScaler web administration console, you may not be able to add a certificate without including the private key (which RSA does not provide). In this case you will need to install the certificate using the NetScaler shell. Run the command:
   add ssl certkey mycert -cert "/nsconfig/ssl/mycert.cer"
10. Enter true in the Expression field and click Create.
11. Choose END from the Goto Expression drop-down menu and click Bind.
12. Click Done to save the Authentication PolicyLabel.

Bind the Advanced Authentication Policy to the AAA Virtual Server

1. Browse to Configuration > Security > AAA Application Traffic > Virtual Servers and click to edit your AAA virtual server.
2. In the Advanced Authentication Policy section, click No Authentication Policy.
3. Configure the Policy Binding and click Bind and then Done to save your changes.
   - Select your AD/LDAP policy from the Select Policy drop-down menu.
   - Select NEXT from the Goto Expression drop-down menu.
   - Select your SAML policylabel from the Select Next Factor drop-down menu.

Configure and Bind the AAA Authentication Profile

1. Browse to Configuration > Security > AAA Application Traffic > Authentication Profile and click Add.
2. Enter a Name and an Authentication Host, select your AAA virtual server from the Authentication Virtual Server drop-down menu and click Create.
   Note: The value entered into the Authentication Host field is not significant, but the field is required in the web console. It is optional when configuring via shell.
3. Browse to Configuration > > Virtual Servers and edit your NetScaler Gateway virtual server.
4. Click + Authentication Profile from the Advanced Settings menu.
5. Select your nfactor authentication profile from the Authentication Profile drop-down menu and click OK and Done to complete the virtual server configuration.

Configure and Bind the Traffic Policy

1. Browse to Configuration > > Policies > Traffic and click Add.
2. Enter a Name for the traffic policy and click + to add a new Request Profile.
3. Configure the Traffic Profile and click Create.
   - Enter a Name for the traffic profile.
   - Enter HTTP.REQ.USER.ATTRIBUTE(1) into the SSO User Expression field.
   - Enter HTTP.REQ.USER.ATTRIBUTE(2) into the SSO Password Expression field.
4. Enter ns_true into the Expression field and click Create.
5. Browse to Configuration > > Virtual Servers and click to edit your virtual server.
6. Scroll down to Policies and click + to add a new policy.
7. Select Traffic from the Choose Policy drop-down menu and click Continue.
8. Choose your traffic policy from the Select Policy drop-down menu and click Bind.

Your virtual server is now configured for LDAP authentication with step-up to RSA Cloud Authentication Service and LDAP credential pass-through to StoreFront.
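The same nfactor flow (LDAP first factor, SAML to RSA Cloud IdP as the additional factor, credential indexes 1 and 2 passed through to StoreFront) expressed as NetScaler 12.0 CLI commands. This is an added example and not configuration from the guide, Citrix or RSA; every object name, the LDAP server address and base DN, the gateway and IdP host names and the IdP SSO URL are assumed placeholders.

```nscli
# Added example: NetScaler 12.0 CLI equivalent of the GUI nfactor steps above.
# All names, addresses and URLs are placeholders; replace them with your own values.

# --- AAA virtual server, non-addressable, with the gateway's server certificate ---
add authentication vserver aaa_rsa_vs SSL 0.0.0.0
bind ssl vserver aaa_rsa_vs -certkeyName gateway_cert

# --- Login schema: SingleAuth.xml, user at index 1, password at index 2 (SSO credentials) ---
add authentication loginSchema ls_singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchemaPolicy ls_singleauth_pol -rule true -action ls_singleauth
bind authentication vserver aaa_rsa_vs -policy ls_singleauth_pol -priority 100 -gotoPriorityExpression END

# --- First factor: Active Directory over LDAPS (placeholder server, base DN and bind account) ---
add authentication ldapAction ldap_ad_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "CN=svc_ldap,OU=Service Accounts,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication Policy ldap_ad_pol -rule true -action ldap_ad_act

# --- Second factor: SAML redirect to RSA Cloud IdP (additional authentication only) ---
# The IdP signing certificate is installed without a private key, as RSA does not provide one.
add ssl certKey rsa_cloud_idp_cert -cert "/nsconfig/ssl/rsa_cloud_idp.cer"
# -samlRedirectUrl is the Cloud IdP Single Sign On Service URL; -samlIssuerName becomes the SP Entity ID.
add authentication samlAction saml_rsa_act -samlIdPCertName rsa_cloud_idp_cert -samlRedirectUrl "https://<tenant>.access.securid.com/<sso-path>" -samlUserField sAMAccountName -samlIssuerName "https://gateway.example.com"
add authentication Policy saml_rsa_pol -rule true -action saml_rsa_act

# Policy label holding the SAML factor; LSCHEMA_INT is the built-in "no schema" login schema,
# so the second factor shows no form and goes straight to the IdP redirect.
add authentication policylabel saml_rsa_label -loginSchema LSCHEMA_INT
bind authentication policylabel saml_rsa_label -policyName saml_rsa_pol -priority 100 -gotoPriorityExpression END

# Bind LDAP as the first factor and chain to the SAML label (Goto Expression NEXT in the GUI)
bind authentication vserver aaa_rsa_vs -policy ldap_ad_pol -priority 100 -nextFactor saml_rsa_label -gotoPriorityExpression NEXT

# --- Authentication profile; -authenticationHost is optional on the CLI, as the guide notes ---
add authentication authnProfile nfactor_rsa_prof -authnVsName aaa_rsa_vs
set vpn vserver gw_vs -authnProfile nfactor_rsa_prof

# --- Traffic policy: hand the LDAP credentials (indexes 1 and 2) to StoreFront for SSO ---
add vpn trafficAction sf_sso_act http -SSO ON -userExpression "HTTP.REQ.USER.ATTRIBUTE(1)" -passwdExpression "HTTP.REQ.USER.ATTRIBUTE(2)"
add vpn trafficPolicy sf_sso_pol ns_true sf_sso_act
bind vpn vserver gw_vs -policy sf_sso_pol -priority 100

# Check the chain: the LDAP binding should list saml_rsa_label as its next factor
show authentication vserver aaa_rsa_vs
```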

Bind the SecurID Access Authentication Policy

To integrate with RSA SecurID Access, you must bind the authentication policy to your virtual server. If SSO to StoreFront is not needed, this is straightforward: bind your SecurID Access authentication policy as either the primary or the secondary type. If SSO into StoreFront is needed, additional considerations apply. Review the cases below to determine how authentication policies should be bound.

RSA Cloud Authentication Service Cases:

VPN access
  Primary Authentication Policy: Bind Cloud Authentication Service (RADIUS or SAML) policy
  Secondary Authentication Policy: Not required
  Session Policy: Not required

Remote access to StoreFront (RADIUS)
  Primary Authentication Policy: Bind Cloud Authentication Service (RADIUS) policy
  Secondary Authentication Policy: Not required. Do not bind an AD policy, as Cloud Authentication Service's first prompt is for AD credentials.
  Session Policy: Set SSO credential index to primary

Remote access to StoreFront (nfactor policy using AD and Cloud IdP)
  Primary Authentication Policy: none
  Secondary Authentication Policy: none

RSA Authentication Manager Cases:

VPN access
  Primary Authentication Policy: Bind Authentication Manager (RADIUS) policy
  Secondary Authentication Policy: Not required
  Session Policy: Not required

Remote access to StoreFront (RADIUS)
  Primary Authentication Policy: Bind Authentication Manager (RADIUS) policy
  Secondary Authentication Policy: Bind Active Directory (LDAP) policy
  Session Policy: Set SSO credential index to secondary

Remote access to StoreFront (DFA + RSA Agent for StoreFront)
  Primary Authentication Policy: Bind DFA policy
  Secondary Authentication Policy: Not required
  Session Policy: Set SSO credential index to primary

1. Log on to the web administration console, browse to Configuration > and click to edit the Virtual Server.
2. Click the + to bind a Basic Authentication policy.
3. Select RADIUS or SAML Policy and Primary or Secondary Type and click Continue.
4. Choose the authentication policy to bind and click Select.
5. Click the > icon to Select Policy.
6. Choose your authentication policy and click Select.
7. Set the Priority and click Bind.
8. Repeat the steps in this section to bind failover / replica server instances. Change the Priority value to reflect the order in which server instances should be tried.
9. Click Done when finished.

Configure Risk-Based Authentication There are two ways to configure Citrix NetScaler with risk-based authentication: one which uses a RADIUS authentication policy and one which uses a DFA authentication policy and RSA Authentication Agent for Citrix StoreFront. The RADIUS integration approach is suitable for VPN cases and the DFA + agent approach is suitable for cases where remote access into Citrix StoreFront is needed. Both cases require that Citrix NetScaler be enabled with RSA SecurID authentication before adding risk-based authentication. RADIUS This solution requires that the following components have already been installed and configured: Citrix NetScaler configured with: Virtual server Primary RADIUS policy with no other authentication policies RBA Integration Overview Configure and upload RBA script and customized pages Configure responder policy Configure and upload RBA script and customized pages 1. Download the am_integration.js integration script from the NetScaler s Authentication Agent in the RSA Security Console and copy it to the /netscaler/ns_gui/vpn/ directory on the NetScaler Gateway. 2. Add a new file with the filename index_rba.html in the /netscaler/ns_gui/vpn/ directory on and insert the following text. <FORM method="post" action="/cgi/login" name="vpnform"/> <input id="enter user name" name="login" /> </FORM> <script type="text/javascript" language="javascript" src="am_integration.js"></script> <script type="text/javascript" language="javascript"> window.onload=redirecttoidp(); </script> 3. Execute the following shell commands on the device to copy these two files to the customization directory: > shell > cd /netscaler/ns_gui/vpn > cp am_integration.js /var/customizations/am_integration.js.mod > cp index_rba.html /var/customizations/index_rba.html.mod Note: Create the /var/customizations/ directory if it does not already exist. 4. If the /nsconfig/rc.netscaler file does not yet exist, create it: > touch /nsconfig/rc.netscaler -- 44 -

5. Add the following lines to rc.netscaler. These commands instruct the NetScaler to recopy your modified files into the vpn directory during each boot sequence:

> echo cp /var/customizations/am_integration.js.mod /netscaler/ns_gui/vpn/am_integration.js >> /nsconfig/rc.netscaler
> echo cp /var/customizations/index_rba.html.mod /netscaler/ns_gui/vpn/index_rba.html >> /nsconfig/rc.netscaler

6. Make a note of your RBA target URL:

https://virtual_server_hostname/vpn/index_rba.html

DFA + RSA Agent for StoreFront approach

This solution requires that the following components have already been installed and configured:

Citrix NetScaler configured with:
- Virtual server
- Primary DFA policy with no other authentication policies

Also required:
- Citrix StoreFront with DFA server enabled
- RSA Authentication Agent for Citrix StoreFront

Note: Refer to the RSA Authentication Agent for Citrix StoreFront Installation and Administration Guide for more information on these components.

RBA Integration Overview
- Install RSA Risk-Based Authentication Helper
- Configure and upload RBA script and customized pages
- Configure responder policy

Install RSA Risk-Based Authentication Helper application

Install the RSA Risk-Based Authentication Helper web application (RBA Helper) according to the instructions in the RSA Authentication Agent for Citrix StoreFront Installation and Administration Guide. The only requirement for this solution is that the web application must be reachable from the end user's browser. Two options for accomplishing this are:

1. Install the RSA RBA Helper on a web server (or web servers) in the DMZ alongside the NetScaler Gateway virtual server.
2. Install the RSA RBA Helper on the StoreFront server in the protected network and expose it through an SSL bridge configured on the NetScaler. An SSL bridge passes the TLS session through without terminating it, so the NetScaler cannot restrict the exposed traffic to the helper's path; weigh option 2 against the fact that the whole HTTPS surface of that StoreFront server becomes reachable from the outside.

Configure and upload RBA script and customized pages

1. Log on to the RSA Authentication Manager Security Console and download the Citrix_NetScaler_11_12_DFA risk-based authentication integration script (am_integration.js).

Important: Download the RBA integration script from the agent host record that corresponds to the Citrix StoreFront agent.

2. Rename the am_integration.js file to am_integration_servername.js (where servername matches the NetScaler virtual server's hostname). Open the script file in a text editor and modify the following variables according to the instructions included in the script file:

netscalerurl
netscalerrbalogonurl
rbahelperurl
cookiedomain
cookiepath

3. Create a new file, name it index_servername_rba.html (where servername matches the NetScaler virtual server's hostname) and add the text below. This customized page redirects the user to RSA Authentication Manager's RBA logon page. JavaScript function names are case-sensitive, so use the exact spelling found in am_integration_servername.js.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Authenticating...</title>
</head>
<body>
<script src="am_integration_servername.js" type="text/javascript"></script>
<script type="text/javascript">
createandsubmitformtorbaserver();
</script>
</body>
</html>

4. Save a copy of the /var/netscaler/logon/logonpoint/index.html file, name it rba_logon.html and make the changes described below. This customized page is used by the RBA Helper to invoke authentication to Citrix StoreFront.

   1. Replace line 4 with:

   <title>Authenticating...</title>

   2. Insert the script line shown here on its own line directly after the <body> tag:

   <body>
   <script type="text/javascript" src="/logon/logonpoint/am_integration_servername.js"></script>

   3. Insert the script block shown here on its own lines directly above the </body> tag:

   <script>
   window.onload=receivecredentialsfromrba();
   </script>
   </body>

5. Upload am_integration_servername.js, index_servername_rba.html and rba_logon.html to the /var/netscaler/logon/logonpoint directory on the NetScaler.

Note: If your NetScaler is deployed in an HA pair, these files must be uploaded to both the primary and secondary instances.

6. Execute the following shell commands on the device to copy these files to the customization directory:

> shell
> cd /netscaler/logon/logonpoint
> cp am_integration_servername.js /var/customizations/am_integration_servername.js.mod
> cp index_servername_rba.html /var/customizations/index_servername_rba.html.mod
> cp rba_logon.html /var/customizations/rba_logon.html.mod

Note: Create the /var/customizations/ directory if it does not already exist. Step 5 uploads the files to /var/netscaler/logon/logonpoint, while the commands in steps 6 and 8 refer to /netscaler/logon/logonpoint; use whichever of the two paths actually holds the LogonPoint files on your build, and use it consistently in the cp commands and in rc.netscaler.

7. If the /nsconfig/rc.netscaler file does not yet exist, create it:

> touch /nsconfig/rc.netscaler

8. Add the following lines to rc.netscaler. These commands instruct the NetScaler to recopy your modified files into the logonpoint directory during each boot sequence. The source names must match the .mod files created in step 6 exactly, or the boot-time copy fails silently:

> echo cp /var/customizations/am_integration_servername.js.mod /netscaler/logon/logonpoint/am_integration_servername.js >> /nsconfig/rc.netscaler
> echo cp /var/customizations/index_servername_rba.html.mod /netscaler/logon/logonpoint/index_servername_rba.html >> /nsconfig/rc.netscaler
> echo cp /var/customizations/rba_logon.html.mod /netscaler/logon/logonpoint/rba_logon.html >> /nsconfig/rc.netscaler

9. Take note of the RBA target logon page:

https://nsvirtualserver.mycompany.tld/logon/logonpoint/index_servername_rba.html
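The copy-to-/var/customizations and echo >> rc.netscaler steps are the same in the RADIUS procedure (steps 3 to 5, vpn directory) and in the DFA procedure (steps 6 to 8, logonpoint directory), and in both they are written as one-off commands: running them a second time appends duplicate lines to rc.netscaler, and nothing checks after a reboot or firmware upgrade that the boot-time copy actually restored the customized pages. The shell functions below are an added example, not part of the RSA guide or of NetScaler, that wrap those three actions so they can be re-run safely from the NetScaler shell prompt. They assume the layout the guide describes (modified files kept as /var/customizations/<name>.mod and re-copied by /nsconfig/rc.netscaler); the CUST_DIR and RC_FILE variables are overridable so the functions can be tried against a scratch directory before touching an appliance, and the code is POSIX sh because the appliance shell is not bash.

```shell
#!/bin/sh
# Added example (not from the RSA guide): idempotent persistence and
# verification of NetScaler UI customizations. Assumes the guide's layout:
#   /var/customizations/<name>.mod   kept copy of each modified file
#   /nsconfig/rc.netscaler           re-copies them at every boot
# CUST_DIR and RC_FILE can be overridden to exercise the functions in a
# scratch directory instead of on a real appliance.

CUST_DIR="${CUST_DIR:-/var/customizations}"
RC_FILE="${RC_FILE:-/nsconfig/rc.netscaler}"

# persist_customization SRC DEST
#   SRC  : the modified file as it exists now
#   DEST : the live path rc.netscaler must restore it to (same as SRC in the guide)
# Copies SRC to CUST_DIR/<basename>.mod and appends the matching cp line to
# RC_FILE only if that exact line is not already present, so repeating the
# procedure never duplicates boot-time commands.
persist_customization() {
    src="$1"; dest="$2"
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    mkdir -p "$CUST_DIR"
    mod="$CUST_DIR/$(basename "$dest").mod"
    cp "$src" "$mod"
    line="cp $mod $dest"
    [ -f "$RC_FILE" ] || : > "$RC_FILE"
    if ! grep -Fxq -- "$line" "$RC_FILE"; then
        printf '%s\n' "$line" >> "$RC_FILE"
    fi
}

# apply_customizations
#   Performs what rc.netscaler does at boot: runs every "cp <mod> <dest>" line.
#   Useful right after a firmware upgrade without waiting for a reboot.
apply_customizations() {
    [ -f "$RC_FILE" ] || return 0
    while read -r cmd mod dest; do
        [ "$cmd" = "cp" ] || continue
        cp "$mod" "$dest"
    done < "$RC_FILE"
}

# verify_customizations
#   Checks that every live file referenced by a cp line in RC_FILE is
#   byte-identical to its .mod copy. Prints the stale or missing ones and
#   returns 1 if any differ; returns 0 when everything is in place.
verify_customizations() {
    [ -f "$RC_FILE" ] || { echo "no $RC_FILE" >&2; return 1; }
    rc=0
    while read -r cmd mod dest; do
        [ "$cmd" = "cp" ] || continue
        if [ ! -f "$dest" ] || ! cmp -s "$mod" "$dest"; then
            echo "stale or missing: $dest" >&2
            rc=1
        fi
    done < "$RC_FILE"
    return $rc
}

# Usage on the appliance (from the 'shell' prompt), mirroring the RADIUS case:
#   persist_customization /netscaler/ns_gui/vpn/am_integration.js /netscaler/ns_gui/vpn/am_integration.js
#   persist_customization /netscaler/ns_gui/vpn/index_rba.html    /netscaler/ns_gui/vpn/index_rba.html
#   verify_customizations     # run again after the next reboot or upgrade
```

On an HA pair run the same calls on both nodes, since rc.netscaler and /var/customizations are not synchronized by HA. verify_customizations is the check worth scripting into post-upgrade procedures: if the live index_rba.html is silently reverted to the stock page, users land on the ordinary logon form and RBA is bypassed without any error being logged.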

Configure and bind Responder policy

1. Log on to the web administration console, browse to Configuration > AppExpert > Responder and click Responder Policy Manager.
2. Configure the Bind Point and click Continue.
3. Click the + icon to create a new responder policy.
4. Click the + icon to create a new Action.
5. Enter the Name, select Redirect from the Type drop-down menu, add the RBA target URL into the Expression field and click Create.
6. Enter the Expression and click Create:

HTTP.REQ.HOSTNAME.EQ("virtualserver_fqdn")&&HTTP.REQ.URL.EQ("index.html")

Note: HTTP.REQ.URL evaluates against the full request URL, so the string compared with EQ must be the path the browser actually requests for the logon page (for example /vpn/index.html in the RADIUS case or /logon/logonpoint/index.html in the DFA case), not just the file name. After binding, browse to the virtual server's logon page and confirm that the redirect to the RBA page fires; if the expression never matches, users simply get the ordinary logon form and RBA is skipped without any error.

7. Check the Policy Binding settings and click Bind.
8. Click Done to complete the configuration.

Login Screenshots

[Screenshots not reproduced in this copy: Login screen; User-defined New PIN; System-generated New PIN; Next Tokencode; Authentication Method Selection]

Certification Checklist for RSA SecurID Access

Certification Environment Details:
- RSA Authentication Manager 8.2 SP1, Virtual Appliance
- Citrix NetScaler 12.0 VPX

RSA Cloud Authentication Service (Date Tested: February 20th, 2018)

Authentication Method      REST Client   RADIUS Client
RSA SecurID                -
LDAP Password              -
Authenticate Approve       -
Authenticate Tokencode     -
Device Biometrics          -
SMS Tokencode              -
Voice Tokencode            -
FIDO Token                 -

RSA Authentication Manager (Date Tested: February 20th, 2018)

Authentication Method                   REST Client   UDP Agent   TCP Agent   RADIUS Client
RSA SecurID                             -             -           -
RSA SecurID Software Token Automation   -             -           -
On Demand Authentication                -             -           -
Risk-Based Authentication               -

Legend: check mark = Passed, X = Failed, - = N/A. Only the N/A dashes survived in this copy of the checklist, listed in the order they appear in each row; the Passed marks for the remaining cells are not reproduced, so read the blank cells against the original PDF.