Azure MFA Integration with NetScaler


This guide describes the configuration required to integrate Azure MFA (Multi-Factor Authentication) with NetScaler.

NetScaler is an application delivery controller (ADC) that load balances, accelerates, optimizes and secures enterprise applications. Azure Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution; it delivers the second factor through a phone call, a text message or the mobile app. Configuring Azure MFA as an authentication factor on NetScaler lets users authenticate to NetScaler for all of their access while the second factor is enforced by Azure MFA, and it shortens the time needed to roll out Azure MFA as part of an enterprise authentication solution.

In this integration the on-premises Azure MFA Server is one of the authentication factors on NetScaler: the standard user credentials are checked against the directory and combined with the second factor before access to logins and portals is granted. NetScaler has native multi-factor capabilities of its own as well, so enterprises can choose how their authentication landscape is built. This guide covers the LDAP-based integration, in which the MFA Server acts as an LDAP proxy between NetScaler and Active Directory: NetScaler sends its LDAP authentication traffic to the MFA Server, which validates the password against the directory and then triggers the second-factor challenge. The security of the deployment depends on that ordering; an LDAP server on NetScaler that points straight at a domain controller bypasses Azure MFA.

NOTE: Parts of this document use configuration information from https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-advanced-vpn-configurations#citrix-netscaler-ssl-vpn-and-azure-multi-factor-authentication

The following software versions are used and recommended for this configuration:

   Software                              Version
   NetScaler VPX (Enterprise/Platinum)   11.1
   Azure MFA Server                      7.3.0.3

Configuration Details

The test deployment topology is shown in Figure 1: one NetScaler appliance, one Azure MFA Server and a backend Active Directory/LDAP server. NetScaler sends its LDAP authentication traffic only to the MFA Server; the MFA Server queries Active Directory on its behalf.

Figure 1: Deployment Topology

Part 1: Configure Azure MFA Server

The following configuration is required on the Azure MFA Server:
1. Enable LDAP authentication on the Azure MFA Server and add NetScaler as an LDAP client.
2. Connect Azure MFA to the directory service (Active Directory), then configure a default authentication method.
3. Import accounts into the MFA Users group and configure the account NetScaler binds with.

Configuring Azure MFA authentication
1. Connect and log in to the Windows server where Azure MFA is installed.
2. Open the Apps screen (Windows Server 2012).
3. Click the Multi-Factor Authentication Server icon under Multi-Factor Authentication Server.
4. The Multi-Factor Authentication Server window opens.

1. Enable LDAP authentication and add NetScaler as a client. Click the LDAP Authentication icon in the left-hand navigation panel.
2. In the LDAP Authentication section, select Enable LDAP Authentication.

1. Select the Clients tab and change the port number if necessary. The defaults are 389 for plaintext LDAP and 636 for LDAP over SSL (LDAPS). Use 636: on port 389 the NetScaler bind password and every user's password cross the network in the clear between NetScaler and the MFA Server. The port chosen here must match the port configured on the NetScaler LDAP server in Part 2.
2. If LDAPS is in use, click Browse and add the SSL certificate that the MFA Server will present to NetScaler.

1. Click Add in the LDAP Clients dialog box to add a new LDAP client, and enter the following details:
   IP address: the NetScaler SNIP that will be used to communicate with Azure MFA. The MFA Server accepts LDAP binds only from registered client addresses, so this must be the address NetScaler actually sources its LDAP traffic from.
   Application name: a descriptive name for the NetScaler client connection.
   Require Multi-Factor Authentication user match: if selected, only users who are in the MFA Users list are granted access through this client. If not selected, only users in the MFA Users list are challenged for MFA, and any other domain user can authenticate with a password alone. For a deployment in which every user is expected to use MFA, select it once the import below is complete, so that an account missed by the import cannot bypass the second factor; the NetScaler bind account must then be imported as well (see Configuring the MFA Administrator Account).
2. Select the Target tab and verify that it shows LDAP.

This completes adding NetScaler as an LDAP client and enabling LDAP authentication.

Directory Integration
1. In the Multi-Factor Authentication Server window, click Directory Integration in the navigation section.
2. When the Directory Integration tool opens, select the Settings tab.

1. Select Use Specific LDAP configuration.
2. Click Edit to open the Edit LDAP Configuration dialog box.

1. Enter the following settings:
   Server: the directory server host name or IP address. NOTE: An FQDN is required if the bind type below is set to SSL, so that the name can be matched against the server certificate.
   Base DN: the directory path to search.
   Bind type: the protocol used for directory searches (Queries) and for authentication (Authentication). The options for Queries are Anonymous, Simple, SSL and Windows; the options for Authentication are Anonymous, Simple, SSL and Windows. NOTE: choosing the correct bind type is essential for security. A Simple bind without SSL sends the bind password in the clear, and an Anonymous bind gives no assurance of who is querying the directory.
   Bind DN: required only for the SSL bind type; a domain\user account that can read the directory. The guide uses an account with administrator privileges; a dedicated service account with read rights to the user containers is sufficient and preferable.
   Bind Password: required only for the SSL bind type; the password for that account.
   Query size limit: the maximum number of users a search will return.
2. Click Test to confirm that the MFA Server can connect to the LDAP server.
3. Once the test completes successfully, click OK.
4. Click OK to close the completion prompt.

This completes MFA Server directory service setup.

Default Authentication Method

The Default Authentication Method is the authentication method automatically assigned to MFA users. It is required when users are not allowed to change their authentication method, so that every user has a base method assigned; it is optional when users are allowed to change methods.

Company Settings
1. Click Company Settings in the navigation area.
2. Select the General tab.

1. Leave the default settings except for the following User defaults; select one of the options below:
   Phone call: select Standard from the drop-down menu.
   Text message: select Two-Way and OTP from the drop-down menus.

   Mobile app: select Standard from the drop-down menu. (This option requires device registration through the Azure Authenticator app; see Device Registration for Azure Authenticator Users below.)

This completes the Company Settings configuration for LDAP authentication.

With NetScaler configured as an LDAP client, every bind the MFA Server proxies for that client is subject to MFA, including the bind NetScaler makes with its own administrator (bind DN) account before it searches for the user. That account can never answer a phone or app challenge, so two more things are needed: user accounts must be imported from the LDAP directory into MFA Users, and the NetScaler bind account must be configured so that its bind succeeds without an MFA prompt.

Importing User Accounts
1. Click the Users icon in the navigation section.

1. In the Users section, click Import from LDAP.
2. Select a user group on the Import screen.

1. Select the user accounts you want to import. Leave the settings as they are; in this deployment the Import Phone option is set to Mobile (other options are available). The imported number is the one that will be called or texted, so it must be correct in the directory before the import.
2. Click Import. Then click OK in the Import Success dialog box, and click Close on the Import screen to return to the Users pane.

Configuring the MFA Administrator Account

Now configure the administrator account, the account NetScaler uses as its LDAP bind DN, so that its LDAP binds succeed without an MFA challenge.
1. Select the administrator (NetScaler bind) account in the Users screen.
2. Click Edit.
3. Select the General tab.

1. Clear the Enabled checkbox.
2. Select the Advanced tab.

1. Leave the default settings except for the following:
   When user is disabled: select Succeed Authentication. Because the account is disabled it is never challenged; this setting makes its LDAP bind succeed instead of failing.
   Account is used for LDAP Authentication password changes: select this to allow end users to change their own passwords.
2. Click Apply, then click Close.

This account is now the one identity that can bind through the MFA Server with a password alone. Keep it a dedicated service account with only the directory rights it needs and a strong password, and do not reuse it for anything else.

This completes configuration of the MFA Server.
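The three settings above (Require Multi-Factor Authentication user match on the LDAP client, the per-user Enabled checkbox, and When user is disabled) decide whether a given LDAP bind proxied by the MFA Server is challenged, passed through on a password alone, or refused. The following Python model is an added example, not Citrix or Microsoft code: it encodes those decisions as the guide describes them so their interaction can be checked offline. The class and function names, the sample MFA Users list and the directory listing are constructed for the example.

```python
"""Model of the Azure MFA Server LDAP-proxy decisions described in Part 1.

Added example: not Citrix or Microsoft code. It encodes the behaviour the
guide attributes to three settings so that their interaction can be checked
offline. Decision, MfaUser, LdapClient and the sample data are this
example's own names, not MFA Server identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"                    # MFA Server refuses the bind outright
    PASSWORD_ONLY = "password-only"  # proxied to AD, no second factor
    REQUIRE_MFA = "require-mfa"      # AD password plus Azure MFA challenge


@dataclass
class MfaUser:
    enabled: bool = True
    # "When user is disabled": True = Succeed Authentication,
    # False = Fail Authentication. The guide sets True for the bind account.
    succeed_when_disabled: bool = False


@dataclass
class LdapClient:
    name: str
    require_user_match: bool          # "Require Multi-Factor Authentication user match"
    users: dict = field(default_factory=dict)  # the imported "MFA Users" list


def decide(client: LdapClient, username: str) -> Decision:
    """Return what the MFA Server does with an LDAP bind for `username`."""
    user = client.users.get(username.lower())
    if user is None:
        # Not imported into MFA Users. With user match the server refuses;
        # without it the bind is simply proxied to AD with no second factor.
        return Decision.DENY if client.require_user_match else Decision.PASSWORD_ONLY
    if not user.enabled:
        return Decision.PASSWORD_ONLY if user.succeed_when_disabled else Decision.DENY
    return Decision.REQUIRE_MFA


def unchallenged_users(client: LdapClient, directory_users: list[str]) -> list[str]:
    """Directory accounts that would reach AD through this client with no MFA prompt.

    `directory_users` is the full list of accounts in the directory; here it is
    a constructed list, in practice it would come from an LDAP search.
    """
    return sorted(u for u in directory_users
                  if decide(client, u) is Decision.PASSWORD_ONLY)


# Constructed sample matching the guide's deployment: alice and bob were
# imported, carol was missed, and the NetScaler bind account was imported,
# disabled and set to Succeed Authentication.
SAMPLE_USERS = {
    "alice": MfaUser(),
    "bob": MfaUser(),
    "svc-netscaler-bind": MfaUser(enabled=False, succeed_when_disabled=True),
}
DIRECTORY = ["alice", "bob", "carol", "svc-netscaler-bind"]

netscaler_strict = LdapClient("NetScaler", require_user_match=True, users=SAMPLE_USERS)
netscaler_lenient = LdapClient("NetScaler", require_user_match=False, users=SAMPLE_USERS)

if __name__ == "__main__":
    for client in (netscaler_strict, netscaler_lenient):
        print(f"{client.name} require_user_match={client.require_user_match}:")
        for name in DIRECTORY:
            print(f"  {name:20s} -> {decide(client, name).value}")
        print("  password-only:", unchallenged_users(client, DIRECTORY))
```

Running it shows the trap: with user match unselected, carol, who was never imported, authenticates with a password alone, while the disabled bind account passes in both modes because of Succeed Authentication. For a production client, unchallenged_users() should return nothing but the bind account.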

Part 2: Configure the NetScaler Appliance

The following configuration is required on the NetScaler appliance:
- An LDAP authentication server and policy for domain authentication, pointed at the Azure MFA Server
- An SSL certificate, with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)
- A VPN virtual server

This guide covers the configuration described above. The SSL certificate and DNS configuration should be in place before setup.

Configuring LDAP domain authentication

For domain users to be able to log on to the NetScaler appliance with their domain credentials, you must configure an LDAP authentication server and policy on the appliance and bind it to your VPN VIP address. An existing LDAP configuration can be reused, provided its server address and port are changed as described in step 2.

1. In the NetScaler configuration utility, in the navigation pane, select NetScaler Gateway > Policies > Authentication > LDAP.
2. To create a new LDAP policy: on the Policies tab click Add, and then enter LDAP_Policy as the name. In the Server field, click the + icon to add a new server. The Authentication LDAP Server window appears. In the Name field, enter LDAP_Server. Select the Server IP radio button and enter the IP address of the Azure MFA Server, reached from the SNIP that you registered as the LDAP client in Part 1. Do not enter a domain controller here: NetScaler must send its LDAP traffic to the MFA Server, which proxies it to Active Directory and adds the second factor, and an LDAP server that points straight at a domain controller authenticates users with a password alone and bypasses Azure MFA entirely. (If you have more than one MFA Server behind a load-balancing virtual server, you can point to that virtual server IP for redundancy.) Specify the port the NetScaler will use; it must match the port set on the MFA Server's Clients tab, 389 for LDAP or 636 for Secure LDAP (LDAPS). Use 636.
3. Under Connection Settings, enter the base DN of the container in Active Directory (AD) in which the user accounts to be authenticated reside. The example below uses cn=users,dc=ctxns,dc=net.
4. In the Administrator Bind DN field, enter a domain account (a UPN such as user@domain is accepted, which simplifies configuration) that has rights to browse the AD tree. Use a dedicated service account, so that a password expiration on a personal account does not break logins. This is the account that was imported and disabled in Part 1 (Configuring the MFA Administrator Account); if it is not configured there, the bind itself triggers an MFA prompt and every login fails.
5. Check the Bind DN Password box and enter the password twice.

6. Under Other Settings, enter samaccountname as the Server Logon Name Attribute.
7. In the SSO Name Attribute field, enter UserPrincipalName. Enable the User Required and Referrals options. Leave the other settings as they are.
8. Click More at the bottom of the screen, then add mail as Attribute 1 in the Attribute Fields section. Leave Nested Group Extraction disabled (this deployment does not use it).
9. Click Create to complete the LDAP server settings.
10. For the LDAP policy, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true.
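The GUI steps above correspond to `add authentication ldapAction`, `add authentication ldapPolicy` and `bind vpn vserver ... -policy` lines in the NetScaler configuration (ns.conf), and those lines are the easiest place to verify the integration after the fact. The script below is an added example, not Citrix code: it parses a constructed configuration excerpt in that CLI form and flags an LDAP server bound to a gateway that points anywhere other than the Azure MFA Server (MFA bypass), a PLAINTEXT secType (NetScaler's default when none is set), and an SSL/TLS secType without validateServerCert YES (NetScaler's default is NO). The MFA Server address 10.0.0.20, the virtual server and policy names and the sample lines are assumptions of the example; the parameter names are the NetScaler CLI parameters behind the fields used in steps 2 to 10.

```python
"""Audit a NetScaler configuration excerpt for the Azure MFA LDAP integration.

Added example, not Citrix code. It reads the CLI form of the objects created
in Part 2 and reports settings that weaken or bypass the MFA step.
"""
import shlex
from collections import defaultdict

# Assumption: address(es) of the Azure MFA Server as seen from the NetScaler
# SNIP. An ldapAction may also use -serverName, so FQDNs can be listed too.
MFA_SERVERS = {"10.0.0.20"}

# Constructed ns.conf excerpt. GW_Azure_MFA follows the guide; GW_Legacy is a
# gateway whose LDAP server was left pointing straight at a domain controller.
SAMPLE_CONFIG = r'''
add authentication ldapAction LDAP_Server -serverIP 10.0.0.20 -serverPort 636 -ldapBase "cn=users,dc=ctxns,dc=net" -ldapBindDn svc-netscaler-bind@ctxns.net -ldapBindDnPassword REDACTED -ldapLoginName samaccountname -ssoNameAttribute UserPrincipalName -secType SSL -validateServerCert YES -followReferrals ON -Attribute1 mail
add authentication ldapAction LDAP_DirectToDC -serverIP 10.0.0.10 -serverPort 389 -ldapBase "cn=users,dc=ctxns,dc=net" -ldapBindDn svc-netscaler-bind@ctxns.net -ldapBindDnPassword REDACTED -ldapLoginName samaccountname
add authentication ldapPolicy LDAP_Policy ns_true LDAP_Server
add authentication ldapPolicy LDAP_Policy_DC ns_true LDAP_DirectToDC
bind vpn vserver GW_Azure_MFA -policy LDAP_Policy -priority 100
bind vpn vserver GW_Legacy -policy LDAP_Policy_DC -priority 100
'''


def parse_options(tokens):
    """Collect '-name value' pairs (and bare '-flag' switches) into a dict."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok[1:]] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:]] = True
        i += 1
    return opts


def parse_config(text):
    """Return (ldap actions, policy -> action, vserver -> [bound policies])."""
    actions, policies, bindings = {}, {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = shlex.split(line)
        if t[:3] == ["add", "authentication", "ldapAction"]:
            actions[t[3]] = parse_options(t[4:])
        elif t[:3] == ["add", "authentication", "ldapPolicy"]:
            policies[t[3]] = t[5]  # name, rule expression, action
        elif t[:3] == ["bind", "vpn", "vserver"]:
            opts = parse_options(t[4:])
            if "policy" in opts:
                bindings[t[3]].append(opts["policy"])
    return actions, policies, bindings


def audit(text, mfa_servers):
    """Return (vserver, code, detail) findings for each LDAP action bound to a gateway."""
    actions, policies, bindings = parse_config(text)
    findings = []
    for vserver, bound in bindings.items():
        ldap_actions = [policies[p] for p in bound if p in policies]
        if not ldap_actions:
            findings.append((vserver, "NO_LDAP_POLICY", "no LDAP policy bound"))
        for name in ldap_actions:
            a = actions.get(name, {})
            target = a.get("serverIP") or a.get("serverName") or "?"
            if target not in mfa_servers:
                findings.append((vserver, "MFA_BYPASS",
                                 f"{name} binds to {target}, not the Azure MFA Server; "
                                 "users get a password-only login"))
            sec = a.get("secType", "PLAINTEXT")  # NetScaler default when unset
            if sec == "PLAINTEXT":
                findings.append((vserver, "PLAINTEXT_LDAP",
                                 f"{name} sends the bind DN password and user passwords "
                                 f"in the clear on port {a.get('serverPort', '389')}"))
            elif a.get("validateServerCert", "NO") != "YES":  # NetScaler default is NO
                findings.append((vserver, "NO_CERT_VALIDATION",
                                 f"{name} uses {sec} but does not validate the server certificate"))
    return findings


if __name__ == "__main__":
    for vserver, code, detail in audit(SAMPLE_CONFIG, MFA_SERVERS):
        print(f"{vserver}: {code}: {detail}")
```

On a real appliance, feed it the output of `show ns runningConfig` (or the saved ns.conf) and the address of your MFA Server. GW_Azure_MFA produces no findings; GW_Legacy is reported twice, once for bypassing the MFA Server and once for plaintext LDAP, which is exactly the pair of mistakes the procedure above is designed to prevent.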

To Configure your VPN (NetScaler Gateway) Virtual Server

An employee trying to log in is directed to a NetScaler VPN virtual server that validates the employee's corporate credentials. This virtual server listens on port 443, which requires an SSL certificate. External and/or internal DNS resolution of the virtual server's IP address (which is on the NetScaler appliance) is also required. The following steps assume that DNS name resolution is already in place and that the SSL certificate is already installed on your NetScaler appliance.

1. In the NetScaler Configuration tab, navigate to NetScaler Gateway > Virtual Servers and click Add.
2. In the Gateway Virtual Server window, enter the virtual server's name and IP address.

4. Click Continue.
5. In the Certificates section, select No Server Certificate.
6. In the Server Cert Key window, click Bind.
7. Under SSL Certificates, choose the server certificate issued for the gateway FQDN and select Insert.
8. Click Save, then click Continue.
9. Click Continue again to bypass the Advanced Policy creation option; instead, add a Basic Authentication Policy by selecting the + icon on the right side of the window.
10. In the Choose Type window, select Choose Policy from the drop-down list, select LDAP, leave Primary as the type, and select Continue.
11. Select Bind, and in the Policies window select the LDAP policy created earlier.

12. Click OK to return to the Gateway Virtual Server screen.

Testing Authentication

Device Registration for Azure Authenticator Users
(This step only applies when the mobile app authentication method is used.) The instructions below explain activation of a user device through the MFA Server Users Portal.

Requirements
- A device with the Azure Authenticator mobile application installed. The application can be downloaded from the platform store for Windows Phone, Android and iOS.
- The Azure Users Portal address.
- A computer to access the Users Portal.
- User credentials.

Activate Device
1. Log in to the Azure Users Portal from a browser.
2. On the setup screen, click Generate Activation Code.

4. The activation code options are displayed.
5. Activate the mobile authentication app on the test device.

6. There are two options: enter the activation code and URL displayed on the Users Portal screen into the device's activation screen, or use the device to scan the barcode displayed on the Users Portal screen.

This completes device activation.

Login

Now you are ready to test MFA authentication. Note the requirements listed below before you start.

General Requirements
- A computer to access the login screen.
- The SSL VPN appliance URL for network sign-in.
- User credentials.

Phone Call
Required: a phone with the number listed in the AD user account's Mobile phone attribute.
1. On a computer, open the login page in a web browser.
2. Enter user credentials.
3. Check the phone for a call. NOTE: The call originates in the cloud from the Azure MFA service.
4. The phone call provides instructions to complete authentication.

Text Message
Required: an SMS-capable phone with the number listed in the user account's Mobile phone attribute.
1. On a computer, open the login page in a web browser.
2. Enter user credentials.
3. Check the phone for a text message with the verification code.

4. Reply to the text message with the same verification code.

Mobile App
Required: a device with the Azure Authenticator app activated.
1. On a computer, open the login page in a web browser.
2. Enter user credentials.
3. Check the device with Azure Authenticator for a prompt.
4. Tap Verify.
5. The authentication application communicates with the MFA Server to complete authentication.

Successful authentication grants access through the browser session. Also run a negative test: log in with the correct password of a directory user who was not imported into MFA Users. With Require Multi-Factor Authentication user match selected on the LDAP client, that login must be rejected; if it succeeds, NetScaler is not sending its binds through the MFA Server and the LDAP server address in Part 2 should be checked.

This completes the setup and testing for Azure Multi-Factor Authentication using the LDAP protocol in a Citrix NetScaler SSL VPN appliance deployment.

Conclusion

Citrix NetScaler integrates with Azure MFA, allowing a multitude of authentication use cases to be delivered for enterprise customers.

Copyright 2018 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner/s.