DIGIPASS Authentication to Citrix XenDesktop with endpoint protection


DIGIPASS Authentication to Citrix XenDesktop with endpoint protection
SmartAccess Configuration with Digipass
INTEGRATION GUIDE

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Integration Guidelines 1 DIGIPASS SSO Authentication to Citrix XenDesktop in High Security Environments

Table of Contents

Disclaimer ... 1
Table of Contents ... 2
1 Abstract ... 4
2 Reader ... 4
3 Overview ... 4
  How SmartAccess Works for XenApp and XenDesktop ... 5
4 Problem Description ... 6
5 Solution ... 6
6 Technical Concept ... 8
6.1 General overview ... 8
6.2 Citrix prerequisites ... 8
6.3 IDENTIFIER prerequisites ... 8
7 Citrix Configuration ... 9
7.1 Netscaler Authentication configuration ... 9
7.2 Web Interface configuration ... 10
8 IDENTIFIER DMZ ... 10
8.1 Policy configuration ... 10
8.2 Client configuration ... 13
8.3 LDAP Synchronization ... 14
9 IDENTIFIER LAN ... 14
9.1 Policy configuration ... 14
9.2 Client configuration ... 17
9.3 LDAP Synchronization ... 17
10 DIGIPASS Authentication for IIS basic ... 18
11 Citrix CAG login with DIGIPASS ... 19
11.1 Logon ... 19
12 DIGIPASS and User Management ... 20
12.1 DIGIPASS ... 20
12.2 Users ... 20
13 Additional functionalities ... 20
13.1 Password change policies ... 20
13.2 DIGIPASS provisioning ... 20
14 About VASCO Data Security ... 20

1 Abstract

SmartAccess allows control over the user's system requesting access to the applications published with Citrix XenApp, through the use of Access Gateway Enterprise policies and filters. This permits the use of endpoint analysis as a condition for application access, along with other factors. This functionality is achieved by integrating Access Gateway Enterprise components with the Web Interface for Citrix XenApp Server and with Citrix XenApp Server itself, which provides advanced authentication and access control.

To protect the user's identity and the company's network, the static password, the weakest link in security, should be eliminated and replaced by DIGIPASS. DIGIPASS by VASCO provides one-time passwords, which allow the user to log on with a unique time-based password that can only be used once, within a certain time frame. This one-time password replaces the static password stored in Active Directory or any other database. VASCO's strong authentication allows the use of DIGIPASS to log on with a single one-time password to the multiple Citrix environments used in the SmartAccess scenario.

SmartAccess in combination with DIGIPASS offers:
- Citrix online applications and desktops provisioning
- no user-controlled password
- Single Sign-On to all sessions
- SmartAccess capability, i.e. the ability to influence application properties based on connection properties / context

2 Reader

This document is a guideline for configuring a partner product with IDENTIFIER or IDENTIKEY Server. For details about the setup and configuration of IDENTIKEY Server and IDENTIFIER, we refer to the installation and administration manuals of these products. IDENTIFIER is VASCO's appliance, which runs IDENTIKEY Server by default. Within this document, VASCO Data Security provides the reader with guidelines for configuring the partner product, with its specific configuration, in combination with VASCO Server solutions and DIGIPASS. Any change in the concept might require a change in the configuration of the VASCO Server products. The product name IDENTIFIER will be used throughout the document, keeping in mind that it also applies to IDENTIKEY Server.

3 Overview

The purpose of this document is to demonstrate how to configure IDENTIFIER and DIGIPASS authentication on Citrix Web Interface in a SmartAccess configuration.

For the standard SmartAccess configuration we refer to the Citrix documentation. For the standard configuration of DIGIPASS integration with CAG/NetScaler/Web Interface we refer to the DIGIPASS integration guide for Citrix CAG.

How SmartAccess Works for XenApp and XenDesktop

To configure SmartAccess, you configure the Access Gateway settings on the Web Interface and configure session policies on the Access Gateway. When you run the Published Applications Wizard, you can select the session policies you created for SmartAccess.

When a user types the web address of a virtual server in a web browser, the configured pre-authentication policies are downloaded onto the user's device. The Access Gateway sends the pre-authentication and session policy names to the Web Interface as filters. If the policy condition is set to true, the policy name is always sent as a filter name; if the policy condition is not met, the filter name is not sent. This allows you to differentiate the list of published applications and desktops, and the effective policies on a computer running XenApp or XenDesktop, based on the results of the endpoint analysis. The Web Interface contacts the XenApp or XenDesktop server and returns the published resource list to the user. Any resources that have filters applied to them do not appear in the user's list unless the condition of the filter is met.

Endpoint analysis is configured on the Access Gateway. To configure it, you create a session policy that enables the ICA proxy setting and configures a client security string. When the session policy is configured, you can link the policy to the entire user base or to users, groups and virtual servers. When the user logs on, the endpoint analysis policy runs a security check of the client device using the client security strings configured on the Access Gateway. For example, to check for a specific version of anti-virus, the client security string in the expression editor appears as follows:

client.application.av.version == 10.0.2

After the policy is configured, link it to a user, group, virtual server or the entire user base. When users log on, the endpoint analysis check starts and verifies whether or not the client device has version 10.0.2 or higher of the anti-virus installed. When the endpoint analysis check is successful, the Web Interface portal appears if the user is running a clientless session; if not, the Access Interface appears. When you create a session policy for endpoint analysis, the session profile does not have any pre-configured settings, creating a null profile. The Access Gateway uses the Web Interface URL configured globally for SmartAccess.
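The filter flow described above, as an added Python simulation that is not Citrix code: policy expressions are evaluated against the endpoint facts, the names of the policies whose condition holds are the filters sent to the Web Interface, and a filtered resource is listed only when its filter was sent. The expression syntax is the one form the guide shows plus a >= operator for the "or higher" case; the policy names, resource names and endpoint facts are constructed sample data.

```python
"""Simulation of SmartAccess endpoint-analysis filtering (added example, not
Citrix code). Supported expression form: <attribute> <op> <version>, e.g.
client.application.av.version == 10.0.2; the >= form is an assumed extension
for "version or higher". Policies, resources and facts are constructed."""
import re
from typing import Dict, List, Tuple

_EXPR = re.compile(r"^\s*([\w.]+)\s*(==|>=|<=|>|<|!=)\s*([\w.]+)\s*$")

def _version_key(value: str) -> Tuple:
    """Split '10.0.2' into a tuple so that 10.0.10 > 10.0.2 compares correctly;
    non-numeric components fall back to string comparison."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in value.split("."))

def evaluate(expression: str, facts: Dict[str, str]) -> bool:
    """Evaluate one client security string against the endpoint facts.
    A missing attribute (e.g. no anti-virus found) makes the check fail,
    which is the safe default for an access condition."""
    m = _EXPR.match(expression)
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    attr, op, wanted = m.groups()
    if attr not in facts:
        return False
    have, want = _version_key(facts[attr]), _version_key(wanted)
    return {
        "==": have == want, "!=": have != want,
        ">=": have >= want, "<=": have <= want,
        ">": have > want, "<": have < want,
    }[op]

def filters_for_client(policies: Dict[str, str], facts: Dict[str, str]) -> List[str]:
    """Names of the policies whose condition is met: these, and only these,
    are sent to the Web Interface as filter names."""
    return [name for name, expr in policies.items() if evaluate(expr, facts)]

def visible_resources(resources: Dict[str, List[str]], sent_filters: List[str]) -> List[str]:
    """A resource with filters applied is listed only when every one of its
    filters was sent; resources without filters are always listed."""
    sent = set(sent_filters)
    return [r for r, needed in resources.items() if set(needed) <= sent]

# Constructed sample data: two endpoint policies and three published resources.
POLICIES = {
    "EPA_AV_Exact": "client.application.av.version == 10.0.2",
    "EPA_AV_Min":   "client.application.av.version >= 10.0.2",
}
RESOURCES = {
    "Notepad":         [],               # no filter: always published
    "Finance Desktop": ["EPA_AV_Min"],
    "Audit Console":   ["EPA_AV_Exact"],
}

def published_for(facts: Dict[str, str]) -> List[str]:
    """Full flow for one client: evaluate policies, derive filters, filter the list."""
    return visible_resources(RESOURCES, filters_for_client(POLICIES, facts))

if __name__ == "__main__":
    samples = {
        "AV 10.0.2":  {"client.application.av.version": "10.0.2"},
        "AV 10.0.10": {"client.application.av.version": "10.0.10"},
        "no AV":      {},
    }
    for label, facts in samples.items():
        print(f"{label:10} -> filters {filters_for_client(POLICIES, facts)} -> {published_for(facts)}")
```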

Figure 1: Overview (public network / Internet with the endpoint scenarios; DMZ1 with Citrix Access Gateway and Citrix NetScaler; DMZ2 with the Web Interface servers behind a NetScaler network load balancing virtual server; resources zone with Microsoft Active Directory Services and the Citrix XenApp farm)

The basic configuration of Citrix in this SmartAccess configuration is based on authentication with static passwords using existing media (LDAP, RADIUS, local authentication, ...). VASCO DIGIPASS authentication is supported by default within a Citrix SmartAccess configuration, where the one-time password is verified in combination with the static password (combination of RADIUS and LDAP authentication on Citrix Access Gateway, with SSO to NetScaler and Web Interface).

4 Problem Description

To increase security to a level where it is no longer allowed to use any static password, the standard configuration of Citrix and IDENTIFIER with RADIUS and LDAP verification does not offer the desired result. In this standard solution the logon screen presents three fields (user name, static password, OTP). We are seeking a solution where ONLY the OTP can be used. Working in a SmartAccess configuration also requires that an OTP is checked in each zone, keeping in mind that the user enters the OTP only once, at the initial logon to the CAG, and is not asked for a second or third logon when SSO authenticates the user on the Web Interface.

5 Solution

After setting up and configuring the IDENTIFIER appliances within two of the three Citrix zones, the user only needs the PIN code of his DIGIPASS and the one-time password generated by the DIGIPASS. Additionally we install and configure an IIS agent to support SSO and password management.

Figure 2: Solution (flows shown: Get USR over TCP ???, Get Credentials, TCP 1812, TCP 80/443, TCP 445 NTLM)

6 Technical Concept

6.1 General overview

The main goal of the Citrix CAG is to perform authentication in a secure way, to set up a secure SSL VPN connection and to obtain a single sign-on to connect to the Web Interface. The use of DIGIPASS, and DIGIPASS solely, makes the setup unique and very different from the standard 2FA integrations. We describe the setup in separate chapters, one for each zone. The first zone, the DMZ, authenticates using RADIUS. The second zone, containing the Citrix NetScaler, forwards the credentials using the Citrix standard configuration. The third zone, the LAN, uses a DIGIPASS Pack for Citrix with enhanced functionality interacting with the IIS running on the Citrix Web Interface.

6.2 Citrix prerequisites

Make sure you have an operational setup of the Citrix SmartAccess configuration using a static password (LDAP, eDir, AD, ...). It is very important that this works correctly before you start implementing the VASCO part.

Current configuration:
- Windows / Windows 2008 R2
- Citrix CAG 9.1
- Citrix NetScaler 9.1
- Citrix XenApp 6.0
- Citrix Web Interface 5.3

All support updates for future versions will be available in DIGIPASS Authentication for Web Interface, downloadable from www.vasco.com.

6.3 IDENTIFIER prerequisites

We assume you have already installed IDENTIFIER, created a test user, created a domain, configured LDAP sync, and imported DIGIPASS and tested it locally within the web administration. Make sure you can synchronize the LDAP users from AD or any other repository. Check the manuals for configuring the LDAP synchronization in IDENTIFIER; the IDENTIFIER quick start guide helps you configure these basic features. Throughout this document we will specify the differences between the IDENTIFIER in the DMZ zone and the IDENTIFIER in the LAN environment.

7 Citrix Configuration

Configure CAG, NetScaler and Web Interface according to the standard Citrix procedure.

7.1 NetScaler Authentication configuration

On the NetScaler in the DMZ you configure the authentication to use RADIUS. LDAP is no longer used here: the DIGIPASS password is verified locally against the IDENTIFIER in the DMZ. Configure the authentication server on the NetScaler with:
- the IP address of the IDENTIFIER
- the shared secret you configured for the client in IDENTIFIER

Figure 3: RADIUS config NetScaler

Configure the AG server on port 1080/443. On the first-hop appliance you also need an AG server, an LDAP group extractor and a session policy pointing to the WI. You also need at least one STA bound to the CAG. For assistance in this matter, we refer to the SmartAccess Deployment Guide: http://www.jaytomlin.com/citrix/ag/ag-E%208.0%20SmartAccess%20Deployment%20Guide%20Dec%202007.pdf

7.2 Web Interface configuration

Within this SmartAccess configuration we configure the Citrix Web Interface published by the CAG. The Web Interface has to be of the "Authentication at Access Gateway" type, in Gateway direct access mode.

8 IDENTIFIER DMZ

Go to the IDENTIFIER web administration page and authenticate with the administrative account created during setup.

8.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 4: Policy configuration (1)

Some policies are available by default. You can also create new policies to suit your needs; these can be independent policies or policies that inherit their settings from the default or from other policies. We suggest creating a new policy without inheritance and giving it the name "DMZ".

Fill in a policy ID and description.

Figure 5: Policy configuration (2)

In the policy options, configure the policy to use the right back-end server. This could be the local database, but also Active Directory or another RADIUS server; it is probably the same as in your default client authentication options before you changed them. In our example we select our newly made DMZ policy and change it as follows:
- Local auth.: DIGIPASS/Password
- Back-End Auth.: None (None)
- Back-End Protocol: None (None)
- Dynamic User Registration: No (No)
- Password Autolearn: No (No)
- Stored Password Proxy: No (No)
- Windows Group Check: No Check (No Check)

After configuring this policy, authentication happens locally in the IDENTIFIER: user credentials are passed to the IDENTIFIER, which checks them against its local user database and responds to the client with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button and change the Local Authentication to DIGIPASS/Password.

Figure 6: Policy configuration (3)

The user details can keep their default settings.

Figure 7: Policy configuration (4)

8.2 Client configuration

Now create a new component by right-clicking Components and choosing New Component.

Figure 8: Client configuration (1)

As component type, choose RADIUS Client. The location is the IP address of the client (Citrix Access Gateway). In the policy field you should find your newly created policy. Fill in the shared secret you entered on the client for the RADIUS options; in our example this was VASCO. Click Create.

Figure 9: Client configuration (2)

Now the client and the IDENTIFIER are set up. We will now see whether the configuration is working.
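What the exchange between the Access Gateway (RADIUS client) and the IDENTIFIER looks like under the DMZ policy just configured, as an added Python example that is not VASCO or Citrix code: the User-Password attribute carries only PIN + one-time password, hidden with the shared secret as RFC 2865 specifies, and the client checks the Response Authenticator before trusting the Access-Accept. The shared secret VASCO is the guide's example value; the user name, PIN and OTP values are constructed, and the server-side check is a simplified stand-in for DIGIPASS verification (a set of currently valid OTPs, each accepted at most once), not the DIGIPASS algorithm.

```python
"""RADIUS Access-Request / Access-Accept round trip for an OTP-only logon
(added example, not VASCO or Citrix code). Packet layout and User-Password
hiding follow RFC 2865. The user store below is constructed sample data and a
simplified stand-in for real DIGIPASS verification."""
import hashlib, os, struct
from typing import Dict, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
SECRET = b"VASCO"  # shared secret configured on the NetScaler and on the IDENTIFIER RADIUS client

def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def _unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value

def _parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs

def build_access_request(ident: int, user: str, pin_plus_otp: str) -> Tuple[bytes, bytes]:
    """Client side (Access Gateway): returns the packet and its request authenticator."""
    auth = os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, _hide_password(pin_plus_otp.encode(), SECRET, auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth

# Constructed user store: PIN plus the OTPs valid in the current time window.
USERS: Dict[str, Tuple[str, Set[str]]] = {"alice": ("1234", {"482913", "117740"})}
USED_OTPS: Set[Tuple[str, str]] = set()

def identifier_respond(request: bytes) -> bytes:
    """Server side (IDENTIFIER, policy DMZ: local DIGIPASS/Password, no back end)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode()
    entered = _unhide_password(attrs.get(USER_PASSWORD, b""), SECRET, req_auth).decode(errors="replace")
    result = ACCESS_REJECT
    if code == ACCESS_REQUEST and user in USERS:
        pin, valid_otps = USERS[user]
        otp = entered[len(pin):]
        if entered.startswith(pin) and otp in valid_otps and (user, otp) not in USED_OTPS:
            USED_OTPS.add((user, otp))   # one-time: a replayed OTP is rejected
            result = ACCESS_ACCEPT
    header = struct.pack("!BBH", result, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + SECRET).digest()

def authenticate(user: str, pin_plus_otp: str, ident: int = 1) -> bool:
    """Full round trip; the client verifies the Response Authenticator before trusting the code."""
    request, req_auth = build_access_request(ident, user, pin_plus_otp)
    response = identifier_respond(request)
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + SECRET).digest()
    if resp_ident != ident or response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code == ACCESS_ACCEPT

if __name__ == "__main__":
    print(authenticate("alice", "1234482913"))  # correct PIN + fresh OTP: accepted
    print(authenticate("alice", "1234482913"))  # same OTP replayed: rejected
    print(authenticate("alice", "0000117740"))  # wrong PIN: rejected
```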

8.3 LDAP Synchronization

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user repository. The NetScaler can re-route that information towards the LDAP server.

TIP: check the Administration guide of the IDENTIFIER.
TIP: Log on to the configuration page of the IDENTIFIER to configure LDAP sync.

9 IDENTIFIER LAN

Go to the IDENTIFIER web administration page and authenticate with the administrative account.

9.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 10: Policy configuration (1)

Some policies are available by default. You can also create new policies that suit your needs; these can be independent policies or policies that inherit their settings from the default or from other policies. To make things easier, create a new policy without inheritance and use a practical name. In this configuration we called the policy "LAN".

Fill in a policy ID and description. Choose the option most suitable for your situation: if you want the policy to inherit settings from another policy, choose the right policy in the Inherits From list; otherwise leave this field at None. In this example we chose not to inherit.

Figure 11: Policy configuration (2)

After configuring this policy, authentication happens locally in the IDENTIFIER and the user's LDAP credentials are verified against AD: user credentials are passed to the IDENTIFIER, which checks them against its local user database, also checks the AD password, and responds to the client with an Access-Accept or Access-Reject message. The client in the LAN is the IIS on which we installed an agent. This agent is a type of middleware between IIS and IDENTIFIER.

In the Policy tab, click the Edit button and change the settings to:
- Local auth.: DIGIPASS/Password
- Back-End Auth.: If Needed
- Back-End Protocol: Microsoft AD (LDAP)

Figure 12: Policy configuration (3)

In the User tab, click the Edit button and change the settings to:
- Dynamic User Registration: No
- Password Autolearn: Yes
- Stored Password Proxy: Yes
- Default Domain: enter the name of your domain
- Windows Group Check: No Check

Figure 13: Policy configuration (4)

9.2 Client configuration

Create a new component by right-clicking Components and choosing New Component. During setup of DIGIPASS for Citrix Web Interface, a client of type Administration Program is required to allow the creation of an IIS Module client. Select:
- Client Type: Administration Program
- Location: IP address of the IIS server running Web Interface
- Policy ID: IDENTIKEY Administration Logon
- Protocol ID: SEAL

Figure 14: Client Configuration

During the setup of DIGIPASS for Citrix Web Interface, allow the creation of the IIS Module component.

9.3 LDAP Synchronization

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user repository. In this zone we sync directly with AD, whereas in the DMZ the NetScaler forwarded the requests.

TIP: check the Administration guide of the IDENTIFIER.
TIP: Log on to the configuration page of the IDENTIFIER to configure LDAP sync.

10 DIGIPASS Authentication for IIS basic

Check the DIGIPASS Authentication for IIS basic installation guide for installation instructions. This DIGIPASS installer has to be installed on the server running Citrix Web Interface. Once DIGIPASS Authentication for IIS Basic is installed, open it via Start > All Programs > VASCO > DIGIPASS Authentication for IIS basic > DIGIPASS Authentication for IIS basic configuration.

Select Tracing > select Full Tracing. The tracing might help you when checking the log files.

Figure 15: DIGIPASS Authentication for IIS Basic Configuration

Select Connections > the connections should already have been configured during setup. The connection refers to the IP address of the authentication server, being the IDENTIFIER. If set correctly, no changes are required.

Select Authentication > select HTTP Header Filtering and check Enabled. Base URL: enter the path to the Citrix logon page, being login.aspx.

Select Header Fields > enter the value "user" in the User Name field and the value "password" in the Password field.

Select Apply and accept to restart the IIS service. The DIGIPASS IIS basic configuration is completed.

11 Citrix CAG login with DIGIPASS

11.1 Logon

For user and DIGIPASS assignment, check section 12 of this document. To start the test, browse to the public IP address or hostname of the CAG; in our example this is https://test.vasco.com. Enter your user name and your PIN and DIGIPASS password (one-time password), and click the Logon button.

Figure 2: Response Only

If all goes well, you will be authenticated and directed to the Citrix Web Interface portal publishing your resources.

12 DIGIPASS and User Management

12.1 DIGIPASS

The DIGIPASS is delivered with a database file, DPX. This file, protected by a transport key, should be loaded onto the IDENTIFIER in the DMZ and once more onto the IDENTIFIER in the LAN. Make sure the time settings on both IDENTIFIER appliances are configured correctly; it is possible to configure the NTP server address. The DIGIPASS devices, represented by a serial number in the IDENTIFIER, can be assigned manually or automatically. The automated procedures allow users to self-assign a DIGIPASS to their account. It is also possible to automatically assign a DIGIPASS to a user without the need for registration; this auto-assignment is interesting for DIGIPASS Mobile. To provision DIGIPASS Mobile, see section 13.

12.2 Users

Within this SmartAccess configuration, users are synchronized automatically by means of LDAP sync.

13 Additional functionalities

13.1 Password change policies

The VASCO server products (IDENTIFIER and IDENTIKEY Server) provide the tools to update the local database with password changes. These password updates can be processed at the moment the password is changed or at a later stage. The Password Sync Tool providing this functionality is available on www.vasco.com.

13.2 DIGIPASS provisioning

VASCO provides a wide range of hardware and software DIGIPASS devices. The provisioning functionality within VASCO's server products, like IDENTIKEY and IDENTIFIER, offers the lowest TCO and user-friendly provisioning of software and hardware DIGIPASS. Check with your VASCO contact to discuss the possibilities.

14 About VASCO Data Security

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet security applications and transactions. VASCO has positioned itself as a global software company for Internet security, serving customers in more than 100 countries, including several international financial institutions. VASCO's prime markets are the financial sector, enterprise security, e-commerce and e-government.