Citrix Systems, Inc. Web Interface

RSA SecurID Ready Implementation Guide

Last Modified: September 20, 2010

Partner Information

Partner Name: Citrix Systems, Inc.
Web Site: www.citrix.com
Product Name: Web Interface
Version & Platform: 5.3 for Windows Server 2008 R2
Product Description: Citrix Web Interface provides users with access to Citrix XenApp or XenDesktop Server applications and content through a standard Web browser or through the Program Neighborhood Agent, and allows you to configure sites for Citrix Conferencing Manager Guest Attendee log in. The Web Interface employs Java and .NET technology executed on a Web server to dynamically create an HTML depiction of server farms for Citrix XenApp or XenDesktop sites. Users are presented with all the applications published in the server farm(s) you have made available. You can create standalone Web sites for application access or Web sites that can be integrated into your corporate portal.
Solution Summary

RSA SecurID two-factor authentication enhances security for Citrix solutions by creating an end-to-end trusted and secured solution for an enterprise. Previously, this solution required users to enter their username, RSA SecurID PASSCODE, Windows password, and Windows Domain. With the Citrix Web Interface 5.3, the usability of this solution has been greatly improved: remote users can now access their applications by logging into Web Interface with a username and PASSCODE only.

RSA SecurID supported features (Citrix Web Interface 5.3):

- RSA SecurID Authentication via Native RSA SecurID Protocol
- RSA SecurID Authentication via RADIUS Protocol
- On-Demand Authentication via Native SecurID Protocol
- On-Demand Authentication via RADIUS Protocol
- On-Demand Authentication via API
- RSA Authentication Manager Replica Support
- Secondary RADIUS Server Support
- RSA SecurID Software Token Automation
- RSA SecurID SD800 Token Automation
- RSA SecurID Protection of Administrative Interface

Support-column values as preserved in this copy: Yes Yes Yes (the per-feature assignment did not survive extraction).

[Figure: architecture diagram, labels "Web Interface" and "Authentication Manager"]
Authentication Agent Configuration

Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

The following information is required to create an Authentication Agent:

- Hostname
- IP Addresses for network interfaces

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Citrix Web Interface will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents.

RSA SecurID Authentication Files

File          Location
sdconf.rec    %windir%\system32
Node Secret   %windir%\system32
sdstatus.12   %windir%\system32
sdopts.rec    not implemented

Note: The appendix of this document contains more detailed information regarding these files.
Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Citrix Web Interface with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Citrix Web Interface components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

RSA SecurID Agent Configuration

To begin, install the RSA Authentication Agent 7.x; it must be installed before Citrix Web Interface. During the installation, select a custom installation and make sure that only the Local Authentication Client (LAC) component is checked.

Important: You must install the RSA Authentication Manager Agent before installing Citrix Web Interface.

Once the agent has been installed successfully, open the agent configuration utility from the control panel. Before enabling the agent, ensure that users can successfully authenticate by using the Direct Authentication Test feature within the RSA Security Center applet:

[Screenshot: Direct Authentication Test in the RSA Security Center applet]
Once a successful test authentication has been made, copy the sdconf.rec, securid, and sdstatus.12 files from the RSA Auth Data folder to the %windir%\system32 directory. The default RSA Auth Data folder is: C:\Program Files\Common Files\RSA Shared\Auth Data.

Next, add the RSA Shared directory to the Path environment variable. The default RSA Shared directory is: C:\Program Files\Common Files\RSA Shared.

Note: If you are unable to log on to the Web Interface using RSA Windows Agent 7.x, additional configuration may be necessary. Please refer to Citrix Document ID: CTX125097.

Configuring Citrix Web Interface for RSA SecurID Authentication

Run the standard installation for Web Interface. Next, use the Citrix Access Management Console to configure the Web Interface site to use RSA SecurID authentication. Perform the following steps:

Important: You must install the RSA Authentication Agent before installing Citrix Web Interface.

1. From the Web Interface configuration settings, select Configure Authentication Methods.
2. Under Available methods, check Explicit, then click Properties.
3. Under the Explicit heading, highlight Two-factor Authentication.
4. Select the Send domain and user name to the ACE/Server box if you have user accounts in different Domains and need to pass your usernames to the Authentication Manager server in the DOMAIN\USERNAME format.
5. If you select the Use Windows password integration box, the Citrix Web Interface server will only prompt for a username and PASSCODE after the first successful authentication. If the user's Domain password is available from the RSA Authentication Manager, it will be retrieved by the Web Interface server. If the password is not available or is invalid, the Web Interface server will prompt to store the password on behalf of the user to allow for future logins with just a PASSCODE.

Note: If you are unable to log on to the Web Interface using RSA Windows Agent 7.x, additional configuration may be necessary. Please refer to Citrix Document ID: CTX125097.
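The file-copy and PATH steps above are easy to get half-right (one file copied, a stale copy left behind, PATH edited for the user instead of the machine), and Web Interface gives little feedback when that happens. The script below is an added example, not part of the Citrix or RSA guide: it checks, on the Web Interface server, that each of the three agent files named above is present in both the RSA Auth Data folder and %windir%\system32 with identical contents, and that the RSA Shared directory is in the machine PATH. The default paths are the ones the guide gives; the -Fix switch and the Get-Sha256Hex helper are this example's own.

```powershell
# Added example (not from the Citrix/RSA guide): verify the agent-file copy and PATH
# steps for the Web Interface integration, and perform them when -Fix is given.
# Run from an elevated PowerShell prompt on the Web Interface server.
param(
    [string]$AuthData  = 'C:\Program Files\Common Files\RSA Shared\Auth Data',
    [string]$RsaShared = 'C:\Program Files\Common Files\RSA Shared',
    [switch]$Fix   # copy missing files and add RSA Shared to the machine PATH
)

$System32 = Join-Path $env:windir 'system32'
$Files    = 'sdconf.rec', 'securid', 'sdstatus.12'   # sdopts.rec is not used by this integration
$problems = 0

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash so this also runs on the PowerShell 2.0
    # that Windows Server 2008 R2 ships with
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
    } finally { $sha.Dispose() }
}

foreach ($name in $Files) {
    $src = Join-Path $AuthData $name
    $dst = Join-Path $System32 $name
    if (-not (Test-Path $src)) {
        # the guide copies these files only after a successful Direct Authentication Test,
        # so a missing source usually means that test has not been run yet
        Write-Warning "$src is missing: run the Direct Authentication Test in RSA Security Center first"
        $problems++
        continue
    }
    if (-not (Test-Path $dst)) {
        if ($Fix) { Copy-Item $src $dst; Write-Host "copied $name to $System32" }
        else      { Write-Warning "$dst is missing (use -Fix to copy it)"; $problems++ }
    } elseif ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) {
        # the appendix notes the node secret lives in both places; a copy that differs
        # (for example after the agent was re-registered) should be investigated, not ignored
        Write-Warning "$name differs between $AuthData and $System32"
        $problems++
    }
}

# the guide's PATH change has to be the machine-wide one: Web Interface runs under IIS,
# not under the administrator's user profile
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$inPath = ($machinePath -split ';') -contains $RsaShared
if (-not $inPath) {
    if ($Fix) {
        [Environment]::SetEnvironmentVariable('Path', "$machinePath;$RsaShared", 'Machine')
        Write-Host "added $RsaShared to the machine PATH (already-running processes, IIS included, keep their old PATH until restarted)"
    } else { Write-Warning "$RsaShared is not in the machine PATH (use -Fix to add it)"; $problems++ }
}

if ($problems -eq 0) { Write-Host 'RSA agent prerequisites for Web Interface look complete' }
exit $problems
```

Run it without switches first to get a report; the exit code is the number of problems found, which makes it usable from a build or configuration-management check. Comparing hashes rather than just file presence is deliberate: the two copies of sdconf.rec and the node secret must stay in step, and a mismatch is worth a warning before enabling the agent.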
RSA SecurID Login Screens

[Figure: Login screen]

[Figure: User-generated New PIN]

[Figure: System-generated New PIN]

[Figure: Next Tokencode]
Certification Checklist for RSA Authentication Manager

Date Tested: September 17, 2010

Certification Environment

Product Name                 Version Information   Operating System
RSA Authentication Manager   7.1 SP3               Windows Server 2003
RSA Authentication Agent     7.0.2                 Windows Server 2008 R2
Citrix Web Interface         5.3.0.34              Windows Server 2008 R2

Mandatory Functionality

Each test below was run over the RSA Native Protocol; the RADIUS Protocol column reads N/A for every test. The pass/fail symbols printed in the RSA Native Protocol column did not survive extraction.

New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse

Passcode
  16 Digit Passcode
  4 Digit Fixed Passcode

Next Tokencode Mode
  Next Tokencode Mode

On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN

Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  No RSA Authentication Manager

PEW. Legend: Pass, Fail, N/A = Not Applicable to Integration.
Appendix

Partner Integration Details

RSA SecurID API: 7.0
RSA Authentication Agent Type: Standard Agent
RSA SecurID User Specification: Designated Users
Display RSA Server Info: (value not preserved in this copy)
Perform Test Authentication: (value not preserved in this copy)
Agent Tracing: Yes

Node Secret: The node secret is stored as a file (securid) in the RSA Auth Data folder, and then must be manually copied to the %windir%\system32 folder. To remove the node secret, it must be deleted from both locations.

sdconf.rec: This file is copied by the RSA Agent installer to the RSA Auth Data folder. It must be copied manually to the %windir%\system32 folder.

sdstatus.12: This file is generated at the time of first authentication. It must be copied manually to the %windir%\system32 folder.

Agent Tracing: Agent tracing can be enabled and configured by either the RSA Security Center or by creating the necessary entries in the Windows System Registry.
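The appendix's point that the node secret exists in two places matters operationally: deleting only one copy leaves the agent with a secret the Manager may no longer recognise. The script below is an added example, not part of the Citrix or RSA guide. It locates the securid file in both locations the appendix names, reports which identities can read it (the node secret is what authenticates this agent to the Manager, so it should not be world-readable), and with -Remove deletes both copies so that a fresh node secret can be established on the next successful authentication. The default Auth Data path is the guide's; the -Remove switch is this example's own. The Manager-side node secret for the agent record is cleared separately in the RSA Security Console, which this script does not touch.

```powershell
# Added example (not from the Citrix/RSA guide): inspect and, on request, remove the
# node secret from both locations the appendix names. Run from an elevated prompt.
param(
    [string]$AuthData = 'C:\Program Files\Common Files\RSA Shared\Auth Data',
    [switch]$Remove   # without this switch the script only reports
)

# the two copies the appendix describes: the Auth Data original and the system32 copy
$locations = @(
    (Join-Path $AuthData 'securid'),
    (Join-Path (Join-Path $env:windir 'system32') 'securid')
)

foreach ($path in $locations) {
    if (-not (Test-Path $path)) {
        Write-Host "absent:  $path"
        continue
    }
    # the node secret authenticates this agent to the Manager, so list who can read it
    $readers = (Get-Acl $path).Access |
        Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
    Write-Host "present: $path (readable by: $($readers -join ', '))"
    if ($Remove) {
        Remove-Item -Path $path -Force
        Write-Host "removed: $path"
    }
}

if (-not $Remove) {
    Write-Host 'Re-run with -Remove to delete the node secret from both locations.'
}
```

The report-only default is intentional: seeing "present" for one path and "absent" for the other is exactly the half-removed state the appendix warns about, and it is worth seeing before deleting anything.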