Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO, Vacman, IDENTIKEY, aXsGUARD, DIGIPASS and the VASCO logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data
Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH own or are licensed under all title, rights and
interest in VASCO Products, updates and upgrades thereof, including copyrights, patent
rights, trade secret rights, mask work rights, database rights and all other intellectual and
industrial property rights in the U.S. and other countries. Microsoft and Windows are
trademarks or registered trademarks of Microsoft Corporation. Other names may be
trademarks of their respective owners.
Table of Contents
Reference guide
1 Overview
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
2.1.2 Access Gateway Enterprise Edition
2.1.3 Web Interface
2.2 VASCO
3 Citrix setup
3.1 Architecture
3.2 Prerequisites
3.3 Citrix
3.3.1 Access Gateway
3.3.1.1 Policies
3.3.1.2 Virtual Servers
3.3.1.3 Groups
3.4 Test
4 Citrix setup for mobile devices
4.1 Architecture
4.2 Prerequisites
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.2 Virtual Servers
4.4 Test
5 Solution
5.1 Architecture
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.2 Virtual Servers
5.3 IDENTIKEY Authentication Server
5.3.1 Policies
5.3.2 Client
5.3.3 User
5.3.4 DIGIPASS
5.4 Test
6 FAQ
7 Appendix
Reference guide
ID | Title | Author | Publisher | Date | ISBN
1 Overview
This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway
Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY Authentication Server.
This adds an extra security layer to the SSL VPN solution that the Citrix AGEE provides.
[Figure: overview diagram showing the Authentication Servers, NetScaler, XenApp and XenDesktop.]
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
Citrix NetScaler makes apps and cloud-based services run five times better by offloading
application and database servers, accelerating application and service performance, and
integrating security. Deployed in front of web and database servers, NetScaler combines
high-speed load balancing and content switching, data compression, content caching, SSL
acceleration, network optimization, application visibility and application security on a single,
comprehensive platform.
2.1.2 Access Gateway Enterprise Edition
Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that
provides administrators granular application-level control while empowering users with remote
access from anywhere. It gives IT administrators a single point to manage access control and
limit actions within sessions based on both user identity and the endpoint device, providing better
application security, data protection, and compliance management.
2.1.3 Web Interface
The Citrix Web Interface provides users with access to XenApp applications and content and
XenDesktop virtual desktops. Users access their resources through a standard Web browser or
through the Citrix online plug-in.
2.2 VASCO
3 Citrix setup
3.1 Architecture
[Figure: architecture diagram. IP 10.4.0.10 Authentication Servers (LDAP); Virtual server IP 10.4.0.204; Citrix Web Interface IP 10.4.0.201; XenApp / XenDesktop IP 10.4.0.202.]
When a user connects through the Citrix AGEE, they are asked to authenticate. The
authentication is performed against Active Directory via LDAP. If the authentication is
successful, the user is logged in on the Citrix Web Interface, where they can access the XenApp
and XenDesktop nodes.
3.2 Prerequisites
A Citrix installation has many components that can and must be configured. This white paper
concentrates on the NetScaler and the Citrix AGEE.
For this set-up to work, a Citrix Web Interface site needs to exist at:
http://10.4.0.202/Citrix/XenAppCAG
3.3 Citrix
3.3.1 Access Gateway
3.3.1.1 Policies
Policies are used to define the components that will be used to create a virtual server.
3.3.1.1.1 Authentication Server
Name: authsrv_ad
Authentication Type: LDAP
IP Address: 10.4.0.10
Port: 389
Time-out (seconds): 3
Base DN: DC=labs,DC=vasco,DC=com
Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com
Administrator Password: password of the administrator user
Server Logon Name Attribute: samAccountName
Group Attribute: memberOf
Sub Attribute Name: CN
Secure Type: PLAINTEXT
Check Authentication
Check User Required
Click Create
Note that with Secure Type PLAINTEXT the administrator bind password and every user password
cross the network to port 389 unencrypted; the same dialog also offers TLS and SSL (LDAPS,
port 636), which is what a production deployment should use.
3.3.1.1.2 Authentication Policy
Name: auth_ad
Authentication Type: LDAP
Server: authsrv_ad
Named Expression: General True Value
Click Add Expression
Click Create
3.3.1.1.3 Session Profiles
Name: profile_publishedapps
Go to Client Experience
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS
Click Create
3.3.1.1.4 Session Policy
Name: sess_icaproxy_nonmobile
Request Profile: profile_publishedapps
Named Expression: General True Value
3.3.1.2 Virtual Servers
Name: citrix2-labs-vasco-com-AGEEauth
IP Address: 10.4.0.204
Port: 443
Max Users: 0
Select SmartAccess Mode
Check Enable Virtual Server
The chosen IP Address needs to be a free IP Address in the subnet.
Click Add>
If the server certificate is not in the Certificates list, click Install and add the needed
server certificate.
Select the Authentication tab
Select Session
Select sess_icaproxy_nonmobile
Click OK
3.3.1.3 Groups
Groups are used to apply authorization and session policies, create bookmarks and specify
applications.
User groups are created locally on the Citrix NetScaler. When an external authentication method
is used, such as Active Directory, the user group from the external authentication is mapped to
the local group on the Citrix NetScaler.
Name: VascoAllow
Action: ALLOW
Named Expressions: General True value
3.4 Test
Click Log On
This user needs to exist in Active Directory and must be a member of the group Citrix.
4 Citrix setup for mobile devices
In order to use Citrix Receiver on a mobile device, the first setup (the Citrix setup of section 3)
is altered as follows.
4.1 Architecture
[Figure: architecture diagram. IP 10.4.0.10 Authentication Servers (LDAP); Citrix Web Interface IP 10.4.0.201; XenApp / XenDesktop IP 10.4.0.202.]
4.2 Prerequisites
Mobile devices connect to the Citrix environment through a Service Site. The Service Site
provides mobile devices with the information about the published resources.
Create a Service Site on the Web Interface server:
http://10.4.0.202/Citrix/PNAgent
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.1.1 Session Profiles
Name: profile_mobiledevices
ICA Proxy: ON
Click Create
4.3.1.1.2 Session Policies
Name: sess_icaproxy_mobiledev
Request Profile: profile_mobiledevices
Click Add
Add the following four expressions. All of them use Expression Type General, Flow Type REQ,
Protocol HTTP, Qualifier HEADER, Operator CONTAINS, Header Name User-Agent, Length empty and
Offset 0; they differ only in the Value matched against the User-Agent header.
For CitrixReceiver
Value: CitrixReceiver
For CitrixReceiver-iPad
Value: 'CitrixReceiver-iPad'
Click OK
For CFNetwork
Value: CFNetwork
For Darwin
Value: Darwin
Click OK
Click OK
Click OK
Click Create
CFNetwork and Darwin are two Apple components.
CFNetwork is a process running on computers when installing Apple software.
Darwin is an open source operating system launched by Apple and is the base of Mac OS X.
4.3.1.2 Virtual Servers
Select Session
Click Insert Policy
Select sess_icaproxy_mobiledev
Click OK
4.4 Test
Address: citrix2.labs.vasco.com
Click Next
5 Solution
5.1 Architecture
[Figure: architecture diagram. Authentication Servers: IP 10.4.0.10 (LDAP) and IP 10.4.0.13 (RADIUS); Citrix Web Interface IP 10.4.0.201; XenApp / XenDesktop IP 10.4.0.202.]
When implemented, the user authenticates against two authentication servers: Active Directory,
using LDAP, and IDENTIKEY Authentication Server, using RADIUS. The logon form therefore shows
two password fields.
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.1.1 Authentication Server
A RADIUS authentication server needs to be added. This RADIUS server points to the IDENTIKEY
Authentication Server.
Open the Authentication tree item
Select the Servers tab
Click Add
Name: authsrv_vasco
Authentication Type: RADIUS
IP Address: 10.4.0.13
Port: 1812
Time-out (seconds): 3
Secret Key: Test1234
Confirm Secret Key: Test1234
Password Encoding: pap
Accounting: OFF
Click Create
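As an added example (not code from the whitepaper or from VASCO), the following Python shows what "Password Encoding: pap" means on the wire: the NetScaler hides the user's password with the shared secret and a per-request authenticator as described in RFC 2865 section 5.2, and the RADIUS server (here IDENTIKEY) reverses the same keystream, so the strength of the shared secret is what protects the password in transit. The secret is the page's Test1234; the user name, password and Request Authenticator are constructed sample values.

```python
import hashlib
import os
import struct

# Shared secret configured on the page for authsrv_vasco; the user name, password
# and Request Authenticator used below are constructed sample values.
SHARED_SECRET = b"Test1234"


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-octet blocks and XOR each block
    with MD5(secret + previous block), the first block being keyed by the authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # the ciphertext block keys the next one (CBC-like chaining)
    return hidden


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side: same keystream, so a wrong shared secret yields garbage."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # strip the null padding added by the client


def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1):
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and the hidden
    User-Password (type 2); returns the packet and the authenticator used."""
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = hide_pap_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator
```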
5.2.1.1.2 Authentication Policy
Because the HTTP login behaves differently from the login over Citrix Receiver, multiple
Authentication Policies are needed. The order in which the two servers are used depends on the
client:

          HTTP                              Citrix Receiver
1st       Active Directory                  IDENTIKEY Authentication Server
2nd       IDENTIKEY Authentication Server   Active Directory

Expression to add by clicking the Add button in the Authentication policy:
Name: auth_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Remove ns_true from the expression list
Expression: Type General, Flow Type REQ, Protocol HTTP, Qualifier HEADER, Operator NOTCONTAINS,
Value CitrixReceiver, Header Name User-Agent, Length empty, Offset 0

Name: auth_mobile_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Remove ns_true from the expression list
Expression: Type General, Flow Type REQ, Protocol HTTP, Qualifier HEADER, Operator CONTAINS,
Value CitrixReceiver, Header Name User-Agent, Length empty, Offset 0
Click OK

Name: auth_mobile_ad
Authentication Type: LDAP
Server: authsrv_ad
Remove ns_true from the expression list
Expression: Type General, Flow Type REQ, Protocol HTTP, Qualifier HEADER, Operator CONTAINS,
Value CitrixReceiver, Header Name User-Agent, Length empty, Offset 0
Now that the new Authentication Policies are created, the existing auth_ad policy needs to be
updated:
Select auth_ad
Click Open
Click Add
Click OK
Click OK
5.2.1.2 Virtual Servers
Click Secondary
5.3 IDENTIKEY Authentication Server
There are many possibilities when using IDENTIKEY Authentication Server. We can authenticate
with:
5.3.1 Policies
The Policy defines the behaviour of the authentication. It answers the question: I have got a
user and a password, what now?
Policy ID: Test
Inherits From: Base Policy
Inherits means: the new policy has the same behaviour as the policy from which it inherits,
except where the new policy specifies otherwise.
Example:

Setting   Base Policy   New Policy   Behaviour
1         a             -            New policy will do a
2         b             -            New policy will do b
3         c             f            New policy will do f
4         d             -            New policy will do d
5         e             g            New policy will do g

Click Edit
5.3.2 Client
In the Clients section we specify the locations from which IDENTIKEY Authentication Server will
accept requests and the protocol each one uses.
We are going to add a new RADIUS client. Its shared secret must match the Secret Key entered on
the NetScaler for authsrv_vasco (Test1234 in this set-up), otherwise the server cannot decode the
PAP password and every logon fails.
5.3.3 User
5.3.4 DIGIPASS
The purpose of using IDENTIKEY Authentication Server is to be able to log in using One-Time
Passwords (OTP). To make OTP logon possible, a DIGIPASS must be assigned to the user. The
DIGIPASS is the device that generates the OTPs.
Click ASSIGN
Click Next
The grace period is the period during which a user can still log in with their static password.
The first time the user uses their DIGIPASS, the grace period expires.
Click ASSIGN
Click Finish
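As an added example, not code from the whitepaper or from VASCO, this Python models the grace-period rule just described: the static password is accepted only up to the grace date and only until the first successful OTP logon, and an accepted OTP is never accepted again. The OTP algorithm is a stand-in (HOTP, RFC 4226); the real DIGIPASS algorithm, the token seed and the IDENTIKEY internals are assumptions, not page content.

```python
import hashlib
import hmac
import struct
from datetime import date


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as a stand-in for the DIGIPASS OTP algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class User:
    """Server-side user record (constructed; not the IDENTIKEY data model)."""

    def __init__(self, static_password: str, token_secret: bytes, grace_until: date):
        self.static_password = static_password
        self.token_secret = token_secret   # seed of the assigned DIGIPASS (assumed)
        self.grace_until = grace_until     # last day the static password is accepted
        self.counter = 0                   # next OTP counter the server expects
        self.otp_used = False              # first OTP logon ends the grace period


def authenticate(user: User, password: str, today: date, window: int = 5) -> str:
    """Return 'otp', 'static' or 'reject', updating the user record on success."""
    # 1. Try the submitted value as an OTP within a small look-ahead window.
    for step in range(window):
        expected = hotp(user.token_secret, user.counter + step)
        if hmac.compare_digest(expected.encode(), password.encode()):
            user.counter += step + 1       # move past it so the OTP cannot be replayed
            user.otp_used = True           # grace period expires at first DIGIPASS use
            return "otp"
    # 2. Fall back to the static password only while the grace period is still open.
    if (not user.otp_used and today <= user.grace_until
            and hmac.compare_digest(user.static_password.encode(), password.encode())):
        return "static"
    return "reject"
```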
5.4 Test
Address: citrix2.labs.vasco.com
Click Next
6 FAQ
7 Appendix