
INTEGRATION GUIDE

DIGIPASS Authentication for Citrix NetScaler (with AGEE)

DIGIPASS Authentication for NetScaler (with CAG)

Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.

Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO, Vacman, IDENTIKEY, aXsGUARD, DIGIPASS and the VASCO logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data
Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH own or are licensed under all title, rights and
interest in VASCO Products, updates and upgrades thereof, including copyrights, patent
rights, trade secret rights, mask work rights, database rights and all other intellectual and
industrial property rights in the U.S. and other countries. Microsoft and Windows are
trademarks or registered trademarks of Microsoft Corporation. Other names may be
trademarks of their respective owners.


Table of Contents

Reference guide
1 Overview
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
2.1.2 Access Gateway Enterprise Edition
2.1.3 Web Interface
2.2 VASCO
2.2.1 IDENTIKEY Authentication server
3 Citrix setup
3.1 Architecture
3.2 Prerequisites
3.3 Citrix
3.3.1 Access Gateway
3.3.1.1 Policies
3.3.1.2 Virtual Servers
3.3.1.3 Groups
3.4 Test the setup
4 Citrix Receiver on mobile
4.1 Architecture
4.2 Prerequisites
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.2 Virtual Servers
4.4 Test
5 Solution
5.1 Architecture
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.2 Virtual Servers
5.3 IDENTIKEY Authentication Server
5.3.1 Policies
5.3.2 Client
5.3.3 User
5.3.4 DIGIPASS
5.4 Test the Solution
5.4.1 With the browser
5.4.2 With Citrix Receiver
6 FAQ
7 Appendix

Reference guide

ID:
Title: DIGIPASS Authentication for NetScaler (with CAG)
Author:
Publisher:
Date:
ISBN:

1 Overview

This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway
Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY Authentication Server.
That way an extra security layer can be added to the SSL VPN solution the Citrix AGEE provides.

[Figure: overview of the components: Authentication Servers, NetScaler, XenApp and XenDesktop]

2 Technical Concepts

2.1 Citrix

2.1.1 NetScaler

Citrix NetScaler makes apps and cloud-based services run five times better by offloading
application and database servers, accelerating application and service performance, and
integrating security. Deployed in front of web and database servers, NetScaler combines
high-speed load balancing and content switching, data compression, content caching, SSL
acceleration, network optimization, application visibility and application security on a single,
comprehensive platform.

2.1.2 Access Gateway Enterprise Edition

Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that
provides administrators granular application-level control while empowering users with remote
access from anywhere. It gives IT administrators a single point to manage access control and
limit actions within sessions based on both user identity and the endpoint device, providing better
application security, data protection, and compliance management.

2.1.3 Web Interface

The Citrix Web Interface provides users with access to XenApp applications and content and
XenDesktop virtual desktops. Users access their resources through a standard Web browser or
through the Citrix online plug-in.

2.2 VASCO

2.2.1 IDENTIKEY Authentication server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that
supports the deployment, use and administration of DIGIPASS strong user authentication. It
offers complete functionality and management features without the need for significant budgetary
or personnel investments.
IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems.

3 Citrix setup

Before adding two-factor authentication it is important to validate a standard configuration without
One Time Password (OTP).

3.1 Architecture

[Figure: lab architecture]
Authentication Servers (LDAP): 10.4.0.10
Virtual server: 10.4.0.204
NetScaler with Access Gateway Enterprise Edition: 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: 10.4.0.201
XenApp / XenDesktop: 10.4.0.202

When a user connects through the Citrix AGEE, the user is asked to authenticate. The
authentication is performed against Active Directory via LDAP. If the authentication is
successful, the user is logged on to the Citrix Web Interface, from where the XenApp and
XenDesktop nodes can be accessed.

3.2 Prerequisites

A Citrix installation has many components that can and need to be configured. This white
paper concentrates on the NetScaler and the Citrix AGEE.
In order for this set-up to work, a Citrix Web Interface site needs to be created:
http://10.4.0.202/Citrix/XenAppCAG

3.3 Citrix

Log in to the NetScaler by browsing to 10.4.0.206

3.3.1 Access Gateway

3.3.1.1 Policies

Policies are used to define the components that will be used to create a virtual server.

3.3.1.1.1 Authentication Server

An authentication policy will be created to enable LDAP/Active Directory authentication.


Open the Authentication tree item
Select the Servers tab
Click Add

Name: authsrv_ad
Authentication Type: LDAP
IP Address: 10.4.0.10
Port: 389
Time-out (seconds): 3
Base DN: DC=labs,DC=vasco,DC=com
Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com
Administrator Password: password of the administrator user
Server Logon Name Attribute: samAccountName
Group Attribute: memberOf
Sub Attribute Name: CN
Secure Type: PLAINTEXT
Check Authentication
Check User Required

Click Create

Note: with Secure Type PLAINTEXT on port 389, the bind password and every user's Active
Directory password cross the network to the domain controller unencrypted. This is acceptable in
a lab; in production select Secure Type SSL (port 636) or TLS and make sure the NetScaler trusts
the certificate presented by the domain controller. The bind account is only used to look up
users and their group membership, so give it read-only rights.

3.3.1.1.2 Authentication Policy

Select the Policies tab
Click Add

Name: auth_ad
Authentication Type: LDAP
Server: authsrv_ad
Named Expression: General True Value
Click Add Expression

Click Create
3.3.1.1.3 Session Profiles

Open the Session tree item
Select the Profiles tab
Click Add

Name: profile_publishedapps

Go to the Client Experience tab
Check Single Sign-on to Web Applications

Go to the Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS

Click Create
3.3.1.1.4 Session Policy

Select the Policies tab
Click Add

Name: sess_icaproxy_nonmobile
Request Profile: profile_publishedapps
Named Expression: General True Value

Click Add Expression
Click Create
ns_true is the general expression that matches every request.
3.3.1.2 Virtual Servers

Select the Virtual Servers tree item
Click Add

Name: citrix2-labs-vasco-com-AGEEauth
IP Address: 10.4.0.204
Port: 443
Max Users: 0
Select SmartAccess Mode
Check Enable Virtual Server
The chosen IP address needs to be a free IP address in the subnet.

Select the Certificates tab
Select the server certificate
Click Add
If the server certificate is not in the Certificates list, click Install and add the needed
server certificate.

Select the Authentication tab
Check Enable Authentication
Click Insert Policy
Select auth_ad

Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_nonmobile

Click OK
3.3.1.3 Groups

Groups are used to apply authorization and session policies, create bookmarks and specify
applications.
User groups are created locally on the Citrix NetScaler. When an external authentication method
is used, like Active Directory, the user's group from the external authentication is mapped to
the local group on the Citrix NetScaler.

For example: on the Citrix NetScaler a group Citrix is created and Active Directory is used as
the external authentication method. Then a group with the name Citrix needs to exist in Active
Directory, and the user that wants to be authenticated needs to be a member of that group. The
match is made on the CN of the group (Group Attribute memberOf and Sub Attribute Name CN as set
in 3.3.1.1.1), so the NetScaler group name must be spelled exactly like the Active Directory
group name.

Click Add
Group Name: Citrix
Go to the Authorization tab
Click Insert Policy
Select New Policy

Name: VascoAllow
Action: ALLOW
Named Expressions: General True Value

Click Add Expression
Click Create
Click Create

3.4 Test the setup

Open a browser and browse to https://10.4.0.204

User name: Demo
Static Password: Test12345

Click Log On
This user needs to exist in Active Directory and must be a member of the group Citrix.

4 Citrix Receiver on mobile

In order to use Citrix Receiver on a mobile device, the setup from section 3 (Citrix setup) is
extended.

4.1 Architecture

[Figure: same lab architecture as in 3.1]
Authentication Servers (LDAP): 10.4.0.10
NetScaler with Access Gateway Enterprise Edition: 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: 10.4.0.201
XenApp / XenDesktop: 10.4.0.202

4.2 Prerequisites

Mobile devices connect to the Citrix environment by using a Service Site. The Service Site
provides the information about the published resources to mobile devices.
Create a Service Site on the Web Interface server:
http://10.4.0.202/Citrix/PNAgent

4.3 Citrix

4.3.1 Access Gateway

4.3.1.1 Policies

4.3.1.1.1 Session Profiles

Open the Session tree item
Select the Profiles tab
Click Add

Name: profile_mobiledevices

Go to the Client Experience tab
Check Single Sign-on to Web Applications

Go to the Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/Citrix/PNAgent/config.xml
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS

Click Create
4.3.1.1.2 Session Policies

Select the Policies tab
Click Add

Name: sess_icaproxy_mobiledev
Request Profile: profile_mobiledevices

Click Add

A number of different expressions must be added for this policy. All of them share the same
settings and differ only in the value to match:

Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Header Name: User-Agent
Length:
Offset: 0

Value per expression:
For Citrix Receiver: CitrixReceiver
For Citrix Receiver on iPad: 'CitrixReceiver-iPad'
For CFNetwork: CFNetwork
For Darwin: Darwin

Click OK after each expression
Click Create

CFNetwork and Darwin are two Apple components whose names appear in the User-Agent header sent
by Apple clients: CFNetwork is Apple's networking framework, and Darwin is the open source
operating system core on which Mac OS X (and iOS) is built.
Note that the User-Agent header is supplied by the client and can be set to any value. These
expressions only select which session profile, and therefore which Web Interface site, a client
gets; they say nothing about how strongly the client has been authenticated.

4.3.1.2 Virtual Servers

Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-AGEEauth and click Open
Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_mobiledev

Click OK

4.4 Test

To perform the test, Citrix Receiver needs to be installed on your device.

For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en
For Android: https://market.android.com/details?id=com.citrix.Receiver&feature=search_result#?t=W251bGwsMSwxLDEsImNvbS5jaXRyaXguUmVjZWl2ZXIiXQ
Other platforms: http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163

The screenshots below demonstrate Citrix Receiver on an Apple iPad.
Note: for this test the IP 10.4.0.204 is reachable under the external host name
citrix2.labs.vasco.com.

Start the Receiver application
Select Add Account

Address: citrix2.labs.vasco.com
Click Next

Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Disabled
Click Save

5 Solution

5.1 Architecture

[Figure: lab architecture with both authentication servers]
Authentication Servers: LDAP 10.4.0.10, RADIUS 10.4.0.13
NetScaler with Access Gateway Enterprise Edition: 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: 10.4.0.201
XenApp / XenDesktop: 10.4.0.202

When implemented, the user authenticates against two authentication servers: Active Directory,
using LDAP, and IDENTIKEY Authentication Server, using RADIUS. This results in a logon page with
two password fields.

5.2 Citrix

5.2.1 Access Gateway

5.2.1.1 Policies

5.2.1.1.1 Authentication Server

A RADIUS authentication server needs to be added. This RADIUS server entry points to the
IDENTIKEY Authentication Server.
Open the Authentication tree item
Select the Servers tab
Click Add

Name: authsrv_vasco
Authentication Type: RADIUS
IP Address: 10.4.0.13
Port: 1812
Time-out (seconds): 3
Secret Key: Test1234
Confirm Secret Key: Test1234
Password Encoding: pap
Accounting: OFF

Click Create
The secret key must be identical to the shared secret configured for this client in IDENTIKEY
(section 5.3.2), and the NetScaler's own IP address (10.4.0.206) must match the client Location
configured there, otherwise the requests are not accepted. Test1234 is a lab value: RADIUS only
obscures the password with MD5 keyed on this secret, so use a long random secret in production
and keep the path between NetScaler and IDENTIKEY on a trusted network segment.
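The RADIUS exchange this server entry configures, as an added example in Python (not code from this guide, from VASCO or from Citrix): it builds an RFC 2865 Access-Request the way the NetScaler sends it to IDENTIKEY with Password Encoding pap, and parses it again on the receiving side. The shared secret Test1234, the NetScaler address 10.4.0.206 and the user name Demo are the lab values from this guide; the OTP value, the request identifier and the fixed Request Authenticator used for the demonstration are made up.

```python
"""RFC 2865 Access-Request with a PAP-encoded User-Password.

Added example, not part of the VASCO guide. Lab values (shared secret,
NAS address, user name) come from the guide; the OTP is made up.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

SHARED_SECRET = b"Test1234"      # 5.2.1.1.1 Secret Key (lab value)
NAS_IP = "10.4.0.206"            # the NetScaler, i.e. the RADIUS client

# RADIUS code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block); the first block uses the Request
    Authenticator. This is obfuscation keyed on the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decode(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode; the NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: str, otp: str, secret: bytes = SHARED_SECRET,
                         nas_ip: str = NAS_IP, ident: int = 1,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as the NetScaler sends it for the RADIUS factor:
    the OTP travels in the User-Password attribute."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encode(otp.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes = SHARED_SECRET) -> Dict[str, object]:
    """What the IDENTIKEY side sees: validates the framing and recovers the
    User-Name, the decoded OTP and the NAS address (the client Location)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    fields: Dict[str, object] = {"id": ident}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["user"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password"] = pap_decode(value, secret, authenticator).decode(errors="replace")
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            fields["nas_ip"] = ".".join(str(b) for b in value)
        pos += attr_len
    return fields


if __name__ == "__main__":
    pkt = build_access_request("Demo", "482913")
    print(parse_access_request(pkt))
```

Decoding with a different secret yields garbage rather than an error, which is why a mismatched shared secret between 5.2.1.1.1 and 5.3.2 shows up as every OTP being rejected, not as a configuration error.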
5.2.1.1.2 Authentication Policy

Because the HTTP logon behaviour differs from the logon over Citrix Receiver, multiple
authentication policies are needed. The order in which the two factors are checked depends on
the access method:

Access method     1st (primary)                      2nd (secondary)
HTTP              Active Directory                   IDENTIKEY Authentication Server
Citrix Receiver   IDENTIKEY Authentication Server    Active Directory

Select the Policies tab
Click Add

Choose the configuration depending on your preferred access method. In every policy below,
remove ns_true from the expression list and add the listed expression by clicking the Add button
in the authentication policy. All expressions share Expression Type: General, Flow Type: REQ,
Protocol: HTTP, Qualifier: HEADER, Header Name: User-Agent, Length: (empty), Offset: 0; only
the operator differs.

RADIUS for HTTP
Name: auth_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Expression: Operator NOTCONTAINS, Value CitrixReceiver

RADIUS for Citrix Receiver
Name: auth_mobile_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Expression: Operator CONTAINS, Value CitrixReceiver

LDAP for Citrix Receiver
Name: auth_mobile_ad
Authentication Type: LDAP
Server: authsrv_ad
Expression: Operator CONTAINS, Value CitrixReceiver

Click OK

Now that the new authentication policies are created, the existing auth_ad policy needs to be
updated so that it only applies to browser logons:
Select auth_ad
Click Open
Remove ns_true from the expression list
Click Add

Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTCONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length:
Offset: 0

Click OK
Click OK
5.2.1.2 Virtual Servers

Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-AGEEauth (the virtual server created in 3.3.1.2) and click Open
Select the Authentication tab

Primary:
Click Insert Policy
Select auth_mobile_vasco
Priority: 90

Click Secondary
Click Insert Policy
Select auth_mobile_ad
Priority: 90
Click Insert Policy
Select auth_vasco
Priority: 10

The auth_ad policy bound in 3.3.1.2 stays bound as a primary policy. In each cascade the
NetScaler evaluates the bound policies from the lowest priority number upwards and uses the first
policy whose expression matches. Because the expressions on User-Agent are mutually exclusive,
every logon gets exactly one primary and one secondary policy: browsers get auth_ad plus
auth_vasco, Citrix Receiver gets auth_mobile_vasco plus auth_mobile_ad, so both factors are
required either way.
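The policy selection described in 5.2.1.1.2 and bound in this step, modelled as an added Python example (not code from this guide, from VASCO or from Citrix). The policy names, rules and priorities 90 and 10 are the guide's; the classic header expressions are the same ones the session policies in 4.3.1.1.2 use; the priority 100 assumed for auth_ad and the sample User-Agent strings are made up for the example. The audit function shows the check a practitioner wants after editing these bindings: since the client chooses its own User-Agent, every chain a client can reach must still require both factors.

```python
"""NetScaler AGEE authentication cascade from 5.2.1.1.2 and 5.2.1.2, modelled
in Python. Added example: policy names and rules are the guide's, the sample
User-Agent strings are constructed, and priority 100 for auth_ad is assumed
(the guide does not state it)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Rule = Callable[[Headers], bool]


def header_contains(name: str, value: str) -> Rule:
    """Classic expression REQ.HTTP.HEADER <name> CONTAINS <value>."""
    return lambda h: value in h.get(name, "")


def header_not_contains(name: str, value: str) -> Rule:
    """Classic expression REQ.HTTP.HEADER <name> NOTCONTAINS <value>
    (also true when the header is absent)."""
    return lambda h: value not in h.get(name, "")


@dataclass(frozen=True)
class AuthPolicy:
    name: str
    auth_type: str        # "LDAP" (Active Directory) or "RADIUS" (IDENTIKEY)
    server: str
    rule: Rule


@dataclass(frozen=True)
class Binding:
    policy: AuthPolicy
    priority: int         # lower number is evaluated first
    secondary: bool = False


# 5.2.1.1.2: the four authentication policies, ns_true removed
AUTH_AD = AuthPolicy("auth_ad", "LDAP", "authsrv_ad",
                     header_not_contains("User-Agent", "CitrixReceiver"))
AUTH_VASCO = AuthPolicy("auth_vasco", "RADIUS", "authsrv_vasco",
                        header_not_contains("User-Agent", "CitrixReceiver"))
AUTH_MOBILE_VASCO = AuthPolicy("auth_mobile_vasco", "RADIUS", "authsrv_vasco",
                               header_contains("User-Agent", "CitrixReceiver"))
AUTH_MOBILE_AD = AuthPolicy("auth_mobile_ad", "LDAP", "authsrv_ad",
                            header_contains("User-Agent", "CitrixReceiver"))

# 5.2.1.2: bindings on citrix2-labs-vasco-com-AGEEauth
VSERVER_BINDINGS: List[Binding] = [
    Binding(AUTH_AD, 100),                       # priority assumed; bound in 3.3.1.2
    Binding(AUTH_MOBILE_VASCO, 90),
    Binding(AUTH_MOBILE_AD, 90, secondary=True),
    Binding(AUTH_VASCO, 10, secondary=True),
]

# Constructed sample User-Agent values: a browser, Citrix Receiver on an iPad,
# and a client that sends no User-Agent at all.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "CitrixReceiver-iPad/5.5 CFNetwork/548.1.4 Darwin/11.0.0",
    "",
]


def select_chain(bindings: List[Binding], headers: Headers
                 ) -> Tuple[Optional[AuthPolicy], Optional[AuthPolicy]]:
    """First matching primary and first matching secondary policy, each
    cascade walked in ascending priority order; None if nothing matches."""
    def first_match(secondary: bool) -> Optional[AuthPolicy]:
        cascade = sorted((b for b in bindings if b.secondary == secondary),
                         key=lambda b: b.priority)
        for binding in cascade:
            if binding.policy.rule(headers):
                return binding.policy
        return None
    return first_match(False), first_match(True)


def requires_both_factors(chain: Tuple[Optional[AuthPolicy], Optional[AuthPolicy]]) -> bool:
    """True when the chain checks both the AD password (LDAP) and the DIGIPASS
    OTP (RADIUS). The client picks its own User-Agent, so every reachable
    chain must still require both."""
    return {p.auth_type for p in chain if p is not None} == {"LDAP", "RADIUS"}


def audit_bindings(bindings: List[Binding], user_agents: List[str]) -> List[str]:
    """User-Agent values for which the bindings would let a client log on
    with fewer than two factors."""
    weak = []
    for ua in user_agents:
        headers = {"User-Agent": ua} if ua else {}
        if not requires_both_factors(select_chain(bindings, headers)):
            weak.append(ua)
    return weak


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        primary, secondary = select_chain(VSERVER_BINDINGS, {"User-Agent": ua})
        print(f"{ua or '<no User-Agent>'!r}: primary={primary.name}, secondary={secondary.name}")
    print("weak chains:", audit_bindings(VSERVER_BINDINGS, SAMPLE_USER_AGENTS))
```

Removing auth_mobile_ad from the bindings, for instance, leaves Citrix Receiver clients with an OTP-only chain; the audit reports that User-Agent, which is the regression to look for after any change to these policies.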

5.3 IDENTIKEY Authentication Server

There are many possibilities when using IDENTIKEY Authentication Server. We can authenticate
with:
Local users (defined in IDENTIKEY Authentication Server)
Active Directory (Windows)

In this whitepaper we will use local users to authenticate.

5.3.1 Policies

In the Policy the behaviour of the authentication is defined. It gives all the answers to: I have
got a user and a password, what now?

Create a new Policy

Policy ID: Test
Inherits From: Base Policy
Inherits means: the new policy will have the same behaviour as the policy from which it inherits,
except where the new policy specifies otherwise.
Example:

Setting   Base Policy   New Policy   Behaviour
1         a                          New policy will do a
2         b                          New policy will do b
3         c             f            New policy will do f
4         d                          New policy will do d
5         e             g            New policy will do g

The new policy is created, now we are going to edit it.

Click Edit
Local Authentication: Digipass/Password
Click Save

With Local Authentication set to Digipass/Password, a user who has no DIGIPASS assigned can still
log on with the static password alone (see 5.3.3 and 5.3.4); the OTP is only enforced once a
DIGIPASS is assigned and its grace period has ended.

5.3.2 Client

In the clients we specify the locations from which IDENTIKEY Authentication Server accepts
requests and which protocol they use.
We are going to add a new RADIUS client.

Client Type: select Radius Client from the list
Location: 10.4.0.206
Policy ID: select the policy that was created in Policies
Protocol ID: RADIUS
Shared Secret: Test1234
Confirm Shared Secret: re-enter the shared secret
Click Save

5.3.3 User

We are going to create a user.

User ID: Demo
Enter static password: Test12345
Confirm static password: Test12345
The static password is used when no DIGIPASS is assigned to the user. Until a DIGIPASS is
assigned, this account therefore logs on with the static password only, so assign the DIGIPASS
before the account is used outside the lab.

5.3.4 DIGIPASS

The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time
Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The
DIGIPASS is a device that generates the OTPs.

Open the user by clicking on its name
Select Assigned Digipass
Click ASSIGN
Click Next

Grace period: 0 Days
The grace period is the period after assignment during which the user can still log in with the
static password. The first time the user logs in with the DIGIPASS the grace period expires; with
0 days the OTP is required immediately.

Click ASSIGN
Click Finish

5.4 Test the Solution

5.4.1 With the browser

Open the browser and browse to https://10.4.0.204 or https://citrix2.labs.vasco.com

User name: Demo
Static Password: Test12345
Vasco Password: a One Time Password generated by the user's DIGIPASS

Vasco Password is not the standard field label. It was changed to show the difference between
the Active Directory password and the VASCO One Time Password. This is done through the command
line interface of the Citrix NetScaler.

5.4.2 With Citrix Receiver

This test is done on an Apple iPad.

Start the Citrix Receiver application
Select Add Account

Address: citrix2.labs.vasco.com
Click Next

Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Enabled
Select Domain + Security Token
Click Save

Token: a One Time Password generated by the user's DIGIPASS

6 FAQ

7 Appendix