INTEGRATION GUIDE
DIGIPASS Authentication for Citrix NetScaler (with AGEE)

Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

DIGIPASS Authentication for NetScaler (with CAG)
Table of Contents
Reference guide
1 Overview
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
2.1.2 Access Gateway Enterprise Edition
2.1.3 Web Interface
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server
3 Citrix setup
3.1 Architecture
3.2 Prerequisites
3.3 Citrix
3.3.1 Access Gateway
3.3.1.1 Policies
3.3.1.2 Virtual Servers
3.3.1.3 Groups
3.4 Test the setup
4 Citrix Receiver on mobile
4.1 Architecture
4.2 Prerequisites
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.2 Virtual Servers
4.4 Test
5 Solution
5.1 Architecture
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.2 Virtual Servers
5.3 IDENTIKEY Authentication Server
5.3.1 Policies
5.3.2 Client
5.3.3 User
5.3.4 DIGIPASS
5.4 Test the Solution
5.4.1 With the browser
5.4.2 With Citrix Receiver
6 FAQ
7 Appendix

Reference guide
ID | Title | Author | Publisher | Date | ISBN
1 Overview
This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY Authentication Server. In that way an extra security layer can be added to the SSL VPN solution that the Citrix AGEE provides.

(Figure: Authentication Servers - NetScaler - XenApp / XenDesktop)
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
Citrix NetScaler makes apps and cloud-based services run five times better by offloading application and database servers, accelerating application and service performance, and integrating security. Deployed in front of web and database servers, NetScaler combines high-speed load balancing and content switching, data compression, content caching, SSL acceleration, network optimization, application visibility and application security on a single, comprehensive platform.

2.1.2 Access Gateway Enterprise Edition
Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that provides administrators with granular application-level control while giving users remote access from anywhere. It gives IT administrators a single point to manage access control and to limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.

2.1.3 Web Interface
The Citrix Web Interface provides users with access to XenApp applications and content and to XenDesktop virtual desktops. Users access their resources through a standard web browser or through the Citrix online plug-in.

2.2 VASCO
2.2.1 IDENTIKEY Authentication Server
IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32-bit as well as 64-bit systems.
3 Citrix setup
Before adding two-factor authentication it is important to validate a standard configuration without One Time Passwords (OTP).

3.1 Architecture
(Figure: lab architecture)
Authentication Servers (LDAP): IP 10.4.0.10
Virtual server: IP 10.4.0.204
NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: IP 10.4.0.201
XenApp / XenDesktop: IP 10.4.0.202

When a user connects through the Citrix AGEE, the user is asked to authenticate. The authentication is performed against Active Directory via LDAP. If the authentication is successful, the user is logged in on the Citrix Web Interface, from where the XenApp and XenDesktop nodes can be accessed.

3.2 Prerequisites
A Citrix installation has many components that can and need to be configured. This white paper concentrates on the NetScaler and the Citrix AGEE. For this set-up to work, a Citrix Web Interface site needs to exist at: http://10.4.0.202/citrix/xenappcag

3.3 Citrix
Log in to the NetScaler by browsing to 10.4.0.206

3.3.1 Access Gateway
3.3.1.1 Policies
Policies define the components that will be used to create a virtual server.

3.3.1.1.1 Authentication Server
An authentication server and policy will be created to enable LDAP/Active Directory authentication.
Open the Authentication tree item
Select the Servers tab
Click Add
Name: authsrv_ad
Authentication Type: LDAP
IP Address: 10.4.0.10
Port: 389
Time-out (seconds): 3
Base DN: DC=labs,DC=vasco,DC=com
Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com
Administrator Password: password of the administrator user
Server Logon Name Attribute: samaccountname
Group Attribute: memberof
Sub Attribute Name: CN
Secure Type: PLAINTEXT
Check Authentication
Check User Required
Click Create

3.3.1.1.2 Authentication Policy
Select the Policies tab
Click Add
Name: auth_ad
Authentication Type: LDAP
Server: authsrv_ad
Named Expression: General, True Value
Click Add Expression
Click Create

3.3.1.1.3 Session Profiles
Open the Session tree item
Select the Profiles tab
Click Add
Name: profile_publishedapps
Go to the Client Experience tab
Check Single Sign-on to Web Applications
Go to the Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/citrix/xenappcag/
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS
Click Create

3.3.1.1.4 Session Policy
Select the Policies tab
Click Add
Name: sess_icaproxy_nonmobile
Request Profile: profile_publishedapps
Named Expression: General, True Value
Click Add Expression
Click Create
ns_true is the general expression that matches every request.

3.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click Add
Name: citrix2-labs-vasco-com-ageeauth
IP Address: 10.4.0.204
Port: 443
Max Users: 0
Select SmartAccess Mode
Check Enable Virtual Server
The chosen IP address needs to be a free IP address in the subnet.
Select the Certificates tab
Select the server certificate
Click Add >
If the server certificate is not in the Certificates list, click Install and add the needed server certificate.
Select the Authentication tab
Check Enable Authentication
Click Insert Policy
Select auth_ad
Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_nonmobile
Click OK

3.3.1.3 Groups
Groups are used to apply authorization and session policies, create bookmarks and specify applications. User groups are created locally on the Citrix NetScaler. When an external authentication method such as Active Directory is used, the user group from the external authentication is mapped to the local group of the same name on the Citrix NetScaler.
For example: on the Citrix NetScaler a group Citrix is created, and Active Directory is used as the external authentication method. Then a group with the name Citrix needs to be created in Active Directory, and the user that wants to authenticate needs to be a member of that Citrix group in Active Directory.
Click Add
Go to the Authorization tab
Group Name: Citrix
Click Insert Policy
Select New Policy
Name: VascoAllow
Action: ALLOW
Named Expressions: General, True Value
Click Add Expression
Click Create
Click Create

3.4 Test the setup
Open a browser and browse to https://10.4.0.204
User name: Demo
Static Password: Test12345
Click Log On
This user needs to exist in Active Directory and must be a member of the group Citrix.
4 Citrix Receiver on mobile
In order to use Citrix Receiver on a mobile device, the first setup (section 3, Citrix setup) is altered.

4.1 Architecture
(Figure: lab architecture)
Authentication Servers (LDAP): IP 10.4.0.10
NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: IP 10.4.0.201
XenApp / XenDesktop: IP 10.4.0.202

4.2 Prerequisites
Mobile devices connect to the Citrix environment by using a Service Site. The Service Site provides mobile devices with the information about the published resources. Create a Service Site on the Web Interface server: http://10.4.0.202/citrix/pnagent

4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.1.1 Session Profiles
Open the Session tree item
Select the Profiles tab
Click Add
Name: profile_mobiledevices
Go to the Client Experience tab
Check Single Sign-on to Web Applications
Go to the Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/citrix/pnagent/config.xml
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS
Click Create

4.3.1.1.2 Session Policies
Select the Policies tab
Click Add
Name: sess_icaproxy_mobiledev
Request Profile: profile_mobiledevices
Click Add
A number of different expressions must be added to this policy. The following table summarises the values; each expression is entered by clicking Add, filling in the fields and clicking OK.

Expression                  | Value
For Citrix Receiver         | CitrixReceiver
For Citrix Receiver on iPad | CitrixReceiver-ipad
For CFNetwork               | CFNetwork
For Darwin                  | Darwin

All four expressions use the same remaining settings:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK

Click Create
CFNetwork and Darwin are two Apple components. CFNetwork is a component that runs on computers when Apple software is installed. Darwin is an open source operating system released by Apple and is the base of Mac OS X.

4.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-ageeauth and click Open
Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_mobiledev
Click OK

4.4 Test
To perform the test, Citrix Receiver needs to be installed on your device.
For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en
For Android: https://market.android.com/details?id=com.citrix.receiver&feature=search_result#?t=w251bgwsmswxldesimnvbs5jaxryaxguumvjzwl2zxiixq
Other platforms: http://www.citrix.com/english/ps2/products/product.asp?contentid=1689163
The screenshots below demonstrate Citrix Receiver on an Apple iPad.
Note: for this test the IP 10.4.0.204 is linked to an external host named citrix2.labs.vasco.com
Start the Receiver application
Select Add Account
Address: citrix2.labs.vasco.com
Click Next
Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Disabled
Click Save
5 Solution
5.1 Architecture
(Figure: lab architecture)
Authentication Servers: LDAP IP 10.4.0.10, RADIUS IP 10.4.0.13
NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, domain labs.vasco.com (LABS)
Citrix Web Interface: IP 10.4.0.201
XenApp / XenDesktop: IP 10.4.0.202

When implemented, the user authenticates against two authentication servers: Active Directory via LDAP, and IDENTIKEY Authentication Server via RADIUS. This results in a login page with two password fields.

5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.1.1 Authentication Server
A RADIUS authentication server needs to be added. This RADIUS server points to the IDENTIKEY Authentication Server.
Open the Authentication tree item
Select the Servers tab
Click Add
Name: authsrv_vasco
Authentication Type: RADIUS
IP Address: 10.4.0.13
Port: 1812
Time-out (seconds): 3
Secret Key: Test1234
Confirm Secret Key: Test1234
Password Encoding: pap
Accounting: OFF
Click Create

5.2.1.1.2 Authentication Policy
Because the HTTP login behaviour differs from the login over Citrix Receiver, multiple authentication policies are needed. The order in which the two servers are consulted depends on the access method:

Access method   | 1st                             | 2nd
HTTP            | Active Directory                | IDENTIKEY Authentication Server
Citrix Receiver | IDENTIKEY Authentication Server | Active Directory

Select the Policies tab
Click Add
Choose the configuration depending on your preferred access method. Three authentication policies are created. For each one, remove ns_true from the expression list and add a single expression by clicking the Add button in the authentication policy; the expression settings are identical except for the operator.

Access method: RADIUS for HTTP
Name: auth_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Expression Operator: NOTCONTAINS

Access method: RADIUS for Citrix Receiver
Name: auth_mobile_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Expression Operator: CONTAINS

Access method: LDAP for Citrix Receiver
Name: auth_mobile_ad
Authentication Type: LDAP
Server: authsrv_ad
Expression Operator: CONTAINS

Common expression settings:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
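The three policies above, together with the change to auth_ad and the primary/secondary bindings described in the next steps, make the NetScaler choose the authentication order from the User-Agent header; the session policies of sections 3.3.1.1.4 and 4.3.1.1.2 select the session profile the same way. The following Python model is an added example (not part of the guide or of any Citrix product) that evaluates those bindings for a sample User-Agent; it assumes NetScaler's rule that the bound policy with the lowest priority number is evaluated first, and it assumes a priority of 100 for the original auth_ad binding and for the ns_true session policy, values the guide does not state.

```python
# Added example: model of the User-Agent based policy selection in this guide.
# Assumes NetScaler's rule that the lowest priority number is evaluated first, and
# assumes priority 100 for the auth_ad and ns_true bindings (not stated in the guide).
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int            # lower number = evaluated earlier
    operator: str            # "CONTAINS", "NOTCONTAINS" or "TRUE" (ns_true)
    values: Tuple[str, ...]  # several values in one policy are OR'ed together
    action: str              # authentication type or session profile

def matches(policy, user_agent):
    """Evaluate the policy's REQ.HTTP.HEADER User-Agent expression(s)."""
    if policy.operator == "TRUE":
        return True
    hit = any(v in user_agent for v in policy.values)
    return hit if policy.operator == "CONTAINS" else not hit

def first_match(policies, user_agent):
    """First matching policy in priority order, or None if nothing matches."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy, user_agent):
            return policy
    return None

UA = ("CitrixReceiver",)
# Authentication bindings from sections 5.2.1.1 and 5.2.1.2 of the guide.
PRIMARY = (Policy("auth_ad", 100, "NOTCONTAINS", UA, "LDAP"),        # priority assumed
           Policy("auth_mobile_vasco", 90, "CONTAINS", UA, "RADIUS"))
SECONDARY = (Policy("auth_vasco", 10, "NOTCONTAINS", UA, "RADIUS"),
             Policy("auth_mobile_ad", 90, "CONTAINS", UA, "LDAP"))
# Session bindings from sections 3.3.1.1.4 and 4.3.1.1.2 of the guide.
SESSION = (Policy("sess_icaproxy_mobiledev", 90, "CONTAINS",
                  ("CitrixReceiver", "CitrixReceiver-ipad", "CFNetwork", "Darwin"),
                  "profile_mobiledevices"),
           Policy("sess_icaproxy_nonmobile", 100, "TRUE", (), "profile_publishedapps"))

def auth_chain(user_agent):
    """(primary, secondary) authentication policy names a client is sent through."""
    hits = (first_match(PRIMARY, user_agent), first_match(SECONDARY, user_agent))
    return tuple(p.name if p else "NONE" for p in hits)

def session_profile(user_agent):
    """Session profile applied to the client, or NONE when no session policy matches."""
    chosen = first_match(SESSION, user_agent)
    return chosen.action if chosen else "NONE"

if __name__ == "__main__":
    # Constructed sample User-Agent strings, not captured from real clients.
    for ua in ("Mozilla/5.0 (Windows NT 6.1) Firefox/10.0",
               "CitrixReceiver-ipad/5.5 CFNetwork/548 Darwin/11.0"):
        print(ua, "->", auth_chain(ua), session_profile(ua))
```

Because the selection keys only on a client-supplied header, the guide's two-server login is enforced for every branch: each User-Agent value still lands on one LDAP and one RADIUS policy, only their order changes.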
Now that the new authentication policies are created, the existing auth_ad policy needs to be updated.
Select auth_ad
Click Open
Remove ns_true from the expression list
Click Add
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTCONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
Click OK

5.2.1.2 Virtual Servers
Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-ageeauth and click Open
Select the Authentication tab
Click Insert Policy
Select auth_mobile_vasco
Priority: 90
Click Secondary
Click Insert Policy
Select auth_mobile_ad
Priority: 90
Click Insert Policy
Select auth_vasco
Priority: 10

5.3 IDENTIKEY Authentication Server
There are many possibilities when using IDENTIKEY Authentication Server. It can authenticate against:
Local users (defined in IDENTIKEY Authentication Server)
Active Directory (Windows)
In this whitepaper local users are used to authenticate.

5.3.1 Policies
The policy defines the behaviour of the authentication. It answers the question: I have got a user and a password, what now?
Create a new policy
Policy ID: Test
Inherits From: Base Policy
Inherits means that the new policy has the same behaviour as the policy it inherits from, except where the new policy specifies otherwise.
Example:

  | Base Policy | New Policy | Behaviour
1 | a           |            | New policy will do a
2 | b           |            | New policy will do b
3 | c           | f          | New policy will do f
4 | d           |            | New policy will do d
5 | e           | g          | New policy will do g

The new policy is created; now edit it.
Click Edit
Local Authentication: Digipass/Password
Click Save

5.3.2 Client
In the clients, the locations from which IDENTIKEY Authentication Server accepts requests are specified, together with the protocol they use. A new RADIUS client is added.
Client Type: select Radius Client from the list
Location: 10.4.0.206
Policy ID: select the policy created in section 5.3.1
Protocol ID: RADIUS
Shared Secret: Test1234
Confirm Shared Secret: re-enter the shared secret
Click Save
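Both ends of the RADIUS link, authsrv_vasco on the NetScaler (section 5.2.1.1.1) and the RADIUS client defined here, must hold the same shared secret because with Password Encoding pap the secret is what protects the password in the Access-Request and authenticates the server's reply. The following Python is an added example illustrating the RFC 2865 mechanism; it is not code from the guide, the NetScaler or IDENTIKEY, and the packet it builds is a constructed sample using the guide's user name and secret.

```python
import hashlib
import hmac
import os
import struct

def pap_encode(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP passwords must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth          # first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decode(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of pap_encode; note the chaining uses the encoded (not plain) blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident: int, user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = bytes([1, 2 + len(user)]) + user
    enc = pap_encode(password, secret, request_auth)
    attrs += bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def valid_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must check before trusting an Access-Accept (2) or Access-Reject (3)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    auth = os.urandom(16)                  # fresh, random Request Authenticator per request
    secret = b"Test1234"                   # the shared secret used in 5.2.1.1.1 and 5.3.2
    pkt = access_request(7, b"Demo", b"Test12345", secret, auth)   # constructed sample
    # User-Name occupies bytes 20..26, so the encoded User-Password value starts at 28
    print(len(pkt), pap_decode(pkt[28:44], secret, auth))
```

A mismatched secret produces no error on the wire: the server decodes the password to garbage and rejects the user, and a reply built with the wrong secret fails the authenticator check on the NetScaler. Since the only protection is MD5 keyed with this secret, a long random value is preferable to a short word in production.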
5.3.3 User
Create a user.
User ID: Demo
Enter static password: Test12345
The static password is used when no Digipass is assigned.
Confirm static password: Test12345

5.3.4 DIGIPASS
The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time Passwords (OTP). To make OTP use possible, a DIGIPASS needs to be assigned to the user. The DIGIPASS is the device that generates the OTPs.
Open the user by clicking on its name
Select Assigned Digipass
Click ASSIGN
Click Next
Grace period: 0 Days
The grace period is the period during which a user can still log in with the static password. The first time the user logs in with the DIGIPASS, the grace period expires.
Click ASSIGN
Click Finish
5.4 Test the Solution
5.4.1 With the browser
Open the browser and browse to https://10.4.0.204 or https://citrix2.labs.vasco.com
User name: Demo
Static Password: Test12345
Vasco Password: a One Time Password generated by the user's Digipass
"Vasco Password" is not the standard field label. The label was changed to show the difference between the Active Directory password and the Vasco One Time Password. This is done through the command line interface of the Citrix NetScaler.

5.4.2 With Citrix Receiver
This test is done on an Apple iPad.
Start the Citrix Receiver application
Select Add Account
Address: citrix2.labs.vasco.com
Click Next
Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Enabled
Select Domain + Security Token
Click Save
Token: a One Time Password generated by the user's Digipass
6 FAQ

7 Appendix