Two-factor authentication on NetScaler
To provide secure access to the corporate infrastructure, I use a NetScaler-based solution with two-factor authentication. Building it is quite simple: you need a deployed and configured NetScaler (NS), a deployed certificate authority, and a PKI device such as an eToken.
Why bother? Suppose the web interface of an AG server is reachable from the Internet without restriction; then anyone who knows or guesses a login name can send HTTP requests to it and, depending on the security policy (the number of failed attempts before lockout), lock that user out, and so on. With two-factor authentication we not only verify the user's identity, but also provide a secure access service.
We assume the following is already in place:
- a configured NetScaler
- a deployed certificate authority (an outsourced CA can also be used)
- a configured Access Gateway server

I recommend splitting access to a single internal resource across two AG servers (one for local and one for remote users). In the example above, ssl_ag_xd provides access to XD from the local network (with IP restrictions), and ssl_ag_smart_ica is the published service with certificate verification.
Let's start the setup:
In the AG virtual server settings, go to the SSL Parameters tab

Here we enable client certificate enforcement.

Next, create an authentication server of type CERT, specifying the certificate field that identifies the user.
NetScaler > Access Gateway > Policies > Authentication > Authentication Servers

Now we create an authentication policy based on the created server.
NetScaler > Access Gateway > Policies > Authentication > Authentication Policies

It remains to bind the created policy to the AG virtual server's authentication policies.
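The same configuration, expressed as NetScaler CLI commands instead of GUI clicks, is useful for scripting and for comparing two AG servers. This is an added example and not configuration from the original article; the object names ca_root, cert_act, cert_pol and ldap_pol, the CA file path, and the use of the Subject CN as the identifying field are assumptions, while ssl_ag_smart_ica is the AG virtual server named in the article.

```text
# Added example, not the article's own configuration. Object names and the
# CA file path are assumptions; ssl_ag_smart_ica is the AG vserver from the text.

# 1. Install the CA certificate that issued the eToken certificates and bind it
#    to the AG vserver as a CA (the SSL Parameters / CA side of the GUI steps).
add ssl certKey ca_root -cert /nsconfig/ssl/corp-root-ca.cer
bind ssl vserver ssl_ag_smart_ica -certkeyName ca_root -CA -ocspCheck Optional

# 2. Enforce client certificates on the vserver ("certificate enforcement").
#    Without a certificate chained to ca_root the TLS handshake fails, so an
#    anonymous client never reaches the credential form and cannot lock users out.
set ssl vserver ssl_ag_smart_ica -clientAuth ENABLED -clientCert Mandatory

# 3. CERT authentication server. The "identifiable field" is the certificate
#    attribute NetScaler takes as the user name; here the Subject CN is assumed.
add authentication certAction cert_act -twoFactor ON -userNameField "Subject:CN"

# 4. Authentication policy built on that server; ns_true applies it to every request.
add authentication certPolicy cert_pol ns_true cert_act

# 5. Bind it to the AG vserver as the primary authentication policy. The existing
#    LDAP policy (ldap_pol, assumed) stays bound as secondary, so the user still
#    enters the domain password after the certificate has been accepted.
bind vpn vserver ssl_ag_smart_ica -policy cert_pol -priority 100
bind vpn vserver ssl_ag_smart_ica -policy ldap_pol -priority 100 -secondary

# 6. Review the result before testing from a browser, then persist it.
show ssl vserver ssl_ag_smart_ica
show vpn vserver ssl_ag_smart_ica
save ns config
```

The order matters: if step 5 is done before step 2, there is a window in which the certificate policy is bound but the vserver still accepts connections without a client certificate, and the CERT policy simply fails for those users rather than blocking them at the handshake.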

It remains to check:
Open the browser at the address configured on the AG server. The browser immediately prompts you to choose a certificate from the connected eToken (I have two certificates on my eToken).

After the required certificate is selected and verified, NS passes us through to the Citrix XenDesktop/XenApp web page, where we enter the user credentials.

Access via eToken is obtained.

PS Thank you for your attention; if you have any questions or comments, please ask. NetScaler is not very widespread, but it is a real thing.
In the article I mentioned the restriction by IP (this is not a built-in NS function); if anyone is interested, write and I'll tell you how it is implemented, maybe it will help someone.
Original article: here