
Citrix NetScaler and one-time passwords

Good day, friends! I have been thinking about a topic for another article for a long time; I wanted to cover something broad without seeming biased. I also thought about analytics, administration, and plain “how to”. In the end the deciding factor was yet another request from an acquaintance “on the shop floor”, asking how to organize two-factor authentication for Citrix solutions. At one time I wrote about a solution based on x509 certificates, and I offered it to this colleague. But most of his remote clients were on Apple devices, and in that case the access device and the certificate end up bundled together, like the old Head & Shoulders “2 in 1” advertisement, or like a bunch of keys to all the locks hanging on the same key ring. So I want this article to cover a little administration, analysis and analytics.

The architecture of the solution is built on OTP; put simply, the second “factor” is a one-time password. I suppose there is no need to dwell on the advantages of OTP and its effectiveness, just as there is no need to argue for two-factor authentication of resources and services that are reachable from the Internet. Here I will run a little ahead: in my work, after two-factor authentication with one-time passwords was introduced for access to corporate information systems, users with remote access (mostly middle managers) began asking “why is it so complicated and inconvenient???”, saying nobody else uses it anywhere, so why run ahead of the rest? I ask them: your bank's client application sends you a new password every time, and that is normal? Usually after this the question of security versus convenience is dropped. So, the lyrics and analytics are done; let's continue.

Here I will focus on the components used to implement the solution, and in the description only on the cornerstone settings: the NetScaler policies, the StoreFront settings, and iPad client devices. So, what is available: a deployed XenDesktop/XenApp infrastructure, StoreFront, Citrix NetScaler, a RADIUS server, and an OTP server. As the client I suggest Google Authenticator (although the choice of free OTP clients is quite large). How the OTP solution itself is implemented, I believe, remains on the “conscience” of the specific project: it can be a one-time password generated on a mobile phone, sent via SMS, or other options. Setting up a RADIUS server with one-time password functionality is a topic for a separate conversation; its outline is only touched on in passing.

Having decided that two-factor authentication is needed, let's look at the NetScaler settings that enable the chosen method and make it work correctly from all types of devices:
First of all, create the RADIUS server (the action) and the policies that select it by client type:

add authentication radiusAction RSA -serverIP 192.168.60.43 -serverPort 1812 -radKey ……
add authentication radiusPolicy RSA-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA
add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA


The same split by User-Agent for the LDAP policies (the LDAP action AD is defined separately and is not shown here):

add authentication ldapPolicy LDAP-Corp-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AD
add authentication ldapPolicy LDAP-Corp-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" AD


The final step is to bind the created policies to the prepared SSL VPN virtual server (the NetScaler Gateway):

bind vpn vserver ssl_ag_xd_wa2.*******.ru -policy LDAP-Corp-Web -priority 100
bind vpn vserver ssl_ag_xd_wa2.*******.ru -policy RSA-SelfService -priority 110
bind vpn vserver ssl_ag_xd_wa2.*******.ru -policy RSA-ReceiverForWeb -priority 100 -secondary
bind vpn vserver ssl_ag_xd_wa2.*******.ru -policy LDAP-Corp-SelfService -priority 110 -secondary



It remains to register the NetScaler Gateway as an access point in StoreFront (the steps are shown in the video below):



In the Logon type field, select “Domain and security token”



The administration side is that simple; let's move on. It remains to see the solution “live”:

1. Access via WEB browser



2. Access from iOS (iPad)

Add a new account:



Enter the login, password, domain, one-time code:



In the connection properties we see the type of the selected location (this is configured on StoreFront):



See the list of published applications:



When the application starts, the password and PIN code are requested:



3. Classic Citrix Receiver



So, two-factor authentication is not only an effective and reliable way to publish corporate information systems on the Internet, but also a convenient one and, most importantly, a modern solution, “up to date” so to speak.

Whether to stay with x509 or go with OTP is up to you, but that this mechanism should be implemented is beyond doubt.

P.S. In my daily work I “use as a mandatory procedure” two-factor authentication; based on all of the above, a question for the readers has arisen, formulated in the survey. Please vote:

Source: https://habr.com/ru/post/317914/
