Last year, Citrix and Microsoft started working together to create new solutions. One result of this collaboration is the integration of NetScaler Unified Gateway with Microsoft EMS (Enterprise Mobility + Security). It lets IT administrators define access control policies based on the status of the end user's mobile device. These policies check each mobile device before a user session is established, determine whether the device is registered with Microsoft Intune and complies with the organization's security policies, and then grant or deny access. Below is a diagram of how this solution works. In this post I describe what it is and how it works.

To begin, a brief word about the products themselves. The Citrix product is a gateway for secure network access, and the Microsoft product is a platform for managing applications and data in the data center and in the cloud. Components of the solution:

If a company already uses NetScaler Gateway for Citrix XenApp and/or XenDesktop and plans to connect it with Microsoft EMS, it should look at the new version of NetScaler Gateway carrying the "Unified" prefix. The company gets a single entry point, pass-through authentication, and simpler, more secure use.
Together, Microsoft EMS and NetScaler Unified Gateway form an intelligent system that adds a further layer of protection for on-premises resources by checking the end device in advance. Concretely: before a VPN connection is established, the device from which an employee is trying to reach corporate systems is verified by Microsoft Intune (the Microsoft service for managing mobile devices and applications, included in the EMS platform). For a smartphone or tablet to reach on-premises resources, it must be registered with Microsoft Intune.
Administrators can set access control policies for on-premises resources, including MS Exchange, SharePoint and any other application, based on the status of the end user's mobile device. Every device that wants to connect is therefore checked before the session is set up, to determine whether it is registered with the Microsoft Intune service and whether it complies with the company's security policies. While this check is in progress, the mobile user has only conditional access; the system collects information and, based on it, decides whether to grant full access or block the device. As a result, the company gains additional protection for its on-premises resources.

Beyond conditional access to corporate resources, this solution can scan mobile devices and identify risk factors such as a jailbroken or rooted state (the ability to obtain root rights), outdated anti-virus databases, or installed malware. Appropriate measures are taken based on the results of this audit. This provides security and centralized management of equipment that has previously been registered with Microsoft Intune.
If you use MS Intune, or other mobile device management systems (for example, XenMobile), you can prevent leakage of important data and wipe it from a phone or tablet that an employee has lost. It is also possible to manage devices and configure them remotely (for example, push a Wi-Fi profile), which greatly simplifies administration and control over corporate data.
Another feature worth noting is the improved user experience: administrators can push policies and configuration settings to mobile devices without end users having to make any manual adjustments. The solution supports the iOS and Android platforms, and the user interface is the same on both.
In addition, NetScaler Unified Gateway offers policy-based multi-factor authentication (nFactor Authentication). System administrators can choose any mechanism, including RADIUS, Kerberos and others, to authenticate end users. For example, you can check the user's membership in an AD group and, based on that membership, decide whether or not to add the next authentication factor, or, after a failed attempt, offer other methods to verify the user. The authentication portal can also be personalized to the company's requirements. With Intune integration, you can, for example, use the user's AD group membership to determine whether he has access to sensitive enterprise data and, if so, request an additional factor such as a one-time password (OTP). This technology provides almost unlimited scope for building complex user authentication flows.
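To make the decision logic described in the last few paragraphs concrete, here is an added example that models the flow in plain Python. It is not NetScaler or Intune configuration and calls no Citrix or Microsoft API; the device records, the group name `SecretData`, the factor names and the fallback order are all constructed for the illustration. The point it shows is the ordering: device posture (registration, compliance, risk factors) is evaluated before any session exists, and only then does the nFactor-style chain decide whether a password alone is enough or a second factor is required.

```python
"""Illustrative model of MDM-gated conditional access plus a group-based
authentication chain. Added example; not vendor code. All policy values
and sample records below are constructed."""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """What the MDM service reports about one mobile device (constructed)."""
    device_id: str
    enrolled: bool              # registered with the MDM service
    compliant: bool             # MDM says the device meets policy
    rooted: bool = False        # jailbroken / rooted
    av_outdated: bool = False   # anti-virus databases out of date
    malware_found: bool = False


@dataclass
class User:
    name: str
    groups: frozenset           # AD group memberships


# Hypothetical policy: members of these groups must present a second factor.
STEP_UP_GROUPS = frozenset({"SecretData"})
# Hypothetical order in which alternative methods are offered after a failure.
FALLBACK_METHODS = ["otp", "push", "radius"]


def device_risk_factors(device):
    """Collect the risk indicators the audit would report for a device."""
    risks = []
    if device.rooted:
        risks.append("rooted")
    if device.av_outdated:
        risks.append("av_outdated")
    if device.malware_found:
        risks.append("malware")
    return risks


def pre_session_check(device):
    """Runs before any VPN session is established. Returns (allowed, reason)."""
    if not device.enrolled:
        return False, "device not registered with MDM"
    risks = device_risk_factors(device)
    if risks:
        return False, "device non-compliant: " + ", ".join(risks)
    if not device.compliant:
        return False, "device non-compliant: policy"
    return True, "device registered and compliant"


def required_factors(user):
    """nFactor-style chain: password always; OTP only for sensitive groups."""
    factors = ["password"]
    if user.groups & STEP_UP_GROUPS:
        factors.append("otp")
    return factors


def next_method_after_failure(failed_method):
    """After a failed attempt, suggest the next alternative method, if any."""
    if failed_method not in FALLBACK_METHODS:
        return FALLBACK_METHODS[0]
    idx = FALLBACK_METHODS.index(failed_method) + 1
    return FALLBACK_METHODS[idx] if idx < len(FALLBACK_METHODS) else None


def evaluate_access(user, device, completed_factors):
    """Full decision: device posture first, then the authentication chain."""
    ok, reason = pre_session_check(device)
    if not ok:
        return {"decision": "deny", "reason": reason}
    needed = required_factors(user)
    missing = [f for f in needed if f not in completed_factors]
    if missing:
        return {"decision": "challenge", "next_factor": missing[0]}
    return {"decision": "allow", "factors": needed}


if __name__ == "__main__":
    # Constructed sample: a compliant phone and a user in a sensitive group.
    phone = DevicePosture("dev-001", enrolled=True, compliant=True)
    alice = User("alice", frozenset({"Staff", "SecretData"}))
    print(evaluate_access(alice, phone, ["password"]))          # challenge: otp
    print(evaluate_access(alice, phone, ["password", "otp"]))   # allow
```

Note that a device that is unenrolled or carries a risk indicator is refused before the user is asked for anything, which is what "checked before the session is established" means in practice, and that the step-up factor is tied to group membership rather than applied to everyone.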

Separately, I would like to dwell on end-to-end monitoring: through its Gateway Insight feature, NetScaler Unified Gateway provides full end-to-end visibility and monitoring of all users' access to on-premises applications. This functionality is indispensable for administrators who support such an infrastructure. Detailed monitoring lets you track users, the applications they are trying to reach, and the errors they encounter.
Entering a username and password on a mobile device is not the most exciting task, especially several times over. Today, secure does not have to mean inconvenient. Citrix NetScaler Unified Gateway provides remote access with a single user authentication for all applications, and this functionality is preserved when NetScaler is integrated with Microsoft EMS. Thanks to the OAuth support in Citrix NetScaler, a user who has authenticated to Intune once can build an SSL VPN tunnel to NetScaler, after which Single Sign-On forwards the credentials to the application, for example SharePoint.
Companies that use NetScaler or NetScaler Unified Gateway for Citrix XenApp/XenDesktop, or for single sign-on to all applications in the data center or cloud, can also use these solutions to support the MDM functionality of Microsoft EMS.
NetScaler Unified Gateway is useful not only for those moving to Microsoft EMS, but for anyone who needs to provide secure access to corporate resources, in any industry: banks, telecom operators, businesses of every kind and many others. The gateway provides trusted remote access to XenApp and XenDesktop, as well as to all corporate web, SaaS and Citrix applications. With NetScaler Unified Gateway, you no longer need a separate SSL VPN for remote access to corporate and cloud applications, which reduces overall costs while preserving the user experience.