Warning

For Citrix NetScaler versions 10.5+, the No Certificate Redirect function is not supported if Subject:CN is selected from the User Name Field dropdown in the Certificate Authentication AAA section (resolved in NetScaler 11.0+ versions)

To access NetScaler with a SecureAuth IdP-issued certificate, end-users must go to the SecureAuth IdP certificate enrollment realm (SecureAuth IdP Configuration Steps below) first to enroll for a certificate, and then go into NetScaler where it is validated

Versions pre-10.5 support the No Certificate Redirect, so end-users can initiate the login process at Citrix and be redirected to SecureAuth IdP if no certificate is present

...

Prerequisites

1. Have a Citrix Receiver AGEE and access to the management console

2. Download the SecureAuth CA Public Certificates zip bundle

3. Create a New Realm for the Citrix Receiver integration in the SecureAuth IdP Web Admin

4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined
Info
The Registration Methods tab in SecureAuth IdP Version 9.0 has been renamed Multi-Factor Methods as of Version 9.0.1

Citrix Receiver Configuration Steps

Certificates

1. Log into the Citrix Receiver AGEE admin console, and expand the SSL menu under Traffic Management, and click Certificates

2. Click Install to upload the SecureAuth CA Public Certificates zip bundle

Install Certificate

3. Provide the Certificate-Key Pair Name of the certificate

4. Click Browse in the Certificate File Name section, and select the SecureAuth CA Public Certificates file

5. Select PEM from the Certificate Format options

6. Click Install

7. Repeat steps 3-6 as needed to upload the certificates

Link Server Certificates

8. Once the certificates are uploaded, they will appear on the Certificates page

9. Right-click the Intermediate certificates, and click Link

10. Select the appropriate Root Certificate from the CA Certificate Name dropdown

11. Click OK

12. Repeat steps 9-11 as needed to link the intermediate certificates with the root certificates
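
The intermediate-to-root pairing chosen in steps 9-12 can be checked on a workstation before anything is uploaded. The script below is an added example, not part of the SecureAuth guide; it assumes the zip bundle has been extracted to a directory holding one PEM certificate per file and that the openssl command-line tool is installed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the guide. Assumes: openssl CLI installed, and DIR
# holds only the extracted CA certificates, one PEM certificate per file.

# Print the subject or issuer name hash of a certificate ($2 = subject|issuer).
name_hash() { openssl x509 -in "$1" -noout "-${2}_hash" 2>/dev/null; }

# True when the file parses as a certificate and is self-issued (a root).
is_root() {
  s=$(name_hash "$1" subject) && [ -n "$s" ] && [ "$s" = "$(name_hash "$1" issuer)" ]
}

# link_plan DIR prints one line per file:
#   ROOT <file>                     self-issued certificate
#   LINK <intermediate> -> <root>   issuer name matches and signature verifies
#   ORPHAN <intermediate>           no root in DIR issued it
#   BAD <file>                      not a parsable PEM certificate
# The exit status is non-zero if any file is ORPHAN or BAD.
link_plan() (
  dir=$1; rc=0
  for f in "$dir"/*; do
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
      echo "BAD $(basename "$f")"; rc=1
    elif is_root "$f"; then
      echo "ROOT $(basename "$f")"
    fi
  done
  for f in "$dir"/*; do
    openssl x509 -in "$f" -noout 2>/dev/null || continue
    is_root "$f" && continue
    linked=""
    for r in "$dir"/*; do
      is_root "$r" && [ "$(name_hash "$f" issuer)" = "$(name_hash "$r" subject)" ] || continue
      if openssl verify -CAfile "$r" "$f" >/dev/null 2>&1; then
        linked=$r; break
      fi
    done
    if [ -n "$linked" ]; then
      echo "LINK $(basename "$f") -> $(basename "$linked")"
    else
      echo "ORPHAN $(basename "$f")"; rc=1
    fi
  done
  [ "$rc" -eq 0 ]
)
```

Each LINK line names the root to select in step 10 for that intermediate; an ORPHAN or BAD line means the bundle is incomplete or a file is not in PEM format.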

VPN Virtual Server

A VPN Virtual Server is required for this integration

13. In the admin console, select Virtual Servers under NetScaler Gateway

14. Select the appropriate Virtual Server to use for this integration, or click Add to create a new one

See below for Virtual Server creation steps

Create New Virtual Server

1. Set a Name for the new Virtual Server

2. Provide the IPAddress

3. Provide the Port number

4. Click OK

CA Certificate

15. Open the Virtual Server, and click on the CA Certificate option under Certificates

16. Click the Select CA Certificate dropdown to be taken to the SSL Certificates page

17. Select the Certificates uploaded in steps 3-6, and click OK

18. Click Bind

19. Repeat steps 16-19 until the five certificates are uploaded to the Virtual Server

Certificate Policy

20. In the Virtual Server, click the + in the Authentication section to add an Authentication CERT Policy

21. Select CERTIFICATE from the Choose Policy dropdown

22. Select Primary from the Choose Type dropdown

23. Click Continue

24. Click the + in the Select Policy section to create a new certificate policy

25. Once the policy and profile are created (steps 26-34 below), click Bind

Create Authentication CERT Policy

26. Provide a Name for the new certificate policy

27. Click the + in the Server section to create a new certificate profile

28. Select the newly created profile (steps 31-34 below) from the Server dropdown

29. Create an ns_true Expression

30. Click Create

Create Authentication CERT Profile

31. Provide a Name for the new certificate profile

32. Select ON from the Two Factor options

33. Select Subject:CN from the User Name Field dropdown

34. Click Create

LDAP Policy

35. In the Virtual Server, click the + in the Authentication section to add an Authentication LDAP Policy  

36. Select LDAP from the Choose Policy dropdown

37. Select Secondary from the Choose Type dropdown

38. Click Continue

39. Click the + in the Select Policy section to create a new LDAP policy

40. Once the policy and profile are created (steps 41-57 below), click Bind

Create Authentication LDAP Policy

41. Provide a Name for the new LDAP policy

42. Click the + in the Server section to create a new LDAP server

43. Select the newly created server (steps 46-57 below) from the Server dropdown

44. Create an ns_true Expression

45. Click Create

Create Authentication LDAP Server

46. Provide a Name for the new LDAP server

47. Provide the Server Name or the Server IP Address

48. Select the Security Type from the dropdown

49. Provide the Port of the LDAP directory

50. Provide the Base DN of the location of users in the LDAP directory

51. Provide the Citrix service account information in the Administrator Bind DN field

52. Select --<< New >>-- from the Server Logon Name Attribute dropdown, and set it to sAMAccountName

53. Select memberOf from the Group Attribute dropdown

54. Select --<< New >>-- from the Sub Attribute Name dropdown, and set it to Subject:CN

55. Select Disabled in the Nested Group Extraction section

56. Configure the rest as required for the LDAP directory

57. Click Create

SSL Profile

58. In the Virtual Server, open the SSL Profile menu

59. Click the + in the SSL Profile section to create a new SSL profile

60. Select the newly created SSL profile (steps 61-63 below) from the SSL Profile dropdown, and click OK

Create SSL Profile

61. Provide a Name for the new SSL profile

62. Select NO from the Deny SSL Renegotiation dropdown

63. Click Create

Session Policy

64. In the Virtual Server, click the + in the Policies section to configure the Client Experience

65. Select Session from the Choose Policy dropdown

66. Select Request from the Choose Type dropdown

67. Click Continue

68. Click the + in the Select Policy section to create a new session policy

69. Once the policy and profile are created (steps 70-78 below), click Bind

Create Session Policy

70. Provide a Name for the new session policy

71. Click the + in the Action section to create a new session profile

72. Select the newly created session profile (steps 74-78 below) from the Action dropdown

73. Click Create

Create Session Profile

74. Provide a Name for the new session profile

75. In the Client Experience section, select Allow from the Clientless Access dropdown

76. Select Clear from the Clientless Access URL Encoding dropdown

77. Select Java from the Plug-in Type dropdown

78. Click Create

Info

For the Citrix Receiver policy, the User Agent could be Citrix Receiver, iOS, and Android

Make sure that the Citrix Receiver policy has the highest Priority, i.e. the lowest number

SecureAuth IdP Configuration Steps

C-SSL Configuration Guide: Certificate authentication via SSL configuration guide

Certificate Enrollment Workflow Configuration