DIGIPASS Authentication to Citrix XenDesktop with endpoint protection SmartAccess Configuration with Digipass INTEGRATION GUIDE


DIGIPASS SSO Authentication to Citrix XenDesktop in High Security Environments

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Integration Guidelines


Table of Contents

Disclaimer
Table of Contents
1 Abstract
2 Reader
3 Overview
   How SmartAccess Works for XenApp and XenDesktop
4 Problem Description
5 Solution
6 Technical Concept
   6.1 General overview
   6.2 Citrix prerequisites
   6.3 IDENTIFIER prerequisites
7 Citrix Configuration
   7.1 Netscaler Authentication configuration
   7.2 Web Interface configuration
8 IDENTIFIER DMZ
   8.1 Policy configuration
   8.2 Client configuration
   8.3 LDAP Synchronization
9 IDENTIFIER LAN
   9.1 Policy configuration
   9.2 Client configuration
   9.3 LDAP Synchronization
10 DIGIPASS Authentication for IIS basic
11 Citrix CAG login with DIGIPASS
   11.1 Logon
12 DIGIPASS and User Management
   12.1 DIGIPASS
   12.2 Users
13 Additional functionalities
   13.1 Password change policies
   13.2 DIGIPASS provisioning
14 About VASCO Data Security


1 Abstract

SmartAccess makes it possible to control the user systems that request access to applications published with Citrix XenApp, through the use of Access Gateway Enterprise policies and filters. This permits the use of endpoint analysis as a condition for application access, along with other factors. This functionality is achieved by integrating Access Gateway Enterprise components with the Web Interface for Citrix XenApp Server and with Citrix XenApp Server, which provides advanced authentication and access control.

To protect the user's identity and the company's network, the static password, the weakest link in security, should be eliminated and replaced by DIGIPASS. DIGIPASS by VASCO provides one-time passwords: the user logs on with a unique time-based password that can be used only once, within a certain time frame. This one-time password replaces the static password stored in Active Directory or any other database. With VASCO's strong authentication, a single DIGIPASS one-time password is enough to log on to the multiple Citrix environments used by the SmartAccess scenario.

SmartAccess in combination with DIGIPASS offers:

- Citrix Online Applications and Desktops provisioning

- no user-controlled password

- Single Sign On to all sessions

- SmartAccess capability, i.e. the ability to influence application properties being connection properties / context

2 Reader

This document is a guideline for configuring a partner product with IDENTIFIER or IDENTIKEY Server. For details about the setup and configuration of IDENTIKEY Server and IDENTIFIER, we refer to the installation and administration manuals of these products. IDENTIFIER is VASCO's appliance, which by default runs IDENTIKEY Server.

Within this document, VASCO Data Security provides the reader with guidelines for the configuration of the partner product, with its specific configuration, in combination with VASCO Server solutions and DIGIPASS. Any change in the concept might require a change in the configuration of the VASCO Server products.

The product name `IDENTIFIER` will be used throughout the document, keeping in mind that it also applies to IDENTIKEY Server.

3 Overview

The purpose of this document is to demonstrate how to configure IDENTIFIER and configure DIGIPASS authentication on Citrix Web Interface in a SmartAccess configuration.


For the standard configuration of the SmartAccess configuration we refer to Citrix documentation.

For the standard configuration of DIGIPASS integration with CAG/Netscaler/ Web Interface we refer to the DIGIPASS integration guide for Citrix CAG.

How SmartAccess Works for XenApp and XenDesktop

To configure SmartAccess, you need to configure the Access Gateway settings on the Web Interface and configure session policies on the Access Gateway. When you run the Published Applications Wizard, you can select the session policies you created for SmartAccess.

When a user types the web address of a virtual server in a web browser, the configured pre-authentication policies are downloaded on to the user’s device. The Access Gateway sends the pre-authentication and session policy names to the Web interface as filters. If the policy condition is set to ‘true’, the policy is always sent as a filter name. If the policy condition is not met, the filter name is not set. This allows you to differentiate the list of published applications and desktops and the effective policies on a computer running XenApp or XenDesktop based on the results of the endpoint analysis.

The Web interface contacts the XenApp or XenDesktop server and returns the published resource list to the user. Any resources that have filters applied to them do not appear in the user’s list unless the condition of the filter is met.

Endpoint analysis can be configured on the Access Gateway. To configure endpoint analysis, you create a session policy that enables the ICA proxy setting and which configures a client security string. When the session policy is configured, you can link the policy to the entire user base or to users, groups, and virtual servers.

When the user logs on, the endpoint analysis policy runs a security check of the client device using the client security strings configured on the Access Gateway.

For example, if you want to check for a specific version of anti-virus, the client security string in the expression editor appears as follows:

client.application.av.version == 10.0.2

After the policy is configured, link it to a user, group, virtual server or the entire user base. When users log on, the endpoint analysis policy check starts and verifies whether or not the client device has version 10.0.2 or higher of the antivirus installed.

When the endpoint analysis check is successful, the Web Interface portal appears if the user is running a clientless session; if not, the Access Interface appears.

When you create a session policy for endpoint analysis, the session profile does not have any pre-configured settings, creating a null profile. The Access Gateway uses the Web Interface URL configured globally for SmartAccess.
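A small model of the filter mechanism described in this section, as an added example (not Citrix or VASCO code). The policy names, resource names and the scan-result dictionary are hypothetical; the version check follows the text's "version 10.0.2 or higher" and treats a missing or unparsable scan value as condition not met.

```python
def parse_version(text):
    """'10.0.2' -> (10, 0, 2); None when the scan reported nothing usable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def av_at_least(scan, minimum):
    """Condition is met only for a parsable version >= minimum (fails closed).

    Versions are compared as integer tuples: as plain strings, "9.5" would
    sort after "10.0.2" and wrongly pass the check.
    """
    found = parse_version(scan.get("av_version"))
    return found is not None and found >= minimum


# Hypothetical session policies: name -> condition over the endpoint scan result.
POLICIES = {
    "AV_10_0_2": lambda scan: av_at_least(scan, (10, 0, 2)),
    "ANY_ENDPOINT": lambda scan: True,   # condition always true -> always sent
}

# Hypothetical published resources: (name, filter name or None).
RESOURCES = [
    ("Intranet Portal", None),            # no filter: listed for every user
    ("Finance Desktop", "AV_10_0_2"),     # listed only when the filter was sent
]


def filters_sent(scan):
    """Filter names passed to the Web Interface: only policies whose condition is met."""
    return [name for name, condition in POLICIES.items() if condition(scan)]


def published_list(scan):
    """Resource list returned to the user for this endpoint."""
    sent = set(filters_sent(scan))
    return [name for name, flt in RESOURCES if flt is None or flt in sent]


if __name__ == "__main__":
    for scan in ({"av_version": "10.0.2"}, {"av_version": "9.5"}, {}):
        print(scan, "->", filters_sent(scan), published_list(scan))
```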


Figure 1: Overview

The basic configuration of Citrix in this SmartAccess configuration is based on authentication with static passwords using existing media (LDAP, RADIUS, local authentication …).

VASCO DIGIPASS authentication is supported by default within a Citrix SmartAccess configuration, where the one-time password is verified in combination with the static password (combination of RADIUS and LDAP authentication on Citrix Access Gateway, with SSO to Netscaler and Web Interface).

4 Problem Description

When security is raised to a level where it is `no longer allowed` to use any static password, the standard configuration of Citrix and IDENTIFIER with RADIUS and LDAP verification does not offer the desired results. In this standard solution the logon screen presents 3 fields (user name, static password, OTP).

We are looking for a solution where ONLY the OTP can be used. Working in a SmartAccess configuration also requires that an OTP is checked in each zone, keeping in mind that the user enters the OTP only once, at initial logon to the CAG, and is not asked for a second or third logon when SSO authenticates the user on Web Interface.

5 Solution

After setting up and configuring the IDENTIFIER appliances within 2 of the 3 Citrix zones, the user only needs the PIN code of his DIGIPASS and the one-time password generated by the DIGIPASS. Additionally, we install and configure an IIS agent to support SSO and password management.

Figure 2: Solution

[Diagram not reproduced. Labels: Internet, Public Network, End Point Scenarios, DMZ1, DMZ2, Citrix Access Gateway, Citrix NetScaler, NetScaler – Network Load Balancing Virtual Server, Web Interface, Citrix XenApp Farm, Microsoft Active Directory Services, Resources. Labelled flows: TCP 80/443, TCP 1812, TCP 445 NTLM, TCP ??? Get Credentials, Get USR.]


6 Technical Concept

6.1 General overview

The main goal of Citrix CAG is to perform authentication in a secure way, to set up a secure SSL VPN connection and to retrieve a single sign-on to connect to the Web Interface. The use of DIGIPASS, and DIGIPASS solely, makes the setup unique and very different from the standard 2FA integrations.

We describe the setup in separate chapters, one for each zone. The first zone, DMZ, will be authenticated by using RADIUS. The second zone, containing the Citrix Netscaler, forwards the credentials using the Citrix standard configuration. The third zone, LAN, will use a DIGIPASS Pack for Citrix with enhanced functionality interacting with IIS running on the Citrix Web Interface.

6.2 Citrix prerequisites

Make sure you have an operational setup of the Citrix SmartAccess configuration using a static password (LDAP, eDir, AD, ...). It is very important that this is working correctly before you start implementing the VASCO part.

Current configuration:

• Windows/ Windows 2008R2
• Citrix CAG 9.1
• Citrix Netscaler 9.1
• Citrix XenApp 6.0
• Citrix Web Interface 5.3

All support updates for future versions will be available in the DIGIPASS Authentication for Web Interface, downloadable from www.vasco.com.

6.3 IDENTIFIER prerequisites

We assume that you have already installed IDENTIFIER, that a test user and a domain have been created, that LDAP sync has been configured, and that DIGIPASS has been imported and tested locally within the web administration.

Make sure you can synchronize the LDAP users from AD or any other repository. Check the manuals for configuring the LDAP synchronization in IDENTIFIER.

The quick start guide of IDENTIFIER helps you to configure these basic features.

Throughout this document, we will specify the differences between the IDENTIFIER in the DMZ zone and the IDENTIFIER in the LAN environment.


7 Citrix Configuration

Configure CAG, Netscaler and Web Interface according to the standard procedure of Citrix.

7.1 Netscaler Authentication configuration

On the Netscaler in the DMZ you configure the authentication to use RADIUS. LDAP will no longer be used here. The DIGIPASS password will be verified locally against the IDENTIFIER in the DMZ.

Configure the authentication server on the Netscaler with:

• the IP address of the IDENTIFIER

• the shared secret you configured for the client in IDENTIFIER

Figure 3: RADIUS config Netscaler

Configure the AG server on port 1080/443. On the first-hop appliance, you also need an AG server, an LDAP group extractor and a session policy pointing to the WI. You also need at least one STA bound to the CAG.

To support you in this matter, we refer to the SmartAccess Deployment Guide:

http://www.jaytomlin.com/citrix/AG/AG-E%208.0%20SmartAccess%20Deployment%20Guide%20Dec%202007.pdf


7.2 Web Interface configuration

Within this SmartAccess configuration we configure the Citrix Web Interface being published by the CAG. Web Interface has to be of the `Authentication at Access Gateway` type in Gateway direct access mode.

8 IDENTIFIER DMZ

Go to the IDENTIFIER web administration page, and authenticate with the administrative account created during setup.

8.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 4: Policy configuration (1)

There are some policies available by default. You can also create new policies to suit your needs. Those can be independent policies or policies from which you inherit the settings by default or from other policies.

We suggest creating a new policy without inheritance and giving it the name `DMZ`.


Fill in a policy ID and description.

Figure 5: Policy configuration (2)

In the policy options configure it to use the right back-end server. This could be the local database, but also active directory or another RADIUS server.

This is probably the same as in your default client authentication options before you changed them. Alternatively, you can use the local database or Windows, or pass the request on to another RADIUS server.

In our example we select our newly made DMZ Policy and change it like this:

• Local auth.: DIGIPASS/Password
• Back-End Auth.: None (None)
• Back-End Protocol: None (None)
• Dynamic User Registration: No (No)
• Password Autolearn: No (No)
• Stored Password Proxy: No (No)
• Windows Group Check: No Check (No Check)

After configuring this policy, the authentication will happen locally in the IDENTIFIER. User credentials are passed on to the IDENTIFIER, which will check these credentials against its local user database and will respond to the client with an Access-Accept or Access-Reject message.


In the Policy tab, click the Edit button, and change the Local Authentication to DIGIPASS/Password.

Figure 6: Policy configuration (3)

The user details can keep their default settings.


Figure 7: Policy configuration (4)

8.2 Client configuration

Now create a new component by right-clicking Components and choosing New Component.

Figure 8: Client configuration (1)

As component type you choose RADIUS Client. The location is the IP address of the client (Citrix Access Gateway). In the policy field you should find your newly created policy. Fill in the shared secret you entered in the client for the RADIUS options. In our example this was “VASCO”. Click Create.

Figure 9: Client configuration (2)

Now the client and the IDENTIFIER are set up. We will now see if the configuration is working.
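The RADIUS exchange that this client definition enables, as an added example that is not part of the original guide or of any VASCO or Citrix product: it hides the password attribute as RFC 2865 specifies, lets a stand-in server answer with Access-Accept or Access-Reject, and checks the Response Authenticator on the client side. The user name, the PIN and one-time password value and the `server_reply` stand-in are constructed for illustration; the shared secret is the guide's example value.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types


def _xor_blocks(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator instead."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        prev = result if hiding else block   # always chain on the ciphertext
        out += result
    return out


def hide_password(password, secret, request_auth):
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    return _xor_blocks(padded, secret, request_auth, hiding=True)


def unhide_password(hidden, secret, request_auth):
    return _xor_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, user, password, secret, request_auth):
    """Client side (the role the gateway plays): code, id, length, authenticator, attributes."""
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def server_reply(request, secret, accounts):
    """Stand-in for the RADIUS server: un-hide the password, compare, sign the reply."""
    attrs, request_auth = parse_attrs(request), request[4:20]
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = accounts.get(attrs.get(USER_NAME, b""), b"\x00")
    code = ACCESS_ACCEPT if hmac.compare_digest(expected, password) else ACCESS_REJECT
    head = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_reply(reply, request, secret):
    """Client side: return the reply code only if the reply is authentic, else None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None


def demo():
    accounts = {b"jdoe": b"1234" + b"567890"}      # constructed: PIN + one-time password
    request = build_access_request(7, b"jdoe", b"1234567890", b"VASCO", os.urandom(16))
    accepted = verify_reply(server_reply(request, b"VASCO", accounts), request, b"VASCO")
    # Secret mistyped on the server component: the password un-hides to garbage,
    # the server rejects, and the client cannot authenticate that reply either.
    mismatch = server_reply(request, b"VASC0", accounts)
    return accepted, mismatch[0], verify_reply(mismatch, request, b"VASCO")


if __name__ == "__main__":
    print(demo())
```

A mistyped shared secret on either side produces no explicit error, only an Access-Reject that the client cannot verify, so compare the two secrets first when every logon is rejected. RFC 2865 prefers a shared secret of at least 16 octets, which the example value used in this guide does not meet.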


8.3 LDAP Synchronization

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user repository. The Netscaler can re-route that information towards the LDAP server.

TIP: check the Administration guide of the IDENTIFIER.

TIP: Log on to the configuration page of the IDENTIFIER to configure LDAP sync.

9 IDENTIFIER LAN

Go to the IDENTIFIER web administration page, and authenticate with the administrative account.

9.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 10: Policy configuration (1)

There are some policies available by default. You can also create new policies which suit your needs. Those can be independent policies or policies which inherit their settings by default or from other policies.

To make things easier, create a new policy without inheritance and use a practical name. In this configuration we called the policy `LAN`.


Fill in a policy ID and description. Choose the option which is most suitable for your situation. If you want the policy to inherit settings from another policy, choose the right policy in the Inherits From list. Otherwise leave this field set to None. In this example we chose not to inherit.

Figure 11: Policy configuration (2)

After configuring this policy, the authentication will happen locally in the IDENTIFIER and the user's LDAP credentials will be verified against AD. User credentials are passed on to the IDENTIFIER, which checks them against its local user database, also checks the AD password, and responds to the client with an Access-Accept or Access-Reject message. The client in the LAN will be the IIS on which we installed an agent. This agent is a type of middleware between IIS and IDENTIFIER.


In the Policy tab, click the Edit button, and change the settings to:

• Local auth.: DIGIPASS/Password
• Back-End Auth.: If Needed
• Back-End Protocol: Microsoft AD (LDAP)

Figure 12: Policy configuration (3)

In the User tab, click the Edit button, and change the settings to:

• Dynamic User Registration: No
• Password Autolearn: Yes
• Stored Password Proxy: Yes
• Default Domain: enter the name of your domain
• Windows Group Check: No Check

Figure 13: Policy configuration (4)


9.2 Client configuration

Create a new component by right-clicking Components and choosing New Component. During setup of the DIGIPASS for Citrix Web Interface, a client of type Administration Program is required to allow the creation of an IIS Module client.

Select:

• Client Type: Administration Program
• Location: IP address of the IIS server running Web Interface
• Policy ID: IDENTIKEY Administration Logon
• Protocol ID: SEAL

Figure 14: Client Configuration

During the setup of the DIGIPASS for Citrix Web Interface, allow the creation of the IIS Module component.

9.3 LDAP Synchronization

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user repository. In this zone, we sync directly with AD whereas in the DMZ the Netscaler forwarded the requests.

TIP: check the Administration guide of the IDENTIFIER.

TIP: Log on to the configuration page of the IDENTIFIER to configure LDAP sync.


10 DIGIPASS Authentication for IIS basic

Check the DIGIPASS Authentication for IIS basic installation guide for installation instructions. This DIGIPASS installer has to be installed on the server running Citrix Web Interface.

• Once the DIGIPASS Authentication for IIS Basic is installed, open Start > All Programs > VASCO > DIGIPASS Authentication for IIS basic > DIGIPASS Authentication for IIS basic configuration

• Select Tracing > select Full Tracing. The tracing can help you when checking the log files.

Figure 15: DIGIPASS Authentication for IIS Basic Configuration


• Select Connections > the connections should have been configured already during the setup. The connection refers to the IP address of the authentication server, which is the IDENTIFIER. If set correctly, no changes are required.

• Select Authentication > Select HTTP Header Filtering

• Check enabled

• Base URL: Enter the path to the Citrix logon page being login.aspx

• Select Header Fields > enter within the User Name field the value `user`, enter within the Password field the value `password`

• Select Apply and accept to restart the IIS service

The DIGIPASS IIS basic configuration is completed.

11 Citrix CAG login with DIGIPASS

11.1 Logon

For user and DIGIPASS assignment, check section 12 in this document.

To start the test, browse to the public IP address or hostname of the CAG.

In our example this is https://test.vasco.com. Enter your Username, PIN and DIGIPASS Password (one-time password) and click the Logon button.

Figure 2: Response Only

If all goes well, you will be authenticated and be directed to the Citrix Web Interface Portal publishing your resources.


12 DIGIPASS and User Management

12.1 DIGIPASS

The DIGIPASS is delivered with a database file, DPX. This file, protected by a transport key, should be loaded onto the IDENTIFIER in the DMZ and once more onto the IDENTIFIER in the LAN. Be sure that the time settings on both IDENTIFIER appliances are configured correctly. It is possible to configure the NTP server address.

The DIGIPASS devices, represented by a serial number in the IDENTIFIER, can be assigned manually or automatically. The automated procedures allow users to self-assign a DIGIPASS to their account. It is also possible to automatically assign a DIGIPASS to a user without the need for registration. This auto-assignment is interesting for DIGIPASS Mobile.

To provision the DIGIPASS Mobile, see section 13.

12.2 Users

Within this SmartAccess configuration, users will be synchronized automatically by means of LDAP sync.

13 Additional functionalities

13.1 Password change policies

The VASCO server products (IDENTIFIER and IDENTIKEY Server) provide the tools to update the local database with password changes. These password updates can be handled at the moment the password is changed or at a later stage.

The Password Sync Tool, which provides this functionality, is available on www.vasco.com.

13.2 DIGIPASS provisioning

VASCO provides a wide range of hardware and software DIGIPASS devices. The provisioning functionalities within VASCO's server products, like IDENTIKEY and IDENTIFIER, offer the lowest TCO and user-friendly provisioning of software and hardware DIGIPASS. Check with your VASCO contact to discuss the possibilities.

14 About VASCO Data Security

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including several international financial institutions. VASCO's prime markets are the financial sector, enterprise security, e-commerce and e-government.