DIGIPASS SSO Authentication for CITRIX SmartAccess end ... - Vasco

DIGIPASS Authentication to Citrix 

XenDesktop with endpoint protection 

SmartAccess Configuration with Digipass 

INTEGRATION GUIDE

Disclaimer 

Disclaimer of Warranties and Limitation of Liabilities 

All information contained in this document is provided 'as is'; VASCO Data Security assumes no 

responsibility for its accuracy and/or completeness. 

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any 

use of the information contained in this document. 

Copyright 

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All 

rights reserved. VASCO ® , Vacman ® , IDENTIKEY ® , aXsGUARD, DIGIPASS ® and ® logo 

are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data 

Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. 

and/or VASCO Data Security International GmbH own or are licensed under all title, rights and 

interest in VASCO Products, updates and upgrades thereof, including copyrights, patent 

rights, trade secret rights, mask work rights, database rights and all other intellectual and 

industrial property rights in the U.S. and other countries. Microsoft and Windows are 

trademarks or registered trademarks of Microsoft Corporation. Other names may be 

trademarks of their respective owners. 

Integration Guidelines 

1 DIGIPASS SSO Authentication to Citrix XenDesktop in High Security Environments

Table of Contents 

Disclaimer ...................................................................................................................... 1 

Table of Contents ........................................................................................................... 2 

1 Abstract .................................................................................................................... 4 

2 Reader ...................................................................................................................... 4 

3 Overview................................................................................................................... 4 

How SmartAccess Works for XenApp and XenDesktop ................................................... 5 

4 Problem Description ................................................................................................. 6 

5 Solution .................................................................................................................... 6 

6 Technical Concept ..................................................................................................... 8 

6.1 General overview .................................................................................................. 8 

6.2 Citrix prerequisites ................................................................................................ 8 

6.3 IDENTIFIER prerequisites ....................................................................................... 8 

7 Citrix Configuration ................................................................................................... 9 

7.1 Netscaler Authentication configuration ..................................................................... 9 

7.2 Web Interface configuration .................................................................................. 10 

8 IDENTIFIER DMZ .................................................................................................... 10 

8.1 Policy configuration ............................................................................................. 10 

8.2 Client configuration ............................................................................................. 13 

8.3 LDAP Synchronization .......................................................................................... 14 

9 IDENTIFIER LAN .................................................................................................... 14 

9.1 Policy configuration ............................................................................................. 14 

9.2 Client configuration ............................................................................................. 17 

9.3 LDAP Synchronization .......................................................................................... 17 

10 DIGIPASS Authentication for IIS basic ................................................................ 18 

11 Citrix CAG login with DIGIPASS ........................................................................... 19 

11.1 Logon ................................................................................................................ 19 


12 DIGIPASS and User Management ......................................................................... 20 

12.1 DIGIPASS ........................................................................................................... 20 

12.2 Users ................................................................................................................. 20 

13 Additional functionalities ..................................................................................... 20 

13.1 Password change policies ..................................................................................... 20 

13.2 DIGIPASS provisioning ......................................................................................... 20 

14 About VASCO Data Security .................................................................................. 20 


1 Abstract 

SmartAccess allows to control the users system requesting access to available applications 

published with Citrix XenAPP through the use of Access Gateway Enterprise policies and filters. 

This permits the use of endpoint analysis as a condition for application access, along with other 

factors. 

This functionality is achieved by integrating Access Gateway Enterprise 

components with the Web Interface for Citrix XenApp Server, and Citrix 

XenApp Server. This provides advanced authentication and access control. 

To protect the user`s identity and the company`s network, the use of static password, the 

weakest link in security, should be eliminated and replaced by DIGIPASS. DIGIPASS by VASCO 

provides one-time passwords, which allows the user to logon with a unique time-based password 

which can only be used once, within a certain time frame. This one-time password replaces the 

static password stored in Active Directory or any other database. VASCO`s strong authentication 

DIGIPASS allows the use of DIGIPASS to log-on with a single one-time password to the multiple 

Citrix environments used in by the SmartAccess scenario. 

SmartAccess in combination with DIGIPASS offers: 

- Citrix Online Applications and Desktops provisioning 

- no user-controlled password 

- Single Sign On to all sessions 

- SmartAccess capability, i.e. the ability to influence application properties being connection 

properties / context 

2 Reader 

This document is a guideline for configuring a partner product with IDENTIFIER or IDENTIKEY 

Server. For details about the setup and configuration of IDENTIEKEY Server and IDENTIFIER, we 

refer to the installation and administration manuals of these products. IDENTIFIER is VASCO’s 

appliance which by default runs IDENTIKEY Server by default. 

Within this document, VASCO Data Security, provides the reader guidelines for the configuration 

of the partner product with its specific configuration in combination with VASCO Server solutions 

and DIGIPASS. Any change in the concept might require a change in the configuration of the 

VASCO Server products. 

The product nameÌDENTIFIER`will be used throughout the document keeping in mind that it 

also applies to IDENTIKEY Server. 

3 Overview 

The purpose of this document is to demonstrate how to configure IDENTIFIER and configure 

DIGIPASS authentication on Citrix Web Interface in a SmartAccess configuration. 


For the standard configuration of the SmartAccess configuration we refer to Citrix documentation. 

For the standard configuration of DIGIPASS integration with CAG/Netscaler/ Web Interface we 

refer to the DIGIPASS integration guide for Citrix CAG. 

How SmartAccess Works for XenApp and XenDesktop 

To configure SmartAccess, you need to configure the Access Gateway settings on the Web 

Interface and configure session policies on the Access Gateway. When you run the Published 

Applications Wizard, you can select the session policies you created for SmartAccess. 

When a user types the web address of a virtual server in a web browser, the configured preauthentication 

policies are downloaded on to the user’s device. The Access Gateway sends the 

pre-authentication and session policy names to the Web interface as filters. If the policy condition 

is set to ‘true’, the policy is always sent as a filter name. If the policy condition is not met, the 

filter name is not set. This allows you to differentiate the list of published applications and 

desktops and the effective policies on a computer running XenApp or XenDesktop based on the 

results of the endpoint analysis. 

The Web interface contacts the XenApp or XenDesktop server and returns the published resource 

list to the user. Any resources that have filters applied to them do not appear in the user’s list 

unless the condition of the filter is met. 

Endpoint analysis can be configured on the Access Gateway. To configure endpoint analysis, you 

create a session policy that enables the ICA proxy setting and which configures a client security 

string. When the session policy is configured, you can link the policy to the entire user base or to 

users, groups, and virtual servers. 

When the user logs on, the endpoint analysis policy runs a security check of the client device 

using the client security strings configured on the Access Gateway. 

For example, if you want to check for a specific version of anti-virus. The client security string in 

the expression editor appears as follows: 

client.application.av.version == 10.0.2 

After the policy is configured, link it to a user, group, virtual server or the entire user base. When 

users log-on, the endpoint analyses policy check starts and verifies whether or not the client 

device has version 10.0.2 or higher of the installed antivirus installed. 

When the endpoint analysis check is successful, the Web Interface portal appears in case the user 

is running a clientless session; if not , the Access Interface will appear. 

When you are creating a session policy for endpoint analyses, the session profile does not have 

any pre-configured settings, creating a null profile. The Access Gateway uses the Web Interface 

URL configured globally for SmartAccess. 


End Point Scenario’s 

Publiek Netwerk 

Internet 

Figure 1: Overview 

The basic configuration of Citrix in this SmartAccess configuration is based on authentication with 

static passwords using existing media (LDAP, RADIUS, local authentication …). 

VASCO DIGIPASS authentication is by default supported within a Citrix SmartAccess 

configuration, where the one-time password in combination with the static password is verified 

(combination of RADIUS and LDAP authentication on Citrix Access Gateway, with SSO to 

Netscaler and WebInterface) 

4 Problem Description 

To increase the security at a level where it is `no longer allowed` to use any static 

password, does the standard configuration of Citrix and IDENTIFIER with RADIUS and LDAP 

verification, not offer the desired results. In this standard solution does the logon screen present 

3 fields (user name, static password, OTP). 

We are seeking for a solution where ONLY the OTP can be used. Working in a SmartAccess 

configuration, also requires that an OTP is checked in each zone, keeping in mind that the user 

will enter the OTP only once at initial logon to the CAG and that it is not requesting a second or 

third logon when SSO authenticates the user on Web Interface. 

5 Solution 

DMZ2 DMZ1 

Citrix Access Gateway Citrix NetScaler 

After setting up and configuring the IDENTIFIER appliances within 2 of the 3 Citrix zones , the 

user only needs the PIN code of his DIGIPASS and the one-time password generated by the 

DIGIPASS. Additionally we install and configure an IIS agent to support SSO and password 

management. 

Resources 

Citrix XenApp Farm 

Microsoft Active 

Directory 

Services 

Web Interface Web Interface 

NetScaler – Network Load Balancing Virtual Server 


Figure 2: Solution 

TCP 1812 

7 DIGIPASS SSO Authentication to Citrix XenDesktop in High Security Environments 

TCP ??? Get Credentials 

Get USR 

TCP 80/443 

TCP 445 NTLM

6 Technical Concept 

6.1 General overview 

The main goal of Citrix CAG is to perform authentication in a secure way to set up a secure SSL 

VPN connection and retrieve a single sign on to connect to the Web Interface. The use of 

DIGIPASS , and DIGIPASS solely , makes the setup unique and is very different from the 

standard 2FA integrations. 

We describe the setup in separate chapters , describing the setup for each zone. The first zone, 

DMZ, will be authenticated by using RADIUS. The second zone containing the Citrix Netscaler 

forwards the credentials which use the Citrix standard configuration. The third zone, LAN, will use 

a DIGIPASS Pack for Citrix with enhanced functionality interacting with IIS running on the Citrix 

Web Interface. 

6.2 Citrix prerequisites 

Make sure you have an operational setup of the Citrix SmartAccess configuration using a static 

password(LDAP, eDir, AD,..). It is very important this is working correctly before you start 

implementing the VASCO part. 

Current configuration: 

• Windows/ Windows 2008R2 

• Citrix CAG 9.1 

• Citrix Netscaler 9.1 

• Citrix XenApp 6.0 

• Citrix Web Interface 5.3 

All support updates for future versions will be available in the DIGIPASS Authentication for Web 

Interface , downloadable from www.vasco.com 

6.3 IDENTIFIER prerequisites 

We assume, you already installed IDENTIFIER , a test user has been created , a domain has been 

created, LDAP sync has been configured, DIGIPASS is imported and tested locally within the web 

administration. 

Make sure you can synchronize the LDAP users from AD or any other repository. Check the 

manuals for configuring the LDAP synchronization in IDENTIFIER. 

The quick start guide of IDENTIFIER helps you to configure these basic features. 

Throughout this document, we will specify the differences between the IDENTIFIER in the DMZ 

zone and the IDENTIFIER in the LAN environment. 


7 Citrix Configuration 

Configure CAG, Netscaler and Web Interface according to the standard procedure of Citrix. 

7.1 Netscaler Authentication configuration 

On the Netscaler in the DMZ you configure the authentication to use RADIUS. LDAP will no longer 

be used here. The DIGIPASS password will be verified locally against the IDENTIFIER in the DMZ. 

Configure the authentication server on the Netscaler with: 

• the IP address of the IDENTIFIER 

• the shared secret you configured for the client in IDENTIFIER 

Figure 3: RADIUS config Netscaler 

Configure the AG server on port 1080/443. On the first-hop appliance, you also need an AG 

server, an LDAP group extractor and a session policy pointing to the WI. You also need at least 

one STA bound to the CAG. 

To support you in this matter, we refer to the SmartAccess Deployment Guide 

http://www.jaytomlin.com/citrix/AG/AG- 

E%208.0%20SmartAccess%20Deployment%20Guide%20Dec%202007.pdf, 


7.2 Web Interface configuration 

Within this SmartAccess configuration we configure the Citrix Web Interface being published by 

the CAG. Web Interface has to be of the Àuthentication at Access Gateway` type in Gateway 

direct access mode. 

8 IDENTIFIER DMZ 

Go to the IDENTIFIER web administration page, and authenticate with the administrative account 

created during setup. 

8.1 Policy configuration 

To add a new policy, select PoliciesCreate. 

Figure 4: Policy configuration (1) 

There are some policies available by default. You can also create new policies to suit your needs. 

Those can be independent policies or policies from which you inherit the settings by default or 

from other policies. 

We suggest to create a new policy, without inheritance and give it the name `DMZ` 


Fill in a policy ID and description. 


In the policy options configure it to use the right back-end server. This could be the local 

database, but also active directory or another RADIUS server. 

This is probably the same as in your default client authentication options before you changed 

them. Or you use the local database, Windows or you go on to another RADIUS server. 

In our example we select our newly made DMZ Policy and change it like this: 

Local auth.: DIGIPASS/Password 

Back-End Auth.: None (None) 

Back-End Protocol: None (None) 

Dynamic User Registration: No (No) 

Password Autolearn: No (No) 

Stored Password Proxy: No (No) 

Windows Group Check: No Check (No Check) 

After configuring this policy, the authentication will happen locally in the IDENTIFIER User 

credentials are passed on to the IDENTIFIER which will check these credentials against its local 

user database and will respond to the client with an Access-Accept or Access-Reject message. 


In the Policy tab, click the Edit button, and change the Local Authentication to 

DIGIPASS/Password. 


The user details can keep their default settings. 



8.2 Client configuration 

Now create a new component by right-clicking the Components and choose New Component. 

Figure 8: Client configuration (1) 

As component type you choose RADIUS Client. The location is the IP address of the client 

(Citrix Access Gateway). In the policy field you should find your newly created policy. Fill in the 

shared secret you entered in the client for the RADIUS options. In our example this was 

“VASCO”. Click Create. 

Figure 9: Client configuration (2) 

Now the client and the IDENTIFIER are set up. We will now see if the configuration is working. 


8.3 LDAP Synchronization 

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user 

repository. The Netscaler can re-route that information towards the LDAP server. 

TIP: check the Administration guide of the IDENTIFIER. 

TIP: Logon to the configuration page of the IDENTIFIER to configure LDAP sync. 

9 IDENTIFIER LAN 

Go to the IDENTIFIER web administration page, and authenticate with the administrative account. 

9.1 Policy configuration 

To add a new policy, select PoliciesCreate. 


There are some policies available by default. You can also create new policies which suit your 

needs. Those can be independent policies or policies which inherit their settings by default or 

from other policies. 

To make things easier, create a new policy, without inheritance and use a practical name. In this 

configuration we called the policy `LAN` 


Fill in a policy ID and description. Choose the option which is most suitable for your situation. If 

you want the policy to inherit setting from another policy, choose the right policy in the Inherits 

From list. Otherwise leave this field to None. In this example we chose not to inherit. 


After configuring this policy, the authentication will happen locally in the IDENTIFIER and the 

user`s LDAP credentials will be verified against AD. User credentials are passed on to the 

IDENTIFIER, it will check these credentials against its local user database it also checks the AD 

password and will respond to the client with an Access-Accept or Access-Reject message. The 

client in the LAN will be the IIS on which we installed an agent. This agent is a type of 

middleware between IIS and IDENTIFIER. 


In the Policy tab, click the Edit button, and change the settings to 

Local auth.: DIGIPASS/Password 

Back-End Auth.: If Needed 

Back-End Protocol: Mircrosoft AD(LDAP) 

Figure12: Policy configuration (3) 

In the User tab, click the Edit button, and change the settings to 

Dynamic User Registration: No 

Password Autolearn: Yes 

Stored Password Proxy: Yes 

Default Domain: enter the name of your domain 

Windows Group Check: No Check 

Figure13: Policy configuration (4) 


9.2 Client configuration 

Create a new component by right-clicking the Components and choose New Component. During 

setup of the DIGIPASS Citrix Web Interface , an administration program, as client type is 

required to allow, the creation of an IIS Module client. 

Select for 

• Client Type Administration Program 

• Location IP address of the IIS server running Web Interface 

• Policy ID IDENTIKEY Administration Logon 

• Protocol ID SEAL 

Figure14: Client Configuration 

During the setup of the DIGIPASS for Citrix Web Interface, allow the creation of the IIS Module 

component. 

9.3 LDAP Synchronization 

Configure the IDENTIFIER LDAP synchronization to retrieve user information from the user 

repository. In this zone, we sync directly with AD whereas in the DMZ the Netscaler forwarded 

the requests. 

TIP: check the Administration guide of the IDENTIFIER. 

TIP: Logon to the configuration page of the IDENTIFIER to configure LDAP sync. 


10 DIGIPASS Authentication for IIS basic 

Check the DIGIPASS Authentication for IIS basic installation guide for installation instructions. 

This DIGIPASS installer has to be installed on the server running Citrix Web Interface. 

• Once the DIGIPASS Authentication for IIS Basic is installed, open via Start >All 

Programs>VASCO>DIGIPASS Authentication for IIS basic>DIGIPASS Authentication for IIS 

basic configuration 

• Select Tracing > select Full Tracing. The tracing might help you checking the log files. 

Figure15: DIGIPASS Authentication for IIS Basic Configuration 


• Select Connections > the connections should have been configured already during the setup. 

The connection refers to the IP address of the authentication server being the IDENTIFIER. If 

set correctly, no changes required. 

• Select Authentication > Select HTTP Header Filtering 

• Check enabled 

• Base URL: Enter the path to the Citrix logon page being login.aspx 

• Select Header Fields > enter within the User Name field the value ùser`, enter within the 

Password field the value `password` 

• Select Apply and accept to restart the IIS service 

The DIGIPASS IIS basic configuration is completed. 

11 Citrix CAG login with DIGIPASS 

11.1 Logon 

For user and DIGIPASS assignment, check section 12 in this document. 

To start the test, browse to the public IP address or hostname of the CAG. 

In our example this is https://test.vasco.com Enter your Username and PIN and DIGIPASS 

Password (one-time password) and click the Logon button. 

Figure 2: Response Only 

If all goes well, you will be authenticated and be directed to the Citrix Web Interface Portal 

publishing your resources. 


12 DIGIPASS and User Management 

12.1 DIGIPASS 

The DIGIPASS is delivered with a database file, DPX. This file protected by a transport key, 

should be loaded on to the IDENTIFIER in the DMZ and once more on to the IDENTIFIER 

in the LAN. Be sure that the time settings on both IDENTIFIER appliances is configured correctly. 

It is possible to configure the ntp server address. 

The DIGIPASS devices, represented by a serial number in the IDENTIFIER, can be assigned 

manually or automatically . The automated procedures allow user to self-assign a DIGIPASS to 

their account. It is also possible to automatically assign a DIGIPASS to a user without the need 

for registration. This auto-assignment is interesting for DIGIPASS Mobile. 

To provision the DIGIPASS Mobile, see section 13. 

12.2 Users 

Within this SmartAccess configuration, users will be synchronized automatically by means of 

LDAP sync. 

13 Additional functionalities 

13.1 Password change policies 

The VASCO server products (IDENTIFIER and IDENTIKEY server) provide the tools to update the 

local database with the password changes. These password updates can be treated at the 

moment the password is changed or at a later stage. 

The Password Sync Tool, providing this functionality is available on www.vasco.com. 

13.2 DIGIPASS provisioning 

VASCO provides a wide range of hardware and software DIGIPASS devices. The provisioning 

functionalities within VASCO`s server products, like IDENTIKEY and IDENTIFIER, offer the lowest 

TCO and a user friendly provisioning of software and hardware DIGIPASS. Check with your 

VASCO contact to discuss the possibilities. 

14 About VASCO Data Security 

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in 

Internet Security applications and transactions. VASCO has positioned itself as global software company for 

Internet Security serving customers in more than 100 countries, including several international financial 

institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and egovernment.

DIGIPASS SSO Authentication for CITRIX SmartAccess end ... - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?