DIGIPASS Authentication for Citrix NetScaler (with AGEE) - Vasco

INTEGRATION GUIDE 

DIGIPASS Authentication for 

Citrix NetScaler (with AGEE)

Disclaimer 

Disclaimer of Warranties and Limitation of Liabilities 

1 DIGIPASS Authentication for NetScaler (with CAG) 

DIGIPASS Authentication for NetScaler (with CAG) 

All information contained in this document is provided 'as is'; VASCO Data Security assumes no 

responsibility for its accuracy and/or completeness. 

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any 

use of the information contained in this document. 

Copyright 

Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All 

rights reserved. VASCO ® , Vacman ® , IDENTIKEY ® , aXsGUARD, DIGIPASS ® and ® logo 

are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data 

Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. 

and/or VASCO Data Security International GmbH own or are licensed under all title, rights and 

interest in VASCO Products, updates and upgrades thereof, including copyrights, patent 

rights, trade secret rights, mask work rights, database rights and all other intellectual and 

industrial property rights in the U.S. and other countries. Microsoft and Windows are 

trademarks or registered trademarks of Microsoft Corporation. Other names may be 

trademarks of their respective owners.

Table of Contents 



Reference guide ............................................................................................................. 4 

1 Overview................................................................................................................... 5 

2 Technical Concepts ................................................................................................... 6 

2.1 Citrix ................................................................................................................... 6 

2.1.1 NetScaler ....................................................................................................... 6 

2.1.2 Access Gateway Enterprise Edition .................................................................... 6 

2.1.3 Web Interface ................................................................................................. 6 

2.2 VASCO ................................................................................................................. 6 

2.2.1 IDENTIKEY Authentication server ...................................................................... 6 

3 Citrix setup ............................................................................................................... 7 

3.1 Architecture .......................................................................................................... 7 

3.2 Prerequisites ......................................................................................................... 7 

3.3 Citrix ................................................................................................................... 7 

3.3.1 Access Gateway .............................................................................................. 7 

3.3.1.1 Policies .................................................................................................... 7 

3.3.1.2 Virtual Servers ........................................................................................ 11 

3.3.1.3 Groups .................................................................................................. 12 

3.4 Test the setup .................................................................................................... 14 

4 Citrix Receiver on mobile ........................................................................................ 15 

4.1 Architecture ........................................................................................................ 15 

4.2 Prerequisites ....................................................................................................... 15 

4.3 Citrix ................................................................................................................. 15 

4.3.1 Access Gateway ............................................................................................ 15 

4.3.1.1 Policies .................................................................................................. 15 


4.4 Test ................................................................................................................... 19



5 Solution .................................................................................................................. 22 

5.1 Architecture ........................................................................................................ 22 

5.2 Citrix ................................................................................................................. 22 

5.2.1 Access Gateway ............................................................................................ 22 

5.2.1.1 Policies .................................................................................................. 22 


5.3 IDENTIKEY Authentication Server .......................................................................... 26 

5.3.1 Policies ........................................................................................................ 27 

5.3.2 Client .......................................................................................................... 28 

5.3.3 User ............................................................................................................ 29 

5.3.4 DIGIPASS .................................................................................................... 29 

5.4 Test the Solution ................................................................................................. 31 

5.4.1 With the browser .......................................................................................... 31 

5.4.2 With Citrix Receiver ....................................................................................... 31 

6 FAQ ......................................................................................................................... 34 

7 Appendix ................................................................................................................. 34

Reference guide 



ID Title Author Publisher Date ISBN

1 Overview 



This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway 

Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY AUTHENTICATION Server. 

That way an extra security layer can be added to the SSL VPN solution the CITRIX AGEE provides. 

Netscaler 

Authentication 

Servers 

XenApp 

XenDesktop

2 Technical Concepts 

2.1 Citrix 

2.1.1 NetScaler 



Citrix NetScaler makes apps and cloud-based services run five times better by offloading 

application and database servers, accelerating application and service performance, and 

integrating security. Deployed in front of web and database servers, NetScaler combines highspeed 

load balancing and content switching, data compression, content caching, SSL acceleration, 

network optimization, application visibility and application security on a single, comprehensive 

platform. 

2.1.2 Access Gateway Enterprise Edition 

Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that 

provides administrators granular application-level control while empowering users with remote 

access from anywhere. It gives IT administrators a single point to manage access control and 

limit actions within sessions based on both user identity and the endpoint device, providing better 

application security, data protection, and compliance management. 

2.1.3 Web Interface 

The Citrix Web Interface provides users with access to XenApp applications and content and 

XenDesktop virtual desktops. Users access their resources through a standard Web browser or 

through the Citrix online plug-in. 

2.2 VASCO 

2.2.1 IDENTIKEY Authentication server 

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that 

supports the deployment, use and administration of DIGIPASS strong user authentication. It 

offers complete functionality and management features without the need for significant budgetary 

or personnel investments. 

IDENTIKEY Authentication Server Server is supported on 32bit systems as well as on 64bit 

systems.

3 Citrix setup 



Before adding 2 factor authentication it is important to validate a standard configuration without 

One Time Password (OTP). 

3.1 Architecture 

Virtual server 

IP 10.4.0.204 

LDAP 

IP:10.4.0.10 


Servers 

NetScaler with Access Gateway 

Enterprise Edition 

IP: 10.4.0.206 

Domain: labs.vasco.com (LABS) 

Citrix Web 

Interface 

IP:10.4.0.201 

XenApp 

XenDesktop 

IP:10.4.0.202 

When a user connects trough the CITRIX AGEE, it will be asked to authenticate. The 

authentication will be performed, using Active Directory via LDAP. If the authentication is 

successful, the user is logged in on the Citrix Web Interface where he can access the XenApp en 

XenDesktop nodes. 

3.2 Prerequisites 

To the Citrix installation there are many components that can and need to be configured. For this 

white paper we are going to concentrate on the NetScaler and CITRIX AGEE. 

In order for this set-up to work, a Citrix Web Interface needs to be created: 

http://10.4.0.202/Citrix/XenAppCAG 


Log in to the NetScaler by browsing to 10.4.0.206 

3.3.1 Access Gateway 

3.3.1.1 Policies 

Policies are used to define components that will be used to create a virtual server. 

3.3.1.1.1 Authentication Server 

An authentication policy will be created to enable LDAP/Active Directory authentication.

Open the Authentication tree item 

Select the Servers Tab 

Click Add… 



• Name: authsrv_ad 

• Authentication Type: LDAP 

• IP Address: 10.4.0.10 

• Port: 389 

• Time-out (seconds): 3 

• Base DN: DC=labs,DC=vasco,DC=com 

• Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com 

• Administrator Password: password of the administrator user 

• Server Logon Name Attribute: samAccountName 

• Group Attribute: memberOf 

• Sub Attribute Name: CN 

• Secure Type: PLAINTEXT 

• Check Authentication 

• Check User Required 

Click Create 

3.3.1.1.2 Authentication Policy 

Select the Policies tab 

Click Add…

• Name: auth_ad 

• Authentication Type: LDAP 

• Server: authsrv_ad 

• Named Expression: General True Value 

• Click Add Expression 

Click Create 

3.3.1.1.3 Session Profiles 

Open the Session tree item 

Select the Profiles Tab 

Click Add… 

• Name: profile_publishedapps 

Go to Client Experience 


DIGIPASS Authentication for NetScaler (with CAG)

• Check Single Sign-on to Web Applications 

Go to Published Applications tab 



• ICA Proxy: ON 

• Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/ 

• Web Interface Portal Mode: NORMAL 

• Single Sign-on Domain: LABS 

Click Create 

3.3.1.1.4 Session Policy 

Select the Policies Tab 

Click Add… 

• Name: sess_icaproxy_nonmobile 

• Request Profile: profile_publishedapps 

• Named Expression: General True Value

Click Add Expression 

Click Create 

ns_true is general expression, which catches every call 

3.3.1.2 Virtual Servers 

Select the Virtual Servers tree item 

Click Add… 

• Name: citrix2-labs-vasco-com-AGEEauth 

• IP Address: 10.4.0.204 

• Port: 443 

• Max Users: 0 

• Select SmartAccess Mode 

• Check Enable Virtual Server 



The chosen IP Address needs to be a free IP Address in the subnet. 

Select Certificates tab 

• Select the Server certificate 

Click Add> 

If the server certificate is not in the Certificates list click install… and add the needed 

server certificate. 

Select the Authentication tab

• Check Enable Authentication 

• Click Insert Policy 

• Select auth_ad 


• Select Session 

Click Insert Policy 

• Select sess_icaproxy_nonmobile 

Click OK 

3.3.1.3 Groups 



Groups are used to apply authorization and session policies, create bookmarks and specify 

applications. 

User groups are created locally on the Citrix NetScaler. When an external authentication method 

is used, like Active Directory, the User group from the external authentication will be mapped to 

the local group on the Citrix NetScaler.



For example: On the Citrix NetScaler a group “Citrix” is created. Active Directory is used as an 

external authentication method. Then a group needs to be created on Active Directory with the 

name “Citrix”. The user that wants to be authenticated needs to be a member of the “Citrix” 

group on Active Directory. 

Click Add… 

Go to tab Authorization 

• Group Name: Citrix 

Click Insert Policy 

• Select New Policy…

• Name: VascoAllow 

• Action: ALLOW 

• Named Expressions: General True value 

Click Add Expression 

Click Create 

Click Create 

3.4 Test the setup 

Open a browser and browse to https://10.4.0.204 

• User name: Demo 

• Static Password: Test12345 

Click Log On 



This user needs to be created in the active directory and must be a member of the group 

Citrix



4 Citrix Receiver on mobile 

In order to use Citrix Receiver on a mobile device, the first setup (Citrix Setup) will be altered. 


4.2 Prerequisites 



IP: 10.4.0.206 XenApp 


LDAP 

IP:10.4.0.10 


Servers 

Citrix Web 

Interface 

IP:10.4.0.201 

Mobile devices connect to the Citrix environment by using a Service Site. The Service Site 

provides the information about the publication for mobile devices. 

Create a Service Site on the Web Interface server: 

http://10.4.0.202/Citrix/PNAgent 




4.3.1.1.1 Session Profiles 

Open the Session tree item 

Select the Profiles Tab 

Click Add… 

• Name: profile_mobiledevices 

XenDesktop 

IP:10.4.0.202

Go to Client Experience tab 

• Check Single Sign-on to Web Applications 

Go to Published Applications tab 

• ICA Proxy: ON 





• Web Interface Address: http://10.4.0.202/Citrix/PNAgent/config.xml 

• Web Interface Portal Mode: NORMAL 

• Single Sign-on Domain: LABS 

Click Create 

4.3.1.1.2 Session Policies 

Select the Policies Tab 

Click Add… 

• Name: sess_icaproxy_mobiledev 

• Request Profile: profile_mobiledevices 

Click Add…



A number of different expressions must be added for this policy. The following table provides a 

summary of the values 

For Citrix 

Receiver 

• Expression 

Type: General 

• Flow Type: 

REQ 

• Protocol: HTTP 

• Qualifier: 

HEADER 

• Operator: 

CONTAINS 

• Value: 

CitrixReceiver 

• Header Name: 

User-Agent 

• Length: 

• Offset: 0 

Click OK 

Click Create 

For Citrix Receiver on 

iPad 


Type: General 


REQ 



HEADER 

• Operator: 

CONTAINS 

• Value: 

'CitrixReceive 

r-iPad' 


User-Agent 

• Length: 

• Offset: 0 

Click OK 

For CFNetwork For Darwin 


Type: General 


REQ 



HEADER 

• Operator: 

CONTAINS 

• Value: 

CFNetwork 


User-Agent 

• Length: 

• Offset: 0 

Click OK 


Type: General 


REQ 



HEADER 

• Operator: 

CONTAINS 

• Value: Darwin 


User-Agent 

• Length: 

• Offset: 0 

Click OK 

CFNetwork and Darwin are two Apple components. 

CFNetwork is a process running on computers when installing Apple software. 

Darwin is an open source operating system launched by Apple and is the base of Mac OS 

x 



Click citrix2-labs-vasco-com-AGEEauth and Click Open… 

Select the Policies tab

• Select Session 


• Select sess_icaproxy_mobiledev 

Click OK 

4.4 Test 



To perform the test, Citrix Receiver needs to be installed on your device. 

For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en 

For Android: 

https://market.android.com/details?id=com.citrix.Receiver&feature=search_result#?t=W251bGw 

sMSwxLDEsImNvbS5jaXRyaXguUmVjZWl2ZXIiXQ 

Other platforms: http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163 

The below screenshots demonstrate the Citrix receiver on an Apple Ipad. 

Note: for this test the IP 10.4.0.204 is linked to an external host named citrix2.labs.vasco.com 

Start the receiver application

Select Add Account 

• Address: citrix2.labs.vasco.com 

• Click Next 

• Description: Vasco Virtual Apps 

• Username: Demo 

• Password: Test12345 

• Domain: Labs 

• Security Token: Disabled 

• Click Save 





5 Solution 




Radius 



IP: 10.4.0.206 XenApp 


LDAP 

IP: 10.4.0.10 

Citirx Web 

Interface 

IP: 10.4.0.201 

IP: 10.4.0.13 


Servers 

XenDesktop 

IP:10.4.0.202 

When implemented, the user will perform an authentication against 2 authentication servers. One 

being Active Directory, using LDAP, and one against IDENTIKEY Authentication Server, using 

RADIUS. This results in a login with 2 password fields. 




5.2.1.1.1 Authentication Server 

RADIUS authentication server needs to be added. This RADIUS server will point to the IDENTIKEY 

Authentication server. 

Open the Authentication tree item 

Select the Servers Tab 

Click Add…

• Name: authsrv_vasco 

• Authentication Type: RADIUS 

• IP Address: 10.4.0.13 

• Port: 1812 

• Time-out (seconds): 3 

• Secret Key: Test1234 

• Confirm Secret Key: Test1234 

• Password Encoding: pap 

• Accounting: OFF 

Click Create 

5.2.1.1.2 Authentication Policy 



Because the HTTP login behavior is different than the login over Citrix Receiver we need to make 

multiple Authentication Policies. 

1 st 2 nd 

HTTP Active Directory IDENTIKEY Authentication 

Server 

Citrix Receiver IDENTIKEY Authentication 

Server 

Active Directory 


Click Add…



Choose the configuration depending on your preferred access method 

Access Method 

 


policy to be 

created 

Expression to 

add by clicking 

the Add… 

button in the 


policy 

Radius for HTTP Radius for Citrix 

Receiver 

• Name: 

auth_vasco 

• Authentication 

Type: RADIUS 

• Server: 

authsrv_vasco 

• Remove ns_true 

from expression 

list 

• Expression Type: 

General 

• Flow Type: REQ 



HEADER 

• Operator: 

NOTCONTAINS 

• Value: 



User-Agent 

• Length: 

• Offset: 0 

• Name: 

auth_mobile_va 

sco 


Type: RADIUS 

• Server: 

authsrv_vasco 



list 


General 




HEADER 

• Operator: 

CONTAINS 

• Value: 



User-Agent 

• Length: 

• Offset: 0 

• Click OK 

LDAP for Citrix Receiver 

• Name: 

auth_mobile_a 

d 


Type: LDAP 

• Server: 

authsrv_ad 



list 


General 




HEADER 

• Operator: 

CONTAINS 

• Value: 



User-Agent 

• Length: 

• Offset: 0



Now the new Authentication Policies are created, the existing auth_ad policy needs to be updated 

Select auth_ad 

Click Open… 

• Remove ns_true from expression list 

Click Add… 

• Expression Type: General 



• Qualifier: HEADER 

• Operator: NOTCONTAINS 

• Value: CitrixReceiver 

• Header Name: User-Agent 

• Length: 

• Offset: 0 

Click OK 

Click OK 



Click citrix2-labs-vasco-com-CAGuth and Click Open… 

Select the Authentication tab


• Select auth_mobile_vasco 

• Priority: 90 

Click Secondary 


• Select auth_mobile_ad 



• Select auth_vasco 


5.3 IDENTIKEY Authentication Server 



There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate 

with: 

• Local users (Defined in IDENTIKEY Authentication Server) 

• Active Directory (Windows)

In this whitepaper we will use Local users to authenticate. 

5.3.1 Policies 



In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got 

a user and a password, what now? 

• Create a new Policy 

• Policy ID : Test 

• Inherits From: Base Policy 

Inherits means: The new policy will have the same behavior as the policy from which he 

inherits, except when otherwise specified in the new policy. 

Example: 

Base 

Policy 

New 

Policy Behaviour 

1 a New policy will do a 

2 b New policy will do b 

3 c f New policy will do f 

4 d New policy will do d 

5 e g New policy will do g 

The new policy is created, now we are going to edit it. 

• Click edit

• Local Authentication : Digipass/Password 


5.3.2 Client 



In the clients we specify the location from which IDENTIKEY Authentication Server will accept 

requests and which protocol they use. 

We are going to add a new RADIUS client. 

• Client Type : select Radius Client from “select from list” 

• Location : 10.4.0.206 

• Policy ID : Select the Policy that was created in Policies 

• Protocol ID: RADIUS 

• Shared Secret: Test1234 

• Confirm Shared Secret: reenter the shared secret 

• Click Save

5.3.3 User 

We are going to create a user. 

• User ID: Fill in the Demo 

• Enter static password: Test12345 

Password is used when there is no Digipass assigned. 

• Confirm static password: Test12345 

5.3.4 DIGIPASS 



The purpose of using IDENTIKEY Authentication Server, is to be able to log in using One Time 

Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The 

Digipass is a device that generates the OTP’s. 

• Open the user by clicking on its name 

• Select Assigned Digipass 

• Click ASSIGN


• Grace period: 0 Days 



Grace period is the period that a user can log in with his static password. The first time 

the user uses his DIGIPASS the grace period will expire. 

• Click ASSIGN 

• Click Finish

5.4 Test the Solution 

5.4.1 With the browser 



Open the browser and browse to https://10.4.0.204 or https://citrix2.labs.vasco.com 

• User name: Demo 

• Static Password: Test12345 

• Vasco Password: a One Time Password generated by the users Digipass 

Vasco Password is not the standard field label. This is done to display the difference 

between the Active Directory Password and the Vasco One Time Password. This is done 

trough the command line interface of the Citrix Netscaler 

5.4.2 With Citrix Receiver 

This test is done on an Apple iPad. 

Start the Citrix Receiver application

Select Add Acount 

• Adress: citrix2.labs.vasco.com 


• Description: Vasco Virtual Apps 

• Username: Demo 

• Password: Test12345 

• Domain: Labs 

• Security Token: Enabled 

• Select Domain + Security Token 






Token: a One Time Password generated by the users Digipass

6 FAQ 

7 Appendix

DIGIPASS Authentication for Citrix NetScaler (with AGEE) - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?