CTX215200

Configuring XenMobile for Certificate and Security Token Authentication

Applicable Products

  • XenMobile

Objective

In highly secure environments, where using LDAP credentials outside the organization on public or untrusted networks is considered a prime security threat, two-factor authentication using a client certificate and a security token is an option.

You can configure NetScaler so that Secure Hub authenticates with a certificate plus a security token that serves as a one-time password. This configuration provides a strong security option that doesn't leave an Active Directory footprint on devices. End users can access all of their MDX and HDX apps from Secure Hub, without ever entering their LDAP password on their mobile devices.

This configuration depends on the RADIUS server returning the user’s LDAP password to NetScaler Gateway. Once NetScaler receives the returned password, it uses the password to connect to any back-end service on demand. If the user session times out, the user must re-authenticate using their token passcode.

This article guides you in configuring two-factor certificate and security token authentication.


Instructions

Step 1: Verify your infrastructure

  1. This solution was tested on the latest versions of Citrix Mobility Suite (XenMobile, NetScaler, and ShareFile). Make sure that you have the minimum component versions supported:

     Component Name         Minimum Version
     XenMobile Server       10
     NetScaler              10
     Certificate Authority  Windows 2008 R2
     Imprivata OneSign      4.0 SP3
     StoreFront             2

  2. This solution requires a RADIUS server (Imprivata, RSA, Cisco, or Microsoft). You must configure the RADIUS server to return the user's single sign-on password in a vendor-specific attribute-value pair. For more information, see Configuring Password Return with RADIUS in the Citrix product documentation.
  3. You can use either SSL Bridge (if XenMobile is in the DMZ) or SSL Offload (if required to meet security standards when the XenMobile server is in the internal network).

Step 2: Configure prerequisites

  1. Configure XenMobile for certificate authentication, as described in Configuring Client Certificate Authentication in the XenMobile documentation.
  2. You can optionally provide access to Windows-based apps and virtual desktops from StoreFront through connections with Citrix Receiver. Configure StoreFront and NetScaler Gateway for certificate authentication. For more information, see User Authentication in the StoreFront documentation.

Step 3: Configure Imprivata RADIUS as a RADIUS client to return a password

Note: The following configuration applies if you use Imprivata OneSign. For other RADIUS servers, check with the respective vendor for configuration.
Imprivata includes a built-in Remote Authentication Dial-In User Service (RADIUS) server to provide centralized authentication for dial-up and VPN network access. The internal RADIUS server lets OneSign act as a single administration point for user remote authentication.
OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO Digipass tokens, SecurID or Secure Computing tokens, or domain passwords.

  1. In the Imprivata Admin, verify the User Policy settings to make sure that Remote Access Authentication has Vasco Digipass or ID Token selected. Password is optional; leaving it unselected enforces the use of token authentication for remote access.
    Note: After you enable the policy, you can test it by logging in remotely with a password. You should get a login failure because the policy requires token authentication.

  2. Go to Properties > RADIUS.
  3. Add or edit the RADIUS Client settings.
  4. Verify the Hostname / IP Address of the external RADIUS client (for example, the NetScaler).
  5. Verify the Encryption Key (that is, the shared secret key).
  6. Add a RADIUS Attribute (not a Group Attribute):
    a. Attribute Number = 26
    b. Vendor Code = 398
    c. Vendor-Specific Attribute Number = 5
    d. Attribute Value = %password%
  7. Configure RADIUS for NetScaler. On your RADIUS servers, add the NetScaler appliances as RADIUS clients:
  • When NetScaler uses a local (same appliance) load balancing virtual server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP).
  • When NetScaler uses a direct connection to a RADIUS server without going through a load balancing virtual server, or uses a remote (different appliance) load balancing virtual server, the traffic is sourced from the NetScaler NSIP (NetScaler IP).

This example uses a load balancing virtual IP to load balance the RADIUS server, so the NetScaler SNIP is the address to add as the RADIUS client.


Step 4: Configure NetScaler to communicate with the RADIUS Server

  1. Log on to the NetScaler appliance and go to NetScaler > NetScaler Gateway > Policies > Authentication > RADIUS.

  2. Create the RADIUS server.
    Click More and fill in the following information from your RADIUS configuration:

    1. Password Vendor Identifier. For Imprivata RADIUS, use 398.
    2. Password Attribute Type. For Imprivata RADIUS, use 5.

  3. Create a RADIUS policy and bind the RADIUS server just created to it.
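As an added illustration (not part of the original article) of what Steps 3 and 4 configure, the Python below encodes the Imprivata vendor-specific attribute (vendor 398, sub-type 5, value the password) into a RADIUS Access-Accept, verifies the Response Authenticator the way a NAS such as NetScaler would, and extracts the returned password. The packet, shared secret and password are constructed sample values.

```python
import hashlib
import struct
# RFC 2865 values; vendor 398 / sub-type 5 are the Imprivata password-return
# settings the article configures on the RADIUS server and on NetScaler.
ACCESS_ACCEPT, ATTR_VENDOR_SPECIFIC = 2, 26
IMPRIVATA_VENDOR_ID, IMPRIVATA_PASSWORD_VSA = 398, 5

def build_vsa(vendor_id, vsa_type, value):
    # Vendor-Specific (26) wraps: vendor id (4 bytes) + sub-type + sub-length + value.
    sub = struct.pack("!BB", vsa_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(ident, request_auth, secret, attributes):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    # it proves integrity only, so the VSA value is sent in clear (unlike User-Password).
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response_authenticator(packet, request_auth, secret):
    # What the NAS (NetScaler) checks before trusting the returned attributes.
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return resp_auth == hashlib.md5(header + request_auth + attrs + secret).digest()

def iter_attributes(attrs):
    # Walk the TLV list; stop rather than read past a malformed length.
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            break
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen

def extract_vsa_password(packet, vendor_id=IMPRIVATA_VENDOR_ID,
                         vsa_type=IMPRIVATA_PASSWORD_VSA):
    # Return the password carried in the matching VSA of an Access-Accept, else None.
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in iter_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for sub_type, sub_value in iter_attributes(value[4:]):
            if sub_type == vsa_type:
                return sub_value.decode("utf-8", "replace")
    return None
```

Because the authenticator covers integrity only, the LDAP password returned in the VSA is readable by anyone who can capture the UDP exchange, so the NetScaler-to-RADIUS path should sit on a protected network segment or tunnel.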

Step 5: Configure a CERT policy

  1. Go to NetScaler > NetScaler Gateway > Policies > Authentication > CERT.
  2. Based on how your RADIUS server is configured to accept the username, select the User Name Field. In this example, the RADIUS server does not accept UPN, so we selected Subject=CN. With this configuration, NetScaler sends only the user's sAMAccountName to the RADIUS server, along with the Passcode.
  3. Set Two Factor to ON, to use both certificate and security token authentication.

Step 6: Create a Rewrite policy

To enable Secure Hub to use certificate and security token authentication, you must add a rewrite action and a rewrite policy in NetScaler to insert a custom response header of the form X-Citrix-AM-GatewayAuthType: CertAndRSA. That header indicates the NetScaler Gateway logon type.
Normally, Secure Hub uses the NetScaler Gateway logon type configured in the XenMobile console. However, this information isn't available to Secure Hub until Secure Hub completes logon for the first time, so the custom header is required to allow Secure Hub to do this.
  1. In NetScaler, navigate to Configuration > AppExpert > Rewrite > Actions.

  2. Click Add.
    The Create Rewrite Action screen appears.

  3. Fill in each field so that the action inserts the X-Citrix-AM-GatewayAuthType: CertAndRSA response header described above, and then click Create.

  4. The following result appears on the main Rewrite Actions screen.

  5. You then need to bind the rewrite action to the virtual server as a rewrite policy. Go to Configuration > NetScaler Gateway > Virtual Servers and then select your virtual server.

  6. Click Edit.
    On the Virtual Servers configuration screen, scroll down to Policies and then click + to add a new policy.

  7. In the Choose Policy field, enter Rewrite.

  8. In the Choose Type field, enter Response.

  9. Click Continue.
    The Policy Binding section expands.

  10. Click Select Policy.
    A screen with available policies appears.

  11. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in.

  12. Click Bind.
    If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

  13. To view the policy details, click Rewrite Policy.

Step 7: Configure NetScaler Gateway

Configure two NetScaler Gateways with the same IP but different ports. In this example:
  • _XM_XenMobileGateway is the primary gateway, created to access MDX apps.
  • _XM_StoreFrontGateway is the secondary gateway, created to access HDX (XenApp and XenDesktop) apps.
  1. Go to NetScaler Gateway and edit the XenMobile Gateway (_XM_XenMobileGateway) virtual server.

  2. Bind the RADIUS Authentication Policy to the vServer. The vServer should have the RADIUS and CERT policies added as Primary Authentication.

  3. Select Client Authentication and, for Client Certificate, choose Mandatory.

  4. Bind the Rewrite Policy created earlier to the vServer:
    1. Click + to add a new policy.

    2. From Choose Policy, select Rewrite.

    3. From Choose Type, select Response. Click Continue.

    4. Select the Rewrite Policy. The Policy Binding section expands.

    5. Click Select Policy.

    6. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in. Click Bind.

    7. If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

    8. Save the configuration.

Step 8: Configure a second NetScaler Gateway virtual server

The second virtual server should have only LDAP as an authentication method.
  1. Configure the SSL Parameters for the virtual server.

  2. Add all STA servers, Session Policies, and Clientless Access Policies that are part of the _XM_XenMobileGateway vServer.

Step 9: Configure Storefront with NetScaler Gateway settings

  1. In General Settings, add the NetScaler Gateway URL. This is the public FQDN of your NetScaler Gateway, with the custom port used to configure _XM_StoreFrontGateway.
    You will use the same FQDN as the callback URL under Authentication Settings.

  2. Set the Logon type to Domain.

Step 10: Configure XenMobile Server Properties

  1. Log on to the XenMobile Server console and go to Settings > Enrollment. Select User name + PIN as the default Enrollment Mode.

  2. Go to Settings > NetScaler Gateway. For Logon Type, choose Certificate and security token and then click Save.

  3. In Settings > NetScaler Gateway, make sure that Authentication is ON, Deliver user certificate for authentication is ON, and the correct Credential provider is shown.

Step 11: Configure enrollment

Before users can enroll, you must create a one-time PIN for the users. You can create a one-time PIN per user or groups of users using AD groups.

  1. Log on to the XenMobile Server console and go to Manage > Enrollment.

  2. Click Add and then click Add Invitation.

  3. Complete the Enrollment Invitation settings.

  4. Enter the Username and then click Save.
    The one-time PIN that is created is valid only for enrollment; once used, it cannot be used again.


Additional Resources

For more information about certificate-based authentication, see Certificates in the XenMobile documentation.