Citrix XenMobile – Before you get started! Although this might sound boring I’ll assure you you’ll thank me when you.

About two and a half years ago I published the ultimate Citrix XenDesktop 7.x internals cheat sheet, version 1.0 and it turned out to be a big hit. In the meantime.

Q: Does NetScaler VPX support SSL offload?
A: Yes. However, NetScaler VPX does all SSL processing in software, so NetScaler VPX does not offer the same SSL.

How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway – JasonSamuel.com

I’ve deployed a lot of 2 factor authentication products with Citrix NetScaler Gateway in my career but the one I’ve always liked a lot is Microsoft Azure Multi-Factor Authentication (MFA). I used to deploy this product years ago when it was called PhoneFactor. Microsoft purchased PhoneFactor in 2012 and I was worried that would be the end of the service. But Microsoft has really taken the product to the next level. There are several steps involved in deploying it now that PhoneFactor is integrated with Microsoft Azure. I’m going to break it down step-by-step for you and cover the following in this article:

Why You Should Deploy a 2 Factor Or Multi-Factor Authentication Solution
Setting Up Azure Active Directory
Setting Up Azure AD Connect
Setting Up Azure AD Premium
Setting Up Azure Multi-Factor Authentication Server On Premise
Configuring Azure MFA Server For NetScaler Gateway
Configuring NetScaler Gateway To Use MFA
Modifying NetScaler Gateway Logon Page For MFA
Troubleshooting MFA Authentication Issues
Auditing & Reporting MFA Logins
Azure MFA Hacking Attempt Notifications
Consider Deploying the Azure MFA User Portal For Self Service
Final Thoughts
WHY YOU SHOULD DEPLOY A 2 FACTOR OR MULTI-FACTOR AUTHENTICATION SOLUTION

There are many reasons why you should endeavor to deploy a 2 factor or multi-factor authentication system at any size organization. Privacy and security have never been such prevalent subjects of discussion in organizations as they have been in recent times. Pretty much any consumer level service worth mentioning has some form of 2 factor authentication available for users. I would almost call it a necessity these days. Two-factor_authentication.

A NetScaler is a very powerful device and you can set up all sorts of authentication methods on it (LDAP/LDAPS, RADIUS, SAML, OAuth, etc.) and the list keeps growing. But if someone were to guess your user’s ID and domain password they’re in and there’s nothing you can do about it unless you authenticate based on another factor. This is where the “something you have” part of 2 factor authentication comes in. A One Time Passcode/Password (OTP), usually in the form of a PIN number, is provided to the user on something they have in their possession to verify they are who they say they are.

Years ago I used to deploy solutions using little tokens people had to carry around on their keychains like RSA SecurID. Nobody wanted to carry those little tokens around. If they lose it, there’s a cost to IT to have to replace it. It was tough for the Help Desk to manage them. And when the 2 factor system itself gets hacked like it did in 2011 (RSA_SecurID#March_2011). Then came phone apps like Google Authenticator, Symantec VIP, etc. This has become more convenient for users but it still slows down the login process. It requires the user to transcribe a PIN code into the NetScaler Gateway logon page. One that changes every 6.
Mission Impossible or stand there and stare at your phone aimlessly for 1. People want things to be simple. They want to get in quickly. So this became a real hassle for them.

Citrix technologies are first and foremost about the User Experience. Whatever solution you choose needs to be easy on the users. If you don’t make technology easy and convenient to use they will reject the solution. They’ll circumvent it using an easier to use consumer level technology if they can. I covered this last year in an article about User Experience and MDM. The same holds true for anything customer facing you deploy: http://www.

The two solutions that work quickly for the user are phone calls and SMS text messages. This is what many of my clients prefer now for their organizations. They are fast and convenient methods to verify a user’s identity. Examples are Azure MFA/PhoneFactor, SMSPasscode, Duo Security, etc. With a phone call based system you simply answer the call and hit the “#” or other key you specify in the system and the user is in. With a text message you simply respond back to the text message or type in the PIN code presented to you and you’re in. Almost all vendors support multiple paths to authenticate as fallback. Azure MFA for example has options like using a mobile app as well as a self service user portal website where the user can do a One-Time Bypass of MFA or answer security questions to authenticate. Azure MFA even has support for OATH (Initiative For Open Authentication) tokens so it’s compatible with a variety of hard token manufacturers that support this standard.

You can get even more advanced than this. You can look at each login in real-time and compare several factors like the IP address for geo-location, company device vs. Let’s say a hacker in another country compromised the user’s cell phone carrier account and is forwarding calls and texts to their cell phone.
They can get the One Time Password now but because their IP is coming from a different country or untrusted device, you can now react to this and deny access even though they have all the right credentials. Many of the services I have described can do this and you can also leverage some of these protection features on the NetScaler itself but that’s a whole other article.

SETTING UP AZURE ACTIVE DIRECTORY

I’m going to write this article assuming you have zero presence in the Azure cloud right now. If you already have Azure AD up and running, skip to the next section. If you don’t, the first thing you’ll need to do is sign up for an Azure subscription followed by setting up AD Connect which will get you connected to the cloud. Even a trial subscription of Azure is fine: https://azure.

Once that’s done, follow these steps to link your on premise Active Directory to Azure using AD Connect:

1. First log in to your Microsoft Azure account. For this example I’m using an MSDN subscription with a certain amount of monthly credit for Microsoft Azure included. Just sign in at: https://msdn. “Activate Microsoft Azure” to activate your subscription if you haven’t done so already (it will take about 3-4 min to get it set up). Otherwise you can go directly to the “Microsoft Azure Management Portal”:

2. In the Azure Management Portal (https://manage.) click the New button in the bottom left:

3. You’ll be presented with a quick tour and then finally the All Items section where the only thing you’ll see is Default Directory. Go ahead and click on it:

4. First thing to do is create your domain. So go ahead and click “Add domain”. Please make sure this is a domain you already own by the way. Add your domain name and click the check box saying “I plan to configure this domain for single sign-on with my local Active Directory”:

6. here.
On the next screen it wants to take you to the Directory Integration page to verify domain ownership. Hit the check icon in the bottom right:

SETTING UP AZURE AD CONNECT

Note, AD Connect is not necessary if all you have is an on premise AD. I wanted to show you the whole cloud setup but if you only have an on premise Active Directory, then skip to the AD Premium setup in the next section.

You’ll notice you have 1 domain planned for single sign-on. So the next step is to run Azure AD Connect. Click the little blue cloud next to Users to get back to the Quick Start screen. Download Azure AD Connect, it’s a 6. MB file called AzureADConnect.msi:

9. Run Azure AD Connect on a DC or a member server, both are supported. For production environments I always recommend having dedicated servers for everything. It does install a very lightweight SQL Express LocalDB database on the server so I really recommend keeping it off a DC if you can. I know what you’re thinking, “What is this thing going to do to my Active Directory?”. Don’t be afraid. It’s just a simple sync tool and won’t do anything to your AD. Bill Mather wrote a great guide on integrating your on-premise Active Directory user IDs with Azure Active Directory here: https://azure.

Hit Agree, then Continue. I chose Express Settings but you can Customize if you want to. You can point at a SQL Server, use a different service account, create custom sync groups, etc. You’ll want to do a Custom install if doing this in a production environment so you know everything it’s doing. Type in your Azure AD credentials. Note, this account must end with “. Global Admin in Azure. I just created a new user in Azure with the Global Administrator role for this purpose: 1.

“Citrix Receiver – Security Warning” explained and demystified

When you’ve worked with a Citrix XenApp or XenDesktop environment you must be familiar with the Security Warning dialog.
It prevents a remote machine (your hosted application or desktop) from accessing resources on the client device, a security boundary you want to protect when connecting from unmanaged systems. But on managed systems you want to prevent this message: you don’t want your users to be confronted with a message you tell them to accept (otherwise it won’t work and they’re to blame). In this article I’ll explain why this message is displayed and how you can prevent it.

Resource types

A user can be confronted with a security warning dialog for different resources; this depends on the client used:

Resource description | Client version 12 and up | Client version before 12
Client drives | X | X
Microphone and webcams | X | X (only audio)
PDA devices | X | –
USB and other devices | X | –

Client versions

“Back in the old days”, or when you’re using Citrix Presentation Server 4., the Citrix ICA Client is used with a version lower than 12. The security warning dialog can then be configured with the webica.ini file. The Citrix Receiver (version 12 and up) has a new feature with the name ‘Client Selective Trust’ that was introduced to allow a more fine grained configuration that can be set via a group policy.

Before version 12

When you’re using a Citrix ICA client before version 12, the users can choose between three access levels: No Access, Read Access and Full Access. Depending on the version used the following message will be displayed.

Preventing the message

This message can be prevented by placing a webica.ini file in the %SystemRoot% directory (version 1.) or the %AppData%\ICAClient directory (version 1.). The file has the following content:

[Access]
GlobalSecurityAccess=403
[AudioInput]
GlobalSecurityAccess=803

Where the number represents an access level (Access / AudioInput):
-1: No security setting configured
No Access, never ask me again
No Access
804: Full Access, never ask me again
Read Access
806: Never prompt current application
Full Access
807: Never prompt any application

Version 12.0 and up (Citrix Receiver)

From Citrix Online Plugin 12 / Citrix Receiver 3 onwards, the content of the message depends on the resource that is accessed from the remote server.

GUID

For each target environment that is accessed a unique registry key is created with the name HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}. It seems that the {GUID} is generated during runtime and (therefore) cannot be predicted. You can find out which GUID belongs to which connection by reading the value HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}\RegionName\@. This value contains the name of the environment. If you connect via a Web Interface / CloudGateway this key contains the URL (like lab.); when you connect directly to a published application / server via an ICA file the content will be something like ica://1.

Preventing the message

The message can be configured per resource type, where each resource type is a subkey of ICA Client\Client Selective Trust\{GUID}IcaAuthorizationDecision (no \ after the GUID!).

Resource type | Subkey
Client drives | FileSecurityPermission
Microphones and webcams | MicrophoneAndWebcamSecurityPermission
PDA devices | PdaSecurityPermission
USB and other devices | ScannerAndDigitalCameraSecurityPermission

The access level can be set in the default (@) value, where the number represents an access level:

Value | Description
 | No access
1 | Read access
 | Full access
3 | Prompt the user for access

The access level can be set per accessed environment (per GUID) or per region. By configuring the access level in the HKEY_LOCAL_MACHINE (HKLM) hive instead of the HKEY_CURRENT_USER (HKCU) hive the setting is inherited by all users. If you want to configure the access permission per region you need to change the value of IsIsmDeferalEnabled to true and set the access level per resource type. The regions that can be configured in HKLM match the regions that can be found (and configured) in Internet Explorer.

Zone | Subkey
Internet | oidInternetRegion
Local Intranet | oidIntranetRegion
Trusted sites | oidTrustedSitesRegion
Restricted sites | oidRestrictedSitesRegion

Keep in mind that if you configure the settings on a 64-bit (x64) system the key is located at HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust.
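As an added example (not code from the original article or from Citrix), the PowerShell audit script below walks the Client Selective Trust keys described above and reports, per environment and per resource type, which access level is currently configured. On a managed device this lets you confirm the baseline you pushed via HKLM, and on any device it shows which environments a user has told Receiver to stop prompting for. The script assumes the key layout as the article describes it: the environment name in the default value of {GUID}\RegionName, per-resource levels in the default value of the sibling key {GUID}IcaAuthorizationDecision\<Resource> (no backslash after the GUID), region keys named oid*Region that are assumed to follow the same IcaAuthorizationDecision naming, and the Wow6432Node location for HKLM on 64-bit Windows. Level numbers are reported as stored; only 3 (prompt the user) is interpreted, because that is the value the table above gives.

```powershell
# Added audit script (not from the original article): inventory Client Selective Trust
# settings so environments that no longer prompt for client drive, microphone/webcam,
# PDA or USB access can be reviewed against policy.
# Assumptions: key layout as described in the article; oid*Region keys are assumed to use
# the same *IcaAuthorizationDecision naming as {GUID} keys; HKLM on 64-bit Windows is
# read from Wow6432Node as well.

function Get-ClientSelectiveTrust {
    [CmdletBinding()]
    param(
        # HKCU = the current user's per-environment answers; HKLM = settings inherited by all users.
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive = 'HKCU'
    )

    # Resource-type subkeys as listed in the table above.
    $resources = @(
        'FileSecurityPermission',
        'MicrophoneAndWebcamSecurityPermission',
        'PdaSecurityPermission',
        'ScannerAndDigitalCameraSecurityPermission'
    )

    $roots = @("${Hive}:\SOFTWARE\Citrix\ICA Client\Client Selective Trust")
    if ($Hive -eq 'HKLM' -and [Environment]::Is64BitOperatingSystem) {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust'
    }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($envKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $name = $envKey.PSChildName
            # Only environment keys ({GUID}) and IE-zone region keys (oid*Region); the sibling
            # *IcaAuthorizationDecision keys are read below, not enumerated here.
            if ($name -notmatch '^\{[0-9A-Fa-f-]+\}$' -and $name -notmatch '^oid\w+Region$') { continue }

            # Environment name (Web Interface / CloudGateway URL or ica:// target) from RegionName\@.
            $environment = $null
            $regionPath = "$($envKey.PSPath)\RegionName"
            if (Test-Path -LiteralPath $regionPath) {
                $environment = (Get-ItemProperty -LiteralPath $regionPath).'(default)'
            }

            # No backslash: the decision key is a sibling named {GUID}IcaAuthorizationDecision.
            $decisionPath = "$($envKey.PSPath)IcaAuthorizationDecision"
            foreach ($resource in $resources) {
                $resourcePath = "$decisionPath\$resource"
                $level = $null
                if (Test-Path -LiteralPath $resourcePath) {
                    $level = (Get-ItemProperty -LiteralPath $resourcePath).'(default)'
                }
                [pscustomobject]@{
                    Hive        = $Hive
                    Key         = $name
                    Environment = $environment
                    Resource    = $resource
                    AccessLevel = $level   # stored value; 3 = prompt the user (see the table above)
                }
            }
        }
    }
}

# Usage: full inventory for the current user, then the machine-wide entries that are
# configured to a level other than "prompt", which is the list worth reviewing against policy.
Get-ClientSelectiveTrust -Hive HKCU | Format-Table -AutoSize
Get-ClientSelectiveTrust -Hive HKLM |
    Where-Object { $null -ne $_.AccessLevel -and $_.AccessLevel -ne 3 } |
    Format-Table -AutoSize
```

Run it in a normal user session to see what that user has accepted, and in an elevated session to check the HKLM baseline; an environment whose RegionName is an untrusted URL but whose FileSecurityPermission is set to a non-prompting level is exactly the case the security warning exists to catch.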
November 2017