Configuring XenMobile for Certificate and Security Token Authentication

Article ID: CTX215200

Description

In highly secure environments where usage of LDAP credentials outside of an organization in public or insecure networks is considered a prime security threat for the organization, two-factor authentication using a client certificate and a security token is an option.

You can configure NetScaler so that Secure Hub authenticates with a certificate plus a security token that serves as a one-time password. This configuration provides a strong security option that doesn't leave an Active Directory footprint on devices. End users can access all of their MDX and HDX apps from Secure Hub, without ever entering their LDAP password on their mobile devices.

This configuration depends on the RADIUS server returning the user’s LDAP password to NetScaler Gateway. Once NetScaler receives the returned password, it uses the password to connect to any back-end service on demand. If the user session times out, the user must re-authenticate using their token passcode.

This article guides you in configuring two-factor certificate and security token authentication.


Instructions

Step 1: Verify your infrastructure

  1. This solution was tested on the latest versions of Citrix Mobility Suite (XenMobile, NetScaler, and ShareFile). Make sure that you have the minimum component versions supported:

     Component Name          Minimum Version
     XenMobile Server        10
     NetScaler               10
     Certificate Authority   Windows 2008 R2
     Imprivata OneSign       4.0 SP3
     StoreFront              2

  2. This solution requires a RADIUS Server – Imprivata, RSA, Cisco, or Microsoft. You must configure the RADIUS server to return the user single sign-on password in a vendor-specific attribute value pair. For more information, see Configuring Password Return with RADIUS in the Citrix product documentation.
  3. You can use either SSL Bridge (if XenMobile is in the DMZ) or SSL Offload (if required to meet security standards when XenMobile server is in the internal network).

Step 2: Configure prerequisites

  1. Configure XenMobile for certificate authentication, as described in Configuring Client Certificate Authentication in the XenMobile documentation.
  2. You can optionally provide access to Windows-based apps and virtual desktops from StoreFront through connections with Citrix Receiver. Configure StoreFront and NetScaler Gateway for certificate authentication. For more information, see User Authentication in the StoreFront documentation.

Step 3: Configure Imprivata RADIUS as a RADIUS client to return a password

Note: The following configuration is applicable if you use Imprivata OneSign. For other RADIUS servers, check with the respective vendor for configuration.
Imprivata includes a built-in Remote Authentication Dial-In User Service (RADIUS) server to provide centralized authentication for dial-up and VPN network access. The internal RADIUS server lets OneSign act as a single administration point for user remote authentication.
OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO Digipass tokens, SecurID or Secure Computing tokens, or domain passwords.

  1. In the Imprivata Admin, verify the User Policy settings to make sure that Remote Access Authentication has Vasco Digipass or ID Token selected. Password is optional; if you leave it unselected, token authentication is enforced for remote access.
    Note: After you enable the policy, you can test it by logging in remotely with a password. The logon should fail because the policy requires token authentication.

  2. Go to Properties > RADIUS.
  3. Add or edit the RADIUS Client settings.
  4. Verify the Hostname / IP Address of the external RADIUS client (for example, the NetScaler).
  5. Verify the Encryption Key (that is, the Shared Secret key).
  6. Add a RADIUS Attribute (not a Group Attribute):
    a. Attribute Number = 26
    b. Vendor Code = 398
    c. Vendor-Specific Attribute Number = 5
    d. Attribute Value = %password%
  7. Configure RADIUS for NetScaler. On your RADIUS servers, add the NetScaler appliances as RADIUS Clients:
  • When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP).
  • When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP).

This example uses a load balancing virtual IP to load balance the RADIUS Server, so the NetScaler SNIP is the address you add as the RADIUS Client.

Step 4: Configure NetScaler to communicate with the RADIUS Server

  1. Log on to the NetScaler appliance and go to NetScaler > NetScaler Gateway > Policies > Authentication > RADIUS.

  2. Create the RADIUS server. Click More and fill in the following information from your RADIUS configuration:
    a. Password Vendor Identifier. For Imprivata RADIUS, use 398.
    b. Password Attribute Type. For Imprivata RADIUS, use 5.

  3. Create a RADIUS policy and bind the RADIUS server just created to it.
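The three numbers in Step 3 (attribute 26, vendor code 398, vendor-specific attribute 5) and the two NetScaler settings in Step 4 (Password Vendor Identifier 398, Password Attribute Type 5) describe the same thing from both sides: a RADIUS Vendor-Specific attribute in the Access-Accept that carries the user's password. The following Python is an added example, not code from the article, Citrix or Imprivata; it encodes such an attribute in the RFC 2865 layout and models the lookup a gateway has to perform with those two settings. The sample Access-Accept attribute list is constructed inline, and the user name and password in it are made up.

```python
"""Encode and locate the RADIUS Vendor-Specific attribute (type 26) used to
return a password, with the vendor ID and attribute number from the article.
Added example; sample data is constructed, not captured from a device."""
import struct
from typing import Iterator, Optional, Tuple

RADIUS_VSA_TYPE = 26        # Vendor-Specific attribute, RFC 2865 section 5.26
IMPRIVATA_VENDOR_ID = 398   # "Vendor Code" from Step 3 / "Password Vendor Identifier" from Step 4
PASSWORD_VSA_NUMBER = 5     # "Vendor-Specific Attribute Number" / "Password Attribute Type"
RADIUS_USER_NAME = 1        # User-Name attribute


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute in the vendor-type/vendor-length
    sub-attribute layout recommended by RFC 2865."""
    if len(value) > 247:    # 253-byte attribute value - 4 (vendor id) - 2 (sub-attr header)
        raise ValueError("VSA value too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def iter_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from a RADIUS attribute list, refusing
    malformed lengths instead of reading past the buffer."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def is_well_formed(attrs: bytes) -> bool:
    """True if every attribute in the list has a valid length."""
    try:
        for _ in iter_attributes(attrs):
            pass
        return True
    except ValueError:
        return False


def find_vsa(attrs: bytes, vendor_id: int, vendor_type: int) -> Optional[bytes]:
    """Return the value of the first sub-attribute matching vendor_id and
    vendor_type, or None. This is the lookup the gateway's configured
    'Password Vendor Identifier' and 'Password Attribute Type' select."""
    for atype, avalue in iter_attributes(attrs):
        if atype != RADIUS_VSA_TYPE or len(avalue) < 6:
            continue
        if struct.unpack("!I", avalue[:4])[0] != vendor_id:
            continue
        sub, pos = avalue[4:], 0
        while pos + 2 <= len(sub):
            stype, slen = sub[pos], sub[pos + 1]
            if slen < 2 or pos + slen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if stype == vendor_type:
                return sub[pos + 2:pos + slen]
            pos += slen
    return None


def build_sample_accept_attrs(username: str, password: str) -> bytes:
    """Constructed sample: the attribute list of an Access-Accept carrying
    User-Name plus the Imprivata password VSA (not a captured packet)."""
    user = username.encode()
    user_attr = struct.pack("!BB", RADIUS_USER_NAME, 2 + len(user)) + user
    return user_attr + encode_vsa(IMPRIVATA_VENDOR_ID, PASSWORD_VSA_NUMBER, password.encode())


def extract_returned_password(attrs: bytes) -> Optional[str]:
    """Pull the returned password out of VSA 26/398/5, as the Step 4
    settings instruct the gateway to do."""
    value = find_vsa(attrs, IMPRIVATA_VENDOR_ID, PASSWORD_VSA_NUMBER)
    return value.decode("utf-8") if value is not None else None


if __name__ == "__main__":
    sample = build_sample_accept_attrs("jdoe", "S3cret!")   # constructed values
    print(sample.hex())
    print(extract_returned_password(sample))
```

One caveat worth keeping in mind when reviewing this design: RFC 2865 hides only User-Password with the shared secret (RFC 2868 adds Tunnel-Password), and a generic Vendor-Specific attribute is carried as-is unless the vendor defines its own obfuscation, which the article does not state for Imprivata attribute 5. Treat the NetScaler-to-RADIUS leg accordingly: keep it on a trusted segment (the SNIP/NSIP placement discussed in Step 3), and use RADIUS over TLS (RadSec, RFC 6614) if the server supports it.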

Step 5: Configure a CERT policy

  1. Go to NetScaler > NetScaler Gateway > Policies > Authentication > CERT.
  2. Select the User Name Field based on how your RADIUS server is configured to accept the user name. In this example, the RADIUS server does not accept a UPN, so we selected Subject=CN. With this configuration, NetScaler sends only the user's sAMAccountName to the RADIUS server, along with the passcode.
  3. Set Two Factor to ON, to use both certificate and security token authentication.

Step 6: Create a Rewrite policy

To enable Secure Hub to use certificate and security token authentication, you must add a rewrite action and a rewrite policy in NetScaler to insert a custom response header of the form X-Citrix-AM-GatewayAuthType: CertAndRSA. That header indicates the NetScaler Gateway logon type.
Ordinarily, Secure Hub uses the NetScaler Gateway logon type configured in the XenMobile console. However, that setting is not available to Secure Hub until it completes logon for the first time, so the custom header is required to tell Secure Hub the logon type during that first logon.
  1. In NetScaler, navigate to Configuration > AppExpert > Rewrite > Actions.

  2. Click Add.
    The Create Rewrite Action screen appears.

  3. Fill in each field as shown in the following figure and then click Create.
    User-added image

  4. The following result appears on the main Rewrite Actions screen.
    User-added image

  5. You then need to bind the rewrite action to the virtual server as a rewrite policy. Go to Configuration > NetScaler Gateway > Virtual Servers and then select your virtual server.

  6. Click Edit.
    On the Virtual Servers configuration screen, scroll down to Policies and then click + to add a new policy.

  7. In the Choose Policy field, enter Rewrite.

  8. In the Choose Type field, enter Response.

  9. Click Continue.
    The Policy Binding section expands.

  10. Click Select Policy.
    A screen with available policies appears.

  11. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in.

  12. Click Bind.
    If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

  13. To view the policy details, click Rewrite Policy.
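After binding the rewrite policy, the practical check is whether the gateway's responses actually carry X-Citrix-AM-GatewayAuthType: CertAndRSA. The following Python is an added example, not code from the article or from Citrix. parse_headers() and rewrite_policy_applied() work on raw response bytes so they can be exercised offline against the two constructed sample responses below; check_gateway() is an optional live check against a gateway whose host name, port, logon path and certificate files you supply (all of those are assumptions for your deployment, not values from the article).

```python
"""Verify that a NetScaler Gateway response carries the Step 6 rewrite header.
Added example; the sample responses are constructed, not captured from an appliance."""
import http.client
import ssl
from typing import Dict, Optional, Tuple

EXPECTED_HEADER = "X-Citrix-AM-GatewayAuthType"   # header name from Step 6
EXPECTED_VALUE = "CertAndRSA"                      # header value from Step 6


def parse_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status code and headers from a raw HTTP/1.x response.
    Header names are folded to lower case; a repeated name keeps the last value."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def gateway_auth_type(headers: Dict[str, str]) -> Optional[str]:
    """Return the logon type the gateway advertised, or None if the header is absent."""
    return headers.get(EXPECTED_HEADER.lower())


def rewrite_policy_applied(headers: Dict[str, str]) -> bool:
    """True only when the header is present with exactly the expected value."""
    return gateway_auth_type(headers) == EXPECTED_VALUE


# Constructed sample responses: one from a vServer with the rewrite policy
# bound, one without. Neither was captured from a real appliance.
SAMPLE_WITH_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Citrix-AM-GatewayAuthType: CertAndRSA\r\n"
    b"\r\n<html></html>"
)
SAMPLE_WITHOUT_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html></html>"
)


def check_gateway(host: str, port: int = 443, path: str = "/vpn/index.html",
                  client_cert: Optional[Tuple[str, str]] = None,
                  ca_file: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Live check against your own gateway. host, port, path and the file
    names are values you supply (assumptions, not from the article).
    Because Step 7 makes the client certificate mandatory, the TLS handshake
    needs a user certificate: pass client_cert=(cert_pem, key_pem)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert is not None:
        ctx.load_cert_chain(certfile=client_cert[0], keyfile=client_cert[1])
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader(EXPECTED_HEADER)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, raw in (("with policy", SAMPLE_WITH_HEADER), ("without policy", SAMPLE_WITHOUT_HEADER)):
        status, hdrs = parse_headers(raw)
        print(label, status, gateway_auth_type(hdrs), rewrite_policy_applied(hdrs))
```

If check_gateway() returns None for the header, the policy is not bound to the vServer you are testing, or it was bound with the wrong type (it must be a Response policy, as Step 8 of the procedure says), and Secure Hub will not learn the logon type on its first logon. A handshake failure rather than an HTTP response usually means the mandatory client certificate from Step 7 was not presented.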

Step 7: Configure NetScaler Gateway

Configure two NetScaler Gateways with the same IP but different ports. In this example:
  • _XM_XenMobileGateway is the primary gateway, created to access MDX Apps.
  • _XM_StoreFrontGateway is a secondary gateway, created to access HDX (XenApp & XenDesktop) Apps.
  1. Go to NetScaler Gateway, and edit the XenMobile Gateway (_XM_XenMobileGateway) Virtual Server.

  2. Bind the RADIUS Authentication Policy to the vServer. The vServer should have the RADIUS & CERT Policies added as Primary Authentication.

  3. Select Client Authentication and, for Client Certificate, choose Mandatory.

  4. Bind the Rewrite Policy, created earlier, to the vServer:
    1. Click + to add a new policy.

    2. From Choose Policy, select Rewrite.

    3. From Choose Type, select Response. Click Continue.

    4. Select the Rewrite Policy. The Policy Binding section expands.

    5. Click Select Policy.

    6. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in. Click Bind.

    7. If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

    8. Save the configuration.

Step 8: Configure a second NetScaler Gateway virtual server

The second virtual server should have only LDAP as an Authentication Method.
  1. Configure the SSL Parameters as shown in the following screen shot.
    User-added image

  2. Add all STA servers, Session Policies & Clientless Access Policies which are part of the _XM_XenMobileGateway vServer.

Step 9: Configure Storefront with NetScaler Gateway settings

  1. In General Settings, add the NetScaler Gateway URL. This is the public FQDN of your NetScaler Gateway, with the custom port used to configure _XM_StoreFrontGateway.
    You will use the same FQDN as the callback URL under Authentication Settings.

  2. Set the Logon type to Domain.

Step 10: Configure XenMobile Server Properties

  1. Log on to the XenMobile Server console and go to Settings > Enrollment. Select User name + PIN as the default Enrollment Mode.

  2. Go to Settings > NetScaler Gateway. For Logon Type, choose Certificate and security token and then click Save.

  3. In Settings > NetScaler Gateway, make sure that Authentication is ON, Deliver user certificate for authentication is ON, and the correct Credential provider is shown.

Step 11: Configure enrollment

Before users can enroll, you must create a one-time PIN for the users. You can create a one-time PIN per user or groups of users using AD groups.

  1. Log on to the XenMobile Server console and go to Manage > Enrollment.

  2. Click Add and then click Add Invitation.

  3. Complete the Enrollment Invitation settings.

  4. Enter the Username and then click Save.
    The one-time PIN that's created is valid only for enrollment; once used, it cannot be used again.

Additional Information

For more information about certificate-based authentication, see Certificates in the XenMobile documentation.