Author: Carl Stalhood

Navigation

• Change Log
• Overview
• AAA Virtual Server
  • Create AAA vServer
  • AAA Portal Theme
  • AAA Client Certificate Authentication
• Login Schema
  • Login Schema XML File
  • Login Schema Profile
  • Login Schema Policy
• Advanced Authentication Policies
  • Create Advanced Authentication Policy
  • Bind Advanced Authentication Policy to AAA
  • LDAP Group Extraction
• Authentication Policy Label
  • Create Authentication Policy Label
  • Bind Authentication Policy Label
• nFactor for NetScaler Gateway
  • AAA Authentication Profile
  • Unified Gateway
  • Gateway Client Certificate Authentication
  • nFactor Single Sign-on to StoreFront
  • Endpoint Analysis and nFactor
• Sample Configurations:
  • Certificate auth: If Success, LDAP only. If fails, LDAP+RADIUS
  • Endpoint Analysis: If Success, LDAP only. If fails, LDAP+RADIUS

💡 = Recently Updated

Change Log

• 2018 Feb 4 – updated the Sample Configurations section to match the nFactor 12 article

Overview

nFactor lets you configure an unlimited number of authentication factors. You are no longer limited to just two factors. Each authentication factor performs the following tasks:

• nFactor requests credentials from the user. These credentials can be anything supported by NetScaler including:
  • SAML
  • Certificate
  • oAuth
  • Kerberos
  • Forms-based authentication (traditional web-based logon page) for LDAP, RADIUS, etc.
    • Multiple passwords can be collected with one form.
    • Or prompt the user multiple times throughout the authentication chain.
    • The logon page can contain a domain drop-down.
• nFactor evaluates the credentials. The results can be:
  • Authentication success
  • Authentication failure
  • Group extraction
  • Attribute extraction from SAML, Certificate, etc.
• Based on the evaluation results, do one of the following:
  • Allow access
  • Use authentication evaluation results to select next factor
  • Deny access
• Multiple factor evaluations can be chained together. The chosen next factor is based on the results of the prior factor. This can continue indefinitely. The next factor can do one of the following:
  • Prompt the user for more credentials
  • Evaluate the already entered next set of credentials
  • Use policy expression to select another next factor (no authentication). This is typically used with group extraction so that groups determine the next factor.
• NetScaler Gateway can perform Endpoint Analysis (EPA) and use the scan results to select nFactor authentication factors.

Here are some nFactor use cases, but the combinations are almost limitless:

• Authentication method based on Active Directory group: Logon screen asks for user name only. Extract user’s groups from Active Directory. Based on user’s Active Directory groups, either ask user for certificate, or ask user for LDAP password. If LDAP, the username doesn’t need to be entered again.
• Ask for Certificate first:
  • If certificate, perform LDAP only.
  • If no certificate, perform LDAP + RADIUS
• Two-factor with passwords checked in specific order: Logon screen with two password fields. Check the first password. If the first password succeeds, then check the second password. This lets you check RADIUS before LDAP.
• Run Endpoint Analysis first:
  • If passes, perform LDAP only.
  • If fails, perform LDAP + RADIUS

You configure nFactor in the AAA feature, and then bind it to NetScaler Gateway Virtual Servers. Because of AAA, NetScaler Enterprise Edition is required.

• Note: nFactor works with browser clients, but it does not work with Receiver Self-Service (native Receiver).

nFactor configuration summary (detailed instructions below):

• Each factor is a combination of Advanced Authentication Policies and Login Schema.
  • Advanced policy means it uses an Advanced (Default Syntax) expression as opposed to the classic syntax expression traditionally used in NetScaler Gateway authentication policies.
  • Login Schema is a custom HTML form where users enter credentials.
• The first factor (Advanced Authentication Policies and Login Schema) is bound directly to a AAA Virtual Server.
• Next factors are bound to Authentication Policy Labels. These Labels are then chained to Advanced Authentication Policies in prior factors.
• Authentication Profile links AAA nFactor with NetScaler Gateway.

Also see Citrix CTX222713 Concepts, Entities and Terms used for nFactor Authentication through NetScaler.  💡

AAA Virtual Server

Create AAA Virtual Server

To use nFactor with NetScaler Gateway, you first configure it on a AAA Virtual Server. Then you later bind the AAA Virtual Server to the NetScaler Gateway Virtual Server.

1. If AAA feature is not already enabled, go to Security > AAA, right-click AAA, and Enable Feature.
   
2. Go to Security > AAA > Virtual Servers.
   
3. On the right, click Add.
   
4. Give the Virtual Server a name.
5. If you are only using this AAA Virtual Server for NetScaler Gateway, then you can change the IP address Type to Non Addressable. It’s also possible to content switch to AAA.
6. Click OK.
   
7. In the Certificates section, click where it says No Server Certificate.
   
8. Click to select.
   
9. Select a certificate for the AAA Virtual Server, and click Select. Since this AAA Virtual Server is not directly addressable, the chosen certificate doesn’t matter.
   
10. Click Bind.
    
11. Click Continue.
    
12. You probably don’t have any Advanced Authentication Policies yet, so just click Continue.
    

AAA Portal Theme

If this AAA Virtual Server is used not just for NetScaler Gateway, but also for traffic management (Load Balancing, Content Switching), then you might want to change the AAA Portal theme.

1. Go to NetScaler Gateway > Portal Themes and add a theme.
   
2. After adjusting it as desired, at the top of the portal theme editing page, Click to Bind and View Configured Theme.
   
3. Change the selection to Authentication.
4. Use the Authentication Virtual Server Name drop-down to select the AAA Virtual Server, and click Bind and Preview.
   

Client Certificate Authentication

If one of your authentication Factors is certificate, then you must perform some SSL configuration on the AAA Virtual Server:

1. Go to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Root certificates do not have a key file.
   
2. Go to Security > AAA > Virtual Servers, and edit an existing AAA Virtual Server.
   
3. On the left, in the SSL Parameters section, click the pencil icon.
4. If you don’t see this section, then Default SSL Profiles are probably enabled. You’ll need to create a custom SSL Profile at System > Profiles > SSL Profile. Unfortunately, it’s not possible to bind the custom SSL Profile to AAA vServer using the GUI, but you can do it using the CLI (set ssl vserver MyAAAvServerName -sslProfile MySSLProfileName)
   
5. Check the box next to Client Authentication.
6. Make sure Client Certificate drop-down is set to Optional, and click OK.
   
7. On the left, in the Certificates section, click where it says No CA Certificate.
   
8. Click to select.
   
9. Select the root certificate for the issuer of the client certificates, and click Select.
   
10. Click Bind.
    

Login Schema

Login Schema XML File

Login Schema is an XML file providing the structure of forms-based authentication logon pages.

nFactor implies multiple authentication Factors that are chained together. Each Factor can have different Login Schema pages/files. In some authentication scenarios, users could be presented with multiple logon screens.

Or you can have one Factor gather information that can be passed on to later Factors, so that the later Factors don’t need to display another Login Schema. This is particularly useful for traditional two-password logon screens (LDAP + RADIUS), since each password is evaluated in a separate Factor:

• The first password is evaluated in the first factor (e.g. LDAP). If successful, then proceed to the second factor.
• The second factor (e.g. RADIUS) evaluates the second password. However, the second password has already been entered, so there’s no need to ask the user for it again. To prevent a Login Schema from being shown to the user, select noschema (LSCHEMA_INT) in the Authentication Policy Label.

Several Login Schema .xml files are included with NetScaler under /nsconfig/loginschema/LoginSchema.

NetScaler 11.1 lets you edit the labels from within the GUI. When the labels are changed, NetScaler copies the Login Schema to a new .xml file.

Or you can use WinSCP to connect to the appliance, duplicate one of the existing .xml files, and edit it as desired. For example, you can configure fields (InitialValue tag) to pre-fill information from previous Factors, as shown below:

The login schema can also contain a domain drop-down. See CTX201760 nFactor – Domain Drop-Down in First Factor then Different Policy Evaluations Based on Groups for a sample configuration.

CTX219545 Custom Login Labels in NetScaler nFactor Authentication: add a Requirement element with a Label sub-element to the Login Schema .xml file. Then use Javascript to populate the label with any desired HTML. For example:

Login Schema Profile

To configure a Login Schema Profile:

1. Create or Edit a Login Schema .XML file based on your nFactor design.
2. Go to Security > AAA > Login Schema.
   
3. On the right, switch to the Profiles tab, and click Add.
   
4. In the Authentication Schema field, click the pencil icon.
   
5. Click the LoginSchema folder to see the files in it.
   
6. Select one of the files. You can see a preview on the right. The labels can be changed by clicking the Edit button on the top right.
   
7. When you Save the changes, a new file is created under /nsconfig/LoginSchema.
   
8. On the top right, click Select.
   
9. Give the Login Schema a name, and click More.
   
10. You typically need to use the entered credentials elsewhere. For example, you might need to use the username and one of the passwords to later Single Sign-on to StoreFront. Near the bottom of the Login Schema Profile, enter unique values for the indexes. These values can be between 1 and 16.
11. You can also configure these values on your noschema profiles so that passwords received from a previous factor can be put into a different Index.
    
12. Later you reference these index values in a Traffic Policy/Profile by using the expression HTTP.REQ.USER.ATTRIBUTE(#).
    
13. Click Create.
    
14. Note: if you later edit the Login Schema .xml file, the changes might not be reflected until you edit the Login Schema Profile and select the .xml file again

Login Schema Policy

Login Schemas can be bound directly to a AAA Virtual Server. If one of the Advanced Authentication policies bound directly to the AAA Virtual Server is forms-based, then bind the Login Schema directly to the AAA Virtual Server. If you are binding the Login Schema directly to a AAA Virtual Server, then you must first create a Login Schema Policy expression that is linked to the Login Schema Profile.

Or Login Schemas can be bound to an Authentication Policy Label (described later). If you are binding a Login Schema to an Authentication Policy Label, then there’s no need to create a Login Schema policy expression.

To create and bind a Login Schema Policy:

1. On the left, go to Security > AAA > Login Schema.
2. On the right, switch to the Policies tab, and click Add.
   
3. Use the Profile drop-down to select the Login Schema Profile you already created.
4. Enter a Default Syntax expression in the Rule box, and click Create.
   
5. On the left, go to Security > AAA > Virtual Servers, and edit an existing AAA Virtual Server.
   
6. On the right, in the Advanced Settings column, click Login Schemas.
   
7. On the left, in the Login Schemas section, click where it says No Login Schemas.
   
8. Click to select.
   
9. Select the Login Schema policy, and click Select. Only Login Schema Policies appear in this list. Login Schema Profiles (without a policy) do not appear.
   
10. Click Bind.
    

Advanced Authentication Policies

Authentication policies are a combination of policy expression and policy action. If the expression is true, then evaluate the action.

The Action is always an authentication server (LDAP, RADIUS, etc.).

The policy expression can be either in classic syntax, or in the newer default syntax.

The policy type is either Basic or Advanced. Basic policies can only use classic syntax. Advanced policies only use the newer default syntax. Both types of policies use the same Actions (authentication servers).

nFactor requires Advanced Authentication Policies; Basic policies won’t work.

Create Advanced Authentication Policy

You will need Authentication Actions/Servers (e.g. LDAP, RADIUS, CERT, SAML, etc.)

When creating an Advanced Authentication Policy, there’s a plus icon that lets you create Authentication Actions/Servers.

Or you can create Authentication Actions prior to creating the Advanced Authentication Policy. The Authentication Actions are located under the Security > AAA > Policies > Basic Policies > <Action Type> node. On the right, switch to the Servers tab to create the Actions/Servers. Once the Actions are created, use the instructions below to create the Advanced Authentication Policy. There’s no need to create a Basic Authentication Policy.

To create an Advanced Authentication Policy:

1. Go to Security > AAA > Authentication > Advanced Policies > Policy.
   
2. On the right, click Add. You typically create at least one Authentication Policy for each Factor. When you create multiple Authentication Policies for one Factor, NetScaler checks each policy in priority order until one of them succeeds.
   
3. Use the Action Type drop-down to select the Action Type (e.g. LDAP). The Action Type depends on your nFactor flow design.
   
4. If you don’t currently have any Actions configured, of if you want to create a new one, click the plus icon next to the Action drop-down. The Actions/Servers are created in the normal fashion.
   
5. In the Expression box, enter an expression using the Default Syntax. ns_true won’t work because that’s Classic syntax. There’s an Expression Editor link on the right. Or hit Ctrl+Space to see your options. true is a valid Default expression. Click Create when done.
6. Create more Advanced Authentication Policies as needed for your nFactor design.
   

Bind Advanced Authentication Policy to AAA

Only the Advanced Authentication Policies for the first Factor are bound directly to the AAA Virtual Server. The Advanced Authentication Policies for the remaining Factors are bound to Authentication Policy Labels as detailed in the next section.

1. Go to Security > AAA > Virtual Servers.
2. Edit an existing AAA Virtual Server.
   
3. On the left, in the Advanced Authentication Policies section, click where it says No Authentication Policy.
   
4. Click to select.
   
5. Select the Advanced Authentication Policy, and click Select.
   
6. The Select Next Factor field can optionally point to an Authentication Policy Label as detailed in the next section. The Next Factor is only evaluated if this Advanced Authentication Policy succeeds.
7. If this Advanced Authentication Policy fails, then the Goto Expression determines what happens next. If it is set to NEXT, then the next Advanced Authentication Policy bound to this Factor is evaluated. If it is set to END, of if there are no more Advanced Authentication Policies bound to this Factor, then authentication is finished and marked as failed.
8. Click Bind.
   

LDAP Group Extraction

Sometimes you only want to extract a user’s groups from Active Directory, but have don’t actually want to authenticate with LDAP. These groups can then be used to select the next authentication Factor.

To configure an LDAP Action/Server for only group extraction:

1. When creating or editing an LDAP Server, make sure Authentication is unchecked.
   
2. Make sure Group Attribute and Sub Attribute Name are filled in.
   

Authentication Policy Label

When configuring the first Factor, you bind two objects to the AAA Virtual Server:

• Login schema – for forms-based authentication
• Advanced Authentication Policy

When binding the Advanced Authentication Policy to the AAA Virtual Server, there’s a field to Select Next Factor. If the Advanced Authentication Policy succeeds, then the Next Factor is evaluated.

The Next Factor is actually an Authentication Policy Label.

Authentication Policy Labels contain three objects:

• Login Schema
• Advanced Authentication Policies
• Next Factor – the next Authentication Policy Label

Here’s the flow:

1. User connects to AAA or NetScaler Gateway Virtual Server.
2. If forms-based authentication, the Login Schema bound to the AAA Virtual Server is displayed.
3. Advanced Authentication Policies bound to the AAA Virtual Server are evaluated.
   1. If the Advanced Authentication Policy is successful, go to the configured Next Factor, which is an Authentication Policy Label.
      1. If Next Factor is not configured, then authentication is complete and successful.
   2. If the Advanced Authentication Policy fails, and if Goto Expression is Next, then evaluate the next bound Advanced Authentication Policy.
   3. If none of the Advanced Authentication Policies are successful, then authentication failed.
4. If the Next Factor Authentication Policy Label has a Login Schema bound to it, display it to the user.
5. Evaluate the Advanced Authentication Policies bound to the Next Factor Authentication Policy Label.
   1. If the Advanced Authentication Policy is successful, go to the configured Next Factor, which is an Authentication Policy Label.
      1. If Next Factor is not configured, then authentication is complete and successful.
   2. If the Advanced Authentication Policy fails, and if Goto Expression is Next, then evaluate the next bound Advanced Authentication Policy.
   3. If none of the Advanced Authentication Policies are successful, then authentication failed.
6. Continue evaluating the Next Factor Authentication Policy Label until authentication succeeds or fails. You can chain together an unlimited number of Authentication Policy Labels.

If you are binding a Login Schema to an Authentication Policy Label, then you only need the Login Schema Profile. There’s no need to create a Login Schema Policy.

Not every Factor needs a Login Schema (logon page). It’s possible for a prior Factor to gather all of the credential information and simply pass it on to the next Factor. If you don’t need a Login Schema for a particular Authentication Policy Label, simply select LSCHEMA_INT, which is mapped to noschema. Or create a new Login Schema Profile based on noschema.

Create Authentication Policy Label

To create an Authentication Policy Label:

1. Authentication Policy Labels are configured at Security > AAA > Policies > Authentication > Advanced Policies > PolicyLabel.
   
2. On the right, click Add.
   
3. Give the Policy Label a name.
4. Select a Login Schema Profile. This can be one that is set to noschema if you don’t actually want to display anything to the user. Then click Continue.
   
5. In the Policy Binding section, Click to select.
   
6. Select an Advanced Authentication Policy that evaluates this Factor. Click Select.
   
7. Use the Goto Expression drop-down to select NEXT or END. If you want to bind more Advanced Authentication Policies to this Factor, then select NEXT.
   
8. In the Select Next Factor field, if you chain another Factor, Click to select, and bind the next Authentication Policy Label (Next Factor).
9. Or don’t select anything, and if this Advanced Authentication Policy succeeds, then authentication is successful and complete. This ends the chaining.
   
10. Click Bind when done.
    
11. You can click Add Binding to add more Advanced Authentication Policies to this Policy Label (Factor). Or you can bind Advanced Authentication Policies to the next Policy Label (Next Factor). Click Done.
    

Bind Authentication Policy Label

Once the Policy Label (Factor) is created, you bind it to an existing Advanced Authentication Policy binding. This is how you chain Factors together.

1. Either edit an existing AAA Virtual Server that has an Advanced Authentication Policy already bound to it.
2. Or edit a different Authentication Policy Label.
   
3. On the left, in the Advanced Authentication Policies section, click the bindings.
   
4. Click the ellipsis next to an existing binding, and click Edit Binding.
   
5. In the Select Next Factor field, Click to select.
   
6. Select the Policy Label for the Next Factor, and click Select.
   
7. Click Bind.
   
8. Click Close.
   

nFactor for NetScaler Gateway

AAA Authentication Profile

Authentication Profile lets you bind a AAA Virtual Server to NetScaler Gateway. This is what enables nFactor on NetScaler Gateway.

1. Go to NetScaler Gateway > Virtual Servers.
   
2. On the right, edit an existing Gateway Virtual Server.
   
3. Note: the new RfWebUI theme seems to interfere with Login Schema rendering. Consider changing your Gateway Portal Theme to X1 instead.
   
4. On the right, in the Advanced Settings section, click Authentication Profile.
   
5. On the left, click the plus icon next to the Authentication Profile drop-down.
   
6. Give the Authentication Profile a name.
7. In the Authentication Virtual Server field, Click to select.
   
8. Select the AAA Virtual Server that has Login Schema, Advanced Authentication Policy, and Authentication Policy Labels configured. The AAA Virtual Server does not need an IP address. Click Select.
   
9. Then click Create.
   
10. And click OK.
    
11. If one of your Factors is client certificates, then you’ll need to configure SSL Parameters and CA certificate as detailed in the next section.
12. When you browse to your Gateway, you’ll see the nFactor authentication screens.
    

Unified Gateway

If you have Unified Gateway (Content Switch in front of NetScaler Gateway), then edit the Content Switching policy and add the following expression:

|| HTTP.REQ.URL.STARTSWITH("/nf")

Gateway Client Certificate Authentication

If one of your authentication Factors is certificate, then you must perform some SSL configuration on the NetScaler Gateway Virtual Server:

1. Go to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Certificate Authority certificates do not need key files.
   
2. Go to NetScaler Gateway > Virtual Servers, and edit an existing NetScaler Gateway Virtual Server that is enabled for nFactor.
   
3. On the left, in the SSL Parameters section, click the pencil icon.
   
4. Check the box next to Client Authentication.
5. Make sure Client Certificate drop-down is set to Optional, and click OK.
   
6. On the left, in the Certificates section, click where it says No CA Certificate.
   
7. Click to select.
   
8. Select the root certificate for the issuer of the client certificates, and click Select.
   
9. Click Bind.
   

nFactor Single Sign-on to StoreFront

When performing Single Sign-on to StoreFront, nFactor defaults to using the last entered password. If LDAP is not the last entered password, then you need to create a Traffic Policy/Profile to override the default nFactor behavior.

1. Go to NetScaler Gateway > Policies > Traffic.
   
2. On the right, switch to the Traffic Profiles tab.
3. Click Add.
   
4. Give the Traffic Profile a name.
5. In the Protocol section, select HTTP.
6. Enable Single Sign-on. Scroll down.
   
7. In the SSO Expression fields, enter an HTTP.REQ.USER.ATTRIBUTE(#) expression that matches the indexes specified in the Login Schema.
8. Click Create.
   
9. On the right, switch to the Traffic Policies tab, and click Add.
   
10. Give the policy a name.
11. Select the previously created Traffic Profile.
12. Enter a classic expression (e.g. ns_true) and click Create.
    
13. Edit an existing NetScaler Gateway Virtual Server.
    
14. Scroll down to the Policies section and click the plus icon.
    
15. Select Traffic > Request, and click Continue.
    
16. Select the previously created Traffic Policy and click Bind.
    

Endpoint Analysis and nFactor

When combining nFactor with NetScaler Gateway (or Universal Gateway), you can use Endpoint Analysis scans to control nFactor flow.

1. Create a Preauthentication Profile (NetScaler Gateway > Policies > Preauthentication > Preauthentication Profiles).
   
2. In the Default EPA Group field, enter a new group name. If the EPA scan succeeds, users are added to this group. This group name can then be used later in policy expressions (e.g. HTTP.REQ.USER.IS_MEMBER_OF(“Corporate”))
   
3. Switch to the Preauthentication Policies tab and add a policy.
   
4. Give the policy a name and select the Preauthentication Profile.
5. Configure the EPA expression by using the OPSWAT EPA Editor or Expression Editor links on the right. More details at https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-11-1/#epa.
   
6. You can create a Preauthentication Policy with expression ns_true to capture all failed EPA scans. The Preauthentication Profile would place users in EPA group that indicates the scans failed.
   
7. Edit your Gateway vServer, scroll to the Policies section, and click the plus icon to bind the Preauthentication policies.
   
   
8. If you have a catchall (ns_true) Preauthentication Policy, make sure it has the highest priority number so it is evaluated last.
   
9. In your 1st factor AAA Advanced Authentication Policies, use expressions similar to HTTP.REQ.USER.IS_MEMBER_OF(“MyEPAGroup”). The group name should match whatever group name you specified in the Preauthentication Profile.
   
10. For the 1st factor, bind the Advanced Authentication Policies directly to the AAA vServer. Configure the Next Factor based on your nFactor design (e.g. Next Factor = RADIUS if EPA fails).
    
11. In your Login Schema Policies (1st factor), use the same type of expression.
    
12. For the 1st factor, bind the Login Schema Policies directly to the AAA vServer.
    
13. See below for a sample EPA / nFactor configuration.

Note: if the user skips the EPA scan, then this message will be displayed. This appears to be a limitation of EPA with nFactor.

Sample Configurations

From Citrix Docs: Sample deployments using nFactor authentication:

• Get two passwords up-front, pass-through in next factor. Read
• Username and 2 passwords with group extraction in third factor. Read
• Configure nFactor to process the second password before the first password, Read
  
• Modify first factor username for second factor. Read
  • NO_AUTHN authentication policy expression checks first factor POST Body login value for UPN format. If true, Next Factor is noschema Login Schema with User Expression that transforms the HTTP.REQ.USER.NAME to DOMAIN\Username before passing to second factor authentication policy.
• Group extraction followed by certificate or LDAP authentication, based on group membership. Read
  
  
• SAML followed by LDAP or certificate authentication, based on attributes extracted during SAML. Read
  
• SAML in first factor, followed by group extraction, and then LDAP or certificate authentication, based on groups extracted. Read
• Capture email address in first factor, and then choose one of multiple SAML iDP based on email address suffix. Read (Manuel Kolloff)
  
  
• Prefill user name from certificate. Read
• Certificate authentication followed by group extraction for 401 enabled traffic management virtual servers. Read
  
• Certificate fallback to LDAP in same cascade; one virtual server for both certificate and LDAP authentication. Read
• LDAP in first factor and WebAuth in second factor. Read
• WebAuth in first factor, LDAP in second factor. Read
  
• Domain drop down in first factor, then different policy evaluations based on group. Read
  
• Google reCAPTCHA first factor, LDAP second. Read (George Spiers)
  
• Supporting reCaptcha with NetScaler nFactor. Read
  
• CTX225938 nFactor – Customizing UI to Display Images – e.g. Swivel
  
• Configure EULA (End User License Agreement) as an Authentication Factor. Read
  
• Show a drop-down box in the logon form and automatically hide or show certain fields based on drop-down selection. Read
  
  
• Step-up authentication – i.e. one Unified Gateway website needs single factor, while other website needs multi-factor. Read
  

Certificate auth: If Successful, LDAP only. If Failure, LDAP+RADIUS

This scenario is described in Citrix Blog Post Configuration Notes on nFactor

The authentication process flows like this:

1. User connects to NetScaler Gateway.
2. NetScaler Gateway asks user for certificate.
3. If user selects a certificate, NetScaler Gateway compares certificate signature to the CA certificate that is bound to the NetScaler Gateway. If it doesn’t match, then user certificate is ignored.
4. Bound to the NetScaler Gateway Virtual Server is an Authentication Profile, which links NetScaler Gateway to AAA nFactor.
5. Certificate authentication: The lowest priority number authentication policy on the AAA Virtual Server is Certificate. If there’s a valid user certificate:
   1. Extract the user’s userPrincipalName from the certificate.
   2. Next Factor = policy label that displays a logon screen (Single-factor Login Schema)
   3. The username field is pre-populated with the userPrincipalName attribute extracted from the certificate.
   4. User is prompted to enter the LDAP password only.
   5. LDAP policy/server is configured to use userPrincipalName to login to LDAP.
   6. If successful, NetScaler Gateway authentication is complete. Next step is to Single Sign-on to StoreFront.
   7. If LDAP authentication fails, then NetScaler Gateway authentication fails, and the user is prompted to try LDAP-only authentication again.
6. LDAP authentication: If certificate authentication fails, try next authentication policy bound to the AAA Virtual Server, which is a different LDAP Policy.
   1. Bound to the AAA Virtual Server is a Dual Factor Login Schema that asks for username, LDAP password, and RADIUS password.
   2. LDAP policy/server is configured to use sAMAccountName to login to LDAP. SAMAccountName means users don’t have to enter full userPrincipalName.
   3. If LDAP authentication is successful:
      2. Put username in Credential Index 1 and put password in Credential Index 2. These will later be used by a Traffic Policy to Single Sign-on to StoreFront.
      3. Proceed to next factor (Policy Label), which is RADIUS.
   4. If LDAP authentication fails, NetScaler Gateway login fails, and the user is prompted to try two-factor authentication again.
7. RADIUS authentication: the second factor Policy Label is configured with Noschema. This means no additional logon form is displayed because the RADIUS password was already collected in the previous factor.
   1. When multiple passwords are collected, they are tried in order. The first password was used by the previous factor. The second password is tried by this factor (Policy Label).
   2. RADIUS policy/profile attempts authentication.
   3. If RADIUS authentication is successful, NetScaler Gateway authentication is complete. Next step is Single Sign-on to StoreFront.
   4. If RADIUS authentication fails, NetScaler Gateway login fails, and the user is prompted to try two-factor authentication again.
8. Single Sign-on to StoreFront: NetScaler Gateway uses the last password collected by nFactor to Single Sign-on with StoreFront. If the last password is LDAP, then no additional configuration is needed. If the last password is not LDAP, then a Traffic Policy/Profile is needed.
   1. Bound to the NetScaler Gateway Virtual Server is a Traffic Policy.
   2. The Traffic Policy/Profile users Credential Index 1 for username and Credential Index 2 for Password. These are the same indexes configured in the Dual Factor Login Schema.

The order of configuration doesn’t match the authentication flow because some objects have to be created before others.

# Create Auth vServer, bind server cert, bind CA cert for client certificates
# Enable Optional client certificates
add authentication vserver nFactorAAA SSL 0.0.0.0 443
bind ssl vserver nFactorAAA -certkeyName WildCorpCom
bind ssl vserver nFactorAAA -certkeyName CorpRoot -CA -ocspCheck Optional
set ssl vserver nFactorAAA -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED

# Create auth policy for LDAP-UPN. UPN is extracted from certificate.
add authentication ldapAction Corp-UserPrincipalName -serverIP 10.2.2.220 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword "MyPassword" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication Policy Corp-UserPrincipalName -rule true -action Corp-UserPrincipalName

# Create PolicyLabel LDAPPasswordOnly with Single-factor Login Schema
# Login Schema has InitialValue with username from certificate.
add authentication loginSchema SingleAuth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth-Corp.xml"
add authentication policylabel LDAPPasswordOnly -loginSchema SingleAuth
bind authentication policylabel LDAPPasswordOnly -policyName Corp-UserPrincipalName -priority 100 -gotoPriorityExpression NEXT

# Create Cert policy and bind to AAA vServer with LDAPPasswordOnly PolicyLabel as Next Factor
# Cert policy must have lower priority number (higher priority) than LDAP-SAM policy
# Cert is evaluated first. If succeed, ask for LDAP password. If fails, ask for two factor.
add authentication certAction Cert_Auth_Profile -userNameField SubjectAltName:PrincipalName
add authentication Policy Cert_Auth_Policy -rule true -action Cert_Auth_Profile
bind authentication vserver nFactorAAA -policy Cert_Auth_Policy -priority 100 -nextFactor LDAPPasswordOnly -gotoPriorityExpression NEXT

# Create LDAP-SAM Auth Policy for two-factor
# Only evaluated if cert auth fails. Login Schema asks for user, password, and passcode.
add authentication ldapAction Corp-Gateway -serverIP 10.2.2.220 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword "MyPassword" -ldapLoginName samaccountname -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication Policy Corp-SAMAccountName -rule true -action Corp-Gateway

# Create RADIUS Auth Policy for two-factor
add authentication radiusAction RADIUS-Action -serverIP 10.2.2.42 -serverPort 1812 -radKey MyKey
add authentication Policy RADIUS-Policy -rule true -action RADIUS-Action

# Create Dual-factor Login Schema and bind directly to AAA vServer
# This Login Schema is only shown if Cert auth fails
add authentication loginSchema DualAuth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchemaPolicy DualAuth -rule true -action DualAuth
bind authentication vserver nFactorAAA -policy DualAuth -priority 100 -gotoPriorityExpression END

# Create RADIUS Policy Label with noschema and RADIUS Auth Policy
# Already got passcode from previous factor so don't show Login Schema again
add authentication loginSchema Noschema -authenticationSchema noschema
add authentication policylabel NoSchema-RADIUS -loginSchema Noschema
bind authentication policylabel NoSchema-RADIUS -policyName RADIUS-Policy -priority 100 -gotoPriorityExpression NEXT

# Bind LDAP-SAM Auth Policy to AAA vServer with RADIUS as next factor
# LDAP-SAM Auth Policy must have higher priority number (lower priority) than Cert Policy
bind authentication vserver nFactorAAA -policy Corp-SAMAccountName -priority 110 -nextFactor NoSchema-RADIUS -gotoPriorityExpression NEXT

# Create Authentication Profile to link AAA with Gateway. Bind to Gateway.
add authentication authnProfile nFactor -authnVsName nFactorAAA -AuthenticationHost aaa.corp.com
add vpn vserver gateway.corp.com SSL 10.2.2.220 443 -icaOnly ON -dtls ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED -authnProfile nFactor

# Enable Optional Client certs on Gateway
set ssl vserver gateway.corp.com -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED
bind ssl vserver gateway.corp.com -certkeyName CorpRoot -CA -ocspCheck Optional

# Create Traffic Policy to SSON to StoreFront. Bind to Gateway.
add vpn trafficAction nFactorSSO http -kcdAccount NONE -userExpression "http.req.user.attribute(1)" -passwdExpression "http.req.user.attribute(2)"
add vpn trafficPolicy nFactorSSO ns_true nFactorSSO
bind vpn vserver gateway.corp.com -policy nFactorSSO -priority 100

Enpoint Analysis Scan: If succeed, LDAP only. If fails, LDAP+RADIUS.

The authentication process flows like this:

1. User connects to NetScaler Gateway.
2. The Gateway has Preauthentication Policies, which causes Endpoint Analysis scan to occur.
3. Preauthentication Profiles put users in different AAA Groups depending on results of the scan.
4. The Login Schema Policies bound to the AAA vServer have user group expressions based on the Preauthentication Profile EPA Groups.
   1. If scan passed (Corporate group), show Login Schema with one password only.
   2. If scan failed (NonCorporate group), show Login Schema with two password fields.
5. The Advanced Authentication Policies bound to the AAA vServer have user group expressions based on the Preauthentication Profile EPA Groups.
   1. If scan passed (Corporate group), evaluate LDAP password only. No Next Factor.
   2. If scan failed (NonCorporate group), evaluate LDAP, then Next Factor to RADIUS Policy Label.

Here’s a sample config:

# Two Login Schema Profiles - one with one password only, one with two passwords
add authentication loginSchema TwoFactor -authenticationSchema "/nsconfig/loginschema/DualAuth_new.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchema LDAPOnly -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
# Login Schema Policies based on EPA Groups
add authentication loginSchemaPolicy NonCorporateSchema -rule "http.REQ.USER.IS_MEMBER_OF(\"NonCorporate\")" -action TwoFactor
add authentication loginSchemaPolicy CorporateSchema -rule "http.REQ.USER.IS_MEMBER_OF(\"Corporate\")" -action LDAPOnly

# LDAP Action
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword "MyPassword" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
# Two LDAP Policies based on EPA Groups. Same Action for each.
add authentication Policy NonCorporateLDAP -rule "http.REQ.USER.IS_MEMBER_OF(\"NonCorporate\")" -action LDAP-Corp
add authentication Policy CorporateLDAP -rule "http.REQ.USER.IS_MEMBER_OF(\"Corporate\")" -action LDAP-Corp

# RSA Action
add authentication radiusAction RSA -serverIP 10.2.2.42 -serverPort 1812 -radKey MyKey -accounting ON
add authentication Policy RSAAdv -rule true -action RSA
# RSA Policy Label for Next Factor
add authentication policylabel Non-Corporate-RADIUS -loginSchema LSCHEMA_INT
bind authentication policylabel Non-Corporate-RADIUS -policyName RSAAdv -priority 100 -gotoPriorityExpression NEXT

# AAA vServer
add authentication vserver aaanFactor SSL 0.0.0.0
# AAA vServer - bind Login Schema Policies
bind authentication vserver aaanFactor -policy CorporateSchema -priority 100 -gotoPriorityExpression END
bind authentication vserver aaanFactor -policy NonCorporateSchema -priority 110 -gotoPriorityExpression END
# AAA vServer - bind LDAP Auth Policies. Failed EPA has Next Factor configured.
bind authentication vserver aaanFactor -policy CorporateLDAP -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver aaanFactor -policy NonCorporateLDAP -priority 110 -nextFactor Non-Corporate-RADIUS -gotoPriorityExpression NEXT

# Preauth Profiles have EPA Groups (AAA Groups) defined
add aaa preauthenticationaction Corporate ALLOW -defaultEPAGroup Corporate
add aaa preauthenticationaction NonCorporate ALLOW -defaultEPAGroup NonCorporate
# Preauth Policies use EPA Expressions. ns_true captures all failed EPA scans.
add aaa preauthenticationpolicy CorporateEPA "CLIENT.SYSTEM(\'DOMAIN_SUFFIX_anyof_corp.local[COMMENT: Domain check]\') EXISTS" Corporate
add aaa preauthenticationpolicy NonCorporate ns_true NonCorporate

# Authentication Profile
add authentication authnProfile nFactor-Gateway -authnVsName aaanFactor

# Gateway vServer - Create and bind Auth Profile
add vpn vserver UG_VPN_UG SSL 0.0.0.0 -dtls ON -loginOnce ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED -authnProfile nFactor-Gateway
# Gateway vServer - Bind Preauthentcation Policies
bind vpn vserver UG_VPN_UG -policy CorporateEPA -priority 100
bind vpn vserver UG_VPN_UG -policy NonCorporate -priority 110
# Gateway vServer - Bind Traffic Policy for SSON to StoreFront
bind vpn vserver UG_VPN_UG -policy nFactorSSO -priority 100
# Gateway vServer - remaining configuration is normal (session policies, STA, SSL cert, etc.)

Navigation

• Prerequisites
• Endpoint Analysis
  • Additional EPA Configuration
  • EPA Troubleshooting
• SmartControl
• SmartAccess

💡 = Recently Updated

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings) based on how users connect. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess can also control application/desktop icon visibility.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time, but it won’t work, until you do the following:

1. NetScaler appliance license – SmartAccess works with all editions of NetScaler appliances.  However, SmartControl only works with NetScaler Platinum Edition.
2. On the NetScaler, go to System > Licenses and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance.
   1. NetScaler 11.1 build 49 and later come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses.
   2. The Universal licenses are allocated to the hostname of the appliance (click the gear icon), not the MAC address. In a High Availability pair, if each node has a different hostname, then you can allocate the licenses to one hostname, then reallocate to the other hostname.
      
      
3. After installing licenses, go to NetScaler Gateway > Global Settings.
   
4. On the top right, click Change authentication AAA settings.
   
5. At the top of the page, change the Maximum Number of Users to match your installed license count. Then click OK. In NetScaler 11.1 build 49 and newer, this value should already match the number of licensed users. In older builds, you must manually configure this setting, and if not configured, then it defaults to only 5 concurrent connections.
   
   
6. On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
7. Run asnp citrix.* to load the snapins.
8. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
   
9. In StoreFront Console, edit the existing Gateway object.
   
10. Make sure a Callback URL is configured. The Callback URL must resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external, then the Callback FQDN must be different than the Single FQDN.
    
11. On the NetScaler, go to NetScaler Gateway > Virtual Servers, and edit your Gateway Virtual Server.
    
    
12. In the Basic Settings section, click the pencil icon.
    
13. Click More.
    
14. Uncheck the box next to ICA Only, and click OK. This tells NetScaler Gateway to start using Universal licenses, and enables the SmartAccess and SmartControl features.
    

Once the prerequisites are in place, do the following as detailed below:

• Optionally, configure Endpoint Analysis.
• Configure either SmartControl or SmartAccess.

Endpoint Analysis

Endpoint Analysis scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

• With a Preauthentication Policy, if the Endpoint Analysis scan fails, then users can’t login.
• With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more Session Policies has Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.

NetScaler has two Endpoint Analysis engines: the classic Client Security engine, and the newer OPSWAT Advanced EPA engine.

To configure OPSWAT Advanced EPA expressions:

1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
   
2. Use the drop-down menus to select the scan criteria. Then click Done.
   

Additional EPA Info – See the following links for more Advanced EPA information:

• Advanced Endpoint Analysis Policy Expression Reference at Citrix Docs
• Citrix CTX220961 Pre authentication scan on Netscaler gateway for domain check
  
• Citrix CTX204764 Expression for EPA scan through NetScaler Gateway to check a generic antivirus and a generic firewall

  CLIENT.APPLICATION('ANTIVIR_0_RTP_==_TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS
  &&
  CLIENT.APPLICATION('FIREWALL_0_ENABLED_==_TRUE[COMMENT: Generic Firewall Product Scan]') EXISTS

• Citrix Blog Post Patch Management Endpoint Analysis on NetScaler Gateway
  
• Citrix CTX207623 OPSWAT Windows and MAC EPA Scan Support for NetScaler Gateway contains a list of applications supported by OPSWAT Windows and MAC EPA Scan
• Citrix CTX219296 How to configure EPA Expression to validate if the “Windows update” date is within specific time period
  
• Citrix CTX205267 How Do I Configure EPA for Registry Check?
  
• CTX221121 Create EPA Scans to Detect Receiver on Clients. Clients without Receiver installed are sent to the a page with a link to the Receiver Download page, and Clients with Receiver are allowed through to their ICA applications

  CLIENT.SYSTEM('REG-NON-NUM_HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Citrix\\Install\\ICA Client\\InstallFolder') EXISTS

To configure Client Security expressions:

1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
   
2. Change the Expression Type to Client Security.
   
3. Use the Component drop-down to select a component. A common configuration is to check for domain membership as detailed at CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
   

You can also use EPA expressions when configuring a Quarantine Group.

Once the Preauthentication and/or Session Policies are created, bind them to your NetScaler Gateway Virtual Server:

1. Edit a NetScaler Gateway Virtual Server.
2. Scroll down to the Policies section, and click the plus icon.
   
3. Select either Preauthentication or Session, and select the policy you already created. Then click Bind.
   

EPA Troubleshooting

Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature:

1. Go to NetScaler Gateway > Global Settings.
2. On the right, click Change Global Settings.
   
3. On the Security tab, click Advanced Settings.
   
4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
   
5. When the scan fails, the user is presented with a Case ID.
   
6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.
   

To determine why your EPA scans fail, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
Make a DWORD value named “EnableEPALogging“, and set the value to 1.

After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.

NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.

SmartControl

The SmartControl feature lets you configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at Citrix Docs for detailed instructions.

Note: SmartControl requires NetScaler Platinum Edition.

1. If you are using a Preauthentication Policy to run an Endpoint Analysis scan, edit the Preauthentication Profile.
   
2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
   
3. If you are instead using a Session Policy/Profile to run the post-authentication Endpoint Analysis scan, edit the Session Profile, on the Security tab, use the Smartgroup field to define a group name for users that pass the scan. You’ll use this group name later.
   
4. On the left, expand NetScaler Gateway, expand Policies, and click ICA.
   
5. On the right, switch to the Access Profiles tab, and click Add.
   
6. Configure the restrictions as desired, and click Create.
   
7. Switch to the ICA Action tab, and click Add.
   
8. Give the Action a name. Select the ICA Access Profile. Click Create.
   
9. Switch to the ICA Policies tab, and click Add.
   
10. Select the previously created ICA Action.
11. Enter an expression. You can use HTTP.REQ.USER.IS_MEMBER_OF(“MyGroup”).NOT where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan. Click Create when done.
    
12. Edit your Gateway Virtual Server.
13. Scroll down to the Policies section, and click the plus icon.
    
14. Change the Policy Type to ICA, and click Continue.
    
15. Select the SmartControl policy you created earlier, and click Bind.
    

SmartAccess

CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance

In XenApp/XenDesktop, edit a Citrix policy, and add the Access Control filter. If you are using GPO to deliver Citrix Policies, then only Citrix Policies in the user half of the GPO support Access Control filters.

You can leave the default wildcards for farm name and condition to match all NetScaler Gateway connections. Or you can match specific NetScaler Gateway / Session Policy connections:

• AG farm name = name of the NetScaler Gateway Virtual Server.
• Access condition = name of the NetScaler Gateway Session Policy.

You typically create a Citrix policy to turn off all client device mappings for all external users. Then you create a higher priority Citrix policy that re-enables client device mappings for those users that passed the Endpoint Analysis scan expression on a particular Session Policy.

If you edit a Delivery Group, there’s an Access Policy page where you can hide or show the Delivery Group for all NetScaler Gateway connections, or for specific NetScaler Gateway Virtual Server / Session Policy connections.

• Site or Farm name = NetScaler Gateway Virtual Server name
• Filter = NetScaler Gateway Session Policy name

This configuration is only available at the entire Delivery Group. It is not possible to perform this configuration for only specific published applications, unless they are on different Delivery Groups.

When connected to a session, Director shows SmartAccess Filters on the session Details page. Notice the Farm Name (vServer name) and Filter Name (Session Policy name)

Related Pages

• NetScaler Gateway 11.1 Virtual Server
• Back to NetScaler 11.1

RDP Proxy

NetScaler supports RDP Proxy through NetScaler Gateway. No VPN required. In 11.1 and newer, RDP can connect to Gateway on 443. In older NetScaler, RDP connects on 3389.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

• Bookmarks on the Clientless Access portal page.
  • Bookmarks can be defined by the administrator.
  • Or users can add their own RDP bookmarks.
• After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
• In the RfWebUI Portal Theme, the Add Bookmark link lets users enter an RDP address, and click Go.
  

The easy configuration is for one Gateway to do both authentication and RDP Proxy. Alternatively, you can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.

Links:

• RDP Proxy at Citrix Docs
• Kenny Baldwin blog post RDP-Proxy on NetScaler!
• Citrix Blog Post RDP Gateway on a NetScaler SSLVPN Virtual Server
• Citrix CTX200853 How to Configure RDP Profile on NetScaler Gateway
• RDP Proxy section in Unified Gateway FAQ at docs.citrix.com
• Anton van Pelt NetScaler Gateway = RD Gateway

Here are some requirements for RDP Proxy:

• NetScaler Enterprise Edition or Platinum Edition.
• NetScaler Gateway Universal Licenses for each user.
  • NetScaler 11.1 build 49 and later come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses.
• TCP 443 opened to the NetScaler Gateway Virtual Server. If older NetScaler, open TCP 3389 to the Gateway.
• TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Do the following to configure RDP Proxy:

1. Go to System > Settings, and click Configure Advanced Features.
   
2. Check the box for RDP Proxy, and click OK.
   
3. Expand NetScaler Gateway, expand Policies, and click RDP.
   
4. On the right, switch to the Client Profiles tab, and click Add.
   
5. Give the Client Profile a name, and configure it as desired. Scroll down.
   
6. It is no longer necessary to configure a Pre shared key or RDP Host. Just click Create.
   
7. It is no longer necessary to create a RDP Server Profile.
8. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
9. Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
   
10. On the right, click Add.
    
11. Give the Bookmark a name.
12. For the URL, enter rdp://MyRDPServer using IP or DNS.
13. Check the box next to Use NetScaler Gateway As a Reverse Proxy, and click Create.
14. Create more bookmarks as desired.
    
15. Create or edit a Session Profile/Policy.
16. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
    
17. On the Remote Desktop tab, Override Global and select the RDP Client Profile you created earlier.
    
18. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
    
19. On the Published Applications tab, make sure ICA Proxy is OFF.
    
20. Edit or Create your Gateway Virtual Server.
21. In the Basic Settings section, click More.
    
22. It is no longer necessary to bind a RDP Server Profile. Instead, RDP is proxied through 443 on the Gateway.
23. Scroll down. Make sure ICA Only is not checked. This means you’ll need NetScaler Gateway Universal licenses for each user that connects through this Gateway.
    
24. Bind a certificate.
25. Bind authentication policies.
26. Bind the session policy/profile that has the RDP Client Profile configured.
    
27. You can bind Bookmarks to either the NetScaler Gateway Virtual Server, or to a AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
    
28. On the left, in the Published Applications section, click where it says No Url.
    
29. While editing your Gateway vServer, you can also enable the new RfWebUI Portal Theme. This requires StoreFront to be 3.6 or newer.
    
30. Bind your Bookmarks.
    
31. Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
    
32. On the right, click Change authentication AAA settings.
    
33. Change the Maximum Number of Users to your licensed limit. In NetScaler 11.1 build 49 and newer, this value should already match the number of licensed users. In older builds, you must manually configure this setting, and if not configured, then it defaults to only 5 concurrent connections.
    
    
34. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
    
35. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
    
36. Connect to your Gateway and login.
    
37. If you configured Bookmarks, if RfWebUI theme, on the Apps tab, click Web and SaaS Apps.
    
38. If X1 theme, the bookmarks are on the Web Apps page.
    
39. Then click the Bookmark. If RfWebUI theme, you can also click Details to mark the Bookmark as a Favorite.
    
40. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).
    
41. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
    
42. Then open the downloaded .rdp file.
    
43. You can view the currently connected users by going to NetScaler Gateway > Policies > RDP, and on the right is the Connections tab.
    
44. If using the RfWebUI theme, another way to launch RDP sessions is to click the Add Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
    
45. You can also Save the bookmark.
    
46. Then access the saved bookmark from Apps > Personal Bookmarks.
    
    
47. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
    
48. The X1 theme has an Add button on the Web Apps page.
    
49. But there is no Go button. Instead, you save the Bookmark and launch it from the list.