RSA SECURID® ACCESS


Implementation Guide

Citrix NetScaler Gateway 12.0

Peter Waranowski, RSA Partner Engineering


Last Modified: Feb 21st, 2019
Citrix Systems, Inc.
NetScaler Gateway

Table of Contents
Solution Summary
Supported Authentication Methods by Integration Point
Configuration Summary
RSA SecurID Access Configuration
    RSA Cloud Authentication Service Configuration
    RSA Authentication Manager Configuration
Partner Product Configuration
    Before You Begin
    Configure an Authentication Policy
    Bind the SecurID Access Authentication Policy
    Configure Risk-Based Authentication
Login Screenshots
Certification Checklist for RSA SecurID Access


Solution Summary
Citrix NetScaler can integrate with RSA Cloud Authentication Service by using RADIUS or SAML.
When integrated via RADIUS, users can use policy-driven multi-factor authentication for cases where
authentication happens either in the Web browser or in Citrix Receiver. SSO into StoreFront can be
maintained using a single primary RADIUS authentication policy.
When integrated via SAML, users can use policy and context-driven multi-factor authentication for cases
where authentication happens in the Web browser. SSO into StoreFront can be maintained by using an
nFactor policy with RSA Cloud IdP with additional authentication only option or by using Citrix Federated
Authentication Service (FAS).
Citrix NetScaler can integrate with RSA Authentication Manager in two different ways:
1. Integrate Citrix NetScaler with RSA Authentication Manager using a RADIUS authentication
policy. If SSO to StoreFront is needed, include an authentication policy for AD as well.
2. Install the RSA Authentication Agent for Citrix StoreFront on your Citrix StoreFront server(s) and
integrate Citrix NetScaler with Citrix StoreFront using a Delegated Forms Authentication (DFA)
authentication policy. If SSO to StoreFront is needed, the agent can securely store and retrieve
the users’ AD credentials for the user during logon.
Both approaches will allow users to authenticate with RSA SecurID in cases where authentication
happens in the Web browser or in Citrix Receiver.
Citrix NetScaler can also be configured with RSA Authentication Manager for Risk-Based Authentication
(RBA). When configured, users can be authenticated using RBA in cases where authentication happens
in the Web browser. SSO into Citrix StoreFront can be maintained by using the RSA Authentication Agent
for Citrix StoreFront with DFA policy integration approach.
| RSA SecurID Access Features | Citrix NetScaler 12.0 |
|---|---|
| On Premise Methods | |
| RSA SecurID | ✔ |
| On Demand Authentication | ✔ |
| Risk-Based Authentication (AM) | ✔ |
| Cloud Authentication Service Methods | |
| Authenticate App | ✔ |
| FIDO Token | ✔ |
| SSO | |
| SAML SSO | ✔ |
| HFED SSO | - |
| Identity Assurance | |
| Collect Device Assurance and User Behavior | ✔ |


Supported Authentication Methods by Integration Point


This section indicates which authentication methods are supported by integration point. The next section
(Configuration Summary) contains links to the appropriate configuration sections for each integration
point.

Citrix NetScaler Gateway integration with RSA Cloud Authentication Service

| Authentication Methods | REST | IDR SAML | Cloud SAML | HFED | RADIUS |
|---|---|---|---|---|---|
| RSA SecurID | - | ✔ | ✔ | - | ✔ |
| LDAP Password | - | ✔ | ✔ | - | ✔ |
| Authenticate Approve | - | ✔ | ✔ | - | ✔ |
| Authenticate Tokencode | - | ✔ | ✔ | - | ✔ |
| Device Biometrics | - | ✔ | ✔ | - | ✔ |
| SMS Tokencode | - | ✔ | ✔ | - | ✔ |
| Voice Tokencode | - | ✔ | ✔ | - | ✔ |
| FIDO Token | | ✔ | ✔ | | - |

Citrix NetScaler Gateway integration with RSA Authentication Manager

| Authentication Methods | REST | RADIUS | UDP Agent | TCP Agent |
|---|---|---|---|---|
| RSA SecurID | - | ✔ | ✔ | - |
| AM RBA | | ✔ | ✔ | |

✔ Supported
- Not supported
n/t Not yet tested or documented, but may be possible


Configuration Summary
All of the supported use cases of RSA SecurID Access with Citrix NetScaler Gateway require both server-
side and client-side configuration changes. This section of the guide includes links to the appropriate
sections for configuring both sides for each use case.
RSA Cloud Authentication Service – Citrix NetScaler Gateway can be integrated with RSA Cloud
Authentication Service in the following way(s):
    SAML via RSA Identity Router (IdP)
        Cloud Authentication Service – Identity Router IdP Configuration
        Citrix NetScaler Gateway SAML SP Configuration
    SAML via RSA Cloud (IdP), All authentication option
        Cloud Authentication Service – Cloud IdP Configuration
        Citrix NetScaler Gateway SAML SP Configuration
    SAML via RSA Cloud (IdP), Additional authentication only option
        Cloud Authentication Service – Cloud IdP Configuration
        Citrix NetScaler Gateway – nFactor LDAP to SAML Configuration
    RADIUS
        Cloud Authentication Service RADIUS Server Configuration
        Citrix NetScaler Gateway RADIUS Configuration

RSA Authentication Manager – Citrix NetScaler Gateway can be integrated with RSA Authentication
Manager in the following way(s):
    RADIUS
        Authentication Manager RADIUS Server Configuration
        Citrix NetScaler Gateway RADIUS Client Configuration
    DFA + RSA Authentication Agent for Citrix StoreFront
        Citrix StoreFront DFA Configuration
    Risk-Based Authentication – RADIUS
        Authentication Manager Risk-Based Configuration
        Citrix NetScaler Gateway Risk-Based Authentication Configuration
    Risk-Based Authentication – DFA + RSA Authentication Agent for Citrix StoreFront
        Authentication Manager Risk-Based Configuration
        Citrix NetScaler Gateway Risk-Based Authentication Configuration


RSA SecurID Access Configuration


RSA Cloud Authentication Service Configuration
SAML via RSA Identity Router (IdP)
To configure a SAML Service Provider in RSA Identity Router, you must deploy a connector for the
application in the RSA SecurID Access Console. During configuration of the IdP you will need some
information from the SP. This information includes (but is not limited to) the Assertion Consumer Service
URL and the Service Provider Entity ID.
1. Log on to the RSA SecurID Access console and browse to Applications > Application Catalog,
search for Citrix NetScaler and click +Add to add the connector.

2. On the Basic Information page, specify the application name and click Next Step.
3. On the Connection Profile page, choose IDP–initiated and POST as the method for SAML
Request and scroll down to SAML Identity Provider (Issuer) section.


4. Upload the certificate and the private key, then scroll down to the Service Provider section.

5. Enter the Assertion Consumer Service (ACS) URL, the Audience (Service Provider Entity
ID) and scroll down to the User Identity section.


6. Set the Identifier Type to Email Address and Property to mail and click Next Step.

7. On the User Access page, select the desired user policy from the drop down list and click Next
Step.

8. On the Portal Display page, select Display in Portal.


9. Click Save and Finish.
10. Click Publish Changes. Your application is now enabled for SSO.

Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the
service provider for SAML SSO.


SAML via RSA Cloud (IdP)


To configure a SAML Service Provider in RSA Cloud IdP, you must add a Relying Party in the RSA
SecurID Access Console. During configuration of the IdP you will need some information from the SP.
This information includes (but is not limited to) the Assertion Consumer Service URL and the Service
Provider Entity ID.
1. Log on to the RSA SecurID Access console and browse to Authentication Clients > Relying
Parties.

2. Click Add a Relying Party.


3. Enter a Name for the relying party and click Next Step.

4. Choose your Authentication settings and click Next Step.


5. Enter the Assertion Consumer Service URL, Service Provider Entity ID and click Save and
Finish.


6. Open the Edit pulldown list and choose View or Download IdP Metadata.

7. Make a note of the entityID value and click Cancel to close the window. This is the same value as
the IdP’s SSO Sign-In URL.

8. Click Publish Changes. Your application is now enabled for SSO.

Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the
service provider for SAML SSO.

RADIUS
To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first
configure a RADIUS client in the RSA SecurID Access Console.
Log on to the RSA SecurID Access console and browse to Authentication Clients > RADIUS > Add
RADIUS Client and enter the Name, IP Address and Shared Secret. Click Publish to push your
configuration change to the RADIUS server.
RSA Cloud Authentication RADIUS server listens on port UDP 1812.


RSA Authentication Manager Configuration


RADIUS
To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a
RADIUS client and a corresponding agent host record in the Authentication Manager Security Console.
The relationship of agent host record to RADIUS client in Authentication Manager can be 1 to 1, 1 to
many or 1 to all (global).
RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.

UDP Agent
To configure your RSA Authentication Manager for use with a UDP-based agent, you must create an
agent host record in the Security Console of your Authentication Manager and download its configuration
file (sdconf.rec).
 Hostname: Configure the agent host record name to match the hostname of the agent.
 IP Address: Configure the agent host record to match the IP address of the agent.

Important: Authentication Manager must be able to resolve the IP address from the hostname.

Risk-Based Authentication
To configure your RSA Authentication Manager for risk-based authentication with Citrix NetScaler
Gateway, you must create an agent host record and enable it for risk-based authentication in the RSA
Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based
authentication integration script for the appropriate device type to configure the agent. RSA
Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only.
The latest risk-based authentication script templates are at the following links.
For the RADIUS integration approach:
https://sftp.rsa.com/human.aspx?Username=partner&password=RSAS3cur3d!&arg01=228719215&arg12=downloaddirect&transaction=signon&quiet=true
For the DFA + RSA Authentication Agent for Citrix StoreFront integration approach:
https://sftp.rsa.com/human.aspx?Username=partner&password=RSAS3cur3d!&arg01=458478494&arg12=downloaddirect&transaction=signon&quiet=true
Download the file and copy it to the following directory on your primary RSA Authentication Manager
server:
/opt/rsa/am/utils/rba-agents
Refer to the RSA documentation for more information on RBA integration scripts.


Partner Product Configuration


Before You Begin
This section provides instructions for configuring Citrix NetScaler with RSA SecurID Access. This
document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All Citrix NetScaler components must be installed and working prior to the integration. Perform the
necessary tests to confirm that this is true before proceeding.

Configuration Overview
Configure an Authentication Policy
SAML
RADIUS
DFA (for use with RSA Authentication Agent for Citrix StoreFront)
nFactor (LDAP to RSA Cloud IdP)
Bind the SecurID Access Authentication Policy
Configure NetScaler Gateway with Risk Based Authentication
RADIUS
DFA + RSA Authentication Agent for Citrix StoreFront


Configure an Authentication Policy


NetScaler SAML Policy Configuration
Complete the steps in this section to create a NetScaler SAML authentication policy that can integrate
with RSA Cloud Authentication Service using either the Identity Router IdP or Cloud IdP in “RSA SecurID
Access manages all authentication” mode. This policy works with Web logon cases only and does not
provide for SSO into StoreFront on its own.
1. Log on to the NetScaler Gateway web administration console and browse to Configuration >
NetScaler Gateway > Policies > Authentication > SAML and click Add.

2. Enter a Name for the Authentication SAML Policy and click the + to add a server.


3. Configure the Authentication SAML Server settings and click OK.

 Enter a Name.
 Add and/or select your public certificate from the IDP Certificate Name dropdown menu.
 Copy the URL from the Identity Provider URL field in the SecurID Access application into the Redirect URL
field.
 Enter mail into the User Field.
4. Enter ns_true into the Expression field and click Create.

The SAML authentication policy is complete. Proceed to the Bind SecurID Access Authentication
Policy section of this guide.


NetScaler RADIUS Policy Configuration


Complete the steps in this section to integrate with RSA SecurID Access using RADIUS authentication
protocol. This policy works with both Web and client logon cases.
1. Log on to the NetScaler Gateway web administration console and browse to Configuration >
NetScaler Gateway > Policies > Authentication > RADIUS and click Add.

2. Click + to add a new Server.


3. Configure the RADIUS server settings for Authentication Manager or Cloud Authentication Service and
click Create.

 Name: Enter a name to reference this RADIUS server object.


 Enter the Server Name or Server IP.
 Port: Enter the port the server is listening on. RSA Authentication Manager listens on 1812 and 1645. RSA
Cloud Authentication Service listens on 1812.
 Secret Key: Also known as shared secret. This string must match the string entered on the RSA side.
 Time-out:
4. Enter ns_true into the Expression field and click Create.

The RADIUS authentication policy is complete. Proceed to the Bind SecurID Access Authentication
Policy section of this guide.


NetScaler DFA Policy Configuration


DFA is a Citrix technology which allows Citrix NetScaler to delegate authentication to Citrix StoreFront.
The DFA server must be installed and configured on a Citrix StoreFront server in order for NetScaler to
integrate using a DFA policy. When the RSA Authentication Agent for Citrix StoreFront is installed on the
DFA server, NetScaler users can be authenticated by the agent using DFA. The agent integrates with
RSA Authentication Manager using native RSA protocol and brings some helpful features like auto
registration and password integration. This policy works with Web and client logon cases and can
provide SSO into Citrix StoreFront.
Refer to the Citrix document DFAServerFPReadMe.txt located at the following path for information on
how to install and configure the DFA server.
C:\Program Files\Citrix\Receiver StoreFront\Management\Cmdlets
Refer to RSA Authentication Agent 1.5 for Citrix StoreFront Installation and Administration Guide for
information on how to install and configure the agent for use with DFA.
Complete the steps in this section to integrate with Citrix DFA server.
1. Log on to the NetScaler Gateway web administration console and browse to Configuration >
NetScaler Gateway > Policies > Authentication > DFA and click Add.

2. Enter a Name and click the + to add a new Action.


3. Configure the DFA Server settings and click Create.

4. Enter an expression in the Rule field and click Create.

The DFA authentication policy is complete. Proceed to the Bind the SecurID Access Authentication
Policy section of this guide.


nFactor (LDAP to RSA Cloud IdP)


Complete the steps in this section to create a NetScaler nFactor policy that will first challenge for
username + password (LDAP), and then redirect to RSA Cloud IdP (SAML) for additional authentication
only. This policy works for Web cases only and can provide SSO into Citrix StoreFront.
1. Browse to Configuration > Security > AAA – Application Traffic > Virtual Servers and click
Add.

2. Add a Name, set IP Address Type to Non Addressable and click OK.


3. Click to add a Server Certificate.

4. Select the Server Certificate from the drop-down menu and click Bind.


5. Click Continue and Continue again to complete the AAA virtual server.

Configure and Bind the Login Schema


1. Browse to Configuration > AAA – Application Traffic > Login Schema, open the Profiles tab
and click Add.


2. Enter a Name and click the Authentication Schema edit icon.

3. Click to open the LoginSchema folder, scroll down to SingleAuth.xml and click Select.


4. Click More to show advanced options. Enter 1 in the User Credential Index field, enter 2 in the
Password Credential Index field, mark the checkbox to Enable Single Sign On Credentials
and click Create.

5. Browse to Configuration > Security > AAA – Application Traffic > Login Schema and click
Add to add a new Login Schema policy.


6. Enter a Name, select your Authentication Login Schema profile from the Profile drop-down menu,
enter a Rule and click Create.

7. Browse to Configuration > Security > AAA – Application Traffic > Virtual Servers and click to
edit your AAA virtual server.


8. Under Advanced Settings menu, click + Login Schemas.

9. Highlight your Authentication Login Schema policy from the list and click Select.

10. Click Bind to bind the policy and then Done to save the changes.


Configure and Bind the Authentication Policy


1. Browse to Configuration > Security > AAA – Application Traffic > Policies > Authentication
> Advanced Policies > Policy and click Add.

2. Enter a Name, select LDAP from the Authentication Type drop-down menu and click + to add a
new Action.

3. Configure the Authentication LDAP server settings and click Create.


4. Enter true in the Expression field and click Create.

5. Browse to Configuration > Security > AAA – Application Traffic > Policies > Authentication
> Advanced Policies > PolicyLabel and click Add.


6. Enter a Name, select Login Schema and click Continue.

7. Click + to create a new policy.


8. Enter a Name and click + to create a new Action.

9. Configure the Authentication SAML Server settings and click Create.

 Enter a name in the Name field.


 Select the RSA Cloud IdP signing certificate from the IDP Certificate Name drop-down menu.
 Enter the RSA Cloud IdP Single Sign On Service URL into the Redirect URL field.
 Enter sAMAccountName into the User Field.
 Enter a value into the Issuer Name. This will serve as the SP Entity ID.
Note: Because of a defect in the NetScaler web administration console, you may not be able to add a
certificate without also supplying its private key (which RSA does not provide for the IdP signing
certificate). In that case, install the certificate from the NetScaler command line instead:
add ssl certKey mycert -cert "/nsconfig/ssl/mycert.cer"


10. Enter true in the Expression field and click Create.

11. Choose END from the Goto Expression drop-down menu and click Bind.

12. Click Done to save the Authentication PolicyLabel.
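Step 9 above needs three values from the RSA Cloud IdP: the Single Sign On Service URL for the Redirect URL field, the IdP signing certificate (installed without a private key with add ssl certKey), and the entityID that step 7 of the Cloud IdP section told you to note from the downloaded IdP metadata. The POSIX sh functions below are an added example, not RSA's or Citrix's code, that pull those values out of a SAML 2.0 IdP metadata file and write the certificate as a PEM file ready for /nsconfig/ssl. They assume the file uses the standard SAML metadata element names (EntityDescriptor, KeyDescriptor, X509Certificate, SingleSignOnService); the metadata embedded in write_sample_metadata is constructed for this example, with a placeholder string where a real certificate would be.

```shell
#!/bin/sh
# Added example, not part of the RSA/Citrix guide: extract what the NetScaler
# SAML action needs from RSA Cloud IdP metadata (entityID, Single Sign On
# Service URL, signing certificate) and write the certificate as PEM so it can
# be installed without a private key:
#   add ssl certKey rsa_idp -cert "/nsconfig/ssl/rsa_idp.cer"
# Only POSIX sh parameter expansion is used, so this runs on the appliance's
# own shell. Assumption: standard SAML 2.0 metadata element names.

q='"'

# flatten <file> : the metadata as one line, so prefix/suffix expansions can
# cut it without caring where the export wrapped lines
flatten() {
    tr -d '\r\n' < "$1"
}

# saml_entity_id <metadata-file> : print the entityID attribute (the value the
# Cloud IdP section, step 7, says to note down)
saml_entity_id() {
    flat=$(flatten "$1")
    rest=${flat#*entityID=$q}
    [ "$rest" != "$flat" ] || return 1
    printf '%s\n' "${rest%%$q*}"
}

# saml_sso_url <metadata-file> <binding> : print the SingleSignOnService
# Location for HTTP-POST or HTTP-Redirect; fails if that binding is not offered
saml_sso_url() {
    flat=$(flatten "$1")
    want="Binding=${q}urn:oasis:names:tc:SAML:2.0:bindings:$2${q}"
    while :; do
        rest=${flat#*SingleSignOnService}
        [ "$rest" != "$flat" ] || return 1
        elem=${rest%%>*}                 # this element's attributes only
        case $elem in
            *"$want"*)
                loc=${elem#*Location=$q}
                # attribute values are XML-escaped: query strings carry &amp;
                printf '%s\n' "${loc%%$q*}" | sed 's/&amp;/\&/g'
                return 0 ;;
        esac
        flat=$rest
    done
}

# saml_signing_cert <metadata-file> <out.cer> : write the signing certificate
# as PEM (64-column base64, as openssl and the NetScaler expect)
saml_signing_cert() {
    flat=$(flatten "$1")
    rest=${flat#*use=${q}signing${q}}
    # a KeyDescriptor without a "use" attribute serves signing and encryption
    [ "$rest" != "$flat" ] || rest=${flat#*KeyDescriptor}
    [ "$rest" != "$flat" ] || return 1
    b64=${rest#*X509Certificate>}
    b64=$(printf '%s' "${b64%%<*}" | tr -d ' \t')
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$b64" | fold -w 64
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$2"
}

# saml_entity_matches_sso <metadata-file> : the guide states that the RSA Cloud
# IdP entityID equals its Sign-In URL; succeed only when the metadata agrees
saml_entity_matches_sso() {
    [ "$(saml_entity_id "$1")" = "$(saml_sso_url "$1" HTTP-POST)" ]
}

# write_sample_metadata <file> : constructed sample for this example; the
# certificate body is a placeholder string, not a real certificate
write_sample_metadata() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.rsa.test/IdPServlet?idp_id=example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsampleCERTIFICATEbase64ONLYforTHISexampleNOTaREALcert
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.rsa.test/IdPServlet?idp_id=example&amp;binding=redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.rsa.test/IdPServlet?idp_id=example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}
```

Before binding the resulting certKey, compare the certificate's SHA-256 fingerprint (openssl x509 -in rsa_idp.cer -noout -fingerprint -sha256) with what the RSA console shows, so that a tampered download cannot substitute the issuer whose assertions the gateway will trust; and pick the binding that matches what you chose on the RSA side (this guide uses POST).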


Bind the Advanced Authentication Policy to the AAA Virtual Server


1. Browse to Configuration > Security > AAA – Application Traffic > Virtual Servers and click to
edit your AAA virtual server.

2. In the Advanced Authentication Policy section, click No Authentication Policy.


3. Configure the Policy Binding and click Bind and then Done to save your changes.

 Select your AD/LDAP policy from the Select Policy drop-down menu.
 Select NEXT from the Goto Expression drop-down menu
 Select your SAML policylabel from the Select Next Factor drop-down menu.
Configure and Bind the AAA Authentication Profile
1. Browse to Configuration > Security > AAA – Application Traffic > Authentication Profile
and click Add.


2. Enter Name, Authentication Host, select your AAA virtual server from the Authentication
Virtual Server drop-down menu and click Create.

Note: The value entered into the Authentication Host field is not used by this configuration, but the
web administration console requires it. It is optional when configuring from the command line.
3. Browse to Configuration > NetScaler Gateway > Virtual Servers and edit your NetScaler
Gateway virtual server.


4. Click + Authentication Profile from the Advanced Settings menu.

5. Select your nFactor authentication profile from the Authentication Profile drop-down menu and
click OK and Done to complete the virtual server configuration.

Configure and Bind the Traffic Policy


1. Browse to Configuration > NetScaler Gateway > Policies > Traffic and click Add.


2. Enter a Name for the traffic policy and click + to add a new Request Profile.

3. Configure the NetScaler Gateway Traffic Profile and click Create.

 Enter a Name for the traffic profile.


 Enter HTTP.REQ.USER.ATTRIBUTE(1) into the SSO User Expression field.
 Enter HTTP.REQ.USER.ATTRIBUTE(2) into the SSO Password Expression field.


4. Enter ns_true into the Expression field and click Create.

5. Browse to Configuration > NetScaler Gateway > Virtual Servers and click to edit your virtual
server.

6. Scroll down to Policies and click + to add a new policy.


7. Select Traffic from the Choose Policy drop-down menu and click Continue.

8. Choose your traffic policy from the Select Policy drop-down menu and click Bind.

Your NetScaler Gateway virtual server is now configured for LDAP authentication with step-up to RSA
Cloud Authentication Service with LDAP credential pass-through to StoreFront.


Bind the SecurID Access Authentication Policy


To integrate NetScaler Gateway with RSA SecurID Access, you must bind the authentication policy to
your virtual server. If SSO to StoreFront is not needed, this is straightforward: bind your SecurID
Access authentication policy as either the primary or the secondary type. If SSO into StoreFront is
needed, additional considerations apply. Review the cases below to determine how authentication
policies should be bound.

RSA Cloud Authentication Service Cases:


VPN access
Primary Authentication Policy: Bind Cloud Authentication Service (RADIUS or SAML) policy
Secondary Authentication Policy: Not required
Session Policy: Not required
Remote access to StoreFront (RADIUS)
Primary Authentication Policy: Bind Cloud Authentication Service (RADIUS) policy
Secondary Authentication Policy: Not required. Do not bind an AD policy as Cloud Authentication
Service’s first prompt is for AD credentials.
Session Policy: Set the SSO credential index to primary
Remote access to StoreFront (nFactor policy using AD and Cloud IdP)
Primary Authentication Policy: none
Secondary Authentication Policy: none

RSA Authentication Manager Cases:


VPN access
Primary Authentication Policy: Bind Authentication Manager (RADIUS) policy
Secondary Authentication Policy: Not required
Session Policy: Not required
Remote access to StoreFront (RADIUS)
Primary Authentication Policy: Bind Authentication Manager (RADIUS) policy
Secondary Authentication Policy: Bind Active Directory (LDAP) policy
Session Policy: Set SSO credential index set to secondary
Remote access to StoreFront (DFA + RSA Agent for StoreFront)
Primary Authentication Policy: Bind DFA policy
Secondary Authentication Policy: Not required
Session Policy: Set SSO credential index to primary


1. Log on to the NetScaler Gateway web administration console and browse to Configuration >
NetScaler Gateway and click to edit the NetScaler Gateway Virtual Server.

2. Click the + to bind a Basic Authentication policy.

3. Select RADIUS or SAML Policy and Primary or Secondary Type and click Continue.


4. Choose the authentication policy to bind and click Select.

5. Click the > icon to Select Policy.

6. Choose your authentication policy and click Select.


7. Set the Priority and click Bind.

8. Repeat the steps in this section to bind failover / replica server instances. Change the Priority value
to reflect the order in which server instances should be tried.
9. Click Done when finished.


Configure Risk-Based Authentication


There are two ways to configure Citrix NetScaler with risk-based authentication: one which uses a
RADIUS authentication policy and one which uses a DFA authentication policy and RSA Authentication
Agent for Citrix StoreFront. The RADIUS integration approach is suitable for VPN cases and the DFA +
agent approach is suitable for cases where remote access into Citrix StoreFront is needed. Both cases
require that Citrix NetScaler be enabled with RSA SecurID authentication before adding risk-based
authentication.

RADIUS
This solution requires that the following components have already been installed and configured:
 Citrix NetScaler configured with:
 Virtual server
 Primary RADIUS policy with no other authentication policies

RBA Integration Overview


 Configure and upload RBA script and customized pages
 Configure NetScaler Gateway responder policy
Configure and upload RBA script and customized pages
1. Download the am_integration.js integration script from the NetScaler's agent host record in the
RSA Security Console and copy it to the /netscaler/ns_gui/vpn/ directory on the NetScaler
Gateway.
2. Add a new file with the filename index_rba.html in the /netscaler/ns_gui/vpn/ directory on
NetScaler Gateway and insert the following text. The form carries the user name to the gateway's
login handler; the script loaded after it redirects the browser to the RBA logon page once the page
has loaded.
<form method="post" action="/cgi/login" name="vpnForm">
<input id="Enter user name" name="login" />
</form>
<script type="text/javascript" src="am_integration.js"></script>
<script type="text/javascript">
// assign the handler; writing redirectToIdP() here would call it immediately
// and assign its return value instead
window.onload = redirectToIdP;
</script>
3. Execute the following shell commands on the device to copy these two files to the customization
directory:
> shell
> cd /netscaler/ns_gui/vpn
> cp am_integration.js /var/customizations/am_integration.js.mod
> cp index_rba.html /var/customizations/index_rba.html.mod

Note: Create the /var/customizations/ directory if it does not already exist.

4. If the /nsconfig/rc.netscaler file does not yet exist, create it:
> touch /nsconfig/rc.netscaler


5. Add the following lines to rc.netscaler. These commands instruct the NetScaler Gateway to copy
your modified files back into the vpn directory during each boot sequence:
> echo cp /var/customizations/am_integration.js.mod /netscaler/ns_gui/vpn/am_integration.js >> /nsconfig/rc.netscaler
> echo cp /var/customizations/index_rba.html.mod /netscaler/ns_gui/vpn/index_rba.html >> /nsconfig/rc.netscaler

6. Make a note of your RBA target URL:
https://virtual_server_hostname/vpn/index_rba.html
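Steps 3 to 5 above (and steps 6 and 7 of the DFA procedure that follows, which do the same for the /netscaler/logon/LogonPoint files) have two practical weaknesses: running the echo >> commands a second time stacks duplicate cp lines in rc.netscaler, and nothing confirms that the customised files actually come back after a reboot. The POSIX sh script below is an added example, not part of the RSA or Citrix documentation; it performs the same copy-and-persist steps idempotently and lets you rehearse them in a scratch directory. The file paths are the guide's own; NS_ROOT is an assumption introduced for the rehearsal and is left unset on the appliance.

```shell
#!/bin/sh
# Added example, not part of the RSA/Citrix guide. Persists NetScaler logon-page
# customisations the way the guide describes (master copy under
# /var/customizations with a .mod suffix, restored by /nsconfig/rc.netscaler at
# boot) but without duplicating rc.netscaler lines on re-runs.
#
# Assumption: NS_ROOT prefixes every path so the script can be exercised in a
# scratch directory; on the appliance leave it unset (empty).
NS_ROOT="${NS_ROOT:-}"

# persist_file <path-on-appliance>
#   e.g. persist_file /netscaler/ns_gui/vpn/am_integration.js
#        persist_file /netscaler/logon/LogonPoint/rba_logon.html
persist_file() {
    src="$NS_ROOT$1"
    store="$NS_ROOT/var/customizations"
    rc="$NS_ROOT/nsconfig/rc.netscaler"
    base=$(basename "$1")
    if [ ! -f "$src" ]; then
        echo "persist_file: $src does not exist" >&2
        return 1
    fi
    mkdir -p "$store" "$(dirname "$rc")"          # the guide's "create the directory"
    cp "$src" "$store/$base.mod"
    [ -f "$rc" ] || : > "$rc"                      # the guide's "touch /nsconfig/rc.netscaler"
    line="cp $store/$base.mod $src"
    # -x whole-line, -F literal: append only when this exact restore line is absent
    grep -qxF "$line" "$rc" || printf '%s\n' "$line" >> "$rc"
}

# restore_count <path-on-appliance> : number of rc.netscaler lines that restore
# the file; must be exactly 1 however often persist_file has been run
restore_count() {
    rc="$NS_ROOT/nsconfig/rc.netscaler"
    [ -f "$rc" ] || { echo 0; return 0; }
    grep -cF "/$(basename "$1").mod " "$rc" || true
}

# simulate_boot : run rc.netscaler the way the boot scripts do, to confirm the
# customised files come back after the stock files have been reinstalled
simulate_boot() {
    sh "$NS_ROOT/nsconfig/rc.netscaler"
}
```

On the appliance, drop to the shell and call persist_file once per customised file; simulate_boot is a cheap check before a real reboot. An HA pair still needs the .mod files and rc.netscaler on both nodes, as the DFA procedure notes.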

DFA + RSA Agent for StoreFront approach


This solution requires that the following components have already been installed and configured:
 Citrix NetScaler configured with
 Virtual server
 Primary DFA policy with no other authentication policies
 Citrix StoreFront with DFA server enabled
 RSA Authentication Agent for Citrix StoreFront

Note: Refer to the RSA Authentication Agent for Citrix StoreFront Installation and Administration
Guide for more information on these components.

RBA Integration Overview


 Install RSA Risk-Based Authentication Helper
 Configure and upload RBA script and customized pages
 Configure NetScaler Gateway responder policy
Install RSA Risk-Based Authentication Helper application
Install the RSA Risk-Based Authentication Helper web application (RBA Helper) according to the
instructions in the RSA Authentication Agent for Citrix StoreFront Installation and Administration guide.
The only requirement for this solution is that the web application must be reachable from the end user’s
browser.
Two options for accomplishing this are:
1. Install the RSA RBA Helper on a web server (or web servers) in the DMZ along-side the NetScaler
Gateway virtual server.
2. Install the RSA RBA Helper on the StoreFront server in the protected network and expose it using an
SSL bridge configured on the NetScaler Gateway.


Configure and upload RBA script and customized pages


1. Log on to the RSA Authentication Manager Security Console and download the
Citrix_NetScaler_11_12_DFA risk-based authentication integration script (am_integration.js) file.

Important: Download the RBA integration script from the agent host record which corresponds to the
Citrix StoreFront agent.

2. Rename the am_integration.js file to am_integration_servername.js (where servername
matches the NetScaler virtual server's hostname). Open the script in a text editor and set the
following variables according to the instructions included in the script file:
netscalerUrl
netscalerRbaLogonUrl
rbaHelperUrl
cookieDomain
cookiePath
3. Create a new file, name it index_servername_rba.html (where servername matches the
NetScaler virtual server’s hostname) and add the text below. This customized page will redirect the
user to RSA Authentication Manager’s RBA logon page.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Authenticating...</title>
</head>
<body>
<script src="am_integration_servername.js" type="text/javascript"></script>
<script type="text/javascript">
createAndSubmitFormToRBAServer();
</script>
</body>
</html>

4. Save a copy of the /var/netscaler/logon/LogonPoint/index.html file, name it
rba_logon.html and make the changes described below. This customized page will be used by the
RBA Helper to invoke authentication to Citrix StoreFront.
1. Replace line 4 with:
<title>Authenticating...</title>

2. Insert the following script tag on its own line following the <body> tag:
<body>
<script type="text/javascript" src="/logon/LogonPoint/am_integration_servername.js"></script>

3. Insert the following script block on its own line above the </body> tag:
<script>
window.onload=receiveCredentialsFromRBA();
</script>
</body>

5. Upload am_integration_servername.js, index_servername_rba.html and rba_logon.html to
the /var/netscaler/logon/LogonPoint directory on the NetScaler.

Note: If your NetScaler is deployed in an HA pair, these files will need to be uploaded to both the
primary and secondary instances.


6. Execute the following shell commands on the device to copy these files to the customization
directory:
> shell
> cd /netscaler/logon/LogonPoint
> cp am_integration_servername.js /var/customizations/am_integration_servername.js.mod
> cp index_servername_rba.html /var/customizations/index_servername_rba.html.mod
> cp rba_logon.html /var/customizations/rba_logon.html.mod

Note: Create the /var/customizations/ directory if it does not already exist.

7. If the /nsconfig/rc.netscaler file does not yet exist, create it:
> touch /nsconfig/rc.netscaler
8. Add the following lines to rc.netscaler. These commands instruct the NetScaler Gateway to re-copy
your modified files into the vpn directory during each boot sequence (each echo appends one cp
command to rc.netscaler, so run them only once):
> echo cp /var/customizations/am_integration_servername.js.mod /netscaler/logon/LogonPoint/am_integration_servername.js >> /nsconfig/rc.netscaler
> echo cp /var/customizations/index_servername_rba.html.mod /netscaler/logon/LogonPoint/index_servername_rba.html >> /nsconfig/rc.netscaler
> echo cp /var/customizations/rba_logon.html.mod /netscaler/logon/LogonPoint/rba_logon.html >> /nsconfig/rc.netscaler

9. Take note of the RBA target logon page:
https://nsvirtualserver.mycompany.tld/logon/LogonPoint/index_servername_rba.html
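The file staging of steps 6 through 8, collected into one shell function as an added example (not from the RSA or Citrix guide). It assumes servername is the virtual server hostname used in the file names; the directory and rc file paths are parameters that default to the ones the guide uses, and the function only appends a cp line to rc.netscaler when it is not already there, so re-running it does not leave duplicate boot-time commands.

```shell
#!/bin/sh
# Added example, not part of the RSA/Citrix guide.
# stage_rba_files SERVERNAME [LOGON_DIR] [CUST_DIR] [RC_FILE]
#   SERVERNAME: NetScaler virtual server hostname (assumed naming convention
#               am_integration_<servername>.js, index_<servername>_rba.html)
#   Remaining arguments default to the paths used in the guide.
stage_rba_files() {
  servername="$1"
  logon_dir="${2:-/netscaler/logon/LogonPoint}"
  cust_dir="${3:-/var/customizations}"
  rc_file="${4:-/nsconfig/rc.netscaler}"

  # Create the customization directory and rc.netscaler if missing
  # (guide steps 6 and 7).
  mkdir -p "$cust_dir" || return 1
  [ -f "$rc_file" ] || : > "$rc_file"

  for f in "am_integration_${servername}.js" \
           "index_${servername}_rba.html" \
           "rba_logon.html"; do
    src="$logon_dir/$f"
    if [ ! -f "$src" ]; then
      echo "stage_rba_files: missing $src" >&2
      return 1
    fi
    # Keep a .mod copy that survives firmware upgrades (guide step 6).
    cp "$src" "$cust_dir/$f.mod" || return 1
    # Boot-time re-copy line (guide step 8), added only if not present:
    # a plain `echo ... >>` would append a duplicate on every re-run.
    line="cp $cust_dir/$f.mod $logon_dir/$f"
    grep -qxF "$line" "$rc_file" || echo "$line" >> "$rc_file"
  done
}
```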


Configure and bind Responder policy


1. Log on to the NetScaler Gateway web administration console, browse to Configuration >
AppExpert > Responder and click Responder Policy Manager.

2. Configure the Bind Point and click Continue.

3. Click the + icon to create a new responder policy.


4. Click the + icon to create a new Action.

5. Enter the Name, select Redirect from the Type drop-down menu, add the RBA target URL into the
Expression field and click Create.


6. Enter the Expression and click Create:
HTTP.REQ.HOSTNAME.EQ("virtualserver_fqdn")&&HTTP.REQ.URL.EQ("index.html")

7. Check the Policy Binding settings and click Bind.


8. Click Done to complete the configuration.


Login Screenshots
Login screen:

User-defined New PIN:

System-generated New PIN:


Next Tokencode:

Authentication Method Selection:


Certification Checklist for RSA SecurID Access

Certification Environment Details:
RSA Authentication Manager 8.2 SP1, Virtual Appliance
Citrix NetScaler 12.0 VPX

RSA Cloud Authentication Service                    Date Tested: February 20th, 2018

Authentication Method           REST Client   RADIUS Client
RSA SecurID                          -              ✔
LDAP Password                        -              ✔
Authenticate Approve                 -              ✔
Authenticate Tokencode               -              ✔
Device Biometrics                    -              ✔
SMS Tokencode                        -              ✔
Voice Tokencode                      -              ✔
FIDO Token                           -

RSA Authentication Manager                          Date Tested: February 20th, 2018

Authentication Method                     REST Client   UDP Agent   TCP Agent   RADIUS Client
RSA SecurID                                    -            -           -            ✔
RSA SecurID Software Token Automation          -            -           -            ✔
On Demand Authentication                       -            -           -            ✔
Risk-Based Authentication                      -            ✔

✔ = Passed, X = Failed, - = N/A
