NetScaler As ADFS Proxy Deployment Guide - Citrix


Deployment Guide

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Enabling seamless authentication for Office 365 use cases

citrix.com

Deploying NetScaler as an ADFS Proxy

Table of Contents

Introduction
ADFS proxy deployment
Microsoft recommendations for third-party ADFS proxies
Deployment scenario and access flow with NetScaler as ADFS proxy
Benefits of using NetScaler as ADFS proxy
Configuration and setup details
Section A: Active clients / internal user configuration flow
Section B: Passive user configuration flow
Conclusion

Introduction

Recently, more enterprises are migrating to a cloud-based application deployment model. Thanks to cloud-based services such as Microsoft Office 365, this migration has accelerated. Cloud-based app deployment provides significant added value, but at the same time, it changes the underlying infrastructure for the enterprise. One of the critical services enterprise IT teams worry about is authentication for users connecting from within and outside the organization.

When migrating to the cloud, enterprises want to ensure the user experience does not change. However, seamless access to services hosted outside the enterprise data center requires a new component in app deployment design. No one wants the Active Directory password to travel on the wire outside the data center. Therefore, federation becomes a natural and proven alternative. Referring primarily to Microsoft services, Active Directory Federation Services (ADFS) is the solution you are looking for. The ADFS security token service extends the single sign-on (SSO) experience for Active Directory-authenticated clients to resources outside the enterprise data center.

An ADFS server farm allows internal users to access external cloud-hosted services. But the moment external users are brought into the mix, they must be given a way to connect remotely and access cloud-based services through federated identity. This is where an ADFS proxy plays a major role: giving external users SSO access to both internal federation-enabled resources as well as cloud resources such as Office 365. The purpose of the ADFS proxy server is to receive and forward requests to ADFS servers that are not accessible from the Internet.

The ADFS proxy plays a critical role in remote user connectivity and application access. Citrix NetScaler has been playing similar roles, remote user connectivity and application access, for more than a decade. NetScaler has the right technology to enable secure connectivity, authentication and handling of federated identity, and thus it becomes the preferred solution for replacing an existing ADFS proxy or supporting a new ADFS implementation. Most enterprises want to reduce the footprint in the DMZ, and hence, they appreciate the fact that, in addition to its traditional functions, NetScaler can serve as ADFS proxy. This approach avoids the need to deploy an additional component in the DMZ.

ADFS proxy deployment

Packet flow of how the ADFS proxy helps with external user access:

1. External user accesses internal or external applications enabled by ADFS.
2. User is redirected to the applicable federation service for authentication.
3. User is redirected to the enterprise's internal federation service.
4. User is connected to the ADFS proxy in the DMZ and is presented with a sign-on page.
5. ADFS proxy takes inputs from the external user and connects to the ADFS farm.
6. ADFS proxy presents external user credentials to the ADFS farm.
7. ADFS server authenticates the external user with enterprise Active Directory.
8. ADFS server returns an authorization cookie with a signed security token and claims.
9. ADFS proxy sends the token and claim information to the external user.
10. User connects to the federation service where the token and claims are verified.
11. Based on validation, the federation service provides the user with a new security token.
12. The external user provides the new authorization cookie with security token to the resource for access.

In most use cases you will run ADFS and the ADFS proxy farm, which would require load balancing and scale with high availability. If you are using the NetScaler ADC for load balancing of your ADFS proxy farm and other key services, only one additional step is needed to set up NetScaler as a replacement for the ADFS proxy farm. This means NetScaler does not just play the ADC role, but also assumes ownership of the processes performed by the ADFS proxy for the external user access scenario.

NetScaler is a proven remote access solution for the DMZ. We can use the AAA for Traffic Management (AAA-TM) feature of NetScaler to fulfill the ADFS proxy use case while other product security features add to the overall value of this solution.

Microsoft recommendations for third-party ADFS proxies

Microsoft requirement and recommendation                                   NetScaler competency
-------------------------------------------------------------------------  --------------------
Proxy must not modify response body                                        Yes
Proxy must pass through all HTTP headers to back-end STS                   Yes
Proxy must not issue HTTP 302 responses                                    Yes
All requests must be passed through to ADFS farm                           Yes
All external requests must be rerouted to back-end STS                     Yes
Proxy must persist to same STS for multi-legged NTLM auth flow             Persistency
All requests to ADFS must be rerouted to same URL on back-end STS          Yes
Proxy must pass through all query string parameters                        Yes
Proxy may provide form-based login                                         AAA-TM
Proxy may use credentials to perform NTLM auth on ADFS                     SSO
Proxy may also perform two-factor auth as needed                           AAA-TM
For Office 365 access scenarios, proxy must provide additional info        Yes

Deployment scenario and access flow with NetScaler as ADFS proxy

Packet flow of how NetScaler as ADFS proxy helps with internal/external user access:

1. Internal/external user access to the Office 365 application is enabled by ADFS.
2. User is redirected to the applicable federation service for authentication.
3. User is redirected to the enterprise's internal federation service.
4. Internal user is load balanced to the ADFS farm.
5. External user connects to the NetScaler AAA-TM logon page.
6. User is authenticated against Active Directory or a similar authentication service.
7. Post authentication, NetScaler does SSO (Kerberos/NTLM) to the ADFS farm.
8. ADFS server validates SSO credentials and returns an STS token.
9. External user connects to the federation service where the token and claims are verified.
10. Based on validation, the federation service provides the user with a new security token.
11. External user provides the authorization cookie with security token to the resource for access.

Here both internal and external users can go through the NetScaler path, with the only difference being that external users are required to pre-authenticate with the NetScaler AAA-TM module. For this access scenario, the AAA-TM vserver must be set up on NetScaler for pre-authentication. Internal users can be directly load balanced to the ADFS server farm.

Benefits of using NetScaler as ADFS proxy

1. Caters to both load balancing and ADFS proxy needs
2. Works with both internal and external user access scenarios
3. Supports rich methods for pre-authentication
4. Provides an SSO experience for end users
5. Supports both active and passive protocols
   a. Examples of active protocol apps: Outlook, Lync
   b. Examples of passive protocol apps: Outlook Web App, browsers
6. Hardened device for DMZ-based deployment
7. Adds value with additional core ADC features
   a. Content switching
   b. SSL offload
   c. Rewrite
   d. Responder
   e. Rate limit
   f. Security

Note that for active protocol-based scenarios, users connect to Office 365 and provide their credentials. Microsoft Federation Gateway contacts the ADFS service on behalf of the active protocol client and submits their credentials. Post authentication, the ADFS service provides Federation Gateway with a token, which in turn is submitted to Office 365 to provide client access. For active protocol-based use cases, clients typically authenticate on NetScaler using 401 NTLM. The configuration section below describes how to set up NetScaler for both active and passive protocol-based use cases.

Configuration and setup details

This guide provides the configuration workflow for active clients (Section A) as well as passive clients (Section B). Deployments covering both active and passive clients can follow Sections A and B sequentially for the configuration flow.

The configuration given below is for external users. For internal users, use NetScaler as a load balancing vserver for the ADFS farm. If internal users have to be authenticated by NetScaler, the Section A configuration will suffice for both passive and active clients.

Section A: Active clients / internal user configuration flow

1. Create a content switching vserver, bind the SSL certkey, and bind the CA certificate.

2. Create an AAA vserver, bind the SSL certificate, bind a negotiate policy, and bind a session policy for Kerberos SSO. This vserver can be set to a private IP address as it is not accessed externally. Now bind the server and CA certificate to this vserver as shown in step 1.

   Please ensure that the proper DNS server is configured, which is required for client-side NTLM authentication as well as Kerberos SSO. If you have a single DNS server, create a nameserver pointing to it. In the configuration shown in the guide, multiple DNS servers are bound as services to a load balancing vserver.

   Create a negotiate action and policy and bind it to the AAA vserver. Then bind the session policy to the AAA vserver.

3. Create a default load balancing vserver that will send a 401 Negotiate/NTLM response to authenticate the user and perform Kerberos SSO to the backend.

4. Create a load balancing vserver which will simply pass the requests to the backend and convert the request URL from /adfs/services/trust to /adfs/services/trust/proxymex. Bind the server and CA certificate to the newly created vserver.

5. Create a content switching policy for federationmetadata/2007-06/federationmetadata.xml to go to the proxy server without any authentication.

6. Set the load balancing vserver with authentication enabled as the default vserver for the content switching vserver.
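The guide illustrates the six steps above with GUI screenshots. The following NetScaler CLI sequence is an added example of the same Section A build-out; it is not configuration taken from the guide. Every object name, IP address (RFC 1918 and RFC 5737 ranges), hostname, the domain corp.example.com and the service account svc_netscaler are placeholders, and routing /adfs/services/trust to the step 4 vserver through its own content switching policy is an assumption about how that vserver receives traffic. Parameter syntax follows the NetScaler 10.x/11.x CLI as the editor knows it; confirm each command against the command reference for your release before use.

```nscli
# Section A as NetScaler CLI (added example; placeholders throughout)

# Step 1: content switching vserver on the public VIP, with the server certificate and CA chain
add ssl certKey adfs_cert -cert adfs_server.pem -key adfs_server.key
add ssl certKey ca_cert -cert enterprise_ca.pem
add cs vserver cs_adfs SSL 203.0.113.10 443
bind ssl vserver cs_adfs -certkeyName adfs_cert
bind ssl vserver cs_adfs -certkeyName ca_cert -CA

# DNS is required for client-side NTLM and for Kerberos SSO to the farm (single-nameserver form)
add dns nameServer 10.0.0.53

# Step 2: AAA vserver on a private IP, negotiate (Kerberos/NTLM) policy, session policy for SSO
add authentication vserver aaa_adfs_active SSL 10.0.0.20 443
bind ssl vserver aaa_adfs_active -certkeyName adfs_cert
bind ssl vserver aaa_adfs_active -certkeyName ca_cert -CA
add authentication negotiateAction neg_act -domain corp.example.com -domainUser svc_netscaler -domainUserPasswd "<placeholder>"
add authentication negotiatePolicy neg_pol ns_true neg_act
bind authentication vserver aaa_adfs_active -policy neg_pol -priority 100
add tm sessionAction sso_act -SSO ON -ssoCredential PRIMARY -defaultAuthorizationAction ALLOW
add tm sessionPolicy sso_pol ns_true sso_act
bind authentication vserver aaa_adfs_active -policy sso_pol -priority 100

# ADFS farm members reached by the load balancing vservers
add service svc_adfs1 10.0.0.31 SSL 443
add service svc_adfs2 10.0.0.32 SSL 443

# Step 3: default LB vserver; 401 challenge handled through the AAA vserver, SSO to the backend
add lb vserver lb_adfs_default SSL 0.0.0.0 0 -authn401 ON -authnVsName aaa_adfs_active
bind lb vserver lb_adfs_default svc_adfs1
bind lb vserver lb_adfs_default svc_adfs2

# Step 4: pass-through LB vserver that rewrites /adfs/services/trust to /adfs/services/trust/proxymex
add lb vserver lb_adfs_proxymex SSL 0.0.0.0 0
bind lb vserver lb_adfs_proxymex svc_adfs1
bind lb vserver lb_adfs_proxymex svc_adfs2
add rewrite action rw_proxymex_act replace HTTP.REQ.URL.PATH "\"/adfs/services/trust/proxymex\""
add rewrite policy rw_proxymex_pol "HTTP.REQ.URL.PATH.EQ(\"/adfs/services/trust\")" rw_proxymex_act
bind lb vserver lb_adfs_proxymex -policyName rw_proxymex_pol -priority 100 -type REQUEST

# Step 5: content switching to the unauthenticated path for the federation metadata document
# (the /adfs/services/trust rule below is the assumed route to the step 4 vserver)
add cs action cs_act_noauth -targetLBVserver lb_adfs_proxymex
add cs policy cs_pol_metadata -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/federationmetadata/2007-06/federationmetadata.xml\")" -action cs_act_noauth
add cs policy cs_pol_trust -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/adfs/services/trust\")" -action cs_act_noauth
bind cs vserver cs_adfs -policyName cs_pol_metadata -priority 100
bind cs vserver cs_adfs -policyName cs_pol_trust -priority 110

# Step 6: everything not matched above falls through to the authenticating vserver
bind cs vserver cs_adfs -lbvserver lb_adfs_default

save ns config
```

The policies bound with explicit priorities are evaluated before the default binding, so only the metadata document and the trust endpoint bypass the 401 challenge; every other ADFS path is answered by lb_adfs_default and therefore by the AAA vserver. Keep the service account password out of scripts and change-control records; enter it interactively or through a secrets mechanism and leave the placeholder in any stored copy.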

Section B: Passive user configuration flow

Note: we will use the same content switching vserver created in Section A but with different rules corresponding to passive clients.

1. Create an AAA vserver, set the authentication domain, and bind an LDAP policy.
   a. Create a KCD account for Kerberos impersonation and a session policy for SSO.
   Bind the SSL server and CA certificate to the vserver.

2. Create a KCD account for Kerberos impersonation and ensure that DNS and NTP servers are configured properly. Create a session policy and bind it to the AAA vserver.

3. Create a load balancing vserver to handle requests to /adfs/ls/auth/integrated (for ADFS 2.0) or /adfs/ls/wia (for ADFS 3.0). Enable that vserver for form-based authentication.

4. Create a content switching action and policy and bind it to the content switching vserver.
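As with Section A, the guide shows these four steps as screenshots. The NetScaler CLI sequence below is an added example of the Section B build-out, not configuration from the guide. It assumes the content switching vserver cs_adfs, the services svc_adfs1 and svc_adfs2 and the certkeys adfs_cert and ca_cert already exist from a Section A build; all names, addresses, hostnames, the realm CORP.EXAMPLE.COM, the LDAP base DN and the service account are placeholders. Syntax follows the NetScaler 10.x/11.x CLI as the editor knows it and should be checked against the command reference for your release.

```nscli
# Section B as NetScaler CLI (added example; placeholders throughout)
# Assumes cs_adfs, svc_adfs1, svc_adfs2, adfs_cert and ca_cert from the Section A build

# Step 2 prerequisite: Kerberos needs correct time and name resolution
add ntp server 10.0.0.5
enable ntp sync
add dns nameServer 10.0.0.53

# Step 1: externally reachable AAA vserver with an authentication domain and LDAP over SSL
add authentication vserver aaa_adfs_passive SSL 203.0.113.11 443 -authenticationDomain corp.example.com
bind ssl vserver aaa_adfs_passive -certkeyName adfs_cert
bind ssl vserver aaa_adfs_passive -certkeyName ca_cert -CA
add authentication ldapAction ldap_act -serverIP 10.0.0.53 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example,dc=com" -ldapBindDn "svc_netscaler@corp.example.com" -ldapBindDnPassword "<placeholder>" -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_pol ns_true ldap_act
bind authentication vserver aaa_adfs_passive -policy ldap_pol -priority 100

# Steps 1a and 2: KCD account for Kerberos impersonation, session policy that uses it for SSO
add aaa kcdAccount kcd_adfs -realmStr CORP.EXAMPLE.COM -delegatedUser svc_netscaler -kcdPassword "<placeholder>"
add tm sessionAction sso_kcd_act -SSO ON -kcdAccount kcd_adfs -defaultAuthorizationAction ALLOW
add tm sessionPolicy sso_kcd_pol ns_true sso_kcd_act
bind authentication vserver aaa_adfs_passive -policy sso_kcd_pol -priority 100

# Step 3: LB vserver for the integrated-auth endpoints, form-based authentication via the AAA vserver
# (aaa.corp.example.com must resolve to the AAA vserver VIP and match its certificate)
add lb vserver lb_adfs_wia SSL 0.0.0.0 0 -Authentication ON -AuthenticationHost aaa.corp.example.com -authnVsName aaa_adfs_passive
bind lb vserver lb_adfs_wia svc_adfs1
bind lb vserver lb_adfs_wia svc_adfs2

# Step 4: content switching action and policy for /adfs/ls/auth/integrated (ADFS 2.0) and /adfs/ls/wia (ADFS 3.0)
add cs action cs_act_wia -targetLBVserver lb_adfs_wia
add cs policy cs_pol_wia -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/adfs/ls/auth/integrated\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/adfs/ls/wia\")" -action cs_act_wia
bind cs vserver cs_adfs -policyName cs_pol_wia -priority 50

save ns config
```

Because the passive policy is bound at priority 50, browser requests for the integrated-auth endpoints are switched to the form-based vserver before the Section A rules are evaluated, while the metadata bypass and the 401 default path continue to serve active clients. The KCD account only needs the delegated service account to be trusted for constrained delegation to the ADFS farm's HTTP service; grant nothing broader.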

Conclusion

NetScaler is a proven solution for fast, reliable, high-availability and secure app delivery in remote access use cases. Extending these capabilities to include functioning as ADFS proxy increases the total value NetScaler delivers to the enterprise. It becomes a single gateway point for all enterprise user access, including remote access to Office 365. Beyond its core functionality, NetScaler helps to improve the end-user experience and the scalability and stability of the whole deployment. Furthermore, the same NetScaler appliance can also be used for other remote access use cases, given that it is deployed in the DMZ. There is great value in consolidating all such remote access and authentication use cases through a single NetScaler ADC appliance.

Corporate Headquarters: Fort Lauderdale, FL, USA
India Development Center: Bangalore, India
Latin America Headquarters: Coral Gables, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
Online Division Headquarters: Santa Barbara, CA, USA
UK Development Center: Chalfont, United Kingdom
EMEA Headquarters: Schaffhausen, Switzerland
Pacific Headquarters: Hong Kong, China

About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of 2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com

Copyright 2015 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. 0115/PDF

