Symantec VIP Integration Guide For Citrix NetScaler


Table of Contents

Using Symantec VIP with Citrix NetScaler  4
  System requirements  4
  VIP supported features  4
  Authentication workflows  5
    Workflows for RADIUS Authentication using User ID – Security Code  5
    Workflows for RADIUS Authentication using User ID – LDAP Password – Security Code  7
Integrating the Symantec VIP integration module with Citrix NetScaler  9
  Adding a Validation server  9
  Configuring the Citrix NetScaler device for VIP Enterprise Gateway  10
    Adding LDAP Authentication Server and Policy for enabling first-factor authentication  10
      Adding the LDAP Authentication Server  11
      Adding the LDAP Authentication Policy  11
    Configuring RADIUS Authentication using User ID - Security Code  11
      Step 1. Adding the RADIUS Authentication Policy and Server  11
      Step 2. Configuring NetScaler Gateway Virtual Server  13
    RADIUS Authentication using User ID - LDAP Password - Security Code  13
      Step 1. Adding the Authentication Policy and Server  14
      Step 2. Configuring NetScaler Gateway Virtual Server  17
  Testing the Integration  17
    Authentication Method 1: User ID – Security Code  18
      Hardware and VIP Access Credential Authentication  18
      SMS/Voice Authentication  19
      VIP Access Push Authentication  20
    Authentication Method 2: User ID – LDAP Password – Security Code  20
      Hardware and VIP Access Credential Authentication  20
      SMS/Voice Authentication  21
      VIP Access Push Authentication  22
Integrating VIP JavaScript with Citrix NetScaler  23
  Prerequisites  23
  Configuring VIP JavaScript with VIP components  23
  Self Service Portal configuration  24
  Integrating the VIP JavaScript code with your Citrix NetScaler device  24
    Integrating JavaScript with Citrix NetScaler 10.x  24
      Task 1: Generating JavaScript code from VIP Manager  25
      Task 2: Updating the Citrix NetScaler Sign-in page  25
    Integrating JavaScript with Citrix NetScaler 11.0  25
      Citrix NetScaler 11.0 configured with User ID – Security Code Validation server  26
      Citrix NetScaler 11.0 configured with User ID – LDAP Password – Security Code Validation server  27
    Integrating JavaScript with Citrix NetScaler 11.1/12.1  28
      Citrix NetScaler 11.1 configured with User ID – Security Code Validation server  28
      Citrix NetScaler 11.1/12.1 configured with User ID - LDAP Password - Security Code Validation server  30
      Citrix NetScaler 12.1 configured with User ID - Security Code Validation server using nFactor authentication with VIP Integration Code for JavaScript  30
    Testing the JavaScript integration  33
Advanced configurations for online authentication  34
  Configuring native nFactor authentication support for VIP  34
    nFactor authentication support considerations  34
    Configuring VIP to natively support nFactor authentication  34
    Test nFactor authentication support  36
  Supporting selective two-factor authentication for a specific set of users  37
  Customizing the logon page for Citrix NetScaler 11.0  39
  Customizing the logon page for Citrix NetScaler 10.x  39
Troubleshooting issues and solutions  40
Copyright statement  41

Using Symantec VIP with Citrix NetScaler

Traditional user name and password authentication is no longer enough to meet today's evolving security threats and regulatory requirements. However, users demand an easy-to-use authentication solution. Corporate data and application security requires stronger, smarter authentication which also offers greater ease of use.

Symantec VIP is a cloud-based authentication service that enables enterprises to securely access online transactions, meet compliance standards, and reduce fraud risk. VIP provides an additional layer of protection beyond the standard user name and password. VIP offers a wide variety of additional authentication capabilities, including:

- Two-factor authentication: dynamic, one-time-use security codes that are generated by a VIP credential in the form of mobile apps, desktop software, security tokens, and security cards.
- Out-of-band authentication: dynamic, one-time-use security codes that are delivered by phone call, by SMS text message or email, or by push notifications to a registered mobile device.

VIP is based on OATH open standards, an industry-wide consortium working with other groups to promote widespread strong authentication. Because Symantec hosts the service, enterprises engage one solution to support multiple enterprise, partner, and customer-facing applications that require strong authentication. This guide helps administrators prepare for VIP integration by providing a comprehensive outline for planning, decision making, and task prioritization for a successful deployment.

Users generate a security code on a VIP credential that they register with Symantec's VIP Service. They use that security code, along with their user name and password, to gain access to the resources that are protected by the Citrix NetScaler device.

Refer to the following topics to learn more about the integration requirements and how the integration works:
- System requirements
- VIP supported features
- Authentication workflows

System requirements

The integration environment that is described in this document is based on the following software:

Table 1: System requirements
Product: Partner Product; Description: Citrix NetScaler 9.x, 10.x, 11.0, 11.1, 12.1
Product: VIP Enterprise Gateway; Description: Version 9.8 or later
Product: Authentication Methods Supported; Description: User ID – Security Code; User ID – LDAP Password – Security Code; Intelligent Authentication (IA)/Push

VIP supported features

Table 2 lists the VIP Enterprise Gateway features that are supported with Citrix NetScaler.

Table 2: VIP supported features
First-factor authentication:
- AD/LDAP password through VIP Enterprise Gateway: Yes
- VIP PIN: No
Second-factor authentication:
- VIP Push: Yes
- SMS: Yes
- Voice: Yes
Selective strong authentication:
- End user-based: Yes
- Risk-based: Yes
General authentication:
- Multi-domain: Yes
- Anonymous user name: Yes
- Legacy authentication provider integration (delegation): Yes
- AD password reset: Yes
Integration method:
- VIP JavaScript: Yes
- VIP Login: No
- RADIUS: Yes

Authentication workflows

The VIP integration module for Citrix NetScaler supports strong authentication in the following authentication methods. Refer to the appropriate topic for information about authentication workflows:
- RADIUS Authentication using User ID – Security Code: see Workflows for RADIUS Authentication using User ID – Security Code
- RADIUS Authentication using User ID – LDAP Password – Security Code: see Workflows for RADIUS Authentication using User ID – LDAP Password – Security Code

Workflows for RADIUS Authentication using User ID – Security Code

The following diagram illustrates the workflow for RADIUS authentication using User ID - Security Code for VIP Enterprise Gateway.

Table 3: Workflow description
Step 1: The user enters a user name, password, and a security code on the browser or plug-in based logon screen.
Step 2: As the first part of the two-factor authentication process, the Citrix NetScaler device sends the user name and password to the User Store. For example, the User Store can be AD/LDAP. If the User Store authenticates the user name and password, it returns the group permission details to the Citrix NetScaler device with the authentication response.
Step 3: As the second part of the two-factor authentication process, the Citrix NetScaler device sends the user name and security code to VIP Enterprise Gateway for authentication.
Step 4: The VIP Enterprise Gateway Validation server authenticates the user name and security code with VIP Service. VIP Service sends an authentication response to VIP Enterprise Gateway.
Step 5: If VIP Service successfully authenticates the user name and security code, then VIP Enterprise Gateway returns an Access-Accept authentication response to the Citrix NetScaler device.
Step 6: Based on the Access-Accept authentication response, the Citrix NetScaler device gives the user access to the protected resources.

Workflows for RADIUS Authentication using User ID – LDAP Password – Security Code

The following diagram illustrates the workflow for RADIUS authentication using User ID - LDAP Password - Security Code for VIP Enterprise Gateway.

Table 4: Workflow description
Step 1: The user enters a user name, password, and a security code on the browser or plug-in based logon screen.
Step 2: The Citrix NetScaler device sends the user name, password, and security code to VIP Enterprise Gateway.
Step 3: As the first part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and password against your User Store. For example, your User Store can be AD/LDAP. If the User Store authenticates the user name and password, the authentication response includes the group permission details.
Step 4: As the second part of the two-factor authentication process, VIP Enterprise Gateway authenticates the user name and security code with VIP Service.
Step 5: If VIP Service successfully authenticates the user name and security code, then VIP Enterprise Gateway returns an Access-Accept authentication response to the Citrix NetScaler device.
Step 6: Based on the Access-Accept authentication response, the Citrix NetScaler device gives the user access to the protected resources.
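The RADIUS leg that Tables 3 and 4 describe (NetScaler sends the user name and security code, the Validation server answers Access-Accept or Access-Reject) is easy to reason about once the packet format is visible. The following is an added example written for this guide; it is not Symantec or Citrix code and does not talk to a real Validation server. It builds an RFC 2865 Access-Request with the security code hidden in the User-Password attribute, answers it from a stand-in Validation server backed by a constructed VIP Service stub, and then checks the Response Authenticator the way a RADIUS client must. The shared secret, the user, the security code and the group name "vpn-users" are all placeholders. It also shows two details the configuration steps later in this guide depend on: the Secret Key on the NetScaler and the VIP RADIUS Shared Secret must be identical (a mismatch makes every response fail verification and get discarded, which looks like a time-out rather than a rejection), and group information comes back in the Class attribute, RADIUS attribute type 25.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865. Class (25) is the
# attribute type the guide's Group Attribute Type note refers to.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25

# Constructed sample data (not from the guide): a placeholder shared secret, a
# stand-in for VIP Service that knows the currently valid code per user, and the
# LDAP group name the Validation server would map into the Class attribute.
NETSCALER_SECRET = b"placeholder-shared-secret"
VIP_SERVICE_STUB = {"jdoe": b"123456"}
LDAP_GROUP_STUB = b"vpn-users"


def _attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(payload):
    """Decode a Type/Length/Value attribute list into a dict keyed by type."""
    attrs, i = {}, 0
    while i < len(payload):
        atype, length = payload[i], payload[i + 1]
        attrs[atype] = payload[i + 2:i + length]
        i += length
    return attrs


def _hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def _reveal_password(hidden, secret, request_auth):
    """Inverse of _hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, user, security_code, secret):
    """What the NetScaler sends in workflow step 3: the user name plus the
    security code carried in User-Password, hidden with the shared secret."""
    request_auth = secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, _hide_password(security_code.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def validation_server(request, secret, vip_service=VIP_SERVICE_STUB):
    """Stand-in for the VIP Enterprise Gateway Validation server (steps 4-5):
    recover the code, ask the stubbed VIP Service, answer Accept or Reject."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    code = _reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    accepted = hmac.compare_digest(vip_service.get(user, b""), code)
    resp_attrs = _attr(ATTR_CLASS, LDAP_GROUP_STUB) if accepted else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT,
                         identifier, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def second_factor(user, security_code, netscaler_secret, gateway_secret):
    """Run the RADIUS leg end to end and report what the NetScaler would do."""
    request = build_access_request(1, user, security_code, netscaler_secret)
    response = validation_server(request, gateway_secret)
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length]
                           + netscaler_secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        # RFC 2865 requires silently discarding a response that fails this check,
        # so a mismatched Secret Key surfaces as a time-out, not as a reject.
        return "dropped", None
    if code != ACCESS_ACCEPT:
        return "reject", None
    return "accept", _parse_attrs(response[20:length]).get(ATTR_CLASS, b"").decode()


if __name__ == "__main__":
    print(second_factor("jdoe", "123456", NETSCALER_SECRET, NETSCALER_SECRET))
    print(second_factor("jdoe", "000000", NETSCALER_SECRET, NETSCALER_SECRET))
    print(second_factor("jdoe", "123456", NETSCALER_SECRET, b"different-secret"))
```

The three calls at the bottom correspond to a correct code (Accept, with the group name carried in Class), a wrong code (Reject), and a Secret Key that differs from the VIP RADIUS Shared Secret (the response is discarded). The third case is why the guide insists the two secrets be the same and why, when they are not, the symptom on the NetScaler is a RADIUS time-out rather than a clean logon failure.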

Integrating the Symantec VIP integration module with Citrix NetScaler

Complete the following general steps to integrate the Symantec VIP integration module with Citrix NetScaler:

Table 5: Procedures for integrating Symantec VIP with Citrix NetScaler
Step 1: Add the Validation server. See Adding a Validation server.
Step 2: Configure the Citrix NetScaler device for Symantec VIP Enterprise Gateway. See Configuring the Citrix NetScaler device for VIP Enterprise Gateway.
Step 3: Test the integration. See Testing the Integration.

Once you have integrated the Symantec VIP integration module with Citrix NetScaler, continue with the procedures for integrating the VIP JavaScript with Citrix NetScaler. See Integrating VIP JavaScript with Citrix NetScaler.

Adding a Validation server

Complete the following steps to create a Validation server:
1. Log on to VIP Enterprise Gateway and click the Validation tab.
2. Click Add Server. The Add RADIUS Validation server dialog box is displayed.
3. Configure the RADIUS validation parameters:
   Vendor: Select Citrix Systems from the drop-down list.
   Application Name: Select the vendor's application that you use, Citrix NetScaler.
   Authentication Mode: Select the mode that you want to use for first and second-factor authentication.
   - UserID – Security code: In this authentication mode, your User Store such as AD/LDAP validates the first factor (user name and password). VIP Enterprise Gateway validates the second factor (user name and security code) with VIP Service. Ensure that your first-factor validation works before selecting this authentication mode.
   - UserID – LDAP Password – Security code: In this authentication mode, VIP Enterprise Gateway validates the first factor (user name and password) with your User Store, such as AD/LDAP. VIP Enterprise Gateway validates the second factor (user name and security code) with VIP Service.
   Optionally, if you want to authorize the user according to the LDAP Groups, then you must configure the LDAP–RADIUS mapping in the Validation server.
4. Click Continue to add the Validation server.

Configuring the Citrix NetScaler device for VIP Enterprise Gateway

Complete the following procedures to configure the NetScaler device for your authentication method. See the NetScaler product documentation for specific details.

NOTE: The screen examples within these procedures have been captured from Citrix NetScaler VPX (version NS 11.0). See the product documentation for your version of the NetScaler device for specific procedures.

Table 6: Steps for configuring the Citrix NetScaler device for VIP Enterprise Gateway
Step 1: Add an LDAP Authentication server and authentication policy. See Adding LDAP Authentication Server and Policy for enabling first-factor authentication.
Step 2: Configure RADIUS authentication for the authentication method you require:
   - Configuring RADIUS Authentication using User ID - Security Code
   - RADIUS Authentication using User ID - LDAP Password - Security Code
Step 3: Test the integration. See Testing the Integration.

Adding LDAP Authentication Server and Policy for enabling first-factor authentication

Before you can integrate the VIP Integration Code with the Citrix NetScaler device for second-factor authentication, you must enable first-factor authentication. Complete the following steps to add an LDAP Authentication server and authentication policy to enable first-factor authentication:
- Adding the LDAP Authentication Server
- Adding the LDAP Authentication Policy

Adding the LDAP Authentication Server

Perform the following steps to add the LDAP Authentication Server:
1. In the navigation pane, expand System > Authentication and select LDAP.
2. From the Servers tab, click Add.
3. In the Create Authentication Server dialog box, type a name for the server in the Name field (for example, NetScaler AD).
4. In the Server section, enter the following:
   - IP address for the LDAP server
   - Port
   - Time-out value in seconds
5. Under Connection Settings, enter the Base DN, Administrator Bind DN, and Administrator Password. Confirm your Administrator Password.
6. Under Other Settings, enter the Server Logon Name Attribute, Search Filter, Group Attribute, and Sub Attribute Name.
7. For Security Type, select Plain Text, and select the Authentication and User Required fields check boxes.
8. Click Create.

Adding the LDAP Authentication Policy

Perform the following steps to add the LDAP Authentication Policy:
1. From the Policies tab, click Add.
2. In the Create Authentication Policy dialog box, type a name for the policy in the Name field.
3. Select the authentication server that you created previously (for example, NetScaler AD).
4. Under Expression, you can add your own expression according to the policy.
   NOTE: For test purposes only, ns_true was added as the Expression. Add the appropriate policy according to your enterprise requirements.
5. Click Create.

Configuring RADIUS Authentication using User ID - Security Code

Configuring RADIUS authentication for User ID - Security Code requires two steps:
- Step 1. Adding the RADIUS Authentication Policy and Server
- Step 2. Configuring NetScaler Gateway Virtual Server

Step 1. Adding the RADIUS Authentication Policy and Server

1. In the navigation pane, expand System > Authentication and select RADIUS. If you use Citrix NetScaler 12.1, expand System > Authentication > Basic Policy and select RADIUS.
2. From the Policy tab, click Add. The Create Authentication RADIUS Policy page is displayed.
3. In the Create Authentication Policy box, type a name for the policy in the Name field.
4. From the Server drop-down list, select the option to add a VIP RADIUS server.

5. In the Create Authentication RADIUS Server dialog box, type a name for the server in the Name field.
6. In the Server section, specify values for each of the following parameters:
   IP Address: Enter the IP address of the Validation Server.
   Port: Enter the port number of the Validation Server.
   Time-out: Enter a value in seconds. Note: If you integrate out-of-band authentication (SMS, Voice, or Push), set the Time-out field to a minimum value of 60 seconds to avoid authentication failures.
   Secret Key: Enter the secret key and confirm it. Be sure that the Secret Key and the VIP RADIUS Shared Secret Key are the same.

7. Click Create to create the RADIUS Server.
8. In the Create Authentication RADIUS Policy page, under Expression, you can add your own expression according to the policy.
   NOTE: For test purposes only, ns_true is added as the Expression. Add the appropriate policy according to your enterprise requirements.
9. Click Create.

Step 2. Configuring NetScaler Gateway Virtual Server

1. In the navigation pane, expand NetScaler Gateway > Virtual Servers, and click Add to create a new virtual server or Open the existing virtual server.
2. Ignore Step 2 to Step 4 if the LDAP server is already configured as the primary authentication server.
3. Under the Authentication section, click the option.
4. From the Choose Policy drop-down list, select LDAP as the Policy and Primary as the Type, and click Continue.
5. Click Bind to select your LDAP policy and then click Insert.
6. Under the Authentication section, click the option.
7. From the Choose Policy drop-down list, select RADIUS as the Policy and Secondary as the Type, and click Continue.
8. Click Bind to select your RADIUS policy and then click Insert.
9. Click OK.

RADIUS Authentication using User ID - LDAP Password - Security Code

Configuring RADIUS authentication for User ID - LDAP Password - Security Code requires two steps:

- Step 1. Adding the Authentication Policy and Server
- Step 2. Configuring NetScaler Gateway Virtual Server

Step 1. Adding the Authentication Policy and Server

1. In the navigation pane, expand System > Authentication, and select RADIUS. If you use Citrix NetScaler 12.1, expand System > Authentication > Basic Policy and select RADIUS.
2. From the Policy tab, click Add. The Create Authentication RADIUS Policy page is displayed.
3. In the Create Authentication Policy box, type a name for the policy in the Name field.
4. From the Server drop-down list, select the option to add a VIP RADIUS server.
5. In the Create Authentication Policy dialog box, type a name for the policy in the Name field.
6. From the Server field, select the server that you created previously (for example, VIP Server 1).
7. In the Create Authentication Server dialog box, type a name for the server in the Name field.

8. In the Server section, specify values for each of the following parameters:
   IP Address: Enter the IP address of the Validation Server.
   Port: Enter the port number of the Validation Server.
   Time-out: Enter a value in seconds. Note: If you integrate out-of-band authentication (SMS, Voice, or Push), set the Time-out field to a minimum value of 60 seconds to avoid authentication failures.
   Secret Key: Enter the secret key and confirm it. Be sure that the Secret Key and the VIP RADIUS Shared Secret Key are the same.
9. Click Details to expand the advanced configuration and enter a value in the Group Attribute Type field. The value must match the RADIUS Mapping Attribute value that you entered when configuring the RADIUS–LDAP mapping in the VIP Enterprise Gateway Validation server. Ignore this step if you do not want to authorize a user based on the LDAP group.

   NOTE: In this example, the Validation server RADIUS Mapping Attribute is selected as Class. The Class value of 25 was entered as the Group Attribute Type in the Citrix authentication server. Refer to the RFC for the RADIUS attribute numeric value.
10. On the Create Authentication RADIUS Policy page, under Expression, you can add your own expression according to the policy.
   NOTE: For test purposes only, ns_true was added as the Expression. Add the appropriate policy according to your enterprise requirements.

11. Click Create.

Step 2. Configuring NetScaler Gateway Virtual Server

1. In the navigation pane, expand NetScaler Gateway > Virtual Servers.
2. Click Open the existing virtual server. If any other server is configured as the primary server, remove it.
3. Under the Authentication section, click the option.
4. From the Choose Policy drop-down list, select RADIUS as the Policy and Primary as the Type, and click Continue.
5. Click Bind to select your RADIUS policy and then click Insert.
6. Click OK.

Testing the Integration

This section describes the procedures for testing the integration of Citrix NetScaler with Symantec VIP. An authentication method can integrate the following verification mechanisms:
- Hardware and VIP Access Credential: In this method, the security code that you generate on your hardware or VIP Access credential is used with your user name and password to access the protected resources.
- SMS/Voice: If you have configured out-of-band (OOB) authentication in the VIP Enterprise Gateway Validation server and in VIP Manager, then a security code is sent to your registered mobile device over SMS or Voice. You must use this security code besides the user name and password to access the protected resources.
- VIP Access Push: For users who have installed VIP Access on their registered mobile devices, VIP Service sends a VIP Push notification message to the mobile device. The user must tap Allow on the device to perform the second-factor authentication and complete the sign-in.

To test the integration, you can access Citrix Access Gateway in the following ways:
- Browser-based logon
- Plug-in-based logon

Each authentication method contains instructions to access Citrix Access Gateway.

Refer to the following topics for details on testing the integration, based on the authentication method and verification mechanism:

Table 7: Procedures for testing the integration based on authentication method and verification mechanism
Authentication Method 1: User ID – Security Code
- Hardware and VIP Access Credential Authentication
- SMS/Voice Authentication
- VIP Access Push Authentication
Authentication Method 2: User ID – LDAP Password – Security Code
- Hardware and VIP Access Credential Authentication
- SMS/Voice Authentication
- VIP Access Push Authentication

Authentication Method 1: User ID – Security Code

Refer to the appropriate topic for details on testing a User ID - Security Code integration with the following verification mechanisms:
- Hardware and VIP Access Credential Authentication
- SMS/Voice Authentication
- VIP Access Push Authentication

Hardware and VIP Access Credential Authentication

1. Access the logon page as follows:
   - For browser-based logon: Access the Citrix Access Gateway Virtual Server (for example, https://mycitrix.com). The logon page is displayed.
   - For plug-in-based logon: Double-click the Access Gateway Plug-in icon. The Citrix Access Gateway window is displayed.

2. Enter the user name and password.
   NOTE: For details on customization, refer to the appropriate topic: Customizing the logon page for Citrix NetScaler 11.0; Customizing the logon page for Citrix NetScaler 10.x.
3. Update the Security Code (or Secondary password) field as follows:
   - For browser-based logon: Enter the security code that you generate on your hardware or VIP Access credential.
   - For plug-in-based logon: Right-click for advanced options to enable the Secondary password field, and then enter the security code that you generate on your hardware or VIP Access credential.
4. Click Log On for browser-based logon (or click Connect for plug-in-based logon). After successful authentication, you can access the protected resources.

SMS/Voice Authentication

1. Access the logon page as follows:
   - For browser-based logon: Access the Citrix Access Gateway Virtual Server (for example, https://mycitrix.com). The logon page is displayed.
   - For plug-in-based logon: Double-click the Access Gateway Plug-in icon. The Citrix Access Gateway window is displayed.

2. Enter the user name and password.
3. Update the Security Code (or Secondary password) field as follows:
   - For browser-based logon: Enter Push or Send.
   - For plug-in-based logon: Right-click for advanced options to enable the Secondary password field, and then enter Push or Send.
   NOTE: The keywords Push and Send are not case-sensitive.
4. Click Log On for browser-based logon (or click Connect for plug-in-based logon). If the credentials are correct, you receive a security code over SMS or Voice on your registered mobile device and the Challenge page is displayed.
5. In the Enter Your Security Code field, enter the security code that you received on your device.
6. Click Submit for browser-based logon (or click Send Response for plug-in-based logon). After successful authentication, you can access the protected resources.

VIP Access Push Authentication

1. Access the logon page as follows:
   - For browser-based logon: Access the Citrix Access Gateway Virtual Server (for example, https://mycitrix.com). The logon page is displayed.
   - For plug-in-based logon: Double-click the Access Gateway Plug-in icon. The Citrix Access Gateway window is displayed.
2. Enter the user name and password.
3. Update the Security Code (or Secondary password) field as follows:
   - For browser-based logon: Enter Push or Send.
   - For plug-in-based logon: Right-click for advanced options
