SSO and Proxy Considerations for MDX Apps

Jan. 12, 2017

XenMobile integration with NetScaler enables you to provide users with single sign-on (SSO) to all back-end HTTP/HTTPS resources. Depending on your SSO authentication requirements, you can configure the user connections of an MDX app to use Secure Browse, a form of clientless VPN in which NetScaler proxies the HTTP session, or Full VPN Tunnel. If NetScaler isn't the best way to provide SSO in your environment, you can instead set up an MDX app with policy-based local password caching, which keeps the user's web credentials on the device inside the MDX-managed app. This article explores the various SSO and proxy options, with a focus on Secure Web; the concepts apply to other MDX apps.

The following flow chart summarizes the decision flow for SSO and user connections.

[Figure: flow chart of the SSO and user-connection decision flow. The image is not reproduced here.]

NetScaler Authentication Methods

The following table summarizes the authentication methods that NetScaler supports for SSO. For each option, the first paragraph describes how it works and the Configuration paragraph summarizes what you must set up.

SAML Authentication
  When you configure NetScaler for Security Assertion Markup Language (SAML), users can connect to web applications that support the SAML protocol for single sign-on. NetScaler Gateway can act as the identity provider (IdP) that signs users on to those SAML web applications.
  Configuration: Configure SAML SSO in the NetScaler Traffic profile, and configure the SAML IdP for the requested service.

NTLM Authentication
  NetScaler performs NTLM SSO automatically when SSO to web applications is enabled in the session profile.
  Configuration: Enable SSO in the NetScaler Session or Traffic profile.

Kerberos Impersonation
  XenMobile supports Kerberos for Secure Web only.
  When you configure NetScaler for Kerberos SSO, NetScaler uses impersonation when the user's password is available to it (for example, because the user authenticated to NetScaler Gateway with that password). NetScaler uses the user's own credentials to obtain the Kerberos tickets needed to access the back-end service, such as the web site that Secure Web opens. This mode needs no delegation rights in Active Directory, but it cannot be used when users authenticate without a password, such as with client certificates only.
  Configuration: Configure the NetScaler Worx Session policy so that NetScaler can identify the Kerberos realm from the connection. On NetScaler, configure a Kerberos Constrained Delegation (KCD) account that has no password, and bind it to a traffic policy on your XenMobile gateway.
  For those and other configuration details, see the Citrix blog, WorxWeb and Kerberos Impersonation SSO.

Kerberos Constrained Delegation
  XenMobile supports Kerberos for Secure Web only.
  When you configure NetScaler for Kerberos SSO, NetScaler uses constrained delegation when the user's password is not available to it, for example when users authenticate with client certificates. With constrained delegation, NetScaler uses a dedicated delegation account to obtain service tickets on behalf of users. That account needs delegation rights to the target services in Active Directory, not domain administrator membership. Because it can obtain tickets for any user to the services it is allowed to delegate to, restrict it to the service principal names (SPNs) that Secure Web actually needs and protect its password or keytab.
  Configuration: Configure a KCD account in Active Directory with the required delegation permissions and a corresponding KCD account on NetScaler. Enable SSO in the NetScaler Traffic profile. Configure the back-end web site for Kerberos authentication.
  For those and other configuration details, see the Citrix blog, Configuring Kerberos Single Sign-on for WorxWeb.

Form Fill Authentication
  When you configure NetScaler for form-based single sign-on, users log on one time to NetScaler, which then completes the logon forms of the protected applications in your network on their behalf. Applies to apps that use Secure Browse or Full VPN modes.
  Configuration: Configure form-based SSO in the NetScaler Traffic profile.

Digest HTTP Authentication
  NetScaler performs Digest SSO automatically when you enable SSO to web applications in the session profile. Applies to apps that use Secure Browse or Full VPN modes.
  Configuration: Enable SSO in the NetScaler Session or Traffic profile.

Basic HTTP Authentication
  NetScaler performs Basic SSO automatically when you enable SSO to web applications in the session profile. Basic authentication carries the password in every request, only base64-encoded, so use it only for back ends that NetScaler reaches over HTTPS. Applies to apps that use Secure Browse or Full VPN modes.
  Configuration: Enable SSO in the NetScaler Session or Traffic profile.

Secure Browse, Full VPN Tunnel, or Full VPN Tunnel with PAC

The following table describes the user connection types for Secure Web. Also see the Secure Web article in the Citrix documentation, Configuring User Connections.

Full VPN Tunnel
  Connections that tunnel to the internal network can use a full VPN tunnel, configured by the Secure Web Preferred VPN mode policy. Citrix recommends Full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP. You can use full VPN tunnel with Windows and Mac computers as well as iOS and Android devices.
  In Full VPN Tunnel mode, the TLS session runs end to end between the device and the resource, so NetScaler has no visibility inside an HTTPS session and cannot insert credentials into it. SSO for HTTPS resources in this mode therefore has to come from the app itself, for example through web password caching.

Secure Browse
  Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as Secure Browse. This is the default setting of the Secure Web Preferred VPN mode policy. Citrix recommends Secure Browse for connections that require single sign-on (SSO).
  In Secure Browse mode, NetScaler breaks the HTTPS session into two parts: client-to-NetScaler and NetScaler-to-back-end resource server. NetScaler therefore has full visibility into every transaction between client and server, which is what lets it add the credentials needed for SSO. The flip side is that NetScaler, not the device, is the TLS client to the back end: the gateway sees the plaintext of the session, and a client certificate on the device cannot be presented to the back-end server, which is why Full VPN Tunnel is recommended for those cases.
  You can also configure proxy servers for Secure Web in Secure Browse mode. For details, see the blog XenMobile WorxWeb Traffic Through Proxy Server in Secure Browse Mode.

Full VPN Tunnel with PAC
  You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment for Secure Web on iOS and Android devices. XenMobile supports proxy authentication if NetScaler provides it. A PAC file contains rules that define how a web browser selects a proxy for a given URL; the rules can specify handling for both internal and external sites. Secure Web parses the PAC file rules and sends the resulting proxy server information to NetScaler Gateway. NetScaler Gateway itself is unaware of the PAC file or the proxy server.
  For authentication to HTTPS web sites, the Secure Web MDX policy Enable web password caching lets Secure Web authenticate to the proxy server and provide SSO to it through MDX, using credentials cached on the device.
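The following PAC file is an added example of the kind of rules described above; it is not taken from the Citrix page or from a Citrix product. The proxy names (proxy.example.corp, webproxy.example.corp), the internal DNS suffix example.corp, the SaaS domain saas-vendor.example and the 10.0.0.0/8 range are placeholders. A PAC engine supplies isPlainHostName(), dnsDomainIs(), isInNet() and shExpMatch(); they are re-implemented here with the semantics of the reference (Mozilla) implementation so the file can also be run under node for testing. Delete those helpers before deploying the file to a real PAC engine.

```javascript
// Added example PAC file for Secure Web in Full VPN Tunnel with PAC mode.
// Not from the Citrix documentation; all host names and ranges are placeholders.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Reference semantics: a bare string suffix match, with no label boundary.
// dnsDomainIs("notexample.corp", "example.corp") is TRUE, so always write
// the domain argument with a leading dot in your rules.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// The real isInNet() resolves a host name with DNS first, which leaks the
// name to the resolver before the proxy decision is made. This stand-in only
// accepts dotted-quad literals and returns false for anything else.
function isInNet(host, pattern, mask) {
  const ip = parseIPv4(host), net = parseIPv4(pattern), m = parseIPv4(mask);
  if (ip === null || net === null || m === null) return false;
  return ((ip & m) >>> 0) === ((net & m) >>> 0);
}

// Shell-style glob: "*" matches any run of characters, "?" a single one.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

const INTERNAL_PROXY = "PROXY proxy.example.corp:8080";
const EXTERNAL_PROXY = "PROXY webproxy.example.corp:3128; DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and anything under the internal DNS suffix are
  // internal resources: send them to the internal proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.corp")) {
    return INTERNAL_PROXY;
  }
  // Internal address space reached by IP literal.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return INTERNAL_PROXY;
  }
  // A SaaS domain that must bypass every proxy, expressed as a glob rule.
  if (shExpMatch(host, "*.saas-vendor.example")) {
    return "DIRECT";
  }
  // Everything else is an Internet site: use the outbound web proxy and fall
  // back to a direct connection if it is unreachable. With split tunneling
  // off, "DIRECT" still travels through the micro VPN tunnel to NetScaler
  // Gateway; the PAC file chooses a proxy, not the tunnel.
  return EXTERNAL_PROXY;
}
```

The leading dot in ".example.corp" is the detail most often missed: with the reference dnsDomainIs(), a rule written as "example.corp" would also classify an attacker-registered notexample.corp as internal and route it to the internal proxy.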


NetScaler Split Tunneling

When planning your SSO and proxy configuration, you must also decide whether to use NetScaler split tunneling. Citrix recommends that you use NetScaler split tunneling only if needed.

At a high level, split tunneling works as follows. NetScaler determines the traffic path based on its routing table. When NetScaler split tunneling is on, Secure Hub distinguishes internal (protected) network traffic from Internet traffic, based on the DNS suffix and the configured Intranet applications, and tunnels only the internal network traffic through the VPN tunnel; Internet traffic leaves through the device's own connection and is never seen by NetScaler. When NetScaler split tunneling is off, all traffic goes through the VPN tunnel.

  • If you want to monitor all traffic for security reasons, turn off NetScaler split tunneling so that all traffic goes through the VPN tunnel.
  • If you use Full VPN Tunnel with PAC, you must disable NetScaler Gateway split tunneling. If split tunneling is on and you configure a PAC file, the PAC file rules override the NetScaler split tunneling rules. A proxy server configured in a traffic policy does not override NetScaler split tunneling rules.

By default, an MDX app uses NetScaler split tunnel settings if the Network access policy is set to Tunneled to the internal network, which is the default setting for Secure Web. The Network access policy default differs for some other XenMobile Apps.

NetScaler Gateway also has a micro VPN reverse split tunnel mode. This configuration supports an exclusion list of IP addresses that aren't tunneled to the NetScaler, but are instead sent by using the device's Internet connection. For more information about reverse split tunneling, see Configuring Split Tunneling in the NetScaler Gateway documentation.

As of XenMobile 10.3.5, XenMobile includes a Reverse split tunnel exclusion list. If you don't want certain websites to tunnel through NetScaler Gateway, you can add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that connect by using the local area network (LAN) instead. This list applies only to Secure Browse mode with NetScaler Gateway configured for reverse split tunneling.
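The three settings above (split tunneling off, on, and reverse with an exclusion list) amount to a classification of each destination host. The following function is an added example of that classification written by the editor; it is not Secure Hub's code and the Citrix page does not describe its internals. The option names (splitTunnel, dnsSuffixes, reverseExclusionList), the function names and the sample configuration are assumptions. Intranet applications defined by IP range are part of the real decision in "on" mode but are out of scope for this host-name-only example.

```javascript
// Added example, not from the Citrix page: how a device-side client could
// classify a destination host under the three NetScaler Gateway split-tunnel
// settings. Option names and sample values are the editor's assumptions.

// Parse a comma-separated list of FQDNs or DNS suffixes, as used by the
// XenMobile reverse split tunnel exclusion list. Entries are normalised to
// lower case without leading or trailing dots, so "Example.com" and
// ".example.com" behave the same.
function parseHostList(text) {
  return String(text)
    .split(",")
    .map(e => e.trim().toLowerCase().replace(/^\.+/, "").replace(/\.+$/, ""))
    .filter(e => e.length > 0);
}

// An entry matches a host either exactly (FQDN) or as a parent domain on a
// label boundary (DNS suffix). "example.com" matches "www.example.com" but
// not "notexample.com", which is the mistake a plain endsWith() check makes.
function hostMatchesEntry(host, entry) {
  const h = host.toLowerCase().replace(/\.+$/, "");
  return h === entry || h.endsWith("." + entry);
}

function matchesAny(host, entries) {
  return entries.some(e => hostMatchesEntry(host, e));
}

// Decide where traffic for `host` goes.
//   "off":     everything through the micro VPN tunnel to NetScaler Gateway.
//   "on":      only hosts under the internal DNS suffixes are tunneled; the
//              rest use the device's own Internet connection ("LAN").
//   "reverse": everything is tunneled except hosts on the exclusion list.
function routeDecision(host, cfg) {
  switch (cfg.splitTunnel) {
    case "off":
      return "TUNNEL";
    case "on":
      return matchesAny(host, parseHostList(cfg.dnsSuffixes)) ? "TUNNEL" : "LAN";
    case "reverse":
      return matchesAny(host, parseHostList(cfg.reverseExclusionList)) ? "LAN" : "TUNNEL";
    default:
      throw new Error("unknown split tunnel mode: " + cfg.splitTunnel);
  }
}

// Constructed sample configuration with placeholder names.
const SAMPLE_CFG = {
  splitTunnel: "reverse",
  dnsSuffixes: "example.corp",
  reverseExclusionList: "cdn.example.net, .public-saas.example, www.example.com",
};

// Constructed sample destinations and the decision for each under SAMPLE_CFG.
function classifySample() {
  const hosts = [
    "intranet.example.corp",   // internal: tunneled
    "www.example.com",         // exact FQDN on the list: LAN
    "static.cdn.example.net",  // under a listed suffix: LAN
    "notcdn.example.net",      // looks similar but is not under the suffix: tunneled
  ];
  return hosts.map(h => h + " => " + routeDecision(h, SAMPLE_CFG));
}
```

Whichever mode is in use, the weak point is the matcher: an exclusion entry that matches on a bare string suffix lets an attacker-chosen name such as notcdn.example.net escape the tunnel, so treat the label-boundary check as part of the security control rather than a cosmetic detail.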
