Using Device Certificates for Authentication
A device certificate verifies that a user device is allowed to connect to the internal network. Citrix Gateway supports device certificates that enable you to bind the device identity to a public key.
Note: You must install Citrix Gateway 10.1, Build 120.1316.e or newer to configure device certificates.
You can use any of the following as the device identity:
- MAC address of the network interface card installed on the device
- Device identifier
- Identification that is unique to the device
When users log on, you can require only the device certification as part of the authentication process. You can also require the device certificate when using pre-authentication or advanced endpoint analysis policies.
Citrix Gateway needs to verify the device certificate before the endpoint analysis scan runs or before the logon page appears. If you configure endpoint analysis, the endpoint scan runs to verify the user device. When the device passes the scan and after Citrix Gateway verifies the device certificate, users can the log on to Citrix Gateway.
If you install two or more device certificates on Citrix Gateway, users need to select the correct certificate when they start to log on to Citrix Gateway or before the endpoint analysis scan runs.
When you create the device certificate, it must be an X.509 certificate.
For more information about creating device certificates, see the following:
- Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS) on the Microsoft web site.
- Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority on the Microsoft System Center web site.
- How to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload on the Apple support web site.
- iPad / iPhone Certificate Issuance on the Ask the Directory Services Team Microsoft support blog.
- Setting Up Network Device Enrollment Service on the Windows IT Pro web site.
After you create the device certificate, you install the certificate on Citrix Gateway by using the procedure for Importing and Installing an Existing Certificate to Citrix Gateway. After you install the certificate, you bind the certificate to the virtual server.
To enable and bind device certificates on a virtual server
After you install device certificates on Citrix Gateway, you need to enable the certificates for the relevant virtual server to activate them in your configuration.
- In the configuration utility, in the navigation pane, expand Citrix Gateway and then click Virtual Servers.
- In the details pane, click a virtual server and then click Edit.
- In the main VPN Virtual Server details pane, click the pencil icon then expand More.
- Select Enable Device Certificate.
- In the selection dialog that appears, select Add then click a device certificate to enable. Click the plus icon next to the chosen device certificate and then click OK.