Citrix Gateway

Configuring Network Access Control device check for Citrix Gateway virtual server for single factor login

Important

The following section lists the steps to configure Intune with Citrix Gateway. For information on configuring the Citrix Gateway application on the Azure portal to obtain the Client ID, Client Secret, and Tenant ID, refer to the Azure product documentation.

Citrix ADC Advanced Edition license is required for the following functionality.

To add a Citrix Gateway Virtual Server with nFactor for Gateway deployment

  1. Navigate to Virtual Servers under the Citrix Gateway tree node.

    Virtual servers page

  2. Click Add.

    Add a virtual server

  3. Provide the required information in the Basic Settings area and click OK.

    Set basic settings

  4. Select Server Certificate.

    Select a server cert

  5. Select required server certificate and click Bind.

    Bind server cert

  6. Click Continue.

  7. Click Continue.

  8. Click Continue.

  9. Click the plus icon [+] next to Policies, select Session from the Choose Policy list, select Request from the Choose Type list, and click Continue.

  10. Click the plus icon [+] next to Select Policy.

  11. On the Create NetScaler Gateway Session Policy page, provide a name for the Session policy.

  12. Click the plus icon [+] next to Profile and on the Create NetScaler Gateway Session Profile page, provide a name for the Session profile.

  13. On the Client Experience tab, click the check box next to Clientless Access and select Off from the list.

  14. Click the check box next to Plug-in Type and select Windows/Mac OS X from the list.

  15. Click Advanced Settings, select the check box next to Client Choices, and set its value to ON.

  16. On the Security tab, click the check box next to Default Authorization Action and select Allow from the list.

  17. On the Published Applications tab, click the check box next to ICA Proxy and select OFF from the list.

  18. Click Create.

  19. Enter NS_TRUE in the Expression area on the Create NetScaler Gateway Session Policy page.

  20. Click Create.

  21. Click Bind.

  22. Select Authentication Profile in Advanced Settings.

    Select authentication profile

  23. Click the plus icon [+] and provide a name for the Authentication Profile.

    Authentication profile name

  24. Click the plus icon [+] to create an authentication virtual server.

    Add authentication virtual server

  25. Specify the name and IP address type for the authentication virtual server in the Basic Settings area and click OK. The IP address type can also be Non Addressable.

    Set basic settings

  26. Click Authentication Policy.

    Authentication policy

  27. Under the Policy Binding view, click the plus icon [+] to create an authentication policy.

    Create authentication policy

  28. Select OAUTH as the Action Type and click the plus icon [+] to create an OAuth action for NAC.

    Select OAuth action type

  29. Create an OAuth action using the Client ID, Client Secret, and Tenant ID.

    The Client ID, Client Secret, and Tenant ID are generated after configuring the Citrix Gateway application on the Azure portal.

    Ensure that an appropriate DNS name server is configured on your appliance so that it can resolve and reach https://login.microsoftonline.com/, https://graph.windows.net/, and *.manage.microsoft.com.

    ID and secret for Azure portal

  30. Create an authentication policy for the OAuth action.

    Rule:

    http.req.header("User-Agent").contains("NAC/1.0") && ((http.req.header("User-Agent").contains("iOS") && http.req.header("User-Agent").contains("NSGiOSplugin")) || (http.req.header("User-Agent").contains("Android") && http.req.header("User-Agent").contains("CitrixVPN")))

    Authentication policy rule
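To see exactly which clients the rule in step 30 selects for the NAC OAuth action, the following added example (not Citrix code and not part of the original page) re-implements the expression's logic in Python and runs it over a few constructed User-Agent values. It assumes the literal semantics of the expression as written: a missing User-Agent header never matches, and each contains() test is a case-sensitive substring check, since the rule does not request IGNORECASE. The sample header values are constructed for the example, not captured client strings.

```python
"""Model of the NAC authentication-policy rule from step 30.

Added illustration, not Citrix code: the rule's logic is re-implemented
so the substrings it keys on can be exercised against sample User-Agent
values. All header values below are constructed for the example.
"""


def header_contains(headers, name, needle):
    """Mirror http.req.header(name).contains(needle).

    A request without the header never matches, and the substring test
    is case-sensitive (assumption: the page's rule does not set
    IGNORECASE text mode).
    """
    value = headers.get(name)
    return value is not None and needle in value


def matches_nac_rule(headers):
    """Return True when the request would select the NAC OAuth action.

    Structure mirrors the page's expression:
      contains("NAC/1.0") && ((iOS && NSGiOSplugin) || (Android && CitrixVPN))
    """
    def ua(needle):
        return header_contains(headers, "User-Agent", needle)

    ios_plugin = ua("iOS") and ua("NSGiOSplugin")
    android_plugin = ua("Android") and ua("CitrixVPN")
    return ua("NAC/1.0") and (ios_plugin or android_plugin)


# Constructed sample requests (not captured traffic). Each entry is the
# header map the policy engine would see for one /cgi/login request.
SAMPLE_REQUESTS = {
    "ios_nac": {"User-Agent": "NSGiOSplugin/1.0 (iOS 16) NAC/1.0"},
    "android_nac": {"User-Agent": "CitrixVPN/2.0 (Linux; Android 13) NAC/1.0"},
    "ios_no_nac": {"User-Agent": "NSGiOSplugin/1.0 (iOS 16)"},
    "android_no_nac": {"User-Agent": "CitrixVPN/2.0 (Linux; Android 13)"},
    "windows_plugin": {"User-Agent": "CitrixReceiver/4.0 Windows NAC/1.0"},
    "no_header": {},
}


def evaluate_samples(samples=SAMPLE_REQUESTS):
    """Evaluate every sample request; returns {name: matched}."""
    return {name: matches_nac_rule(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        state = "NAC OAuth action selected" if hit else "rule not matched"
        print(f"{name:15} -> {state}")
```

Only the two mobile plug-in agents that also carry the NAC/1.0 token reach the OAuth action; a Windows plug-in, or a mobile plug-in without the NAC token, is left for the other policies bound to the factor. Note that the string "NSGiOSplugin" itself contains "iOS", so the separate "iOS" test adds no extra restriction for that client.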

  31. Click the plus icon [+] to create a nextFactor policy label.

    Create next factor policy label

  32. Click the plus icon [+] to create a login schema.

    Create login schema

  33. Select noschema as an authentication schema and click Create.

    Select authentication schema

  34. After selecting the created login schema, click Continue.

    Click continue

  35. In Select Policy, select an existing authentication policy for user login or click the plus icon [+] to create an authentication policy. For details on creating an authentication policy, see Configuring advanced authentication policies.

    Select or create an authentication policy

  36. Click Bind.

    Click bind

  37. Click Done.

    Click Done

  38. Click Bind.

    Click Bind

  39. Click Continue.

    Click Continue

  40. Click Done.

    Click Done

  41. Click Create.

    Click Create

  42. Click OK.

    Click OK

  43. Click Done.

    Click Done

To bind an authentication login schema to the authentication virtual server so that VPN plug-ins send the device ID as part of the /cgi/login request

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers.

    Virtual servers page

  2. Select the previously created virtual server and click Edit.

    Edit a virtual server

  3. Click Login Schemas under Advanced Settings.

    Select login schema

  4. Click Login Schemas to bind.

    Bind login schema

  5. Click [>] to select and bind the existing built-in login schema policies for the NAC device check.

    Bind login schema policies

  6. Select the login schema policy appropriate for your authentication deployment and click Select.

    In the deployment explained above, single-factor authentication (LDAP) is used along with a NAC OAuth action policy, so lschema_single_factor_deviceid has been selected.

    Select single factor authentication policy

  7. Click Bind.

    Click Bind

  8. Click Done.

    Click Done