Smart Access using Adaptive Authentication - Preview

Citrix Cloud customers can provide Smart Access (adaptive access) to Citrix Virtual Apps and Desktops using Adaptive authentication as an IdP to Citrix Workspace.

The Smart Access feature allows Citrix ADC or Citrix Gateway to surface all the policy information about the user to Citrix Workspace or Citrix DaaS. The Citrix ADC or Citrix Gateway appliance can provide device posture (EPA), network location (inside or outside the corporate network, geo-location), user attributes such as user groups, time of day, or a combination of these parameters as part of the policy information. The Citrix Virtual Apps and Desktops administrator can then use this policy information to configure contextual access to Citrix Virtual Apps and Desktops. Based on these parameters (the access policy), Citrix Virtual Apps and Desktops are either enumerated or not. Some user actions can also be controlled, such as clipboard access, printer redirection, client drive mapping, or USB mapping.

Example use cases:

  1. An administrator can configure a group of apps to be displayed or accessed only from specific network locations, such as the corporate network.
  2. An administrator can configure a group of apps to be displayed or accessed only from corporate-managed devices. For example, EPA scans can check whether the device is corporate managed or BYOD. Based on the EPA scan result, the relevant apps are enumerated for the user.

Prerequisites

Understanding the flow of events for Smart Access

  1. User logs in to Citrix Workspace.
  2. User gets redirected to the Adaptive authentication service configured as an IdP.
  3. Adaptive authentication service performs an EPA check along with other checks.
  4. Adaptive authentication service configured as an IdP does the authentication.
  5. Citrix Gateway pushes the tags to the Citrix Graph service, and the user is redirected to the Citrix Workspace landing page.
  6. Citrix Workspace fetches the policy information for this user session, matches the filter, and evaluates the apps or desktops that must be enumerated.
  7. Configure the access policy on Citrix Virtual Apps and Desktops to restrict the ICA access for users.

Configuration scenario - App enumeration based on device posture scans

Procedure:

Step 1: Ensure that the Citrix Gateway appliance is configured as an IdP. For details, see Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud.

Step 2: Configure Smart Access policies on the Citrix Adaptive Authentication instance.

In the following sample configuration, a different set of applications is enumerated depending on whether the logon is domain-joined or non-domain-joined.

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Profiles.

  2. On the Profiles tab, click Add to create a profile named DomainJoined-SmartAccessProfile with the tag DomainJoined. Similarly, create another profile named NonDomainJoined-SmartAccessProfile with the tag NonDomainJoined.

    Smart-access-profiles

  3. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Policies.

  4. On the Configure Authentication Smart Access Policy page, click Add to create a policy named DomainJoined-SmartAccessPol.

  5. On the Configure Authentication Smart Access Policy page, under Action, select the previously created DomainJoined-SmartAccessProfile and click Add.

    Smart-access-policy-configuration

  6. In Expression, type AAA.USER.GROUPS.CONTAINS("DomainJoinedGroup") and click OK.

  7. Similarly, create another policy named NonDomainJoined-SmartAccessPol (under Action, select the previously created NonDomainJoined-SmartAccessProfile).

    Smart-access-profiles

  8. Bind the smart access policy to the Authentication and authorization virtual server.

Step 3: Citrix Virtual Apps and Desktops configuration

  1. Click Manage on the Citrix DaaS tile.

  2. Navigate to Delivery groups and click Edit Delivery Group.

  3. Right-click the delivery group and select Edit to configure when the apps of that delivery group must be enumerated and allowed to launch.
  4. Click Access Policy and add the required tags. Farm must always be set to Workspace, and the filter must contain any of the tags that you created in the earlier configuration.
  5. Repeat the previous steps to add more tags. When multiple tags are used, the Delivery Group is available to the customer if at least one of the tags is present.

    Smart-access-edit-delivery-group

Note:

  • Ensure that the tags are in upper case.
  • If an administrator removes the configuration of a specific tag on Citrix Gateway, the tag must also be removed from Web Studio and from the Delivery Groups. Administrators must not reuse deleted tag names; always use new tag names.
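The flow of events and Steps 2 and 3 describe two matching stages: the gateway policy turns a user attribute into a tag, and the delivery group's access policy turns the pushed tags into an enumeration decision (farm Workspace, at least one filter tag present, tags in upper case). The following Python model, an added example that is not Citrix code, runs both stages over a constructed configuration. The data structures, function names, and the group name NonDomainJoinedGroup are assumptions; the model also assumes that pushed tags are compared in upper case, which is what the note above protects against.

```python
"""Model of the Smart Access flow above: gateway policies turn group
membership into tags, and delivery-group access policies turn tags into an
enumeration decision. Added example, not Citrix code; all names are
illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SmartAccessPolicy:
    """Gateway-side policy (Step 2): if the expression matches, the bound
    profile's tag is pushed. The expression is reduced here to the
    AAA.USER.GROUPS.CONTAINS("<group>") check used on the page."""
    name: str
    group: str
    tag: str


@dataclass(frozen=True)
class DeliveryGroup:
    """DaaS delivery group with its access policy (Step 3):
    farm plus a tuple of filter tags."""
    name: str
    filter_tags: tuple
    farm: str = "Workspace"


def evaluate_gateway_tags(user_groups, policies):
    """Tags the gateway pushes for this session: one per matching policy."""
    return {p.tag for p in policies if p.group in user_groups}


def normalize_session_tags(pushed_tags):
    """Assumption of this model: pushed tags are compared in upper case,
    which is why the note requires upper-case tags in the Studio filter."""
    return {t.upper() for t in pushed_tags}


def delivery_group_visible(group, session_tags):
    """Farm must be Workspace; with several filter tags, one match suffices."""
    if group.farm != "Workspace":
        return False
    return any(t in session_tags for t in group.filter_tags)


def lint_access_policy(group, retired_tags=frozenset()):
    """Report filter settings that silently never match: wrong farm,
    tags that are not upper case, and tags deleted on the gateway
    (the note says not to reuse those names)."""
    problems = []
    if group.farm != "Workspace":
        problems.append(f"{group.name}: farm {group.farm!r} is not 'Workspace'")
    for t in group.filter_tags:
        if t != t.upper():
            problems.append(f"{group.name}: tag {t!r} is not upper case")
        if t.upper() in retired_tags:
            problems.append(f"{group.name}: tag {t!r} was deleted on the gateway")
    return problems


def enumerate_delivery_groups(user_groups, policies, delivery_groups):
    """Run the whole flow for one session and return the visible group names."""
    tags = normalize_session_tags(evaluate_gateway_tags(user_groups, policies))
    return [g.name for g in delivery_groups if delivery_group_visible(g, tags)]


# Constructed sample configuration mirroring Steps 2 and 3. The group name
# NonDomainJoinedGroup is an assumption; the page only shows the
# domain-joined expression.
POLICIES = (
    SmartAccessPolicy("DomainJoined-SmartAccessPol", "DomainJoinedGroup", "DomainJoined"),
    SmartAccessPolicy("NonDomainJoined-SmartAccessPol", "NonDomainJoinedGroup", "NonDomainJoined"),
)
DELIVERY_GROUPS = (
    DeliveryGroup("Corporate apps", ("DOMAINJOINED",)),
    DeliveryGroup("BYOD apps", ("NONDOMAINJOINED",)),
    DeliveryGroup("Common apps", ("DOMAINJOINED", "NONDOMAINJOINED")),
    DeliveryGroup("Misconfigured apps", ("DomainJoined",)),  # mixed case: never matches
)

if __name__ == "__main__":
    for groups in ({"DomainJoinedGroup"}, {"NonDomainJoinedGroup"}, set()):
        print(sorted(groups), "->", enumerate_delivery_groups(groups, POLICIES, DELIVERY_GROUPS))
    for g in DELIVERY_GROUPS:
        for problem in lint_access_policy(g):
            print("lint:", problem)
```

The "Misconfigured apps" group shows the failure mode the note warns about: its filter tag is spelled the way the profile was named on the gateway, so it is never enumerated for anyone, and nothing in the session reports why. Running lint_access_policy over every delivery group before users are affected is the cheap check.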

Upon successful configuration, the Domain-Joined logon enumerates the following apps.

Smart-access-domain-joined-group

Upon successful configuration, the Non-Domain-Joined logon enumerates the following apps.

Smart-access-non-domain-joined-group

Step 4: Add an access policy for the smart access tags.

  1. Under Manage, navigate to Policies, and create a policy.
  2. Select the appropriate ICA policy control.
  3. In Assign Policy To, select "access control".

Smart-access-assign-policy

  4. Assign the smart access tag (in upper case) in the access condition.

Smart-access-assign-to-access-control

Troubleshooting

- What if no tags are pushed:

Additional changes for high availability setup:

Sometimes file synchronization in a high availability setup is delayed. As a result, the keys created during Citrix ADM registration are not read in time on the secondary node.

The following three files must be present on the secondary node:

/var/mastools/conf/agent.conf
/var/mastools/trust/.ssh/private.pem
/var/mastools/trust/.ssh/public.pem

To address the file-sync issue, perform the following steps to rerun the 'set cloud' command on the secondary node.

```
> shell cat /var/mastools/conf/agent.conf
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<mps_agent>
<uuid>temp_str</uuid>
<url>fuji.agent.adm.cloud.com</url>
<customerid>customer_id</customerid>
<instanceid>instance_id</instanceid>
<servicename>MAS</servicename>
<download_service_url>download.citrixnetworkapistaging.net</download_service_url>
<abdp_url>fuji.agent.adm.cloud.com</abdp_url>
<msg_router_url>fuji.agent.adm.cloud.com</msg_router_url>
</mps_agent>
 Done
> set cloud param -CustomerID customer_id -InstanceID instance_id -Deployment Production
```
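The high availability fix above amounts to two checks before rerunning the command: confirm that all three files have reached the secondary node, and take the customer and instance IDs from agent.conf rather than retyping them. The following Python script, an added example that is not Citrix code, performs both against a directory root, so it can be pointed at / on a node or at the constructed sample tree it builds for itself. Function names are illustrative; the sample agent.conf is constructed after the one shown above and uses the page's placeholder values customer_id and instance_id.

```python
"""Check that the three Citrix ADM agent files named in the troubleshooting
text exist, and rebuild the 'set cloud param' command from agent.conf.
Added example, not Citrix code; function names are illustrative and the
sample agent.conf is constructed after the one shown on the page."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Paths from the page, relative to a root directory so the check can also be
# run against a copied tree or the constructed sample below.
REQUIRED_FILES = (
    "var/mastools/conf/agent.conf",
    "var/mastools/trust/.ssh/private.pem",
    "var/mastools/trust/.ssh/public.pem",
)


def agent_conf_path(root="/"):
    """Location of agent.conf under the given root."""
    return os.path.join(root, REQUIRED_FILES[0])


def missing_files(root="/"):
    """Files still absent on this node (delayed HA sync leaves some missing)."""
    return [f for f in REQUIRED_FILES if not os.path.isfile(os.path.join(root, f))]


def read_cloud_ids(path):
    """Return (customerid, instanceid) from agent.conf, or raise if absent."""
    agent = ET.parse(path).getroot()
    customer_id = agent.findtext("customerid")
    instance_id = agent.findtext("instanceid")
    if not customer_id or not instance_id:
        raise ValueError(f"{path}: customerid/instanceid missing")
    return customer_id, instance_id


def set_cloud_command(path, deployment="Production"):
    """The command to rerun on the secondary, built from agent.conf."""
    customer_id, instance_id = read_cloud_ids(path)
    return (f"set cloud param -CustomerID {customer_id} "
            f"-InstanceID {instance_id} -Deployment {deployment}")


# Constructed sample agent.conf with the placeholder values used on the page.
SAMPLE_AGENT_CONF = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<mps_agent>
<uuid>temp_str</uuid>
<url>fuji.agent.adm.cloud.com</url>
<customerid>customer_id</customerid>
<instanceid>instance_id</instanceid>
<servicename>MAS</servicename>
</mps_agent>
"""


def build_sample_tree(omit=()):
    """Create a temporary tree that mimics the node; `omit` lists files to
    leave out so a lagging secondary can be simulated. The .pem files are
    placeholders, not keys."""
    root = tempfile.mkdtemp(prefix="mastools-")
    for rel in REQUIRED_FILES:
        if rel in omit:
            continue
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(SAMPLE_AGENT_CONF if rel.endswith("agent.conf") else "placeholder\n")
    return root


if __name__ == "__main__":
    # Simulate a secondary where the private key has not synced yet.
    node = build_sample_tree(omit=("var/mastools/trust/.ssh/private.pem",))
    absent = missing_files(node)
    print("missing:", absent or "none")
    if "var/mastools/conf/agent.conf" not in absent:
        print(set_cloud_command(agent_conf_path(node)))
```

When missing_files reports anything, rerunning set cloud param is premature; wait for synchronization (or copy the files) and check again, then run the command the script prints.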