Product Documentation

Using Device Certificates for Authentication

A device certificate verifies that a user device is allowed to connect to the internal network. Citrix Gateway supports device certificates that enable you to bind the device identity to a public key.

Note: You must install Citrix Gateway 10.1, Build 120.1316.e or newer to configure device certificates.

You can use any of the following as the device identity:

  • MAC address of the network interface card installed on the device
  • Device identifier
  • Identification that is unique to the device

When users log on, you can require only the device certification as part of the authentication process. You can also require the device certificate when using pre-authentication or advanced endpoint analysis policies.

Citrix Gateway needs to verify the device certificate before the endpoint analysis scan runs or before the logon page appears. If you configure endpoint analysis, the endpoint scan runs to verify the user device. When the device passes the scan and after Citrix Gateway verifies the device certificate, users can the log on to Citrix Gateway.

If you install two or more device certificates on Citrix Gateway, users need to select the correct certificate when they start to log on to Citrix Gateway or before the endpoint analysis scan runs.

When you create the device certificate, it must be an X.509 certificate.

For more information about creating device certificates, see the following:

After you create the device certificate, you install the certificate on Citrix Gateway by using the procedure for Importing and Installing an Existing Certificate to Citrix Gateway. After you install the certificate, you bind the certificate to the virtual server.

To enable and bind device certificates on a virtual server

After you install device certificates on Citrix Gateway, you need to enable the certificates for the relevant virtual server to activate them in your configuration.

  1. In the configuration utility, in the navigation pane, expand Citrix Gateway and then click Virtual Servers.
  2. In the details pane, click a virtual server and then click Edit.
  3. In the main VPN Virtual Server details pane, click the pencil icon then expand More.
  4. Select Enable Device Certificate.
  5. In the selection dialog that appears, select Add then click a device certificate to enable. Click the plus icon next to the chosen device certificate and then click OK.

Using Device Certificates for Authentication