
Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment

Important

The following section lists the steps to configure Intune with NetScaler Gateway. For information on configuring the NetScaler Gateway application on the Azure portal to obtain the Client ID, Client Secret, and Tenant ID, refer to the Azure product documentation.

A NetScaler Enterprise Edition license is required for the following functionality.

To add a NetScaler Gateway Virtual Server with nFactor for Gateway deployment:

1. Navigate to Virtual Servers under the NetScaler Gateway tree node.

2. Click Add.

3. Provide the required information in the Basic Settings area and click OK.

4. Select Server Certificate.

5. Select the required server certificate and click Bind.

6. Click Continue.

7. Click Continue.

8. Click Continue.

9. Click the plus icon [+] next to Policies, select Session from the Choose Policy dropdown, select Request from the Choose Type dropdown, and click Continue.

10. Click the plus icon [+] next to Select Policy.

11. On the Create NetScaler Gateway Session Policy page, provide a name for the session policy.

12. Click the plus icon [+] next to Profile and, on the Create NetScaler Gateway Session Profile page, provide a name for the session profile.

13. On the Client Experience tab, click the checkbox next to Clientless Access and select Off from the dropdown.

14. Click the checkbox next to Plug-in Type and select Windows/Mac OS X from the dropdown.

15. Click Advanced Settings, select the checkbox next to Client Choices, and set its value to ON.

16. On the Security tab, click the checkbox next to Default Authorization Action and select Allow from the dropdown.

17. On the Published Applications tab, click the checkbox next to ICA Proxy and select OFF from the dropdown.

18. Click Create.

19. Enter NS_TRUE in the Expression area on the Create NetScaler Gateway Session Policy page.

20. Click Create.

21. Click Bind.

22. Select Authentication Profile in Advanced Settings.

23. Click the plus icon [+] and provide a name for the Authentication Profile.

24. Click the plus icon [+] to create a new authentication virtual server.

25. Specify the name and IP address type for the authentication vserver in the Basic Settings area and click OK. The IP address type can be Non Addressable as well.

26. Click Authentication Policy.

27. Under the Policy Binding view, click the plus icon [+] to create a new authentication policy.

28. Select OAUTH as the Action Type and click the plus icon [+] to create a new OAuth action for NAC.

29. Create the OAuth action using the Client ID, Client Secret, and Tenant ID.

   The Client ID, Client Secret, and Tenant ID are generated after configuring the NetScaler Gateway application on the Azure portal.

   Ensure that an appropriate DNS name server is configured on your appliance so that it can resolve and reach https://login.microsoftonline.com/ and https://graph.windows.net/.

30. Create an authentication policy for the OAuth action.

   Rule: http.req.header("User-Agent").contains("NAC/1.0") && ((http.req.header("User-Agent").contains("iOS") && http.req.header("User-Agent").contains("NSGiOSplugin")) || (http.req.header("User-Agent").contains("Android") && http.req.header("User-Agent").contains("CitrixVPN")))

31. Click the plus icon [+] to create a nextFactor policy label.

32. Click the plus icon [+] to create a new login schema.

33. Select noschema as the authentication schema and click Create.

34. After selecting the created login schema, click Continue.

35. Click the plus icon [+] to create a next factor policy to be bound to the newly created policy label.

36. After selecting the required authentication action type and the respective action, click Create.

37. Click Bind.

38. Click Done.

39. Click Bind.

40. Click Continue.

41. Click Done.

42. Click Create.

43. Click OK.

44. Click Done.
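The rule in step 30 decides which requests are handed to the NAC OAuth policy, so it is worth checking its grouping before binding it. The following is an added example, not part of the product documentation: a Python mirror of that rule, run over constructed User-Agent values. The function names and sample strings are hypothetical, and case-sensitive matching is an assumption about the appliance's default text mode.

```python
# Added example: a Python mirror of the step 30 rule, for checking offline
# which User-Agent values the NAC OAuth policy would select.

def matched_clause(user_agent):
    """Return "ios", "android" or None for one User-Agent header value.

    Mirrors: contains("NAC/1.0") &&
             ((iOS && NSGiOSplugin) || (Android && CitrixVPN)).
    Substring tests are case-sensitive (assumption: the appliance's
    default text mode for contains()).
    """
    if "NAC/1.0" not in user_agent:
        return None  # the outer && fails, so neither platform group is considered
    if "iOS" in user_agent and "NSGiOSplugin" in user_agent:
        return "ios"
    if "Android" in user_agent and "CitrixVPN" in user_agent:
        return "android"
    return None  # NAC/1.0 present, but no complete platform pair


# Constructed header values for illustration; not captured from real clients.
SAMPLES = {
    "ios_plugin": "NSGiOSplugin/1.0 (iOS 12.1) NAC/1.0",
    "android_plugin": "CitrixVPN/2.0 (Android 9) NAC/1.0",
    "ios_without_nac": "NSGiOSplugin/1.0 (iOS 12.1)",
    "nac_token_only": "ExampleClient/1.0 NAC/1.0",
    "crossed_pair": "CitrixVPN/2.0 (iOS 12.1) NAC/1.0",
    "lowercase": "citrixvpn/2.0 (android 9) nac/1.0",
    "desktop_browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}


def classify(samples):
    """Map each sample label to the clause of the rule it satisfies, if any."""
    return {label: matched_clause(ua) for label, ua in samples.items()}


if __name__ == "__main__":
    for label, clause in classify(SAMPLES).items():
        print(f"{label:16} -> {clause or 'rule does not match'}")
```

Only the first two samples satisfy the rule; a request whose header carries one token from each platform group, or the right tokens in a different case, is not selected by this policy.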

To bind an authentication login schema to the authentication vserver, so that VPN plug-ins are instructed to send the device ID as part of the /cgi/login request:

1. Navigate to Security > AAA - Application Traffic > Virtual Servers.

2. Select the previously selected virtual server and click Edit.

3. Click Login Schemas under Advanced Settings.

4. Click Login Schemas to bind.

5. Click [>] to select and bind the existing built-in login schema policies for NAC device check.

6. Select the login schema policy appropriate for your authentication deployment and click Select.

   In the deployment explained above, single factor authentication (LDAP) is used along with the NAC OAuth action policy, hence lschema_single_factor_deviceid has been selected.

7. Click Bind.

8. Click Done.
