Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment

December 19, 2019

Contributed by: C S

Important:

The following section lists steps to configure Intune with NetScaler Gateway. For information on configuring NetScaler Gateway application on the Azure portal to obtain Client ID, Client Secret, and Tenant ID, refer Azure product documentation.

NetScaler Enterprise Edition license is required for the following functionality.

To add a NetScaler Gateway Virtual Server with nFactor for Gateway deployment

Navigate to Virtual Servers under the NetScaler Gateway tree node.
Click Add.
Provide the required information in the Basic Settings area and click OK.
Select Server Certificate.
Select required server certificate and click Bind.
Click Continue.
Click Continue.
Click Continue.
Click the plus icon [+] next to Policies and select Session from the Choose Policy list and select Request from the Choose Type list and click Continue.
Click the plus icon [+] next to Select Policy.
On the Create NetScaler Gateway Session Policy page, provide name for the Session policy.
Click the plus icon [+] next to Profile and on the Create NetScaler Gateway Session Profile page, provide name for the Session profile.
On the Client Experience tab, click the check box next to Clientless Access and select Off from the list.
Click the check box next to Plug-in Type and select Windows/Mac OS X from the list.
Click Advanced Settings and select the check box next to Client Choices and set its value to ON.
On the Security tab, click the check box next to Default Authorization Action and select Allow from the list.
On the Published Applications tab, click the check box next to ICA Proxy and select OFF from the list.
Click Create.
Enter NS_TRUE under Expression area on the Create NetScaler Gateway Session Policy page.
Click Create.
Click Bind.
Select Authentication Profile in Advanced Settings.
Click the plus icon [+] and provide a name for the Authentication Profile.
Click the plus icon [+] to create an authentication virtual server.
Specify name and IP address type for authentication virtual server under Basic Settings area and click OK. The IP address type can be Non Addressable as well.
Click Authentication Policy.
Under Policy Binding view, click the plus icon [+] to create an authentication policy.
Select OAUTH as an Action Type and click the plus icon [+] to create OAuth action for NAC.
Create OAuth action using Client ID, Client Secret, and Tenant ID.

Client ID, Client Secret and Tenant ID are generated after configuring NetScaler Gateway application on Azure portal.

Ensure that you have an appropriate DNS name server configured on your appliance to resolve and reach https://login.microsoftonline.com/, https://graph.windows.net/, and *.manage.microsoft.com.

Create authentication policy for OAuth Action.

Rule: http.req.header(“User-Agent”).contains(“NAC/1.0”)&& ((http.req.header(“User-Agent”).contains(“iOS”) && http.req.header(“User-Agent”).contains(“NSGiOSplugin”))

(http.req.header(“User-Agent”).contains(“Android”) && http.req.header(“User-Agent”).contains(“CitrixVPN”)))

localized image

Click the plus icon [+] to create nextFactor policy label.
Click the plus icon [+] to create a login schema.
Select noschema as an authentication schema and click Create.
After selecting the created login schema, click Continue.
Click the plus icon [+] to create a next Factor policy to be bound for the newly created policy label.
After selecting the required authentication action type and the respective action click Create.
Click Bind.
Click Done.
Click Bind.
Click Continue.
Click Done.
Click Create.
Click OK.
Click Done.

Navigate to Security > AAA - Application Traffic > Virtual Servers.
Select the previously selected virtual-server and click Edit.
Click Login Schemas under Advanced Settings.
Click Login Schemas to bind.
Click [>] to select and bind the existing build in login schema policies for NAC device check.
Select required login schema policy appropriate for your authentication deployment and click Select.

In the above explained deployment, single factor authentication (LDAP) along with NAC OAuth Action policy is used, hence lschema_single_factor_deviceid has been selected.
Click Bind.
Click Done.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment

December 19, 2019

Contributed by: C S

Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment

To add a NetScaler Gateway Virtual Server with nFactor for Gateway deployment

To bind authentication login schema to authentication virtual server to indicate VPN plug-ins to send device ID as part of /cgi/login request

Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment

In this article