NetScaler (formerly Citrix Gateway) enhanced with Two-Factor Authentication




Duo Security offers two-factor authentication for Citrix Gateway through integration with on-premises NetScaler. This includes support for interactive enrollment, passcodes, phone, and push authentication methods. Integration requires setting up two RADIUS policies for primary authentication, one each for browser-based Gateway logins and Receiver or Workspace client connections. The Duo Authentication Proxy handles both primary and secondary authentication.

To set up Duo with Citrix Gateway, administrators need to install the Duo Authentication Proxy on a recommended operating system, such as Windows Server, CentOS, Fedora, Red Hat Enterprise Linux, Ubuntu, or Debian. The Proxy should not be installed on the same server as Active Directory or NPS services. After installation, administrators sign up for a Duo account, configure the Proxy with the API hostname, integration key, and secret key, and then start the Proxy service.

For Citrix Receiver or Workspace clients, a separate RADIUS policy is created in the Duo Authentication Proxy configuration with unique port settings. Administrators also need to configure Citrix Gateway or NetScaler with RADIUS policies for Duo authentication. Testing the setup involves logging in to Citrix Gateway and using Duo’s enrollment/login prompt, followed by testing with the Citrix Receiver or Workspace client integration.
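The requirements in the two paragraphs above (API hostname, integration key and secret key on each RADIUS listener, and a unique port for the Receiver or Workspace listener) can be checked before the Proxy service is started. The following is an added example, not taken from the Duo documentation: the section and key names (`radius_server_iframe`, `radius_server_auto`, `api_host`, `ikey`, `skey`, `client`, `port`) are assumed from the Authentication Proxy's INI-style configuration format, and every value in the sample is a constructed placeholder.

```python
import configparser

# Keys the page says each listener needs (key names are assumed, see lead-in).
REQUIRED = ("api_host", "ikey", "skey")

def check_proxy_config(text):
    """Return findings for the RADIUS listener sections of an authproxy.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    listeners = [s for s in cfg.sections() if s.startswith("radius_server_")]
    findings, ports = [], {}
    if len(listeners) < 2:
        findings.append("need two RADIUS listeners: browser and Receiver/Workspace")
    for name in listeners:
        sec = cfg[name]
        for key in REQUIRED:
            if not sec.get(key, "").strip():
                findings.append(f"{name}: missing {key}")
        client = sec.get("client", "")
        if client and not cfg.has_section(client):
            findings.append(f"{name}: client section [{client}] is not defined")
        port = sec.getint("port", fallback=1812)  # 1812 assumed when omitted
        if port in ports:
            findings.append(f"{name}: port {port} already used by {ports[port]}")
        ports.setdefault(port, name)
    return findings

# Constructed sample configuration; hosts and keys are placeholders.
SAMPLE_CFG = """
[ad_client]
host=192.0.2.10

[radius_server_iframe]
api_host=api-XXXXXXXX.duosecurity.com
ikey=PLACEHOLDER_IKEY_BROWSER
skey=PLACEHOLDER_SKEY_BROWSER
client=ad_client
port=1812

[radius_server_auto]
api_host=api-XXXXXXXX.duosecurity.com
ikey=PLACEHOLDER_IKEY_RECEIVER
skey=PLACEHOLDER_SKEY_RECEIVER
client=ad_client
port=18120
"""

if __name__ == "__main__":
    print(check_proxy_config(SAMPLE_CFG) or "no findings")
```

A port collision between the two listeners means only one of them can bind, so one of the two NetScaler RADIUS policies would have no listener to reach.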

Troubleshooting tips and connectivity tools are available for diagnosing any issues. Detailed network diagrams are provided to illustrate the primary authentication flow to Citrix Gateway, Duo Authentication Proxy connection, user authentication process, and access granting. Additionally, advice on setting up allowed hostnames for WebAuthn authentication methods and tips for handling out-of-band factors like Duo Push or phone callbacks are included in the setup instructions.

Article Source
https://duo.com/docs/citrix-netscaler