Step by Step Guide to implement SMS authentication to Citrix Access Gateway™ Enterprise Edition

Installation guide for securing the authentication to your Citrix Access Gateway™ Enterprise Edition solution with Nordic Edge One Time Password Server, delivering strong authentication via SMS to your mobile phone.

1 Summary

This is the complete installation guide for securing the authentication to your Citrix Access Gateway™ Enterprise Edition with Nordic Edge One Time Password Server 3, delivering strong authentication via SMS to your mobile phone. You will be able to test the product with your existing Citrix Access Gateway™ Enterprise Edition and LDAP user database, without making any changes that affect existing users. The guide also lets you carry out the complete installation efficiently, in at most 1 hour. Nordic Edge provides several methods for delivering one time passwords, like the mobile client Pledge, e-mail, tokens, mobile clients, prefetch, Yubikey etc. – however in this test we are only going to use SMS.

This is a step-by-step guide that covers the entire Nordic Edge OTP Server installation from A to Z. It is based on the scenario that you are running your Citrix Access Gateway™ Enterprise Edition against Active Directory, and that you install the One Time Password Server on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user databases, like eDirectory, Sun One, Open LDAP etc. If you are not running Active Directory or Windows and if you have any questions regarding the slight differences in the installation process, you are most welcome to contact us at support@nordicedge.se and we will take you through the entire process.


Table of Contents

1 Summary
2 Prerequisites
    Definitions
    Important information regarding communication
3 Getting started
    3.1 Register and download the software
4 Installation
    4.1 Start the installation
    4.2 Installing license
5 Configuring the One Time Password Server
    5.1 Start the OTP Configurator
    5.2 Configure the One Time Password Server
    5.3 Configure RADIUS
    5.4 Configure databases
    5.5 Configure LDAP Host Settings
    5.6 Configure the LDAP database settings
    5.7 Configure search filter
    5.8 Test LDAP Authentication
6 Configure the SSL-VPN client settings
7 Configure Delivery Method
8 Restart the One Time Password Server as Windows Service
9 Add mobile phone number with Microsoft Management Console
10 Configuring Citrix Access Gateway™ Enterprise Edition
    10.1 Adding the authentication server
    10.2 Adding the authentication policy
    10.3 Virtual Server configuration
    10.4 Test the configuration
11 Purchase
12 Technical questions


2 Prerequisites

You will need to have done a basic installation of Citrix Access Gateway Enterprise Edition (NetScaler Application Switch 9.x); this guide only shows how to enable SMS one-time password functionality for secure login.

You will also need a server available, for example a XenServer virtual machine with Windows Server 2003 installed and its Ethernet interface in bridge mode. The server needs an IP address configured and must be able to reach your DNS servers, your Citrix Access Gateway™ Enterprise Edition solution and Active Directory. Since the software is quite small and easy to remove, you can also use any existing server in your network.

Definitions

In this step-by-step guide, the Citrix Access Gateway™ Enterprise Edition solution whose authentication is being secured is referred to as the "SSL-VPN solution".

Important information regarding communication

The One Time Password Server is software that you can place on any server in your internal network or DMZ.

– The One Time Password Server needs to be able to communicate (outbound traffic) with your LDAP or JDBC user database. The default ports for LDAP and Secure LDAP are TCP 389 and 636 respectively.

– The SSL-VPN solution needs to be able to communicate (outbound traffic) with the One Time Password Server using RADIUS, UDP port 1812 or 1645.

– If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to communicate (outbound traffic) with otp.nordicedge.net and otp.nordicedge.se over HTTPS on TCP port 443.

In this test scenario you will use RADIUS on UDP port 1812 or 1645 and the Nordic Edge SMS Gateway.


3 Getting started

3.1 Register and download the software

Go to http://www.nordicedge.com, click "PRODUCTS", and under "One Time Password Server" choose "Download".

Enter your contact details and choose OTP Server. Click "Send" to receive the software.

You will receive an e-mail with a link for downloading the software. A 30-day evaluation license will be sent via e-mail when you download the software.

Download the 32- or 64-bit version depending on your platform.


4 Installation

4.1 Start the installation

Start the installation on the server where you want to install the One Time Password Server.

Please note that if you are installing on Windows Server 2008 you need to right-click otp3install.exe in Explorer and choose “Run as Administrator”.

4.2 Installing license

Choose the license.dat file that you have received via e-mail.

Leave the setting at its default (Yes) and click “Done”.

5 Configuring the One Time Password Server

5.1 Start the OTP Configurator

Start the OTP Configurator by clicking on the left button – “Configuration”.

5.2 Configure the One Time Password Server

On the Server page you can set the length of the one time password and for how long it should be valid. Default is 5 minutes.

You can also set a default country prefix, which means that you will not need to state it in the mobile attribute. 

For more information regarding the optional settings, please see the One Time Password Server 3 – Administration manual.

For now, leave this page as default and go on to the next part – Configure RADIUS.

5.3 Configure RADIUS

Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with your SSL-VPN server. In this example we are using RADIUS port 1812.

Click Save config.


5.4 Configure databases

In this setup we are going to use the LDAP database Microsoft Active Directory.

Change to the Databases tab and click on the LDAP Database button.

5.5 Configure LDAP Host Settings

For our configuration we are going to use the Active Directory installed on the same server as the One Time Password Server, so we use the local loopback address (127.0.0.1) as host address.

We will use the standard LDAP port (389) to communicate with Active Directory.

For Admin DN we are going to use the Administrator account to search for users in Active Directory. For now this account only needs read rights to the user objects, but be aware that you may later want to use options like disabling accounts or the Pledge Enrollment concept for the Pledge Mobile Client. In such cases the Admin DN needs rights to modify the account-disable attribute and to store OATH keys in optional user attributes. A dedicated service account granted only those rights is preferable to the built-in Administrator for this purpose.

Configure your LDAP host settings and click Test. You should now get a message saying “LDAP connection success”.

Click OK and Save.

The next step is to configure the LDAP database settings.

5.6 Configure the LDAP database settings

The Base DN is the search base under which your users are stored. Click on the button with three dots at the right side of the Base DN field to browse your LDAP database.

Click on the Organizational Unit or Organization where you store your user objects and click OK.


5.7 Configure search filter

The next step is to configure the search filter that lets the One Time Password Server search for the right object classes and attributes according to Microsoft Active Directory.

Click on the “Sample” button, choose the filter template for MS Active Directory and click OK twice.

5.8 Test LDAP Authentication

Click on the Test LDAP Authentication button and type in the userid for a user you want to try to authenticate.

Type in the password.

If everything is correctly configured you will get a success message.

6 Configure the SSL-VPN client settings

Since we are configuring the One Time Password Server to act as a RADIUS server, the actual SSL-VPN server/appliance is considered a client of the One Time Password Server.

In this step we are going to configure the settings for the SSL-VPN client.

In the left pane click on “Clients”.

Type in a name for your SSL-VPN server and the IP address of your SSL-VPN server.

Type in the RADIUS shared secret (this must match the shared secret in Access Gateway).

Choose the Active Directory you configured earlier as User Database.

Click Save.



7 Configure Delivery Method

The Delivery Methods object category is used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords.

One Time Password Server offers various methods like SMS, OATH tokens, Instant Messaging, HTTP and Yubikey.

In this example we will use SMS as method and the Nordic Edge SMS service as SMS provider.

In the evaluation phase we offer customers use of our Nordic Edge SMS service free of charge for 30 days from the activation of the Demo Account.

In the left pane, click “Delivery Methods” and then Nordic Edge SMS. In the right pane enable Nordic Edge SMS Gateway.

To request a demo account click “Request a demo account”.


Click “Yes”


You should now get a success message, and the username and password for the Nordic Edge SMS gateway have automatically been filled in. Click OK and Save Config.





8 Restart the One Time Password Server as Windows Service

In the Server panel, click “Shutdown”.


In Windows Control Panel, open Administrative Tools / Services.

Find the NordicEdge OTPServer service, right-click it and click “Start”.





9 Add mobile phone number with Microsoft Management Console

Add a mobile phone number to your test user's Mobile attribute: start the Microsoft MMC, select the user that you want to use for testing and enter the mobile phone number in the Mobile attribute.


10 Configuring Citrix Access Gateway™ Enterprise Edition

To use the Nordic Edge OTP Server, you have to configure a RADIUS authentication server, bind the server in a policy and then use this policy in the SSL-VPN Virtual Server.

In this example, we already added a Virtual Server for remote access and bound a Session policy to it. There are multiple ways to add a SSL-VPN Virtual Server. You can for example do this with the SSL-VPN wizard that will guide you through this process. For a detailed discussion on how to configure a SSL-VPN server, please review the Access Gateway Administration Guide.

10.1 Adding the authentication server

The first step is to add an authentication server. Go to Access Gateway –> Policies –> Authentication and choose the Servers tab. Use the “Add” button in the lower part of the GUI.

Name: Give the server a suitable name

Choose the Authentication type “RADIUS”. This choice will show all the fields you need to configure the communication with the RADIUS server.

Enter the IP address and port of the Nordic Edge OTP Server. Raise the server time-out to 25 seconds. This allows the RADIUS server to respond with an alternative attribute to Access Gateway if the operator fails to deliver the OTP SMS.

Enter the shared secret key and confirm it (this must match the shared secret in OTP Server). Leave other settings as default.

Repeat the above if you want to add another RADIUS server. However, only one will be used in this example.

After the servers are added, an overview will be found in the “Servers” tab.
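The RADIUS exchange that sections 6 and 10.1 configure, as an added example that is not Nordic Edge or Citrix code: it builds the RFC 2865 Access-Request that Access Gateway sends to the OTP Server on UDP port 1812 and checks the Response Authenticator on the reply, which is why the shared secret must be identical on both sides; a reply built with a different secret fails verification and is discarded. The Access-Challenge/State round trip that carries the SMS code is an assumption about the protocol flow, not a statement from this guide.

```python
# Added example (not Nordic Edge or Citrix code): RFC 2865 packets between Access Gateway
# (RADIUS client) and the OTP Server on UDP 1812; the Access-Challenge/State flow is assumed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: run the same chain backwards and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def pack(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(ident, user, password, secret, auth=None, state=None):
    """What Access Gateway sends: first the AD password, then the SMS code together
    with the State attribute echoed back from the server's Access-Challenge."""
    auth = auth or os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    if state:
        attrs.append((STATE, state))
    return pack(ACCESS_REQUEST, ident, auth, attrs)

def reply(code, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = pack(code, request[1], b"\x00" * 16, attrs)
    digest = hashlib.md5(body[:4] + request[4:20] + body[20:] + secret).digest()
    return body[:4] + digest + body[20:]

def reply_is_authentic(rep: bytes, request: bytes, secret: bytes) -> bool:
    """Client check: a reply built with a different shared secret (or for another request) is discarded."""
    if len(rep) < 20 or rep[1] != request[1]:
        return False
    digest = hashlib.md5(rep[:4] + request[4:20] + rep[20:] + secret).digest()
    return rep[4:20] == digest
```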

10.2 Adding the authentication policy

Go to Access Gateway –> Policies –> Authentication and choose the tab “Policies”. Use the “Add” button in the lower part of the GUI.

Name: Give the policy a suitable name

Choose the Authentication type “RADIUS”. This will give access to the RADIUS server configured earlier.

Add an expression that must evaluate to true for the policy to be triggered once it is bound to the SSL-VPN Virtual Server. For authentication policies, this is almost always the built-in expression “True value”. Press “Add Expression” to add the chosen expression to your policy. For a detailed description of how to build expressions, please see the NetScaler Command Reference Guide.

Repeat the above if you want to add a policy for another RADIUS server. However, only one will be used in this example.

After the policies are added, an overview will be found in the “Policies” tab.

10.3 Virtual Server configuration

Go to Access Gateway –> Virtual Servers and open the one you want to enable for SMS authentication.

Choose the tab “Authentication”. You can bind policies as “Primary” only or as both “Primary” and “Secondary”. In this example we will bind the RADIUS policy as “Primary”. Click “Insert Policy” and in the drop-down menu choose the policy created earlier (Nordic Edge OTP Server). Click “Ok” to accept your changes.

It is now time to try the new authentication server by logging in to your Access Gateway SSL-VPN.

10.4 Test the configuration

Navigate to the Access Gateway Virtual Server log on page. Enter the Microsoft Active Directory user name and password used earlier to configure the OTP server. After entering your credentials, press “Log On” to continue.

A Flash SMS will be delivered to your mobile phone containing the One Time Password.


Enter the One Time Password and click on “Submit”.

You will now be logged in, and depending on the configured Session policy, your VPN connection can be a full SSL-VPN tunnel, a clientless session or a connection to the Web Interface allowing Secure Gateway access. This can be controlled in a way to let the connecting user make the connection type choice, or it can be enforced by the administrator.

11 Purchase

If you want to purchase the product, you are more than welcome to contact us by e-mail (sales@nordicedge.se), phone (+46 8 122 07 500) or fax (+46 8 122 07 508).

12 Technical questions

If you have any technical questions, please contact us at support@nordicedge.se.

Thank you for showing interest in our product!

The Nordic Edge One Time Password Server Team


Product Information

Name: Citrix Systems

Web Site: www.citrix.com

Product Name: Citrix Access Gateway Enterprise Edition

Version & Platform: NetScaler Application Switch 9.3

Product Description

Citrix Access Gateway™ Enterprise Edition is the best solution for demanding remote access deployments, providing the highest scalability, performance, and manageability of any SSL VPN. Access Gateway Enterprise Edition optimizes remote access application delivery by providing high-capacity SSL acceleration, TCP protocol optimization, high-throughput compression, and integrated static and dynamic application caching. This unique combination of capabilities allows administrators to reduce the ongoing cost of secure remote access and improve end-user experience.

The Citrix NetScaler Application Switch is a full-featured networking system that combines Layer 4-7 load balancing and content switching with a full complement of application acceleration and security features. An ideal replacement for aging load balancers and other traditional point solutions, the Application Switch reduces network complexity and overall operational costs.

Product Category

– Perimeter Defense (Firewalls, VPNs and Intrusion Detection)

– Secure Remote Access (SSL VPN / Secure Gateway)


Product Information

Partner Name: Nordic Edge

Web Site: www.nordicedge.se

Product Name: Nordic Edge One Time Password Server

Version & Platform: Nordic Edge One Time Password Server, version 3, on Windows, Mac OS X, Solaris or Linux.

Product Description

Nordic Edge™ One Time Password Server adds extra security to protect your company’s information and applications. When logging in to an application, your username, password and one-time password must be entered. The one-time password is sent via SMS, e-mail or chat. Only after this one-time password has been verified is the user authenticated to the application.

Nordic Edge™ One Time Password Server has ready-made integrations with Citrix Access Gateway, Citrix Web Interface, Microsoft Outlook Web Access (OWA), Microsoft IIS, Microsoft ISA 2006, Microsoft IAG, Novell GroupWise Web Access, Novell Access Manager, CA SiteMinder, IBM Lotus Notes/Domino, and RADIUS clients (VPN and RAS, for example Juniper, Check Point and Cisco). Other applications can easily be integrated using our APIs or web services.

Product Category

– Authentication servers