Configuring Citrix NetScaler with Symantec’s Validation and ID Protection Service


I was recently tasked with testing a two-factor authentication product, Symantec's Validation and ID Protection service (Symantec VIP), with NetScaler. I won't go into too much detail on Symantec VIP, but you can get a good overview from Symantec's product page: http://www.symantec.com/products/videos.jsp?pcid=pcat_security&pvid=vip_1
What I will mention is that the product is similar to RSA's two-factor method, in which you need a token ID number to authenticate, but without the pain of carrying around a hardware token generator. Symantec's product still requires a token ID to authenticate, but the generator is software based, so you can install it on your iPad, BlackBerry, or personal computer. In the end you eliminate carrying a separate device that generates the token ID. I'll show you what the VIP application looks like a little later.

Items needed:

  • Windows based server for the VIP application back end software
  • NetScaler/Access Gateway

I will not show how to set up the Symantec VIP server but rather focus on the NetScaler setup. I am writing this for the following scenario: the company security team has approached you (you being the NetScaler/Citrix administrator) to configure two-factor authentication on your NetScaler, and the only information the security guys have given you is the IP address of the VIP server and a shared secret.

Preliminary Information

The Symantec documentation assumes one will connect through Web Interface or from Windows-based computers, not from mobile devices such as an iPad or Android device. So I have gathered the resources needed to configure the mobile (or other non-Windows) devices that use Citrix Receiver for our Symantec VIP test.

Just as an FYI, Symantec's documentation lists the following configuration order:

  1. Install and Configure VIP Enterprise Gateway
  2. Configure the Citrix NetScaler Device with VIP Enterprise Gateway
  3. Authenticate Users via the Access Gateway or Client


NetScaler Configuration – Adding the RADIUS Authentication Server

I am going to assume that you already have SmartAccess configured and working in your environment, which means you already have a working NetScaler with an SSL certificate and XenApp/XenDesktop in play. First we need to add a secondary authentication server. In my case the second server is called NetScaler_UO.

  1. From the Servers tab, click Add.
  2. In the Create Authentication Server dialog box, type a name for the server in the Name field (for example, "NetScaler_UO").
  3. Select RADIUS as the Authentication Type, and in the Server section, specify values for each parameter:
    1. IP Address: enter the IP address of the Validation Server (the Symantec VIP server).
    2. Port: enter the port number of the Validation Server (the default is 1812).
    3. Time-out: enter a value in seconds (leave the default).

The result looks like this:

[screenshot: Create Authentication Server dialog]
  4. Under the Details section, enter the RADIUS Shared Secret Key and confirm it. Remember, this is the shared key given to you by the security guys.

[screenshot: RADIUS shared secret details]

Add the RADIUS Authentication Policy

For these steps we will refer to the Citrix article http://support.citrix.com/article/CTX125364. Remember that the Symantec guides assume everyone will connect from a Windows PC. The Citrix article adds the policies that let Citrix Receiver on mobile devices work with two-factor authentication as well.

Configuring Access Gateway Enterprise Edition for Two Factor Authentication with iPad and iPhone:

  5. In the Access Gateway Configuration Utility, go to Access Gateway > Policies > Authentication and create separate LDAP and RSA (in our case RADIUS, pointing at the VIP server) authentication policies for mobile devices and for non-mobile devices. This split is necessary to avoid a logic condition in which a client matches a policy set that never evaluates the RADIUS policy, which would let a user log on with the LDAP password alone and bypass the second factor.
  6. Create an LDAP policy for mobile devices (ldap_mobile). To bind this policy only to mobile devices, use the following expression:
     REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  7. Create a RADIUS policy for mobile devices (vip_mobile). To bind this policy only to mobile devices, use the same expression:
     REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  8. Create an LDAP policy for non-mobile devices (ldap_nonmobile). To bind this policy only to non-mobile devices, use the following expression:
     REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  9. Create a RADIUS policy for non-mobile devices (vip_nonmobile). To bind this policy only to non-mobile devices, use the same expression:
     REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  10. Open the properties of the Access Gateway Virtual Server and go to the Authentication tab. Under Primary Authentication Policies, add the vip_mobile policy with the top priority and the ldap_nonmobile policy with the next priority.
  11. Under Secondary Authentication Policies, add the ldap_mobile policy with the top priority, followed by the vip_nonmobile policy.
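The eleven steps above amount to two policy cascades keyed on the User-Agent header. Because that header is client-controlled, the expressions must only decide which pair of policies applies, never whether the VIP factor is required at all: every client class has to reach a RADIUS policy in one of the two cascades. The following Python model, added here as an illustration and not code from Citrix or Symantec, evaluates the classic CONTAINS/NOTCONTAINS expressions the way the steps describe, reports any User-Agent that would be authenticated without the RADIUS factor, and emits the equivalent NetScaler CLI add/bind commands. The policy names come from the steps above; the action names (vip_radius, ad_ldap), the virtual server name, the priorities, and the sample User-Agent strings are assumptions constructed for the example.

```python
"""Model of the split mobile / non-mobile authentication cascade.

Added illustration, not NetScaler, Citrix or Symantec code.  Policy names follow
the steps above; action names, vserver name, priorities and the sample
User-Agent strings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str        # NetScaler policy name (e.g. vip_mobile)
    kind: str        # "LDAP" or "RADIUS"
    action: str      # authentication action the policy points at (assumed name)
    op: str          # "CONTAINS", "NOTCONTAINS" or "TRUE" (ns_true, matches everything)
    needle: str = "CitrixReceiver"

    def matches(self, user_agent: str) -> bool:
        """Evaluate the classic expression REQ.HTTP.HEADER User-Agent <op> <needle>."""
        if self.op == "TRUE":
            return True
        hit = self.needle in user_agent
        return hit if self.op == "CONTAINS" else not hit

    def rule(self) -> str:
        if self.op == "TRUE":
            return "ns_true"
        return f'"REQ.HTTP.HEADER User-Agent {self.op} {self.needle}"'

    def cli(self) -> str:
        """NetScaler CLI line that creates this policy."""
        verb = "radiusPolicy" if self.kind == "RADIUS" else "ldapPolicy"
        return f"add authentication {verb} {self.name} {self.rule()} {self.action}"


# A cascade is a list of (priority, policy); the lowest priority number is tried first.
Cascade = List[Tuple[int, Policy]]


def first_match(cascade: Cascade, user_agent: str) -> Optional[Policy]:
    """Return the highest-priority policy whose expression matches, as NetScaler would."""
    for _, pol in sorted(cascade, key=lambda entry: entry[0]):
        if pol.matches(user_agent):
            return pol
    return None


def factors_for(primary: Cascade, secondary: Cascade, user_agent: str) -> Tuple[Optional[str], Optional[str]]:
    """Which authentication kinds (LDAP / RADIUS / None) a client gets in each cascade."""
    prim = first_match(primary, user_agent)
    sec = first_match(secondary, user_agent)
    return (prim.kind if prim else None, sec.kind if sec else None)


def audit(primary: Cascade, secondary: Cascade, user_agents: List[str]) -> List[str]:
    """List every client class that could log on without the VIP (RADIUS) factor."""
    problems = []
    for ua in user_agents:
        kinds = factors_for(primary, secondary, ua)
        if kinds[0] is None:
            problems.append(f"{ua!r}: no primary policy matches, logon would fail")
        elif "RADIUS" not in kinds:
            problems.append(f"{ua!r}: only {kinds[0]} evaluated, VIP token never checked")
    return problems


def bind_cli(vserver: str, primary: Cascade, secondary: Cascade) -> List[str]:
    """CLI lines creating the policies and binding them to the Access Gateway vserver."""
    lines = [pol.cli() for _, pol in primary + secondary]
    for prio, pol in primary:
        lines.append(f"bind vpn vserver {vserver} -policy {pol.name} -priority {prio}")
    for prio, pol in secondary:
        lines.append(f"bind vpn vserver {vserver} -policy {pol.name} -priority {prio} -secondary")
    return lines


# The four policies from steps 6-9 (action names are assumptions).
VIP_MOBILE = Policy("vip_mobile", "RADIUS", "vip_radius", "CONTAINS")
LDAP_NONMOBILE = Policy("ldap_nonmobile", "LDAP", "ad_ldap", "NOTCONTAINS")
LDAP_MOBILE = Policy("ldap_mobile", "LDAP", "ad_ldap", "CONTAINS")
VIP_NONMOBILE = Policy("vip_nonmobile", "RADIUS", "vip_radius", "NOTCONTAINS")

# Bindings from steps 10 and 11.
GOOD_PRIMARY: Cascade = [(10, VIP_MOBILE), (20, LDAP_NONMOBILE)]
GOOD_SECONDARY: Cascade = [(10, LDAP_MOBILE), (20, VIP_NONMOBILE)]

# The logic condition step 5 warns about: a catch-all LDAP primary, VIP bound only for browsers.
BAD_PRIMARY: Cascade = [(10, Policy("ldap_all", "LDAP", "ad_ldap", "TRUE"))]
BAD_SECONDARY: Cascade = [(10, VIP_NONMOBILE)]

# Constructed sample User-Agent strings: one Citrix Receiver, one desktop browser.
SAMPLE_AGENTS = [
    "CitrixReceiver/5.6.1 iOS/6.0 (iPad)",
    "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/18.0",
]

if __name__ == "__main__":
    for line in bind_cli("vs_ag", GOOD_PRIMARY, GOOD_SECONDARY):
        print(line)
    print("good bindings:", audit(GOOD_PRIMARY, GOOD_SECONDARY, SAMPLE_AGENTS) or "every client gets the VIP factor")
    print("bad bindings: ", audit(BAD_PRIMARY, BAD_SECONDARY, SAMPLE_AGENTS))
```

Running the audit over the misconfigured bindings flags the Receiver User-Agent as getting LDAP only, which is exactly the bypass the split policies prevent; the good bindings give mobile clients RADIUS then LDAP and browsers LDAP then RADIUS.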
Customize the Web Interface Logon

Now that everything is configured you should notice that the NetScaler logon page has three form fields, but the labels are not user friendly: after our configuration the defaults are Username, Password 1, and Password 2. In our case we log on with a username, a password, and a Token ID. One can customize the field labels based on this article http://support.citrix.com/article/CTX126206 so the end result looks like this:

[screenshot: Citrix Access Gateway logon page]
The Symantec VIP software

The final piece to this puzzle is using a Token ID to log on. (Well, that is not entirely true, as your security guys would have set up a Symantec/VeriSign login site where you register your AD credentials and associate them with a profile, but I'll let the Symantec and security guys explain that one.) One can install the VIP software on an iPad, Windows PC, or BlackBerry. In my case I carry a BlackBerry, so I decided to install the VIP software on my BB and use it as my Token ID generator, since I carry it everywhere I go.

In the screen captures below you will notice a number beginning with VSMT; that is the number that needs to be registered. Here is the iPad version found in the App Store:

[screenshot: VIP Access on iPad]

BlackBerry version found in BB World:

[screenshot: VIP Access on BlackBerry]

If you are using an iOS device such as an iPad, you need to select Security Token and enter the Domain when creating your account:

[screenshot: iOS account setup]

When authenticating to your Web Interface you enter the Symantec VIP token ID in the third field:

[screenshot: Web Interface logon with token ID]


So far I find it very easy to work with as far as authenticating goes. We have been testing Symantec VIP for the better part of two months and it has worked like clockwork. We will see, once it is introduced to the masses, how easy it is to manage and maintain users on a regular basis.


>trevor

EdgeSight in the Real World

When I was a Citrix consultant, one thing I tried to keep in mind when architecting a solution was to always keep it simple for the customer. Meaning that one should only put a solution in place that matches the in-house expertise available to support the infrastructure. In other words, just because you purchase a XenDesktop or XenApp Platinum license does not mean you should try to install every technology that comes with the license, at least not initially. All too often we had seen implementations sold to the customer (by other vendors, of course) that were too much too soon, and the end result was a delayed project that could not get to production due to time and costs. Just because you can do it does not mean you should do it.

One of the items I always waited to put into play during the initial implementation phase of any project was EdgeSight, especially for I.T. shops that were "newbie" Citrix administrators. I remember being called into a customer's site after the original vendor had exhausted its time trying to get a XenApp project into production. The customer was not too happy with the complexity of everything surrounding the XenApp implementation, which included items such as AppSense and EdgeSight. The customer wanted to scrap EdgeSight altogether, but in the end I convinced them to keep it and put it in play once XenApp was fully working and in production. Over time, after they learned how XenApp worked, EdgeSight was able to give them further insight into the environment.

Ok, Enough of the Chatter, Give me the example!

Fast forward to my current gig, where I was recently tasked with troubleshooting a remote location that had been reporting "response time" issues for some time, years actually. Naturally I love a challenge. The users there still use full desktops (keep in mind Citrix is still relatively new in our company), local file servers, and remote domain controllers. The complaints were the usual: browsing files is slow, remote connections to servers are slow, logging on is slow at times, and many more. What had been established is that the local servers are not resource taxed and the network people swear there is hardly any bandwidth being utilized. The first thing I decided to do was install EdgeSight Endpoint agents on the computers in the remote location. This exposed a few items right away.

One of the glaring items I found was a network delay, but it was happening only for a specific process. With the tools that were in place prior to installing the ES agent, nothing could dig down to the application layer this effectively. The one process happened to be lsass.exe, which at times had issues talking to the domain controller. As you can see in the screen cap below, the lsass.exe process was experiencing a large delay communicating with the domain controller while other processes on the same endpoint were not having any issues:

[screenshot: EdgeSight network delay by process]

We can also pinpoint which domain controller is involved:

[screenshot: EdgeSight network delay by server]

The EdgeSight data exposed that the domain controller was not responding to lsass.exe requests in a timely fashion. That domain controller happens to be in the data center across the WAN. However, since other processes on the same endpoint could communicate without issue with other servers in that same remote data center, the delay points to either an underpowered remote domain controller or the need for a local domain controller.

I will publish more "real life" EdgeSight examples that show how powerful EdgeSight is as a tool to monitor and troubleshoot. Remember, EdgeSight does not just have to be for Citrix-related products.

>trevor

Yet Another Citrix Blog!

Here we go with yet another blog about Citrix and related topics. I realize there are enough of these sites in our world, but I still insist on adding another one. You see, I recently made a life change from Citrix sales consulting, being an "expert" on Citrix solutions, to working in an I.T. shop. Amazing how the word expert leaves your repertoire the moment you are no longer on the sales side of the fence and are part of a private I.T. environment. So now I have many sales reps trying to sell me items and guide me on things that I was pretty good at selling myself. I guess that is the reality I face, but I still consider myself rather schooled on Citrix and the fine suite of products that is available.

Over the next while I will document some of the issues and challenges of my life in I.T. as a Citrix administrator. The company I joined has a small Citrix implementation (that I implemented before I was hired, ironically) and it is going to grow into something that I think will be fun to work on. We have Platinum XenDesktop licensing and I have already configured a small XenDesktop environment. At the moment we have almost every piece of Citrix technology in play, and if it isn't here, people seem to be interested in listening to what I have to pitch. I feel like I am still "solutioning" and whiteboarding, and that is what really keeps me interested. I love to whiteboard and talk, and the fact that I can support and maintain the product is really a bonus.

One main thing I look forward to: when one is architecting solutions for other companies, one does not always get to test and try the products in a full production world. That is always the unknown, but I am fortunate enough to get the best of both worlds. I feel that this will make me an even more seasoned "Citrix Guy".

>trevor