Duo two-factor authentication with NetScaler Gateway

I have been seeking an alternative for second-factor authentication with Citrix NetScaler for a while, just sick of RSA and all its complexity, upgrades, tokens, etc.  During my search for another method I was directed to Duo and was immediately excited about it.  Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.

Duo integrates with Citrix NetScaler Gateway as a RADIUS server: the NetScaler sends the logon to the Duo Authentication Proxy over RADIUS, and the proxy performs the primary authentication against your LDAP/Active Directory back end before adding the Duo second factor.


Screenshots below are from my Apple Watch and iPhone using the “Push” option

[screenshots: Duo Push approval on Apple Watch and iPhone]

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • StoreFront 3.5

To integrate Duo with your NetScaler Gateway, you will need to install a local proxy service on a server within your network. Before proceeding, you should locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, we recommend Windows Server 2008 R2 or later, Red Hat Enterprise Linux 6 or later, CentOS 6 or later, or Debian 6 or later).

Then you’ll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Citrix NetScaler in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname.

Install the Duo Authentication Proxy

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

  1. Download the Duo Authentication Proxy for Windows.
  2. On the Windows system you have chosen to host the Duo Authentication Proxy, launch the proxy installer and follow the on-screen prompts.

Configure the Proxy

After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

Platform          Default Configuration Path
Windows (64-bit)  C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
Windows (32-bit)  C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
Linux             /opt/duoauthproxy/conf/authproxy.cfg

Your Auth Proxy config will look something like this.

; authproxy.cfg for the NetScaler integration. Values in <...> are placeholders you fill in.
; This file holds the LDAP service-account password and the Duo secret keys in clear text:
; restrict it to the proxy's service account and administrators.

[ad_client]
; Primary (LDAP) authentication. Point at a domain controller, or at an LDAP load-balancing
; VIP on the NetScaler as I do.
host=<IP address of your LDAP server>
service_account_username=<read-only LDAP service account>
service_account_password=<LDAP_Password>
; You can specify an OU, but pointing at the domain root is easier; restrict who may log on
; with a user group afterwards.
search_dn=dc=domain,dc=com

[radius_server_iframe]
; Browser logons: the proxy authenticates against [ad_client] first, then prompts for Duo.
type=citrix_netscaler
ikey=<Duo integration key for the Citrix NetScaler application>
skey=<Duo secret key for the Citrix NetScaler application>
api_host=<Duo API hostname for the Citrix NetScaler application>
; safe = let users in on primary auth alone if the Duo cloud is unreachable; secure = deny.
; Choose deliberately: "safe" is fail-open.
failmode=safe
client=ad_client
; The address the NetScaler sources RADIUS traffic from: the NSIP, or a SNIP if your HA pair
; shares one. If each node sends from its own NSIP, add radius_ip_2/radius_secret_2 for the
; second node.
radius_ip_1=<NetScaler NSIP or SNIP>
radius_secret_1=<RADIUS shared secret between your NetScaler and the Auth Proxy server>
port=1812

[radius_server_auto]
; Same primary auth, on a second port and without the iframe: Duo picks the factor
; (push, phone call, passcode) automatically. Useful for clients that cannot show the iframe.
ikey=<Duo integration key for the Citrix NetScaler application>
skey=<Duo secret key for the Citrix NetScaler application>
api_host=<Duo API hostname for the Citrix NetScaler application>
failmode=safe
client=ad_client
radius_ip_1=<NetScaler NSIP or SNIP>
radius_secret_1=<RADIUS shared secret between your NetScaler and the Auth Proxy server>
port=18120

[cloud]
; Directory sync from the Duo Admin Panel to your LDAP environment. This section uses the
; keys of a separate "Authentication Proxy" application in Duo, not the NetScaler one.
ikey=<Duo integration key for the Authentication Proxy application>
skey=<Duo secret key for the Authentication Proxy application>
api_host=<Duo API hostname for the Authentication Proxy application>
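The radius_ip_1/radius_secret_1/port settings above define a plain RADIUS relationship between the NetScaler (client) and the proxy (server), and it is worth seeing exactly what that secret protects. The following is an added example of mine, not code from the post or from Duo: it builds an Access-Request the way a RADIUS client does (RFC 2865), obfuscates the user's AD password with the shared secret, and verifies the Access-Accept that comes back. All names, addresses and the secret are constructed. It also adds the Message-Authenticator HMAC (RFC 2869), which the Blast-RADIUS (CVE-2024-3596) mitigations make mandatory on Access-Requests; the response-side HMAC is left out for brevity.

```python
"""Minimal RADIUS/PAP Access-Request and Access-Accept, as exchanged between a
NetScaler radiusAction and the Duo Authentication Proxy.  Added example, not from
the post or from Duo.  All values are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length octet counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets; c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = RequestAuth."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: anyone with the secret and a capture recovers the AD password,
    which is why the NetScaler-to-proxy path belongs on a trusted segment."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the NetScaler sends to radius_ip_1:port.  The authenticator is random
    unless fixed (for tests)."""
    ra = os.urandom(16) if authenticator is None else authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    # RFC 2869 3.2: HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attributes(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the request HMAC; an absent attribute counts as a failure."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the proxy answers.  RFC 2865 3: ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client-side check: a forged Accept from someone without the secret fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"radius-shared-secret"                     # constructed; stands in for radius_secret_1
    req = build_access_request(1, SECRET, "alice", "Pa$$w0rd!", "10.0.0.5")
    print("Access-Request:", len(req), "bytes, User-Name =", parse_attributes(req)[USER_NAME])
    print("Message-Authenticator ok:", verify_message_authenticator(req, SECRET))
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    print("Accept verifies:", verify_response(req, accept, SECRET))
    forged = build_response(ACCESS_ACCEPT, req, b"guess")
    print("Forged Accept verifies:", verify_response(req, forged, SECRET))
```

The point for this deployment: the shared secret is the only thing standing between a packet capture and the user's Active Directory password, and the only thing authenticating the Accept that lets the user through the Gateway. Use a long random secret, restrict the proxy's RADIUS port to the NetScaler addresses (radius_ip_1 does this on the proxy side), and keep the two on a network segment you trust.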


Done; now let's do the NetScaler work.  The steps below create a new NetScaler Gateway that scored an A+ with SSLLABS.COM.  SSL Labs grading has tightened since this was written (TLS 1.0/1.1 and 3DES now cost you the grade), so the notes under each step point out what to change on a current build.

1. Create your Duo RADIUS server (radiusAction) and policy.  In the sample below the policy uses ns_true, which matches every request.  You can certainly get creative and match on headers carrying Citrix Receiver information, such as “REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver”; that is also how you would send native Receiver clients to a second radiusAction pointing at the [radius_server_auto] listener on port 18120, which does not depend on the browser iframe.  Two things to check in the action: -authTimeout 60 is deliberate, because the default of 3 seconds expires before anyone can answer a Duo Push; and -encrypted -encryptmethod ENCMTHD_3 only belong on a key copied out of ns.conf, so when you type the command yourself pass the plaintext shared secret and drop those two options.

add authentication radiusAction duo_ctx_web_srv -serverIP YOUR_AUTH_PROXY_SERVER -serverPort 1812 -authTimeout 60 -radKey "Radius Shared Key between your NetScaler and Auth Proxy server" -encrypted -encryptmethod ENCMTHD_3 -accounting ON
add authentication radiusPolicy duo_ctx_web_pol ns_true duo_ctx_web_srv

2. Create your custom cipher group, then bind the ciphers to it.  NetScaler negotiates ciphers in the order they are bound to the group, so bind the ECDHE AES-GCM suites first.  The list below is the original set reordered strongest-first, minus the DHE-DSS suites (never negotiable with an RSA certificate) and the 3DES suites (SSL3-DES-CBC3-SHA, SSL2-DES-CBC3-MD5, SSL3-EDH-DSS-DES-CBC3-SHA, SSL3-EDH-RSA-DES-CBC3-SHA, TLS1-ECDHE-RSA-DES-CBC3-SHA), which SSL Labs has since started marking down.  Re-add a 3DES suite at the very end only if you still have clients that need it.

add ssl cipher custom_ciphers

bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-AES-128-CBC-SHA

3. Create your Strict-Transport-Security rewrite policy.  max-age=157680000 is five years; only add includeSubDomains if every host under the domain is served over HTTPS.

add rewrite action rw_action_sts_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy rw_pol_sts_config TRUE rw_action_sts_header

4. Create your redirect from HTTP to HTTPS.  HTTP_URL_SAFE percent-encodes unsafe characters, so a crafted Host header or path cannot inject anything into the Location header; use -responseStatusCode 301 instead of 302 if you want browsers to cache the redirect.  The dummy service on 127.0.0.1 exists only so the HTTP virtual server in the next step shows UP.

add responder action http_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https RESET

add service ns_redirect_dummy 127.0.0.1 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

5. Create your HTTP NetScaler Gateway VIP and bind the HTTP to HTTPS redirect responder

add lb vserver remote_ns_gtw_redirect HTTP YOUR_IP_ADDRESS 80 -persistenceType NONE -cltTimeout 180
bind lb vserver remote_ns_gtw_redirect ns_redirect_dummy
bind lb vserver remote_ns_gtw_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST

6. Create your NetScaler Gateway virtual server.  The 2048-bit DH parameter file must exist before you reference it (generate it with create ssl dhParam).  SSLv3 is disabled here; on a current build also disable TLS 1.0 and 1.1 on the vserver (-tls1 DISABLED -tls11 DISABLED), since SSL Labs now caps servers that offer them at B.

add vpn vserver remote_ns_gtw SSL YOUR_IP_ADDRESS 443 -maxAAAUsers 9045 -downStateFlush DISABLED -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED
set ssl vserver remote_ns_gtw -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048.key" -ssl3 DISABLED
bind vpn vserver remote_ns_gtw -staServer "http://YOUR_STA_SERVER:180"
bind vpn vserver remote_ns_gtw -staServer "http://YOUR_OTHER_STA_SERVER:180"
bind vpn vserver remote_ns_gtw -portaltheme X1

7. Bind your Duo RADIUS policy and the session policy (the sample below binds an existing StoreFront 3.5 session policy, web_sf35_policy).  Notice that the Strict-Transport-Security rewrite policy (rw_pol_sts_config) is bound at priority 120: that leaves room for the two rewrite policies bound in step 10, which automatically tick the “I accept the Terms & Conditions” checkbox and enable the “Log On” button.  The _cache* bindings are the built-in integrated-caching policies.

bind vpn vserver remote_ns_gtw -policy duo_ctx_web_pol -priority 100
bind vpn vserver remote_ns_gtw -policy web_sf35_policy -priority 100
bind vpn vserver remote_ns_gtw -policy rw_pol_sts_config -priority 120 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver remote_ns_gtw -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE

8. Bind your SSL certificate and custom Ciphers to your NetScaler Gateway

bind ssl vserver remote_ns_gtw -cipherName custom_ciphers
bind ssl vserver remote_ns_gtw -certkeyName wildcard

9. Bind the ECC curves; the ECDHE suites, and with them forward secrecy, need at least one.  P_256 and P_384 are what current clients use, so P_224 can be left out.

bind ssl vserver remote_ns_gtw -eccCurveName P_256
bind ssl vserver remote_ns_gtw -eccCurveName P_384
bind ssl vserver remote_ns_gtw -eccCurveName P_224
bind ssl vserver remote_ns_gtw -eccCurveName P_521

10. Set up the rewrite policies that automatically tick the “I accept the Terms & Conditions” checkbox and enable the “Log On” button.  In the end you will have three rewrite policies bound: one that ticks the checkbox, one that enables the “Log On” button, and the HSTS one from step 3, which you need for the A+ score.  A rewrite bank is evaluated in priority order and END stops it, so both page-modifying policies use NEXT; with END on the priority-110 binding, the HSTS header would be missing on every response that policy rewrites, i.e. on the logon page itself.

bind vpn vserver remote_ns_gtw -policy ns_gtw_eula_checked_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver remote_ns_gtw -policy ns_gtw_LogonAutoEnable_rw_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE


11. Set up the firewall NAT and ACL; this example uses a Cisco ASA.  The Gateway VIP belongs in a DMZ.  On ASA 8.3 and later the static NAT is configured inside the network object, and the ACL entries use the real (inside) address; the list only takes effect once it is applied to the outside interface with access-group, which this example assumes is already done.

object network obj-YOUR_IP
 host YOUR_IP
 nat (dmz,outside) static YOUR_EXTERNAL_IP

access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq www
access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq https

That is it! Hope this helps:)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

5 Responses to Duo two-factor authentication with NetScaler Gateway

  1. Javier says:

    This is just absolutely magical Daniel. Thank you so much for sharing.
    If you are ever looking for a gig please ping me as we can use someone like yourself to guide our IT remote connectivity department

  2. Lora says:

    Wow Daniel. We are doing a POC and we got lost on the NetScaler part.
    Thank you so much for putting this up.

  3. Marco says:

    A+ SSL and kick @ss second factor in one post? Daniel you want a job with us? I work at a large bank in NYC.

    I know you from Citrix Synergy in LA.

    Thanks for the post

  4. Chris says:

    There’s also an alternative setup option if you want to use Duo and still have the NetScaler handle LDAP authentication (to allow for AD password reset, AD group based session policies, etc.). The alternative setup is described here.

    https://duo.com/docs/citrix_netscaler-alt
