Azure Multi-Factor Authentication Server with Citrix NetScaler can be very powerful in protecting your infrastructure. NetScaler can use LDAP (or Active Directory) to authenticate users, but to add an extra layer of security we can use Multi-Factor Authentication (MFA). After entering their username and password when logging into, for example, NetScaler Gateway, the user will receive a notification in the Microsoft Authenticator app or a phone call from Azure. NetScaler will authenticate the user using Azure and MFA Server.
In this blog I will show you how this can be done. On my NetScaler I have set up full SSL VPN, and will configure the virtual server to authenticate using Azure MFA. I have set up a dedicated Windows 2016 Server on-premise to run MFA Server. On-premise MFA Server is the choice if you want to secure VPNs, IIS-based web applications or other on-premise applications using LDAP or RADIUS authentication.
Deliverables of this post:
- Citrix NetScaler SSL VPN using MFA authentication.
- Setup MFA Server on premise.
Requirements for the configuration:
- Citrix NetScaler 11.1 (www.citrix.com).
- Windows 2016 Server.
- Azure subscription.
- SSL VPN already configured on NetScaler (see this post).
- Valid SSL certificate.
- Active Directory for user authentication.
- A hostname for the MFA Server, in my case https://mfa.vikash.nl. This must match your SSL certificate.
Setup Azure Active Directory
We have to link our on-premise Active Directory to Azure AD and sync the users to Azure, so we start by setting up Azure Active Directory. Log into the Azure Classic Portal: https://manage.windowsazure.com.
In the classic portal, navigate to Active Directory in the left column. Click on MULTI-FACTOR AUTH PROVIDERS and then click on CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
Give it a name, select the usage model and click CREATE.
Select the provider you just created, and click on MANAGE at the bottom of the page.
A new browser window will open, and you will be redirected to the Azure Multi-Factor Authentication website to download the MFA Server software. Click on DOWNLOADS.
Then click on Download to start the download. Save the setup file on the Windows Server where you want to install the MFA Server software. Leave this page open.
Setup MFA Server
Switch to your Windows Server and start the installation of MFA Server. It will install some runtime libraries, click on Install.
Click on Next.
Click on Finish after the installation is complete.
The Configuration Wizard starts. Select the checkbox Skip using the Authentication Configuration Wizard. We will configure MFA manually. Then click on Next.
Activate MFA Server
Now we have to link and authenticate our new MFA Server to Azure MFA. Go back to the Downloads Server page, and click on Generate New Activation Credentials. They are only valid for 10 minutes.
Go back to your MFA Server, where you will be prompted to activate the MFA Server. Enter the Email and Password you got in the step above, and click on Activate.
Click on OK on the Join Group window.
Click on No when asked if you want to run the wizard.
You will see the status of your MFA Server. It should say Online.
Import users to Azure
We have to import the on premise users to Azure. I will connect MFA Server to my Active Directory using a specific account (service account). This is the same service account I am using to connect my NetScaler to my Active Directory.
Go to Directory Integration and select Use specific LDAP configuration. Then click on Edit.
Enter the service account details. Set the Queries and Authentications to Simple and click on Test.
Click on OK on the connection successful dialogue.
Then click on OK to close the Edit LDAP Configuration window.
Go to Company Settings and enable Use LDAP unique identifier attribute for matching usernames.
Now MFA Server is set up to read the Active Directory users. Let's import them. Go to Users and click on Import from LDAP.
Navigate to the container where your users are. You can then select specific users, or just select the container and then import. Check the box Add new users and also Enabled to enable users where the Phone Number is already in Active Directory. Click on Import.
It will tell you how many users were imported. Click on OK.
Test Azure user connection
Now that we have the users in Azure, it is time to test! Let’s see if the MFA Server can communicate with Azure for a specific user we imported.
Go to Users and select a user. Click on Test.
You will get a popup asking you for the password. Enter the password, and select LDAP Bind. Click on Test.
MFA Server will now connect and authenticate the user on Azure.
The user will get a phone call from Azure. Tap on Accept.
To accept the authentication you have to tap the # key.
Back on the MFA Server you will now get an Authentication successful message. Click on OK.
Configure NetScaler to use MFA
Before we can configure NetScaler, we have to setup a few things on the MFA Server to allow communications from the NetScaler.
Allow LDAP communication from NetScaler
We have to allow LDAP communication for NetScaler on the MFA Server. Go to LDAP Authentication and enable Enable LDAP Authentication. Click on Add.
Enter the NSIP of the NetScaler and give it a name. Check the box Require Multi-Factor Authentication user match. Click on OK.
Import LDAP service account
Now go to Users and import the service account you will be using to communicate from the NetScaler to the MFA Server when doing LDAP searches. This user has to be disabled, so make sure the phone number field is empty. Otherwise, each time NetScaler queries the MFA Server for LDAP searches, MFA will also call the service account user.
Automatic user synchronization
Enable automatic synchronization between Active Directory users and Azure. This way you won't have to manually add or remove users in Azure (as long as they are in the correct container). Go to Directory Integration, click on the tab Synchronization and select Enable synchronization with LDAP. Configure the interval as you like.
Add MFA as LDAP Server on NetScaler
Log into your NetScaler management interface. Navigate to System -> Authentication -> LDAP -> Servers. Click on Add.
Enter a name, and specify the IP address of your MFA Server as LDAP server. Then enter the details of the service account we will use to authenticate NetScaler to the MFA Server. Make sure to set the Time-out to the time within which the user has to accept the MFA request, either via phone call or the authenticator mobile app. In my case the user has 3 minutes to complete the authentication. Then click on Test Connection. If everything went fine, the green box will appear.
Scroll to the bottom of the page and click on Create.
You should now see the MFA Server in your list of LDAP Servers on the NetScaler.
Add LDAP policy for MFA Server on NetScaler
Navigate to System -> Authentication -> LDAP -> Policies and click on Add.
Give it a name, and make sure to select your MFA LDAP Server. Enter ns_true in the expression box and click Create.
Enable MFA Authentication for NetScaler Gateway
In a previous post I set up NetScaler Gateway for SSL VPN. I will modify that to use MFA for authentication. The concept is the same for any other NetScaler Gateway Virtual Servers you have.
Navigate to NetScaler Gateway -> NetScaler Gateway Virtual Servers. Select your virtual server and click on Edit.
Scroll down to the Basic Authentication section and select your LDAP Policy.
Select the already existing LDAP policy to unbind it. Click on Unbind.
Click on Yes to confirm.
Now we can bind the MFA LDAP Policy we created earlier. Click on Add Binding.
Make sure the MFA LDAP policy is selected and then click on Bind.
Then click on Close.
Scroll down the page and click on Done.
Time for testing
Browse to your NetScaler Gateway page. In my case that is: https://vpn.vikash.nl/. Log in using a user which is enabled for MFA. Click on Log On.
After clicking on Log On the page will not refresh. Remember the Time-Out value we adjusted earlier? This is the time this page will wait for you to authenticate. Azure will now call the user on the phone number supplied. Click on Accept.
Tap on the # key to accept the authentication request.
Then the browser page will refresh, because the NetScaler will receive a successful authentication message from the MFA Server.
You can see this happening when you enable authentication debugging on the NetScaler.
The next step is to Setup Azure MFA User Portal for Self Service.
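For readers who prefer the NetScaler CLI, here is the equivalent of the GUI steps above (LDAP server pointing at the MFA Server, LDAP policy, rebinding the Gateway virtual server, and watching the authentication debug log). This is an added example and not part of the original post. The MFA Server IP, search base, service account DN, virtual server name and old policy name are constructed placeholders; the 180-second timeout mirrors the 3 minutes used above.

```netscaler
# Added example: NetScaler 11.1 CLI equivalent of the GUI steps in this post.
# Every value below is a constructed placeholder, not from the original post:
#   10.0.0.50   = IP of the on-premise MFA Server (assumption)
#   vsrv_vpn    = name of the existing NetScaler Gateway virtual server (assumption)
#   pol_ldap_ad = name of the old LDAP policy that pointed straight at AD (assumption)

# 1. LDAP server: point at the MFA Server, not at a domain controller.
#    authTimeout must cover the time the user has to answer the call or app
#    prompt; the post uses 3 minutes. The NetScaler default (3 seconds) would
#    fail every MFA request. Plain LDAP on 389 as in the post. The bind DN is
#    the service account imported into MFA Server with an empty phone number,
#    otherwise every LDAP search from NetScaler triggers a call to that account.
add authentication ldapAction ldap_mfa -serverIP 10.0.0.50 -serverPort 389 \
    -ldapBase "dc=example,dc=local" \
    -ldapBindDn "cn=svc_netscaler,ou=ServiceAccounts,dc=example,dc=local" \
    -ldapBindDnPassword "<service-account-password>" \
    -ldapLoginName sAMAccountName \
    -authTimeout 180

# 2. Classic LDAP policy: ns_true applies the policy to every request,
#    exactly as entered in the expression box in the GUI.
add authentication ldapPolicy pol_ldap_mfa ns_true ldap_mfa

# 3. Swap the authentication binding on the Gateway virtual server:
#    unbind the old direct-to-AD policy, bind the MFA one.
unbind vpn vserver vsrv_vpn -policy pol_ldap_ad
bind vpn vserver vsrv_vpn -policy pol_ldap_mfa -priority 100

# 4. Verify the action and persist the running config.
show authentication ldapAction ldap_mfa
save ns config

# 5. Watch the authentication exchange while testing a logon. Run from the
#    NetScaler FreeBSD shell; the bind to the MFA Server stays open until the
#    user accepts the call or app prompt, or authTimeout expires.
shell
cat /tmp/aaad.debug
```

If a logon fails only with the MFA policy bound, the first thing to compare is authTimeout against how long the user actually takes to accept: a timeout that is too short shows up in aaad.debug as the LDAP bind failing before the MFA Server has answered.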