Rublon

Secure Remote Access

By

Last updated on April 23, 2024

Overview of MFA for Citrix Gateway

Multi-Factor Authentication (MFA) for Citrix Gateway is an additional layer of security that requires users to provide two authentication factors to gain access to their accounts. The first factor involves the user entering their Active Directory / RADIUS username and password. Once the first factor is completed, a secondary authentication layer kicks in where users must choose from one of the available authentication methods, such as Mobile Push or Email Link. Upon successful completion of both factors, the user will have access to Citrix Gateway. Implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for Citrix Gateway allows for an added level of protection, ensuring that malicious actors are unable to gain access to sensitive information, even when they know the user’s login credentials.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Demo Video of MFA for Citrix Gateway

Before your start

You need to install and configure Rublon Authentication Proxy itself before configuring Citrix Gateway to work with it. Please read the Rublon Authentication Proxy  documentation and follow the steps in Installation and Configuration sections. Afterwards, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like RADIUS, OpenLDAP or Microsoft Active Directory.

Configuration of MFA for Citrix Gateway

Prepare RADIUS Request Server

1. Log in to Netscaler.

2. Select the Configuration tab

3. Go to Citrix Gateway → Policies → Authentication → RADIUS in the menu on the left.

4. Switch to the Servers tab.

5. Click the Add button.

6. Fill in the Create Authentication RADIUS Server form. Refer to the following image and table.

NameEnter the name of your new Authentication RADIUS Server. This name cannot be changed after the server has been created.
Server Name / IP AddressEnter the FQDN of your RAP server if you chose Server Name, or the IP of your RAP server if you chose Server IP.
PortEnter the port of your RAP server.
Secret KeyEnter the RAP server Secret.
Confirm Secret KeyReenter the RAP server Secret.
Time-outSet to 90s.

7. Click More.

8. Check Send Calling Station ID.

9. You can test your configuration using Test RADIUS Reachability.

10. Click Create to finish creating your new Authentication RADIUS server.

Prepare RADIUS Policy

1. Select the Configuration tab.

2. Go to Citrix Gateway → Policies → Authentication → RADIUS in the menu on the left.

3. Switch to the Policies tab.

4. Click the Add button.

5. Enter the Name for your RADIUS authentication policy, e.g. rap.example.com

6. Select the previously created request server in Server* 

7. Set Expression* to ns_true

Prepare users

1. Select the Configuration tab.

2. Go to Citrix Gateway → User Administration → AAA Users.

3. Click the Add button.

4. Enter the User name.

5. Check External Authentication.

6. Click OK to create the user.

7. Click Done to get back to the userlist.

Note

If you would like to change the way of authenticating an existing user, check the user, and click the Edit button. Next, click the pen icon on the right to open the AAA User form.

Modify login method in Virtual Server

1. Select the Configuration tab

2. Go to Citrix Gateway →  Virtual Servers.

3. Select an existing Virtual Server or create a new one.

4. Select the Virtual Server of your choice and click Edit.

5. Click + in the Basic Authentication section.

6. Set Choose Policy to RADIUS.

7. Set Choose Type to Primary.

8. Click Continue.

9. Navigate to the Policy Binding section. Select the policy you have created before by clicking Click to select under Select Policy*.

10. Check the previously created SAML server. Click Select.

11. Set Binding Details Priority to 100.

12. Click Bind.

Note

If you have a Local Policy defined in the Basic Authentication section, click on it. Check the binding, and click the Unbind button at the top.

13. Your configuration is complete. You can use Rublon 2FA while logging in to Citrix Gateway.

Log in to Citrix Gateway using MFA for Citrix Gateway

1. Provide your login and password, and click Log On.

2. Check your mailbox for an email from Rublon. Open the email, and click Sign In.

3. You will be successfully logged in to Citrix Gateway.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Access Gateway

Rublon Authentication Proxy – Integrations