Last updated on April 23, 2024
Overview of MFA for Citrix Gateway
Multi-Factor Authentication (MFA) for Citrix Gateway is an additional layer of security that requires users to provide two authentication factors to gain access to their accounts. The first factor involves the user entering their Active Directory / RADIUS username and password. Once the first factor is completed, a secondary authentication layer kicks in where users must choose from one of the available authentication methods, such as Mobile Push or Email Link. Upon successful completion of both factors, the user will have access to Citrix Gateway. Implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for Citrix Gateway allows for an added level of protection, ensuring that malicious actors are unable to gain access to sensitive information, even when they know the user’s login credentials.
Supported Authentication Methods
Before you start
You need to install and configure the Rublon Authentication Proxy before configuring Citrix Gateway to work with it. Please read the Rublon Authentication Proxy documentation and follow the steps in its Installation and Configuration sections. Afterwards, follow the Configuration section in this document.
Ensure that you have properly set up your authentication source, that is, an external Identity Provider (IdP) such as RADIUS, OpenLDAP or Microsoft Active Directory.
Configuration of MFA for Citrix Gateway
Prepare RADIUS Request Server
1. Log in to NetScaler.
2. Select the Configuration tab.
3. Go to Citrix Gateway → Policies → Authentication → RADIUS in the menu on the left.
4. Switch to the Servers tab.
5. Click the Add button.

6. Fill in the Create Authentication RADIUS Server form. Refer to the following image and table.

| Field | Value |
| --- | --- |
| Name | Enter the name of your new Authentication RADIUS Server. This name cannot be changed after the server has been created. |
| Server Name / IP Address | Enter the FQDN of your RAP server if you chose Server Name, or the IP of your RAP server if you chose Server IP. |
| Port | Enter the port of your RAP server. |
| Secret Key | Enter the RAP server Secret. |
| Confirm Secret Key | Reenter the RAP server Secret. |
| Time-out | Set to 90s. |
7. Click More.
8. Check Send Calling Station ID.
9. You can test your configuration using Test RADIUS Reachability.
10. Click Create to finish creating your new Authentication RADIUS server.
Prepare RADIUS Policy
1. Select the Configuration tab.
2. Go to Citrix Gateway → Policies → Authentication → RADIUS in the menu on the left.
3. Switch to the Policies tab.
4. Click the Add button.
5. Enter the Name for your RADIUS authentication policy, e.g. rap.example.com
6. Select the previously created request server in Server*.
7. Set Expression* to ns_true.

Prepare users
1. Select the Configuration tab.
2. Go to Citrix Gateway → User Administration → AAA Users.
3. Click the Add button.

4. Enter the User name.
5. Check External Authentication.

6. Click OK to create the user.
7. Click Done to get back to the user list.
Note
If you would like to change the way of authenticating an existing user, check the user, and click the Edit button. Next, click the pen icon on the right to open the AAA User form.
Modify login method in Virtual Server
1. Select the Configuration tab.
2. Go to Citrix Gateway → Virtual Servers.
3. Select an existing Virtual Server or create a new one.
4. Select the Virtual Server of your choice and click Edit.
5. Click + in the Basic Authentication section.

6. Set Choose Policy to RADIUS.
7. Set Choose Type to Primary.

8. Click Continue.
9. Navigate to the Policy Binding section. Select the policy you have created before by clicking Click to select under Select Policy*.
10. Check the previously created SAML server. Click Select.
11. Set Binding Details Priority to 100.
12. Click Bind.

Note
If you have a Local Policy defined in the Basic Authentication section, click on it. Check the binding, and click the Unbind button at the top.
13. Your configuration is complete. You can use Rublon 2FA while logging in to Citrix Gateway.
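To confirm that the GUI steps above actually landed in the saved configuration, the following added example (not part of the original guide and not Rublon or Citrix code) audits NetScaler config text for the 90 s time-out, Send Calling Station ID, the RADIUS policy binding, and a leftover Local policy. It assumes the config uses the NetScaler CLI forms `add authentication radiusAction`, `add authentication radiusPolicy`, `add authentication localPolicy` and `bind vpn vserver`; all object names and the sample lines are constructed.

```python
import shlex

# Constructed sample of saved NetScaler config lines (hypothetical object names).
SAMPLE_NS_CONF = """\
add authentication radiusAction rap_radius -serverIP 192.0.2.10 -serverPort 1812 -authTimeout 90 -radKey REDACTED -encrypted -callingstationid ENABLED
add authentication radiusPolicy rap_policy ns_true rap_radius
add authentication localPolicy local_pol ns_true
bind vpn vserver gw_vs -policy rap_policy -priority 100
bind vpn vserver gw_vs -policy local_pol -priority 110
"""

def _flags(tokens):
    """Map '-flag value' pairs; a flag followed by another flag maps to ''."""
    out = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            out[tok[1:].lower()] = "" if nxt.startswith("-") else nxt
    return out

def audit(conf_text, vserver):
    """Return a list of findings; an empty list means the config matches the guide."""
    actions, radius_pols, local_pols, bound = {}, {}, set(), {}
    for line in conf_text.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "authentication", "radiusAction"]:
            actions[t[3]] = _flags(t[4:])
        elif t[:3] == ["add", "authentication", "radiusPolicy"]:
            radius_pols[t[3]] = t[5] if len(t) > 5 else None
        elif t[:3] == ["add", "authentication", "localPolicy"]:
            local_pols.add(t[3])
        elif t[:3] == ["bind", "vpn", "vserver"] and len(t) > 3 and t[3] == vserver:
            f = _flags(t[4:])
            if "policy" in f:
                bound[f["policy"]] = f.get("priority")
    findings = []
    bound_radius = [p for p in bound if p in radius_pols]
    if not bound_radius:
        findings.append("no RADIUS policy bound to " + vserver)
    for pol in bound_radius:
        act = actions.get(radius_pols[pol], {})
        # Flags left at their default are omitted from the saved config
        # (assumed defaults: 3 s time-out, Calling Station ID DISABLED).
        if act.get("authtimeout", "3") != "90":
            findings.append(pol + ": time-out is not 90 s")
        if act.get("callingstationid", "DISABLED").upper() != "ENABLED":
            findings.append(pol + ": Send Calling Station ID is off")
    for pol in bound:
        if pol in local_pols:
            findings.append(pol + ": Local policy still bound")
    return findings
```

Run `audit()` on the text of your saved configuration with the name of your Gateway virtual server; the constructed sample reports only the Local policy that the Note above says to unbind.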
Log in to Citrix Gateway using MFA for Citrix Gateway
1. Provide your login and password, and click Log On.

2. Check your mailbox for an email from Rublon. Open the email, and click Sign In.


3. You will be successfully logged in to Citrix Gateway.
Troubleshooting
If you encounter any issues with your Rublon integration, please contact Rublon Support.