Mastering NetScaler VPX™

Configuring NetScaler® AAA

To add authentication in front of the load balancing features, use the Citrix NetScaler AAA feature. The following steps secure a load balancing virtual server with two-factor authentication based on Web Form authentication:

  1. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Profiles, and click on Add.

    Fill in the correct information based on the following explanation:

    • Name: Choose a descriptive name for the AAA Session Profile, for example, AAA-Pro-Session.
    • Session Time-out (mins): The time, in minutes, before Citrix NetScaler terminates the session.
    • Default Authorization Action: This can be ALLOW or DENY. Select ALLOW.
    • Single Sign-on to Web Applications: Enable this if you want single sign-on (SSON) to the backend.
    • Credential Index: Select whether the credentials from the primary or the secondary authentication policy are used for SSON.
    • Single Sign-on Domain: This will be the internal domain name from the AD or NDS.
    • HTTPOnly Cookie: Marks the session cookie as HTTPOnly, in which case the cookie cannot be accessed by scripts.
    • Enable Persistent Cookie: You can enable or disable persistent SSO cookies for the traffic management (TM) session. A persistent cookie remains on the user device and is sent with each HTTP request.
    • Persistent Cookie Validity: This is an integer specifying the number of minutes for which the persistent cookie remains valid.
    • KCD Account: The Kerberos constrained delegation account name, used with Kerberos authentication.
    • Home Page: This is the web address of the home page that is displayed to a user when the authentication vserver is bookmarked and used to log in.
  2. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Policies, and click on Add:
    • Name: Choose a descriptive name for the AAA Session Policy, for example, AAA-Pol-Session.
    • Request Profile: Select the profile created in step 1.
    • Expression: You can bind an expression. In this case, we use ns_true.
  3. Go to Security | AAA - Application Traffic | Virtual Servers, and click on Add. Fill in the correct information based on this explanation:
    • Name: Again, choose a descriptive name for the AAA virtual server, for example, AAA-Srv-TwoFactor.
    • IP Address Type: Select IP Address, or Non Addressable if you want to use the content switching method.
    • Port: This is the AAA virtual server port. The default is 443.
    • Authentication Domain: This would be the domain from the public site, for example, contoso.com.
  4. Bind the certificate.
  5. Bind the session policy created in step 2.
  6. Bind the Basic Authentication Policies: add LDAP as Primary and RADIUS as Secondary. Click on Continue.
  7. Go to Security | AAA - Application Traffic | Authentication Profile, and click on Add. Fill in the correct information based on the explanations given here:
    • Name: Choose a descriptive name that corresponds to the AAA virtual server, for example, AAA-AuthPol-TwoFactor.
    • Authentication Host: This is the FQDN on which the NetScaler AAA virtual server responds, for example, twofactor.contoso.com.
    • Choose Authentication Virtual Server Type: Choose Authentication Virtual Server.
    • Authentication Virtual Server: Select the Authentication Virtual Server created in step 3.
    • Authentication Domain: This would be the domain from the public site, for example, contoso.com.
    • Authentication Level: Fill in the value as 1 if you are using one authentication method, and 2 if you are using two-factor authentication.
  8. Open the Load Balancing Virtual Server that you want to protect. Add the Authentication from the right-hand side of the page.
  9. Select Form Based Authentication or 401 Based Authentication. In this case, we use Form Based Authentication because we want two-factor authentication:
  10. Authentication FQDN: This is the FQDN from the NetScaler AAA virtual server, for example, twofactor.contoso.com.
    • Choose Authentication Virtual Server Type: Choose Authentication Virtual Server.
    • Authentication Virtual Server: Select the Authentication Virtual Server created in step 3.
    • Authentication Profile: Select the Authentication Profile created in step 7.
  11. Now your Load Balancing Virtual Server is protected with the NetScaler AAA security.
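
To confirm that the result of steps 1 to 11 really places a load balancing virtual server behind two bound authentication factors, the saved configuration can be audited offline. The script below is an added example, not code from the book or from Citrix. It assumes the classic CLI syntax in which the appliance saves these objects to ns.conf. The object names are the page's examples, while the IP addresses, LDAP-Pol, RADIUS-Pol, their server names and LB-Web are made up for the sample.

```python
import shlex

# Constructed ns.conf excerpt for the objects built in steps 1-11. Object names are
# the page's examples; IPs, LDAP-Pol/RADIUS-Pol, server names and LB-Web are assumed.
SAMPLE_CONF = """\
add authentication ldapPolicy LDAP-Pol ns_true LDAP-Srv
add authentication radiusPolicy RADIUS-Pol ns_true RADIUS-Srv
add authentication vserver AAA-Srv-TwoFactor SSL 192.0.2.10 443 -AuthenticationDomain contoso.com
bind authentication vserver AAA-Srv-TwoFactor -policy AAA-Pol-Session -priority 100
bind authentication vserver AAA-Srv-TwoFactor -policy LDAP-Pol -priority 100
bind authentication vserver AAA-Srv-TwoFactor -policy RADIUS-Pol -priority 100 -secondary
add authentication authnProfile AAA-AuthPol-TwoFactor -authnVsName AAA-Srv-TwoFactor -AuthenticationHost twofactor.contoso.com
add lb vserver LB-Web SSL 192.0.2.20 443 -Authentication ON -authnProfile AAA-AuthPol-TwoFactor
"""

def parse(conf):
    """Map (object kind, name) -> {'opts': merged add/set options, 'binds': [options per bind]}."""
    objs = {}
    for line in conf.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0].lower() not in ("add", "set", "bind"):
            continue
        obj = objs.setdefault((" ".join(tok[1:3]).lower(), tok[3]), {"opts": {}, "binds": []})
        opts, rest = {}, tok[4:]
        for i, t in enumerate(rest):
            if t.startswith("-"):  # "-key value", or a bare flag such as -secondary
                bare = i + 1 == len(rest) or rest[i + 1].startswith("-")
                opts[t[1:].lower()] = True if bare else rest[i + 1]
        if tok[0].lower() == "bind":
            obj["binds"].append(opts)
        else:
            obj["opts"].update(opts)
    return objs

def audit(conf):
    """Return findings for LB vservers that are not behind two bound authentication factors."""
    objs, findings = parse(conf), []
    # Authentication policies only; the tm session policy bound in step 5 is not a factor.
    auth_pols = {n for k, n in objs if k.startswith("authentication ") and k.endswith("policy")}
    for name, lb in ((n, o) for (k, n), o in objs.items() if k == "lb vserver"):
        prof = objs.get(("authentication authnprofile", lb["opts"].get("authnprofile")))
        if str(lb["opts"].get("authentication")).upper() != "ON" or prof is None:
            findings.append(f"{name}: form-based AAA authentication is not enforced")
            continue
        vs = objs.get(("authentication vserver", prof["opts"].get("authnvsname")), {"binds": []})
        factors = [b for b in vs["binds"] if b.get("policy") in auth_pols]
        for label, want in (("primary", False), ("secondary", True)):
            if not any(bool(b.get("secondary")) == want for b in factors):
                findings.append(f"{name}: no {label} authentication policy bound")
    return findings
```

An empty list from `audit()` means every load balancing virtual server in the file references an authentication profile whose authentication virtual server has both a primary and a secondary policy bound.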