Netscaler as ADFS proxy with adfs 3.0 and MFA

  • Question

  • Hi all, 

    I am aware that NetScaler can replace the ADFS proxy with ADFS 3.0 when the forms-based authentication method is used. However, I want to make sure that if certificate authentication or Azure MFA is selected as the MFA method on ADFS, NetScaler would still work.

    What about DRS? Are there any concerns/incompatibilities?

    In summary, do I lose anything if I use NetScaler instead of the ADFS proxy?

    Thanks


    MM

    Tuesday, November 24, 2015 8:18 PM

Answers

  • Just to add to what Pierre wrote:

    - the WAP provides context-based information that allows you to identify where the request is coming from (internal vs. external), as a claim is injected by the WAP into requests that pass through it... this is the policy-based access he refers to.

    - you can do MFA from the NetScaler using RADIUS, but this is ultimately a non-federated "transaction" where you'll end up doing MFA on the NetScaler and then using KCD to animate the AD identity in the backend. While promoting the NetScaler as an AD FS proxy is fine for browser-based access, it will present problems, as you mentioned, where other endpoints come into play (e.g. DRS as a web services endpoint). This is not a Citrix-specific issue, but also potentially applies to other gateways that can't handle rich/active clients.

    FWIW, I'd stick to using the WAP :-)

    Regards,

    Mylo


    http://blog.auth360.net

    Thursday, December 3, 2015 10:27 PM
  • In order to fully replace an ADFS proxy, the NetScaler has to implement all the specifications described here:

    To my knowledge, it isn't the case. So it might be a question to ask the Citrix folks.

    Azure MFA can be used on NetScaler. But this is a classic RADIUS integration and not an ADFS integration.

    The WAP server plays an important role in ADFS deployments because it enables you to manage different authentication policies. Say, when the user is coming directly to the ADFS server, it is using Windows Integrated Authentication. When the user is connected through the WAP server, then it is forms-based authentication. If you don't use the WAP, you have to use the same authentication policy for everyone. And because you most likely still want SSO for internal users, this policy will be Windows Integrated Authentication. And if you want to make that work through a 3rd-party reverse proxy, it has to be configured to perform Kerberos Constrained Delegation on behalf of the user. And I personally don't know what NetScaler is capable of.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, November 25, 2015 6:06 PM
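The per-location authentication policy and the location claim that Pierre and Mylo describe, shown as an AD FS 3.0 (Windows Server 2012 R2) PowerShell configuration. This is an example added here, not code from the thread, from Citrix, or from Microsoft documentation. The cmdlets, provider names and claim-type URIs are the standard AD FS 2012 R2 ones; the MFA adapter is assumed to be whatever adapter is already registered on the farm, and no specific relying party is assumed.

```powershell
# Added example (not from the thread): AD FS 3.0 configuration whose behaviour
# depends on whether a request arrived through a Web Application Proxy (WAP).
# Run in an elevated PowerShell session on an AD FS server in the farm.

Import-Module ADFS

# 1. Per-location primary authentication.
#    AD FS classifies a request as intranet or extranet using the
#    insidecorporatenetwork claim: "true" for requests that reached AD FS
#    directly, "false" for requests that came in through a WAP.
#    Intranet users get Windows Integrated Authentication (SSO);
#    extranet users get forms and/or client-certificate authentication.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication', 'CertificateAuthentication')

# 2. Device authentication (the DRS / Workplace Join side of the question).
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. List the registered authentication adapters. The additional (MFA)
#    provider name below must be one of these; which one exists depends on
#    what adapter (e.g. the Azure MFA Server adapter) was installed on the farm.
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName

# 4. Require MFA only for requests that did NOT come from inside the corporate
#    network. Written in the AD FS claim-rule language; issuing the
#    "multipleauthn" authnmethodsreferences claim triggers the additional
#    authentication provider configured on the policy.
$ExtranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetMfaRule

# 5. Verify what is now in effect.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider,
                  DeviceAuthenticationEnabled
Get-AdfsAdditionalAuthenticationRule
```

The point of steps 1 and 4 is that both depend on the insidecorporatenetwork claim. A third-party reverse proxy that authenticates the user itself and then reaches AD FS directly (for example via KCD, as in the Citrix approach) is not a federation server proxy, so AD FS sees those requests as intranet: the intranet provider applies and the extranet MFA rule never fires. That is the concrete thing lost when the WAP is removed, independent of whether the proxy can also speak the active (non-browser) endpoints.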

All replies

  • I understand the NetScaler can handle both passive & active clients from v11 via Kerberos/NTLM.

    See here: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf

    a. Examples of active protocol apps – Outlook, Lync
    b. Examples of passive protocol apps – Outlook web app, browsers


    Tuesday, June 21, 2016 1:44 AM