To add an extra layer of authentication in front of the load balancing features, we use the Citrix NetScaler AAA feature. With the following steps, we secure a load balancing virtual server with two-factor authentication based on Web Form authentication:
1. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Profiles, and click on Add. Fill in the correct information based on the following explanation:
   Name: Select a descriptive name for the AAA Session Profile, for example, AAA-Pro-Session.
   Session Time-out (mins): The idle time after which Citrix NetScaler terminates the session.
   Default Authorization Action: This can be ALLOW or DENY. Select ALLOW.
   Single Sign-on to Web Applications: Enable this if you want single sign-on (SSO) to the backend.
   Credential Index: Use the primary or secondary authentication credentials for SSO.
   Single Sign-on Domain: This is the internal domain name from the AD or NDS.
   HTTPOnly Cookie: Allow only an HTTP session cookie, in which case the cookie cannot be accessed by scripts.
   Enable Persistent Cookie: You can enable or disable persistent SSO cookies for the traffic management (TM) session. A persistent cookie remains on the user device and is sent with each HTTP request.
   Persistent Cookie Validity: This is an integer specifying the number of minutes for which the persistent cookie remains valid.
   KCD Account: The Kerberos constrained delegation account name, used when Kerberos authentication is in place.
   Home Page: This is the web address of the home page that is displayed to a user who has bookmarked the authentication vserver and uses it to log in.
2. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Policies, and click on Add:
   Name: Select a descriptive name for the AAA Session Policy, for example, AAA-Pol-Session.
   Request Profile: Select the profile created in step 1.
   Expression: You can bind an expression. In this case, we use ns_true.
3. Go to Security | AAA - Application Traffic | Virtual Servers, and click on Add. Fill in the correct information based on this explanation:
   Name: Again, select a descriptive name for the AAA virtual server, for example, AAA-Srv-TwoFactor.
   IP Address Type: Select IP Address, or Non Addressable if you want to use the content switching method.
   Port: This is the AAA virtual server port. The default is 443.
   Authentication Domain: This is the domain of the public site, for example, contoso.com.
4. Bind the certificate.
5. Bind the session policy created in step 2.
6. Bind the Basic Authentication Policies: add LDAP as Primary, and add RADIUS as Secondary. Click on Continue.
7. Go to Security | AAA - Application Traffic | Authentication Profile, and click on Add. Fill in the correct information based on the explanations given here:
   Name: Select a descriptive name for the authentication profile, for example, AAA-AuthPol-TwoFactor.
   Authentication Host: This is the FQDN on which the NetScaler AAA virtual server responds, for example, twofactor.contoso.com.
   Choose Authentication Virtual Server Type: Choose Authentication Virtual Server.
   Authentication Virtual Server: Select the Authentication Virtual Server created in step 3.
   Authentication Domain: This is the domain of the public site, for example, contoso.com.
   Authentication Level: Fill in the value 1 if you are using one authentication method, and 2 if you are using two-factor authentication.
8. Open the Load Balancing Virtual Server that you want to protect. Add the Authentication from the right-hand side of the page.
9. Select Form Based Authentication or 401 Based Authentication. In this case, we use Form Based Authentication, because we wish to use two-factor authentication:
   Authentication FQDN: This is the FQDN of the NetScaler AAA virtual server, for example, twofactor.contoso.com.
   Choose Authentication Virtual Server Type: Choose Authentication Virtual Server.
   Authentication Virtual Server: Select the Authentication Virtual Server created in step 3.
   Authentication Profile: Select the Authentication Profile created in step 7.
Now your Load Balancing Virtual Server is protected with the NetScaler AAA security:
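The same configuration, expressed as the NetScaler CLI batch that matches the GUI steps above, so the setup can be reviewed and reproduced. This is an added example, not from the book; the object names (AAA-Pro-Session, AAA-Srv-TwoFactor, contoso.com, and so on) are the ones used above, while the VIP, certkey name, LB vserver name, internal SSO domain, session timeout and the LDAP/RADIUS policy names are assumed placeholders.

```shell
#!/bin/sh
# Added example: emit the NetScaler CLI equivalent of the GUI procedure as a batch.
# Assumed placeholders (override via environment): AAA VIP, certkey, LB vserver, auth policies.
AAA_VIP=${AAA_VIP:-192.0.2.10}              # assumed AAA vserver IP (documentation range)
LB_VSERVER=${LB_VSERVER:-LB-Srv-Protected}  # assumed name of the LB vserver being protected
CERT_KEY=${CERT_KEY:-contoso-cert}          # assumed certkey already installed on the appliance
LDAP_POL=${LDAP_POL:-AAA-Pol-LDAP}          # assumed existing LDAP authentication policy
RADIUS_POL=${RADIUS_POL:-AAA-Pol-RADIUS}    # assumed existing RADIUS authentication policy

# Steps 1-2: session profile (action) and policy. HTTPOnly keeps the session cookie away from
# page scripts; ALLOW is the default authorization action chosen above. 30 min and the
# internal domain contoso.local are assumed values.
session_cmds() {
  cat <<EOF
add tm sessionAction AAA-Pro-Session -sessTimeout 30 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain contoso.local -httpOnlyCookie YES -persistentCookie DISABLED
add tm sessionPolicy AAA-Pol-Session ns_true AAA-Pro-Session
EOF
}

# Steps 3-6: AAA vserver on 443, certificate, session policy, LDAP primary and RADIUS secondary.
aaa_vserver_cmds() {
  cat <<EOF
add authentication vserver AAA-Srv-TwoFactor SSL $AAA_VIP 443 -AuthenticationDomain contoso.com
bind ssl vserver AAA-Srv-TwoFactor -certkeyName $CERT_KEY
bind authentication vserver AAA-Srv-TwoFactor -policy AAA-Pol-Session -priority 100
bind authentication vserver AAA-Srv-TwoFactor -policy $LDAP_POL -priority 100
bind authentication vserver AAA-Srv-TwoFactor -policy $RADIUS_POL -priority 100 -secondary
EOF
}

# Steps 7-9: authentication profile with level 2 (two factors) and the form-based binding
# on the LB vserver (401-based authentication stays off).
protect_lb_cmds() {
  cat <<EOF
add authentication authnProfile AAA-AuthPol-TwoFactor -authnVsName AAA-Srv-TwoFactor -AuthenticationHost twofactor.contoso.com -AuthenticationDomain contoso.com -AuthenticationLevel 2
set lb vserver $LB_VSERVER -Authentication ON -authn401 OFF -AuthenticationHost twofactor.contoso.com -authnVsName AAA-Srv-TwoFactor -authnProfile AAA-AuthPol-TwoFactor
EOF
}

all_cmds() { session_cmds; aaa_vserver_cmds; protect_lb_cmds; }

# Consistency check before applying the batch: authentication level 2 is only meaningful
# when a secondary policy is actually bound to the AAA vserver.
check_two_factor() {
  batch=$(all_cmds)
  echo "$batch" | grep -q -- '-secondary' && echo "$batch" | grep -q -- '-AuthenticationLevel 2'
}
```

Save the output of all_cmds to a file and apply it on the appliance with its batch facility, after check_two_factor has succeeded.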