This post is based on a session that I presented at Citrix User Group Ireland; you can view the SlideShare presentation here –> https://www.slideshare.net/mariussandbu/citrix-with-microsoft-ems. The session was about how we can leverage Citrix with EMS (Enterprise Mobility and Security), and it also showed the configuration of Citrix FAS together with Azure AD.
The focus of this post is purely on Azure AD with Azure AD joined devices (not hybrid joined), where authentication happens in Azure AD and not on-premises; some other supported workloads and topologies are listed further down.
I have previously written about setting up SSO between Azure AD and Citrix FAS, which is one of the core components for a simple way to get SSO to an on-premises environment (http://msandbu.org/setting-up-citrix-sso-with-windows-10-and-azure-ad-join/), and also about how to tune StoreFront so that SSO works properly, especially in cases where end-users close the browser themselves (http://msandbu.org/citrix-fas-with-azure-ad-and-error-404-not-found/).
This allows end-users to access Citrix as part of Azure AD using, for instance, the My Apps portal. (End-users can also continue to use NetScaler Gateway as their application portal, but the Azure AD portal is easily accessed from Windows 10 Azure AD joined devices.)
If customers are moving towards Azure AD, computer and user objects are stored in Azure Active Directory, which means that some other tools are needed to handle security, as well as other features such as printing.
Moving clients out to Azure AD brings a lot of security benefits, because we no longer have a large Kerberos domain with 10,000+ clients that communicate directly with each other, with file servers and print servers, and with the Active Directory domain controllers, which makes it easier for ransomware on one end-client to spread across the environment.
With EMS we also have other services (which I will come back to in another blog post):
- Azure AD (Allows us to monitor Azure AD users and take actions against suspicious activities)
- Cloud App Security (Allows us to secure end-users and data across SaaS using a Cloud Access Security Broker)
- Windows Defender ATP (Allows us to monitor the end-user device for suspicious activity and take actions against the device)
- Azure ATP (Allows us to monitor against suspicious activity against Active Directory)
- Intune (Allows us to deploy policies and compliance rules against end-user devices)
Of course, in the middle of all this is Conditional Access, which allows us to use signals from both Azure AD and Windows Defender ATP to determine whether an end-user should be allowed access to a certain application. We can also require that all traffic to a specific SaaS application goes through Cloud App Security acting as a forward web proxy. So how do these features work with Citrix? Using Azure AD and FAS we can only connect to Citrix using Receiver for Web.
NB: If you are using Azure MFA and have enabled it for all users, this will effectively override Conditional Access rules.
So what other aspects of Citrix can we manage or configure using Microsoft EMS?
We can now manage deployment of VPN profiles in Microsoft Intune, which allows us to deploy, for instance, an Always-On VPN profile directly to Intune-managed devices. This was previously only available for iOS and Android, but is now supported on Windows 10 as well, as long as the NetScaler 12.0.57 endpoint client is installed so it can read the configuration.
Also, since Citrix is supported running VPN in Microsoft Azure, we can easily build a new modern workspace client with VPN together with Citrix in Microsoft Azure. Using certificate authentication with SCEP enrollment through Intune, we can have a process where we deploy a completely new endpoint to end-users. And by defining an auto-triggered VPN, we can tie a VPN profile directly to a desktop application that is running on the desktop (https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-profile-options).
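As an added example (not from the original post, and not a Citrix or Microsoft supplied profile), here is what an Always-On, app-triggered Windows 10 VPN profile looks like as VPNv2 CSP ProfileXML, together with a PowerShell snippet that stages it on a test device through the MDM Bridge WMI provider so the XML can be validated locally before it is assigned from Intune. The gateway FQDN, the plugin package family name, the application path and the DNS values are placeholders.

```powershell
# Added example, not code from the original post. Stages a VPNv2 CSP ProfileXML on a
# test device through the MDM Bridge WMI provider (root\cimv2\mdm\dmmap / MDM_VPNv2_01).
# Placeholders (assumptions, not values from the post): gateway FQDN, plugin package
# family name, desktop application path, internal DNS suffix and DNS server addresses.

$ProfileName        = 'Corp Always-On VPN'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# AlwaysOn keeps the tunnel up whenever the device has connectivity; AppTrigger also
# brings the tunnel up when the listed desktop application starts; DomainNameInformation
# sends name resolution for the internal suffix through the tunnel's DNS servers.
$ProfileXML = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <PluginProfile>
    <ServerUrlList>gateway.example.com</ServerUrlList>
    <PluginPackageFamilyName>PLACEHOLDER.VpnPluginPackageFamilyName_xxxxxxxxxxxxx</PluginPackageFamilyName>
  </PluginProfile>
  <AppTrigger>
    <App>
      <Id>C:\Program Files\Example\LegacyApp\LegacyApp.exe</Id>
    </App>
  </AppTrigger>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

# The CSP receives the XML as an escaped string value.
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'

$session     = New-CimSession
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName

$property = [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', $nodeCSPURI, 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXML, 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)

# Creating the instance writes the profile; a malformed ProfileXML fails here rather
# than silently on the client after an Intune assignment.
$session.CreateInstance($namespaceName, $newInstance)

# Confirm the profile now exists in the CSP.
Get-CimInstance -Namespace $namespaceName -ClassName $className |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    Select-Object InstanceID, ParentID
```

The MDM Bridge WMI provider is only reachable from the LocalSystem account, so run this from a SYSTEM shell (for example with PsExec -s) when testing; Intune runs its own policy delivery in that context. Once the XML validates on one device, the same profile is pasted into the Intune Windows 10 VPN profile, and the result can be checked on the client with Get-VpnConnection.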
When it comes to application deployment via Intune, we have two options that work. We can deploy applications using the native built-in method, which only supports MSI-based deployments; this works great with the NetScaler Gateway plugin, but is of course an issue for Citrix Receiver, since that is an exe file. Luckily, Aaron Parker made a Citrix Receiver installer which can be deployed through PowerShell (https://github.com/aaronparker/Intune/tree/master/Apps).
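As an added example, and not Aaron Parker's script or Citrix's own installer, here is the shape of an Intune PowerShell script that installs an exe-based package such as Citrix Receiver silently: it skips devices that already have it, downloads the installer, and refuses to execute it unless the SHA-256 matches a pinned value and the Authenticode signature is valid. The download URL and expected hash are placeholders, and the /silent and /noreboot switches are assumed to be the ones accepted by CitrixReceiver.exe.

```powershell
# Added example, not from the original post or from Aaron Parker's repository.
# Intune PowerShell script: silent install of Citrix Receiver with the installer pinned
# to a known SHA-256 and a valid Authenticode signature before it is executed.
# Placeholders (assumptions): $DownloadUrl, $ExpectedSha256; the '/silent /noreboot'
# switches are assumed to be the CitrixReceiver.exe silent-install switches.

$DownloadUrl    = 'https://PLACEHOLDER.example.com/CitrixReceiver.exe'
$ExpectedSha256 = 'PLACEHOLDER_SHA256_OF_THE_APPROVED_INSTALLER'
$Installer      = Join-Path $env:TEMP 'CitrixReceiver.exe'
$LogPath        = Join-Path $env:ProgramData 'IntuneReceiverInstall.log'

function Write-Log {
    param([string]$Message)
    "$((Get-Date).ToString('s')) $Message" | Out-File -FilePath $LogPath -Append
}

function Test-ReceiverInstalled {
    # Check both native and WOW6432Node uninstall keys, since Intune runs scripts in a
    # 32-bit host unless the 64-bit option is enabled on the script assignment.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Receiver*' }
    return [bool]$found
}

if (Test-ReceiverInstalled) {
    Write-Log 'Citrix Receiver already installed; nothing to do.'
    exit 0
}

try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $DownloadUrl -OutFile $Installer -UseBasicParsing

    # Pin the download: a swapped or tampered installer is rejected, not run.
    $actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Log "Hash mismatch: expected $ExpectedSha256, got $actual. Aborting."
        exit 1
    }

    # Defence in depth: the file must also carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne 'Valid') {
        Write-Log "Signature status is '$($sig.Status)'. Aborting."
        exit 1
    }
    Write-Log "Installer verified; signer: $($sig.SignerCertificate.Subject)"

    $proc = Start-Process -FilePath $Installer -ArgumentList '/silent', '/noreboot' -Wait -PassThru
    Write-Log "Installer exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}
finally {
    # Never leave the downloaded binary behind, whether or not it ran.
    Remove-Item -Path $Installer -Force -ErrorAction SilentlyContinue
}
```

The script is assigned as an Intune PowerShell script running in the system context; the exit code is what Intune reports back, so a hash or signature failure shows up as a failed run on that device rather than a silent skip, and the log in ProgramData says why.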
There are also other supported workloads which I have not described in detail:
- NetScaler with Azure MFA using the NPS extension (you can read more about it here –> https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn). This is only useful if you want to replace your current MFA provider with a RADIUS provider against the NetScaler, and should not be combined with Conditional Access.
- NetScaler with Intune and Graph API NAC access. This requires an Enterprise license, but it allows the NetScaler to check end-device compliance through Intune before devices are allowed to authenticate with a NetScaler Gateway (note that this works with the NetScaler VPN configuration). You can think of this as a replacement for OPSWAT or Endpoint Scan (https://docs.citrix.com/en-us/netscaler-gateway/12/microsoft-intune-integration/configuring-network-access-control-device-check-for-netscaler-gateway-virtual-server-for-single-factor-authentication-deployment.html).
- StoreFront with native Receiver and Azure AD SAML authentication. As mentioned earlier, native Receiver doesn't work well with Azure AD authentication as long as it is on the outside, but Citrix Receiver works with SAML authentication when it is on the inside, and this can be set up with Azure AD and MFA using Conditional Access. This is useful if you want two-factor authentication on the inside for certain users, such as business executives.
Of course, these are only some of the steps involved in setting up a simple SSO mechanism and building a VPN to reach those legacy applications. In the next posts I will focus more on building a security policy that combines WDATP with Conditional Access.