SentryBay Armoured Client for Citrix NetScaler Configuration Guide v1.0

Author name

NetScaler / SentryBay Armoured Client for Citrix Configuration

This guide is an example of how the Armoured Client’s browser user-agent string can be detected and routed accordingly. There are many methods of doing this with NetScaler by using either of the following features:

  1. NetScaler Gateway Session Policy
  2. Content Switch
  3. Rewrite
  4. Responder

This guide uses NetScaler Gateway Session Policy as is the easiest and works with all editions of NetScaler and NS Gateway, plus allows the configuration of the end user instructions to easily be controlled and applied in a separate Storefront Store.

If the user successfully authenticates the Session Policy will try to detect the user agent string set in the SentryBay Armoured Client and if it does will route to the normal Storefront Store.

A second Storefront store is configured whereby only web links to internal sites will be present, where the user will find instructions on where to download and install the Armoured Client. It would also be possible to publish un-restricted applications to this store in this scenario where the Armoured Client is not being used, if desirable.

Figure 1 below shows the concept, with the relevant Polices and Profiles as detailed in the remaining sections of this document.

Disclaimer:

The User-Agent string can easily be spoofed so is not a 100% safe security control, but does allow the organisation to easily distribute and run a basic enforcement policy. However, the user must authenticate in the normal way, using existing Access Controls that are configured and enforced on the Citrix NetScaler today by the individual organisation.

A future document will be provided on how to set up client based certificates with the NetScaler and Armoured Client, to further prove authenticity.

 

Figure 1 – NS Gateway Session Policies with 2 StoreFront stores

Armoured Client Detection Policy & Profile

Create and configure a Session Policy and Profile for Users who:

  1. Successfully Authenticated
  2. SentryBay Armoured Client detected

This will be configured to point at the compliant StoreFront store.

Trusted Session Profile

add vpn sessionAction PF_GW_WB_192.168.0.45 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -homePage “https://sf1.ad.XXXXX.com/citrix/uatweb/” -icaProxy ON -wihome “https://sf.ad.XXXXX.com/Citrix/uatweb/” -ClientChoices OFF -ntDomain ad -clientlessVpnMode OFF -storefronturl https://sf.ad.XXXXX.com/Citrix/uatWeb/

Trusted – Session Policy

add vpn sessionPolicy PL_WB_192.168.0.45 “REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver” PF_WB_192.168.0.45

Note the spelling of “ArmouredClient” as has been hard coded. In future releases this may change and also we plan to allow this to be a ‘per customer’ setting in the individual build.

Non-Armoured Client Detection Policy & Profile

Create and configure a Session Policy and Profile for Users who:

  1. Successfully Authenticated
  2. SentryBay Armoured Client is NOT detected

The standard Web Session Policy and Profile will catch all other Web Client requests where the user- agent string does NOT contain “ArmouredClient” and be configured to point to a different Storefront store which will have only published link/s to internal web page/s instructing the user how to download and install the Armoured Client.

Note: You will need to create a StoreFront store for Untrusted Sessions which is beyond the scope of this document, but straightforward to do.

Untrusted – Session Policy

add vpn sessionAction PF_WB_192.168.0.45 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -homePage “http://sf1.ad.XXXXX.com/citrix/storeweb/” -icaProxy ON -wihome “https://sf.ad.XXXXX.com/Citrix/storeweb/” -ClientChoices OFF -ntDomain ad -clientlessVpnMode OFF -storefronturl https://sf.ad.XXXXX.com/Citrix/storeWeb/

Set the Web Interface Address in the Session Profile to be the Untrusted Store URL / Name that you have configured in StoreFront.

Untrusted – Session Profile

add vpn sessionPolicy PL_WB_192.168.0.45 “REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver” PF_WB_192.168.0.45

Policy Binding to Gateway

Both Session Policies must be bound to the Gateway Virtual Server.

The first policy created which catches the “ArmouredClient” string if present should be bound with a lower priority number (so that it gets processed first).

bind vpn vserver _XD_ag1 -policy PL_WB_192.168.0.45 -priority 110
bind vpn vserver _XD_ag1 -policy PL_WB_192.168.0.45 -priority 110

Testing / Expected User Experience

Finally test by:

  1. Logging on to the Gateway using a normal browser – which once authenticated should direct you to the Non-Compliant StoreFront Store.
  2. Logging on to the Gateway using The SentryBay Armoured Client – which once authenticated should direct you to the Compliant StoreFront Store.

 

If you require further information please do not hesitate to contact SCG via email on info@stadiacg.co.uk or via telephone on +44 (0) 20 7 0399 266 .

 

 

 

Cyber Essentials Plus accreditation achieved! (again)

20 Feb, 2024
We are proud to announce that we have achieved Cyber Essentials Plus certification, the higher-level qualification of the Cyber Essentials scheme. This certification is a government-backed scheme that demonstrates our commitment to protecting our organisation and our clients from cyber threats.

Cloud Migration - Is It For You?

12 Sep, 2023
Maybe. Migrating applications and infrastructure to the cloud offers several benefits that can positively impact organisations in various ways. Stadia has enjoyed bringing the benefits of cloud computing to many of our clients. It isn't necessarily for everyone, but if you haven't migrated some or all of your applications/infrastructure to the cloud, are you missing out? Let's take a look at the various aspects, starting with some of the key benefits: Cost Efficiency: Buying, maintaining, and refreshing your own hardware can be costly. Cloud computing often reduces capital expenditure on physical hardware and datacentres. You pay for resources as you use them, which can lead to cost savings, especially for small and medium-sized businesses. Scalability: Cloud services allow for easy scaling of resources up or down based on demand. This elasticity ensures that your applications can handle sudden spikes in traffic or growth without the need for significant upfront investment in hardware. Automatic Updates: Keen to see the back of those out-of-hours patching rotas? Cloud providers handle hardware and software updates, including security patches and upgrades, reducing the maintenance burden on your IT staff. Flexibility and Agility: Cloud platforms provide a wide range of services and tools that enable rapid development and deployment of applications. This agility allows organisations to respond quickly to changing market conditions and customer needs. Global Reach: Cloud providers have datacentres in multiple regions worldwide. This global presence allows you to deploy applications closer to your users, reducing latency and improving performance for a global customer base. Security: Cloud providers invest heavily in security measures, often surpassing what individual organisations can achieve. They offer features like encryption, identity and access management, and compliance certifications to help protect your data and applications. Reliability and High Availability: Cloud providers offer robust service-level agreements (SLAs) that guarantee high uptime and availability. Redundancy and failover capabilities are built into their infrastructure to minimise downtime. Disaster Recovery: Cloud services make it easier to implement disaster recovery and backup solutions. You can replicate your data and applications across multiple regions or datacentres, ensuring business continuity in case of disasters. Collaboration and Mobility: Cloud-based applications and services can be accessed from anywhere with an internet connection. This promotes remote work and collaboration among geographically dispersed teams.
Share by: