Scale out MFA quickly with Citrix One Time Password (OTP)

Scale out MFA quickly with Citrix One Time Password (OTP)

By Brian Wagner
Posted in Infrastructure, Security, Support
On March 20, 2020

This is a tough time for many of our customers. We’ve been busy helping everyone expand their remote access capabilities to deliver secure apps and desktops to users working from home around the globe.

While Citrix has been able to do a good job keeping up with the orders and license fulfillment, and many other vendors have been quick to offer options to help analyze and scale out other aspects of the environment, such as firewalls and VDI infrastructure capacity planning, some vendors haven’t kept up with the increased demand.

We’ve seen multi-factor authentication challenges arise for our customers. They may have had a solution in place which supported a percentage of the user population that regularly worked remotely, but not enough licenses to support the entire user population working remotely.

To help our customers scale out multi-factor authentication rapidly, Gotham has found success with Citrix’s native OTP and push authentication capability built into Citrix ADC and Citrix Cloud. This is a free service for Citrix ADC Premium customers. If you’re a Citrix ADC Enterprise customer, you can still use OTP, just not push authentication.

So, how does it work?

Users need to enroll into the solution. To do this, users generally access the Citrix Gateway Virtual Server with a /manageotp virtual directory (https://access.customer.com/manageotp). If possible, we keep this page only internally available or leverage endpoint analysis policies to ensure the registration is coming from a trusted source.

The users will authenticate with username and password, and then they can add their device.

The ADC offers them a QR code:

Which they enroll in the Citrix SSO app (iOS and Android):

Once enrolled, they go to the main page (https://access.customer.com) and authenticate. The device is sent a push notification, and once approved, the logon proceeds.

Requirements include:

  • Citrix Cloud account (free to set up at https://us.cloud.com)
  • Configuration of an API account in Citrix Cloud
  • Integration with the Push Authentication service on the NetScaler
    1. Requires outbound internet access and name resolution from the ADC
  • LDAPS account with write allowed for an AD attribute
  • Possibly a new IP/FQDN for a parallel gateway with this configuration. This would allow existing users provisioned for the primary MFA solution to stay the course. New users can be sent to this gateway for Citrix OTP/Push.
    1. Optionally, existing gateway can be integrated with nFactor to allow for both options. This requires customization and a bit of downtime to implement.

Contact your Account Manager at Gotham Technology Group to discuss how OTP can help you scale MFA during these interesting times.

 

Brian Wagner

Brian Wagner

Brian has over ten years’ experience in the planning, design, and implementation of technology solutions. He supervises technical specialists at projects, and has spoken at many technical seminars. Brian is an application integration specialist with experience configuring over 1,000 applications to work in multi-user environments, and manages Gotham’s thin client and server consolidation practices.