Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Citrix with Microsoft EMS


Published on

Citrix with Microsoft EMS, Intune, EMS, Azure with Citrix

Published in: Technology
  • Be the first to comment

Citrix with Microsoft EMS

  1. 1. © 2017 Citrix User Group Community Citrix and Microsoft Azure with a hint of mostly Intune EMS
  2. 2. © 2017 Citrix User Group Community About Marius • Cloud Tech lead @ EVRY from the land of the Vikings • Working with mostly DevOps, AWS, Google and Azure • Board member of MYCUGC SIG and Citrix User Group • Blogging and free stuff at
  3. 3. © 2017 Citrix User Group Community So what is this session about?
  4. 4. © 2017 Citrix User Group Community Microsoft EMS with Citrix • Moving away from other endpoints to Windows 10 • Move clients out of infrastructure • More web based applications and adopting higher level of security • Still dependant on Windows applications with Citrix • Moving towards Microsoft Azure • Anytime & Anywhere & Easy Enrollment
  5. 5. © 2017 Citrix User Group Community Architecture and Products Azure Subscription • Log analytics • Citrix OMS modules Microsoft EMS E5 • Azure AD Premium • Azure MFA • Intune • Windows Defender ATP • Cloud App Security Citrix XenDesktop and XenApp • Citrix FAS A Couple of NetScaler’s • NetScaler Unified Gateway NPS with MFA Storefront Citrix FAS Server NetScaler Windows PKI Citrix DDC Citrix VDA Conditional Access Intune Log AnalyticsMFA Citrix User
  6. 6. © 2017 Citrix User Group Community The Magic! Intune  Deploys Citrix Reciever and VPN Client  Deploys VPN Profile for Citrix  Deploys Certificate using SCEP  Conditional Access Policies Azure AD  Handles authentication to Citrix using SAML  Handles MFA as part of Conditional Access NetScaler  Handles SAML Authentication for Unified Gateway  Gateway for end-users
  7. 7. © 2017 Citrix User Group Community Requirements for SSO  Setup AD Certificate Services & Citrix FAS  Configure FAS Server and Group Policy  Configure Storefront with FAS authentication  Add Azure AD Application for Citrix SAML  Setup SAML Authentication rule NetScaler  Assign Application for end-users in Azure AD  Point users to NetScaler Gateway or MyApps
  8. 8. © 2017 Citrix User Group Community Azure AD Application Configuration • Configure Enterprise Application with SAML signup Identifier Entity: Unique name Reply URL: NetScaler Gateway FQDN /cgi/samlauth User Identifier: user.userprincipalname • Publish Application • Add Users & Group to access application - Applications published here allow for native SSO to endusers enrolled with Azure AD Join - NB: Troubleshoot using dsregcmd /status or looking Event Viewer Applications & Services  Microsoft  AAD
  9. 9. © 2017 Citrix User Group Community Storefront and DDC configuration • Configure Storefront Store to allow FAS Authentication PowerShell on Storefront Server & "$Env:PROGRAMFILESCitrixReceiver StoreFrontScriptsImportModules.ps1» $StoreVirtualPath = "/Citrix/Store" $store = Get-STFStoreService -VirtualPath $StoreVirtualPath $auth = Get-STFAuthenticationService -StoreService $store Set- STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory" Set-STFStoreLaunchOptions -StoreService $store - VdaLogonDataProvider "FASLogonDataProvider« PowerShell on Desktop Delivery Controller asnp citrix.* Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true NB: Ensure that Callback is configured and Optimize Storefront to handle reconnects
  10. 10. © 2017 Citrix User Group Community NetScaler configuration • Configure SAML authentication for NetScaler Gateway idP Certificate: From Azure AD Redirect URL: Redirect to Azure AD Single Logout URL: Redirect to Azure AD User Field: userprincipalname Issuer Name: an unique identifier SAML Binding: POST Signature and Digest: SHA 256 • Bind to NetScaler Gateway as Basic Authentication • No need for specific NetScaler licenses
  11. 11. © 2017 Citrix User Group Community Intune configuration • Deploying Citrix Reciver and NetScaler Gateway VPN client NB: Some limitations to software deployments Either MSI based innstallation or PowerShell Scripts PowerShell scripts run every 30 minutes on endpoint Thanks you! Aaron Parker  • Intune deployment of Citrix VPN Profiles Can be defined for Windows 10, iOS and Android Authentication Method either User/Pass or Certificate based Windows requires NetScaler 12.0.56.x
  12. 12. © 2017 Citrix User Group Community Azure AD Conditional Access • Configure access to applications based upon different conditions • Sign-in Risk • Device Platforms • Locations • Client Apps • Device State • Device compliance from WDATP • User risk from Azure AD • Assign Policy to User or Group and enable
  13. 13. © 2017 Citrix User Group Community Security architecture Azure Active Directory Identity Protection • Automated security enforcement of Azure AD based users based upon risk Windows Defender ATP • Automation security remiditation of Endpoints based upon suspicious behaviour Azure ATP • Monitoring of attacks or suspicious activities against Active Directory Cloud App Security • Cloud Access Security Broker to handle access and security policies across SaaS
  14. 14. © 2017 Citrix User Group Community Monitoring components • Using Log Analytics to collect and aggregate on certain events • Using Syslog Collector to get NetScaler logs • Using Custom logs to get Citrix logs from Servers • Performance Counters from Session Hosts • Using OMS Citrix modules • Using Windows 10 Telemetry • For Azure IaaS with Azure Security Center • Forward Alerts to ITSM or using WebHooks
  15. 15. © 2017 Citrix User Group Community So how does it look like?
  16. 16. © 2017 Citrix User Group Community Other deployment options • Using Azure MFA with native Active Directory and NetScaler  Only if using local Active Directory as authentication source  Using NPS Server with MFA Extension to act as Radius Server • Using OAuth and Intune integration in NetScaler to act as a Network Access Control policy  Only if using VPN Connection and to get Device Compliance using Azure AD Graph API  Requires Enterprise NetScaler license • Using Storefront with SAML Authentication against Azure AD and Native Reciever  Allow use of Conditional Access Policies and MFA for even internal access
  17. 17. © 2017 Citrix User Group Community Some final things to consider  Citrix + Azure AD integration easier with NetScaler 12.1  Citrix Analytics vs Conditional Access with Graph API  Conditional Access MFA < Global MFA rules  NAC agents for NetScaler supported on iOS, Android and Windows  Citrix Cloud Gateway Service native support for Azure AD with MFA  OMS Packages from Citrix or consider