Celestix HOTPin and Citrix XenApp (Web Interface v6) (Radius) Integration Guide

Introduction

This document describes how to integrate a Citrix XenApp (Web Interface) with the Celestix HOTPin two-factor authentication solution. The Citrix XenApp (Web Interface) provides secure remote access to the applications in the internal corporate network.

Celestix HOTPin provides two-factor, strong authentication for remote access solutions (such as Microsoft Unified Access Gateway, Juniper SSL VPN, etc.), without the complication of deploying hardware tokens or smartcards. Two-factor authentication is provided by the use of your smart phone to receive the one-time passcode.

HOTPin is designed as an easy to deploy and use technology. It integrates directly into Microsoft's Active Directory and negates the need for additional user security databases. HOTPin consists of two core elements: a RADIUS server and an authentication server. The authentication server is directly integrated with Active Directory in real time.

The HOTPin server can be configured so that the user enters their user name, password and the 6-digit one-time passcode received on their mobile phone. This authentication request is passed via the RADIUS protocol to the HOTPin RADIUS server, which carries out the two-factor authentication. HOTPin utilizes a user-friendly web GUI for configuration. All notes within this integration guide refer to this type of approach.

The equipment used for the integration process is listed below:

Citrix
• Citrix XenApp (Web Interface) ver. 6.x

HOTPin
• Windows 2008 server R2 64bit
• Active Directory installed or connection to Active Directory via LDAP protocol.
• HOTPin Software v3.5

Integration Overview

Celestix HOTPin enables two-factor strong authentication for Citrix XenApp Web Interface.
[Figure: integration overview diagram. Labels, in order: HTTP (TCP: 80) or HTTPS (TCP: 443); Citrix XenApp Web Interface Management; RADIUS (UDP: 1645); TCP: 3100; Celestix HOTPin Server; LDAP (TCP: 389) or LDAPS (TCP: 636); Active Directory]

Pre-Requisites

It is assumed that the following servers are set up and operational:
• Citrix XenApp Server
• HOTPin Server 3.5 (the HOTPin server can be installed on one of the servers in the XenApp environment)

Configuring RADIUS in HOTPin Server 3.5

• From a client computer on your network, log in to the HOTPin web UI via https://ServerName IP Address:8098
• Click on HOTPin at the top of the menu and select NPS RADIUS.
• Click on RADIUS Clients.
• Add a new RADIUS client and check "Enable this RADIUS client".
• Key in the following information:
• Friendly name
• IP address
• Generate a Shared Secret Key.
• Cut and paste this key using a text editor and save it as radius_secret.txt.
• Click Save.

Configuring Citrix XenApp Web Interface

• Log in to the server that runs Citrix XenApp Web Interface Management.
• On the Windows Start menu, click All Programs > Citrix > Management Consoles > Citrix Web Interface Management.
• In the left pane of the Citrix Web Interface Management console, click XenApp Web Sites and select your site in the results pane.
• In the Action pane, click Authentication Methods and select the Explicit check box.
• Click Properties and select Two-Factor Authentication.
• In the drop-down Two-factor setting, select RADIUS.
• Click on Add…
• Enter the IP address of the HOTPin server.
• Set the RADIUS port used by the HOTPin server (default value is 1812).
• Press Ok to save the configuration.
• Go to c:\Inetpub\wwwroot\Citrix\XenApp\conf.
• Copy or move the file radius_secret.txt that was created earlier into this folder.
• Restart IIS.
• Go to c:\Inetpub\wwwroot\Citrix\XenApp\Web.xml
• Add the IP address as follows:

    <add key="RADIUS_NAS_IP_ADDRESS" value="Radius IP Address" />

• Go to c:\Inetpub\wwwroot\Citrix\XenApp\conf\WebInterface
• Add these lines:

    RADESessionURL=auto
    RadiusRequestTimeout=30
    RadiusServers=Radius IP Address

Testing the Citrix Web Interface

It is assumed that the HOTPin client has been installed on a smart phone such as an iPhone.

• Log in to the Citrix Web Interface via http://XenAppServer IP address/
• Enter the existing Username and Password.
• On your smart phone, open the HOTPin client and press Next code to obtain a one-time code.

NOTE: If you enable New Pin in HOTPin Server, you have to key in [Your PIN] followed by [OTP] in the password field for the first time.

• If the login is successful, you will see the following interface.