Citrix and Microsoft Integrate NetScaler Unified Gateway with Microsoft EMS

    Last year, Citrix and Microsoft began working together on new solutions. One result is the integration of NetScaler Unified Gateway with Microsoft EMS, which lets IT administrators define access control policies based on the state of the end user’s mobile device. Before a user session is established, these policies check whether the device is registered with Microsoft Intune and whether it complies with the organization’s security policies, and only then grant or deny access. Below is a diagram of how the solution works. In this article I explain what it is and how it works.



    First, briefly about the solutions themselves. Citrix offers a gateway for secure network access, while Microsoft offers a platform for managing applications and data in the data center and cloud. The components of the solution:


    Companies that already use NetScaler Gateway for Citrix XenApp and/or XenDesktop and plan to connect Microsoft EMS should pay attention to the new version of NetScaler Gateway with the Unified prefix. They get a single entry point, end-to-end authentication, ease of use and security.

    Microsoft EMS and NetScaler Unified Gateway together form an intelligent system that adds a layer of protection for local resources by verifying the end device in advance. This means that the devices from which employees try to access corporate systems are verified in Microsoft Intune (Microsoft's service for managing mobile devices and applications, which is part of the EMS platform) even before a VPN connection is established. For a smartphone or tablet to access local resources, it must be registered in the Microsoft Intune service.

    Administrators can set access control policies for local resources, including MS Exchange, SharePoint and any other applications, based on the status of the end user's mobile device. The device of everyone who wants to connect is checked before the session is established to determine whether it is registered in the Microsoft Intune service and whether it complies with the company’s security policies. While this check is in progress, the mobile user has only conditional access; the system collects information and, based on it, decides whether to grant full access or block it. As a result, the company receives additional protection for local resources.



    In addition to providing conditional access to corporate resources, this solution can scan mobile devices and determine whether there are any risk factors, such as a “hacked” state (the ability to obtain root rights), outdated antivirus databases, or installed malware. Appropriate measures are taken based on the results of the check. This ensures security and centralized management of devices previously registered with Microsoft Intune.

    If you use MS Intune, as well as other systems for managing mobile devices (for example, XenMobile), you can avoid leakage of important data and delete it from a phone or tablet if an employee loses the device. In addition, devices can be managed and configured remotely (for example, with a Wi-Fi profile), which greatly simplifies the administration and control of corporate data.

    Another feature worth noting is the improved user experience: administrators can push policies and configuration settings to mobile devices, so end users do not have to make these adjustments manually. The solution supports the iOS and Android platforms. The user interface is the same on both.

    In addition, NetScaler Unified Gateway offers policy-based nFactor Authentication. System administrators can choose any mechanisms, including RADIUS, Kerberos and other technologies, to authenticate end users. For example, you can check the user's membership in an AD group and, based on this membership, add or skip the next authentication factor, or, after an unsuccessful attempt, offer other methods of user verification. The authentication portal can also be customized to the company's requirements. With Intune integration you can, for example, use the user's membership in an AD group to determine whether they have access to the company's sensitive data and, if so, additionally request a one-time password (OTP).
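
    The access decision described above (device check before the session, then group-based factors), sketched as an added example that is not Citrix or Microsoft code. The device inventory, device IDs, group name and function names are hypothetical stand-ins, not NetScaler or Intune APIs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceRecord:                 # constructed stand-in for an MDM device record
    enrolled: bool
    compliant: bool
    risks: frozenset = frozenset()  # e.g. {"rooted", "stale_av", "malware"}

# Constructed sample inventory; device IDs are hypothetical.
INVENTORY = {
    "dev-001": DeviceRecord(True, True),
    "dev-002": DeviceRecord(True, False),
    "dev-003": DeviceRecord(True, True, frozenset({"rooted"})),
}
SENSITIVE_GROUP = "Finance-Sensitive"   # hypothetical AD group name

def device_gate(device_id):
    """Pre-session check; an unknown device fails closed."""
    rec = INVENTORY.get(device_id)
    if rec is None or not rec.enrolled:
        return False, "device not registered"
    if not rec.compliant:
        return False, "device not compliant"
    if rec.risks:
        return False, "risk factors: " + ", ".join(sorted(rec.risks))
    return True, "device ok"

def required_factors(groups):
    """First factor for everyone; OTP added for the sensitive group."""
    factors = ["password"]
    if SENSITIVE_GROUP in groups:
        factors.append("otp")
    return factors

def decide(device_id, groups, verified):
    """Device state is evaluated before any verified factor is considered."""
    ok, reason = device_gate(device_id)
    if not ok:
        return "DENY", reason
    for factor in required_factors(groups):
        if factor not in verified:      # 'verified' = factors already passed
            return "CHALLENGE", "missing factor: " + factor
    return "ALLOW", "full access"

if __name__ == "__main__":
    for case in [("dev-001", {"Staff"}, {"password"}),
                 ("dev-001", {SENSITIVE_GROUP}, {"password"}),
                 ("dev-999", {"Staff"}, {"password", "otp"})]:
        print(case[0], sorted(case[1]), "->", decide(*case))
```

    Because the device gate runs first, valid credentials presented from an unregistered or non-compliant device never reach the factor chain.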



    I would also like to highlight end-to-end control: using the Gateway Insight function, NetScaler Unified Gateway provides complete, end-to-end control and monitoring of all users' access to local applications. This functionality is simply necessary for administrators who support such an infrastructure. Detailed monitoring lets you track which users are trying to access which applications, as well as the errors they encounter.

    Entering a username and password on a mobile device every time is not the most exciting activity, especially several times in a row. In the modern world, secure does NOT mean inconvenient! Citrix NetScaler Unified Gateway enables remote access and one-time user authentication (single sign-on) for all applications. This functionality is also available when NetScaler is integrated with Microsoft EMS. Thanks to OAuth, which Citrix NetScaler supports, a user who has authenticated with Intune once can build an SSL VPN tunnel to NetScaler, and then, using single sign-on, the credentials are forwarded to an application, for example SharePoint.

    Companies using NetScaler or NetScaler Unified Gateway for Citrix XenApp / XenDesktop, or for one-time user identification (for all applications in the data center or cloud), can also use these solutions to support MDM functionality in Microsoft EMS.

    NetScaler Unified Gateway can be useful not only for those who switch to Microsoft EMS, but also for those who want to provide secure access to corporate resources. This can be a company from any industry: banks, telecom operators, businesses of various kinds and many others. The gateway provides secure remote access to XenApp and XenDesktop, as well as to all corporate web, SaaS, and Citrix applications. With NetScaler Unified Gateway you can eliminate the need for a separate SSL VPN for remote access to corporate and cloud applications, which reduces overall costs and makes things more convenient for users.
