Citrix NetScaler
configuration guide v1.5
October 2018
1 A quick installation guide with Citrix NetScaler
Step 2. Run the configuration utility;
Step 4. Open Active Directory Users and Computers
Step 5. Go back to the SMSPassword configuration tool.
5.1 SMSPassword A100 dispatcher
5.2 External SMS dispatcher mode
Step 6. Configure your NetScaler.
Step 7. Configure your firewall
2 – Load balanced setup with NetScaler
Things to consider before starting:
To enable load balancing by using the NetScaler configuration utility
Step 1 Setting up the A100 SMS dispatchers
Step 2 Installing the SMSPassword servers
Step 3 Installing the SMSPassword service
Step 4 Configure the NetScaler
General Disclaimer and Copyright Notice
1 A quick installation guide with Citrix NetScaler
For a minimal setup you need at least one server to run the SMSPassword service. This can be an existing server, but consider the port the SMSPassword service uses: UDP 1812, the standard RADIUS authentication port. If that port is already in use on the server, either pick another server or configure the SMSPassword RADIUS service to use a different port (and use that same port on the NetScaler side).
For now we will assume you have chosen to install on a fresh new server.
Prepare a Windows server:
-Create a (virtual) Windows server (2008/2012/2016/2019); the Standard edition is enough.
-Configure a fixed IP address.
-Add the computer to the domain.
-Disable UAC for the installation. Either disable the Windows firewall or, preferably, open only the ports the service needs (see Step 7).
-Install .NET Framework 4.0 or later.
Step 1. Run setup.exe
Choose your destination folder and let the installation finish. After installing:
Step 2. Run the configuration utility;
To begin, enable verbose logging. This will help you diagnose any problems during this initial phase. Don't forget to disable it once configuration is done.
On the Radius tab, under Radius Client IP, enter the address the NetScaler will send RADIUS requests from. For a single server that is the NetScaler NSIP; requests that pass through a load balancing virtual server are sourced from a SNIP instead (see section 2).
Make up a new shared secret and enter it in the shared secret field. Use a long random value: the shared secret is what protects the user passwords that travel between the NetScaler and the SMSPassword service. Save it somewhere other system administrators can find it (a password manager such as KeePass), because you will need it in Step 6 and it cannot be recovered from this tool.
Step 3. On the Active Directory tab.
Fill in your full domain DNS name (for example gourami.local). Leave the two other fields (Group, Phone number attribute) at their defaults: SMSPassword and mobile.
Step 4. Open Active Directory Users and Computers
Create a new group called 'SMSPassword'.
Make it a global security group. Everyone who is going to use SMSPassword two-factor authentication has to be a member of this group. Nesting is supported.
Make sure your test user has the 'mobile' attribute filled in and is a member of the 'SMSPassword' group.
Step 5. Go back to the SMSPassword configuration tool.
Under the tab Configuration, under ‘SMS’, configure your SMS dispatcher mode.
5.1 SMSPassword A100 dispatcher
If you use the SMSPassword A100 SMS dispatcher, follow the included manual.
5.2 External SMS dispatcher mode
This can be an external dispatcher such as BulkSMS or MessageBird. Enter the correct URL and fill in your account's username and password; use the HTTPS URL your provider publishes, since these credentials are sent with every request. Send a test SMS to see if your configuration is correct.
Also make sure that the computer running SMSPassword can reach that URL. It might be necessary to open some firewall ports.
Save your settings by pressing the save config button. A file called smspassword.cfg is created in the same folder as the executable.
Step 6. Configure your NetScaler.
-Log on to your Citrix NetScaler and go to System → Authentication → Basic Policies → RADIUS.
-Press 'Add' to add an authentication policy.
-In the Name field enter: smspassword_ap
-Next to Server, press Add.
-In the 'Create Authentication RADIUS Server' box, enter smspassword as the name.
-As IP address use the fixed IP address of the server running the SMSPassword service.
-Fill in the shared secret created in Step 2 (twice).
-Press Test Connection: a green box should pop up saying everything is okay. If not, retrace your steps.
-The remaining fields should read: Password encoding PAP, port 1812, timeout 100. PAP and 1812 are the defaults; set the timeout to 100 seconds as used in this guide.
-Press Create.
-Back in the Configure Authentication Policy box, under 'Expression', open the second drop-down, scroll all the way down and select the 'ns_true' value.
-Press Create.
-Bind your RADIUS policy where you need it, for example to your NetScaler Gateway virtual server.
Don't forget to save your changes.
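The same Step 6 configuration as NetScaler CLI commands, for administrators who prefer the command line over the configuration utility. This is an added example and not part of the original guide: the node address 192.168.2.131 and the Gateway virtual server name gw_vsrv are assumptions, and <secret> stands for the shared secret from Step 2. Lines starting with # are comments for the reader.

```nscli
# RADIUS server object: the SMSPassword host, the shared secret from Step 2,
# PAP password encoding and the 100-second timeout used in Step 6
add authentication radiusAction smspassword -serverIP 192.168.2.131 -serverPort 1812 -radKey <secret> -passEncoding pap -authTimeout 100

# Policy that always matches (ns_true) and uses that server object
add authentication radiusPolicy smspassword_ap ns_true smspassword

# Bind the policy to the NetScaler Gateway virtual server (name gw_vsrv is assumed)
bind vpn vserver gw_vsrv -policy smspassword_ap -priority 100

# Verify the object and persist the running configuration
show authentication radiusAction smspassword
save ns config
```

The priority only matters when several authentication policies are bound to the same virtual server; with this single policy any value works.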
Step 7. Configure your firewall
If you have a firewall in your environment, you will need to open some ports:
-From the NetScaler (its NSIP, or a SNIP when a load balancing virtual server is used) to every server running the SMSPassword service: UDP port 1812 for RADIUS traffic, unless you have chosen to run the RADIUS service on a different port.
-The computer running the SMSPassword service must be able to reach your SMS dispatcher service.
2 – Load balanced setup with NetScaler
When setting up a load balanced configuration you need to keep track of a lot of IP addresses. To make this easier we created a network drawing; below you find a filled-in example. In this manual we use the IP addresses shown in that drawing.
Filled in example network drawing
It's highly recommended that you fill in the empty network drawing before you start configuring. This gives you a clear picture of what you are doing and makes configuring a redundant SMSPassword setup easier. Below you find the empty network drawing. Print it out and fill in the green fields.
Template network drawing, print out and fill in
Things to consider before starting:
- Load balancing RADIUS is supported from NetScaler 9.2 and higher.
- In this tutorial we assume that everything is in one open network. Most production environments are not: consider firewalls and subnets in your setup, and ask your network manager.
- Ensure the load balancing feature is enabled in the NetScaler:
To enable load balancing by using the NetScaler management interface
- In the configuration pane, expand System, and then click Settings.
- In the settings screen, under Modes and Features, click Configure Basic Features.
- In the Configure Basic Features screen, select the Load Balancing check box, and then click OK.
Step 1 Setting up the A100 SMS dispatchers
Configure the two A100 SMS dispatchers as described in the separate manual. It’s recommended that you use a small sticker, and write ‘SMSPassword dispatcher A’ on the device designated as NodeA, and write ‘SMSPassword dispatcher B’ on the device designated as NodeB.
Fill in the correct time zone for each SMS dispatcher.
SMSPassword dispatcher A:
- Network Configuration, IP Address: 192.168.2.107
- Fill in the correct subnet mask
- Enter the correct time zone, Preference, Time Zone
- Choose a reboot time different from the other dispatcher's
- We use 192.168.2.131 as SMS server. This is the server running the actual SMSPassword service
- As SMS server port we use 44444
- Client ID is 11
- We used ‘sms’ as password
SMSPassword dispatcher B:
- Is given IP address 192.168.2.108
- Fill in the correct subnet mask
- Enter the correct time zone, Preference, Time Zone
- Choose a reboot time different from the other dispatcher's
- We use 192.168.2.132 as SMS server. This is the server running the actual SMSPassword service.
- As SMS server port we use 44444
- Client ID is 11
- We used ‘sms’ as password.
As described in the A100 manual, test to see if you can send SMS messages from both nodes.
Step 2 Installing the SMSPassword servers
Find two servers that meet the requirements for SMSPassword. These can be two existing servers. For example, the Storefront servers. Make sure that your RADIUS port (1812 by default) is not already in use. In this example we used new servers so there is no chance of a port conflict.
Configure the servers to have static IP addresses:
For SMSPassword NodeA: 192.168.2.131
For SMSPassword NodeB: 192.168.2.132
The Windows firewall can block ports; in our configuration example we completely disabled the Windows firewall. Preferably, open only the ports you need instead: UDP 1812 (or your chosen RADIUS port) inbound from the NetScaler SNIP.
Make sure each node can reach its SMS A100 dispatcher:
From the SMSPassword NodeA server you should be able to ping 192.168.2.107 (dispatcher A).
From the SMSPassword NodeB server you should be able to ping 192.168.2.108 (dispatcher B).
Make sure you join each of the servers to the domain.
Step 3 Installing the SMSPassword service
Install the software and run the configuration utility;
Configure the NetScaler subnet IP (SNIP) as the RADIUS client on both nodes. By default the NetScaler uses its NSIP to talk to a RADIUS server, but when the server is reached through a load balancing virtual server the requests to the back-end nodes are sourced from the SNIP.
In this example we are going to use a load balancing virtual server, so fill in the NetScaler subnet IP as the Radius Client IP:
In this example we use 'sms' as the RADIUS shared secret. That is fine for a lab; in production use a long random secret and document it for future use. Configure the same secret on both nodes, in the NetScaler RADIUS server object and in the load balancing monitor.
You should configure the same Active Directory information on both nodes:
Use the same one-time password settings on both nodes; a user may be served by either node.
On SMSPassword NodeA service we are going to configure the SMS device like so:
Consult the network drawing; SMSPassword NodeA is using SMS dispatcher A. So, for this node, we are going to use the SMS dispatcher 192.168.2.107. In our example it sends using UDP port 44444. And, for this test we used ‘sms’ as password.
It’s recommended to send a test SMS. Please consider the notation of the number. Some network operators expect a full international number.
On SMSPassword NodeB service we are going to configure the SMS device like so:
Consult the network drawing; SMSPassword NodeB is using SMS dispatcher B. So, for this node, we are going to use the SMS dispatcher 192.168.2.108. In our example it sends using UDP port 44444. And, for this test we used ‘sms’ as password.
It’s recommended to send a test SMS. Please consider the notation of the number. Some network operators expect a full international number.
When you are done configuring both the SMSPassword nodes, make sure you install and start the service on both nodes.
Step 4 Configure the NetScaler
Note that RADIUS load balancing is supported from NetScaler 9.2 and higher.
Make sure you have enabled the load balancing feature of the NetScaler.
The first thing to do is to add the two SMSPassword servers to the NetScaler. Under Configuration go to Traffic Management → Load Balancing → Servers and add both servers with the IP addresses chosen earlier (192.168.2.131 and 192.168.2.132), as shown in the picture below.
Save the configuration.
Make sure you can reach both SMSPassword servers from the NetScaler by pinging them from the NetScaler command line. Firewalls often block this because the NetScalers are usually in a DMZ. A successful ping only proves IP reachability; the monitor created next talks UDP 1812, which the firewall must allow as well.
Create a custom monitor: go to Traffic Management → Load Balancing → Monitors and click Add. Name the monitor SMSPassword_RadiusMonitor and set the type to RADIUS, as shown below.
! Some users reported better results with a 10 second interval and a response time-out of 6 seconds.
As username fill in: smspasswordmonitor
(this must match exactly, so keep it lower case)
Password: smspasswordpassword
Radius key: in this example we use 'sms', but you should use your own RADIUS shared secret. The NetScaler uses this key to build the probe and to check the node's reply, so it must match the secret configured on the nodes.
In the Response Codes section, type 3 and hit the plus sign.
3 is the RADIUS Access-Reject code: the monitor account is not a real user, so a healthy node answers every probe with an Access-Reject, and that reply is what marks the node as UP. A node that does not answer at all (service stopped, port blocked) is marked DOWN.
Press Create to create the monitor.
Add a Load Balancing Virtual Server
Go to Traffic Management → Load Balancing → Virtual Servers and select 'Add'.
As name use SMSPassword_LB_VS
As protocol use RADIUS, as IP address use 192.168.2.213 (see network drawing) and as port 1812.
Press OK.
Under Services and Service Groups click on 'No Load Balancing Virtual Server ServiceGroup Binding' and click on Add.
Name: SMSPassword_SG
Protocol: RADIUS
Press OK.
Click on 'No Service Group Member', then 'Server Based', then Add, and select both nodes from the list.
Under Port fill in 1812 and press Create.
Under Advanced Settings press the plus sign next to Monitors and bind the SMSPassword_RadiusMonitor created earlier.
Press Done. If required, bind the new service group by selecting it and pressing Bind, then Close. Don't forget to save the running configuration so far.
Under Advanced Settings on the right, click Method and select ROUNDROBIN.
Now add the Persistence setting from Advanced Settings and configure it as follows:
Persistence: Rule
Timeout: 5 (minutes)
Expression: CLIENT.UDP.RADIUS.USERNAME
Press OK. This sends every RADIUS request that carries the same user name to the same node for five minutes, so a user's complete logon is handled by one node.
You can test the monitor by stopping the SMSPassword service on one of the nodes and checking that the member shows as DOWN in the NetScaler (and UP again after you restart the service). If a member never shows as 'up'/green, check the firewall.
Add the RADIUS server:
Go to System → Authentication → Basic Policies → RADIUS and select the Servers tab. Add a RADIUS server.
As name use SMSPassword_LBVS_Radius
IP address: 192.168.2.213 (the load balancing virtual server, not a node)
Port: 1812
Secret key (Radius Shared Secret): ‘sms’
Confirm secret key(Radius Shared Secret): ‘sms’
Password encoding: pap
Timeout: 300
Accounting: OFF
Add the RADIUS authentication policy:
Go to System → Authentication → Basic Policies → RADIUS and select the Policies tab. Add an authentication policy.
Use as name: SMSPassword_Radius_AuthPol
Select as type: RADIUS
Server: select SMSPassword_LBVS_Radius (the server created above)
Add as expression: ns_true
Press Create (ignore the warning). Save the NetScaler config.
Now go to your NetScaler Gateway virtual server under NetScaler Gateway → Virtual Servers. Open your gateway virtual server and, under 'Basic Authentication', select the current authentication policy (likely LDAP). Click 'Add binding', select the RADIUS policy and click 'Bind'. Then unbind the previous policy so that the RADIUS policy is the only active policy, and click 'Close'.
Save your configuration.
Test your configuration by logging on through your NetScaler Gateway with a test user that is a member of the SMSPassword group and has a mobile number filled in. Also try a user who is not in the group, who should not get through.
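The complete load balanced configuration of Step 4 as NetScaler CLI commands, in the order the GUI steps above create the objects. This is an added example, not part of the original guide: the addresses and object names are those from the network drawing and the steps above, the Gateway virtual server name gw_vsrv is an assumption, and 'sms' is the lab shared secret from Step 3 (use your own). Accounting stays at its default (off). Lines starting with # are comments for the reader.

```nscli
# Back-end nodes from the network drawing
add server SMSPassword_NodeA 192.168.2.131
add server SMSPassword_NodeB 192.168.2.132

# RADIUS monitor: the probe user does not exist, so a healthy node answers
# Access-Reject (code 3); the reply is checked with the shared secret ('sms' here)
add lb monitor SMSPassword_RadiusMonitor RADIUS -userName smspasswordmonitor -password smspasswordpassword -radKey sms -respCode 3 -interval 10 -resptimeout 6

# Service group with both nodes on UDP 1812, health-checked by that monitor
add serviceGroup SMSPassword_SG RADIUS
bind serviceGroup SMSPassword_SG SMSPassword_NodeA 1812
bind serviceGroup SMSPassword_SG SMSPassword_NodeB 1812
bind serviceGroup SMSPassword_SG -monitorName SMSPassword_RadiusMonitor

# Virtual server on the VIP from the drawing: round robin, with persistence on the
# RADIUS User-Name for 5 minutes so one user's logon stays on one node
add lb vserver SMSPassword_LB_VS RADIUS 192.168.2.213 1812 -lbMethod ROUNDROBIN -persistenceType RULE -rule "CLIENT.UDP.RADIUS.USERNAME" -timeout 5
bind lb vserver SMSPassword_LB_VS SMSPassword_SG

# The NetScaler authenticates against the VIP, never against a node directly
add authentication radiusAction SMSPassword_LBVS_Radius -serverIP 192.168.2.213 -serverPort 1812 -radKey sms -passEncoding pap -authTimeout 300
add authentication radiusPolicy SMSPassword_Radius_AuthPol ns_true SMSPassword_LBVS_Radius
bind vpn vserver gw_vsrv -policy SMSPassword_Radius_AuthPol -priority 100

# Checks: both members should be UP; stop the service on one node and re-run
show serviceGroup SMSPassword_SG
show lb vserver SMSPassword_LB_VS
save ns config
```

If the previous LDAP policy is still bound to gw_vsrv, unbind it (unbind vpn vserver gw_vsrv -policy <ldap_policy_name>) so that, as in the GUI step above, the RADIUS policy is the only active one.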
General Disclaimer and Copyright Notice
Disclaimer
Whilst every care has been taken by SMSPassword Software to ensure that the information contained in this document is correct and complete, it is possible that this is not the case. SMSPassword Software provides the information “as is”, without any warranty for its soundness, suitability for a different purpose or otherwise. To the maximum extent permitted by applicable law, SMSPassword Software is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this information. SMSPassword Software may change or terminate this document at any time without further notice and shall not be responsible for any consequence(s) arising therefrom. Subject to this disclaimer, SMSPassword is not responsible for any contributions by third parties to this information.
Copyright Notice
Copyright © on software and all Materials 1998-2015 SMSPassword Software. SMSPassword and the SMSPassword Logo are either registered trademarks or service marks of SMSPassword in Europe, the United States and other countries. All other product and company names mentioned may be trademarks and/or service marks of their respective owners.