Bring your own Citrix Gateway to Citrix Cloud...or not

Adding basic Citrix Gateway functionality to a Citrix Cloud implementation is literally a one-button option, but what about when you have more complex requirements?

Until recently, anything but rudimentary authentication requirements meant that you couldn’t adopt Citrix Cloud or that you had to bring your own Citrix Gateway (formerly NetScaler Gateway) and StoreFront for use with Citrix Cloud. 

For those who need just basic Gateway functionality, Citrix Cloud is a fabulous solution; after all, it doesn’t get much easier than a simple on/off button. When deploying an on-premises Gateway, admins must factor in the time, cost, and effort associated with deploying two devices for high availability, applying upgrades, obtaining and updating an SSL certificate, failover and disaster recovery, modifying configurations, and other activities. For admins who only need basic Gateway functionality, it’s easy to see why the elimination of Gateway from the on-premises infrastructure becomes a key decision point for moving to Citrix Cloud.

However, many enterprises have complex authentication requirements such as multi-factor authentication; federation; and the integration of third-party identity providers like Google, Okta, and Ping. These advanced requirements are currently being addressed by Citrix, making Citrix Cloud a near-term viable solution for a larger number of enterprises.

Recently, Time-based One-Time Password (TOTP) became generally available in Citrix Cloud, and several authentication-related features have just gone into tech preview. Let’s delve into these options.

Multi-factor authentication

Depending on your definition of multi-factor authentication (MFA), this option may be available today.  Specifically, TOTP became generally available earlier in Q2.  For many organizations, requiring a user to enter a code generated on their smartphone satisfies the requirement for a secondary authentication mechanism that provides security beyond just a password.

Citrix Cloud with TOTP eliminates the need for Citrix Gateway on-premises and is an easy, straightforward option available in the Authentication pane of the Citrix Cloud admin interface. However, if your definition of MFA is more complex, such as integration with RSA virtual tokens, TOTP does not satisfy that requirement.


Authentication, Authorization, and Accounting, more commonly known as AAA, is a feature of on-premises Citrix Gateway. From the standpoint of user access to Citrix resources, the primary use cases are advanced Windows authentication mechanisms, third-party identity providers (Google, Okta, and Ping), RADIUS MFA, conditional access policies, and many others. (Also remember that the exception is Azure Active Directory. For a long time now, you’ve been able to integrate it directly into Citrix Cloud without the on-premises Gateway, enabling some of these more advanced authentication scenarios.)

Citrix just released into tech preview the ability to use an on-premises Citrix Gateway as the identity provider (IdP) for Citrix Cloud.  This functionality requires that the Citrix Gateway continue to be maintained by the enterprise; however, Citrix manages Workspace, the cloud version of StoreFront. 

The on-premises Citrix Gateway appliance and Citrix Cloud communicate with each other based on the OAuth IdP policy configuration within the Gateway.  From the user perspective, the login page presents basic username and password prompts, so the user won’t know or care about the details concerning the identity provider. 

Cloud-enabled Federated Authentication Service

For those who have been using Citrix Federated Authentication Service (FAS) in conjunction with on-premises Citrix Gateway to enable users to connect to resources by means of a virtual smartcard, this authentication requirement no longer makes it difficult to move to Citrix Cloud.  At Citrix Synergy last month, Citrix demonstrated the new Cloud-enabled FAS functionality, which likewise is starting tech preview.

Up until now, FAS implementations were a bit tricky because numerous configurations were required. The new Cloud-enabled FAS functionality still has a few moving parts, e.g., configuration of a GPO and integration with the Microsoft Certification Authority (CA), but the configuration is more streamlined.

Cloud-enabled FAS eliminates the need for on-premises Citrix Gateway appliances and StoreFront servers. However, FAS and CA servers are still required as part of the enterprise-maintained resources for security.

Long-standing Citrix Cloud features

Azure Active Directory and standard Active Directory are standard authentication options presented in Citrix Cloud. By default, Citrix Cloud automatically employs Global Server Load Balancing (GSLB) functionality for users based on their geographical location; optionally, you can designate a primary resource location if AD is centralized in one region. In addition, Web App Firewall and Application Delivery Management (formerly NetScaler Management and Analytics System – MAS) are optional features. 


New features and functionality in Citrix Cloud have addressed, or will address in the coming months, much more than vanilla enterprise authentication requirements. I’m most excited about Cloud-enabled FAS and TOTP because these features enable enterprises to use Citrix Cloud to support all of the Citrix infrastructure components, including the Gateway functionality. Eliminating on-premises Citrix Gateway management and maintenance makes the jump to Citrix Cloud more appealing from a cost perspective as well.

The new Gateway IdP functionality is beneficial for helping enterprises migrate to Citrix Cloud. However, a hybrid infrastructure based on on-premises Gateway is necessary. Although Gateway IdP can be used with Workspace, this type of deployment still requires the management and maintenance of the on-premises Gateway device. 
