By Fredrik Brattstig @virtualbrat
If you have been following IGEL, you know that IGEL has released the IGEL COSMOS platform and has changed the management interface by adding a web-based console for the day-to-day tasks of UMS administrators (features are added on a recurring basis). You also know that IGEL has a new device connector that handles the communication traffic between IGEL OS 12 endpoints in the field and the IGEL UMS server. The device connector and the WebUMS share the same web server engine, and they share the same port, which by default is 8443. To reach the UMS you generally hit http://your.ums.fqdn:8443/webapp. The UMS currently supports either local admins or Active Directory admins logging in to the UMS console and the WebUMS. This is fine for internal network access, but I would like to add Microsoft Entra ID (Azure AD) authentication in front of my UMS when the WebUMS console is used from the internet. In my case, I will use a NetScaler to provide an Entra ID login before I allow browser access to the WebUMS from external networks, and I will set up an IGEL Cloud Gateway to handle the communication between the IGEL OS endpoints and the IGEL UMS server.
The NetScaler can additionally protect the web application that WebUMS provides by putting another authentication layer in front of the original web application. And by pure luck 😎, that layer can be Azure Entra ID authentication, which also includes Microsoft MFA (Multi-Factor Authentication). Let's have a look at a video of the authentication flow before I explain what I did, and why:

And here is the video of the login flow accessing the WebUMS from external endpoints:
As seen in the video, as soon as I try to connect to the WebUMS from the internet, the NetScaler that sits in front of the UMS server redirects my web traffic to Entra ID web authentication on the tenant I configured the NetScaler for. The NetScaler has a load balancer vserver set up that will not accept traffic until I have an Entra ID authenticated user who can present a ticket for authorization.
On my Entra ID tenant, I have created a Citrix ADC SAML Connector for Microsoft Entra ID enterprise application and configured it accordingly. The enterprise application can be restricted to only allow logins from certain users and/or groups in Entra ID. On the NetScaler I added a rule that specifies which users are authorized to traverse the NetScaler (after successful Entra ID authentication), tied as an AAA user to the authentication vserver.
To configure Entra ID and my NetScaler I followed this guide as a template: https://learn.microsoft.com/en-us/entra/identity/saas-apps/citrix-netscaler-tutorial
(For this blog, I stopped at the section on configuring Kerberos authentication, as that was not needed for my use case.)
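To make the pieces above concrete, here is an added NetScaler CLI sketch of the setup described in this post (the SAML action for the Entra ID enterprise application, a non-addressable authentication vserver, and the externally reachable load balancer vserver that hands traffic to the UMS on 8443). This is not the author's configuration: all object names, IP addresses, certificate names, the tenant ID and the user names are placeholders, and the allow-list is expressed as an authorization policy on the LB vserver rather than the AAA user binding the author used.

```nscli
# Backend: the UMS host that serves the WebUMS (and the device connector) on 8443.
# 10.0.0.10 is a placeholder for the internal UMS address.
add server ums_srv 10.0.0.10
add service ums_svc_8443 ums_srv SSL 8443

# SAML SP action for the "Citrix ADC SAML Connector for Microsoft Entra ID" app.
# entraid_idp_cert = the Entra ID signing certificate imported on the NetScaler
# ns_sp_cert       = the NetScaler certificate used to sign its AuthnRequests
# Redirect URL and issuer come from the enterprise app's SAML settings (placeholders here).
# Without -samlUserField the assertion's NameID becomes the NetScaler user name.
add authentication samlAction saml_entraid -samlIdPCertName entraid_idp_cert -samlSigningCertName ns_sp_cert -samlRedirectUrl "https://login.microsoftonline.com/<TENANT-ID>/saml2" -samlIssuerName "https://ums.example.com" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication Policy pol_saml_entraid -rule true -action saml_entraid

# Non-addressable authentication vserver, reached only through the authnProfile.
add authentication vserver auth_vs SSL 0.0.0.0
bind authentication vserver auth_vs -policy pol_saml_entraid -priority 100
add authentication authnProfile authprof_ums -authnVsName auth_vs

# Authorization: deny by default, then allow only the named UMS admins.
# A successful Entra ID login alone is not enough; the user must also match here.
set aaa parameter -defaultAuthorizationAction DENY
add authorization policy authz_ums_admins 'AAA.USER.NAME.SET_TEXT_MODE(IGNORECASE).EQ("fred@example.com") || AAA.USER.NAME.SET_TEXT_MODE(IGNORECASE).EQ("ums-admin2@example.com")' ALLOW

# Internet-facing LB vserver for the WebUMS (203.0.113.10 is a placeholder VIP).
# No request reaches ums_svc_8443 until the authnProfile has an authenticated session.
add lb vserver lb_webums SSL 203.0.113.10 443 -authnProfile authprof_ums
bind lb vserver lb_webums ums_svc_8443
bind lb vserver lb_webums -policyName authz_ums_admins -priority 100
bind ssl vserver lb_webums -certkeyName ums_example_com_cert
```

Note that the IGEL OS 12 device connector shares port 8443 with the WebUMS, so this LB vserver should only be published for browser access; endpoint traffic from the internet goes through the IGEL Cloud Gateway as described above.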
This is one way to add another security layer on top of the WebUMS, or any other web app. There are probably multiple ways of achieving the same goal, and it can probably be applied to other technology vendors too; this is all a way to show that the NetScaler can be used for other things than just an ICA reverse proxy.
Eventually, one day, the IGEL WebUMS may use the ticket that Entra ID provides after a login to enable Single Sign-On to the WebUMS console. Keep refreshing the virtualbrat.com website for a new blog when this is possible!
That's it for today!
/Fred
