
Combine Duo with NetScaler and thwart identity attacks? Yes, please!

Introduction

Imagine you’re hanging out in front of the TV and your phone starts to ding. It’s a push notification for MFA, but you aren’t logging in. That’s worrisome. Now imagine it’s one of your workforce’s users in the recliner, and their attention is so divided, they hastily grab their phone and hit approve to silence it. Now a bad actor is in your environment. These are the types of attacks that are happening in the wild, and the types of real-world behaviors those in charge of security for their organizations face.

Customers using older Duo integrations with NetScaler are struggling to protect against modern-day identity attacks such as the one above. It’s time for something better. Guarding against increasingly sophisticated identity attacks is a must, but it often comes at the cost of usability. Certainly, no one wants to add complexity to NetScaler logins, or any application for that matter. What if easy implementation and a better user experience, all wrapped up in Duo’s most advanced capabilities that help protect against modern identity attacks, were available today? Well, we have great news for you. It is!

With a long-standing partnership and integration, Duo has been protecting NetScaler logins with multi-factor authentication, device trust, and posture assessment for many years. Identity threats, growing in sophistication, convinced us it was time to step up our game. Duo laid the groundwork towards this in 2022 with the delivery of the Universal Prompt. Universal Prompt set out to build a platform that protects against modern attack techniques such as MFA phishing and session hijacking, all while improving the end user experience. Enter the Duo Web Integration for NetScaler, complete with the Universal Prompt.

What did we do, and why did we do it?

NetScaler, in striving to provide a very flexible solution, offers support for many authentication standards such as SAML, which Duo supports with Duo SSO. There are some great reasons why you’d want to use SSO; however, integrating through SAML requires additional elements to be deployed to preserve single sign-on capabilities throughout the Citrix stack. If it’s preferred to preserve the architecture without those additional components, using RADIUS for MFA was a good option. The RADIUS integration between Duo and NetScaler allowed consumers to keep primary authentication in place and use Duo as secondary authentication, while preserving Citrix’s single sign-on capabilities. Remember that whole need for enhanced security though? RADIUS wasn’t providing it.

Duo strived not just to match, but to beat the simplicity of our original NetScaler integration when setting out to modernize and provide better security. Enter OAuth. If you’re not familiar with OAuth, you can learn more here. With OAuth, Duo can implement a more flexible, more secure, and simpler integration. Our partners at NetScaler agreed and we all set to task integrating using OAuth, again allowing primary authentication to remain untouched while making the second factor integration easier and more secure. I’d be remiss not to mention OAuth is the native mechanism for integrating the Duo Universal Prompt with many applications, not just NetScaler.

What exact benefits does it offer?

Use of this new integration provides all Duo customers an easier way to integrate and simplifies their deployment by removing the requirement to use the Duo Authentication Proxy and RADIUS integration. This results in NetScaler talking directly to the Duo cloud service and customers keeping their current benefits of device trust and industry-leading MFA. This is just the tip of the iceberg. Phishing? Reduced with the use of Duo verified and proximity push. The real magic comes when customers utilize the Duo Advantage or Premier tiers. What does this provide? It opens a myriad of security controls which are critical in protecting users from today’s advanced identity attacks. Use of the Universal Prompt within Duo Advantage and Premier provides risk-based authentication, device health checks, user location controls and continuous identity protection with Cisco Identity Security. By combining identity visibility and protecting users from phishing, password spray attacks and so much more, NetScaler is turned into a force of identity protection just by integrating with Duo.

What if I want to use a SAML IdP instead?

Plenty of customers have successfully used SAML to authenticate users into their Citrix environments. Using Duo as an IdP and the primary authentication source for NetScaler allows for additional benefits such as passwordless authentication or single sign-on with other applications. Should you have the appetite for or have already implemented Citrix infrastructure to support SAML with Citrix single sign-on, using Duo is a great option. If you have a different SAML IdP configured with Duo as the MFA, that’s another great way to protect your NetScaler users with the security benefits of Duo.

Next steps

All existing customers can see immediate benefits by implementing the Duo Web Integration for NetScaler. For the ultimate in end user protection and defense from advanced identity attacks, customers can upgrade to Duo Advantage edition. For those who have not yet experienced Duo, start your trial today.