Citrix NetScaler Gateway: Alternate Instructions

Duo integrates with your Citrix NetScaler Gateway to add two-factor authentication to VPN logins. Duo Security supports inline self-service enrollment and Duo Prompt when logging on to the NetScaler Gateway using a web browser. For Citrix Receiver connections, Duo Security supports passcodes, phone, and push authentication.

Overview

To add Duo two-factor authentication to your NetScaler Access Gateway you'll configure two RADIUS authentication policies — one that provides Duo's interactive enrollment and authentication prompts to browser-based Access Gateway logins, and a second one that responds to Receiver client logins with an automatic authentication request via push notification to a mobile device or a phone call.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

Why an Alternate Configuration?

This alternate configuration allows your Citrix NetScaler Gateway to handle primary authentication, which enables additional features such as AD password resets. Learn more about the differences between the two Citrix NetScaler deployment configurations.

First Steps

You should already have a working primary authentication configuration for your NetScaler Gateway users before you begin to deploy Duo.

To integrate Duo with your NetScaler Gateway, you will need to install a local proxy service on a machine within your network. This Duo proxy server also acts as a RADIUS server — there's usually no need to deploy a separate RADIUS server to use Duo.

Before proceeding, you should locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, we recommend Windows Server 2012 R2 or later, Red Hat Enterprise Linux 7 or later, CentOS 7 or later, or Debian 7 or later).

Then you'll need to:

Sign up for a Duo account.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate Citrix NetScaler in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. See Getting Started for help.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Install the Duo Authentication Proxy

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe. Note that the actual filename will reflect the version e.g. duoauthproxy-3.0.0.exe. View checksums for Duo downloads here.
Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.

Ensure that Perl, Python 2.6 or 2.7 (including development headers and libraries), and a compiler toolchain are installed. On most recent RPM-based distributions — like Fedora, RedHat Enterprise, and CentOS — you can install these by running (as root):
```
$ yum install gcc make python-devel libffi-devel perl zlib-devel
```
On Debian-derived systems, install these dependencies by running (as root):
```
$ apt-get install build-essential python-dev libffi-dev perl zlib1g-dev
```
Download the most recent Authentication Proxy for Unix from https://dl.duosecurity.com/duoauthproxy-latest-src.tgz. Depending on your download method, the actual filename may reflect the version e.g. duoauthproxy-3.0.0-src.tgz. View checksums for Duo downloads here.

Extract the Authentication Proxy files and build it as follows:

$ tar xzf duoauthproxy-latest-src.tgz
$ cd duoauthproxy-version-src
$ make

Install the authentication proxy (as root):
```
$ cd duoauthproxy-build
$ ./install
```
Follow the prompts to complete the installation. The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own.

If you ever need to uninstall the proxy, run /opt/duoauthproxy/uninstall.

Configure the Proxy

After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

Platform	Default Configuration Path
Windows (64-bit)	C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
Windows (32-bit)	C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
Linux	/opt/duoauthproxy/conf/authproxy.cfg

The configuration file is formatted as a simple INI file. Section headings appear as:

[section]

Individual properties beneath a section appear as:

name=value

The Authentication Proxy may include an existing authproxy.cfg with some example content. For the purposes of these instructions, however, you should delete the existing content and start with a blank text file. We recommend using WordPad or another text editor instead of Notepad when editing the config file on Windows.

Configure the Proxy for Duo Only Authentication

At the top of your authproxy.cfg, create a [duo_only_client] section. This section has no additional parameters to configure.

[duo_only_client]

When using the [duo_only_client] configuration, the Authentication Proxy will ignore primary credentials and perform Duo factor authentication only.

Configure the Proxy for Your Citrix NetScaler

Next, you need to set up the Authentication Proxy to work with your Citrix NetScaler. To do so, create a radius_server_iframe section using the Duo Citrix NetScaler application with the following properties:

type citrix_netscaler

api_host Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)

ikey Your NetScaler integration key

skey Your NetScaler secret key

failmode

Either safe or secure:

failmode	Description
safe	In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
secure	In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.

client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with the "client" section you created earlier.

duo_only_client

Do not perform primary authentication. Make sure you have a [duo_only_client] section configured..

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

radius_ip_1 The IP address of your (first) Citrix NetScaler

radius_secret_1 A secret to be shared between the proxy and your (first) Citrix NetScaler

radius_ip_X (Optional) IP addresses of additional Citrix NetScalers (specified as radius_ip_2, radius_ip_3, etc.)

radius_secret_X (Optional) Secrets shared with additional Citrix NetScalers (specified as radius_secret_2, radius_secret_3, etc.)

port (Optional) Port on which to listen for incoming RADIUS Access Requests. Default: 1812

Configure the Proxy for Citrix Receiver

Next, you need to set up the Authentication Proxy to work with Citrix Receiver. To do so, create a radius_server_duo_only section using the Duo Citrix NetScaler application settings with the following properties:

api_host Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)

ikey Your NetScaler integration key

skey Your NetScaler secret key

failmode

Either safe or secure:

failmode	Description
safe	In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
secure	In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.

radius_ip_1 The IP address of your (first) Citrix NetScaler

radius_secret_1 A secret to be shared between the proxy and your (first) Citrix NetScaler

radius_ip_X (Optional) IP addresses of additional Citrix NetScalers (specified as radius_ip_2, radius_ip_3, etc.)

radius_secret_X (Optional) Secrets shared with additional Citrix NetScalers (specified as radius_secret_2, radius_secret_3, etc.)

port (Optional) Port on which to listen for incoming RADIUS Access Requests. Default: 1812

Note

The RADIUS port for the Citrix Receiver radius_server_duo_only section should not be the same RADIUS port used by the NetScaler in the radius_server_iframe section of the authproxy.cfg file. For example, if port 1812 is specified for radius_server_iframe, you might use port 18120 for radius_server_duo_only.

A completed config file, using duo_only_client so the NetScaler is the primary authenticator, should look something like:

[duo_only_client]
 
[radius_server_iframe]
type=citrix_netscaler
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
client=duo_only_client
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
port=1812
 
[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
port=18120

Make sure to save your configuration file when done.

Note

View video guides for proxy deployment at the Authentication Proxy Overview or see the Authentication Proxy Reference Guide for additional configuration options.

Start the Proxy

Open an Administrator command prompt and run:

net start DuoAuthProxy

Alternatively, open the Windows Services console (services.msc), locate "Duo Security Authentication Proxy Service" in the list of services, and click the Start Service button.

If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

If you see an error saying that the "service could not be started", open the Application Event Viewer and look for an Error from the source "DuoAuthProxy". The traceback may include a "ConfigError" that can help you find the source of the issue.

Stop and restart the Authentication Proxy service by either clicking the Restart Service button in the Windows Services console or issuing these commands from an Administrator command prompt:

net stop DuoAuthProxy & net start DuoAuthProxy

Open a root shell and run:

# /opt/duoauthproxy/bin/authproxyctl start

To ensure the proxy started successfully, run:

# /opt/duoauthproxy/bin/authproxyctl status

Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

To stop and restart the Authentication Proxy, open a root shell and run:

# /opt/duoauthproxy/bin/authproxyctl restart

If you modify your authproxy.cfg configuration after initial setup, you'll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.

Configure Your Citrix NetScaler Gateway

Before integrating with Duo, make sure your Citrix NetScaler Gateway has a working Virtual Server with your preferred primary factor.

Additionally, check your NetScaler Gateway web portal theme. The inline, browser-based Duo Prompt is compatible with the "Default" (aka "Caxton"), "Green Bubbles", and "X1" NetScaler themes (as well as custom themes based on one of those built-in themes). The "RFWebUI" theme introduced in NetScaler 11.1 cannot display the Duo Prompt. If you're using the "RFWebUI" theme, please change the theme on your NetScaler Gateway globally or per virtual server to a compatible theme before configuring Duo authentication. Learn more about customizing the NetScaler Gateway User Portal.

Configure Secondary Factor

Log in to the Citrix NetScaler administrative interface.
Navigate to NetScaler Gateway → Virtual Servers in the left panel of the administrative interface.
Select your existing NetScaler Gateway Virtual Server, and then click Open.
In the Configure NetScaler Gateway Virtual Server dialog, select the Authentication tab.
Select Secondary and then click Insert Policy.
In the Configure Authentication Policy page, enter the following information:

Name Citrix WebPortal (or some descriptive name)


Name	Citrix WebPortal (or some descriptive name)

Below that, add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	NOTCONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Configure Auth Server

Next, click the New button next to Server section, and enter the following information:

Name	Duo Auth Proxy
IP Address	The IP address of your Duo Authentication Proxy.
Port	The port configured for radius_server_iframe on the Duo Authentication Proxy
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy

Configure Auth Server

Click OK to add the RADIUS server.
Click OK to save the new authentication policy. Next create an additional authentication policy for Citrix Receiver. Under Authentication Policies on this page, select Secondary and then click Insert Policy.
In the Configure Authentication Policy page, enter the following information:

Name CitrixReceiver (or some descriptive name)

Below that, add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	CONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Configure Auth Server

Next, click the New button next to Server section, and enter the following information:

Name	Duo CitrixReceiver (or some descriptive name)
IP Address	The IP address of your Duo Authentication Proxy.
Port	The port configured for radius_server_duo_only on the Duo Authentication Proxy
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Send Calling Station ID	Check this box in order to send the IP address of Citrix Receiver clients to Duo

Configure Auth Server

Click Create to add the RADIUS server.
Click OK to save the new authentication policy.
Verify your new authentication policies and then click OK to apply changes made to the Virtual Server.
Click the save icon to save all of the changes made to the running config.

Log in to the Citrix NetScaler administrative interface.
Navigate to NetScaler Gateway → Virtual Servers in the left panel of the administrative interface.
Select your existing NetScaler Gateway Virtual Server, and then click Edit.
On the "VPN Virtual Server" page, click the plus sign (+) next to Authentication to add a new authentication policy.
On the "Choose Type" page, select the RADIUS policy and Secondary type from the drop-down menus and click Continue.
On the next "Choose Type" screen, click the plus sign (+) next to the "Policy Binding" → "Select Policy" box.
On the "Create Authentication RADIUS Policy" page, enter a name for the policy (like CitrixWebPortal), and then click the plus sign (+) next to the "Server" box to create a new RADIUS server for Duo authentication for web browser clients.

On the "Create Authentication RADIUS Server" page, enter the information for your Duo Authentication Proxy server:

Name	CitrixWebPortal (or another descriptive name)
Server Name or IP Address	The hostname or IP address of your Duo Authentication Proxy server.
Port	The port configured for radius_server_iframe on the Duo Authentication Proxy (1812 in the example)
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy

Create RADIUS server for iframe

Click Create to add the Duo CitrixWebPortal RADIUS server and return to the "Create Authentication RADIUS Policy" page.

Click the Expression Editor link on the "Create Authentication RADIUS Policy" page to add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	NOTCONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Expression for Web Browsers

When the Server and Expression information is correct click Create to save the new CitrixWebPortal policy and return to the "Choose Type" page.
On the "Choose Type" page, make sure the new RADIUS authentication policy you just created is selected. Set the Priority under "Binding Details" to 100 and click Bind.
Binding the new authentication policy returns you to the "VPN Virtual Server" page. Click the plus sign (+) next to Authentication again to add a second new authentication policy.
On the "Choose Type" page, select the RADIUS policy and Secondary type from the drop-down menus and click Continue.
On the next "Choose Type" screen, click the Add Binding button.
Click the plus sign (+) next to the "Policy Binding" → "Select Policy" box.
On the "Create Authentication RADIUS Policy" page, enter a name for the policy (like CitrixReceiver), and then click the plus sign (+) next to the "Server" box to create a new RADIUS server for Duo authentication for Citrix Receiver clients.

On the "Create Authentication RADIUS Server" page, enter the information for your Duo Authentication Proxy server:

Name	Duo CitrixReceiver (or some descriptive name)
Server Name or IP Address	The hostname or IP address of your Duo Authentication Proxy server.
Port	The port configured for radius_server_duo_only on the Duo Authentication Proxy (18120 in the example)
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Send Calling Station ID	Check this box in order to send the IP address of Citrix Receiver clients to Duo

Create RADIUS server for auto

Click Create to add the Duo CitrixReceiver RADIUS server and return to the "Create Authentication RADIUS Policy" page.

Click the Expression Editor link on the "Create Authentication RADIUS Policy" page to add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	CONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Expression for Receiver

When the Server and Expression information is correct click Create to save the new CitrixReceiver policy and return to the "Choose Type" page.
On the "Choose Type" page, make sure the new RADIUS authentication policy you just created is selected. Set the Priority under "Binding Details" to 110 and click Bind.
Verify that your new policies for Receiver and browser clients are both listed and are bound in the correct order. Click Close to save the new policy configuration.
Verify that you have two RADIUS policies for Secondary Authentication and click Done.
Save all of the changes made to the running config.

Log in to the Citrix NetScaler administrative interface.
Navigate to NetScaler Gateway → Virtual Servers in the left panel of the administrative interface.
Select your existing NetScaler Gateway Virtual Server, and then click Edit.
On the "VPN Virtual Server" page, click the plus sign (+) next to Basic Authentication to add a new authentication policy.
On the "Choose Type" page, select the RADIUS policy and Secondary type from the drop-down menus and click Continue.
On the next "Choose Type" screen, click the plus sign (+) next to the "Policy Binding" → "Select Policy" box.
On the "Create Authentication RADIUS Policy" page, enter a name for the policy (like CitrixWebPortal), and then click the plus sign (+) next to the "Server" box to create a new RADIUS server for Duo authentication for web browser clients.

On the "Create Authentication RADIUS Server" page, enter the information for your Duo Authentication Proxy server:

Name	CitrixWebPortal (or another descriptive name)
Server Name or IP Address	The hostname or IP address of your Duo Authentication Proxy server.
Port	The port configured for radius_server_iframe on the Duo Authentication Proxy (1812 in the example)
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy

Create RADIUS server for iframe

Click Create to add the CitrixWebPortal RADIUS server and return to the "Create Authentication RADIUS Policy" page.

Click the Expression Editor link on the "Create Authentication RADIUS Policy" page to add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	NOTCONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Expression for Web Browsers

When the Server and Expression information is correct click Create to save the new CitrixWebPortal policy and return to the "Choose Type" page.
On the "Choose Type" page, make sure the new RADIUS authentication policy you just created is selected. Set the Priority under "Binding Details" to 100 and click Bind.
Binding the new authentication policy returns you to the "VPN Virtual Server" page. Click the plus sign (+) next to Authentication again to add a second new authentication policy.
On the "Choose Type" page, select the RADIUS policy and Secondary type from the drop-down menus and click Continue.
On the next "Choose Type" screen, click the Add Binding button.
Click the plus sign (+) next to the "Policy Binding" → "Select Policy" box.
On the "Create Authentication RADIUS Policy" page, enter a name for the policy (like CitrixReceiver), and then click the plus sign (+) next to the "Server" box to create a new RADIUS server for Duo authentication for Citrix Receiver clients.

On the "Create Authentication RADIUS Server" page, enter the information for your Duo Authentication Proxy server:

Name	CitrixReceiver (or another descriptive name)
Server Name or IP Address	The hostname or IP address of your Duo Authentication Proxy server.
Port	The port configured for radius_server_duo_only on the Duo Authentication Proxy (18120 in the example)
Time-out (seconds)	60
Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Confirm Secret Key	The RADIUS secret shared with your Duo Authentication Proxy
Send Calling Station ID	Check this box in order to send the IP address of Citrix Receiver clients to Duo

Create RADIUS server for auto

Click Create to add the CitrixReceiver RADIUS server and return to the "Create Authentication RADIUS Policy" page.

Click the Expression Editor link on the "Create Authentication RADIUS Policy" page to add an expression with the following details:

Expression Type	General
Flow Type	REQ
Protocol	HTTP
Qualifier	HEADER
Operator	CONTAINS
Value*	CitrixReceiver
Header Name*	User-Agent

Expression for Receiver

When the Server and Expression information is correct click Create to save the new CitrixReceiver policy and return to the "Choose Type" page.
On the "Choose Type" page, make sure the new RADIUS authentication policy you just created is selected. Set the Priority under "Binding Details" to 110 and click Bind.
Verify that your new policies for Receiver and browser clients are both listed and are bound in the correct order. Click Close to save the new policy configuration.
Verify that you have two RADIUS policies for Secondary Authentication and click Done.
Save all of the changes made to the running config.

Modify the sign-in page

Let's customize the sign-in page to hide the unnecessary secondary password field.

Create the custom theme directory as described in the Citrix document Creating a Custom Theme for the Logon Page. To gain shell access, SSH in to your Citrix NetScaler then type shell, then enter the commands.

Example:
```
$ mkdir /var/ns_gui_custom; cd /netscaler; tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
```
In the Citrix NetScaler administrative interface, navigate to NetScaler Gateway → Global Settings in the left panel of the administrative interface. Click Change global settings.
Click the Client Experience tab and change the UI Theme dropdown option to Custom. Click OK to apply the change.

Edit /var/ns_gui_custom/ns_gui/vpn/index.html to add the two Duo modifications to the beginning of the file as shown here (changes are between the "DUO modification" and "end DUO modification" comments):

<!-- DUO modification -->
<!DOCTYPE html>
<!-- end DUO modification -->
<HTML><HEAD><TITLE>NetScaler Gateway</TITLE>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- DUO modification -->
<META http-equiv="X-UA-Compatible" content="IE=edge">
<!-- end DUO modification -->
<META content=noindex,nofollow,noarchive name=robots>
<LINK href="/vpn/images/caxtonstyle.css" type=text/css rel=STYLESHEET>
<script type="text/javascript" src="/vpn/resources.js"></script>
<script type="text/javascript" language="javascript">

Edit /var/ns_gui_custom/ns_gui/vpn/login.js to make the following modifications to the ns_showpwd() function within the js file:

• Add var DUO_ENABLED = true; on a new line before the var pwc = ns_getcookie("pwcount"); line.

• Append the string && !DUO_ENABLED to both instances of pwc == 2.

The edited ns_showpwd() function should look like this if using the Default (Caxton) theme (changes are between the "// DUO modification" and "// end DUO modification" comments):

function ns_showpwd()
{
    // DUO modification
    var DUO_ENABLED = true;
    // end DUO modification
    var pwc = ns_getcookie("pwcount");
    document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN class=CTXMSAM_LogonFont>' + _("Password"));
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) { document.write('&nbsp;1'); }
    // end DUO modification
    document.write(':</SPAN></TD>');
    document.write('<TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="' + _("Enter password") + '" name="passwd" size="30" maxlength="127" style="width:100%;"></TD></TR>');
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) {
    // end DUO modification
    document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN class=CTXMSAM_LogonFont>' + _("Password2") + '</SPAN></TD> <TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="' + _("Enter password") + '" name="passwd1" size="30" maxlength="127" style="width:100%;"></TD></TR>');
    }
    UnsetCookie("pwcount");
}

If using the Green Bubble (Receiver) theme, the edited ns_showpwd() function should look like this (changes are between the "// DUO modification" and "// end DUO modification" comments):

function ns_showpwd()
{
    // DUO modification
    var DUO_ENABLED = true;
    // end DUO modification
    var pwc = ns_getcookie("pwcount");
    document.write('<div class="field CredentialTypepassword"><div class="left"><label class="label plain"><SPAN>' + _("Password"));
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) { document.write('&nbsp;1'); }
    // end DUO modification
    document.write(':</SPAN></label></div>');
    document.write('<div class="right"><input class="prePopulatedCredential"  autocomplete="off" spellcheck="false" type="Password" title="' + _("Enter password") + '" name="passwd" size="30" maxlength="127"></div></div>');
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) {
    // end DUO modification
    document.write('<div class="field CredentialTypepassword"><div class="left"><label class="label plain"><SPAN>' + _("Password2") + '</SPAN></label></div><div class="right"><input class="prePopulatedCredential"  autocomplete="off" spellcheck="false" type="Password" title="' + _("Enter password") + '" name="passwd1" size="30" maxlength="127"></div></div>');
    }
    UnsetCookie("pwcount");
}

Create the custom theme directory as described in the Citrix document Creating a Custom Theme for the Logon Page. To gain shell access, SSH in to your Citrix NetScaler then type shell, then enter the commands.

Example:
```
$ mkdir /var/ns_gui_custom; cd /netscaler; tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
```
In the Citrix NetScaler administrative interface, navigate to NetScaler Gateway → Global Settings in the left panel of the administrative interface. Click Change global settings.
Click the Client Experience tab and change the UI Theme dropdown option to Custom. Click OK to apply the change.

Edit /var/ns_gui_custom/ns_gui/vpn/index.html to add two Duo modifications to the beginning of the file as shown here (changes are between the "DUO modification" and "end DUO modification" comments):

<!-- DUO modification -->
<!DOCTYPE html>
<!-- end DUO modification -->
<HTML><HEAD><TITLE>NetScaler Gateway</TITLE>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- DUO modification -->
<META http-equiv="X-UA-Compatible" content="IE=edge">
<!-- end DUO modification -->
<META content=noindex,nofollow,noarchive name=robots>
<LINK href="/vpn/images/caxtonstyle.css" type=text/css rel=STYLESHEET>
<script type="text/javascript" src="/vpn/resources.js"></script>
<script type="text/javascript" language="javascript">

Edit /var/ns_gui_custom/ns_gui/vpn/login.js to make the following modifications to the ns_showpwd_default() and function ns_showpwd_greenbubble() functions within the js file:

• Add var DUO_ENABLED = true; on a new line before the var pwc = ns_getcookie("pwcount"); line.

• Append the string && !DUO_ENABLED to both instances of pwc == 2.

The edited ns_showpwd() and functions should look like this (changes are between the "// DUO modification" and "// end DUO modification" comments):

function ns_showpwd_default()
{
    // DUO modification
    var DUO_ENABLED = true;
    // end DUO modification
    var pwc = ns_getcookie("pwcount");
    document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN class=CTXMSAM_LogonFont>' + _("Password"));
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) { document.write('&nbsp;1'); }
    // end DUO modification
    document.write(':</SPAN></TD>');
    document.write('<TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="' + _("Enter password") + '" name="passwd" size="30" maxlength="127" style="width:100%;"></TD></TR>');
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) {
    // end DUO modification
    document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN class=CTXMSAM_LogonFont>' + _("Password2") + '</SPAN></TD> <TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="' + _("Enter password") + '" name="passwd1" size="30" maxlength="127" style="width:100%;"></TD></TR>');
    }
    UnsetCookie("pwcount");
}

function ns_showpwd_greenbubble()
{
    // DUO modification
    var DUO_ENABLED = true;
    // end DUO modification
    var pwc = ns_getcookie("pwcount");
    document.write('<div class="field CredentialTypepassword"><div class="left"><label class="label plain"><SPAN>' + _("Password"));
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) { document.write('&nbsp;1'); }
    // end DUO modification
    document.write(':</SPAN></label></div>');
    document.write('<div class="right"><input class="prePopulatedCredential"  autocomplete="off" spellcheck="false" type="Password" title="' + _("Enter password") + '" name="passwd" size="30" maxlength="127"></div></div>');
    // DUO modification
    if ( pwc == 2 && !DUO_ENABLED ) {
    // end DUO modification
    document.write('<div class="field CredentialTypepassword"><div class="left"><label class="label plain"><SPAN>' + _("Password2") + '</SPAN></label></div><div class="right"><input class="prePopulatedCredential"  autocomplete="off" spellcheck="false" type="Password" title="' + _("Enter password") + '" name="passwd1" size="30" maxlength="127"></div></div>');
    }
    UnsetCookie("pwcount");
}

Create the custom theme directory as described in the Citrix document Creating a Custom Theme for the Logon Page. To gain shell access, SSH in to your Citrix NetScaler then type shell, then enter the commands.

Example:
```
$ mkdir /var/ns_gui_custom; cd /netscaler; tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
```
Copy the CSS theme for your chosen base design (Green Bubbles or Default) to a "Custom" folder as shown on the Citrix page Customizing the User Portal: Manually creating a custom portal configuration page.

Default Theme Example:
```
$ cp -r /var/netscaler/logon/themes/Default /var/netscaler/logon/themes/Custom
```
Green Bubbles Theme Example:
```
$ cp -r /var/netscaler/logon/themes/Greenbubble /var/netscaler/logon/themes/Custom
```
In the Citrix NetScaler administrative interface, navigate to NetScaler Gateway → Global Settings in the left panel of the administrative interface. Click Change global settings.
Click the Client Experience tab and change the UI Theme dropdown option to Custom. Click OK to apply the change.
Make a backup copy of /var/ns_gui_custom/ns_gui/vpn/js/gateway_login_form_view.js and edit to add the following modifications to the rdx.gateway_login_form_view.prototype.make_view = function() function within the js file:

• Add var DUO_ENABLED = true; on a new line before the if (pwc ==2) line.

• Append the string && !DUO_ENABLED to the instance of pwc == 2.

The edited portion of /var/ns_gui_custom/ns_gui/vpn/js/gateway_login_form_view.js should look like this (changes are between the "// DUO modification" and "// end DUO modification" comments):
```
password2.appendTo(left_pass2);^M
enter_passwd2.appendTo(right_pass2);^M
var pwc = ns_getcookie("pwcount");^M
^M
// DUO modification
var DUO_ENABLED = true;
// end DUO modification
// DUO modification
if (pwc ==2 && !DUO_ENABLED)^M
// end DUO modification
{^M
        form.append(field_pass2);^M
}^M
```

With a Rewrite Policy

Rewrite policies can be bound to individual NetScaler Gateway virtual servers instead of globally to all virtual servers. Ensure that the Rewrite feature is enabled on your NetScaler by going to System → Settings → Configure Basic Features and verifying that the "Rewrite" feature is checked in the NetScaler administrative interface.

SSH in to your Citrix NetScaler.

Enter the following commands to create rewrite actions that will hide the second password field:

add rewrite action rw_act_insert_var_DUO_ENABLED insert_before_all "HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)" "\"var DUO_ENABLED = true;\"" -pattern "if (pwc ==2"

add rewrite action rw_act_insert_DUO_ENABLED insert_after_all "HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)" "\" && !DUO_ENABLED\"" -pattern "if (pwc ==2"

Next, enter the following commands to create rewrite policies that apply the actions created in step #2 to the gateway_login_form_view.js file:

add rewrite policy rw_pol_insert_var_DUO_ENABLED "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" rw_act_insert_var_DUO_ENABLED

add rewrite policy rw_pol_insert_DUO_ENABLED "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" rw_act_insert_DUO_ENABLED

In the Citrix NetScaler administrative interface, navigate to NetScaler Gateway → Virtual Servers. Click on the virtual server where you added Duo secondary authentication to access its properties page.
Scroll down to the Policies section and click the plus sign (+) to add the Duo rewrite policies.
On the "Choose Type" page, select Rewrite from the "Choose Policy" drop-down and Response from the "Choose Type" dropdown. Click Continue.
On the next "Choose Type" page, click on the "Select Policy" Click to select field in the "Policy Binding" section of the page. This shows you the list of rewrite policies you created from the shell earlier. Select the rw_pol_insert_var_DUO_ENABLED policy and click the Select button to return to the "Choose Type" page.
When back on the "Choose Type" page, change the "Goto Expression" to NEXT. You usually do not need to change the "Priority" from the default value assigned. Click the Bind button to bind the first rewrite policy to your virtual server.
Click the plus sign (+) in the "Policies" section again to bind the second Duo rewrite policy. Once again, select Rewrite from the "Choose Policy" drop-down and Response from the "Choose Type" dropdown and then click Continue.
On the "Policy Binding page, click the Add Binding button. Click on the "Select Policy" Click to select field to bring up the list of policies. Select the rw_pol_insert_DUO_ENABLED policy and click the Select button to return to the "Policy Binding" page.
When back on the "Policy Binding" page, leave the "Goto Expression" set to END. You usually do not need to change the "Priority" from the default value assigned, just make sure that it has a greater number than the priority vaule assigned to the first bound policy (e.g. if the first one was priority 100 the second policy priority should be 110). Click the Bind button to bind the second rewrite policy to your virtual server.
Now you should see both "DUO_ENABLED" rewrite policies listed in the correct order (rw_pol_insert_var_DUO_ENABLED before rw_pol_insert_DUO_ENABLED). Click Close to finish.
Verify that you have two additional Rewrite policies listed under "Response Policies" and click Done.
Save all of the changes made to the running config.

With JS File Editing

This method requires applying a custom theme at the global level, so it applies the Duo customizations to all your NetScaler Gateway virtual servers.

Create the custom theme directory as described in the Citrix document Customizing the User Portal - A Note on Older Portal Customizations. To gain shell access, SSH in to your Citrix NetScaler then type shell, then enter the commands.

Example:
```
$ mkdir /var/ns_gui_custom; cd /netscaler; tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
```

Copy the CSS theme for your chosen base design (X1, Green Bubbles, or Default) to a "Custom" folder.

Default Theme Example:

$ cp -r /var/netscaler/logon/themes/Default /var/netscaler/logon/themes/Custom

Green Bubbles Theme Example:

$ cp -r /var/netscaler/logon/themes/Greenbubble /var/netscaler/logon/themes/Custom

X1 Theme Example:

$ cp -r /var/netscaler/logon/themes/X1 /var/netscaler/logon/themes/Custom

In the Citrix NetScaler administrative interface, navigate to NetScaler Gateway → Global Settings in the left panel of the administrative interface. Click Change Global Settings.
Click the Client Experience tab and change the UI Theme dropdown option to Custom. Click OK to apply the change.
Make a backup copy of /var/ns_gui_custom/ns_gui/vpn/js/gateway_login_form_view.js and edit to add the following modifications to the form.append(title,field_username,field_pass); section within the js file:

• Add var DUO_ENABLED = true; on a new line before the if (pwc ==2) line.

• Append the string && !DUO_ENABLED to the instance of pwc == 2.

The edited portion of /var/ns_gui_custom/ns_gui/vpn/js/gateway_login_form_view.js should look like this (changes are between the "// DUO modification" and "// end DUO modification" comments):
```
field_pass.append(left_pass,right_pass);
password1.appendTo(left_pass);
enter_passwd_dummy.appendTo(right_pass);
enter_passwd.appendTo(right_pass);
field_pass2.append(left_pass2,right_pass2);
password2.appendTo(left_pass2);
enter_passwd2_dummy.appendTo(right_pass2);
enter_passwd2.appendTo(right_pass2);
// DUO modification
var DUO_ENABLED = true;
// end DUO modification
// DUO modification
if (pwc ==2 && !DUO_ENABLED)^M
// end DUO modification
{
    form.append(field_pass2);
}
```

Test Your Setup

To test your setup, browse to the URL you normally use to log in to your Citrix NetScaler Gateway. After you complete primary authentication, the Duo enrollment/login prompt appears.

Citrix NetScaler Authentication Prompt

To test your setup with the Citrix Receiver app, enter your username and password, then enter the name of an out-of-band factor or a passcode generated by Duo Mobile or SMS in Receiver's "Passcode" field. You may choose from the following factor names:

push	Perform Duo Push authentication You can use Duo Push if you've installed Duo Mobile and added your account to it
phone	Perform phone callback authentication
sms	Send a new batch of SMS passcodes Your authentication attempt will be denied. You can then authenticate with one of the newly-delivered passcodes.

You can also specify a number after the factor name if you have more than one device enrolled. So you can enter phone2 or push2 if you have two phones enrolled.

Note: Users of the Citrix Receiver mobile app on iOS and Android may have issues connecting with this configuration. Please see the FAQ for additional instructions.

Troubleshooting

Need some help? Take a look at the Citrix NetScaler Frequently Asked Questions (FAQ) page or try searching our Citrix NetScaler Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Primary authentication initiated to Citrix NetScaler Gateway
Primary authentication using Active Directory or RADIUS
Citrix NetScaler Gateway sends authentication request to Duo Security’s authentication proxy
Duo authentication proxy connection established to Duo Security over TCP port 443
Secondary authentication via Duo Security’s service
Duo authentication proxy receives authentication response
Citrix NetScaler Gateway access granted

Documentation