Skip navigation
Documentation

Citrix Gateway - FAQ

Last Updated: September 24th, 2019

Duo integrates with your Citrix Gateway to add two-factor authentication to any VPN login, complete with inline self-service enrollment and Duo Prompt.

Do you support NetScaler Access Gateway?

Yes. NetScaler Gateway and Citrix Gateway are essentially the same product. Citrix renamed NetScaler Access Gateway to Citrix Gateway in version 12.1.

Is the RFWebUI theme supported?

Yes. Duo Authentication Proxy version 3.1.0 added support for showing the Duo browser prompt in the NetScaler RFWebUI theme. You must specify this theme in your authproxy.cfg file's [radius_server_iframe] section using the syntax type=citrix_netscaler_rfwebui. Refer to the complete instructions here.

Why am I receiving a blank authentication page with Internet Explorer 11?

A change to IE 11 resulted in incompatibility with some versions of Citrix NetScaler. The issue is addressed by NetScaler Gateway versions 9.3.66.x and 10.1.123.x and later. For additional information about the incompatibility, or to see the workaround for NetScaler Gateway versions that do not include the fix, please read IE11 Compatibility got you down? at the Citrix site.

If your NetScaler version is 10.1.123.x or later and IE 11 is displaying a blank authentication page, you may need to force the browser out of "quirks" mode. To do this, add the following line to the beginning of the NetScaler's /netscaler/ns_gui/vpn/index.html file (it may be at /var/ns_gui_custom/ns_gui/vpn/index.html if you're using a custom theme), immediately under the <HEAD> tag.

<META http-equiv="X-UA-Compatible" content="IE=edge">

Finally, ensure that IE is not showing the site in Compatibility View

Does Duo Security support Citrix Receiver?

Yes, when the Citrix Gateway is configured with RADIUS listeners for both Citrix Receiver and Gateway browser access on different ports. This configuration is described in detail in the Citrix Gateway primary and alternate instructions.

Why might mobile Receiver clients have issues authenticating with Duo?

If you deploy Duo using our alternate configuration, iOS and Android Receiver users may not authenticate successfully. Per Citrix, it is necessary to perform RADIUS authentication before LDAP in Receiver mobile connections. You will need to configure the ordering of your authentication policies as follows:

Primary Authentication:

  1. Receiver - RADIUS
  2. Browser - LDAP

Secondary Authentication:

  1. Receiver - LDAP
  2. Browser - RADIUS

Please see the Citrix article for more information and configuration instructions.

Does Duo Security support Citrix Storefront?

Yes, when delivered via NetScaler Gateway or Citrix Gateway. You cannot add Duo RADIUS two-factor authentication directly to Storefront logins.

Why do I receive an HTTP Internal Server Error from the NetScaler if I take four minutes or longer to complete Duo authentication?

NetScaler and Citrix Gateway devices have a hard-coded timeout of about three minutes, which closes the login session when the timeout is reached. This timeout is not currently a configurable option, but that may change in a future NetScaler firmware release.

Can you use password concatenation to log on to Storefront via NetScaler using Receiver?

Password concatenation is when you append a comma followed by a Duo passcode or the name of a Duo factor to the end of your Active Directory password, like "mypass123,123456". If you have configured your Gateway to pass primary authentication on to Storefront, and then enter a concatenated password and passcode in Receiver, the login fails. This is because the Gateway is passing the entire password + passcode string to Storefront as your AD password.

If you need to support logins to Storefront from Receiver using a passcode we recommend you deploy our alternate Citrix Gateway configuration. This will add an additional "Passcode" field to the Receiver login prompt, where you can enter a passcode or the name of a Duo factor. See our guide for Receiver for more.

Does Duo work with Citrix Web Interface?

Yes, click here for documentation. Note that while Duo fully supports the Duo Authentication Proxy, Web Interface itself is an EOL product.

Does Duo work with Citrix Access Gateway?

Yes, click here for documentation. Note that while Duo fully supports the Duo Authentication Proxy, CAG itself is an EOL product.

Additional Troubleshooting

Need more help? Try searching our Citrix Knowledge Base articles or Community discussions. For further assistance, contact Support.