Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to any remote access login, complete with inline self-service enrollment and Duo Prompt.
Only Duo Single Sign-on for Citrix NetScaler provides Universal Prompt support for NetScaler or Citrix Gateway logins. RADIUS configurations for NetScaler that feature the traditional Duo Prompt with radius_server_iframe
will reach end of life on September 30, 2024. Customers must migrate NetScaler deployments to Duo Single Sign-On or a RADIUS configuration that does not use the iframe (such as configuring radius_server_auto
for both web and client access) before that date for continued Duo authentication.
Learn more about options for out-of-scope applications in the Universal Prompt update guide, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.
Yes. NetScaler Gateway and Citrix Gateway are essentially the same product. Citrix renamed NetScaler Access Gateway to Citrix Gateway in version 12.1. The product was renamed back to NetScaler in 2023.
Citrix Application Delivery Controller or ADC (formerly NetScaler ADC) has a similar login page to Citrix Gateway. Although we expressly test with Citrix Gateway, the same instructions should work for Citrix ADC. Be aware of licensing differences between Citrix Gateway and Citrix ADC for nFactor. As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN, while Citrix ADC requires an "Advanced" or "Premium" license to use nFactor.
Yes. Duo Authentication Proxy version 3.1.0 added support for showing the Duo browser prompt in the NetScaler RFWebUI theme when using advanced authentication policies and nFactor and when using a basic RADIUS policy and the Duo proxy performs both primary and secondary authentication or secondary authentication only with rewrite rules to hide the second password field. You must specify this theme in your authproxy.cfg file's [radius_server_iframe]
section using the syntax type=citrix_netscaler_rfwebui
.
Note that Citrix will retire all themes other than RFWebUI in a v13 release.
Yes. Duo support for nFactor authentication is available starting with Duo Authentication Proxy v3.1.0 and later, when used with Gateway builds 12.1-51.16 or later.
As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN. Citrix ADC requires an "Advanced" or "Premium" license to use nFactor. Learn more about nFactor licensing in the Citrix documentation and follow the Duo nFactor instructions.
Gateway appliances with standard licensing may need to enable the "Show unlicensed features" option under System → Licenses to expose the Advanced Authentication Policy items in the configuration menu.
A change to IE 11 resulted in incompatibility with some versions of Citrix NetScaler. The issue is addressed by NetScaler Gateway versions 9.3.66.x and 10.1.123.x and later. For additional information about the incompatibility, or to see the workaround for NetScaler Gateway versions that do not include the fix, please read IE11 Compatibility got you down? at the Citrix site.
If your NetScaler version is 10.1.123.x or later and IE 11 is displaying a blank authentication page, you may need to force the browser out of "quirks" mode. To do this, add the following line to the beginning of the NetScaler's /netscaler/ns_gui/vpn/index.html file (it may be at /var/ns_gui_custom/ns_gui/vpn/index.html if you're using a custom theme), immediately under the <HEAD> tag.
<META http-equiv="X-UA-Compatible" content="IE=edge">
Finally, ensure that IE is not showing the site in Compatibility View
Yes, when the Citrix Gateway is configured with RADIUS listeners for both Citrix Receiver or Workspace clients and Gateway browser access on different ports. This configuration is described in detail in the Citrix Gateway primary and alternate instructions.
If you deploy Duo using our alternate configuration, iOS and Android Receiver or Workspace users may not authenticate successfully. Per Citrix, it is necessary to perform RADIUS authentication before LDAP in Receiver or Workspace mobile connections. You will need to configure the ordering of your authentication policies as follows:
Primary Authentication:
Secondary Authentication:
Please see the Citrix article for more information and configuration instructions.
Yes, when delivered via NetScaler Gateway or Citrix Gateway. You cannot add Duo RADIUS two-factor authentication directly to Storefront logins.
NetScaler and Citrix Gateway devices have a hard-coded timeout of about three minutes, which closes the login session when the timeout is reached. This timeout is not currently a configurable option, but that may change in a future NetScaler firmware release.
Password concatenation is when you append a comma followed by a Duo passcode or the name of a Duo factor to the end of your Active Directory password, like "mypass123,123456". If you have configured your Gateway to pass primary authentication on to Storefront, and then enter a concatenated password and passcode in Receiver or Workspace, the login fails. This is because the Gateway is passing the entire password + passcode string to Storefront as your AD password.
If you need to support logins to Storefront from Receiver or Workspace using a passcode we recommend you deploy our alternate Citrix Gateway configuration. This will add an additional "Passcode" field to the Receiver or Workspace login prompt, where you can enter a passcode or the name of a Duo factor. See our guide for Receiver for more.
Yes, click here for documentation. Note that while Duo fully supports the Duo Authentication Proxy, Web Interface itself is an EOL product.
Yes, click here for documentation. Note that while Duo fully supports the Duo Authentication Proxy, CAG itself is an EOL product.
Need more help? Try searching our Citrix Knowledge Base articles or Community discussions. For further assistance, contact Support.