Citrix Netscaler Gateway 12
Introduction
This article covers how to set up an integration between Swivel PINsafe and Citrix NetScaler Gateway 12.
Swivel can provide two-factor authentication with SMS, Token and Mobile Phone Client, and strong Single Channel authentication with TURing or Pinpad, or in the Taskbar, using RADIUS. The methods that do not require an image are covered in the article [[1]].
To use a Single Channel image such as the TURing image, the Swivel server must be made reachable by the client, which requests the image directly from it. This is usually done with Network Address Translation, often through a proxy server; the Swivel virtual or hardware appliance provides a dedicated proxy port as an additional layer of protection. The NetScaler can also use its load-balancing bridging feature to let a Swivel server's IP serve Single Channel images such as TURing and PINpad. Both of these authentication methods need an image, and a set of rules must be applied to the gateway to serve it. This document covers applying those rules through the NS command line.
Integration Architecture
Swivel Secure → Radius → Nas → Netscaler → login page → AD → login customised page
Turing Image Integration
You can customise the labels from the web console. Under NetScaler Gateway, select Portal Themes, then the theme you are using, and Edit. On the right, click Logon Page, and the text can be edited there.
Default Theme
Below there is a set of rewrite and responder actions and policies that need to be installed. Before you install them, edit the file and change the URL in the responder action near the bottom to the correct URL for your TURing image. You don't need the "SCImage" part; it is appended automatically. To install the rules, open a command prompt on the NetScaler and paste the entire file contents into the shell window. Once installed, the policies have to be bound to a virtual server. There isn't a script for that as it will be different for each installation; it's easiest to do this in the NetScaler's web admin console.
Rewrite Rules
add rewrite action ReAct_Pinsafe_AppendEULA replace_all "HTTP.RES.BODY(1000000)" "\"form.append(eula_section,field_login,pinsafe_button,pinsafe_image)\"" -search "text(\"form.append(eula_section,field_login)\")"
add rewrite action ReAct_Pinsafe_Append replace_all "HTTP.RES.BODY(1000000)" "\"form.append(field_login,pinsafe_button,pinsafe_image)\"" -search "text(\"form.append(field_login)\")"
add rewrite action ReAct_pinsafe.js insert_after_all "HTTP.RES.BODY(12000)" q{"<script type=\"text/javascript\" src=\"/vpn/pinsafe.js\"></script>"} -search q{text("<script type=\"text/javascript\" src=\"/vpn/login.js\"></script>")}
add rewrite action ReAct_Pinsafe_ButtonVar insert_after_all "HTTP.RES.BODY(1000000)" q{"\r\n var pinsafe_button=$(\"\").addClass('field').addClass('buttons');\r\nvar pinsafe_image=$(\"\");\r\n"} -search q{text("var field_login=$(\"\").addClass('field').addClass('buttons');")}
add rewrite action ReAct_Pinsafe_ButtonInput insert_after_all "HTTP.RES.BODY(1000000)" q|"//pinsafe: create button input\r\nvar Pinsafe = $(\"<input type='button' onclick='showTuring()' value='Get Code'></input>\").attr({'id':'Get_Code','value':'Get Code','class':'custombutton login_page'}).appendTo(right_pinsafebutton); \r\n"+"//pinsafe: create turing image \r\nvar PinsafeImg = $(\"<img id=imgTuring name=imgTuring style='padding-top:10px; padding-right:10px' height='97' width='360px' align='right' />\").appendTo(right_pinsafeimage);\r\n"| -search q|text("var Login = $(\"<input type='submit'></input>\").attr({'id':'Log_On','value':'Log On','class':'custombutton login_page','disabled':'disabled'}).appendTo(right_loginbutton);")|
add rewrite action ReAct_Set_Username_Blur replace_all "HTTP.RES.BODY(100000)" q|".focus(function(){loginFieldCheck();}).blur(function(){showTuring();})"| -search q|text(".focus(function(){loginFieldCheck();})")|
add rewrite policy RePol_Pinsafe_ButtonVar "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_ButtonVar
add rewrite policy RePol_Pinsafe_LeftRightVar "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_LeftRightVar
add rewrite policy RePol_Pinsafe_ButtonInput "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_ButtonInput
add rewrite policy RePol_Pinsafe_AppendEULA "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_AppendEULA
add rewrite policy RePol_Pinsafe_Append "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_Append
add rewrite policy RePol_Set_Username_Blur "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Set_Username_Blur
add rewrite policy RePol_pinsafe.js "HTTP.REQ.URL.EQ(\"/vpn/index.html\")" ReAct_pinsafe.js
add responder action ResAct_pinsafe.js respondwith "\"HTTP/1.1 200 OK\r\n\r\n\"+\"var pinsafeUrl = \\\"https://pinsafens.swivelsecure.com:8443/proxy/\\\";\n\"+\"\nfunction showImage(sUrl) {\n\tsUser = document.getElementById(\\\"Enter user name\\\").value;\n\tif (sUser==\\\"\\\") {\n\t\t// getElementsByName returns a list, so focus the first match\n\t\tdocument.getElementsByName(\\\"login\\\")[0].focus();\n\t} else {\n \"+\"\n\t\t// Find the image using Mozilla compatible approach…\n\t\tvarImg = document.getElementById(\\\"imgTuring\\\");\n \"+\"\n\t\t//Set the image src\n\t\tvarImg.src = sUrl + \\\"\?username=\\\" + sUser + \\\"&random=\\\" + Math.round(Math.random()*100000);\n \"+\"\n\t}\n}\n\"+\"\nfunction showTuring() {\n\tshowImage(pinsafeUrl + \\\"SCImage\\\");\n}\n\"+\"\nfunction sendMessage() {\n\tshowImage(pinsafeUrl + \\\"DCMessage\\\");\n}\"\n"
add responder policy ResPol_pinsafe.js "HTTP.REQ.URL.EQ(\"/vpn/pinsafe.js\")" ResAct_pinsafe.js
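An added check, not part of the article or of Swivel's own tooling: a small Python linter for the rule file above, run before pasting it into the NetScaler shell. It flags a policy bound to an action the file never defines (as happens with RePol_Pinsafe_LeftRightVar in the listing), an action no policy references, and a responder pinsafeUrl that is not https, lacks the trailing "/" that showTuring() relies on when it appends SCImage, or still differs from your own proxy URL (swivel.example.com is a placeholder for that).

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the page's rule file (action names as on the
# page, bodies shortened). Like the page's listing it binds RePol_Pinsafe_LeftRightVar
# to an action that is never defined, so the check has something to flag.
SAMPLE_RULES = r'''
add rewrite action ReAct_Pinsafe_Append replace_all "HTTP.RES.BODY(1000000)" "\"x\"" -search "text(\"y\")"
add rewrite action ReAct_pinsafe.js insert_after_all "HTTP.RES.BODY(12000)" q{"<script></script>"} -search q{text("<script></script>")}
add rewrite policy RePol_Pinsafe_Append "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_Append
add rewrite policy RePol_Pinsafe_LeftRightVar "HTTP.REQ.URL.EQ(\"/vpn/js/gateway_login_form_view.js\")" ReAct_Pinsafe_LeftRightVar
add rewrite policy RePol_pinsafe.js "HTTP.REQ.URL.EQ(\"/vpn/index.html\")" ReAct_pinsafe.js
add responder action ResAct_pinsafe.js respondwith "\"HTTP/1.1 200 OK\r\n\r\n\"+\"var pinsafeUrl = \\\"https://pinsafens.swivelsecure.com:8443/proxy/\\\";\n\""
add responder policy ResPol_pinsafe.js "HTTP.REQ.URL.EQ(\"/vpn/pinsafe.js\")" ResAct_pinsafe.js
'''

ACTION_RE = re.compile(r'^add (rewrite|responder) action (\S+)')
POLICY_RE = re.compile(r'^add (rewrite|responder) policy (\S+) ".*" (\S+)\s*$')
URL_RE = re.compile(r'pinsafeUrl\s*=\s*\\*"([^"\\]+)\\*"')

def parse_rules(text):
    """Return (action names, [(policy, action)], [pinsafeUrl literals])."""
    actions, policies, urls = set(), [], []
    for line in text.splitlines():
        if m := ACTION_RE.match(line):
            actions.add(m.group(2))
            urls += URL_RE.findall(line)   # only responder actions carry the URL
        elif m := POLICY_RE.match(line):
            policies.append((m.group(2), m.group(3)))
    return actions, policies, urls

def check_rules(text, expected_url):
    """Lint the rule file before it is pasted into the NetScaler shell."""
    actions, policies, urls = parse_rules(text)
    findings = []
    for pol, act in policies:           # a policy bound to a missing action
        if act not in actions:
            findings.append(f"{pol}: action {act} is not defined in this file")
    for act in sorted(actions - {a for _, a in policies}):
        findings.append(f"{act}: defined but referenced by no policy")
    for url in urls:
        if urlparse(url).scheme != "https":
            findings.append(f"pinsafeUrl {url}: image URL is not https")
        if not url.endswith("/"):
            findings.append(f"pinsafeUrl {url}: needs a trailing '/' (SCImage is appended directly)")
        if url != expected_url:
            findings.append(f"pinsafeUrl {url}: does not match your Swivel proxy URL {expected_url}")
    return findings
```

Run it as `check_rules(open("rules.txt").read(), "https://swivel.example.com:8443/proxy/")` against the real file and fix every finding before pasting.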