Edwin de Bruin

Migrating from Citrix Gateway to VMware Access Workspace One: Part one

Updated on: 2 Mar 2023

A while ago I was discussing a valid migration scenario from an existing Citrix deployment to VMware Horizon with my buddy Henry Heres. One of the steps is to migrate the external portal from Citrix (Unified) Gateway to VMware WS One Access.


As seen before, discussing these kinds of scenarios with Henry is like planting a seed and pouring a gallon of Pokon on top of it. So, we decided to do a cross-referenced blog. I will show the flow; the blog(s) written by Henry will show how to do the real magic.


This will be divided into two blogs describing the two steps. This blog is Step 1.


For Step 2, Using VMware WS One Access as the Portal, click on the following link:


Step 1: Using VMware Access as IDP to the Citrix Unified Gateway.


The Why:

By implementing this in step 1 we can migrate the authentication to VMware Workspace One Access.

This gives us, for example, the possibility to migrate the MFA solution to the VMware Authenticator, implement the access policies and migrate the applications to use Access as IDP.


There is one requirement though: Citrix FAS needs to be implemented. Why? Well, the user is going to log in using SAML, so there is no password to pass to the VDA. As a result a certificate is used to log in to the Windows OS (similar to TrueSSO). I've seen this in place already on multiple occasions when, for example, ADFS is still used (and yes, you can use ADFS as the IDP, but that is not in scope for this blog). Mainly we still see an LDAPS connection with additional MFA like RADIUS. I added the link on how to implement Citrix FAS.


In both scenarios WS One Access is configured to use Password (Cloud Deployment) plus additional authentication. This is not a necessity for step 1; it is just to give the user the same experience when implementing step 2.


The Flow:

  1. The user makes a connection to the NetScaler Gateway

  2. NetScaler responds that the user must authenticate to WS One Access, since that is the configured IDP

  3. The user is redirected to WS One Access

  4. The credentials are validated by the VMware Access Connector

  5. The User Auth service on the VMware Access Connector validates them against an on-prem Active Directory domain controller

  6. The SAML token is passed on to the user's device

  7. With this SAML token the user can log on to the NetScaler Gateway

  8. A connection is made to the configured StoreFront address

  9. StoreFront enumerates the resources via the XML Service on a Citrix Delivery Controller and shows the available desktops or apps to the user

  10. When the user clicks on a desktop or app, an ICA file is generated and downloaded by the user

  11. In the meantime, a request is sent to Citrix FAS to generate a certificate

  12. The certificate is generated on the designated Certificate Authority and cached on the FAS server

  13. When the Citrix Receiver or Workspace App connects to the gateway, the secure ticket is validated against the Secure Ticket Authority (STA) service

  14. The connection to the VDA is made

  15. At the same time the VDA requests the cached user certificate

  16. The VDA validates the certificate against Active Directory
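Steps 6 and 7 hinge on the SAML assertion that WS One Access hands to the user's device and that the NetScaler Gateway then accepts; the checks below are what a defender troubleshooting that hand-off would look at. This is an added example written for this post, not code from Henry's blog or from either vendor; the issuer, audience and UPN values are constructed placeholders, and XML signature verification is left to the gateway.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not captured from a real tenant; issuer, audience and UPN are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://access.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@corp.example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2023-03-02T09:55:00Z" NotOnOrAfter="2023-03-02T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://gateway.example.com/saml/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
EXPECTED_ISSUER = "https://access.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
EXPECTED_AUDIENCE = "https://gateway.example.com/saml/sp"


def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_NOW = parse_saml_time("2023-03-02T10:00:30Z")  # inside the sample's validity window


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return a list of problems; an empty list means the assertion is acceptable.
    XML signature verification is out of scope here; the gateway must still do it."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")
    # FAS needs an AD-resolvable identity; a UPN-shaped NameID is the usual choice
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if "@" not in name_id:
        problems.append("NameID is not UPN-shaped; FAS cannot map it to an AD account")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not not_on_or_after or now >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired or has no NotOnOrAfter")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience does not include {expected_audience}")
    return problems
```

An assertion that passes these checks but is rejected by the gateway usually points at the signing certificate or the SP entity ID configured on the NetScaler side.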

The Magic:


I will hand this one over to Ern.. eh.. Henry. He wrote a beautiful blog on how to configure VMware Access as the IDP:



In addition, here is an article on how to configure Citrix FAS:


Next time: Part Deux! Migrating the portal to VMware WS One Access!


This one will use the Virtual App service to enumerate the Citrix resources, and the end users will use WS One Access to access the Citrix resources! (And by extension you can make the transition to Horizon if you want to..)


Stay Tuned!
