Guide to Deploying NetScaler as an Active Directory Federation Services Proxy
Enables seamless authentication for Office 365 use cases.
Recently, more enterprises are migrating to a cloud-based application deployment model. Thanks to cloud-based services such as Microsoft Office 365, this migration has accelerated. Cloud-based app deployment provides significant added value, but at the same time, it changes the underlying infrastructure for the enterprise. One of the critical services enterprise IT teams worry about is authentication for users connecting from within and outside the organization.
When migrating to the cloud, enterprises want to ensure the user experience does not change. However, seamless access to services hosted outside the enterprise data center requires a new component in the app deployment design. No one wants the Active Directory password to travel on the wire outside the data center, so federation becomes the natural and proven alternative. For Microsoft services in particular, Active Directory Federation Services (ADFS) is the solution you are looking for. The ADFS security token service extends the single sign-on (SSO) experience for Active Directory-authenticated clients to resources outside the enterprise data center.
A Microsoft ADFS 2.0 server farm allows internal users to access external cloud-hosted services. But the moment external users are brought into the mix, they must be given a way to connect remotely and access cloud-based services through federated identity. This is where an ADFS proxy plays a major role – giving external users SSO access to both internal federation-enabled resources and cloud resources such as Office 365. The purpose of the ADFS proxy server is to receive requests from the Internet and forward them to ADFS servers that are not themselves reachable from the Internet. The ADFS proxy therefore plays a critical role in remote user connectivity and application access. Citrix ADC, formerly NetScaler, has been playing similar roles – remote user connectivity and application access – for more than a decade. Citrix ADC has the right technology to enable secure connectivity, authentication and handling of federated identity, and thus it becomes the preferred solution for replacing an existing ADFS proxy or supporting a new ADFS implementation. Most enterprises want to reduce their footprint in the DMZ, and hence they appreciate the fact that, in addition to its traditional functions, Citrix ADC can serve as the ADFS proxy. This approach avoids the need to deploy an additional component in the DMZ.
Packet flow of how the ADFS proxy helps with external user access:
In most use cases you will run an ADFS farm and an ADFS proxy farm, both of which require load balancing and need to scale with high availability. If you are already using Citrix ADC, formerly NetScaler, to load balance your ADFS proxy farm and other key services, only one additional step is needed to set up Citrix ADC as a replacement for the ADFS proxy farm. This means Citrix ADC does not just play the ADC role, but also takes over the functions performed by the ADFS proxy in the external user access scenario.
Citrix ADC is a proven remote access solution for the DMZ. Administrators can use the AAA for Traffic Management (AAA-TM) feature of Citrix ADC to fulfill the ADFS proxy use case, while the other security features of the product add to the overall value of this solution.
Packet flow of how Citrix ADC as ADFS proxy helps with internal/external user access:
Here both internal and external users can go through the Citrix ADC path, the only difference being that external users are required to pre-authenticate with the Citrix ADC AAA-TM module. For this access scenario, an AAA-TM vserver must be set up on Citrix ADC to perform the pre-authentication. Internal users can be load balanced directly to the ADFS server farm.
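As an added example (not taken from the original guide or from Citrix documentation), the NetScaler CLI configuration that realises this split: one load-balancing vserver that sends internal users straight to the ADFS farm, and a second, Internet-facing vserver for external users that enforces pre-authentication through an AAA-TM vserver backed by an LDAPS lookup against Active Directory. All names, IP addresses, the certificate key name and the example.com domain are assumed placeholders.

```text
# Added example configuration; every address, name and domain below is a placeholder.

# 1. ADFS server farm behind an internal load-balancing vserver.
#    Internal users are sent here directly, with no pre-authentication.
add server adfs01 10.0.1.11
add server adfs02 10.0.1.12
add service svc_adfs01 adfs01 SSL 443
add service svc_adfs02 adfs02 SSL 443
add lb vserver lb_adfs_int SSL 10.0.1.10 443 -persistenceType SOURCEIP
bind lb vserver lb_adfs_int svc_adfs01
bind lb vserver lb_adfs_int svc_adfs02
# adfs_cert is assumed to be an SSL certkey already installed on the appliance
bind ssl vserver lb_adfs_int -certkeyName adfs_cert

# 2. AAA-TM vserver that pre-authenticates external users.
#    LDAP over SSL (port 636) so the AD password never travels in clear text;
#    the bind account is a low-privilege service account used only for lookups.
add authentication ldapAction ldap_adfs_act -serverIP 10.0.1.5 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc_ns_ldap,ou=service,dc=example,dc=com" -ldapBindDnPassword <service-account-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_adfs_pol ns_true ldap_adfs_act
add authentication vserver aaa_adfs SSL 10.0.1.20 443
bind authentication vserver aaa_adfs -policy ldap_adfs_pol -priority 100
bind ssl vserver aaa_adfs -certkeyName adfs_cert

# 3. External-facing load-balancing vserver for the same ADFS farm.
#    -Authentication ON ties it to the AAA-TM vserver, so an external client is
#    redirected to aaa.example.com to log on before any request reaches ADFS.
add lb vserver lb_adfs_ext SSL 10.0.1.30 443 -persistenceType SOURCEIP -Authentication ON -authnVsName aaa_adfs -AuthenticationHost aaa.example.com
bind lb vserver lb_adfs_ext svc_adfs01
bind lb vserver lb_adfs_ext svc_adfs02
bind ssl vserver lb_adfs_ext -certkeyName adfs_cert

save ns config
```

Only lb_adfs_ext (and aaa_adfs) should be reachable from the Internet through the DMZ firewall; lb_adfs_int stays on the internal network, which is what keeps unauthenticated external traffic away from the ADFS farm.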
Benefits of using Citrix ADC as ADFS proxy