Citrix Blogs

Multi-Domain Considerations with NetScaler Gateway and StoreFront

Introduction

Over the past few months, I have worked in several multi-domain customer environments. As you can imagine, there are many considerations when designing the access layer in a multi-domain environment and different design options based on the requirements. Therefore, I want to share some multi-domain design options and considerations regarding NetScaler Gateway and StoreFront in a XenApp and XenDesktop environment.

Since there is a lot to cover, the design considerations will be split into a three-part blog series, which will focus on NetScaler and StoreFront configurations in multi-domain environments in which there are two-way trusts already established and domain credentials are used for authentication. The following topics will not be covered:

In this article, we will focus on NetScaler Gateway multi-domain authentication options. Parts 2 and 3 will cover session policy configurations and internal StoreFront authentication. Let’s get to it.

NetScaler Gateway Authentication

The first consideration with NetScaler Gateway (NSG) for multi-domain environments is how we configure authentication. The end goal is to configure a single NSG vServer for all domains to minimize the number of URLs that have to be communicated to users. With this in mind, we need to have our NSG vServer be aware of all domains (i.e. have authentication policies from all domains bound to it). This can be performed in the following ways:

Let’s look at the pros and cons of each of these options:

Authentication Policy Bind Method Advantages Considerations
Cascade Authentication Simpler configuration: the authentication policies can simply be bound to the NSG vServer using “ns_true” as the expression.

Less user input: the user does not need to provide the domain.

Authentication duration: the amount of time it takes a user to login has the potential to increase as more authentication policies are required.

Account lockouts: if two or more domains have different user accounts configured with the same usernames, but different passwords, the domain that is higher in the list might experience account lockouts due to repeated, failed authentication attempts. Having users log in with userPrincipalName (UPN) can mitigate this risk.

Specifying a domain: different URLs Simpler configuration: does not require adding a domain drop down menu.

Less user input: The user does not need to provide the domain during authentication

Additional URLs: managing multiple DNS records and providing users from different domains with different URLs can result in additional management overhead. Note that in this configuration each NSG URL would have to be added to StoreFront as a separate NSG object.

Incompatible with Receiver client: since Native Receiver uses the URL of the default NSG appliance configured in the StoreFront store (as described in this article), this configuration would not work if using Native Receiver to authenticate and connect externally.

Specifying a domain: drop down menu with rewrite policies Fewer URLs: eliminates the need for multiple URLs.

Simpler configuration than nFactor: requires adding a rewrite policy and modifying the authentication policy expressions.

Incompatible with Receiver client: since Receiver does not support Rewrites, this configuration would not work if using Native Receiver to authenticate and connect externally.

Additional user input: this configuration requires another input from the user upon logon.

Specifying a domain: drop down menu with nFactor Fewer URLs: eliminates the need for multiple URLs.

More flexibility: provides much more flexibility to address different authentication requirements.

Incompatible with Receiver client: since Receiver does not support nFactor authentication, this configuration would not work if using Native Receiver to authenticate and connect externally.

Additional user input: this configuration requires another input from the user upon logon.

Key Takeaways

Below are some key takeaways from the different authentication options discussed.

I hope this was helpful. In Part 2 of this series (coming soon), we will be covering session policy configurations for multi-domain environments.


Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know! tech-content-feedback@citrix.com

Exit mobile version