Citrix Blogs

Enforcing a User Consent Banner at NetScaler Gateway with Smart Card

Many of our customers, including the US Department of Defense, are mandated to include consent banners for users accessing any computing system. This blog will walk you through the steps required to configure and enforce a user consent banner prior to smart card authentication for ICA users accessing NetScaler Gateway.

Before reading further, I highly recommend you read my previous article — Reducing PIN Prompts with NetScaler Gateway and Smart Cards — as I will be using this architecture as a basis for this blog. I also recommend you read my colleague’s article — How to Easily Host a Multi-Auth Landing Page on NetScaler Gateway — as it has similar configurations that will familiarize you with how to make a basic Responder Policy web page. This configuration also relies on Optimal Gateway Routing at StoreFront to separate out the Authentication Gateway from the ICA Proxy Gateway so check here if you are unfamiliar.

I’ll also caveat that this is mainly geared at organizations mandating smart card authentication at NetScaler Gateway. This blog can easily be adapted to work with a single, non-smart card Gateway.

Architecture Summary

To baseline we’ll start with the diagram from my previous NetScaler Smart Card article linked above.

We will be using the two Virtual Servers (vServer 1 and vServer 2) on the external network to apply Responder Polices which enforce a consent banner. An HTTP cookie will be used to track the users acceptance of a consent banner. To enforce this, we’ll be checking for the existence of the cookie before allowing the user to authenticate at vServer 1. If they do not have the cookie, they will be presented with a consent banner from vServer 2 before they are allowed to authenticate. One difference in the architecture I will propose, is that users will be browsing to the ICA proxy Gateway first, rather than the access front-end Gateway. This is to prevent users from being prompted for smart card authentication prior to accepting the consent banner.

To facilitate this, the user flow will follow this process:

  1. The user browses to the ICA Proxy Gateway (vServer 2) which is not configured to ask for SSL client certificates. A Responder Policy checks for the existence of the acceptance cookie. It does not exist, so the user is presented with the consent banner web page. This is a small change from my previous article where users browse to the access front-end (vServer 1) first.
  2. The user clicks ‘Accept’ which executes a JavaScript function to set the acceptance cookie and force a reload of the web page.
  3. The consent banner page is reloaded, and the Responder Policy checks again for the cookie. This time it exists so the user is HTTP 302 redirected to the access front-end (vServer 1).
  4. A Responder Policy on the  access front-end (authentication) Gateway checks for the acceptance cookie. The user has the appropriate cookie and the Responder Policy does nothing. They are now able to authenticate into the system. If the user attempts to browse directly to the authentication Gateway without consenting to the access policy page (no browser cookie), the Responder Policy will redirect them to the ICA Proxy Gateway housing the consent web page.

Components and Lab Configuration

To demonstrate this, I will be using the following components:

Three NetScaler Gateway Virtual Servers for authentication, ICA proxy, and StoreFront callback (as in the diagram above) will be used.

Caveats

Creating the Responder Actions

To accomplish our goals, we will be creating three separate Responder Policy and Responder Action pairs to attach to our Gateway vServers. Navigate to AppExpert > Responder > Actions and create three Actions with configurations similar to the following (ignore the NOOP policy):

The Eula-Responder-Action is where you will configure your consent banner web code. You can either upload an HTML file or paste text into the NetScaler GUI. I recommend using text as this is easier to edit and will sync with any paired NetScaler in a High Availability pair. Here is some basic consent page HTML you can use to test (the important bits are in bold):

<!DOCTYPE html>
<script>

function acceptEula()
{ document.cookie=”acceptEula=True;domain=stg.home;path=/”;
location.reload(true); }
</script>

<html lang=”en”>
<head>
<meta http-equiv=”X-UA-Compatible” content=”IE=edge”>
<title>Consent Banner</title>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″/>
</head>
<body>
<p>You are accessing a controlled system.</p><p>By using this system you consent to the following conditions:</p>
<ul><li>Condition 1</li><li>Condition 2</li><li>Condition 3</li><li>Condition 4</li>
<p>
<button onClick=”acceptEula()”>Accept</button>

</body>
</html>

This simple page displays some placeholder text and then creates a button that calls our acceptEula() JavaScript function once the users clicks. The JavaScript code then sets the acceptEula cookie with my parent domain path (modify this for your environment) and forces a reload of the current page.

Create the Responder Policies

Now we can create our Responder Policies and link them to the appropriate Actions. Navigate to AppExpert > Responder > Policies and create three Policies with the following Expressions and Action links.

The Expressions check if the acceptEula cookie either exists or does not exist. Each Policy can take the appropriate Action based upon the result of the Expression.

Binding to NetScaler Gateway

Now that you have created and linked your Policies and Actions, you can bind them to your Gateway vServers. Navigate to NetScaler Gateway > Virtual Servers and bind as follows:

On your ICA Proxy Gateway bind the following Policies:

Note: The redirect Policy must be a lower priority then the EULA Policy to work. To work the ICA Only setting on this Gateway must be Disabled or the Responder Policies will not activate!

On your Authentication Gateway bind the following:

You can bind these by editing your Gateway server, scrolling down to Policies, and selecting the ‘+’ symbol to add a new Policy binding. Once there select Responder and Request and the type.

Then select Add Binding and add the appropriate Policies.

Summary

These configurations should give you a basis to enforce a consent banner for all users accessing a NetScaler Gateway system. Ensure that you test and validate these settings before modifying your production NetScaler Gateway servers. I would also highly recommend working with your internal web development team to make an appropriately branded consent page. Please feel free to use the comments below if you have any questions. For additional guidance, or a more customized solution, our Citrix Consulting team is always available.

Nick Czabaranek
Lead Architect US Public Sector Consulting


Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know! tech-content-feedback@citrix.com

Exit mobile version