Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to any remote access login, complete with inline self-service enrollment and Duo Prompt.
Do any of Duo's configurations for NetScaler support the Duo Universal Prompt?
Only Duo Single Sign-On for NetScaler provides Universal Prompt support for NetScaler or Citrix Gateway logins. RADIUS configurations for NetScaler that feature the traditional Duo Prompt with radius_server_iframe will reach end of support on December 31, 2024. Customers must migrate NetScaler deployments to Duo Single Sign-On or a RADIUS configuration that does not use the iframe (such as Duo RADIUS Challenge Text Prompt for NetScaler nFactor or RADIUS with Automatic Push) before December 31, 2024 for continued support.
Learn more about options for out-of-scope applications in the Universal Prompt update guide, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.
What is the difference between NetScaler Gateway and Citrix Gateway?
NetScaler Gateway and Citrix Gateway are essentially the same product. Citrix renamed NetScaler Access Gateway to Citrix Gateway in version 12.1. The product was renamed back to NetScaler in 2023. Firmware versions may reflect either branding depending on the release date.
Citrix Access Gateway is a distinct product from NetScaler Gateway and Citrix Gateway. Citrix Access Gateway is an end-of-life product, superseded by NetScaler.
Is Citrix ADC supported?
Citrix Application Delivery Controller or ADC (also known as NetScaler ADC) has a similar login page to NetScaler Gateway. Although we expressly test with NetScaler Gateway, the same instructions should work for Citrix ADC. Be aware of licensing differences between NetScaler Gateway and Citrix ADC for nFactor. As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN, while Citrix ADC requires an "Advanced" or "Premium" license to use nFactor.
Is the RFWebUI theme supported?
Yes. Duo Authentication Proxy version 3.1.0 added support for showing the Duo browser prompt in the NetScaler RFWebUI theme in two cases: when using advanced authentication policies and nFactor, and when using a basic RADIUS policy where the Duo proxy performs either both primary and secondary authentication, or secondary authentication only with rewrite rules to hide the second password field. You must specify this theme in the [radius_server_iframe] section of your authproxy.cfg file using the syntax type=citrix_netscaler_rfwebui.
Note that Citrix retired all themes other than RFWebUI in a v13 release.
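The following added example (not Duo's own code) audits an authproxy.cfg for [radius_server_iframe] sections, which are the configurations affected by the December 31, 2024 end of support, and reports whether each one sets the RFWebUI type. The sample config is constructed, its keys other than type are illustrative, and the numbered section name radius_server_iframe2 is an assumption about how a second listener is declared.

```python
import configparser

IFRAME_PREFIX = "radius_server_iframe"
RFWEBUI_TYPE = "citrix_netscaler_rfwebui"

# Constructed sample config with placeholder values (not a real deployment).
SAMPLE_CFG = """\
[ad_client]
host=dc1.example.com

[radius_server_iframe]
type=citrix_netscaler_rfwebui
radius_ip_1=10.0.0.10
client=ad_client
port=1812

[radius_server_iframe2]
type=citrix_netscaler
radius_ip_1=10.0.0.11
client=ad_client
port=18120

[radius_server_auto]
radius_ip_1=10.0.0.10
client=ad_client
port=1813
"""


def audit_authproxy(cfg_text):
    """Return one finding per iframe-based RADIUS section in the config."""
    # interpolation=None: secrets may contain '%'; strict=False tolerates duplicates.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    findings = []
    for name in parser.sections():
        if not name.startswith(IFRAME_PREFIX):
            continue  # non-iframe sections are outside this check
        theme = parser[name].get("type", "").strip()
        findings.append({
            "section": name,
            "type": theme or None,
            "port": parser[name].get("port"),
            "rfwebui": theme == RFWEBUI_TYPE,
            "action": "migrate off the iframe prompt (end of support 2024-12-31)",
        })
    return findings


if __name__ == "__main__":
    for f in audit_authproxy(SAMPLE_CFG):
        print(f"[{f['section']}] port={f['port']} type={f['type']} -> {f['action']}")
```

To check a real proxy, pass the contents of its authproxy.cfg to audit_authproxy instead of SAMPLE_CFG.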
Is nFactor supported?
Yes. Duo support for nFactor authentication is available in Duo Authentication Proxy v3.1.0 and later, when used with Gateway builds 12.1-51.16 or later.
As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN. Citrix ADC requires an "Advanced" or "Premium" license to use nFactor. Learn more about nFactor licensing in the Citrix documentation and follow the Duo nFactor instructions.
Gateway appliances with standard licensing may need to enable the "Show unlicensed features" option under System → Licenses to expose the Advanced Authentication Policy items in the configuration menu.
Why am I receiving a blank authentication page with Internet Explorer 11?
A change to IE 11 resulted in incompatibility with some versions of NetScaler. The issue is addressed by NetScaler Gateway versions 9.3.66.x and 10.1.123.x and later. For additional information about the incompatibility, or to see the workaround for NetScaler Gateway versions that do not include the fix, please read IE11 Compatibility got you down? at the Citrix site.
If your NetScaler version is 10.1.123.x or later and IE 11 is displaying a blank authentication page, you may need to force the browser out of "quirks" mode. To do this, add the following line to the beginning of the NetScaler's /netscaler/ns_gui/vpn/index.html file (it may be at /var/ns_gui_custom/ns_gui/vpn/index.html if you're using a custom theme), immediately under the <HEAD> tag.
<META http-equiv="X-UA-Compatible" content="IE=edge">
Finally, ensure that IE is not showing the site in Compatibility View.
Does Duo Security support Citrix Receiver or Workspace clients?
Yes, when the NetScaler Gateway is configured with RADIUS listeners for both Citrix Receiver or Workspace clients and Gateway browser access on different ports. This configuration is described in detail in the NetScaler Gateway primary and alternate instructions.
Why might mobile Receiver or Workspace clients have issues authenticating with Duo?
If you deploy Duo using our alternate configuration, iOS and Android Receiver or Workspace users may not authenticate successfully. Per Citrix, it is necessary to perform RADIUS authentication before LDAP in Receiver or Workspace mobile connections. You will need to configure the ordering of your authentication policies as follows:
Primary Authentication:
- Receiver/Workspace - RADIUS
- Browser - LDAP
Secondary Authentication:
- Receiver/Workspace - LDAP
- Browser - RADIUS
Please see the Citrix article for more information and configuration instructions.
Does Duo Security support Citrix Storefront?
Yes, when delivered via NetScaler Gateway or Citrix Gateway. You cannot add Duo RADIUS two-factor authentication directly to Storefront logins.
Why do I receive an HTTP Internal Server Error from the NetScaler if I take four minutes or longer to complete Duo authentication?
NetScaler and Citrix Gateway devices have a hard-coded timeout of about three minutes, which closes the login session when the timeout is reached. This timeout is not currently a configurable option, but that may change in a future NetScaler firmware release.
This is a separate setting from the configurable RADIUS timeout within a NetScaler Gateway device. This issue can happen during authentication or if a user is performing in-line self-enrollment and they exceed the timeout.
When this issue occurs, the following error may be displayed by the NetScaler Gateway:
HTTP/1.1 Internal Server Error 43549
Refer to Radius Challenge Response Timeout Between NetScaler Gateway and Radius Server for more information.
Can you use password concatenation to log on to Storefront via NetScaler using Receiver or Workspace clients?
Password concatenation is when you append a comma followed by a Duo passcode or the name of a Duo factor to the end of your Active Directory password, like "mypass123,123456". If you have configured your Gateway to pass primary authentication on to Storefront, and then enter a concatenated password and passcode in Receiver or Workspace, the login fails. This is because the Gateway is passing the entire password + passcode string to Storefront as your AD password.
If you need to support logins to Storefront from Receiver or Workspace using a passcode, we recommend you deploy our alternate NetScaler Gateway configuration. This will add an additional "Passcode" field to the Receiver or Workspace login prompt, where you can enter a passcode or the name of a Duo factor. See our guide for Receiver for more.
Does Duo work with Citrix Web Interface or Citrix Access Gateway?
You may be able to add Duo authentication with our generic RADIUS application and Duo Authentication Proxy. While Duo fully supports the Duo Authentication Proxy, Web Interface and CAG themselves are EOL Citrix products.
Additional Troubleshooting
Need more help? Try searching our Citrix Knowledge Base articles or Community discussions. For further assistance, contact Support.