As we settle into our work-from-home routines, one consideration for many organizations that issue devices to employees and contractors is how those devices will check in to the Microsoft Key Management Service (KMS) server. Many organizations have already announced that remote work will extend to the fall or the end of the year. For organizations that use a KMS server to activate Windows OS or Office, endpoints need to check in once every 180 days. Organizations that started teleworking in March can expect a deadline to check in around September. Instead of asking employees to come into the office to connect their device to the internal network or shell out for a VPN solution, you can use your existing Citrix ADC to create an SSL VPN gateway that only allows access to the KMS server for activation.

In this blog, I’ll show you how to add a Citrix Gateway VPN service to an existing ADC deployment for client device KMS activation. Before we get started, here’s what you’ll need:

  • External facing IP address
  • DNS entry for the VPN gateway
  • SSL certificate for the VPN gateway
  • AD group for VPN users
  • Firewall rules open from ADC SNIP to KMS server for port TCP 1688
  • Deployment tool to push out the Citrix Gateway plug-in

Configuring the SSL VPN Gateway

AAA Group

First, we’ll create an AAA group that defines the VPN users and restricts access only to the KMS server with session and authorization policies. When you create the AAA group, give it a name that matches the group name in Active Directory of the VPN users.

You can find AAA Groups under Citrix Gateway > User Administration.

After you create the AAA group, add a session policy and an authorization policy and bind them to the AAA group.

Session Policy/Profile

The session policy will define the settings for user connections. In the AAA group, click the Policies tab and then the + sign to create a new session policy and profile. Create the profile first by clicking Add under Profile.

Configure the profile with the following settings:

Network Configuration

This setting allows administrators to force the SSL VPN connection to close after a set time, after which the user must log in again. Because a script runs the KMS activation as soon as the connection is made, the VPN connection can safely be ended after that set time.

Client Experience

Under Advanced Settings, the Show VPN Plug-in icon with Receiver option should be checked to prevent the Citrix Workspace app/Receiver icon from being combined with the Citrix Gateway plug-in icon. When the plug-in icon is combined into Citrix Workspace app/Receiver, it becomes more difficult for the user to log off the VPN.

Security

When the Default Authorization Action is set to DENY, access to all network resources is restricted. Authorization policies will need to be created to define the network resources that users can access. In the next section, we’ll create an authorization policy that only allows access to KMS servers.

Published Applications

Once the session profile is completed, select the newly created profile in the session policy configuration. By default, the Active Directory group used when creating the AAA group will have this policy applied. If users in your VPN group have access to multiple gateways, such as an ICA proxy gateway, then you want to restrict this AAA group to just the VPN gateway. To restrict the AAA group to the SSL VPN gateway, use the expression REQ.IP.DESTIP == <IP address of the SSL VPN gateway>. Otherwise, use true (Default Syntax) or ns_true (Classic Syntax).

Authorization Policy

Next, create an authorization policy to add to the AAA group. Click the Authorization Policies tab on the AAA Groups page.

Because we set the Default Authorization Action to DENY in the session profile, we have to specify explicitly what is allowed. In the example below, I am allowing only TCP port 1688, the port KMS activation uses, with the expression CLIENT.TCP.DSTPORT.EQ(1688). You can restrict it even further by limiting it to port and subnet or port and destination IP address.

Bind the authorization policy to the AAA group. When completed the AAA group should have two policies bound.

SSL VPN Gateway

Now, we are ready to create the SSL VPN gateway. Create the gateway using the external facing IP address. You can create the virtual server under Citrix Gateway > Virtual Servers.

When creating the gateway, make sure ICA Only is unchecked.

Bind a server SSL certificate to the gateway. For authentication, either Basic Authentication or Advanced Authentication is a valid option. The same authentication methods used to configure ICA proxy gateways, such as LDAP, RADIUS, SAML, and smartcard, also work for SSL VPN gateways; nFactor is supported in the Citrix Gateway plug-in from ADC 12.1 build 49 and up.

Because the authorization and session policies are already applied through the AAA group, those do not need to be added again to the gateway virtual server. Lastly, if you want to change the SNIP that the ADC will use to communicate to the KMS server, you will need to add a Network Profile to the gateway.

In the Profiles section of the gateway virtual server, you will see an option to add a new Net Profile.

In the dropdown under IPAddress, select the IP address of the SNIP you want to use. Under Source Port Range add the port 1688.

The configuration of the SSL VPN virtual server is now complete.
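As an added example (not from the article or from Citrix), the following Python script audits an ns.conf excerpt against the least-privilege design built in the AAA Group, Session Policy, Authorization Policy and SSL VPN Gateway sections: the bound session profile must default to DENY, every ALLOW authorization policy bound to the group must pin TCP 1688, and the gateway virtual server must not be ICA Only. The ns.conf lines, object names, the gateway VIP 203.0.113.10 and the KMS server 10.0.0.5 are constructed placeholders.

```python
import re

# Constructed ns.conf excerpt for the KMS-only SSL VPN gateway. Object names, the
# gateway VIP (203.0.113.10) and the KMS server (10.0.0.5) are hypothetical placeholders.
NS_CONF = """
add aaa group KMS-VPN-Users
add vpn sessionAction KMS-VPN-Profile -defaultAuthorizationAction DENY -forcedTimeout 30 -icaProxy OFF
add vpn sessionPolicy KMS-VPN-Policy "REQ.IP.DESTIP == 203.0.113.10" KMS-VPN-Profile
add authorization policy KMS-Allow-1688 "CLIENT.TCP.DSTPORT.EQ(1688) && CLIENT.IP.DST.EQ(10.0.0.5)" ALLOW
bind aaa group KMS-VPN-Users -policy KMS-VPN-Policy -priority 100
bind aaa group KMS-VPN-Users -policy KMS-Allow-1688 -priority 100
add vpn vserver KMS-VPN-GW SSL 203.0.113.10 443 -icaOnly OFF
"""


def audit_kms_vpn(conf, group, kms_port=1688):
    """Check the objects bound to one AAA group; an empty list means the design holds."""
    profiles = dict(re.findall(r"^add vpn sessionAction (\S+) ?(.*)$", conf, re.M))
    policies = dict(re.findall(r'^add vpn sessionPolicy (\S+) (?:"[^"]*"|\S+) (\S+)$', conf, re.M))
    authz = {n: (rule, act) for n, rule, act in
             re.findall(r'^add authorization policy (\S+) "([^"]*)" (ALLOW|DENY)$', conf, re.M)}
    bound = re.findall(rf"^bind aaa group {re.escape(group)} -policy (\S+)", conf, re.M)
    findings = []
    # 1. Every session policy bound to the group must point at a profile whose
    #    Default Authorization Action is DENY, so nothing is reachable unless allowed.
    sess = [p for p in bound if p in policies]
    if not sess:
        findings.append("no session policy bound to group")
    for p in sess:
        if "-defaultAuthorizationAction DENY" not in profiles.get(policies[p], ""):
            findings.append(f"session profile {policies[p]} does not default to DENY")
    # 2. Every ALLOW authorization policy bound to the group must pin the KMS port;
    #    a catch-all rule such as "true" would open the whole intranet to VPN users.
    allow = [p for p in bound if p in authz and authz[p][1] == "ALLOW"]
    if not allow:
        findings.append("no ALLOW authorization policy bound; KMS unreachable")
    for p in allow:
        if f"CLIENT.TCP.DSTPORT.EQ({kms_port})" not in authz[p][0]:
            findings.append(f"authorization policy {p} is not restricted to TCP {kms_port}")
    # 3. The gateway virtual server must not be ICA Only, or the full VPN tunnel
    #    (and with it the KMS path) is never offered to the plug-in.
    for name, opts in re.findall(r"^add vpn vserver (\S+) SSL \S+ \d+(.*)$", conf, re.M):
        if "-icaOnly ON" in opts:
            findings.append(f"vserver {name} is ICA Only; SSL VPN disabled")
    return findings


if __name__ == "__main__":
    print(audit_kms_vpn(NS_CONF, "KMS-VPN-Users") or "OK: KMS-only VPN design verified")
```

Run it against a real `show ns runningConfig` export after any change to the gateway to confirm the deny-by-default design has not been loosened.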

Other Considerations

Endpoint Analysis Scan

Optionally, you can enhance security by using Citrix ADC's Endpoint Analysis (EPA) scan feature to ensure that devices meet certain requirements before being presented with the VPN gateway for authentication. This way, organizations can use pre-authentication policies to restrict access to corporate-issued or government furnished equipment (GFE) devices only.

Examples of EPA scan requirements include a domain check, antivirus installed, numeric and non-numeric registry keys, and Windows Update status. The pre-authentication policy can be configured to scan for several of these items before allowing the user to proceed. Users that do not pass the EPA scan can be placed in a quarantine group that administrators can use to display a web page explaining why the user's device is not compliant.

Plug-in Deployment

There are a couple of options for deploying the Citrix Gateway plug-in. Users can download the plug-in directly from the VPN gateway; however, this requires the user to have administrative permissions on the device. Another option is to deploy it through a third-party software deployment tool. If you are using EPA scans, the EPA plug-in may also need to be installed. Note that in testing on ADC 12.1 build 55.18, EPA scans worked with only the Citrix Gateway plug-in installed.

Connectivity

Finally, make sure that your SSL VPN gateway has the firewall rules open and connectivity to the KMS server. By default, the VPN gateway will use the ADC SNIP to communicate with the KMS server. As mentioned in the SSL VPN Gateway section, you can use Net Profiles to change which SNIP the KMS activation traffic leaves from. You can also assign static Intranet IP addresses and allow that subnet to connect to the internal resources.

Customizations

For a clean home page after login, edit the Portal Theme and uncheck the following three options:

To customize the home page further, edit homepage2.html located in /netscaler/portal/templates. Note that if you go with this approach, you may have to replace the page after each ADC reboot/upgrade, or you can use rc.netscaler to automate that process. Another option is to use a responder policy so that when the VPN connection is established and homepage2.html is requested, the responder HTML page is served instead. You can do this by creating a responder policy bound to the gateway virtual server with the expression HTTP.REQ.URL.CONTAINS("homepage2.html") and a respondwithhtmlpage action that serves the custom HTML page.

Below I have an example of a simple home page where the user can easily click Activate Windows to run the KMS activation script and then click Log Off when complete to log out of VPN. Make sure to deploy the script to the location the HTML button link is pointing to.

Download the example HTML page.

Conclusion

To recap, this SSL VPN gateway allows client devices outside the internal network to activate against an internal KMS server. With an EPA scan configured, only client devices that pass the scan are presented with the VPN gateway logon page. Once authenticated, only the KMS port is allowed through the SSL VPN gateway. Once a user is connected, you can run a script to force the KMS check-in. While this blog was geared towards KMS activation, the same logic applies if your organization wants to set up a VPN gateway and restrict access to any other service, protocol, or security tool that requires a check-in (e.g., RDP, FTP, SSH, antivirus, DLP).


Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.