Introduced at the end of 2015, this agent integrated both the Citrix NetScaler and Citrix StoreFront as a standard agent to RSA Authentication Manager. It supersedes the older RSA SecurID Ready Implementation Guide, last modified 29 September 2015, that configured the NetScaler as a RADIUS client to Authentication Manager, but which required an LDAP password logon in addition to the RSA SecurID passcode or RBA logon.
As of Q2 2016, only Citrix StoreFront 3.0 is supported by RSA Authentication Manager. StoreFront 3.5 and 3.6 are not supported and probably will not work because the Delegated Forms Authentication (DFA) used in Citrix has changed.
Make sure the Citrix StoreFront and NetScaler gateways are working with password logon.
Configure Citrix StoreFront for DFA and LDAP password.
Install and successfully test the RSA Authentication Agent 1.0 for Citrix StoreFront. Get tokencode/passcode/fixed passcode logon working before attempting to get RBA to work. Use a fixed passcode if you do not have tokens.
Configure the StoreFront to allow an RSA passcode authentication through DFA.
Test StoreFront logon with the fixed passcode, which includes enabling DFA on the virtual server that publishes the StoreFront.
Install the RBA Helper application on the StoreFront Windows Server, and use the Citrix NetScaler 11 with DFA integration script.
Make sure Citrix StoreFront works through the NetScaler's gateways with AD or LDAP password logons.
Confirm that Citrix StoreFront works with DFA and with an AD or LDAP password.
Exclude specific network adapters from auto-registration, and
Maintain the primary IP address of the agent.
There should be no need to use the node secret load utility because test authentication should create the node secret.
Follow the steps in Chapter 5 of the Installation and Administration Guide to enable Citrix Delegated Forms Authentication because DFA is a prerequisite for extending the RSA Authentication Agent for Citrix StoreFront to authenticate users with either RSA SecurID or RBA. Chap. 5 p.39 includes:
Enabling DFA and configuring it to use RSA SecurID.
Given that the online Citrix docs include obsolete – and potentially misleading – references to the AA RSA RBA solution, we recommend following the instructions in the .rtf installed on StoreFront to enable DFA. This is described in the second half of step 2 on page 42: “Citrix provides similar information in a document installed on Citrix StoreFront servers. See <ProgramFiles>\Citrix\Receiver StoreFront\Management\Cmdlet\DFAServerFPReadMe.rtf.”
Configure DFA to use RSA SecurID authentication by using the PowerShell command Set-DSDFAProperty -ConversationFactory "SecurIDAuthentication" (also described on page 42).
Use the StoreFront MMC to enable Passthrough from the NetScaler on the published store.
The last step for passcode-only logon is to enable DFA on the virtual server that publishes StoreFront, add a DFA authentication policy, and configure the action of the policy with the details of the StoreFront server that were set when enabling DFA (the ClientID and the passphrase). At this point, authentication to the StoreFront with an RSA SecurID passcode through the virtual server URL should be successful.
Next, add RBA by installing the RBA helper application and downloading the redirect script for the RBA agent. Be sure to choose Citrix NetScaler 11 with DFA, not Citrix NetScaler 10.
Also try clearing the domain passthrough if you are browsing the website URL from inside the network but are not getting prompted for an RSA passcode.
Debug logging for the RBA Helper Application is turned on with a registry setting. Set HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktop Common\Logging\Components\RBAHelper to 1.
If you need to email any .htm or .js files such as the integration script, you might need to rename the .js or .html extensions to .txt and then zip them before you attach them to an email, so that the mail filters do not strip them out.