Blog article

Shiraishi

Deploying YubiOn Portal in the Citrix Virtual Apps and Desktops’ Desktop Delivery Environment

Following the recent rise in remote work, various companies, mainly medium to large ones, have begun implementing VDI products for security and cost reasons.


As a response to this growth and the numerous inquiries received, Soft Giken has now introduced YubiOn Portal to Citrix Virtual Apps and Desktops (formerly known as XenDesktop and XenApp).


But what is the YubiOn Portal, and how does it work?


Machine Configuration

The configuration of the machines used was as follows:

① Active Directory infrastructure server (AD infrastructure server)

OS: Windows Server 2022 (Datacenter Edition, GUI)

Additional roles:

  • AD DS

  • AD CS (not required for this verification)

  • DNS


② Citrix Virtual Apps and Desktops server (Citrix server)

OS: Windows Server 2019 (Datacenter Edition, GUI)

Installed software:

  • Citrix Delivery Controller

  • Citrix License Server

  • Citrix StoreFront

  • Citrix Studio

Licenses: Citrix Virtual Apps and Desktops Premium (trial), concurrent model (99 licenses)


③ Citrix desktop delivery machine (desktop delivery machine)

OS: Windows Server 2019 (Standard Edition, GUI)

Installed software:

  • Virtual Delivery Agent for Windows OS


④ User operation terminal

OS: Windows 10 Pro 64-bit

Installed software:

  • Citrix Workspace (downloaded from StoreFront)


Note: All of the above machines are built within a single ESXi server.

Note: All of the above machines are in the same AD domain and network.


AD Infrastructure Server Setup

First, an AD infrastructure server is required. Because the Citrix server components cannot be installed on a domain controller, a basic AD infrastructure must be built on a separate server of its own.


Citrix Server Construction

Next, build the Citrix server. In this example, Windows Server 2019 was chosen as the OS for the Citrix server to avoid installation errors with the Citrix products. However, Windows Server 2022 could also be used.


The installation itself consists of installing and configuring the "Delivery Controller" (upper left of the installer window), followed by "Citrix StoreFront" (lower left). To do this, simply follow the instructions on the installer screens.



Building a Desktop Delivery Machine

Next, build the desktop delivery machine. In this example, the Virtual Delivery Agent for Windows OS was installed. Select "enable intermediary connections to the server" when prompted during configuration.


While Windows Server 2019 Standard (GUI) is used as the OS in this example, a client OS such as Windows 11 or Windows 10 would also work, although it would then be treated as a single-session OS. Windows Server was chosen here so that the multi-session pattern, in which multiple users share a single OS, could also be verified.


User Operation Terminal Construction

Select any Windows machine on the same network as the servers. In this example, a virtual network was set up within the virtual environment, so a separate Windows 10 terminal was built and placed as a PC within that virtual network. To allow access from outside the network, a product such as Citrix Gateway may be required.


Configuration of Delivery Controller

After the installation of the Delivery Controller is complete, Citrix Studio starts and a "Welcome" screen appears. Select "Deliver applications and desktops to users" at the top of the screen to configure the various settings.



Most of the setup can be completed with the default settings. In the section for setting the connection type, select "Do not use machine management". In the machine catalog setup section, add only the single desktop delivery machine. Please note that the system will be shut down and rebooted twice during this procedure.


StoreFront Settings

As with the Delivery Controller, the StoreFront Management Console is launched after installation to configure the various settings. Specify the name of the Citrix server in the "Delivery Controller" field.


Using Desktop via StoreFront

At this point the Citrix products can be used on their own, independently of YubiOn Portal. Next, access the StoreFront URL from the user operation terminal.



The StoreFront website assumes that Citrix Workspace is installed on the client side. Therefore, when the above screen appears, agree to download and install Citrix Workspace (a reboot is required).



Once Citrix Workspace is installed and StoreFront detects that it has been installed correctly, the StoreFront login screen is displayed. Log in with the AD user name and password.



After logging in, the list of available desktops is shown; click one to open the Citrix Workspace app and start the remote connection.



Please keep in mind that no authentication screen is displayed when the Citrix Workspace app opens the desktop at this stage.


Deploying YubiOn Portal and Using It at Logon


Now, install the YubiOn Portal on the desktop delivery machine.

  • Installation must be done on each desktop delivery machine. Currently, account and YubiKey assignments must also be done per machine.

  • Mandatory YubiKey logon must be enabled in the policy. If it is not enabled, the Windows logon step is skipped by the Citrix authentication mechanism.

  • Cached logon, screen lock on YubiKey removal, etc., are not available. Both require USB communication with the YubiKey, so they cannot be used in environments where the YubiKey is not directly connected over USB.

  • If there are multiple desktop delivery machines, they must have different SIDs. YubiOn Portal identifies each terminal by its SID and does not support a situation in which multiple terminals share the same SID.
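The last point is easy to get wrong when delivery machines are cloned from one image, so here is an added PowerShell check (not part of the article or of YubiOn Portal's own tooling) that reads the machine SID of each delivery machine and reports any that are shared. It assumes PowerShell remoting (WinRM) is enabled on the delivery machines, and the host names `VDA01`, `VDA02`, `VDA03` are placeholders for your own machines.

```powershell
# Added example: verify that every desktop delivery machine has a distinct machine SID.
# Placeholder host names; replace with the delivery machines in your catalog.
$deliveryMachines = @('VDA01', 'VDA02', 'VDA03')

$getMachineSid = {
    # The machine SID is the "domain" part of any local account's SID.
    # The built-in Administrator account (RID 500) always exists, even if renamed,
    # so strip its RID to obtain the machine SID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MachineSid = $admin.SID.AccountDomainSid.Value
    }
}

# Collect (computer, machine SID) pairs from every delivery machine.
$results = Invoke-Command -ComputerName $deliveryMachines -ScriptBlock $getMachineSid |
    Select-Object Computer, MachineSid

# Any SID that appears more than once means YubiOn Portal cannot tell the machines apart.
$duplicates = $results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        Write-Warning ("Machine SID {0} is shared by: {1}" -f $group.Name, ($group.Group.Computer -join ', '))
    }
} else {
    Write-Output "All delivery machines have distinct machine SIDs."
}

$results | Format-Table -AutoSize
```

A shared machine SID normally means the clone was not generalized; the usual remedy is to run Sysprep with the generalize option on the image before cloning it again, then install YubiOn Portal on each resulting machine.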



With these points in mind, set up the YubiOn Portal client tool on the desktop delivery machine.



After completing the settings, select a desktop from StoreFront and connect to it; the Windows logon screen appears as shown below. With YubiOn Portal installed, authentication is now required when the desktop is displayed.



When logging on through YubiOn Portal, enter the user name in the upper input box and the password in the lower box, then touch the YubiKey so that the OTP is appended after the password in the password field, and log on.
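To make the "password followed by OTP" field concrete, here is an added PowerShell example that is not YubiOn Portal's code. It assumes only what the article states, namely that the YubiKey appends its OTP to whatever is already in the password field, and it uses the standard YubiKey OTP format (44 modhex characters, of which the first 12 are the key's public ID); how YubiOn Portal itself splits the field is not described on this page, so the split rule here is an assumption. The sample values are constructed and the OTP is structurally valid but not a real, verifiable token.

```powershell
# Added example: split a combined "<password><OTP>" field into its two parts.
function Split-PasswordAndOtp {
    param([Parameter(Mandatory)][string]$FieldValue)

    # A default YubiKey OTP is 44 modhex characters (alphabet: c b d e f g h i j k l n r t u v).
    $otpLength   = 44
    $modhexOtp   = '^[cbdefghijklnrtuv]{44}$'
    $publicIdLen = 12

    # Too short to contain a password plus an OTP: treat the whole value as the password.
    if ($FieldValue.Length -le $otpLength) {
        return [pscustomobject]@{ Password = $FieldValue; Otp = $null; PublicId = $null; HasOtp = $false }
    }

    # The OTP is always the trailing 44 characters, so a password that happens to
    # contain modhex letters does not confuse the split.
    $candidate = $FieldValue.Substring($FieldValue.Length - $otpLength)
    if ($candidate -notmatch $modhexOtp) {
        return [pscustomobject]@{ Password = $FieldValue; Otp = $null; PublicId = $null; HasOtp = $false }
    }

    [pscustomobject]@{
        Password = $FieldValue.Substring(0, $FieldValue.Length - $otpLength)
        Otp      = $candidate
        PublicId = $candidate.Substring(0, $publicIdLen)   # identifies which YubiKey was touched
        HasOtp   = $true
    }
}

# Constructed sample: password "P@ssw0rd" followed by a constructed 44-character modhex OTP.
$constructedOtp = 'cccccccccccc' + 'hgfedcbvutrnlkji' + 'hgfedcbvutrnlkji'
$withOtp    = Split-PasswordAndOtp -FieldValue ("P@ssw0rd" + $constructedOtp)
$withoutOtp = Split-PasswordAndOtp -FieldValue "P@ssw0rd"

$withOtp    | Format-List   # Password = P@ssw0rd, PublicId = cccccccccccc, HasOtp = True
$withoutOtp | Format-List   # Password = P@ssw0rd, HasOtp = False
```

The public ID is what ties a touched key to an assigned account (the per-machine YubiKey assignment mentioned above); the remaining 32 characters can only be checked by a validation service that holds the key's AES secret, which is why this example stops at structural parsing.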


If a user other than the one who logged on to StoreFront tries to log on, the session is terminated. The behaviour observed is that the session stops whenever the Windows logon user differs from the StoreFront user.


Conclusion


This article covered the deployment of YubiOn Portal on a desktop delivery machine of a VDI product such as Citrix Virtual Apps and Desktops. With the standard deployment method, two-factor authentication is required whenever a desktop is opened.
