Citrix Endpoint Management Integration - AWS

FortiNAC

Citrix Endpoint Management Device Integration

Version: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Date: April 6, 2021

Rev: E

FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com

FORTINET VIDEO GUIDE: http://video.fortinet.com

FORTINET KNOWLEDGE BASE: http://kb.fortinet.com

FORTINET BLOG: http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT: http://support.fortinet.com

FORTINET COOKBOOK: http://cookbook.fortinet.com

NSE INSTITUTE: http://training.fortinet.com

FORTIGUARD CENTER: http://fortiguard.com

FORTICAST: http://forticast.fortinet.com

END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/EULA.pdf

Contents

Overview
  What it Does
  How it Works
  Requirements
  Considerations
Integration
  Configure Citrix Endpoint Management
  Configure FortiNAC
    Portal Configuration
    Events and Alarm Mappings
    Policies
    MDM Services
Validate
  Mobile Devices with Supported Operating Systems
  Mobile Devices with Unsupported Operating Systems
Troubleshooting
  Related KB Articles
  Debugging
    FortiNAC Commands
Appendix
  Host/Device Registration Process

Overview

The information in this document provides guidance for configuring the Citrix Endpoint Management device to be managed by FortiNAC. This document details the items that must be configured.

This implementation list assumes that Citrix Endpoint Management is in place and managing mobile devices. The list below outlines the requirements for integrating Citrix Endpoint Management and FortiNAC.

Note: As much information as possible about the integration of this device with FortiNAC is provided. However, the hardware vendor may have made modifications to the device’s firmware that invalidate portions of this document. If you have problems configuring the device, contact the vendor for additional support.

What it Does

When a connection is established between FortiNAC and Citrix Endpoint Management, mobile devices connecting to the network can be registered in FortiNAC based on information stored in the Citrix Endpoint Management database.

How it Works

FortiNAC and the Citrix Endpoint Management system work together by sharing data via an API to secure the network. FortiNAC leverages the data in the Citrix Endpoint Management database and registers hosts using that data as they connect to the network. The Citrix system is periodically polled to update records for those devices that are registered in FortiNAC. This integration speeds up the registration process and eliminates the need to install both the FortiNAC agent and the Citrix Endpoint Management Agent on a mobile device.

FortiNAC performs a lookup of the user based on the user ID from the Citrix system. If the user authenticates to a directory or is in the local database, then the host is registered to that user. Otherwise, the host is registered as a device.

Mobile devices registered using the Citrix database are assigned NAC-Default as the role unless the user has a different role set. If the user has a role, the device inherits the user’s role.

Additional fields that are specific to MDM Services have been added to the host record and can be used as a filter in User/Host Profiles. For details see section User/Host Profiles of the Administration Guide.

If a device connects to the network and no Citrix Agent is detected, the FortiNAC captive portal displays a message indicating that no agent has been detected. Links to the appropriate site to download the agent are displayed. Some sample links are pre-configured; however, the Portal Content Editor must be edited to add the links that allow the different device types and operating systems to download the appropriate agent.

For full details, see Host/Device Registration Process.

Requirements

Citrix Endpoint Management is already in place and managing mobile devices.

Each managed device must have the Citrix Endpoint Management Agent installed. Refer to the Citrix Endpoint Management documentation for instructions.

Each managed device must be running an Operating System supported by Citrix Endpoint Management. Otherwise, the device becomes a rogue and goes through the regular registration process. Below is the list of supported Operating Systems:

o Apple iOS

o Android

o Windows Phone 8

o Windows 8

o Windows Mobile

o Symbian

FortiNAC Minimum version: 8.3

Considerations

Application inventory cannot be retrieved for devices registered based on information from Citrix Endpoint Management.

Integration

Configure Citrix Endpoint Management

1. Configure a System Administrator user to be used by FortiNAC for authentication when requesting data.

2. Record the following account information (this will be used when modeling the device in FortiNAC).

Server URL - The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on your MDM system.

Note: Requires the server name (Example: https://services.m3.mycompany.com)

Identifier - A type of key used to identify FortiNAC to the MDM server.

User ID - User name of the account used by FortiNAC to log into the MDM system when requesting data.

Password - Password for the account used by FortiNAC to log into the MDM system when requesting data.

Configure FortiNAC

Portal Configuration

1. Modify the Portal Configuration content to redirect mobile devices to Citrix if the device does not have an MDM Agent installed.

a. Navigate to System > Portal Configuration > Content Editor > Global > Settings.

b. Select Use Configured MDM.

c. Expand Registration and click MDM Registration.

d. Edit the fields as necessary (see table below). For additional details on Portal configuration, see the following sections of the Administration Guide:

o Registration portion of the Content fields section

o Portal content editor

e. Click Apply Settings.

MDM Registration Content Field Descriptions

Window Title - Text label displayed in the title of the browser window. If multiple tabs are being used, the title also displays on the appropriate tab. This is a text-only field. No HTML or special characters, such as newlines, may be used. Attempting to include such content may produce unexpected results.

Title - Text title for the first paragraph in the login page. Displays above the text entered in the Introduction property. This is a mixed text field. HTML may be included, but may not always be rendered.

Left Column Content - Text displayed in the left column of the page. This is an HTML field. HTML may be freely entered in this field.

Header - Text displayed above the links to the MDM apps. This is an HTML field. HTML may be freely entered in this field.

Content - The main body text for the MDM Providers. This text should include all links to the MDM apps for each operating system. For example, if the user is connecting to the network with an iPhone, there must be a link to the page in the iTunes store where the Apple MDM agent can be downloaded. This is an HTML field. HTML may be freely entered in this field.

2. Confirm the domains for the web sites added to the MDM Registration Content field are listed in the Allowed Domains view. This will enable hosts in the isolation network to download the MDM agent. See section Allowed Domains of the Administration Guide for more details.

a. Navigate to System > Settings > Control > Allowed Domains.

b. To add a domain, click Add Domain.

c. Click OK.

d. Once all the domains have been added, click Save Settings.

Events and Alarm Mappings

Events associated with the MDM integration can be enabled and mapped to alarms. Refer to sections Enable and disable events and Map events to alarms in the Administration Guide for details.

Events include:

o MDM Host Created

o MDM Host Destroyed

o MDM Poll Failure

o MDM Poll Success

o MDM Host Compliance Failed

o MDM Host Compliance Passed

Hosts can be marked "at risk" when the host is not in Compliance with a Citrix policy by using an Alarm mapped to the MDM Host Compliance Failed event.

Policies

1. Configure a User/Host Profile for each type of Network Access. For example, it may be desired to place all Apple devices on VLAN 10 and all Android devices on VLAN 11. To do this, two User/Host Profiles (one for Apple and one for Android) must be created. Refer to section User/Host Profiles of the Administration Guide.

The following MDM-specific host record fields can be used as filters in User/Host Profiles:

Managed by MDM - FortiNAC registered the host based on data from the MDM database.

Compliant - FortiNAC gathered endpoint compliance information from the MDM server and marks the host as compliant with MDM policies or not. Note: Does not list vulnerabilities.

Passcode enabled - Indicates if there is a passcode required to access the endpoint.

Data Encryption - Indicates whether data encryption is enabled on the endpoint.

Compromised - This is an additional field, separate from whether the host is compliant, that indicates whether the MDM marks the endpoint as compromised.

2. Configure a Network Access Policy for each VLAN you wish to configure and associate it with a User/Host Profile to determine who is placed in each VLAN. See section Network Access Policies of the Administration Guide.

MDM Services

1. Configure an MDM Service in order to establish communication between FortiNAC and the Citrix MDM system.

Important: Proxy communication is not supported.

Note: If there is more than one FortiNAC with an NCM, it is only necessary to configure the MDM integration on one of the FortiNAC Servers. The host records will be propagated on demand to the other FortiNAC Servers.

a. Navigate to System > Settings > System Communication > MDM Services.

b. Click Add.

c. For MDM Vendor, select XenMobile from the drop-down menu.

d. Fill in the remaining fields with the information collected from the MDM in step 2 of section Configure Citrix Endpoint Management.

e. Click on the check boxes to enable the desired options (click the “?” for more details on each option):

o On Demand Registration

o Revalidate Health Status on Connect

  Note: This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, select Enable Automatic Registration Polling to occur once a day, which will also retrieve Health Status, but with less frequency.

o Remove Hosts from MDM Server

o Application Updating

  Note: This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

o Automatic Registration Polling

f. Click OK.

2. Click the Test Connection button to validate communication. If unexpected results occur, see Troubleshooting.

3. Click Poll Now to poll the MDM immediately. If unexpected results occur, see Troubleshooting.

Validate

Mobile Devices with Supported Operating Systems

1. Connect a mobile device that is running one of the supported Operating Systems (see Requirements for a listing) to the MDM. Ensure the MDM agent is not installed.

2. In the FortiNAC Administration UI, navigate to Hosts > Host View and search for the device’s MAC address. The device’s host record should appear and its adapter record should reflect the device being assigned to the isolation network.

3. Open a browser on the mobile device. The browser should be redirected to the Captive Portal page that directs the user to install the MDM agent.

4. Download and install the agent. The host record should update and display as either a registered host to a user (if the user record already exists in FortiNAC) or as a device.

5. FortiNAC should then re-provision the mobile device's network access to the appropriate VLAN or policy, dependent upon the Network Access Policy defined.

If unexpected results occur, see Troubleshooting.

Mobile Devices with Unsupported Operating Systems

1. Connect a mobile device that is not running one of the supported Operating Systems (see Requirements for a listing) to the MDM.

2. In the FortiNAC Administration UI, navigate to Hosts > Host View and search for the device’s MAC address. The device’s host record should appear as a Rogue and its adapter record should reflect the device being assigned to the isolation network.

3. If a Device Profiling Rule is not configured to register the device, open a browser on the mobile device. The browser should be redirected to the Registration Captive Portal page (not the MDM Registration page).

4. Register via normal means.

5. FortiNAC should then re-provision the mobile device's network access to the appropriate VLAN or policy, dependent upon the Network Access Policy defined.

If unexpected results occur, see Troubleshooting.

Troubleshooting

Issue: Test Connection fails.

Solution:

1. Click on the MDM Service Model.

2. Click Modify and verify each of the entries match those in the MDM.

3. Verify FortiNAC can ping the MDM from the CLI.

4. Contact Support if further assistance is needed.

Related KB Articles

Refer to the applicable KB article(s):

Troubleshooting MDM registration issues

MDM Poll Failures Due to Invalid Characters

Troubleshooting policies

Debugging

FortiNAC Commands

Enable debugging feature (prints to /bsc/logs/output.master):

CampusMgrDebug -name MdmManager true

CampusMgrDebug -name XenMobileServer true

Disable debugging feature:

CampusMgrDebug -name <value> false

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Appendix

Host/Device Registration Process

When Citrix Endpoint Management and FortiNAC are integrated, the registration process for hosts is as follows:

1. A host connects to the network and is detected by FortiNAC.

2. If the host is running an operating system that is not supported by Citrix, it becomes a rogue and goes through the regular registration process, either through the captive portal, Device Profiler, or any other registration method configured in FortiNAC.

3. If the host is running one of the operating systems listed below, FortiNAC checks to see if the Citrix Agent is installed. This requires that On-Demand registration be enabled in the MDM Service record for the Citrix integration with FortiNAC. See MDM Services.

o Apple iOS

o Android

o Windows Phone 8

o Windows 8

o Windows Mobile

o Symbian

4. Hosts without an MDM Agent are sent to the captive portal, where the user is asked to download and install an MDM agent before connecting to the production network. Links to the sites where agents can be downloaded must be configured by an Admin user under Content Editor > Global > Settings > Use Configured MDM and Content Editor > Registration > MDM Registration.

5. If the host has the Citrix Agent installed, FortiNAC connects to Citrix, retrieves the host data from the Citrix database and registers the host in FortiNAC. FortiNAC performs a lookup of the user based on the user ID from the Citrix system. If the user authenticates to a directory or is in the local database, then the host is registered to that user. Otherwise, the host is registered as a device.

6. Based on the User/Host Profile that matches the host, a Network Access Policy is applied and the host is placed in the appropriate VLAN.

7. Settings selected for the MDM Service that controls the connection between Citrix and FortiNAC determine when Citrix is polled for updated information.
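As an added illustration (not FortiNAC's or Citrix's code), the following Python models the decision flow of steps 1 through 6 above together with the MDM host fields from the Policies section: the supported-OS check, the agent check that On-Demand Registration enables, the user lookup with role inheritance, the compliance events, and a User/Host Profile match that selects a Network Access Policy. The host record field names, the user table and the VLAN assignments are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Operating systems supported by Citrix Endpoint Management (Requirements section).
SUPPORTED_OS = {"Apple iOS", "Android", "Windows Phone 8", "Windows 8",
                "Windows Mobile", "Symbian"}

@dataclass
class MdmRecord:  # host data returned by the Citrix poll (constructed field names)
    user_id: str
    compliant: bool
    passcode_enabled: bool
    data_encryption: bool
    compromised: bool

@dataclass
class Host:
    os: str
    mdm: Optional[MdmRecord] = None  # None: no Citrix agent detected on the device
    state: str = "rogue"
    owner: Optional[str] = None
    role: str = "NAC-Default"
    events: List[str] = field(default_factory=list)

def register_host(host: Host, users: Dict[str, Optional[str]],
                  on_demand_registration: bool = True) -> Host:
    """Steps 1-5 of the registration process; `users` maps a directory or
    local-database user ID to that user's role (None if no role is set)."""
    if host.os not in SUPPORTED_OS:
        host.state = "rogue"  # regular registration: captive portal, Device Profiler, etc.
        return host
    if not on_demand_registration or host.mdm is None:
        host.state = "captive-portal"  # MDM Registration page: install the agent first
        return host
    host.events.append("MDM Host Created")
    if host.mdm.user_id in users:  # user lookup by the Citrix user ID
        host.state, host.owner = "registered-to-user", host.mdm.user_id
        host.role = users[host.mdm.user_id] or "NAC-Default"  # inherits the user's role
    else:
        host.state = "registered-as-device"
    host.events.append("MDM Host Compliance Passed" if host.mdm.compliant
                       else "MDM Host Compliance Failed")
    return host

def network_access_policy(host: Host) -> str:
    """Step 6: first matching User/Host Profile picks the Network Access Policy.
    Profiles are constructed examples (Apple on VLAN 10, Android on VLAN 11)."""
    if host.state not in ("registered-to-user", "registered-as-device"):
        return "isolation"
    m = host.mdm
    if m.compromised or not m.compliant:  # Compromised is separate from Compliant
        return "at-risk"  # e.g. via an alarm mapped to MDM Host Compliance Failed
    if host.os == "Apple iOS" and m.passcode_enabled and m.data_encryption:
        return "VLAN 10"
    if host.os == "Android" and m.passcode_enabled and m.data_encryption:
        return "VLAN 11"
    return "VLAN 20"  # constructed default policy for other managed hosts
```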

Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.