
How to configure EULA page before Gateway login ... - Citrix · Choose Login Schemas from Advanced settings and bind the Login Schema Policy created earlier. 6. Within the same AAA


How to configure EULA page before Gateway login page

Objective

This article describes how to configure NetScaler Unified Gateway to display a EULA (End User License Agreement) page before users are shown the Gateway login page.

Introduction

Enterprises and corporations require their employees, clients, or any user accessing their resources to agree to certain terms and conditions. NetScaler has an option to display this agreement either on the login page or as a hyperlink on the login page. However, some organizations change their policies, and users may not notice the change if NetScaler is configured in the default way. Also, some organizations prefer to display the agreement first on the home page and provide the login page only once users agree to it.

This article shows how to configure NetScaler with a EULA page that is displayed first when users try to log in. On agreeing to it (by clicking the I Agree button), users are presented with the login screen to enter their credentials. nFactor logic is used for this configuration. The following nFactor logic will be used.

Note: The left part of the logic (shown in orange) is covered in this guide, and it is assumed that the right part of the configuration already exists. The right part of the logic shown here is just an example and can be replaced as applicable to the deployment scenario.

Pre-requisites

It is assumed that the following configurations are in place.

• VPN Vserver/Gateway and Authentication Vserver configurations
• Binding of AAA vserver -> Authentication Profile -> VPN Vserver
• Authentication Policy label with the required login schemas and policies to perform user authentication

As part of this guide, the required policies and policy label configurations will be shown and bound to the AAA vserver.

Configuration Steps

The configuration steps are below.

1. Navigate to Security->AAA – Application Traffic -> Login Schema -> Profiles -> Add. In the new window, under Authentication Schema, click the edit (pencil) button next to noschema.

Under Login Schema Files, click the Login Schema folder and click any of the built-in schemas, such as OnlyPassword.xml. Click the download button to download the schema to your local machine.


2. Now open the downloaded XML file in a text editor of your choice on your PC and make the following changes under the Requirements section.

    <Requirements>
      <Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>
      <Requirement><Credential><Type>none</Type></Credential><Label><Text>You are accessing Citrix System secure network. Unauthorized access is subject to legal action</Text><Type>plain</Type></Label><Input /></Requirement>
      <Requirement><Credential><Type>none</Type></Credential><Label><Text>I agree to all policies and understand that by logging in , my traffic is subject to internal monitoring.</Text><Type>plain</Type></Label><Input /></Requirement>
      <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>I Agree</Button></Input></Requirement>
    </Requirements>

Note: The highlighted text should be edited as required. A sample schema is included at the end of this article.

3. In the NetScaler GUI, click the back button (next to “Create Authentication Login Schema”) or navigate to Security->AAA – Application Traffic -> Login Schema -> Profiles. Click Add and, in the new window, provide a Name. Under Authentication Schema, click the upload button (under noschema).


Note: You may not see the schema updated with your XML file. To select it, click the edit icon next to noschema->Login Schema (under Login Schema Files). You should find the uploaded XML file here; click it, then click Select or OK. Click OK in the next window too. The EULA login schema is now created.

4. Create a Login Schema policy by navigating to Security->AAA – Application Traffic -> Login Schema -> Policy -> Add. Choose the login schema profile created earlier.


5. Now navigate to your AAA vserver (Security->AAA – Application Traffic -> Virtual Server -> <your AAA vserver>). Choose Login Schemas from Advanced settings and bind the Login Schema Policy created earlier.

6. Within the same AAA vserver, choose Advanced Authentication Policy (click “No Authentication Policy”). Click “Add Binding”, then click the Add (+) button under Select Policy. Create a new policy with the expression http.REQ.URL.CONTAINS("/nf/auth/doAuthentication.do") as shown. This is an internal reference which every nFactor authentication page will contain.


Click OK once done. In the next window, under Select Next Factor, choose your Authentication Policy label and click OK. Here Basic_LDAP is just an example.


Click Close.
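A pre-upload check for the schema edited in step 2, as an added example that is not part of the original article: it confirms the file is still well-formed, posts back to the URL matched by the step 6 policy expression, collects no credentials and offers exactly one button. The function name check_eula_schema and the "no credentials, one button" rule are assumptions of this example, and the embedded schema is a shortened copy of the article's sample.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}
POSTBACK = "/nf/auth/doAuthentication.do"  # URL the step 6 policy expression matches

# Constructed sample: the article's EULA schema with one body paragraph.
EULA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status><Result>more-info</Result><StateContext></StateContext>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>I agree to all policies.</Text><Type>plain</Type></Label><Input /></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>I Agree</Button></Input></Requirement>
</Requirements></AuthenticationRequirements></AuthenticateResponse>"""


def check_eula_schema(xml_text):
    """Return a list of problems in an edited EULA login schema (empty = OK)."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}AuthenticateResponse" % NS["a"]:
        return ["root element is not AuthenticateResponse in the schema namespace"]
    problems = []
    postback = root.findtext("a:AuthenticationRequirements/a:PostBack", "", NS).strip()
    if postback != POSTBACK:
        problems.append(f"PostBack is {postback!r}, expected {POSTBACK!r}")
    buttons = 0
    reqs = root.findall("a:AuthenticationRequirements/a:Requirements/a:Requirement", NS)
    for i, req in enumerate(reqs, 1):
        # Assumption of this example: a EULA factor must not collect credentials.
        ctype = req.findtext("a:Credential/a:Type", "", NS).strip()
        if ctype != "none":
            problems.append(f"Requirement {i}: credential type {ctype!r}, expected 'none'")
        inputs = [child.tag.split("}")[-1] for child in req.findall("a:Input/*", NS)]
        buttons += inputs.count("Button")
        if any(name != "Button" for name in inputs):
            problems.append(f"Requirement {i}: unexpected input {inputs}")
    if buttons != 1:
        problems.append(f"expected exactly one button, found {buttons}")
    return problems


if __name__ == "__main__":
    print(check_eula_schema(EULA_XML) or "schema OK")
```
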

Additional Resources

Sample EULA Schema

    <?xml version="1.0" encoding="UTF-8"?>
    <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
      <Status>success</Status>
      <Result>more-info</Result>
      <StateContext></StateContext>
      <AuthenticationRequirements>
        <PostBack>/nf/auth/doAuthentication.do</PostBack>
        <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
        <CancelButtonText>Cancel</CancelButtonText>
        <Requirements>
          <Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>
          <Requirement><Credential><Type>none</Type></Credential><Label><Text>You are accessing Citrix System secure network. Unauthorized access is subject to legal action</Text><Type>plain</Type></Label><Input /></Requirement>
          <Requirement><Credential><Type>none</Type></Credential><Label><Text>I agree to all policies and understand that by logging in , my traffic is subject to internal monitoring.</Text><Type>plain</Type></Label><Input /></Requirement>
          <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>I Agree</Button></Input></Requirement>
        </Requirements>
      </AuthenticationRequirements>
    </AuthenticateResponse>

How login page looks

Note: The background and other text depend on the theme you have chosen.

References

• nFactor concepts: https://support.citrix.com/article/CTX222713
• LDAP Authentication: https://support.citrix.com/article/CTX108876
• NetScaler: Smart Card Authentication with EULA using nFactor: https://support.citrix.com/article/CTX219625