NVIDIA vGPU Licensing

Through various recent projects, I had to work through the clutter of information regarding NVIDIA vGPU licensing.

Here is a small summary of this information.

NVIDIA vGPU Architecture

Under the control of the NVIDIA GPU Virtual Manager, running in the hypervisor, the NVIDIA Physical GPU can operate multiple virtual GPU devices (vGPUs), that can be assigned directly to the Guest VM.

Diagram showing the high-level architecture of NVIDIA vGPU

The Guest VMs use the NVIDIA virtual vGPUs in the same way as a physical GPU would come from the hypervisor by direct passed through. The NVIDIA Driver loaded into the guest VM provides Direct GPU Access for high-performance operations. The NVIDIA Virtual GPU Manager paravirtualized interface performs the non-performance management operations for the NVIDIA Driver.

Continue reading “NVIDIA vGPU Licensing”

Microsoft Azure MFA Cloud Service in Citrix ADC Version 12

To complete my previous article, I also directly implemented and tested Microsoft Azure MFA Cloud Service in my test lab. In this post I go straight to the ToDo’s for implementation. For more information on MFA and the differences between Local and Cloud, please read my previous post.

It is important that all my information has the status of March 2019 and since it is the cloud, it will soon be obsolete again.

Microsoft Azure MFA Cloud in Citrix ADC Version 12
Continue reading “Microsoft Azure MFA Cloud Service in Citrix ADC Version 12”

Microsoft Azure MFA Server in Citrix ADC Version 12

Update:

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

https://www.microsoft.com/en-us/download/details.aspx?id=55849

During one of my current projects, I launched a PoC for two-factor authentication based on Microsoft Azure MFA. Azure multi-factor authentication requires users to verify and confirm their signups using a mobile app, phone call, or text message. You can use it with Azure AD or the local AD.

It is important that all my information has the status of March 2019 and because it is the cloud, quite quickly become obsolete again.

Microsoft Azure MFA Server in Citrix ADC Version 12

Multi-Factor Authentication

The safety of the two-stage check is at level approach. The multiple authentication factors poses a major challenge for attackers. Even if an attacker can find out the user’s password, this is useless unless he or she is also proficient in the additional authentication method. This works by requesting at least two of the following authentication methods:

  • Something you know (usually a password)
  • Something you have (a familiar device that can not be easily duplicated, like a phone)
  • Something that you are (biometrically)
Continue reading “Microsoft Azure MFA Server in Citrix ADC Version 12”

Citrix ADC Version 12 as AD FS Proxy

This article is about creating an AD FS Proxy from Citrix ADC (version 12). The AD FS Proxy is used to authenticate e.g. external SaaS applications or websites via AD FS. The following should be achieved by the AD FS Proxy:

  • URL / DoS Protection
  • Suitable external authentication (MFA, Forms instead of Kerberos)
  • Account Lockout Protection
  • Availability (Load Balancing)

What is AD FS ?

Active Directory Federation Services (AD FS) is a feature in the Windows Server operating system that allows identity information to be shared outside of the corporate network. Users can access applications (e.g. Office365, Salesforce.com, etc.) without being prompted to provide credentials again. These applications can be hosted locally, in the cloud, or even by other companies. The user accounts can be managed by the administrator in a single location, the Active Directory.

A normal deployment of AD FS for external clients consists of AD FS Proxy and AD FS Server. The AD FS Server is a member of the domain and perform the authentication. The AD FS Proxy is usually located in a separate network zone (DMZ) so that it can be reached externally and forward the requests inwards.

Continue reading “Citrix ADC Version 12 as AD FS Proxy”

Citrix ADC Version 12 as initial IdP for Office365

This article is about setting up SAML authentication for Office365 through the Citrix ADC (version 12). The Citrix ADC serves as IdP and Office365 as SP. So that you do not have to enter your user name a hundred times, this is prevented by an initial IdP (SSO).

Terminology

In short, the important upcoming terms explained.

SAML

SAML (Security Assertion Markup Language) provides a common platform for web-based access to multiple, autonomous services without the need to reenter multiple credentials. Authentication takes place via an encrypted session cookie, transparent in the background. This session cookie, which is provided with an expiration date, is given to the user in the browser by an authentication service (Identity Provider – IdP) and can then subsequently use all connected services (Service Provider – SP) in the browser.

Continue reading “Citrix ADC Version 12 as initial IdP for Office365”