
ISE Posturing + CITRIX XenDesktop

amadoriale
Level 1

Complicated (to me) question - due possibly to me not knowing the solution well enough:

 

We have a customer with a sizable Citrix infrastructure. They are allowing clients' connection to the XenDesktop infrastructure via public interface through a NetScaler. AAA is done directly on AD (no NAC, plain NPS).

 

Question: is there a way via ISE to run posturing on remote clients and forbid them from authenticating in case they're found to be in a non-compliant state? It's obvious that XenServer will need to AAA to ISE, and ISE can posture clients that are inside the network, and outside via AnyConnect module, but does AnyConnect ABSOLUTELY REQUIRE to be connected via VPN to run the posturing, or can it run it and communicate posturing results to the FMC nonetheless even if not connected? 

 

Easy part is the fact that customer would like to have DUO integrated with Citrix - but that is easy, I know already that it can be done.

 

Or could ISE service be published through a public IP resolvable via FQDN and the posturing be done continuously as if the client was on premise?

 

Please let me know if any of this makes sense, or if there is a much simpler solution which I ignore.

 

Thank you very much!

 

 

1 Reply

yogesh2009
Level 1

I did not understand how FMC came into the picture here. Do you want to send user identity to FMC?

Coming back to the original question, I don't think you can have NPS auth the user and then ISE do the posture.

You need to do both on ISE, and VPN is not required.