
Citrix micro VPN with Microsoft Endpoint Manager is broken

Citrix Gateway customers can use micro VPN with Microsoft Endpoint Manager (Intune). Citrix micro VPN integration with Microsoft Endpoint Management enables your apps to access on-premises resources.

Citrix micro VPN technology provides an on-demand VPN that reduces data transfer costs and simplifies security, as the VPN tunnel isn’t always active. Instead, it’s only active when needed, which reduces risk and optimizes the performance of the device for a better user experience. This also helps improve mobile battery life. The micro VPN technology from Citrix provides mobile users with secure access to internal business resources while providing them with the best user experience.

What’s changed?

Microsoft’s rapid development of their cloud platform sees new services being rolled out all the time. Inevitably, that also means other services are retired. Microsoft announced some time ago that Azure AD Graph was to be retired. The official statement from Microsoft is as follows.

Azure Active Directory (Azure AD) Graph is deprecated and will be retired at any time after June 30, 2023, without advance notice, as we announced in September 2022. Though we reserve the right to turn it off after June 30, 2023, we want to ensure all customers migrate off and discourage applications from taking production dependencies on Azure AD Graph. Investments in new features and functionalities will only be made in Microsoft Graph and we'll only make security-related fixes to Azure AD Graph. However, the Azure AD Graph licensing assignment APIs will be retired on March 31, 2023 as recently announced.

Citrix NetScalers use the Azure Active Directory Graph to integrate their micro VPN technology and therefore the configuration must be updated to continue service.

How does this impact Citrix micro VPN?

The official documentation for setting up this technology with Microsoft Endpoint Manager can be found here: https://docs.citrix.com/en-us/citrix-gateway/current-release/microsoft-intune-integration/setup-gateway-for-microvpn-integration-with-intune.html. This guide covers the prerequisites and walks you through the setup from the Citrix NetScaler (ADC), Azure AD and Intune perspectives. Great, right? It’s all documented, so it must be correct… wrong!

Issue 1

Let me start with the prerequisites. Microsoft are retiring Azure AD Graph, and although existing deployments still work, new setups cannot add those permissions because Microsoft have already removed that ability. This means you have to use Microsoft Graph instead. However, that means you need a NetScaler which supports Microsoft Graph. Citrix didn’t add that support until version 13.0 of the NetScalers, meaning you cannot use 12.1.50.x or later or 12.0.59.x or later, as the documentation from Citrix suggests.

The scripts to configure the NetScaler in the section Configure Citrix Gateway for micro VPN have already been updated to use https://graph.microsoft.com, so they are only going to work on those newer NetScalers as well.

Issue 2

The next issue comes with the Enterprise App which they tell you to grant in Grant Azure Active Directory (AAD) application permissions. That’s an Enterprise App which Citrix themselves publish, with the app id b6a53a76-5d50-499e-beb3-c8dbdad5c40b. This application still has the Azure AD Graph permissions on it, which is fine: they need to support existing configurations with older NetScalers. However, Citrix have failed to add any Microsoft Graph permissions to it, so this Enterprise App will never work with a new setup, because Microsoft won’t allow you to grant those older permissions in your tenant anymore. The upshot of this is that you would be stuck with a NetScaler in the OAuth Status of “Graph” and never move to the “Complete” status.

So you think: great, I’ll set up my own Enterprise Application and let my NetScaler use that instead. Wrong again!

Citrix do provide some guidance on this here: https://docs.citrix.com/en-us/citrix-gateway/current-release/microsoft-intune-integration/configuring-a-gateway-application-on-the-azure-portal.html. However, while this does allow the NetScaler to move into the OAuth Status of “Complete”, it wasn’t without a fair amount of trial and error to get that app set up correctly. At the time of writing, the documentation isn’t very clear and gets the simplest of things wrong, like the URL for Azure AD Graph, which they list as https://graph.windows.com when it has always been https://graph.windows.net. In my mind, if you cannot get the simple bits right, how can I trust the rest of the guide?

Issue 3

So now we have managed to get our NetScaler 13.1 configured with an OAuth Status of “Complete”, we’re done, right? We just need to deploy the configuration to our apps using Microsoft Endpoint Manager. You would think so, wouldn’t you?

We tried this, and the first thing the app did was ask the user to grant permissions to an Enterprise App. Hang on, didn’t we just set up our own to make all of this work with Microsoft Graph and grant permissions on behalf of our users? Yes we did; however, the Intune SDK which the app has to be wrapped in wants you to use another Enterprise App for Citrix micro VPN. Looking closely at the app id of this app, it’s our lovely friend b6a53a76-5d50-499e-beb3-c8dbdad5c40b. Yep, that same Enterprise App to which we know we cannot grant the Azure AD Graph permissions, and which doesn’t have any Microsoft Graph permissions at all.
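Rather than wait for the consent prompt to appear on a device, you can confirm from the tenant side what the published Enterprise App (Issue 2) has actually been granted, and whether any of it targets Microsoft Graph rather than the retired Azure AD Graph (Issue 3). The following is an added example written for this post, not a script from Citrix or from the original article. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can sign in with enough rights to read application and consent data; the app id is the one quoted above, the two resource app ids are Microsoft’s well-known values for Azure AD Graph and Microsoft Graph, and the helper function names are my own.

```powershell
# Added example (not from the original post or from Citrix): list the delegated and
# application permissions consented to the Citrix micro VPN enterprise app in this
# tenant, and show which API each permission targets.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

$CitrixMicroVpnAppId = 'b6a53a76-5d50-499e-beb3-c8dbdad5c40b'   # app id quoted in the post
$AadGraphAppId       = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph (retired API)
$MsGraphAppId        = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$CitrixMicroVpnAppId'"
if (-not $sp) {
    Write-Warning "Enterprise app $CitrixMicroVpnAppId is not present in this tenant (consent was never completed)."
    return
}

# Cache of resource service principals (keyed by object id) so each grant can be
# mapped to the API it targets without repeating the lookup. Helper name is mine.
$resourceCache = @{}
function Get-ResourceSp([string]$ObjectId) {
    if (-not $resourceCache.ContainsKey($ObjectId)) {
        $resourceCache[$ObjectId] = Get-MgServicePrincipal -ServicePrincipalId $ObjectId
    }
    return $resourceCache[$ObjectId]
}

function Get-ApiName([string]$AppId) {
    if ($AppId -eq $AadGraphAppId) { return 'Azure AD Graph (retired)' }
    if ($AppId -eq $MsGraphAppId)  { return 'Microsoft Graph' }
    return "other ($AppId)"
}

$rows = @()

# Delegated permissions: oauth2PermissionGrants where this app is the client.
# Scope is a space-separated list, e.g. "User.Read Directory.AccessAsUser.All".
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $grant = $_
    $api   = Get-ApiName (Get-ResourceSp $grant.ResourceId).AppId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $rows += [pscustomobject]@{
            Type        = 'Delegated'
            Api         = $api
            Permission  = $scope
            ConsentType = $grant.ConsentType   # AllPrincipals = admin consent for everyone
        }
    }
}

# Application permissions: app roles assigned to this service principal.
# AppRoleId is a GUID, so resolve it to the role's value on the resource.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $assignment = $_
    $resource   = Get-ResourceSp $assignment.ResourceId
    $roleValue  = ($resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }).Value
    $rows += [pscustomobject]@{
        Type        = 'Application'
        Api         = Get-ApiName $resource.AppId
        Permission  = if ($roleValue) { $roleValue } else { $assignment.AppRoleId }
        ConsentType = 'n/a'
    }
}

$rows | Sort-Object Type, Api, Permission | Format-Table -AutoSize

if (-not ($rows | Where-Object { $_.Api -eq 'Microsoft Graph' })) {
    Write-Warning 'No Microsoft Graph permissions are consented for this app. A NetScaler configured for https://graph.microsoft.com cannot complete OAuth setup against it.'
}
```

If the table lists only Azure AD Graph entries, the app in your tenant is exactly in the state the post describes: whatever consent a user grants at that prompt can only ever cover the retired API. Running the same script against the app id of the Enterprise Application you registered yourself (Issue 2) gives you a side-by-side view of what the NetScaler actually has to work with.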

Time to log a support case

At this point we have gone full circle. Time to open a Citrix support case; surely they can fix it and tell us where we have gone wrong. Turns out no: not many of the Citrix support engineers know much about Citrix’s micro VPN or how it interoperates with Azure.

After many months of back and forth with support, we have been put in contact with the product managers. These are the people who control the product’s development. I can only assume they think it’s broken too.

The upgrade to support the Microsoft Graph API on the 13.0 and later NetScalers, which Citrix did in preparation for this API change that Microsoft are forcing, doesn’t seem to have been fully tested. I’m speculating that the NetScalers were using Azure AD Graph, but the apps they tested with were using the Enterprise App they publish, and thus it worked because they already had the older API permissions granted.

I’m fairly sure the documents I’ve linked in this blog will need an update, but there is also the potential for a hotfix which needs to be applied to the NetScalers themselves to get this working.

Wrapping Up

In conclusion, right now don’t bother with Citrix micro VPN: it’s broken, Citrix know it, and they cannot give a timescale for a fix. A great alternative to micro VPN for mobile devices is Citrix SSO. iOS setup instructions can be found here: https://docs.citrix.com/en-us/citrix-gateway/citrix-gateway-clients/set-up-sso-for-ios-users.html, and Android setup instructions can be found here: https://docs.citrix.com/en-us/citrix-gateway/citrix-gateway-clients/setup-citrix-sso-in-microsoft-intune-android-enterprise-environment.html. If you don’t already have a VPN set up on your Citrix Gateway, then you will also need to configure that, which can be done by following this guide: https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-full-vpn-setup.html.

We know this one works, as it uses the same technology as Citrix Secure Access for Windows and Mac. Yes, you will need a PKI and NDES to get the certificates delivered to the device from Intune, but at least it works.

I’ll update this blog post if we ever get a resolution, but until then thank you for reading, and I hope this saves you some time, as my colleagues and I have wasted enough for all of us.
