Posted in : ADFS, NetScaler Av Simon Gottschlag Översätt med Google ⟶
7 years ago
I’m writing this post in English to make it easier for our non-Swedish readers.
I’m going to try and explain how to configure Unified Gateway, without the wizard! I’ll try to let the commands speak for themselves, but feel free to comment if you need me to add some additional information about what I’m doing or why. I’ll be configuring Unified Gateway enabling ICA Proxy, RDP Proxy and AAA protected applications – we would also be able to add SSL VPN using a specific group, but we’ll leave that for another time.
I’ve tried to remove parameters that don’t ”matter”, but if there’s something that doesn’t work, it’s most likely because of that – just comment and I’ll update.
My first step of configuring Unified Gateway is also the easiest part, creating a redirect to https (in my own special way) for traffic coming in on http.
add responder action REA-HTML-HTTPS_REDIRECT respondwith q{"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HEADER("Host").HTTP_HEADER_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE + "\r\n" + "Strict-Transport-Security: max-age=31536000\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"} add responder policy REP-HTTPS_REDIRECT-NOOP "CLIENT.SSL.IS_SSL.NOT" NOOP add responder policy REP-HTTPS_REDIRECT "CLIENT.SSL.IS_SSL.NOT" REA-HTML-HTTPS_REDIRECT add responder policylabel REPL-HTTPS_REDIRECT bind responder policylabel REPL-HTTPS_REDIRECT REP-HTTPS_REDIRECT 100 END add cs vserver CS-UGW-TCP80 HTTP <DMZ IP> 80 bind cs vserver CS-UGW-TCP80 -policyName REP-HTTPS_REDIRECT-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel REPL-HTTPS_REDIRECT
Now we’re able to redirect everything hitting HTTP to HTTPS with a 301 (Moved Permanently), while still keeping the Host-header, URL and query. I’ve also added the HSTS header, just to be sure.
Next step is configuring some basic AAA settings, and I always try to limit what is allowed by default and then use groups from the AD to allow access to different resources.
set tm sessionParameter -sessTimeout 1 -defaultAuthorizationAction DENY add authentication authnProfile AAA-AUPL-EXT_DEFAULT -authnVsName NSGW-UNIFIED_GATEWAY -AuthenticationHost -AuthenticationDomain
The above authentication profile is using which is my URL to the Unified Gateway, which will be added later.
Now, let’s create an AAA portected web application with form fill, and require users to be members of a specific group. In my case, I’ll use ADFS for the form fill application:
add tm formSSOAction AAA-TFSSO-EXT_ADFS -actionURL "/adfs/ls" -userField UserName -passwdField Password -ssoSuccessRule true -nameValuePair "AuthMethod=FormsAuthentication" -responsesize 15000 -submitMethod POST add tm trafficAction AAA-TPF-EXT_ADFS_LOGOUT -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE add tm trafficAction AAA-TPF-EXT_ADFS_LOGIN -appTimeout 1 -SSO ON -formSSOAction AAA-TFSSO-EXT_ADFS -persistentCookie ON -InitiateLogout OFF -kcdAccount NONE add tm trafficPolicy AAA-TPL-EXT_ADFS_LOGOUT "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignout1.0\")" AAA-TPF-EXT_ADFS_LOGOUT add tm trafficPolicy AAA-TPL-EXT_ADFS_LOGIN "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignin1.0\")" AAA-TPF-EXT_ADFS_LOGIN add authorization policy AZP-EXT_ADFS-NOOP EXP_ADV_HOSTHEADER_ADFS DENY add authorization policy AZP-EXT_ADFS "HTTP.REQ.USER.IS_MEMBER_OF(\"ADGroup-UGW-AAA-Grant-ADFS\")" ALLOW add authorization policylabel AZPL-EXT_ADFS bind authorization policylabel AZPL-EXT_ADFS AZP-EXT_ADFS 100 add policy patset PATSET_HOSTHEADER_ADFS bind policy patset PATSET_HOSTHEADER_ADFS -index 1 add policy expression EXP_ADV_HOSTHEADER_ADFS "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_ADFS\")" add rewrite action RWA-REQ-EXT_ADFS-XMSPROXY insert_http_header X-MS-Proxy "\"NETSCALER\"" add rewrite action RWA-REQ-EXT_ADFS-PROXYMEX replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\"/adfs/services/trust/mex\").HTTP_URL_SAFE" add rewrite policy RWP-REQ-EXT_ADFS-NOOP "EXP_ADV_HOSTHEADER_ADFS" NOREWRITE add rewrite policy RWP-REQ-EXT_ADFS-XMSPROXY "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs\")" RWA-REQ-EXT_ADFS-XMSPROXY add rewrite policy RWP-REQ-EXT_ADFS-PROXYMEX "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" RWA-REQ-EXT_ADFS-PROXYMEX add rewrite policylabel RWPL-REQ-EXT_ADFS http_req bind rewrite policylabel RWPL-REQ-EXT_ADFS RWP-REQ-EXT_ADFS-XMSPROXY 100 NEXT bind rewrite policylabel RWPL-REQ-EXT_ADFS RWP-REQ-EXT_ADFS-PROXYMEX 110 END add server ADFS1 <IP> add server ADFS2 <IP> add lb monitor MON-ADFS HTTP -httpRequest "HEAD /adfs/probe" -respCode 200 -LRTM ENABLED -secure NO -destPort 80 add service SVC-ADFS1_SSL ADFS1 SSL 443 -CIP ENABLED X-MS-Forwarded-Client-IP add service SVC-ADFS2_SSL ADFS2 SSL 443 -CIP ENABLED X-MS-Forwarded-Client-IP bind service SVC-ADFS1_SSL -monitorName MON-ADFS bind service SVC-ADFS2_SSL -monitorName MON-ADFS add lb vserver LB-EXT_ADFS SSL 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180 bind ssl vserver LB-EXT_ADFS -certkeyName wildcard-certificate bind lb vserver LB-EXT_ADFS -policyName RWP-REQ-EXT_ADFS-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel RWPL-REQ-EXT_ADFS add lb vserver LB-EXT_ADFS_AUTH SSL 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180 -authentication ON -authnProfile AAA-AUPL-EXT_DEFAULT bind ssl vserver LB-EXT_ADFS_AUTH -certkeyName wildcard-certificate bind lb vserver LB-EXT_ADFS_AUTH -policyName RWP-REQ-EXT_ADFS-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel RWPL-REQ-EXT_ADFS bind lb vserver LB-EXT_ADFS_AUTH -policyName AZP-EXT_ADFS-NOOP -invoke policylabel AZPL-EXT_ADFS -priority 100 bind lb vserver LB-EXT_ADFS_AUTH -policyName AAA-TPL-EXT_ADFS_LOGIN -priority 100 -gotoPriorityExpression END -type REQUEST bind lb vserver LB-EXT_ADFS_AUTH -policyName AAA-TPL-EXT_ADFS_LOGOUT -priority 110 -gotoPriorityExpression END -type REQUEST bind lb vserver LB-EXT_ADFS SVC-ADFS1_SSL bind lb vserver LB-EXT_ADFS SVC-ADFS2_SSL bind lb vserver LB-EXT_ADFS_AUTH SVC-ADFS1_SSL bind lb vserver LB-EXT_ADFS_AUTH SVC-ADFS2_SSL
You will find some more information about what needs to be configured on ADFS 3.0 to get this working in another blog post I’ve written (in Swedish, but you’ll find the commands).
Now let’s create another web application (which is using either 401 / WIA authentication or perhaps ADFS / SAML).
add policy patset PATSET_HOSTHEADER_WEBAPP bind policy patset PATSET_HOSTHEADER_WEBAPP -index 1 add policy expression EXP_ADV_HOSTHEADER_WEBAPP "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_WEBAPP\")" add authorization policy AZP-EXT_WEBAPP-NOOP EXP_ADV_HOSTHEADER_WEBAPP DENY add authorization policy AZP-EXT_WEBAPP "HTTP.REQ.USER.IS_MEMBER_OF(\"ADGroup-UGW-AAA-Grant-WEBAPP\")" ALLOW add authorization policylabel AZPL-EXT_WEBAPP bind authorization policylabel AZPL-EXT_WEBAPP AZP-EXT_WEBAPP 100 add server WEBAPP1 <IP> add lb monitor MON-WEBAPP HTTP -httpRequest "HEAD /webapp/healthmonitor" -respCode 200 -LRTM ENABLED -secure YES add service SVC-WEBAPP1_SSL WEBAPP1 SSL 443 -CIP ENABLED X-Forwarded-For bind service SVC-WEBAPP1_SSL -monitorName MON-WEBAPP add lb vserver LB-EXT_WEBAPP SSL 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180 -authentication ON -authnProfile AAA-AUPL-EXT_DEFAULT bind ssl vserver LB-EXT_WEBAPP -certkeyName wildcard-certificate bind lb vserver LB-EXT_WEBAPP -policyName AZP-EXT_WEBAPP-NOOP -invoke policylabel AZPL-EXT_WEBAPP -priority 100 bind lb vserver LB-EXT_WEBAPP SVC-WEBAPP1_SSL
Now we need to create the NetScaler Gateway and some groups.
# NOTE: Maybe your dnsVserverName is something else set vpn parameter -dnsVserverName LB-DNS -defaultAuthorizationAction DENY add rdp clientprofile RDP-CLIENTPROF-DEFAULT -rdpUrlOverride DISABLE -redirectPrinters DISABLE -videoPlaybackMode DISABLE -multiMonitorSupport DISABLE -rdpFileName rdp-app.rdp -psk <Secret> # NOTE: Using multiple LDAP Actions/Policies to support both UPN and SAM, using both Received and Web add authentication ldapAction NSGW-AS-LDAP -serverIP <IP> -serverPort 389 -secType TLS -passwdChange ENABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN add authentication ldapAction NSGW-AS-LDAP_UPN -serverIP <IP> -serverPort 389 -secType TLS -passwdChange ENABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName userPrincipalName -ssoNameAttribute samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN add authentication ldapAction NSGW-AS-LDAP_NOAUTH -serverIP <IP> -serverPort 389 -secType TLS -passwdChange DISABLED -authentication DISABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN add authentication ldapAction NSGW-AS-LDAP_UPN_NOAUTH -serverIP <IP> -serverPort 389 -secType TLS -passwdChange DISABLED -authentication DISABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName userPrincipalName -ssoNameAttribute samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN add authentication ldapPolicy NSGW-AP-LDAP "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" NSGW-AS-LDAP add authentication ldapPolicy NSGW-AP-LDAP_UPN "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" NSGW-AS-LDAP_UPN add authentication ldapPolicy NSGW-AP-LDAP_NOAUTH "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" NSGW-AS-LDAP_NOAUTH add authentication ldapPolicy NSGW-AP-LDAP_UPN_NOAUTH "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" NSGW-AS-LDAP_UPN_NOAUTH add vpn sessionAction NSGW-SPF-CTX_RECEIVER -transparentInterception OFF -defaultAuthorizationAction DENY -SSO ON -icaProxy ON -wihome "" -ClientChoices OFF -ntDomain EXAMPLE.LOCAL -clientlessVpnMode OFF -storefronturl "" -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access" add vpn sessionAction NSGW-SPF-CTX_WEB -transparentInterception ON -defaultAuthorizationAction DENY -SSO ON -icaProxy OFF -wihome "" -ClientChoices OFF -ntDomain EXAMPLE.LOCAL -clientlessVpnMode ON -homepage none -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access" add vpn sessionAction NSGW-SPF-CTX_ANY -transparentInterception ON -defaultAuthorizationAction DENY -SSO ON -ClientChoices OFF -clientlessVpnMode ON -ntDomain EXAMPLE.LOCAL -wihome "" -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access" add vpn sessionAction NSGW-SPF-RDPPROXY -rdpClientProfileName RDP-CLIENTPROF-DEFAULT add vpn sessionPolicy NSGW-SPL-CTX_RECEIVER "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixVPN && REQ.HTTP.HEADER User-Agent NOTCONTAINS NSGiOSplugin" NSGW-SPF-CTX_RECEIVER add vpn sessionPolicy NSGW-SPL-CTX_WEB "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" NSGW-SPF-CTX_WEB add vpn sessionPolicy NSGW-SPL-CTX_ANY ns_true NSGW-SPF-CTX_ANY add vpn sessionPolicy NSGW-SPL-RDPPROXY ns_true NSGW-SPF-RDPPROXY add vpn vserver NSGW-UNIFIED_GATEWAY SSL -appflowLog DISABLED -tcpProfileName nstcp_default_XA_XD_profile -loginOnce ON bind vpn vserver NSGW-UNIFIED_GATEWAY -staServer "http://CDC1.EXAMPLE.LOCAL" bind vpn vserver NSGW-UNIFIED_GATEWAY -staServer "http://CDC2.EXAMPLE.LOCAL" bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_NOAUTH -priority 80 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_UPN_NOAUTH -priority 90 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP -priority 100 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_UPN -priority 110 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_RECEIVER -priority 100 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_WEB -priority 100 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-RDPPROXY -priority 57000 bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_ANY -priority 58000 bind ssl vserver NSGW-UNIFIED_GATEWAY -certkeyName wildcard-certificate bind vpn vserver NSGW-UNIFIED_GATEWAY -portaltheme RfWebUI add authorization policy AZP-CLS-STOREFRONT "REQ.HTTP.HEADER Host ==" ALLOW add aaa group "ADGroup-UGW-NSGW-Grant-Logon Access" bind aaa group "ADGroup-UGW-NSGW-Grant-Logon Access" -policy AZP-CLS-STOREFRONT -priority 10 # NOTE: You need to upload the icon manually (either with the GUI or SCP) add vpn url BMRK-WEBAPP "Web application" "" -iconURL "/logon/webapp.ico" -ssotype unifiedgateway add aaa group ADGroup-UGW-AAA-Grant-WEBAPP bind aaa group ADGroup-UGW-AAA-Grant-WEBAPP -urlName BMRK-WEBAPP # NOTE: Icon for rdp:// will be the "usual" Desktop that's used by StoreFront add authorization policy AZP-RDP-MGMT1 "REQ.HTTP.HEADER Host == && REQ.HTTP.URL == \'/rdpproxy/mgmt1.example.local\'" ALLOW add vpn url BMRK-RDP-MGMT1 "MGMT1 RDP" "rdp://mgmt1.example.local" add aaa group ADGroup-UGW-RDP-Grant-MGMT1 bind aaa group ADGroup-UGW-RDP-Grant-MGMT1 -policy AZP-RDP-MGMT1 -priority 10 bind aaa group ADGroup-UGW-RDP-Grant-MGMT1 -urlName BMRK-RDP-MGMT1
As last step, let’s add all these vServers into one content switch:
add policy patset PATSET_HOSTHEADER_UGW bind policy patset PATSET_HOSTHEADER_UGW -index 1 add policy expression EXP_ADV_HOSTHEADER_UGW "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_UGW\")" add cs action CSA-LB-EXT_ADFS -targetLBVserver LB-EXT_ADFS add cs action CSA-LB-EXT_ADFS_AUTH -targetLBVserver LB-EXT_ADFS_AUTH add cs action CSA-LB-EXT_WEBAPP -targetLBVserver LB-EXT_WEBAPP add cs action CSA-NSGW-UNIFIED_GATEWAY -targetVserver NSGW-UNIFIED_GATEWAY add cs policy CSP-EXT_ADFS-NOOP -rule EXP_ADV_HOSTHEADER_ADFS add cs policy CSP-EXT_ADFS-ANY -rule EXP_ADV_HOSTHEADER_ADFS -action CSA-LB-EXT_ADFS add cs policy CSP-EXT_ADFS_AUTH-ADFSLS -rule "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\")" -action CSA-LB-EXT_ADFS_AUTH add cs policy CSP-EXT_ADFS_AUTH-CGI -rule "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/cgi/\")" -action CSA-LB-EXT_ADFS_AUTH add cs policy CSP-EXT_WEBAPP-NOOP -rule EXP_ADV_HOSTHEADER_WEBAPP add cs policy CSP-EXT_WEBAPP-ANY -rule EXP_ADV_HOSTHEADER_WEBAPP -action CSA-LB-EXT_WEBAPP # NOTE: Policy labels for binding a NetScaler Gateway isn't supported. You can't bind both AAA vServer and NetScaler Gateway vServer to the same content switch. add cs policy CSP-EXT_UGW-ANY -rule "EXP_ADV_HOSTHEADER_UGW || is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/Store\")" -action CSA-NSGW-UNIFIED_GATEWAY add cs policylabel CSPL-EXT_ADFS SSL bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS_AUTH-ADFSLS 100 bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS_AUTH-CGI 110 bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS-ANY 120 add cs policylabel CSPL-EXT_WEBAPP SSL bind cs policylabel CSPL-EXT_WEBAPP CSP-EXT_WEBAPP-ANY 100 add cs vserver CS-UGW-TCP443 SSL <DMZ IP> 443 -cltTimeout 18000 bind ssl vserver CS-UGW-TCP443 -certkeyName wildcard-certificate bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_ADFS-NOOP -priority 10 -invoke policylabel CSPL-EXT_ADFS bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_WEBAPP-NOOP -priority 20 -invoke policylabel CSPL-EXT_WEBAPP bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_UGW-ANY -priority 63000
Now we’ve got one content switch with NetScaler Gateway (ICA Proxy & RDP Proxy) as well as AAA protected applications, and single sign-on between everything. Configured manually!
When it comes to publishing the same URL internally (if you don’t want to use NetScaler Gateway internally as well), you can move the creating of the bookmark from NetScaler Gateway to XenApp/XenDesktop (described here by Jason Samuel, possible with version 7.11) and use StoreFront on the Content Switch instead of NetScaler Gateway.
Good luck and feel free to leave a comment!
Tags : ADFS, NetScaler, NetScaler Gateway, Unified Gateway
Personlig rådgivning
Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.
Stefan says
Nice post and good configuration. You configure the X-MS-Proxy Header. So the adfs server knows, that traffic flows through a proxy.
But what do you with Microsoft MFA or conditional access rules? I think with this configuration we cannot use those configuration.
Have you tested these configuration for active protocolls like active sync for exchange online accounts? Does it work ?
Simon Gottschlag says
Hi Stefan,
Sorry for the late reply!
We usually configure AAA on the NetScaler for MFA, even if using Azure MFA. If I'm not mistaken, the active protocols won't use /adfs/ls where AAA is configured so they won't be affected by AAA in that case.
Daniel says
Great post, im trying to work through this example to test, but not sure what
Daniel says
Sorry i miss-read, saw the command further down to set this
Add comment