Posted in : ADFS, NetScaler

4 years ago

I’m writing this post in English to make it easier for our non-Swedish readers.
I’m going to try and explain how to configure Unified Gateway, without the wizard! I’ll try to let the commands speak for themselves, but feel free to comment if you need me to add some additional information about what I’m doing or why. I’ll be configuring Unified Gateway enabling ICA Proxy, RDP Proxy and AAA protected applications – we would also be able to add SSL VPN using a specific group, but we’ll leave that for another time.
I’ve tried to remove parameters that don’t ”matter”, but if there’s something that doesn’t work, it’s most likely because of that – just comment and I’ll update.
My first step of configuring Unified Gateway is also the easiest part, creating a redirect to https (in my own special way) for traffic coming in on http.

add responder action REA-HTML-HTTPS_REDIRECT respondwith q{"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HEADER("Host").HTTP_HEADER_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE + "\r\n" + "Strict-Transport-Security: max-age=31536000\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"}
add responder policy REP-HTTPS_REDIRECT-NOOP "CLIENT.SSL.IS_SSL.NOT" NOOP
add responder policy REP-HTTPS_REDIRECT "CLIENT.SSL.IS_SSL.NOT" REA-HTML-HTTPS_REDIRECT
add responder policylabel REPL-HTTPS_REDIRECT
bind responder policylabel REPL-HTTPS_REDIRECT REP-HTTPS_REDIRECT 100 END
add cs vserver CS-UGW-TCP80 HTTP <DMZ IP> 80
bind cs vserver CS-UGW-TCP80 -policyName REP-HTTPS_REDIRECT-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel REPL-HTTPS_REDIRECT

Now we’re able to redirect everything hitting HTTP to HTTPS with a 301 (Moved Permanently), while still keeping the Host-header, URL and query. I’ve also added the HSTS header, just to be sure.
 
Next step is configuring some basic AAA settings, and I always try to limit what is allowed by default and then use groups from the AD to allow access to different resources.

set tm sessionParameter -sessTimeout 1 -defaultAuthorizationAction DENY
add authentication authnProfile AAA-AUPL-EXT_DEFAULT -authnVsName NSGW-UNIFIED_GATEWAY -AuthenticationHost ugw.example.com -AuthenticationDomain example.com

The above authentication profile is using ugw.example.com which is my URL to the Unified Gateway, which will be added later.
 
Now, let’s create an AAA portected web application with form fill, and require users to be members of a specific group. In my case, I’ll use ADFS for the form fill application:

add tm formSSOAction AAA-TFSSO-EXT_ADFS -actionURL "/adfs/ls" -userField UserName -passwdField Password -ssoSuccessRule true -nameValuePair "AuthMethod=FormsAuthentication" -responsesize 15000 -submitMethod POST
add tm trafficAction AAA-TPF-EXT_ADFS_LOGOUT -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficAction AAA-TPF-EXT_ADFS_LOGIN -appTimeout 1 -SSO ON -formSSOAction AAA-TFSSO-EXT_ADFS -persistentCookie ON -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy AAA-TPL-EXT_ADFS_LOGOUT "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignout1.0\")" AAA-TPF-EXT_ADFS_LOGOUT
add tm trafficPolicy AAA-TPL-EXT_ADFS_LOGIN "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignin1.0\")" AAA-TPF-EXT_ADFS_LOGIN
add authorization policy AZP-EXT_ADFS-NOOP EXP_ADV_HOSTHEADER_ADFS DENY
add authorization policy AZP-EXT_ADFS "HTTP.REQ.USER.IS_MEMBER_OF(\"ADGroup-UGW-AAA-Grant-ADFS\")" ALLOW
add authorization policylabel AZPL-EXT_ADFS
bind authorization policylabel AZPL-EXT_ADFS AZP-EXT_ADFS 100
add policy patset PATSET_HOSTHEADER_ADFS
bind policy patset PATSET_HOSTHEADER_ADFS adfs.example.com -index 1
add policy expression EXP_ADV_HOSTHEADER_ADFS "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_ADFS\")"
add rewrite action RWA-REQ-EXT_ADFS-XMSPROXY insert_http_header X-MS-Proxy "\"NETSCALER\""
add rewrite action RWA-REQ-EXT_ADFS-PROXYMEX replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\"/adfs/services/trust/mex\").HTTP_URL_SAFE"
add rewrite policy RWP-REQ-EXT_ADFS-NOOP "EXP_ADV_HOSTHEADER_ADFS" NOREWRITE
add rewrite policy RWP-REQ-EXT_ADFS-XMSPROXY "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs\")" RWA-REQ-EXT_ADFS-XMSPROXY
add rewrite policy RWP-REQ-EXT_ADFS-PROXYMEX "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" RWA-REQ-EXT_ADFS-PROXYMEX
add rewrite policylabel RWPL-REQ-EXT_ADFS http_req
bind rewrite policylabel RWPL-REQ-EXT_ADFS RWP-REQ-EXT_ADFS-XMSPROXY 100 NEXT
bind rewrite policylabel RWPL-REQ-EXT_ADFS RWP-REQ-EXT_ADFS-PROXYMEX 110 END
add server ADFS1 <IP>
add server ADFS2 <IP>
add lb monitor MON-ADFS HTTP -httpRequest "HEAD /adfs/probe" -respCode 200 -LRTM ENABLED -secure NO -destPort 80
add service SVC-ADFS1_SSL ADFS1 SSL 443 -CIP ENABLED X-MS-Forwarded-Client-IP
add service SVC-ADFS2_SSL ADFS2 SSL 443 -CIP ENABLED X-MS-Forwarded-Client-IP
bind service SVC-ADFS1_SSL -monitorName MON-ADFS
bind service SVC-ADFS2_SSL -monitorName MON-ADFS
add lb vserver LB-EXT_ADFS SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180
bind ssl vserver LB-EXT_ADFS -certkeyName wildcard-certificate
bind lb vserver LB-EXT_ADFS -policyName RWP-REQ-EXT_ADFS-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel RWPL-REQ-EXT_ADFS
add lb vserver LB-EXT_ADFS_AUTH SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180 -authentication ON -authnProfile AAA-AUPL-EXT_DEFAULT
bind ssl vserver LB-EXT_ADFS_AUTH -certkeyName wildcard-certificate
bind lb vserver LB-EXT_ADFS_AUTH -policyName RWP-REQ-EXT_ADFS-NOOP -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel RWPL-REQ-EXT_ADFS
bind lb vserver LB-EXT_ADFS_AUTH -policyName AZP-EXT_ADFS-NOOP -invoke policylabel AZPL-EXT_ADFS -priority 100
bind lb vserver LB-EXT_ADFS_AUTH -policyName AAA-TPL-EXT_ADFS_LOGIN -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver LB-EXT_ADFS_AUTH -policyName AAA-TPL-EXT_ADFS_LOGOUT -priority 110 -gotoPriorityExpression END -type REQUEST
bind lb vserver LB-EXT_ADFS SVC-ADFS1_SSL
bind lb vserver LB-EXT_ADFS SVC-ADFS2_SSL
bind lb vserver LB-EXT_ADFS_AUTH SVC-ADFS1_SSL
bind lb vserver LB-EXT_ADFS_AUTH SVC-ADFS2_SSL

You will find some more information about what needs to be configured on ADFS 3.0 to get this working in another blog post I’ve written (in Swedish, but you’ll find the commands).
 
Now let’s create another web application (which is using either 401 / WIA authentication or perhaps ADFS / SAML).

add policy patset PATSET_HOSTHEADER_WEBAPP
bind policy patset PATSET_HOSTHEADER_WEBAPP webapp.example.com -index 1
add policy expression EXP_ADV_HOSTHEADER_WEBAPP "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_WEBAPP\")"
add authorization policy AZP-EXT_WEBAPP-NOOP EXP_ADV_HOSTHEADER_WEBAPP DENY
add authorization policy AZP-EXT_WEBAPP "HTTP.REQ.USER.IS_MEMBER_OF(\"ADGroup-UGW-AAA-Grant-WEBAPP\")" ALLOW
add authorization policylabel AZPL-EXT_WEBAPP
bind authorization policylabel AZPL-EXT_WEBAPP AZP-EXT_WEBAPP 100
add server WEBAPP1 <IP>
add lb monitor MON-WEBAPP HTTP -httpRequest "HEAD /webapp/healthmonitor" -respCode 200 -LRTM ENABLED -secure YES
add service SVC-WEBAPP1_SSL WEBAPP1 SSL 443 -CIP ENABLED X-Forwarded-For
bind service SVC-WEBAPP1_SSL -monitorName MON-WEBAPP
add lb vserver LB-EXT_WEBAPP SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30 -cltTimeout 180 -authentication ON -authnProfile AAA-AUPL-EXT_DEFAULT
bind ssl vserver LB-EXT_WEBAPP -certkeyName wildcard-certificate
bind lb vserver LB-EXT_WEBAPP -policyName AZP-EXT_WEBAPP-NOOP -invoke policylabel AZPL-EXT_WEBAPP -priority 100
bind lb vserver LB-EXT_WEBAPP SVC-WEBAPP1_SSL

 
Now we need to create the  NetScaler Gateway and some groups.

# NOTE: Maybe your dnsVserverName is something else
set vpn parameter -dnsVserverName LB-DNS -defaultAuthorizationAction DENY
add rdp clientprofile RDP-CLIENTPROF-DEFAULT -rdpUrlOverride DISABLE -redirectPrinters DISABLE -videoPlaybackMode DISABLE -multiMonitorSupport DISABLE -rdpFileName rdp-app.rdp -psk <Secret>
# NOTE: Using multiple LDAP Actions/Policies to support both UPN and SAM, using both Received and Web
add authentication ldapAction NSGW-AS-LDAP -serverIP <IP> -serverPort 389 -secType TLS -passwdChange ENABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction NSGW-AS-LDAP_UPN -serverIP <IP> -serverPort 389 -secType TLS -passwdChange ENABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName userPrincipalName -ssoNameAttribute samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction NSGW-AS-LDAP_NOAUTH -serverIP <IP> -serverPort 389 -secType TLS -passwdChange DISABLED -authentication DISABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction NSGW-AS-LDAP_UPN_NOAUTH -serverIP <IP> -serverPort 389 -secType TLS -passwdChange DISABLED -authentication DISABLED -ldapBase "DC=example,DC=local" -ldapBindDn "service.netscaler@example.local" -ldapBindDnPassword <Secret> -ldapLoginName userPrincipalName -ssoNameAttribute samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 8 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapPolicy NSGW-AP-LDAP "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" NSGW-AS-LDAP
add authentication ldapPolicy NSGW-AP-LDAP_UPN "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" NSGW-AS-LDAP_UPN
add authentication ldapPolicy NSGW-AP-LDAP_NOAUTH "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" NSGW-AS-LDAP_NOAUTH
add authentication ldapPolicy NSGW-AP-LDAP_UPN_NOAUTH "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" NSGW-AS-LDAP_UPN_NOAUTH
add vpn sessionAction NSGW-SPF-CTX_RECEIVER -transparentInterception OFF -defaultAuthorizationAction DENY -SSO ON -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb" -ClientChoices OFF -ntDomain EXAMPLE.LOCAL -clientlessVpnMode OFF -storefronturl "https://storefront.example.com" -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access"
add vpn sessionAction NSGW-SPF-CTX_WEB -transparentInterception ON -defaultAuthorizationAction DENY -SSO ON -icaProxy OFF -wihome "https://storefront.example.com/Citrix/StoreWeb" -ClientChoices OFF -ntDomain EXAMPLE.LOCAL -clientlessVpnMode ON -homepage none -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access"
add vpn sessionAction NSGW-SPF-CTX_ANY -transparentInterception ON -defaultAuthorizationAction DENY -SSO ON -ClientChoices OFF -clientlessVpnMode ON -ntDomain EXAMPLE.LOCAL -wihome "https://storefront.example.com/Citrix/StoreWeb" -allowedLoginGroups "ADGroup-UGW-NSGW-Grant-Logon Access"
add vpn sessionAction NSGW-SPF-RDPPROXY -rdpClientProfileName RDP-CLIENTPROF-DEFAULT
add vpn sessionPolicy NSGW-SPL-CTX_RECEIVER "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixVPN && REQ.HTTP.HEADER User-Agent NOTCONTAINS NSGiOSplugin" NSGW-SPF-CTX_RECEIVER
add vpn sessionPolicy NSGW-SPL-CTX_WEB "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" NSGW-SPF-CTX_WEB
add vpn sessionPolicy NSGW-SPL-CTX_ANY ns_true NSGW-SPF-CTX_ANY
add vpn sessionPolicy NSGW-SPL-RDPPROXY ns_true NSGW-SPF-RDPPROXY
add vpn vserver NSGW-UNIFIED_GATEWAY SSL 0.0.0.0 -appflowLog DISABLED -tcpProfileName nstcp_default_XA_XD_profile -loginOnce ON
bind vpn vserver NSGW-UNIFIED_GATEWAY -staServer "http://CDC1.EXAMPLE.LOCAL"
bind vpn vserver NSGW-UNIFIED_GATEWAY -staServer "http://CDC2.EXAMPLE.LOCAL"
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_NOAUTH -priority 80
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_UPN_NOAUTH -priority 90
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP -priority 100
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-AP-LDAP_UPN -priority 110
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_RECEIVER -priority 100
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_WEB -priority 100
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-RDPPROXY -priority 57000
bind vpn vserver NSGW-UNIFIED_GATEWAY -policy NSGW-SPL-CTX_ANY -priority 58000
bind ssl vserver NSGW-UNIFIED_GATEWAY -certkeyName wildcard-certificate
bind vpn vserver NSGW-UNIFIED_GATEWAY -portaltheme RfWebUI
add authorization policy AZP-CLS-STOREFRONT "REQ.HTTP.HEADER Host == storefront.example.com" ALLOW
add aaa group "ADGroup-UGW-NSGW-Grant-Logon Access"
bind aaa group "ADGroup-UGW-NSGW-Grant-Logon Access" -policy AZP-CLS-STOREFRONT -priority 10
# NOTE: You need to upload the icon manually (either with the GUI or SCP)
add vpn url BMRK-WEBAPP "Web application" "https://webapp.example.com" -iconURL "/logon/webapp.ico" -ssotype unifiedgateway
add aaa group ADGroup-UGW-AAA-Grant-WEBAPP
bind aaa group ADGroup-UGW-AAA-Grant-WEBAPP -urlName BMRK-WEBAPP
# NOTE: Icon for rdp:// will be the "usual" Desktop that's used by StoreFront
add authorization policy AZP-RDP-MGMT1 "REQ.HTTP.HEADER Host == ugw.example.com && REQ.HTTP.URL == \'/rdpproxy/mgmt1.example.local\'" ALLOW
add vpn url BMRK-RDP-MGMT1 "MGMT1 RDP" "rdp://mgmt1.example.local"
add aaa group ADGroup-UGW-RDP-Grant-MGMT1
bind aaa group ADGroup-UGW-RDP-Grant-MGMT1 -policy AZP-RDP-MGMT1 -priority 10
bind aaa group ADGroup-UGW-RDP-Grant-MGMT1 -urlName BMRK-RDP-MGMT1

 
As last step, let’s add all these vServers into one content switch:

add policy patset PATSET_HOSTHEADER_UGW
bind policy patset PATSET_HOSTHEADER_UGW ugw.example.com -index 1
add policy expression EXP_ADV_HOSTHEADER_UGW "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_UGW\")"
add cs action CSA-LB-EXT_ADFS -targetLBVserver LB-EXT_ADFS
add cs action CSA-LB-EXT_ADFS_AUTH -targetLBVserver LB-EXT_ADFS_AUTH
add cs action CSA-LB-EXT_WEBAPP -targetLBVserver LB-EXT_WEBAPP
add cs action CSA-NSGW-UNIFIED_GATEWAY -targetVserver NSGW-UNIFIED_GATEWAY
add cs policy CSP-EXT_ADFS-NOOP -rule EXP_ADV_HOSTHEADER_ADFS
add cs policy CSP-EXT_ADFS-ANY -rule EXP_ADV_HOSTHEADER_ADFS -action CSA-LB-EXT_ADFS
add cs policy CSP-EXT_ADFS_AUTH-ADFSLS -rule "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\")" -action CSA-LB-EXT_ADFS_AUTH
add cs policy CSP-EXT_ADFS_AUTH-CGI -rule "EXP_ADV_HOSTHEADER_ADFS && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/cgi/\")" -action CSA-LB-EXT_ADFS_AUTH
add cs policy CSP-EXT_WEBAPP-NOOP -rule EXP_ADV_HOSTHEADER_WEBAPP
add cs policy CSP-EXT_WEBAPP-ANY -rule EXP_ADV_HOSTHEADER_WEBAPP -action CSA-LB-EXT_WEBAPP
# NOTE: Policy labels for binding a NetScaler Gateway isn't supported. You can't bind both AAA vServer and NetScaler Gateway vServer to the same content switch.
add cs policy CSP-EXT_UGW-ANY -rule "EXP_ADV_HOSTHEADER_UGW || is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/Store\")" -action CSA-NSGW-UNIFIED_GATEWAY
add cs policylabel CSPL-EXT_ADFS SSL
bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS_AUTH-ADFSLS 100
bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS_AUTH-CGI 110
bind cs policylabel CSPL-EXT_ADFS CSP-EXT_ADFS-ANY 120
add cs policylabel CSPL-EXT_WEBAPP SSL
bind cs policylabel CSPL-EXT_WEBAPP CSP-EXT_WEBAPP-ANY 100
add cs vserver CS-UGW-TCP443 SSL <DMZ IP> 443 -cltTimeout 18000
bind ssl vserver CS-UGW-TCP443 -certkeyName wildcard-certificate
bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_ADFS-NOOP -priority 10 -invoke policylabel CSPL-EXT_ADFS
bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_WEBAPP-NOOP -priority 20 -invoke policylabel CSPL-EXT_WEBAPP
bind cs vserver CS-UGW-TCP443 -policyName CSP-EXT_UGW-ANY -priority 63000

 
Now we’ve got one content switch with NetScaler Gateway (ICA Proxy & RDP Proxy) as well as AAA protected applications, and single sign-on between everything. Configured manually!
When it comes to publishing the same URL internally (if you don’t want to use NetScaler Gateway internally as well), you can move the creating of the bookmark from NetScaler Gateway to XenApp/XenDesktop (described here by Jason Samuel, possible with version 7.11) and use StoreFront on the Content Switch instead of NetScaler Gateway.
Good luck and feel free to leave a comment!

Tags : ADFS, NetScaler, NetScaler Gateway, Unified Gateway

Comments

Stefan says

Nice post and good configuration. You configure the X-MS-Proxy Header. So the adfs server knows, that traffic flows through a proxy.
But what do you with Microsoft MFA or conditional access rules? I think with this configuration we cannot use those configuration.
Have you tested these configuration for active protocolls like active sync for exchange online accounts? Does it work ?

Simon Gottschlag says

Hi Stefan,
Sorry for the late reply!
We usually configure AAA on the NetScaler for MFA, even if using Azure MFA. If I'm not mistaken, the active protocols won't use /adfs/ls where AAA is configured so they won't be affected by AAA in that case.

Daniel says

Great post, im trying to work through this example to test, but not sure what
EXP_ADV_HOSTHEADER_ADFS should be....

Daniel says

Sorry i miss-read, saw the command further down to set this

Add comment

Your comment will be revised by the site if needed.