Best practices and example configurations for Citrix NetScaler.
1. Intro
1.1. What’s this?
In this documents i will share all my NetScaler best practices and guidelines.
This is not a "no-brainer" copy & paste guide. Double check every configuration line before you paste it in your NetScaler.
Custom configurations (like binding of ssl certificates) are not part of this document.
1.2. Build HTML
All content is written in ASCII Doc. You can convert the content to HTML via asciidoctor. A Makefile is included in this repository. Just run the following command to build it.
make all
Ruby and the asciidoctor gem need to be installed. A RPM package for Enterprise Linux (RHEL, CentOS, Fedora) is available trough EPEL.
yum install rubygem-asciidoctor.noarch
A HTML version of this documentation is also available on GitHub Pages.
The asciidoc source is available on GitHub.
1.3. Contribute
Feedback and suggestion for improvement are appreciated. Just create a issue on GitHub. You can also send me an Pull requests to suggest changes.
1.4. Available Guides
-
Best Practices
-
SSL Hardening
-
SSH Hardening
-
Exchange 2016
-
NetScaler Gateway (ICA only)
-
NetScaler Gateway (Smartaccess)
-
XenMobile
-
Sharefile
-
SMS Passcode
2. Best Practices
2.1. Layer 3 mode
Layer 3 mode is enabled by default. This enables IP fowarding and is only required in a few situations (e.g. if you need to fowrard Client IPs in different procotols than HTTP with the feature "USIP").
If you don’t need this Layer 3 mode should be disabled for security reasons.
disable mode L3mode
2.2. External auth for nsroot
External auth for nsroot is enabled by default. If not needed this should be disabled for security reasons.
set system user nsroot -externalAuth DISABLED
2.3. Optmize HTTP/TCP
These are a combination of the Citrix best practices from CTX121149 and my personal experience.
# configure timeout (GUI, SSH) to 10 minutes
set system parameter -timeout 600 -doppler DISABLED
# tips from CTX121149
set ns tcpProfile nstcp_default_profile -WS ENABLED -SACK ENABLED -nagle ENABLED
set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED
set ns tcpParam -WS ENABLED -SACK ENABLED -nagle ENABLED
# drop invalid HTTP requests
set ns httpParam -dropInvalReqs ON -markHttp09Inval ON -markConnReqInval ON
# enable X-Forwarded-For header globaly, set Cookie version to v1
set ns param -cip ENABLED X-Forwarded-For -cookieversion 1
3. Basics
3.1. Share CPU ressources on a VPX
You may want to re-enable the sharing of CPU resources (yielding) on your VPX. Yielding is disabled by default on NetScaler 12.0 and onwards.
set ns vpxparam -cpuyield YES
3.2. Timezone
If not already done you should also configure your local timezone:
set ns param -timezone "GMT+01:00-CET-Europe/Berlin"
3.3. Basic Features
This is an example for enabling the most used features. This depends by the installed license and your individual needs.
Here are some examples.
NetScaler Gateway Platform license
enable ns feature SSL SSLVPN REWRITE RESPONDER
NetScaler Standard
enable ns feature LB CS SSL CF SSLVPN REWRITE RESPONDER
NetScaler Enteprise
enable ns feature LB CS SSL CF SSLVPN AAA REWRITE RESPONDER RDPProxy
3.4. LDAP
add authentication ldapAction act_auth_ldap -serverName ${DC} -serverPort 636 -ldapBase "${LDAP_BASEDN}" -ldapBindDn "${LDAP_BINDDN}" -ldapBindDnPassword "${LDAP_BINDPW}" -ldapLoginName sAMAccountName -searchFilter "${LDAP_FILTER}" -groupAttrName memberOf -subAttributeName CN -secType SSL -ssoNameAttribute sAMAccountName -passwdChange ENABLED -nestedGroupExtraction ON -ldapHostname ${LDAP_FQDN} -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapPolicy pol_auth_ldap ns_true act_auth_ldap
Admin authentication
bind system global pol_auth_ldap
add system group "${LDAP_ADMINS}"
bind system group "${LDAP_ADMINS}" -policyName superuser 100
3.5. Syslog
add audit syslogAction act_audit_syslog ${SYSLOG} -logLevel ${SYSLOG_LOGLEVEL}
add audit syslogPolicy pol_audit_syslog ns_true act_audit_syslog
bind system global pol_audit_syslog -priority 100
3.6. SNMP
add snmp community ${SNMP_COMMUNITY} GET_NEXT
set snmp mib -name ${SNMP_NAME} -contact ${SNMP_CONTACT} -customID ${SNMP_CUSTOM_ID} -location ${SNMP_LOCATION}
3.7. NTP
add ntp server ${NTP1}
add ntp server ${NTP2}
NTP synchronisation is disabled by default.
enable ntp sync
3.8. VLAN Binding
You should configure a SNIP for each network interface and bind it to a VLAN. This avoids MAC flapping between ports (NetScaler auto discovery).
add vlan ${VLAN_EXT} -aliasName ${VLAN_EXT_ALIAS}
bind vlan ${VLAN_EXT} -IPAddress ${SNIP_EXT} ${SNIP_EXT_MASK}
bind vlan ${VLAN_EXT} -ifnum ${VLAN_EXT_INTERFACE}
3.9. DNS Loadbalancing
add server ${DNS1_FQDN} ${DNS1_IP}
add server ${DNS2_FQDN} ${DNS2_IP}
add serviceGroup sg_dns_ad DNS -maxClient 0 -maxReq 0 -usip NO -useproxyport NO -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup sg_dns_ad ${DNS1_FQDN} 53
bind serviceGroup sg_dns_ad ${DNS2_FQDN} 53
add lb vserver vs_lb_dns_ad DNS 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver vs_lb_dns_ad sg_dns_ad
add dns nameServer vs_lb_dns_ad
3.10. DNS Suffix
add dns suffix ${DNS_SUFFIX}
3.11. Generic SSL Redirect
add responder action act_responder_ssl_redirect_generic redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.HTTP_URL_SAFE" -responseStatusCode 301
add responder policy pol_responder_ssl_redirect_generic true act_responder_ssl_redirect_generic
3.12. Access Log
add audit messageaction access_log INFORMATIONAL q/CLIENT.IP.SRC + HTTP.REQ.HEADER("X-Forwarded-For").HTTP_HEADER_SAFE + " " + HTTP.REQ.HOSTNAME + " \"" +HTTP.REQ.METHOD + " " +HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE + "\"" +" \"" + HTTP.REQ.HEADER("User-Agent").HTTP_HEADER_SAFE + "\"" /
4. SSL Hardening
4.1. Secure Ciphers
High secure ciphers only - TLS 1.3 and TLS 1.2.
add ssl cipher CUSTOM_MODERN
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
High secure ciphers for TLS 1.3 and TLS 1.2, but keep some legacy ciphers enabled.
add ssl cipher CUSTOM_INTERMEDIATE
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_INTERMEDIATE -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
If support for TLS 1.0 or TLS 1.1 is required. Also a good choice for your backend profile.
add ssl cipher CUSTOM_MODERN_LEGACY
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher CUSTOM_MODERN_LEGACY -cipherName TLS1-AES-128-CBC-SHA
4.2. Default Profile
set ssl parameter -defaultProfile ENABLED
Y
set ssl profile ns_default_ssl_profile_frontend -denySSLReneg NONSECURE
bind ssl profile ns_default_ssl_profile_frontend -cipherName CUSTOM_INTERMEDIATE
unbind ssl profile ns_default_ssl_profile_frontend -cipherName DEFAULT
set ssl profile ns_default_ssl_profile_backend -denySSLReneg NONSECURE
bind ssl profile ns_default_ssl_profile_backend -cipherName CUSTOM_INTERMEDIATE
unbind ssl profile ns_default_ssl_profile_backend -cipherName DEFAULT_BACKEND
4.3. Disable TLS 1.0 and TLS 1.1
-
disable TLS 1.0
-
disable TLS 1.1
-
enable TLS 1.2
-
enable TLS 1.3
set ssl profile ns_default_ssl_profile_frontend -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED
set ssl profile ns_default_ssl_profile_backend -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED
4.4. Enable HSTS
This adds the STS header to all HTTP responses. This is required to get an A+ rating on ssllabs.com.
add rewrite action act_rewrite_inject_http_sts_header insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy pol_rewrite_inject_http_sts_header true act_rewrite_inject_http_sts_header
bind rewrite global pol_rewrite_inject_http_sts_header 100 NEXT -type RES_OVERRIDE
NetScaler 12.0+ Since version 12.0 NetScaler has a builtin HSTS feature. The rewrite policy from above is no longer needed.
set ssl profile ns_default_ssl_profile_frontend -HSTS ENABLED -maxage 31536000
4.5. Diffie-Hellman key
Create a Diffie-Hellman key and bind it to the default frontend profile (be aware, this could take a lot of time).
create dhParam /nsconfig/ssl/ECDHE.key -gen 5 2048
set ssl profile ns_default_ssl_profile_frontend -dh ENABLED -dhFile "/nsconfig/ssl/ECDHE.key"
5. SSH Hardening
5.1. Create ed25519 hostkey
The default configuration does not use ed25519 hostkeys.
ssh-keygen -t ed25519 -f /nsconfig/ssh/ssh_host_ed25519_key -N ""
5.2. Secure configuration
This will disable legacy ciphers, the dsa hostkey and the password authentication.
Copy this file to /nsconfig/sshd_config and reboot your NetScaler.
Port 22
ListenAddress 0.0.0.0
ListenAddress ::
#HostKey /nsconfig/ssh/ssh_host_dsa_key
#HostKey /nsconfig/ssh/ssh_host_ecdsa_key
HostKey /nsconfig/ssh/ssh_host_rsa_key
HostKey /nsconfig/ssh/ssh_host_ed25519_key
LoginGraceTime 120
PermitRootLogin without-password
LogLevel INFO
IgnoreRhosts no
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
SyslogFacility AUTH
PasswordAuthentication no
PermitEmptyPasswords no
UsePam no
UseDNS no
ClientAliveInterval 10
ClientAliveCountMax 5
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding no
MaxStartups 10:30:60
MaxAuthTries 3
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
6. Exchange 2016
This is an example configuration for Exchange 2016 on NetScaler.
-
Content Switching for every single service/directory
-
Formbased Preauth for Outlook Web Access
-
401 Preauth for Active Sync Traffic
-
NTLM Preauth for Outlook Anywhere Traffic
To use all features (e.g. preauth) at least a Enterprise license is required (AAA).
This configuration was built for my Citrix Networking specialist exam and Exchange 2013. I added some improvements and support for Exchange 2016 (e.g. MAPI over HTTPS) afterwards.
This configuration runs in production on 10+ customer setups (not all of them use preauth).
6.1. Content Switching
Add your exchange servers
Be sure that you use the real FQDN of the machine as name for the server object. This is important if you plan to use Kerberos preauth for Outlook Anywhere.
add server ${EX1_FQDN} ${EX1_IP}
add server ${EX2_FQDN} ${EX2_IP}
Service groups
add serviceGroup sg_ssl_ex2016_owa SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_ews SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_activesync SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_rpc SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_autodiscover SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_ecp SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_oab SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_ssl_ex2016_mapi SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
Add Exchange servers to the servicegroups
bind serviceGroup sg_ssl_ex2016_owa ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_owa ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_ews ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_ews ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_activesync ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_activesync ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_rpc ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_rpc ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_autodiscover ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_autodiscover ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_ecp ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_ecp ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_oab ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_oab ${EX2_FQDN} 443
bind serviceGroup sg_ssl_ex2016_mapi ${EX1_FQDN} 443
bind serviceGroup sg_ssl_ex2016_mapi ${EX2_FQDN} 443
Monitoring
add lb monitor mon_ex2016_owa HTTP -respCode 200 -httpRequest "GET /owa/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_ews HTTP -respCode 200 -httpRequest "GET /ews/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_activesync HTTP -respCode 200 -httpRequest "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_rpc HTTP -respCode 200 -httpRequest "GET /rpc/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_autodiscover HTTP -respCode 200 -httpRequest "GET /Autodiscover/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_ecp HTTP -respCode 200 -httpRequest "GET /ecp/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_oab HTTP -respCode 200 -httpRequest "GET /oab/healthcheck.htm" -LRTM ENABLED -secure YES
add lb monitor mon_ex2016_mapi HTTP -respCode 200 -httpRequest "GET /mapi/healthcheck.htm" -LRTM ENABLED -secure YES
bind serviceGroup sg_ssl_ex2016_owa -monitorName mon_ex2016_owa
bind serviceGroup sg_ssl_ex2016_ews -monitorName mon_ex2016_ews
bind serviceGroup sg_ssl_ex2016_activesync -monitorName mon_ex2016_activesync
bind serviceGroup sg_ssl_ex2016_rpc -monitorName mon_ex2016_rpc
bind serviceGroup sg_ssl_ex2016_autodiscover -monitorName mon_ex2016_autodiscover
bind serviceGroup sg_ssl_ex2016_ecp -monitorName mon_ex2016_ecp
bind serviceGroup sg_ssl_ex2016_oab -monitorName mon_ex2016_oab
bind serviceGroup sg_ssl_ex2016_mapi -monitorName mon_ex2016_mapi
Internal LB vServers
add lb vserver vs_lb_http_ex2016_owa HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_owa_redirect HTTP 0.0.0.0 0 -cltTimeout 180
add lb vserver vs_lb_http_ex2016_ews HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_activesync HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_rpc HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_autodiscover HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_ecp HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_oab HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
add lb vserver vs_lb_http_ex2016_mapi HTTP 0.0.0.0 0 -lbMethod LEASTRESPONSETIME -cltTimeout 180
Connect LB vServers and the servicegroups
bind lb vserver vs_lb_http_ex2016_owa sg_ssl_ex2016_owa
bind lb vserver vs_lb_http_ex2016_owa_redirect sg_ssl_ex2016_owa
bind lb vserver vs_lb_http_ex2016_ews sg_ssl_ex2016_ews
bind lb vserver vs_lb_http_ex2016_activesync sg_ssl_ex2016_activesync
bind lb vserver vs_lb_http_ex2016_rpc sg_ssl_ex2016_rpc
bind lb vserver vs_lb_http_ex2016_autodiscover sg_ssl_ex2016_autodiscover
bind lb vserver vs_lb_http_ex2016_ecp sg_ssl_ex2016_ecp
bind lb vserver vs_lb_http_ex2016_oab sg_ssl_ex2016_oab
bind lb vserver vs_lb_http_ex2016_mapi sg_ssl_ex2016_mapi
Content Switching policies
add cs action act_cs_ex2016_owa -targetLBVserver vs_lb_http_ex2016_owa
add cs action act_cs_ex2016_ews -targetLBVserver vs_lb_http_ex2016_ews
add cs action act_cs_ex2016_activesync -targetLBVserver vs_lb_http_ex2016_activesync
add cs action act_cs_ex2016_rpc -targetLBVserver vs_lb_http_ex2016_rpc
add cs action act_cs_ex2016_autodiscover -targetLBVserver vs_lb_http_ex2016_autodiscover
add cs action act_cs_ex2016_ecp -targetLBVserver vs_lb_http_ex2016_ecp
add cs action act_cs_ex2016_oab -targetLBVserver vs_lb_http_ex2016_oab
add cs action act_cs_ex2016_mapi -targetLBVserver vs_lb_http_ex2016_mapi
add cs policy pol_cs_ex2016_owa -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/owa\")\n|| HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")\n||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/cgi/selfauth\") ||\nHTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/cgi/selfauth\")" -action act_cs_ex2016_owa
add cs policy pol_cs_ex2016_ews -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/ews\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ews\")" -action act_cs_ex2016_ews
add cs policy pol_cs_ex2016_rpc -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/rpc\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/rpc\")" -action act_cs_ex2016_rpc
add cs policy pol_cs_ex2016_autodiscover -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/Autodiscover\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Autodiscover\")" -action act_cs_ex2016_autodiscover
add cs policy pol_cs_ex2016_ecp -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/ecp\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ecp\")" -action act_cs_ex2016_ecp
add cs policy pol_cs_ex2016_oab -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/oab\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/oab\")" -action act_cs_ex2016_oab
add cs policy pol_cs_ex2016_mapi -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/mapi\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/mapi\")" -action act_cs_ex2016_mapi
add cs policy pol_cs_ex2016_activesync -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/Microsoft-Server-ActiveSync\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Microsoft-Server-ActiveSync\")" -action act_cs_ex2016_activesync
Create CS vServer
add cs vserver vs_cs_ssl_ex2016 SSL ${EX_VIP} 443 -cltTimeout 180
add cs vserver vs_cs_http_ex2016 HTTP ${EX_VIP} 80 -cltTimeout 180
Add the CS policies to the CS vServer
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_owa -priority 100
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_ews -priority 110
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_activesync -priority 120
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_rpc -priority 130
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_autodiscover -priority 140
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_ecp -priority 150
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_oab -priority 160
bind cs vserver vs_cs_ssl_ex2016 -policyName pol_cs_ex2016_mapi -priority 170
bind cs vserver vs_cs_ssl_ex2016 -lbvserver vs_lb_http_ex2016_owa_redirect
Redirect all HTTP requests to SSL
bind cs vserver vs_cs_http_ex2016 -policyName pol_responder_ssl_redirect_generic -priority 100 -gotoPriorityExpression END -type REQUEST
Redirect invalid requests to OWA
add responder action act_responder_ssl_redirect_owa redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + \"/owa/\"" -responseStatusCode 302
add responder policy pol_responder_ssl_redirect_owa "true" act_responder_ssl_redirect_owa
bind lb vserver vs_lb_http_ex2016_owa_redirect -policyName pol_responder_ssl_redirect_owa -priority 100 -gotoPriorityExpression END -type REQUEST
6.2. Persistence
This creates a SOURCEIP persistence group for Exchange services. This is not required, but it can make your troubleshooting a lot easier.
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_ews
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_activesync
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_rpc
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_autodiscover
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_oab
bind lb group persistency_group_ex2016_web vs_lb_http_ex2016_mapi
set lb group persistency_group_ex2016_web -persistenceType SOURCEIP
6.3. Preauth for Activesync
AAA vServer
add authentication vserver vs_aaa_ex2016_auth_basic SSL 0.0.0.0 -AuthenticationDomain ${AAA_DOMAIN}
Bind LDAP policy
bind authentication vserver aaa_vs_ex2016_auth_basic -policy pol_auth_ldap -priority 100
Enable 401 auth for ActiveSync
set lb vserver vs_lb_http_ex2016_activesync -authn401 ON -authnVsName aaa_vs_ex2016_auth_basic
6.3.1. Group Filtering for ActiveSync
Authorization policy
add authorization policy pol_authorization_activesync "HTTP.REQ.USER.IS_MEMBER_OF(\"Netscaler-ActiveSync\").NOT" DENY
Bind authorization policy
bind lb vserver vs_lb_http_ex2016_activesync -policyName pol_authorization_activesync -priority 100 -gotoPriorityExpression END -type REQUEST
6.4. Preauth for OWA
AAA vServer
add authentication vserver vs_aaa_ex2016_auth_form SSL ${AAA_VIP} 443 -AuthenticationDomain ${AAA_DOMAIN}
add cs vserver vs_cs_http_ex2016_auth_form HTTP ${AAA_VIP} 80 -cltTimeout 180
Redirect all requests to SSL
bind cs vserver vs_cs_http_ex2016_auth_form -policyName pol_responder_ssl_redirect_owa -priority 100 -gotoPriorityExpression END -type REQUEST
Bind authentication policies
Bind your authentication policies as you like. This is an example with 2-factor (LDAP+RADIUS).
bind authentication vserver aaa_vs_ex2016_auth_form -policy pol_auth_ldap -priority 100
bind authentication vserver aaa_vs_ex2016_auth_form -policy pol_auth_radius -priority 100 -secondary
Enable formbased auth for OWA and ECP
set lb vserver vs_lb_http_ex2016_owa -AuthenticationHost ${AAA_FQDN} -Authentication ON -authnVsName vs_aaa_ex2016_auth_form
set lb vserver vs_lb_http_ex2016_ecp -AuthenticationHost ${AAA_FQDN} -Authentication ON -authnVsName vs_aaa_ex2016_auth_form
6.4.1. Group Filtering for OWA
Authorization policy
add authorization policy pol_authorization_owa "HTTP.REQ.USER.IS_MEMBER_OF(\"Netscaler-OWA\").NOT" DENY
Bind authorization policy
bind lb vserver vs_lb_http_ex2016_owa -policyName pol_authorization_owa -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_lb_http_ex2016_ecp -policyName pol_authorization_owa -priority 100 -gotoPriorityExpression END -type REQUEST
FormSSO and Logout from OWA
add tm formSSOAction prof_formsso_exchange_sso -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -nameValuePair "destination=https://${EX_FQDN}/owa/#authRedirect=true&flags=4&forcedownlevel=0&passwordText=&isUtf8=1" -responsesize 60000 -submitMethod POST
add tm trafficAction prof_traffic_exchange_sso_login -appTimeout 1 -SSO ON -formSSOAction prof_formsso_exchange_sso -persistentCookie ON -InitiateLogout OFF -kcdAccount NONE
add tm trafficAction prof_traffic_exchange_sso_logout -appTimeout 1 -SSO ON -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficPolicy pol_traffic_exchange_sso_login "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/owa/auth/logon.aspx\")" prof_traffic_exchange_sso_login
add tm trafficPolicy pol_traffic_exchange_sso_logout "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/owa/logoff.owa\")" prof_traffic_exchange_sso_logout
6.5. Preauth for Outlook Anywhere
You should already have an Keytab file. See CTX129314 for more information.
AAA vServer
add authentication vserver vs_aaa_ex2016_auth_kerberos SSL 0.0.0.0 -AuthenticationDomain ${AAA_DOMAIN}
Enable 401 based auth with Kerberos/NTLM
set lb vserver vs_lb_http_ex2016_ews -authn401 ON -authnVsName vs_aaa_ex2016_auth_kerberos
set lb vserver vs_lb_http_ex2016_rpc -authn401 ON -authnVsName vs_aaa_ex2016_auth_kerberos
set lb vserver vs_lb_http_ex2016_autodiscover -authn401 ON -authnVsName vs_aaa_ex2016_auth_kerberos
set lb vserver vs_lb_http_ex2016_oab -authn401 ON -authnVsName vs_aaa_ex2016_auth_kerberos
set lb vserver vs_lb_http_ex2016_mapi -authn401 ON -authnVsName vs_aaa_ex2016_auth_kerberos
Negotiate policy
For "NTML external path" a url with NTLM enabled auth on the target is required. This example may work if formbased auth is disabled for OWA.
add authentication negotiateAction act_negotiate_ex2016 -keytab "/nsconfig/krb/ns_kcd.keytab" -NTLMPath "https://${INT_EX_LB}/owa/"
add authentication negotiatePolicy pol_negotiate_ex2016 ns_true act_negotiate_ex2016
Bind negotiate policy
bind authentication vserver aaa_vs_ex2016_auth_kerberos -policy pol_negotiate_ex2016 -priority 100
Add KCD account
The realm should be your internal domain name in uppercase.
add aaa kcdAccount svc_ctxnetscaler_krb -keytab "/nsconfig/krb/nskrb.keytab" -userRealm ${REALM}
Session policy
add tm sessionPolicy pol_session_ex2016 true prof_session_kerberos
add tm sessionAction act_session_ex2016 -sessTimeout 60 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain ${SSO_DOMAIN} -httpOnlyCookie NO -kcdAccount svc_ctxnetscaler_krb
Bind session policy
bind authentication vserver aaa_vs_ex2016_auth_kerberos -policy pol_session_ex2016 -priority 100 -gotoPriorityExpression NEXT
6.5.1. Group Filtering for Outlook Anywhere
It’s not possible to extract the groups from a user when NTLM or Kerberos authentication is used. Instead you could use a HTTP callout to a PHP script with and simple ldapsearch. You can find an example written in PHP inside of the contrib directory.
It’s possible to host the file directly on the NetScaler (NetScaler has php and php-ldap installed). I only recommend this if a Platinum license is available (so caching of callout responses is possible). Otherwise consider hosting the script on a different machine.
Just put the file ldapgroups.php inside of /nsconfig and create a symlink from /var/ns_gui/shared/ldapgroups.php to /nsconfig/ldapgroups.php. Use the nsbefore.sh to make this persistent across reboots.
Callouts to the NSIP are blocked. Make sure you use a SNIP with management access (HTTP or HTTPS) enabled.
nsbefore.sh
# /nsconfig/nsbefore.sh
cd /var/ns_gui/shared && ln -s /nsconfig/ldapgroups.php .
HTTP Callout
add policy httpCallout callout_http_usergroups -IPAddress ${MGMT_SNIP} -port 80 -returnType TEXT -hostExpr "\"${MGMT_SNIP}\"" -urlStemExpr "\"/shared/ldapgroups.php\"" -parameters username(HTTP.REQ.USER.LOGIN_NAME) -scheme http -resultExpr "HTTP.RES.BODY(99999)" -cacheForSecs 3600 -comment "get groups from active directory"
Responder filtering policy
The HTTP response code is set to 503. If a user is blocked he will receive an error in his Outlook client.
add responder action act_responder_filter_outlook respondwithhtmlpage ex2016_deny.html -responseStatusCode 503
add responder policy pol_responder_filter_outlook "SYS.HTTP_CALLOUT(callout_http_usergroups).CONTAINS(\"Netscaler-Outlook\").NOT" act_responder_filter_outlook
Bind responder policy
bind lb vserver vs_lb_http_ex2016_ews -policyName pol_responder_filter_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_lb_http_ex2016_rpc -policyName pol_responder_filter_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_lb_http_ex2016_autodiscover -policyName pol_responder_filter_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_lb_http_ex2016_oab -policyName pol_responder_filter_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_lb_http_ex2016_mapi -policyName pol_responder_filter_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
6.6. SMTP, IMAP, POP3
Be sure that you use USIP to forward the client IPs to the Exchange servers.
LB vServers
add lb vserver vs_lb_tcp_ex2016_pop3 TCP ${EX_VIP} 110 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_tcp_ex2016_imap TCP ${EX_VIP} 143 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_ssl_tcp_ex2016_imaps SSL ${EX_VIP} 993 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_ssl_tcp_ex2016_pop3s SSL ${EX_VIP} 995 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_tcp_ex2016_smtp TCP ${EX_VIP} 25 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_ssl_tcp_ex2016_smtps SSL ${EX_VIP} 465 -persistenceType NONE -state DISABLED -cltTimeout 180
add lb vserver vs_lb_tcp_ex2016_msa TCP ${EX_VIP} 587 -persistenceType NONE -state DISABLED -cltTimeout 180
@TODO: configuration of service groups
@TODO: configuration of peristence
7. NetScaler Gateway
7.1. ICA only
add vpn sessionAction action_session_receiver -splitTunnel OFF -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://${SF_FQDN}/Citrix/StoreWeb" -ClientChoices OFF -ntDomain CTXDEMO -clientlessVpnMode OFF -storefronturl "https://${SF_FQDN}"
add vpn sessionAction action_session_web -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://${SF_FQDN}/Citrix/StoreWeb" -icaProxy ON -wihome "http://${SF_FQDN}/Citrix/StoreWeb" -ClientChoices OFF -ntDomain CTXDEMO -clientlessVpnMode OFF
add vpn sessionPolicy pol_session_receiver "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" action_session_receiver
add vpn sessionPolicy pol_session_web ns_true action_session_web
add vpn vserver vs_vpn_citrix SSL ${VIP_GW} 443 -icaOnly ON -downStateFlush DISABLED -Listenpolicy NONE
bind vpn vserver vs_vpn_citrix -staServer "http://${XDC1_FQDN}"
bind vpn vserver vs_vpn_citrix -staServer "http://${XDC2_FQDN}"
bind vpn vserver vs_vpn_citrix -policy pol_auth_ldap
bind vpn vserver vs_vpn_citrix -policy pol_session_receiver -priority 100
bind vpn vserver vs_vpn_citrix -policy pol_session_web -priority 200
Workaround: Inject internal Storefront FQDN into each Requests Sometimes the request to Storefront is sent with the external FQDN. This causes that the request is dropped in some situations (e.g. with Loadbalancing on a Sophos UTM).
add rewrite action act_rewrite_hostname replace HTTP.REQ.HOSTNAME "${SF_FQDN}"
add rewrite policy pol_rewrite_hostname true act_rewrite_hostname
bind vpn vserver vs_vpn_citrix -policy pol_rewrite_hostname -priority 100 -gotoPriorityExpression END -type REQUEST
7.2. SmartAccess
Rewriting of Storefront Cookies need to be disabled.
add policy patset patset_storefront_cookies
bind policy patset patset_storefront_cookies CsrfToken -index 1
bind policy patset patset_storefront_cookies ASP.NET_SessionId -index 2
bind policy patset patset_storefront_cookies CtxsPluginAssistantState -index 3
bind policy patset patset_storefront_cookies CtxsAuthId -index 4
add vpn clientlessAccessProfile profile_clientless_storefront
set vpn clientlessAccessProfile profile_clientless_storefront -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies patset_storefront_cookies
add vpn clientlessAccessPolicy pol_clientless_storefront true profile_clientless_storefront
Setting for Storefront (web.config) to allow use in HTML Frames.
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Content-Security-Policy" value="frame-ancestors 'self'" />
add vpn sessionPolicy pol_session_web_portal ns_true profile_session_web_portal
add vpn sessionAction profile_session_web_portal -sessTimeout 1440 -transparentInterception ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 1440 -clientCleanupPrompt OFF -forceCleanup none -clientConfiguration trace -SSO ON -homePage none -icaProxy ON -wihome "https://${SF_FQDN}/Citrix/LabWeb" -citrixReceiverHome "https://${SF_FQDN}/Citrix/LabWeb" -wiPortalMode NORMAL -ClientChoices ON -ntDomain ${SSO_DOMAIN} -clientlessVpnMode OFF -emailHome "https://${EX_FQDN}/owa" -clientlessModeUrlEncoding TRANSPARENT -storefronturl "https://${SF_FQDN}/Citrix/Lab" -rdpClientProfileName profile_rdp_client_default -iconWithReceiver ON
8. XenMobile
8.1. MDM Loadbalancing
# Server
add server ${XMS_FQDN} ${XMS_IP}
Servicegroups
add serviceGroup sg_xm_mdm SSL_BRIDGE -maxClient 0 -maxReq 0 -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
add serviceGroup sg_xm_mdm_ios SSL_BRIDGE -maxClient 0 -maxReq 0 -cacheable YES -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
Server Binding
bind serviceGroup sg_xm_mdm ${XMS_FQDN} 443
bind serviceGroup sg_xm_mdm_ios ${XMS_FQDN} 8443
Monitor
bind serviceGroup sg_xm_mdm -monitorName tcp
bind serviceGroup sg_xm_mdm_ios -monitorName tcp
vServers
add lb vserver vs_lb_ssl_bridge_xm_mdm SSL_BRIDGE ${MDM_VIP} 443 -persistenceType SSLSESSION -cltTimeout 180
add lb vserver vs_lb_ssl_bridge_xm_mdm_ios SSL_BRIDGE ${MDM_VIP} 8443 -persistenceType SSLSESSION -cltTimeout 180
Servicegroup Binding
bind lb vserver vs_lb_ssl_bridge_xm_mdm sg_xm_mdm
bind lb vserver vs_lb_ssl_bridge_xm_mdm_ios sg_xm_mdm_ios
8.2. MAM Loadbalancing
# Servicegroup
add serviceGroup sg_xm_mam_http HTTP -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
# Server Binding
bind serviceGroup sg_xm_mam_http ${XMS_FQDN} 80
# Monitor
bind serviceGroup sg_xm_mam_http -monitorName tcp
# vServer
add lb vserver vs_lb_xm_mam SSL ${MAM_LB_VIP} 8443 -persistenceType SOURCEIP -cltTimeout 180
# Service Binding
bind lb vserver vs_lb_xm_mam sg_xm_mam_http
8.3. MAM Gateway
# Intranet Domains (Client VPN)
bind vpn global -intranetDomain customer.local
# Intranet Domains (Clientless VPN)
bind policy patset ns_cvpn_default_inet_domains customer.local -index 2
bind policy patset ns_cvpn_default_inet_domains mdm.customer.com -index 3
bind policy patset ns_cvpn_default_inet_domains mdm.customer.com:8443 -index 4
# Traffic fuer mdm.customer.com an den MAM Loadbalancer schicken
add dns addRec mdm.customer.com ${MAM_LB_VIP}
# Storefront Cookies Patternset
add policy patset storefront_cookies
bind policy patset storefront_cookies CsrfToken -index 1
bind policy patset storefront_cookies ASP.NET_SessionId -index 2
bind policy patset storefront_cookies CtxsPluginAssistantState -index 3
bind policy patset storefront_cookies CtxsAuthId -index 4
# Clientless Access Rewrite
add vpn clientlessAccessProfile prof_clientless_rewrite_sf
add vpn clientlessAccessProfile prof_clientless_norewrite
set vpn clientlessAccessProfile prof_clientless_rewrite_sf -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies storefront_cookies
add vpn clientlessAccessPolicy pol_clientless_rewrite_sf true prof_clientless_rewrite_sf
add vpn clientlessAccessPolicy pol_clientless_norewrite "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" prof_clientless_norewrite
# Session Policies
add vpn sessionAction act_session_xenmobile_os -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.customer.com:8443"
add vpn sessionAction act_session_xenmobile_web -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.customer.com:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "https://mdm.customer.de:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction act_session_xenmobile_ag -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.customer.com:8443/Citrix/StoreWeb"
-icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.customer.com:8443"
add vpn sessionPolicy pol_session_xenmobile_os "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" act_session_xenmobile_os
add vpn sessionPolicy pol_session_xenmobile_web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" act_session_xenmobile_web
add vpn sessionPolicy pol_session_xenmobile_ag "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" act_session_xenmobile_ag
# VPN vServer
add vpn vserver vs_vpn_xm_mam_gateway SSL ${MAM_VIP} 443 -Listenpolicy NONE -cginfraHomePageRedirect DISABLED
# Binding Auth (UPN)
bind vpn vserver vs_vpn_xm_mam_gateway -policy pol_auth_ldaps_lm_xenmobile -priority 100
# Binding Session Policies
bind vpn vserver vs_vpn_xm_mam_gateway -policy pol_session_xenmobile_os -priority 100
bind vpn vserver vs_vpn_xm_mam_gateway -policy pol_session_xenmobile_web -priority 110
bind vpn vserver vs_vpn_xm_mam_gateway -policy pol_session_xenmobile_ag -priority 120
# Binding Clientless Access Policies
bind vpn vserver vs_vpn_xm_mam_gateway -policy prof_clientless_norewrite -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vs_vpn_xm_mam_gateway -policy pol_clientless_rewrite_sf -priority 100 -gotoPriorityExpression END -type REQUEST
# STA; Sharefile, AppController (obsolet)
bind vpn vserver vs_vpn_xm_mam_gateway -staServer "http://mdm.customer.com:8443"
bind vpn vserver vs_vpn_xm_mam_gateway -appController "https://mdm.customer.com:8443"
bind vpn vserver vs_vpn_xm_mam_gateway -sharefile mdm.customer.com:8443
# Default Cache Policies
bind vpn vserver vs_vpn_xm_mam_gateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vs_vpn_xm_mam_gateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vs_vpn_xm_mam_gateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vs_vpn_xm_mam_gateway -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vs_vpn_xm_mam_gateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
9. ShareFile StorageZone
add server %{SZC_FQDN} ${SZC_IP}
add serviceGroup sg_ssl_sharefile SSL -maxClient 0 -maxReq 0 -cacheable YES -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO
bind serviceGroup sg_ssl_sharefile %{SZC_FQDN} 443
add lb vserver vs_lb_http_sharefile_storagezone HTTP 0.0.0.0 0 -persistenceType SOURCEIP -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")" -Listenpolicy NONE -cltTimeout 180
add lb vserver vs_lb_http_sharefile_cifs_sp HTTP 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 240 -Listenpolicy NONE -cltTimeout 180 -authn401 ON -authnVsName vs_aaa_sharefile_auth
add lb vserver vs_lb_http_sf_zone_options HTTP 0.0.0.0 0 -persistenceType SOURCEIP -Listenpolicy NONE -cltTimeout 180
bind lb vserver vs_lb_ssl_sharefile_storagezone sg_http_sharefile
bind lb vserver vs_lb_ssl_sharefile_cifs_sp sg_http_sharefile
bind lb vserver vs_lb_ssl_sf_zone_options sg_http_sharefile
add cs vserver vs_cs_ssl_sharefile SSL ${SZC_LB_VIP} 443 -cltTimeout 180 -Listenpolicy NONE
add cs vserver vs_cs_http_sharefile_redirect_to_ssl HTTP ${SZC_LB_VIP} 80 -cltTimeout 180 -Listenpolicy NONE
add authentication vserver vs_aaa_sharefile_auth SSL ${AAA_VIP} 443
add cs vserver vs_cs_http_shareauth_redirect_to_ssl HTTP ${AAA_VIP} 80 -cltTimeout 180 -Listenpolicy NONE
add policy httpCallout callout_sharefile -vServer vs_lb_http_sharefile_storagezone -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).N192OT"
add policy httpCallout callout_sharefile_y -vServer vs_lb_http_sharefile_storagezone -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
set policy httpCallout callout_sharefile -vServer vs_lb_http_sharefile_storagezone -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
set policy httpCallout callout_sharefile_y -vServer vs_lb_http_sharefile_storagezone -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add responder policy pol_responder_sharefile "HTTP.REQ.URL.CONTAINS(\"&h=\") && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT&& HTTP.REQ.URL.CONTAINS(\"/validate.ashxrequri\").NOT&& SYS.HTTP_CALLOUT(callout_sharefile) || HTTP.REQ.URL.CONTAINS(\"&h=\").NOT && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT&& HTTP.REQ.URL.CONTAINS(\"/validate.ashxrequri\").NOT&& SYS.HTTP_CALLOUT(callout_sharefile_y)" DROP
Import the SAML certificate from sharefile.com.
add ssl certKey saml_sharefile.com -cert saml_sharefile.com.crt
add authentication samlIdPProfile profile_auth_saml_idp_sharefile -samlSPCertName ${SF_SUBDOMAIN}.sharefile.com -samlIdPCertName sharefile.customer.de -assertionConsumerServiceURL "https://customer.sharefile.com/saml/acs" -samlIssuerName "https://shareauth.customer.de" -rejectUnsignedRequests OFF -audience "https://customer.sharefile.com"
add authentication samlIdPPolicy pol_auth_saml_idp_sharefile -rule "HTTP.REQ.URL.CONTAINS(\"saml\")" -action profile_auth_saml_idp_sharefile
add cs action act_cs_sharefile_options -targetLBVserver vs_lb_http_sf_zone_options
add cs policy pol_cs_sharefile_options -rule "HTTP.REQ.METHOD.EQ(\"OPTIONS\")" -action act_cs_sharefile_options
add cs policy pol_cs_sharefile_not_cifs_sp_proxy -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT || HTTP.REQ.URL.CONTAINS(\"/ProxyService/\").NOT"
add cs policy pol_cs_sharefile_cifs_sp_proxy -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\") || HTTP.REQ.URL.CONTAINS(\"/ProxyService/\") "
bind lb vserver vs_lb_http_sharefile_storagezone sg_http_sharefile
bind lb vserver vs_lb_http_sharefile_cifs_sp sg_http_sharefile
bind lb vserver vs_lb_http_sf_zone_options sg_http_sharefile
bind lb vserver vs_lb_http_sharefile_storagezone -policyName pol_responder_sharefile -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver vs_cs_ssl_sharefile -policyName pol_cs_sharefile_options -priority 80
bind cs vserver vs_cs_ssl_sharefile -policyName pol_cs_sharefile_cifs_sp_proxy -targetLBVserver vs_lb_http_sharefile_cifs_sp -priority 90
bind cs vserver vs_cs_ssl_sharefile -policyName pol_cs_sharefile_not_cifs_sp_proxy -targetLBVserver vs_lb_http_sharefile_storagezone -priority 100
bind cs vserver vs_cs_http_sharefile_redirect_to_ssl -policyName pol_responder_generic_redirect_ssl -priority 100 -gotoPriorityExpression END -type REQUEST
add tm sessionAction act_session_sharefile -SSO ON -ssoCredential PRIMARY -ssoDomain CUSTOMER -homePage "https://${SF_SUBDOMAIN}.sharefile.com/saml/login"
add tm sessionPolicy pol_session_sharefile ns_true act_session_sharefile
bind authentication vserver vs_aaa_sharefile_auth -policy pol_ldap_sharefile -priority 100
bind authentication vserver vs_aaa_sharefile_auth -policy pol_session_sharefile -priority 100
bind authentication vserver vs_aaa_sharefile_auth -policy pol_auth_saml_idp_sharefile -priority 100 -gotoPriorityExpression END
10. SMS Passcode
RADIUS configuration for SMS Passcode, also known as CensorNet MFA.
add authentication radiusAction act_radius_smspasscode -serverName ${SMSPC_SERVER} -serverPort 1812 -radKey ${SMSPC_PSK} -radVendorID 1 -radAttributeType 99 -radGroupsPrefix CTXUserGroups= -radGroupSeparator "," -accounting ON -callingstationid ENABLED
add authentication radiusPolicy pol_radius_smspasscode ns_true act_radius_smspasscode
10.1. Hide second password field
Hide second password field via HTTP header for Citrix Receiver.
add rewrite action act_rewrite_auth_type_SMS insert_http_header X-Citrix-AM-GatewayAuthType "\"SMS\""
add rewrite policy pol_rewrite_auth_type_SMS true act_rewrite_auth_type_SMS
add rewrite action act_rewrite_auth_type_CertAndRSA insert_http_header X-Citrix-AM-GatewayAuthType "\"CertAndRSA\""
add rewrite policy pol_rewrite_auth_type_CertAndRSA true act_rewrite_auth_type_CertAndRSA
Hide second password field via Cookie (Webbrowser).
add rewrite action act_rewrite_pwcount_cookie insert_http_header Set-Cookie "\"pwcount=0\""
add rewrite policy pol_rewrite_pwcount_cookie true act_rewrite_pwcount_cookie
11. Preauth for VMware vCenter (vCSA)
-
Publishing VMware vSphere 6.5 vCSA HTML5 UI behind NetScaler
-
Rewriting the internal dnsname for external access
-
Preauth with NetScaler AAA (SSO: to be done)
11.1. Loadbalancing
Server
add server ${VCSA_FQDN} ${VCSA_IP}
Servicegroup
add serviceGroup sg_ssl_vcsa SSL -cip ENABLED X-Forwarded-For
Server Binding
bind serviceGroup sg_ssl_vcsa ${VCSA_FQDN} 443
vServer
add lb vserver vs_lb_http_vcsa HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
Servicegroup Binding
bind lb vserver vs_lb_http_vcsa sg_ssl_vcsa
11.2. Content Switching
vServer
add cs vserver vs_cs_ssl_vcsa SSL ${VCSA_VIP} 443 -cltTimeout 180
add cs vserver vs_cs_http_vcsa HTTP ${VCSA_VIP} 80 -cltTimeout 180
CS Policy
add cs policy pol_cs_vcsa_ui -rule "HTTP.REQ.URL.STARTSWITH(\"/websso/\") || HTTP.REQ.URL.STARTSWITH(\"/ui/\")" -action act_cs_vcsa_ui
add cs action act_cs_vcsa_ui -targetLBVserver vs_lb_http_vcsa_websso
Enable Websockets
add ns httpProfile profile_http_websockets -dropInvalReqs ENABLED -markHttp09Inval ENABLED -conMultiplex DISABLED -webSocket ENABLED
set cs vserver vs_cs_ssl_vcsa -httpProfileName profile_http_websockets
11.3. URL Rewriting
Transform Policy
add transform profile prof_transform_vcsa
add transform action act_transform_vcsa prof_transform_vcsa 100
set transform action act_transform_vcsa -priority 100 -reqUrlFrom vcsa.example.com -reqUrlInto vcenter01.example.local -resUrlFrom vcenter01.example.local -resUrlInto vcsa.example.com
add transform policy pol_transform_vcsa "HTTP.REQ.URL.STARTSWITH(\"/ui/login\") || HTTP.REQ.URL.STARTSWITH(\"/ui/logout\") || HTTP.REQ.URL.STARTSWITH(\"/ui/saml\") || HTTP.REQ.URL.STARTSWITH(\"/websso/\")" prof_transform_vcsa
Binding Policy
bind lb vserver vs_lb_http_vcsa -policyName pol_transform_vcsa -priority 100 -gotoPriorityExpression END -type REQUEST
11.4. Preauth
Traffic Policy (Logout)
add tm trafficAction prof_traffic_vcsa_logout -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficPolicy pol_traffic_vcsa_logout "HTTP.REQ.URL.EQ(\"/ui/logout\")" prof_traffic_vcsa_logout
Traffic Policy Binding (also possible on cs level)
bind lb vserver vs_lb_http_vcsa -policyName pol_traffic_vcsa_logout -priority 100 -gotoPriorityExpression END -type REQUEST
12. External links
Common
-
Netscaler HowTo Guides - Common Configuration HowTo guides
-
NetScaler Deployment Guides - Some offical Deployment Guides by Citrix
CTX Articles
-
CTX214033 - NetScaler Networking and VLAN Best Practices
-
CTX121149 - Recommended Settings and Best Practices for Generic Implementation of a NetScaler Appliance
-
CTX200278 - NetScaler VPX Loses Network Connectivity on VMware ESXi 5.1.0 2191751, VMware ESXi 5.5 2143827 and also on VMware ESXi 6.0
-
CTX224576 - NetScaler VPX Loses Network Connectivity Intermittently on VMware ESXi After Upgrading to Version 12.0
-
CTX201949 - One Public IP for AAA-TM Deployments on NetScaler
-
CTX138055 - How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance
-
CTX205578 - Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Server Breaks
-
CTX225681 - Large File Uploads Fails on NetScaler with Content Length 0 POST Requests
SSL Tips
-
https://testssl.sh/ - Shell script for testing TLS/SSL encryption
-
https://cipherli.st/ - Strong Ciphers for Apache, nginx and Lighttpd
-
https://www.ssllabs.com/ssltest/ - Qualys SSL Labs server test
-
https://observatory.mozilla.org/ - Mozilla Observatory test
Monitoring
-
check_netscaler - check_netscaler Nagios Plugin
-
check_netscaler_gateway - check_netscaler_gateway Nagios Plugin
-
check_nsupdates - check_nsupdates Nagios Plugin