1. Home
  2. BLOG
  3. NETSCALER GATEWAY AND MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION - PART 3: TECH BRIEF

NETSCALER GATEWAY AND MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION - PART 3: TECH BRIEF

09 Jan
NETSCALER GATEWAY AND MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION - PART 3: TECH BRIEF

Courtesy Cloud Software Group/NetScaler

NetScaler Gateway presents all hosted, SaaS, web, enterprise, and mobile applications to users on any device and any browser. It uses nFactor Authentication to authenticate users against on-premises Microsoft AD and leverages Microsoft AD FS for Azure Multi-Factor Authentication (MFA). 

Configure NetScaler Gateway and integrate with StoreFront – CLI

 

Create Session Policy and Action for Citrix Receiver

add vpn sessionAction AC_OS_22.22.44.50 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://access.ctxdemos.com/Citrix/ExternalWeb" -ClientChoices OFF -ntDomain CTXDEMOS -clientlessVpnMode OFF -storefronturl "https://access.ctxdemos.com" 
add vpn sessionPolicy PL_OS_22.22.44.50 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixVPN\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NSGiOSplugin\").NOT" AC_OS_22.22.44.50

 

Create Session Policy and Action for Citrix Web Client

add vpn sessionAction AC_WB_22.22.44.50 -transparentInterception ON -defaultAuthorizationAction ALLOW -forceCleanup cookie -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "https://storefront.ctxdemos.com/Citrix/ExternalWeb" -wiPortalMode COMPACT -ClientChoices OFF -ntDomain CTXDEMOS -clientlessVpnMode ON -clientlessPersistentCookie ALLOW 
add vpn sessionPolicy PL_WB_22.22.44.50 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_22.22.44.50

 

Create Session Policy and Action for NetScaler Gateway Client

add vpn sessionAction UG_VPN_SAct_22.22.44.50 -transparentInterception ON -DefaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON 
add vpn sessionPolicy UG_VPN_SPol_22.22.44.50 true UG_VPN_SAct_22.22.44.50

 

Create Responder Policy and Action for Gateway Logout

add responder action RESACT_GATEWAY_LOGOFF_REDIRECT redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE" -responseStatusCode 302 
add responder policy RESPOL_GATEWAY_LOGOFF_REDIRECT "HTTP.REQ.URL.CONTAINS(\"/cgi/logout\")" RESACT_GATEWAY_LOGOFF_REDIRECT

 

Create NetScaler Gateway vServer

add vpn vserver UGVS_VPN_UGCTXDEMOS SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn access.ctxdemos.com set ssl vserver UGVS_VPN_UGCTXDEMOS -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind ssl vserver UGVS_VPN_UGCTXDEMOS -certkeyName CTXDEMOS_PUBLIC_CERT 
bind ssl vserver UGVS_VPN_UGCTXDEMOS -cipherName CTXDEMOS_FRONTEND_APLUS 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -portaltheme CTXDEMOS_PORTAL 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -staServer "https://wsctxdc01.ctxdemos.com" 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -policy RESPOL_GATEWAY_LOGOFF_REDIRECT -priority 100 -gotoPriorityExpression END -type REQUEST 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -policy PL_OS_22.22.44.50 -priority 100 -gotoPriorityExpression NEXT -type REQUEST 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -policy PL_WB_22.22.44.50 -priority 110 -gotoPriorityExpression NEXT -type REQUEST 
bind vpn vserver UGVS_VPN_UGCTXDEMOS -policy UG_VPN_SPol_22.22.44.50 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST

 

Create Content Switching Policy and Action for NetScaler Gateway

add cs action CSACT_UGCTXDEMOS -targetVserver UGVS_VPN_UGCTXDEMOS 
add cs policy CSPOL_UGCTXDEMOS -rule "is_vpn_url  ||  HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/External\")" -action CSACT_UGCTXDEMOS

 

Create Content Switching vServer for NetScaler Gateway

add cs vserver CSVS_UGCTXDEMOS SSL 22.22.44.50 443 -cltTimeout 180 
set ssl vserver CSVS_UGCTXDEMOS -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind ssl vserver CSVS_UGCTXDEMOS -certkeyName CTXDEMOS_PUBLIC_CERT 
bind ssl vserver CSVS_UGCTXDEMOS -cipherName CTXDEMOS_FRONTEND_APLUS 
bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_UGCTXDEMOS -priority 63000

 

Create Responder Policy and Action for HTTP to HTTPS Redirection

add responder action RESACT_HTTP_TO_HTTPS redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 301 
add responder policy RESPOL_HTTP_TO_HTTPS HTTP.REQ.IS_VALID RESACT_HTTP_TO_HTTPS

 

Create Always On Server and Service

add server LBSRV_ALWAYS_UP 127.0.0.1 
add service LBSVC_ALWAYS_UP LBSRV_ALWAYS_UP HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

 

Create Always On vServer for NetScaler Gateway

add lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS HTTP 22.22.44.50 80 -persistenceType NONE -cltTimeout 180 
bind lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS LBSVC_ALWAYS_UP 
bind lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS -policyName RESPOL_HTTP_TO_HTTPS -priority 100 -gotoPriorityExpression END -type REQUEST

 

Configure the first authentication server

 

Create Initialization SAML SP Policy and Action and Bind it to NetScaler ADC AAA Authentication vServer

add authentication samlAction AUTH_ACT_SAML_SP_VPN_TO_LB -samlIdPCertName CTXDEMOS_PUBLIC_CERT -samlSigningCertName CTXDEMOS_PUBLIC_CERT -samlRedirectUrl "https://access.ctxdemos.com/samltolb" -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlBinding REDIRECT -groupNameField Groups 
add authentication Policy AUTH_POL_SAMP_SP_VPN_TO_LB -rule TRUE -action AUTH_ACT_SAML_SP_VPN_TO_LB

 

Create Authentication Policy and Action for SAML SP to ADFS

add authentication samlAction AUTH_ACT_SAML_SP_ADFS -samlIdPCertName CTXDEMOS_ADFS_TOKEN_SIGNING -samlSigningCertName CTXDEMOS_PUBLIC_CERT -samlRedirectUrl "https://sts.ctxdemos.com/adfs/ls/" -samlUserField "Name ID" -samlRejectUnsignedAssertion OFF -samlIssuerName "https://access.ctxdemos.com" -Attribute1 "E-Mail Address" -signatureAlg RSA-SHA256 -digestMethod SHA256 -logoutURL "https://sts.ctxdemos.com/adfs/ls/wa=wsignout1.0" -forceAuthn ON 
add authentication Policy AUTH_POL_SAML_SP_ADFS -rule TRUE -action AUTH_ACT_SAML_SP_ADFS

 

Create Authentication Policy Label for for SAML SP to ADFS

add authentication policylabel AUTH_POLLBL_ADFS_AZUREMFA -loginSchema LSCHEMA_INT 
bind authentication policylabel AUTH_POLLBL_ADFS_AZUREMFA -policyName AUTH_POL_SAML_SP_ADFS -priority 100 -gotoPriorityExpression NEXT

 

Create Authentication Policy and Action for Group Extraction

add authentication ldapAction AUTH_ACT_LDAP_GROUP_EXTRACTION_AZUREMFACA -serverIP 22.22.22.61 -serverPort 636 -ldapBase "DC=ctxdemos,DC=com" -ldapBindDn "CN=svc_ctxadc01,OU=Services,OU=Accounts,DC=ctxdemos,DC=com" -ldapBindDnPassword 0c4fe86d56a865ef514a15affd1429f3e079ce1089731d4a407772d21036f3c8 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=AzureMFACAUsers,OU=Groups,OU=Authorizations,DC=ctxdemos,DC=com" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -nestedGroupExtraction ON -maxNestingLevel 5 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -Attribute1 mail -Attribute2 objectGUID 
add authentication Policy AUTH_POL_LDAP_GROUP_EXTRACTION_AZURAMFACA -rule TRUE -action AUTH_ACT_LDAP_GROUP_EXTRACTION_AZUREMFACA

 

Create Authentication Policy Label for Group Extraction

add authentication policylabel AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -loginSchema LSCHEMA_INT 
bind authentication policylabel AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -policyName AUTH_POL_LDAP_GROUP_EXTRACTION_AZURAMFACA -priority 100 -gotoPriorityExpression NEXT -nextFactor AUTH_POLLBL_ADFS_AZUREMFA

Create Login Schema Policy and Profile for First NetScaler ADC AAA Authentication vServer

add authentication loginSchema LSCHEMA_PRF_NOSCHEMA -authenticationSchema noschema -SSOCredentials YES 
add authentication loginSchemaPolicy LSCHEMA_POL_NOSCHEMA -rule TRUE -action LSCHEMA_PRF_NOSCHEMA

 

Create First NetScaler ADC AAA Authentication vServer

add authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN SSL 0.0.0.0 
set ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -certkeyName CTXDEMOS_PUBLIC_CERT 
bind ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -cipherName CTXDEMOS_FRONTEND_APLUS 
bind authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN -policy LSCHEMA_POL_NOSCHEMA -priority 100 -gotoPriorityExpression END 
bind authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN -policy AUTH_POL_SAMP_SP_VPN_TO_LB -priority 100 -nextFactor AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -gotoPriorityExpression NEXT

 

Create First NetScaler ADC AAA Authentication Profile

add authentication authnProfile AAA_AUTH_PRF_VPN -authnVsName AAAVS_CTXDEMOS_COM_FOR_VPN -AuthenticationHost aaa.ctxdemos.com

 

Set Authentication Profile on Gateway vServer

set vpn vserver UGVS_VPN_UGCTXDEMOS -authnProfile AAA_AUTH_PRF_VPN

 

Configure a second authentication server

 

Create Authentication Policy and Action for LDAP

add authentication ldapAction AUTH_ACT_LDAP -serverIP 22.22.22.61 -serverPort 636 -authTimeout 60 -ldapBase "DC=ctxdemos,DC=com" -ldapBindDn "CN=svc_ctxadc01,OU=Services,OU=Accounts,DC=ctxdemos,DC=com" -ldapBindDnPassword 273881819af883e70c33d83c0546eac84e81d6eeba904f2d65bbebf2819c025a -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -maxNestingLevel 5 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -Attribute1 userprincipalname -Attribute2 mail -Attribute3 userParameters 
add authentication Policy AUTH_POL_LDAP_USER_NAME_PASSWORD -rule TRUE -action AUTH_ACT_LDAP

 

Create Login Schema Policy and Profile for Second NetScaler ADC AAA Authentication vServer - Username (Pre-filled ) and Password

add authentication loginSchema LSCHEMA_USER_NAME_PASSWORD -authenticationSchema "/nsconfig/loginschema/CTXDEMOS_USER_NAME_PASS.xml" -SSOCredentials YES 
add authentication loginSchemaPolicy LSCHEMA_POL_USER_NAME_PASSWORD -rule TRUE -action LSCHEMA_USER_NAME_PASSWORD

 

Create Authentication Policy Label for LDAP Username and Password

add authentication policylabel AUTH_POLLBL_LDAP_USER_NAME_PASSWORD -loginSchema LSCHEMA_USER_NAME_PASSWORD 
bind authentication policylabel AUTH_POLLBL_LDAP_USER_NAME_PASSWORD -policyName AUTH_POL_LDAP_USER_NAME_PASSWORD -priority 110 -gotoPriorityExpression NEXT

 

Create Login Schema Policy and Profile for Second NetScaler ADC AAA Authentication vServer - Username Only

add authentication loginSchema LSCHEMA_USER_NAME_ONLY -authenticationSchema "/nsconfig/loginschema/CTXDEMOS_USER_NAME_ONLY.xml" 
add authentication loginSchemaPolicy LSCHEMA_POL_NOPASSWORD -rule TRUE -action LSCHEMA_USER_NAME_ONLY

 

Create NetScaler ADC AAA Session Policy and Profile

add tm sessionAction AAA_SESSION_PRF_CTXDEMOS -SSO ON -ssoDomain CTXDEMOS -persistentCookie ON -persistentCookieValidity 30 
add tm sessionPolicy AAA_SESSION_POL_CTXDEMOS TRUE AAA_SESSION_PRF_CTXDEMOS

 

Create Second NetScaler ADC AAA Authentication vServer

add authentication vserver AAAVS_CTXDEMOS_COM SSL 22.22.44.51 443 
set ssl vserver AAAVS_CTXDEMOS_COM -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind ssl vserver AAAVS_CTXDEMOS_COM -certkeyName CTXDEMOS_PUBLIC_CERT 
bind ssl vserver AAAVS_CTXDEMOS_COM -cipherName CTXDEMOS_FRONT 

Create Second NetScaler ADC AAA Authentication Profile

add authentication authnProfile AAA_AUTH_PRF -authnVsName AAAVS_CTXDEMOS_COM -AuthenticationHost aaa.ctxdemos.com

 

Configure NetScaler ADC as AD FS WAP

Run the following commands in NetScaler ADC CLI to configure NetScaler ADC as AD FS Web Application Proxy (WAP): 

Pattern Set - ADFS Proxy Hostname

add policy patset PATSET_ADFS_HOSTNAME 
bind policy patset PATSET_ADFS_HOSTNAME sts.ctxdemos.com -index 1 -charset ASCII

Policy Expression - ADFS Proxy Hostname

add policy expression is_ADFS_HOSTNAME "HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_HOSTNAME\")"

 

Pattern Set - ADFS Proxy Path for NoAuth

add policy patset PATSET_ADFS_PATH_NOAUTH 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust" -index 1 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/federationmetadata/2007-06/federationmetadata.xml" -index 2 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/fs/federationserverservice.asmx" -index 3 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/ls/FormsSignIn.aspx" -index 4 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust/2005/usernamemixed" -index 5 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust/mex" -index 6 -charset ASCII

  

Policy Expression - ADFS Proxy Path for NoAuth

add policy expression is_ADFS_PROXY_NOAUTH "HTTP.REQ.URL.PATH.TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_PATH_NOAUTH\")"

 

Pattern Set - ADFS Proxy Path for Passive Client

add policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVE 
bind policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVE "/adfs" -index 1 -charset ASCII 
bind policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVE "/cgi/selfauth" -index 2 -charset ASCII

 

Policy Expression - ADFS Proxy Path for Passive Client

add policy expression is_ADFS_PROXY_ACTIVE_PASSIVE "(HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_HOSTNAME\") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH_ANY(\"PATSET_ADFS_PATH_ACTIVE_PASSIVE\"))"

 

Rewrite Policies for ADFS PIP

add rewrite action RWACT_X_MS_Proxy insert_http_header X-MS-Proxy "\"NETSCALER\"" 
add rewrite policy RWPOL_X_MS_Proxy true RWACT_X_MS_Proxy 
  add rewrite action RWACT_X_MS_Forwarded_Client_IP insert_http_header X-MS-Forwarded-Client-IP CLIENT.IP.SRC 
add rewrite policy RWPOL_X_MS_Forwarded_Client_IP true RWACT_X_MS_Forwarded_Client_IP 
  add rewrite action RWACT_X_MS_Endpoint_Absolute_Path insert_http_header X-MS-Endpoint-Absolute-Path HTTP.REQ.URL 
add rewrite policy RWPOL_X_MS_Endpoint_Absolute_Path true RWACT_X_MS_Endpoint_Absolute_Path 
  add rewrite action RWACT_X_MS_Target_Role insert_http_header X-MS-Target-Role "\"PrimaryComputer\"" 
add rewrite policy RWPOL_X_MS_Target_Role true RWACT_X_MS_Target_Role 
  add rewrite action RWACT_X_MS_ADFS_Proxy_Client_IP insert_http_header X-MS-ADFS-Proxy-Client-IP CLIENT.IP.SRC 
add rewrite policy RWPOL_X_MS_ADFS_Proxy_Client_IP true RWACT_X_MS_ADFS_Proxy_Client_IP 
  add rewrite action RWACT_X_MS_Client_User_Agent insert_http_header X-MS-Client-User-Agent "HTTP.REQ.HEADER(\"User-Agent\")" 
add rewrite policy RWPOL_X_MS_Client_User_Agent true RWACT_X_MS_Client_User_Agent 
  add rewrite action RWACT_ADFS_PROXYMEX replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\"/adfs/services/trust/mex\").HTTP_URL_SAFE" 
add rewrite policy RWPOL_ADFS_PROXYMEX "is_ADFS_HOSTNAME && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" RWACT_ADFS_PROXYMEX 
  add rewrite policy RWPOL_ADFS_PROXY_HEADERS-NOACT TRUE NOREWRITE 
  add rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS http_req 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Proxy 100 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Forwarded_Client_IP 110 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Endpoint_Absolute_Path 120 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Target_Role 130 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_ADFS_Proxy_Client_IP 140 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Client_User_Agent 150 NEXT 
bind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_ADFS_PROXYMEX 160 NEXT

 

Create ADFS Server and Service Group

add server LBSRV_ADFS wsadfs01.ctxdemos.com add serviceGroup LBSVCGRP_ADFS_443 SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES 
bind ssl serviceGroup LBSVCGRP_ADFS_443 -cipherName CTXDEMO_BACKEND 
set ssl serviceGroup LBSVCGRP_ADFS_443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED 
bind serviceGroup LBSVCGRP_ADFS_443 LBSRV_ADFS 443

  

Create ADFS Proxy NoAuth Load Balancing vServer

add lb vserver LBVS_ADFS_PROXY_NOAUTH SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 
set ssl vserver LBVS_ADFS_PROXY_NOAUTH -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind ssl vserver LBVS_ADFS_PROXY_NOAUTH -certkeyName CTXDEMOS-PUBLIC 
bind ssl vserver LBVS_ADFS_PROXY_NOAUTH -cipherName CTXDEMO_BACKEND 
bind lb vserver LBVS_ADFS_PROXY_NOAUTH LBSVCGRP_ADFS_443 
bind lb vserver LBVS_ADFS_PROXY_NOAUTH -policyName RWPOL_ADFS_PROXY_HEADERS-NOACT -priority 100 -gotoPriorityExpression NEXT -type REQUEST -invoke policylabel RWPOLLBL_ADFS_PROXY_HEADERS

 

Create ADFS Proxy NoAuth Content Switching Policy and Action

add cs action CSACT_ADFS_PROXY_NOAUTH -targetLBVserver LBVS_ADFS_PROXY_NOAUTH 
add cs policy CSPOL_ADFS_PROXY_NOAUTH -rule is_ADFS_PROXY_NOAUTH -action CSACT_ADFS_PROXY_NOAUTH

 

Create ADFS Proxy Active-Passive Load Balancing vServer

add lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile AAA_AUTH_PRF 
set ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
bind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE LBSVCGRP_ADFS_443 
bind ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -certkeyName CTXDEMOS-PUBLIC 
bind ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -cipherName CTXDEMO_FRONTEND_APLUS 
bind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName RWPOL_ADFS_PROXY_HEADERS-NOACT -priority 100 -gotoPriorityExpression NEXT -type REQUEST -invoke policylabel RWPOLLBL_ADFS_PROXY_HEADERS

Create ADFS Proxy Active-Passive Content Switching Policy and Action

add cs action CSACT_ADFS_PROXY_ACTIVE_PASSIVE -targetLBVserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE 
add cs policy CSPOL_ADFS_PROXY_ACTIVE_PASSIVE -rule is_ADFS_PROXY_ACTIVE_PASSIVE -action CSACT_ADFS_PROXY_ACTIVE_PASSIVE

 

Bind Content Switching Policies to NetScaler Gateway Content Switching vServer

bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_ADFS_PROXY_NOAUTH -priority 100 
bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_ADFS_PROXY_ACTIVE_PASSIVE -priority 300

 

Create NetScaler ADC AAA Traffic Policies and Bind them to ADFS Proxy Active-Passive Load Balancing vServer

add tm formSSOAction AAATM_SSOPRF_ADFS_LOGIN -actionURL "/adfs/ls" -userField UserName -passwdField Password -ssoSuccessRule true -nameValuePair AuthMethod=FormsAuthentication -responsesize 15000 -submitMethod POST 
add tm trafficAction AAATM_PRF_ADFS_LOGIN -appTimeout 1 -SSO ON -formSSOAction AAATM_SSOPRF_ADFS_LOGIN -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -userExpression "HTTP.REQ.USER.ATTRIBUTE(3)" -passwdExpression "HTTP.REQ.USER.ATTRIBUTE(2)" 
add tm trafficPolicy AAATM_POL_ADFS_LOGIN "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\")" AAATM_PRF_ADFS_LOGIN 
add tm trafficAction AAATM_PRF_ADFS_LOGOUT -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE 
add tm trafficPolicy AAATM_POL_ADFS_LOGOUT "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignout1.0\")" AAATM_PRF_ADFS_LOGOUT 
bind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName AAATM_POL_ADFS_LOGIN -priority 100 -gotoPriorityExpression END -type REQUEST 
bind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName AAATM_POL_ADFS_LOGOUT -priority 110 -gotoPriorityExpression END -type request

Continued in part 4

22Jul
RAMP UP CLOUD ADOPTION WITH VITRUAL WORKSPACE
19Aug
HARNESS THE VIRTUALIZATION TECHNOLOGY
26Apr
CYBER SECRUITY–TECH HYPE OR REAL THREAT
Comments
* The email will not be published on the website.