Jump to content
Welcome to our new Citrix community!

  • NetScaler Gateway and Microsoft Azure Multi-Factor Authentication Part 3

    Richard Faulkner

    By Richard Faulkner

      • Validation Status: Validated
      Summary: NetScaler Gateway presents all hosted, SaaS, web, enterprise, and mobile applications to users on any device and any browser. It uses nFactor Authentication to authenticate users against on-premises Microsoft AD and leverages Microsoft AD FS for Azure Multi-Factor Authentication (MFA).
      Has Video?: No
     Share

    Continued from Part 2

    Configure NetScaler Gateway and integrate with StoreFront – CLI

     

    Create Session Policy and Action for Citrix Receiver

    add vpn sessionAction AC_OS_22.22.44.50 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://access.ctxdemos.com/Citrix/ExternalWeb" -ClientChoices OFF -ntDomain CTXDEMOS -clientlessVpnMode OFF -storefronturl "https://access.ctxdemos.com"add vpn sessionPolicy PL_OS_22.22.44.50 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixVPN\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NSGiOSplugin\").NOT" AC_OS_22.22.44.50

     

    Create Session Policy and Action for Citrix Web Client

    add vpn sessionAction AC_WB_22.22.44.50 -transparentInterception ON -defaultAuthorizationAction ALLOW -forceCleanup cookie -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "https://storefront.ctxdemos.com/Citrix/ExternalWeb" -wiPortalMode COMPACT -ClientChoices OFF -ntDomain CTXDEMOS -clientlessVpnMode ON -clientlessPersistentCookie ALLOWadd vpn sessionPolicy PL_WB_22.22.44.50 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_22.22.44.50

     

    Create Session Policy and Action for NetScaler Gateway Client

    add vpn sessionAction UG_VPN_SAct_22.22.44.50 -transparentInterception ON -DefaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ONadd vpn sessionPolicy UG_VPN_SPol_22.22.44.50 true UG_VPN_SAct_22.22.44.50

     

    Create Responder Policy and Action for Gateway Logout

    add responder action RESACT_GATEWAY_LOGOFF_REDIRECT redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE" -responseStatusCode 302add responder policy RESPOL_GATEWAY_LOGOFF_REDIRECT "HTTP.REQ.URL.CONTAINS(\"/cgi/logout\")" RESACT_GATEWAY_LOGOFF_REDIRECT

     

    Create NetScaler Gateway vServer

    add vpn vserver UGVS_VPN_UGCTXDEMOS SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn access.ctxdemos.comset ssl vserver UGVS_VPN_UGCTXDEMOS -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind ssl vserver UGVS_VPN_UGCTXDEMOS -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver UGVS_VPN_UGCTXDEMOS -cipherName CTXDEMOS_FRONTEND_APLUSbind vpn vserver UGVS_VPN_UGCTXDEMOS -portaltheme CTXDEMOS_PORTALbind vpn vserver UGVS_VPN_UGCTXDEMOS -staServer "https://wsctxdc01.ctxdemos.com"bind vpn vserver UGVS_VPN_UGCTXDEMOS -policy RESPOL_GATEWAY_LOGOFF_REDIRECT -priority 100 -gotoPriorityExpression END -type REQUESTbind vpn vserver UGVS_VPN_UGCTXDEMOS -policy PL_OS_22.22.44.50 -priority 100 -gotoPriorityExpression NEXT -type REQUESTbind vpn vserver UGVS_VPN_UGCTXDEMOS -policy PL_WB_22.22.44.50 -priority 110 -gotoPriorityExpression NEXT -type REQUESTbind vpn vserver UGVS_VPN_UGCTXDEMOS -policy UG_VPN_SPol_22.22.44.50 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST

     

    Create Content Switching Policy and Action for NetScaler Gateway

    add cs action CSACT_UGCTXDEMOS -targetVserver UGVS_VPN_UGCTXDEMOSadd cs policy CSPOL_UGCTXDEMOS -rule "is_vpn_url  ||  HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/External\")" -action CSACT_UGCTXDEMOS

     

    Create Content Switching vServer for NetScaler Gateway

    add cs vserver CSVS_UGCTXDEMOS SSL 22.22.44.50 443 -cltTimeout 180set ssl vserver CSVS_UGCTXDEMOS -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind ssl vserver CSVS_UGCTXDEMOS -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver CSVS_UGCTXDEMOS -cipherName CTXDEMOS_FRONTEND_APLUSbind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_UGCTXDEMOS -priority 63000

     

    Create Responder Policy and Action for HTTP to HTTPS Redirection

    add responder action RESACT_HTTP_TO_HTTPS redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 301add responder policy RESPOL_HTTP_TO_HTTPS HTTP.REQ.IS_VALID RESACT_HTTP_TO_HTTPS

     

    Create Always On Server and Service

    add server LBSRV_ALWAYS_UP 127.0.0.1add service LBSVC_ALWAYS_UP LBSRV_ALWAYS_UP HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

     

    Create Always On vServer for NetScaler Gateway

    add lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS HTTP 22.22.44.50 80 -persistenceType NONE -cltTimeout 180bind lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS LBSVC_ALWAYS_UPbind lb vserver CSVS_UGCTXDEMOS_REDIRECT_HTTP_TO_HTTPS -policyName RESPOL_HTTP_TO_HTTPS -priority 100 -gotoPriorityExpression END -type REQUEST

     

    Configure the first authentication server

     

    Create Initialization SAML SP Policy and Action and Bind it to NetScaler ADC AAA Authentication vServer

    add authentication samlAction AUTH_ACT_SAML_SP_VPN_TO_LB -samlIdPCertName CTXDEMOS_PUBLIC_CERT -samlSigningCertName CTXDEMOS_PUBLIC_CERT -samlRedirectUrl "https://access.ctxdemos.com/samltolb" -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlBinding REDIRECT -groupNameField Groupsadd authentication Policy AUTH_POL_SAMP_SP_VPN_TO_LB -rule TRUE -action AUTH_ACT_SAML_SP_VPN_TO_LB

     

    Create Authentication Policy and Action for SAML SP to ADFS

    add authentication samlAction AUTH_ACT_SAML_SP_ADFS -samlIdPCertName CTXDEMOS_ADFS_TOKEN_SIGNING -samlSigningCertName CTXDEMOS_PUBLIC_CERT -samlRedirectUrl "https://sts.ctxdemos.com/adfs/ls/" -samlUserField "Name ID" -samlRejectUnsignedAssertion OFF -samlIssuerName "https://access.ctxdemos.com" -Attribute1 "E-Mail Address" -signatureAlg RSA-SHA256 -digestMethod SHA256 -logoutURL "https://sts.ctxdemos.com/adfs/ls/wa=wsignout1.0" -forceAuthn ONadd authentication Policy AUTH_POL_SAML_SP_ADFS -rule TRUE -action AUTH_ACT_SAML_SP_ADFS

     

    Create Authentication Policy Label for for SAML SP to ADFS

    add authentication policylabel AUTH_POLLBL_ADFS_AZUREMFA -loginSchema LSCHEMA_INTbind authentication policylabel AUTH_POLLBL_ADFS_AZUREMFA -policyName AUTH_POL_SAML_SP_ADFS -priority 100 -gotoPriorityExpression NEXT

     

    Create Authentication Policy and Action for Group Extraction

    add authentication ldapAction AUTH_ACT_LDAP_GROUP_EXTRACTION_AZUREMFACA -serverIP 22.22.22.61 -serverPort 636 -ldapBase "DC=ctxdemos,DC=com" -ldapBindDn "CN=svc_ctxadc01,OU=Services,OU=Accounts,DC=ctxdemos,DC=com" -ldapBindDnPassword 0c4fe86d56a865ef514a15affd1429f3e079ce1089731d4a407772d21036f3c8 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=AzureMFACAUsers,OU=Groups,OU=Authorizations,DC=ctxdemos,DC=com" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -nestedGroupExtraction ON -maxNestingLevel 5 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -Attribute1 mail -Attribute2 objectGUIDadd authentication Policy AUTH_POL_LDAP_GROUP_EXTRACTION_AZURAMFACA -rule TRUE -action AUTH_ACT_LDAP_GROUP_EXTRACTION_AZUREMFACA

     

    Create Authentication Policy Label for Group Extraction

    add authentication policylabel AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -loginSchema LSCHEMA_INTbind authentication policylabel AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -policyName AUTH_POL_LDAP_GROUP_EXTRACTION_AZURAMFACA -priority 100 -gotoPriorityExpression NEXT -nextFactor AUTH_POLLBL_ADFS_AZUREMFA

    Create Login Schema Policy and Profile for First NetScaler ADC AAA Authentication vServer

    add authentication loginSchema LSCHEMA_PRF_NOSCHEMA -authenticationSchema noschema -SSOCredentials YESadd authentication loginSchemaPolicy LSCHEMA_POL_NOSCHEMA -rule TRUE -action LSCHEMA_PRF_NOSCHEMA

     

    Create First NetScaler ADC AAA Authentication vServer

    add authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN SSL 0.0.0.0set ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver AAAVS_CTXDEMOS_COM_FOR_VPN -cipherName CTXDEMOS_FRONTEND_APLUSbind authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN -policy LSCHEMA_POL_NOSCHEMA -priority 100 -gotoPriorityExpression ENDbind authentication vserver AAAVS_CTXDEMOS_COM_FOR_VPN -policy AUTH_POL_SAMP_SP_VPN_TO_LB -priority 100 -nextFactor AUTH_POLLBL_LDAP_GROUP_EXTRACTION_AZURAMFACA -gotoPriorityExpression NEXT

     

    Create First NetScaler ADC AAA Authentication Profile

    add authentication authnProfile AAA_AUTH_PRF_VPN -authnVsName AAAVS_CTXDEMOS_COM_FOR_VPN -AuthenticationHost aaa.ctxdemos.com

     

    Set Authentication Profile on Gateway vServer

    set vpn vserver UGVS_VPN_UGCTXDEMOS -authnProfile AAA_AUTH_PRF_VPN

     

    Configure a second authentication server

     

    Create Authentication Policy and Action for LDAP

    add authentication ldapAction AUTH_ACT_LDAP -serverIP 22.22.22.61 -serverPort 636 -authTimeout 60 -ldapBase "DC=ctxdemos,DC=com" -ldapBindDn "CN=svc_ctxadc01,OU=Services,OU=Accounts,DC=ctxdemos,DC=com" -ldapBindDnPassword 273881819af883e70c33d83c0546eac84e81d6eeba904f2d65bbebf2819c025a -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -maxNestingLevel 5 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -Attribute1 userprincipalname -Attribute2 mail -Attribute3 userParametersadd authentication Policy AUTH_POL_LDAP_USER_NAME_PASSWORD -rule TRUE -action AUTH_ACT_LDAP

     

    Create Login Schema Policy and Profile for Second NetScaler ADC AAA Authentication vServer - Username (Pre-filled ) and Password

    add authentication loginSchema LSCHEMA_USER_NAME_PASSWORD -authenticationSchema "/nsconfig/loginschema/CTXDEMOS_USER_NAME_PASS.xml" -SSOCredentials YESadd authentication loginSchemaPolicy LSCHEMA_POL_USER_NAME_PASSWORD -rule TRUE -action LSCHEMA_USER_NAME_PASSWORD

     

    Create Authentication Policy Label for LDAP Username and Password

    add authentication policylabel AUTH_POLLBL_LDAP_USER_NAME_PASSWORD -loginSchema LSCHEMA_USER_NAME_PASSWORDbind authentication policylabel AUTH_POLLBL_LDAP_USER_NAME_PASSWORD -policyName AUTH_POL_LDAP_USER_NAME_PASSWORD -priority 110 -gotoPriorityExpression NEXT

     

    Create Login Schema Policy and Profile for Second NetScaler ADC AAA Authentication vServer - Username Only

    add authentication loginSchema LSCHEMA_USER_NAME_ONLY -authenticationSchema "/nsconfig/loginschema/CTXDEMOS_USER_NAME_ONLY.xml"add authentication loginSchemaPolicy LSCHEMA_POL_NOPASSWORD -rule TRUE -action LSCHEMA_USER_NAME_ONLY

     

    Create NetScaler ADC AAA Session Policy and Profile

    add tm sessionAction AAA_SESSION_PRF_CTXDEMOS -SSO ON -ssoDomain CTXDEMOS -persistentCookie ON -persistentCookieValidity 30add tm sessionPolicy AAA_SESSION_POL_CTXDEMOS TRUE AAA_SESSION_PRF_CTXDEMOS

     

    Create Second NetScaler ADC AAA Authentication vServer

    add authentication vserver AAAVS_CTXDEMOS_COM SSL 22.22.44.51 443set ssl vserver AAAVS_CTXDEMOS_COM -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind ssl vserver AAAVS_CTXDEMOS_COM -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver AAAVS_CTXDEMOS_COM -cipherName CTXDEMOS_FRONT 

    Create Second NetScaler ADC AAA Authentication Profile

    add authentication authnProfile AAA_AUTH_PRF -authnVsName AAAVS_CTXDEMOS_COM -AuthenticationHost aaa.ctxdemos.com

     

    Configure NetScaler ADC as AD FS WAP

    Run the following commands in NetScaler ADC CLI to configure NetScaler ADC as AD FS Web Application Proxy (WAP):

     

    Pattern Set - ADFS Proxy Hostname

    add policy patset PATSET_ADFS_HOSTNAMEbind policy patset PATSET_ADFS_HOSTNAME sts.ctxdemos.com -index 1 -charset ASCII

    Policy Expression - ADFS Proxy Hostname

    add policy expression is_ADFS_HOSTNAME "HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_HOSTNAME\")"

     

    Pattern Set - ADFS Proxy Path for NoAuth

    add policy patset PATSET_ADFS_PATH_NOAUTHbind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust" -index 1 -charset ASCIIbind policy patset PATSET_ADFS_PATH_NOAUTH "/federationmetadata/2007-06/federationmetadata.xml" -index 2 -charset ASCIIbind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/fs/federationserverservice.asmx" -index 3 -charset ASCIIbind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/ls/FormsSignIn.aspx" -index 4 -charset ASCIIbind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust/2005/usernamemixed" -index 5 -charset ASCIIbind policy patset PATSET_ADFS_PATH_NOAUTH "/adfs/services/trust/mex" -index 6 -charset ASCII

     

     

    Policy Expression - ADFS Proxy Path for NoAuth

    add policy expression is_ADFS_PROXY_NOAUTH "HTTP.REQ.URL.PATH.TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_PATH_NOAUTH\")"

     

    Pattern Set - ADFS Proxy Path for Passive Client

    add policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVEbind policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVE "/adfs" -index 1 -charset ASCIIbind policy patset PATSET_ADFS_PATH_ACTIVE_PASSIVE "/cgi/selfauth" -index 2 -charset ASCII

     

    Policy Expression - ADFS Proxy Path for Passive Client

    add policy expression is_ADFS_PROXY_ACTIVE_PASSIVE "(HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_ADFS_HOSTNAME\") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH_ANY(\"PATSET_ADFS_PATH_ACTIVE_PASSIVE\"))"

     

    Rewrite Policies for ADFS PIP

    add rewrite action RWACT_X_MS_Proxy insert_http_header X-MS-Proxy "\"NETSCALER\""add rewrite policy RWPOL_X_MS_Proxy true RWACT_X_MS_Proxy add rewrite action RWACT_X_MS_Forwarded_Client_IP insert_http_header X-MS-Forwarded-Client-IP CLIENT.IP.SRCadd rewrite policy RWPOL_X_MS_Forwarded_Client_IP true RWACT_X_MS_Forwarded_Client_IP add rewrite action RWACT_X_MS_Endpoint_Absolute_Path insert_http_header X-MS-Endpoint-Absolute-Path HTTP.REQ.URLadd rewrite policy RWPOL_X_MS_Endpoint_Absolute_Path true RWACT_X_MS_Endpoint_Absolute_Path add rewrite action RWACT_X_MS_Target_Role insert_http_header X-MS-Target-Role "\"PrimaryComputer\""add rewrite policy RWPOL_X_MS_Target_Role true RWACT_X_MS_Target_Role add rewrite action RWACT_X_MS_ADFS_Proxy_Client_IP insert_http_header X-MS-ADFS-Proxy-Client-IP CLIENT.IP.SRCadd rewrite policy RWPOL_X_MS_ADFS_Proxy_Client_IP true RWACT_X_MS_ADFS_Proxy_Client_IP add rewrite action RWACT_X_MS_Client_User_Agent insert_http_header X-MS-Client-User-Agent "HTTP.REQ.HEADER(\"User-Agent\")"add rewrite policy RWPOL_X_MS_Client_User_Agent true RWACT_X_MS_Client_User_Agent add rewrite action RWACT_ADFS_PROXYMEX replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\"/adfs/services/trust/mex\").HTTP_URL_SAFE"add rewrite policy RWPOL_ADFS_PROXYMEX "is_ADFS_HOSTNAME && HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" RWACT_ADFS_PROXYMEX add rewrite policy RWPOL_ADFS_PROXY_HEADERS-NOACT TRUE NOREWRITE add rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS http_reqbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Proxy 100 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Forwarded_Client_IP 110 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Endpoint_Absolute_Path 120 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Target_Role 130 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_ADFS_Proxy_Client_IP 140 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_X_MS_Client_User_Agent 150 NEXTbind rewrite policylabel RWPOLLBL_ADFS_PROXY_HEADERS RWPOL_ADFS_PROXYMEX 160 NEXT

     

    Create ADFS Server and Service Group

    add server LBSRV_ADFS wsadfs01.ctxdemos.comadd serviceGroup LBSVCGRP_ADFS_443 SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YESbind ssl serviceGroup LBSVCGRP_ADFS_443 -cipherName CTXDEMO_BACKENDset ssl serviceGroup LBSVCGRP_ADFS_443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLEDbind serviceGroup LBSVCGRP_ADFS_443 LBSRV_ADFS 443

     

     

    Create ADFS Proxy NoAuth Load Balancing vServer

    add lb vserver LBVS_ADFS_PROXY_NOAUTH SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180set ssl vserver LBVS_ADFS_PROXY_NOAUTH -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind ssl vserver LBVS_ADFS_PROXY_NOAUTH -certkeyName CTXDEMOS-PUBLICbind ssl vserver LBVS_ADFS_PROXY_NOAUTH -cipherName CTXDEMO_BACKENDbind lb vserver LBVS_ADFS_PROXY_NOAUTH LBSVCGRP_ADFS_443bind lb vserver LBVS_ADFS_PROXY_NOAUTH -policyName RWPOL_ADFS_PROXY_HEADERS-NOACT -priority 100 -gotoPriorityExpression NEXT -type REQUEST -invoke policylabel RWPOLLBL_ADFS_PROXY_HEADERS

     

    Create ADFS Proxy NoAuth Content Switching Policy and Action

    add cs action CSACT_ADFS_PROXY_NOAUTH -targetLBVserver LBVS_ADFS_PROXY_NOAUTHadd cs policy CSPOL_ADFS_PROXY_NOAUTH -rule is_ADFS_PROXY_NOAUTH -action CSACT_ADFS_PROXY_NOAUTH

     

    Create ADFS Proxy Active-Passive Load Balancing vServer

    add lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile AAA_AUTH_PRFset ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE LBSVCGRP_ADFS_443bind ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -certkeyName CTXDEMOS-PUBLICbind ssl vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -cipherName CTXDEMO_FRONTEND_APLUSbind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName RWPOL_ADFS_PROXY_HEADERS-NOACT -priority 100 -gotoPriorityExpression NEXT -type REQUEST -invoke policylabel RWPOLLBL_ADFS_PROXY_HEADERS

    Create ADFS Proxy Active-Passive Content Switching Policy and Action

    add cs action CSACT_ADFS_PROXY_ACTIVE_PASSIVE -targetLBVserver LBVS_ADFS_PROXY_ACTIVE_PASSIVEadd cs policy CSPOL_ADFS_PROXY_ACTIVE_PASSIVE -rule is_ADFS_PROXY_ACTIVE_PASSIVE -action CSACT_ADFS_PROXY_ACTIVE_PASSIVE

     

    Bind Content Switching Policies to NetScaler Gateway Content Switching vServer

    bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_ADFS_PROXY_NOAUTH -priority 100bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_ADFS_PROXY_ACTIVE_PASSIVE -priority 300

     

    Create NetScaler ADC AAA Traffic Policies and Bind them to ADFS Proxy Active-Passive Load Balancing vServer

    add tm formSSOAction AAATM_SSOPRF_ADFS_LOGIN -actionURL "/adfs/ls" -userField UserName -passwdField Password -ssoSuccessRule true -nameValuePair AuthMethod=FormsAuthentication -responsesize 15000 -submitMethod POSTadd tm trafficAction AAATM_PRF_ADFS_LOGIN -appTimeout 1 -SSO ON -formSSOAction AAATM_SSOPRF_ADFS_LOGIN -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -userExpression "HTTP.REQ.USER.ATTRIBUTE(3)" -passwdExpression "HTTP.REQ.USER.ATTRIBUTE(2)"add tm trafficPolicy AAATM_POL_ADFS_LOGIN "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\")" AAATM_PRF_ADFS_LOGINadd tm trafficAction AAATM_PRF_ADFS_LOGOUT -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONEadd tm trafficPolicy AAATM_POL_ADFS_LOGOUT "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.URL.QUERY.VALUE(\"wa\").EQ(\"wsignout1.0\")" AAATM_PRF_ADFS_LOGOUTbind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName AAATM_POL_ADFS_LOGIN -priority 100 -gotoPriorityExpression END -type REQUESTbind lb vserver LBVS_ADFS_PROXY_ACTIVE_PASSIVE -policyName AAATM_POL_ADFS_LOGOUT -priority 110 -gotoPriorityExpression END -type REQUEST

    Continued in Part 4

     Share
    Go to articles

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

© Cloud Software Group, Inc. All rights reserved.

×
×
  • Create New...