Citrix Netscaler – Load-balancing Exchange 2016
Citrix recommendations: https://support.citrix.com/article/CTX208563
1. Requirements
- One public IP address
- Two private IP addresses (Content Switch and Load Balancer)
- Working DNS/NTP on NetScaler
- Wildcard SSL certificate
1.1 Firewall Rules
| From | To | Port | Description |
|---|---|---|---|
| SNIP | DNS Server | UDP/TCP 53 | DNS |
| SNIP | NTP Server | UDP 123 | NTP |
| SNIP | Domain Controller | TCP 389 | LDAP |
| SNIP | Domain Controller | TCP 636 | LDAPS |
| NSIP | Exchange Server | TCP 25, 465, 587 | SMTP Monitor |
| SNIP | Exchange Server | TCP 25, 465, 587 | SMTP |
| SNIP | Exchange Server | TCP 143, 993 | IMAP |
| SNIP | Exchange Server | HTTPS – 443 | OWA, AutoDiscover, ActiveSync, MAPI, etc. |
| Internet | SMTP LB IP | TCP 25, 465, 587 | SMTP |
| Internet | IMAP LB IP | TCP 143, 993 | IMAP |
| Internet | Content Switch VIP | HTTP – 80 | Web Traffic |
| Internet | Content Switch VIP | HTTPS – 443 | Web Traffic |
If you do not load balance DNS/LDAPS/NTP, that traffic is sourced from the NSIP. In my setup these servers are load balanced, so the SNIP communicates with the backend servers.
2. Configuration
2.1 Features
```
#Features
enable ns feature CS,RESPONDER,LB,SSL
```
2.2 Server
```
#Create servers
#Replace FQDN and IP address according to your environment
add server EX01.lab.local 192.168.2.102
add server EX02.lab.local 192.168.2.103
```
2.3 Monitors
| Name | Type | Standard Parameter | Send String |
|---|---|---|---|
| mon_smtp | SMTP | – | – |
| mon_owa | HTTP-ECV | Secure | "GET /owa/healthcheck.htm" |
| mon_activesync | HTTP-ECV | Secure | "GET /Microsoft-Server-ActiveSync/healthcheck.htm" |
| mon_rpc | HTTP-ECV | Secure | "GET /rpc/healthcheck.htm" |
| mon_ews | HTTP-ECV | Secure | "GET /ews/healthcheck.htm" |
| mon_autodiscover | HTTP-ECV | Secure | "GET /Autodiscover/healthcheck.htm" |
| mon_oab | HTTP-ECV | Secure | "GET /oab/healthcheck.htm" |
| mon_mapi | HTTP-ECV | Secure | "GET /mapi/healthcheck.htm" |
| mon_ecp | HTTP-ECV | Secure | "GET /ecp/healthcheck.htm" |
```
#Create monitors
add lb monitor mon_smtp SMTP
add lb monitor mon_owa HTTP-ECV -send "GET /owa/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_activesync HTTP-ECV -send "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_rpc HTTP-ECV -send "GET /rpc/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ews HTTP-ECV -send "GET /ews/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_autodiscover HTTP-ECV -send "GET /Autodiscover/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_oab HTTP-ECV -send "GET /oab/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_mapi HTTP-ECV -send "GET /mapi/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ecp HTTP-ECV -send "GET /ecp/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
```
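To see what the HTTP-ECV monitors above will get back from a backend, here is an added Python probe (not code from the original post or from Citrix) that sends the same unauthenticated GET over TLS to one Exchange server and evaluates the reply. healthcheck_ok() is stricter than the appliance's substring match on "-recv 200"; the server IP, hostname and paths are this page's lab values, and the sample responses in the test are constructed.

```python
"""Added example, not from the original post: reproduce the HTTP-ECV checks of
section 2.3 against one Exchange backend so a failing server can be diagnosed
before it is bound to a service group."""
import socket
import ssl
from typing import Dict

# Health-check paths taken from the page's monitor commands.
HEALTHCHECK_PATHS = {
    "mon_owa": "/owa/healthcheck.htm",
    "mon_activesync": "/Microsoft-Server-ActiveSync/healthcheck.htm",
    "mon_rpc": "/rpc/healthcheck.htm",
    "mon_ews": "/ews/healthcheck.htm",
    "mon_autodiscover": "/Autodiscover/healthcheck.htm",
    "mon_oab": "/oab/healthcheck.htm",
    "mon_mapi": "/mapi/healthcheck.htm",
    "mon_ecp": "/ecp/healthcheck.htm",
}


def build_request(path: str, host: str) -> bytes:
    """The same unauthenticated GET the monitor sends, plus a Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def ecv_substring_match(raw: bytes, recv: str = "200") -> bool:
    """What '-recv 200' means on the appliance: the string anywhere in the reply,
    so an error page that happens to contain '200' would also pass."""
    return recv.encode() in raw


def healthcheck_ok(raw: bytes) -> bool:
    """Stricter check: the status line itself must carry code 200."""
    parts = raw.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


def probe(server_ip: str, host: str, path: str, timeout: float = 5.0) -> bytes:
    """Fetch one health-check page over TLS from a backend addressed by IP.
    Certificate verification is off because this only tests the health page
    from the monitor's point of view; do not reuse this context elsewhere."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((server_ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(path, host))
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def probe_all(server_ip: str, host: str) -> Dict[str, bool]:
    """Run every monitor's check against one backend, e.g. EX01.lab.local."""
    results: Dict[str, bool] = {}
    for name, path in HEALTHCHECK_PATHS.items():
        try:
            results[name] = healthcheck_ok(probe(server_ip, host, path))
        except OSError:  # connection refused, timeout or TLS failure
            results[name] = False
    return results
```

Run `probe_all("192.168.2.102", "EX01.lab.local")` from an admin host with HTTPS access to the backend; any monitor that reports False here will also be marked DOWN by the NetScaler.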
2.4 Service Groups
| Name | Protocol | Monitor |
|---|---|---|
| svcgrp_ex2016_smtp_25 | TCP | mon_smtp |
| svcgrp_ex2016_smtp_465 | TCP | mon_smtp |
| svcgrp_ex2016_smtp_587 | TCP | mon_smtp |
| svcgrp_ex2016_imap_143 | TCP | TCP |
| svcgrp_ex2016_imap_993 | TCP | TCP |
| svcgrp_ex2016_owa | SSL | mon_owa |
| svcgrp_ex2016_activesync | SSL | mon_activesync |
| svcgrp_ex2016_rpc | SSL | mon_rpc |
| svcgrp_ex2016_ews | SSL | mon_ews |
| svcgrp_ex2016_autodisover | SSL | mon_autodiscover |
| svcgrp_ex2016_oab | SSL | mon_oab |
| svcgrp_ex2016_mapi | SSL | mon_mapi |
| svcgrp_ex2016_ecp | SSL | mon_ecp |
```
#Create Service Groups
add serviceGroup svcgrp_ex2016_smtp_25 TCP
add serviceGroup svcgrp_ex2016_smtp_465 TCP
add serviceGroup svcgrp_ex2016_smtp_587 TCP
add serviceGroup svcgrp_ex2016_imap_143 TCP
add serviceGroup svcgrp_ex2016_imap_993 TCP
add serviceGroup svcgrp_ex2016_owa SSL
add serviceGroup svcgrp_ex2016_activesync SSL
add serviceGroup svcgrp_ex2016_rpc SSL
add serviceGroup svcgrp_ex2016_ews SSL
add serviceGroup svcgrp_ex2016_autodisover SSL
add serviceGroup svcgrp_ex2016_oab SSL
add serviceGroup svcgrp_ex2016_mapi SSL
add serviceGroup svcgrp_ex2016_ecp SSL
```
```
#Bind Service Groups
#Replace FQDN and IP address according to your environment
bind servicegroup svcgrp_ex2016_smtp_25 EX01.lab.local 25
bind servicegroup svcgrp_ex2016_smtp_25 EX02.lab.local 25
bind serviceGroup svcgrp_ex2016_smtp_25 -monitorName mon_smtp
bind servicegroup svcgrp_ex2016_smtp_465 EX01.lab.local 465
bind servicegroup svcgrp_ex2016_smtp_465 EX02.lab.local 465
bind serviceGroup svcgrp_ex2016_smtp_465 -monitorName mon_smtp
bind servicegroup svcgrp_ex2016_smtp_587 EX01.lab.local 587
bind servicegroup svcgrp_ex2016_smtp_587 EX02.lab.local 587
bind serviceGroup svcgrp_ex2016_smtp_587 -monitorName mon_smtp
bind servicegroup svcgrp_ex2016_imap_143 EX01.lab.local 143
bind servicegroup svcgrp_ex2016_imap_143 EX02.lab.local 143
bind serviceGroup svcgrp_ex2016_imap_143 -monitorName TCP
bind servicegroup svcgrp_ex2016_imap_993 EX01.lab.local 993
bind servicegroup svcgrp_ex2016_imap_993 EX02.lab.local 993
bind serviceGroup svcgrp_ex2016_imap_993 -monitorName TCP
bind servicegroup svcgrp_ex2016_owa EX01.lab.local 443
bind servicegroup svcgrp_ex2016_owa EX02.lab.local 443
bind serviceGroup svcgrp_ex2016_owa -monitorName mon_owa
bind servicegroup svcgrp_ex2016_activesync EX01.lab.local 443
bind servicegroup svcgrp_ex2016_activesync EX02.lab.local 443
bind servicegroup svcgrp_ex2016_activesync -monitorName mon_activesync
bind servicegroup svcgrp_ex2016_rpc EX01.lab.local 443
bind servicegroup svcgrp_ex2016_rpc EX02.lab.local 443
bind servicegroup svcgrp_ex2016_rpc -monitorName mon_rpc
bind servicegroup svcgrp_ex2016_ews EX01.lab.local 443
bind servicegroup svcgrp_ex2016_ews EX02.lab.local 443
bind servicegroup svcgrp_ex2016_ews -monitorName mon_ews
bind servicegroup svcgrp_ex2016_autodisover EX01.lab.local 443
bind servicegroup svcgrp_ex2016_autodisover EX02.lab.local 443
bind servicegroup svcgrp_ex2016_autodisover -monitorName mon_autodiscover
bind servicegroup svcgrp_ex2016_oab EX01.lab.local 443
bind servicegroup svcgrp_ex2016_oab EX02.lab.local 443
bind servicegroup svcgrp_ex2016_oab -monitorName mon_oab
bind servicegroup svcgrp_ex2016_mapi EX01.lab.local 443
bind servicegroup svcgrp_ex2016_mapi EX02.lab.local 443
bind servicegroup svcgrp_ex2016_mapi -monitorName mon_mapi
bind servicegroup svcgrp_ex2016_ecp EX01.lab.local 443
bind servicegroup svcgrp_ex2016_ecp EX02.lab.local 443
bind servicegroup svcgrp_ex2016_ecp -monitorName mon_ecp
```
2.5 Load Balancer
| vServer | IP address | Method | Persistence | Timeout | Protocol | Authentication (AAA) |
|---|---|---|---|---|---|---|
| SMTP | 192.168.2.248 | Least Connection | NONE | Default | TCP | – |
| IMAP | 192.168.2.248 | Least Connection | NONE | Default | TCP | – |
| OWA | 0.0.0.0 | Least Connection | NONE | Default | SSL | FBA |
| ECP | 0.0.0.0 | Least Connection | NONE | Default | SSL | FBA |
| ActiveSync | 0.0.0.0 | Least Connection | SRCIPDESTIP | Default | SSL | 401 |
| AutoDiscover | 0.0.0.0 | Least Connection | SOURCEIP | 30 | SSL | 401 |
| RPC | 0.0.0.0 | Least Connection | SOURCEIP | 30 | SSL | 401 |
| EWS | 0.0.0.0 | Least Connection | NONE | Default | SSL | 401 |
| OAB | 0.0.0.0 | Least Connection | NONE | Default | SSL | 401 |
| MAPI | 0.0.0.0 | Least Connection | SOURCEIP | 30 | SSL | 401 |
```
#Create Load Balancer
add lb vserver lb_vsrv_ex2016_smtp_25 TCP 192.168.2.248 25
add lb vserver lb_vsrv_ex2016_smtp_465 TCP 192.168.2.248 465
add lb vserver lb_vsrv_ex2016_smtp_587 TCP 192.168.2.248 587
add lb vserver lb_vsrv_ex2016_imap_143 TCP 192.168.2.248 143
add lb vserver lb_vsrv_ex2016_imap_993 TCP 192.168.2.248 993
add lb vserver lb_vsrv_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_vsrv_ex2016_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE
```
```
#Bind Service Groups to vServer
bind lb vserver lb_vsrv_ex2016_smtp_25 svcgrp_ex2016_smtp_25
bind lb vserver lb_vsrv_ex2016_smtp_465 svcgrp_ex2016_smtp_465
bind lb vserver lb_vsrv_ex2016_smtp_587 svcgrp_ex2016_smtp_587
bind lb vserver lb_vsrv_ex2016_imap_143 svcgrp_ex2016_imap_143
bind lb vserver lb_vsrv_ex2016_imap_993 svcgrp_ex2016_imap_993
bind lb vserver lb_vsrv_ex2016_owa svcgrp_ex2016_owa
bind lb vserver lb_vsrv_ex2016_activesync svcgrp_ex2016_activesync
bind lb vserver lb_vsrv_ex2016_rpc svcgrp_ex2016_rpc
bind lb vserver lb_vsrv_ex2016_ews svcgrp_ex2016_ews
bind lb vserver lb_vsrv_ex2016_autodiscover svcgrp_ex2016_autodisover
bind lb vserver lb_vsrv_ex2016_oab svcgrp_ex2016_oab
bind lb vserver lb_vsrv_ex2016_mapi svcgrp_ex2016_mapi
bind lb vserver lb_vsrv_ex2016_ecp svcgrp_ex2016_ecp
```
```
#Bind SSL certificate
#Replace certificate name
bind ssl vserver lb_vsrv_ex2016_owa -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_activesync -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_rpc -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_ews -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_autodiscover -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_oab -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_mapi -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_ecp -certkeyName 'Wildcard-Flashmob'
```
2.6 Content Switch
| Name | Action | Target | Expression |
|---|---|---|---|
| cs_pol_owa | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/owa") |
| cs_pol_ews | cs_act_ews | lb_vsrv_ex2016_ews | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews") |
| cs_pol_activesync | cs_act_activesync | lb_vsrv_ex2016_activesync | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("Microsoft") |
| cs_pol_autodiscover | cs_act_autodiscover | lb_vsrv_ex2016_autodiscover | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/autodiscover") |
| cs_pol_rpc | cs_act_rpc | lb_vsrv_ex2016_rpc | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/rpc") |
| cs_pol_oab | cs_act_oab | lb_vsrv_ex2016_oab | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/oab") |
| cs_pol_mapi | cs_act_mapi | lb_vsrv_ex2016_mapi | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/mapi") |
| cs_pol_ecp | cs_act_ecp | lb_vsrv_ex2016_ecp | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ecp") |
| cs_pol_cgi | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/cgi") |
| cs_pol_owa_redirect | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.HOSTNAME.EQ("mail.flashmob-saulgau.de") |
```
#Create Content Switch
#Replace IP address of Content Switch
add cs vserver cs_exchange2016_http HTTP 192.168.1.20 80
add cs vserver cs_exchange2016_ssl SSL 192.168.1.20 443
#Replace certificate name
bind ssl vserver cs_exchange2016_ssl -certkeyName 'Wildcard-Flashmob'
```
```
#Create Content Switch Policies
add cs action cs_act_owa -targetLBVserver lb_vsrv_ex2016_owa
add cs policy cs_pol_owa -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/owa")' -action cs_act_owa
add cs action cs_act_ews -targetLBVserver lb_vsrv_ex2016_ews
add cs policy cs_pol_ews -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews")' -action cs_act_ews
add cs action cs_act_autodiscover -targetLBVserver lb_vsrv_ex2016_autodiscover
add cs policy cs_pol_autodiscover -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/autodiscover")' -action cs_act_autodiscover
add cs action cs_act_activesync -targetLBVserver lb_vsrv_ex2016_activesync
add cs policy cs_pol_activesync -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("Microsoft")' -action cs_act_activesync
add cs action cs_act_oab -targetLBVserver lb_vsrv_ex2016_oab
add cs policy cs_pol_oab -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/oab")' -action cs_act_oab
add cs action cs_act_mapi -targetLBVserver lb_vsrv_ex2016_mapi
add cs policy cs_pol_mapi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/mapi")' -action cs_act_mapi
add cs action cs_act_rpc -targetLBVserver lb_vsrv_ex2016_rpc
add cs policy cs_pol_rpc -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/rpc")' -action cs_act_rpc
add cs action cs_act_ecp -targetLBVserver lb_vsrv_ex2016_ecp
add cs policy cs_pol_ecp -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ecp")' -action cs_act_ecp
add cs policy cs_pol_cgi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/cgi")' -action cs_act_owa
#Redirect to OWA if only https://mail.flashmob-saulgau.de is entered
#Replace the mail FQDN
add cs policy cs_pol_owa_redirect -rule 'HTTP.REQ.HOSTNAME.EQ("mail.flashmob-saulgau.de")' -action cs_act_owa
```
```
#Bind Content Switch Policies
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_owa -priority 100
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_ews -priority 110
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_autodiscover -priority 120
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_activesync -priority 130
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_oab -priority 140
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_mapi -priority 150
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_rpc -priority 160
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_ecp -priority 170
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_cgi -priority 180
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_owa_redirect -priority 190
```
```
#OWA HTTP Redirect (Responder)
#Replace the mail FQDN
add responder action resp_act_owa redirect '"https://"+HTTP.REQ.HOSTNAME+"/owa/"'
add responder policy resp_pol_owa 'HTTP.REQ.HOSTNAME.CONTAINS("mail.flashmob-saulgau.de")' resp_act_owa
bind cs vserver cs_exchange2016_http -policyName resp_pol_owa -priority 100
```
2.7 AAA (Enterprise)
If you have an Enterprise licence, you can let the AAA server handle authentication and pass the credentials on to OWA. This offers improved security integration, and n-factor authentication such as RADIUS, SAML and certificate authentication becomes possible. If you enter the mail domain you will be redirected to the AAA login page.
```
HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL (REG_DWORD 0)
```
Update (2018-05-23): When using NetScaler >= 12.0 there is no need to create the "EnableADAL" key. https://support.citrix.com/article/CTX216539
```
#Enable AAA Feature
enable ns feature AAA
#Create AAA Server
add authentication vserver AAA_Exchange_2016 SSL 0.0.0.0
#Replace certificate name
bind ssl vserver AAA_Exchange_2016 -certkeyName 'Wildcard-Flashmob'
bind authentication vserver AAA_Exchange_2016 -portaltheme X1
#Replace AAA FQDN
set authentication vserver AAA_Exchange_2016 -authenticationDomain 'flashmob-saulgau.de'
```
2.7.1 Authentication Policies
In this setup we will authenticate with LDAP only. For this we need to create two policies:
1.) LDAP with sAMAccountName
2.) LDAP with userPrincipalName
The user can then log in with "test" or "test@lab.local".
```
#LDAP SAM + UPN Policy
#Replace server IP, ldapBase, bind user and password
add authentication ldapaction LDAP_UPN -serverip 192.168.2.1 -secType SSL -serverPort 636 -ldapBase "DC=lab,DC=local" -ldapBindDn ns-ldap@lab.local -ldapBindDnPassword ##password## -ldapLoginName userPrincipalName -groupAttrName "memberOf" -subAttributeName "cn" -ssoNameAttribute userPrincipalName -passwdChange ENABLED -followReferrals ON
add authentication ldapaction LDAP_SAM -serverip 192.168.2.1 -secType SSL -serverPort 636 -ldapBase "DC=lab,DC=local" -ldapBindDn ns-ldap@lab.local -ldapBindDnPassword ##password## -ldapLoginName sAMAccountName -groupAttrName "memberOf" -subAttributeName "cn" -ssoNameAttribute userPrincipalName -passwdChange ENABLED -followReferrals ON
add authentication ldappolicy LDAP_UPN ns_true LDAP_UPN
add authentication ldappolicy LDAP_SAM ns_true LDAP_SAM
```
```
#Bind LDAP Policies
bind authentication vserver AAA_Exchange_2016 -policy LDAP_UPN -priority 100
bind authentication vserver AAA_Exchange_2016 -policy LDAP_SAM -priority 110
```
2.7.2 SSO Traffic Policies
```
#Create AAA Session Policy
#Replace "ssoDomain"
add tm sessionAction tm_act_exchange2016_owa_sso -defaultAuthorization ALLOW -SSO ON -ssoDomain 'lab.local'
add tm sessionPolicy tm_pol_exchange2016_owa_sso 'HTTP.REQ.URL.CONTAINS("/owa/auth/logon.aspx")' tm_act_exchange2016_owa_sso
```
```
#Create SSO Form and Policies
add tm formSSOAction sso_profile_exchange_2016_owa -actionURL "/owa/auth.owa" -userField "username" -passwdField "password" -responsesize "60000" -ssoSuccessRule 'HTTP.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70)' -nvtype DYNAMIC -submitMethod POST
add tm trafficAction traffic_prof_exchange_2016_owa -SSO ON -appTimeout 1 -formSSOAction sso_profile_exchange_2016_owa
add tm trafficAction traffic_prof_exchange_2016_owa_logout -InitiateLogout ON
add tm trafficPolicy traffic_pol_exchange_2016_owa 'HTTP.REQ.URL.CONTAINS("/owa/auth/logon.aspx")' traffic_prof_exchange_2016_owa
add tm trafficPolicy traffic_pol_exchange_2016_owa_logout 'HTTP.REQ.URL.CONTAINS("/owa/logoff.owa")' traffic_prof_exchange_2016_owa_logout
```
```
#Bind SSO Policies to the OWA vServer
bind lb vserver lb_vsrv_ex2016_owa -policyName traffic_pol_exchange_2016_owa -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_owa -policyName traffic_pol_exchange_2016_owa_logout -priority 110 -gotoPriorityExpression END -type REQUEST
```
```
#Set FBA and 401 authentication
#Replace AuthenticationHost FQDN
set lb vserver lb_vsrv_ex2016_owa -Authentication ON -authnVsName AAA_Exchange_2016 -AuthenticationHost aaa.flashmob-saulgau.de
set lb vserver lb_vsrv_ex2016_ecp -Authentication ON -authnVsName AAA_Exchange_2016 -AuthenticationHost aaa.flashmob-saulgau.de
set lb vserver lb_vsrv_ex2016_activesync -authn401 ON -authnVsName AAA_Exchange_2016
set lb vserver lb_vsrv_ex2016_autodiscover -authn401 ON -authnVsName AAA_Exchange_2016
set lb vserver lb_vsrv_ex2016_rpc -authn401 ON -authnVsName AAA_Exchange_2016
set lb vserver lb_vsrv_ex2016_ews -authn401 ON -authnVsName AAA_Exchange_2016
set lb vserver lb_vsrv_ex2016_oab -authn401 ON -authnVsName AAA_Exchange_2016
set lb vserver lb_vsrv_ex2016_mapi -authn401 ON -authnVsName AAA_Exchange_2016
```
```
#Content Switch AAA
#Replace AuthenticationHost FQDN
add cs action cs_act_aaa -targetVserver AAA_Exchange_2016
add cs policy cs_pol_aaa -rule 'HTTP.REQ.HOSTNAME.EQ("aaa.flashmob-saulgau.de")' -action cs_act_aaa
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_aaa -priority 90
```
The AAA content switch policy must have the lowest priority value of all the policies bound to the content switch, so that it is evaluated before the URL-based policies.
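The evaluation order from sections 2.6 and 2.7.2, as an added Python model (not code from the original post or from Citrix): the policies bound to cs_exchange2016_ssl are tried in ascending priority and the first matching rule picks the target vserver, which is why a request to the AAA hostname only reaches AAA_Exchange_2016 while cs_pol_aaa keeps the lowest priority. The request hostnames and paths are constructed inputs; the rules and priorities are the page's own.

```python
"""Added example, not from the original post: an offline model of how the
NetScaler content switch picks a target with the policies this page binds.
Only the two expression forms the page uses are modelled."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

Rule = Callable[[str, str], bool]  # (hostname, url) -> bool


def url_contains(needle: str) -> Rule:
    """HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(needle): a substring
    test anywhere in the URL, independent of case."""
    return lambda host, url: needle.lower() in url.lower()


def hostname_eq(expected: str) -> Rule:
    """HTTP.REQ.HOSTNAME.EQ(expected): exact comparison, as written in the rule."""
    return lambda host, url: host == expected


@dataclass(frozen=True)
class CsPolicy:
    name: str
    priority: int
    rule: Rule
    target: str  # vserver selected by the cs action the policy points to


# The bindings exactly as the page creates them on cs_exchange2016_ssl.
CS_POLICIES: List[CsPolicy] = [
    CsPolicy("cs_pol_aaa", 90, hostname_eq("aaa.flashmob-saulgau.de"), "AAA_Exchange_2016"),
    CsPolicy("cs_pol_owa", 100, url_contains("/owa"), "lb_vsrv_ex2016_owa"),
    CsPolicy("cs_pol_ews", 110, url_contains("/ews"), "lb_vsrv_ex2016_ews"),
    CsPolicy("cs_pol_autodiscover", 120, url_contains("/autodiscover"), "lb_vsrv_ex2016_autodiscover"),
    CsPolicy("cs_pol_activesync", 130, url_contains("Microsoft"), "lb_vsrv_ex2016_activesync"),
    CsPolicy("cs_pol_oab", 140, url_contains("/oab"), "lb_vsrv_ex2016_oab"),
    CsPolicy("cs_pol_mapi", 150, url_contains("/mapi"), "lb_vsrv_ex2016_mapi"),
    CsPolicy("cs_pol_rpc", 160, url_contains("/rpc"), "lb_vsrv_ex2016_rpc"),
    CsPolicy("cs_pol_ecp", 170, url_contains("/ecp"), "lb_vsrv_ex2016_ecp"),
    CsPolicy("cs_pol_cgi", 180, url_contains("/cgi"), "lb_vsrv_ex2016_owa"),
    CsPolicy("cs_pol_owa_redirect", 190, hostname_eq("mail.flashmob-saulgau.de"), "lb_vsrv_ex2016_owa"),
]


def route(host: str, url: str, policies: List[CsPolicy] = CS_POLICIES) -> Optional[str]:
    """Target vserver for a request, or None when nothing matches (the page
    binds no default LB vserver, so such a request is not switched anywhere)."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(host, url):
            return pol.target
    return None


def with_priority(policies: List[CsPolicy], name: str, priority: int) -> List[CsPolicy]:
    """Copy of the binding list with one policy re-bound at another priority."""
    return [replace(p, priority=priority) if p.name == name else p for p in policies]


if __name__ == "__main__":
    # Constructed request to the AAA hostname whose path also matches cs_pol_cgi:
    # it reaches AAA only while cs_pol_aaa is bound below every URL policy.
    print(route("aaa.flashmob-saulgau.de", "/cgi/login"))
    print(route("aaa.flashmob-saulgau.de", "/cgi/login",
                with_priority(CS_POLICIES, "cs_pol_aaa", 200)))
```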
2.7.3 Group Filtering
If you need to restrict external access to members of certain security groups in Active Directory, create the following authorization policies.
```
#Group Filtering
#Replace AD Groups
add authorization policy pol_auth_owa "HTTP.REQ.USER.IS_MEMBER_OF(\"External-OWA\").NOT" DENY
add authorization policy pol_auth_outlook "HTTP.REQ.USER.IS_MEMBER_OF(\"External-Outlook\").NOT" DENY
add authorization policy pol_auth_activesync "HTTP.REQ.USER.IS_MEMBER_OF(\"External-ActiveSync\").NOT" DENY
```
Bind the authorization policies to
the vServers.
```
bind lb vserver lb_vsrv_ex2016_owa -policyName pol_auth_owa -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_ecp -policyName pol_auth_owa -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_rpc -policyName pol_auth_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_mapi -policyName pol_auth_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_ews -policyName pol_auth_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_oab -policyName pol_auth_outlook -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_ex2016_activesync -policyName pol_auth_activesync -priority 100 -gotoPriorityExpression END -type REQUEST
```
When your user is not in the "External-OWA" group but the authentication against the AAA server was successful, you will get the following notification:
"Error: Not a privileged User."
I created a responder HTML page to present a more user-friendly message. This cannot be done via the CLI. Go to AppExpert –> Responder –> HTML Page Imports
```
You are not authorized to use the OWA service.
Please contact the Helpdesk.
0049 - 0000 - 0000
helpdesk@flashmob-saulgau.de
```
Now you can create the responder
policy & action.
```
#OWA Deny Responder
add responder action resp_act_owa_deny respondwithhtmlpage html_owa -responseStatusCode 200
add responder policy resp_pol_owa_deny "HTTP.REQ.USER.IS_MEMBER_OF(\"External-OWA\").NOT" resp_act_owa_deny
bind lb vserver lb_vsrv_ex2016_owa -policyName resp_pol_owa_deny -priority 100 -gotoPriorityExpression END -type REQUEST
```
2.8 Front End Optimization (Enterprise)
I could not test this feature very much, so I configured it as described in the Citrix whitepaper. If the optimization action "Moderate" does not meet your expectations you can try the "Aggressive" mode. You can verify that FEO is working within the GUI. Go to Optimization –> Front End Optimization –> Statistics ("stat feo" in the CLI)
```
#Enable Front End Optimization
enable ns feature FEO
#Front End Optimization
#Replace FQDN
add feo policy feo_pol_exchange2016 'HTTP.REQ.HOSTNAME.CONTAINS("mail.flashmob-saulgau.de")' MODERATE
bind cs vserver cs_exchange2016_ssl -policyName feo_pol_exchange2016 -priority 100
```
2.9 Integrated Caching (Platinum)
In the Citrix docs it is recommended to allocate less than half of the NetScaler's memory to integrated caching. Set the parameter "memLimit" to a value that fits your appliance; I am using 500 MB. You can verify that the cache is working within the GUI. Go to Optimization –> Integrated Caching –> View Cache Objects ("show cache object" in the CLI)
```
#Enable Integrated Caching
enable ns feature IC
#Integrated Caching
set cache parameter -memLimit 500
set serviceGroup svcgrp_ex2016_owa -CMP YES
set serviceGroup svcgrp_ex2016_activesync -CMP YES
set serviceGroup svcgrp_ex2016_rpc -CMP YES
set serviceGroup svcgrp_ex2016_ews -CMP YES
set serviceGroup svcgrp_ex2016_autodisover -CMP YES
set serviceGroup svcgrp_ex2016_oab -CMP YES
set serviceGroup svcgrp_ex2016_mapi -CMP YES
set serviceGroup svcgrp_ex2016_ecp -CMP YES
add cache contentGroup cache_group_exchange2016 -type HTTP -weakNegRelExpiry 233 -weakPosRelExpiry 233
add cache policy cache_pol_exchange2016 -rule 'TRUE' -action CACHE -storeInGroup cache_group_exchange2016
bind cs vserver cs_exchange2016_ssl -policyName cache_pol_exchange2016 -priority 100 -type REQUEST
```