NetScaler not only covers the functionality of Forefront Threat Management Gateway (TMG) but adds many features to optimize, protect and scale web-based applications. One of its main uses is to front-end applications such as Microsoft Lync, SharePoint and Exchange in enterprise data centers of any size. Most TMG customers, however, used it for one thing: secure access to Exchange for e-mail synchronization.
There is a Citrix document describing what is possible with NetScaler, including a nice feature matrix, but there is no step-by-step guide or best-practices document for configuring NetScaler to load balance Exchange with properly configured authentication for all services. So I will share my personal experience. With this guide you should be able to configure a NetScaler for external access with e-mail authentication and SSO to the Client Access Server (CAS).
Prerequisites
- Configure your NetScaler according to the best practices guide and, since the box will sit in the DMZ, harden it according to the secure deployment guide
- Make sure at least one NetScaler Enterprise license is installed (AAA-TM needs it)
- Enable at least the following features: LB, SSL, CS, REWRITE, AAA and RESPONDER
- Set the time zone and NTP server, and check the date and time on the NetScaler
- Configure DNS properly
- Request and install the necessary certificates: at least two host certificates, one for the CS vserver and one for the AAA vserver, or use a wildcard certificate
- Create a server object under Load Balancing for each Exchange server
- Create a custom monitor for each Exchange service:
- /owa (Outlook Web App)
- /ecp (Exchange Control Panel)
- /ews (Exchange Web Services)
- /Microsoft-Server-ActiveSync (ActiveSync, for mobile e-mail clients)
- /oab (Offline Address Book)
- /rpc (Outlook Anywhere, RPC over HTTPS)
- /Autodiscover (Autodiscover service)
- Create a service group for each Exchange service and bind the server objects and the matching monitor to it
- Create an LB vserver for each Exchange service, bind the matching service group and a certificate to it (a self-signed one is fine). You can uncheck "Directly Addressable" because the LB vservers will later be bound to a CS vserver. Use a suitable load balancing method such as least connection and a useful persistence such as SSLSESSION.
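As an added example (this is not the post's own ns.conf excerpt), the prerequisite objects from the list above written as NetScaler CLI commands. All object names, the two CAS addresses 10.0.0.11 and 10.0.0.12 and the certificate file names are assumptions. The monitors probe the per-protocol healthcheck.htm pages that Exchange 2013 serves; the commented-out line shows the fallback for Exchange 2010, which has no such page.

```text
# Certificate: assumed file names, already copied to /nsconfig/ssl on the appliance
add ssl certKey wildcard_cert -cert wildcard.cer -key wildcard.key

# One server object per Exchange CAS (assumed names and addresses)
add server CAS01 10.0.0.11
add server CAS02 10.0.0.12

# One monitor per virtual directory. Exchange 2013 publishes <vdir>/healthcheck.htm,
# which answers 200 only while that protocol is healthy on the CAS, so a failing
# protocol takes just that member of that service group out of rotation.
add lb monitor mon_owa HTTP -httpRequest "GET /owa/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_ecp HTTP -httpRequest "GET /ecp/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_ews HTTP -httpRequest "GET /ews/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_eas HTTP -httpRequest "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_oab HTTP -httpRequest "GET /oab/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_rpc HTTP -httpRequest "GET /rpc/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
add lb monitor mon_autodiscover HTTP -httpRequest "GET /autodiscover/healthcheck.htm" -respCode 200 -secure YES -interval 10 -resptimeout 5
# Exchange 2010 has no healthcheck.htm. Probe the directory itself and accept the
# 302/401/403 an unauthenticated request receives as "up" (same pattern for the other vdirs):
# add lb monitor mon_owa HTTP -httpRequest "GET /owa/" -respCode 302 401 403 -secure YES -interval 10 -resptimeout 5

# Per service: a service group with both CAS and the monitor, plus a non-addressable
# (0.0.0.0:0) SSL LB vserver that is only reachable through the CS vserver
add serviceGroup svg_owa SSL
bind serviceGroup svg_owa CAS01 443
bind serviceGroup svg_owa CAS02 443
bind serviceGroup svg_owa -monitorName mon_owa
add lb vserver vs_owa SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_owa svg_owa
bind ssl vserver vs_owa -certkeyName wildcard_cert

add serviceGroup svg_ecp SSL
bind serviceGroup svg_ecp CAS01 443
bind serviceGroup svg_ecp CAS02 443
bind serviceGroup svg_ecp -monitorName mon_ecp
add lb vserver vs_ecp SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_ecp svg_ecp
bind ssl vserver vs_ecp -certkeyName wildcard_cert

add serviceGroup svg_ews SSL
bind serviceGroup svg_ews CAS01 443
bind serviceGroup svg_ews CAS02 443
bind serviceGroup svg_ews -monitorName mon_ews
add lb vserver vs_ews SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_ews svg_ews
bind ssl vserver vs_ews -certkeyName wildcard_cert

add serviceGroup svg_eas SSL
bind serviceGroup svg_eas CAS01 443
bind serviceGroup svg_eas CAS02 443
bind serviceGroup svg_eas -monitorName mon_eas
add lb vserver vs_eas SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_eas svg_eas
bind ssl vserver vs_eas -certkeyName wildcard_cert

add serviceGroup svg_oab SSL
bind serviceGroup svg_oab CAS01 443
bind serviceGroup svg_oab CAS02 443
bind serviceGroup svg_oab -monitorName mon_oab
add lb vserver vs_oab SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_oab svg_oab
bind ssl vserver vs_oab -certkeyName wildcard_cert

add serviceGroup svg_rpc SSL
bind serviceGroup svg_rpc CAS01 443
bind serviceGroup svg_rpc CAS02 443
bind serviceGroup svg_rpc -monitorName mon_rpc
add lb vserver vs_rpc SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_rpc svg_rpc
bind ssl vserver vs_rpc -certkeyName wildcard_cert

add serviceGroup svg_autodiscover SSL
bind serviceGroup svg_autodiscover CAS01 443
bind serviceGroup svg_autodiscover CAS02 443
bind serviceGroup svg_autodiscover -monitorName mon_autodiscover
add lb vserver vs_autodiscover SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION
bind lb vserver vs_autodiscover svg_autodiscover
bind ssl vserver vs_autodiscover -certkeyName wildcard_cert
```

Check the result with `show serviceGroup svg_owa` and `show lb vserver vs_owa`: every member should report state UP with the monitor bound, and the vserver should show state UP even though it has no IP address of its own.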
AAA-TM setup and authentication policies
- Create an AAA vserver with an externally reachable IP address on HTTPS and bind the matching certificate to it
- Create an LDAP authentication profile and policy (with the expression ns_true) and bind them to the AAA vserver
- Create a session profile and policy (with ns_true) with the following settings and bind them to the AAA vserver. Some of these parameters come from a post in the Citrix forum: with HTTPOnly Cookie set to "Yes", some native Android e-mail clients fail to synchronize mail, so leave it off.
- Create form-based SSO profiles for OWA. You can additionally differentiate between private and public computers based on source IP, group membership or other triggers. For private computers just change the name-value pair to "flags=4&trusted=4". This applies to Exchange 2010; I have yet to validate it for Exchange 2013.
- Create a traffic profile for each form-based SSO profile and another one for logout
- Create the necessary traffic policies. In my case, users who are members of the AD group "VIP" or who come from an internal network get the private OWA form; all others get the public one. Also create the logout policy with the logout action and the appropriate URL.
- Bind the OWA SSO traffic policies to the OWA LB vserver and the logout policy globally
- Configure authorization policies if necessary, to lock down ports and IP access or to limit the attachment types that can be uploaded and downloaded, and bind them appropriately
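The AAA-TM section above as NetScaler CLI commands, added here as an example and not taken from the post's ns.conf. The AAA vserver address 192.0.2.10, the domain controller 10.0.0.5, the LDAP base and bind DN, the internal network 10.0.0.0/8, the destination URL in the OWA form, the 302 success rule and the "Exchange Admins" group are all assumptions; the flags/trusted values for the public and private OWA forms are the Exchange 2010 values from the post.

```text
# AAA vserver on an externally reachable address (assumed 192.0.2.10; all names assumed)
add authentication vserver vs_aaa SSL 192.0.2.10 443
bind ssl vserver vs_aaa -certkeyName wildcard_cert

# LDAP over TLS to a domain controller (assumed 10.0.0.5). memberOf is fetched so that
# AAA.USER.IS_MEMBER_OF() can be used in traffic and authorization policies; SSO sends the UPN.
add authentication ldapAction ldap_act -serverIP 10.0.0.5 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "CN=svc_netscaler,OU=Service,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_pol ns_true ldap_act
bind authentication vserver vs_aaa -policy ldap_pol -priority 100

# Session profile: SSO on, HttpOnly off because some native Android mail clients
# cannot synchronize when the AAA session cookie is HttpOnly
add tm sessionAction sess_act -sessTimeout 30 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -httpOnlyCookie NO -persistentCookie OFF
add tm sessionPolicy sess_pol ns_true sess_act
bind authentication vserver vs_aaa -policy sess_pol -priority 100

# Form-based SSO into the Exchange 2010 OWA logon form (/owa/auth.owa, fields username/password).
# The public and private profiles differ only in the hidden flags/trusted fields.
# The 302 success rule and the destination URL are assumptions for this example.
add tm formSSOAction fsso_owa_public -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.STATUS.EQ(302)" -nameValuePair "destination=https://mail.example.com/owa/&flags=0&forcedownlevel=0&trusted=0" -nvtype STATIC -submitMethod POST
add tm formSSOAction fsso_owa_private -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.STATUS.EQ(302)" -nameValuePair "destination=https://mail.example.com/owa/&flags=4&forcedownlevel=0&trusted=4" -nvtype STATIC -submitMethod POST

# One traffic action per SSO profile, and one that ends the AAA session on logout
add tm trafficAction tra_owa_public -appTimeout 30 -SSO ON -formSSOAction fsso_owa_public
add tm trafficAction tra_owa_private -appTimeout 30 -SSO ON -formSSOAction fsso_owa_private
add tm trafficAction tra_logout -initiateLogout ON

# Members of the AD group VIP and clients from the internal network (assumed 10.0.0.0/8)
# get the private form; everyone else the public one. Log out when OWA's logoff page is requested.
add tm trafficPolicy trp_owa_private "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\") && (AAA.USER.IS_MEMBER_OF(\"VIP\") || CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8))" tra_owa_private
add tm trafficPolicy trp_owa_public "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" tra_owa_public
add tm trafficPolicy trp_logout "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa/auth/logoff.aspx\")" tra_logout

# Bind the SSO policies to the OWA LB vserver, most specific first (lower priority number
# is evaluated first and END stops after the first match); bind the logout policy globally
bind lb vserver vs_owa -policyName trp_owa_private -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_owa -policyName trp_owa_public -priority 110 -gotoPriorityExpression END -type REQUEST
bind tm global -policyName trp_logout -priority 100

# Authorization example: only members of an (assumed) "Exchange Admins" group may reach /ecp.
# Note that OWA's own Options pages also live under /ecp, so scope a rule like this to your needs.
add authorization policy authz_ecp_admins "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ecp\") && AAA.USER.IS_MEMBER_OF(\"Exchange Admins\").NOT" DENY
bind lb vserver vs_ecp -policyName authz_ecp_admins -priority 100
```

The private policy must carry the lower priority number: both policies match /owa, and with `-gotoPriorityExpression END` the first hit wins, so a VIP user would otherwise always receive the public form. Check which profile a test user gets with `show aaa session` after logging in, or by inspecting the `flags`/`trusted` values in the POST the NetScaler sends to the CAS with nstrace.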
Configure authentication on the LB vservers
- Open the OWA and ECP LB vservers, go to the Advanced tab, enable Authentication under "Authentication Settings", and set the authentication vserver and the authentication FQDN
- Then open all other LB vservers, go to the Advanced tab, enable 401-based authentication under "Authentication Settings", and set the authentication vserver
Configure the /owa redirect policy
- Create a responder action and policy that redirects users requesting / to the /owa directory on the CAS
- Bind this policy to the OWA LB vserver
Create the CS vserver
- Create the CS vserver with the correct IP address and bind the correct certificate to it
- Create a CS policy for each target LB vserver. Use case-insensitive matching to tolerate incorrect client implementations. Because OWA is normally accessed by browsers, I additionally match on the User-Agent header containing "Mozilla".
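The last three sections (authentication on the LB vservers, the /owa redirect and the CS vserver) as NetScaler CLI commands, added as an example that is not the post's own configuration. The vserver names follow the earlier examples, the AAA FQDN aaa.example.com and the published address 192.0.2.11 are assumptions.

```text
# Browser services: form-based (logon page) authentication via the AAA vserver.
# The FQDN is the name on the AAA vserver's certificate (assumed aaa.example.com).
set lb vserver vs_owa -authentication ON -authenticationHost aaa.example.com -authnVsName vs_aaa
set lb vserver vs_ecp -authentication ON -authenticationHost aaa.example.com -authnVsName vs_aaa

# Non-browser protocols: 401-based authentication. The client gets a WWW-Authenticate
# challenge instead of a redirect to the logon page, which is what Outlook, ActiveSync
# and Autodiscover clients can actually handle.
set lb vserver vs_ews -authn401 ON -authnVsName vs_aaa
set lb vserver vs_eas -authn401 ON -authnVsName vs_aaa
set lb vserver vs_oab -authn401 ON -authnVsName vs_aaa
set lb vserver vs_rpc -authn401 ON -authnVsName vs_aaa
set lb vserver vs_autodiscover -authn401 ON -authnVsName vs_aaa

# Redirect requests for "/" to /owa/ on whatever host name the client used
add responder action res_owa_redirect redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + \"/owa/\"" -responseStatusCode 302
add responder policy resp_owa_redirect "HTTP.REQ.URL.PATH.EQ(\"/\")" res_owa_redirect
bind lb vserver vs_owa -policyName resp_owa_redirect -priority 100 -gotoPriorityExpression END -type REQUEST

# Content switching vserver on the published address (assumed 192.0.2.11).
# SET_TEXT_MODE(IGNORECASE) tolerates clients that request /OWA, /EWS and so on.
add cs vserver vs_cs SSL 192.0.2.11 443
bind ssl vserver vs_cs -certkeyName wildcard_cert
add cs policy csp_owa -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Mozilla\")"
add cs policy csp_ecp -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ecp\")"
add cs policy csp_ews -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ews\")"
add cs policy csp_eas -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/microsoft-server-activesync\")"
add cs policy csp_oab -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/oab\")"
add cs policy csp_rpc -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/rpc\")"
add cs policy csp_autodiscover -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/autodiscover\")"
bind cs vserver vs_cs -policyName csp_owa -targetLBVserver vs_owa -priority 100
bind cs vserver vs_cs -policyName csp_ecp -targetLBVserver vs_ecp -priority 110
bind cs vserver vs_cs -policyName csp_ews -targetLBVserver vs_ews -priority 120
bind cs vserver vs_cs -policyName csp_eas -targetLBVserver vs_eas -priority 130
bind cs vserver vs_cs -policyName csp_oab -targetLBVserver vs_oab -priority 140
bind cs vserver vs_cs -policyName csp_rpc -targetLBVserver vs_rpc -priority 150
bind cs vserver vs_cs -policyName csp_autodiscover -targetLBVserver vs_autodiscover -priority 160

# Anything that matches no policy (including "/") lands on the OWA vserver,
# where the responder policy above turns it into the /owa/ redirect
bind cs vserver vs_cs -lbvserver vs_owa
```

Two things to verify after applying this. First, `curl -k -I https://mail.example.com/Microsoft-Server-ActiveSync` should return 401 with a WWW-Authenticate header, while the same request to /owa/ should return a 302 to the AAA vserver's logon page. Second, with 401-based authentication the NetScaler replays the user's credentials to the CAS with HTTP Basic (unless you configure KCD as in the guide linked at the end), so the CAS virtual directories behind these vservers must accept Basic authentication from the NetScaler, or SSO will loop on 401.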
With this information you should be able to set up a NetScaler as a replacement for TMG in front of Exchange 2013. The configuration also applies to Exchange 2010; unfortunately Exchange 2010 has no dedicated health-check service to monitor as Exchange 2013 does, so the monitors have to probe the virtual directories themselves.
Here is the ns.conf excerpt for this configuration:
ns.conf_tmg
Thanks to Rafyel Brooks, who has done excellent work, we now also have a guide for client certificate-based authentication with Kerberos Constrained Delegation SSO:
How to configure Citrix NetScaler for client certificate-based authentication with KCD SSO for ActiveSync v1.1