Tag Archives: citrix

Citrix, NetScaler

NetScaler Gateway – Two-Factor Authentication – How to hide 2nd password field

Some two-factor products (e.g. DUO, SMS Passcode) require you to hide the second password field on the NetScaler Gateway logon page. The easiest way is to use Rewrite policies, which works for both the web browser and Receiver self-service.

Tested with:

Citrix Receiver for Windows 4.6.0
Citrix Receiver for Mac 12.4.0
NetScaler 11.1 51.26.nc

If you have any file-level customizations on the NetScaler, reset them to the default settings before making these Rewrite policy modifications.

For Web browser:

1. Create a Rewrite Action

Type: INSERT_HTTP_HEADER
Header Name: Set-Cookie
Expression: ("pwcount=" + "1")

2. Create a Rewrite Policy

Action: Select the rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: HTTP.REQ.HEADER("Set-Cookie").CONTAINS("pwcount").NOT

Bind this policy to the NetScaler Gateway Virtual Server where 2FA is configured.

For Receiver Self-Service:

1. Create a Rewrite Action

Type: INSERT_AFTER_ALL
Expression to choose target location: http.res.body(1024)
Expression: "\r\n" + "<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">" (the inner quotes must be backslash-escaped)
Pattern: content="text/html; charset=UTF-8">

2. Create a Rewrite Policy

Action: Select the Rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: http.req.url.path.endswith("vpn/index.html")

Bind this policy to the NetScaler Gateway Virtual Server where 2FA is configured.
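A way to confirm that both rewrites actually reach the client, as an added example that is not part of the post and not NetScaler code: it fetches /vpn/index.html from the Gateway and reports whether the pwcount=1 cookie (browser rewrite) and the X-Citrix-AM-GatewayAuthType META tag (Receiver rewrite) are present. The hostname gateway.example.com is a placeholder, and the SAMPLE_* values are constructed to show the shape of a correctly rewritten response.

```python
import re
import ssl
import http.client

# META tag text as given in the post; content value is captured so it can be reported.
META_RE = re.compile(
    r'<META\s+http-equiv="X-Citrix-AM-GatewayAuthType"\s+content="([^"]*)"\s*>',
    re.IGNORECASE,
)
# Cookie pair set by the browser rewrite; anchored so that e.g. "xpwcount=1" does not match.
PWCOUNT_RE = re.compile(r'(?:^|;\s*)pwcount=(\d+)')

# Constructed sample of a rewritten response (not captured from a real Gateway).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "NSC_TASS=placeholder; Secure; HttpOnly"),
    ("Set-Cookie", "pwcount=1"),
]
SAMPLE_BODY = (
    '<html><head>'
    '<META http-equiv="Content-Type" content="text/html; charset=UTF-8">\r\n'
    '<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">'
    '<title>Citrix Gateway</title></head><body></body></html>'
)


def check_rewrites(headers, body):
    """Evaluate one response from the Gateway.

    headers: list of (name, value) tuples as http.client returns them (several
    Set-Cookie headers are common); body: response body as text.
    Returns a dict describing which rewrites are visible.
    """
    pwcount = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            m = PWCOUNT_RE.search(value)
            if m:
                pwcount = int(m.group(1))
    meta = META_RE.search(body)
    return {
        # browser rewrite: the logon page hides the second field when pwcount=1
        "pwcount_cookie": pwcount,
        # Receiver rewrite: META tag present, and its content value (expected "SMS")
        "gateway_auth_type": meta.group(1) if meta else None,
        # the rewrite only scans http.res.body(1024), so the tag must sit near the top
        "meta_offset": meta.start() if meta else None,
    }


def fetch_index(host, path="/vpn/index.html", timeout=5):
    """GET the logon page over HTTPS and return (headers, body)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", path, headers={"Host": host, "User-Agent": "rewrite-check"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.getheaders(), body


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"  # placeholder
    result = check_rewrites(*fetch_index(host))
    ok = result["pwcount_cookie"] == 1 and result["gateway_auth_type"] == "SMS"
    print(result, "OK" if ok else "rewrite(s) missing")
```

Run it against the Gateway FQDN after binding the policies; a missing cookie points at the browser rewrite, a missing or late META tag (offset beyond the first 1024 bytes) points at the Receiver rewrite or its pattern.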

Citrix, Exchange, NetScaler

NetScaler – Restrict SMTP Relay

A quick way to restrict Exchange SMTP relay through a NetScaler is Extended ACLs. SMTP relay can also be restricted on the Exchange servers or on firewalls using ACLs, but firewalls are sometimes managed by a third-party company, and then it is easier to manage the ACLs on the NetScaler. Here is an example of how to configure it from the NetScaler console:

#add Extended ACLs: allow the listed source hosts to reach the SMTP virtual server on TCP/25
#(ACLs are evaluated in priority order, lowest number first)
add ns acl InboundSMTP1 ALLOW -srcIP = 10.xxx.xxx.131 -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 101
add ns acl InboundSMTP2 ALLOW -srcIP = 10.xxx.xxx.123 -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 102
add ns acl InboundSMTP3 ALLOW -srcIP = 10.xxx.xxx.124 -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 103
add ns acl InboundSMTP4 ALLOW -srcIP = 10.xxx.xxx.162 -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 104
add ns acl InboundSMTP5 ALLOW -srcIP = 10.xxx.xxx.50 -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 105
#deny rest: any other source reaching the SMTP virtual server on TCP/25 is dropped
add ns acl InboundSMTPSDeny DENY -destIP = 10.xxx.xxx.135 -destPort = 25 -protocol TCP -priority 300
#apply ACLs (ACL changes only take effect after this)
apply ns acls
#save netscaler config
save ns config
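The ACL logic above modelled in Python, as an added example that is not NetScaler code and not from the post: a first-match evaluator in priority order, plus a check for ALLOW rules that a broader DENY with a lower priority number would shadow (the ordering mistake that silently breaks this setup). The 10.0.0.x addresses are constructed stand-ins for the redacted 10.xxx.xxx.x values; the fall-through to ALLOW when no ACL matches reflects the NetScaler default that the post's catch-all DENY exists to cover.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Acl:
    """One extended ACL as written in the post: exact-match (=) fields, None = any."""
    name: str
    action: str                    # "ALLOW" or "DENY"
    priority: int                  # lower number is evaluated first
    src_ip: Optional[str] = None
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None
    protocol: Optional[str] = None

    def values(self):
        return (self.src_ip, self.dest_ip, self.dest_port, self.protocol)

    def matches(self, src_ip, dest_ip, dest_port, protocol):
        packet = (src_ip, dest_ip, dest_port, protocol)
        return all(want is None or want == got
                   for want, got in zip(self.values(), packet))

    def covers(self, other):
        """True if every packet matching `other` also matches this ACL."""
        return all(mine is None or mine == theirs
                   for mine, theirs in zip(self.values(), other.values()))


SMTP_VIP = "10.0.0.135"   # constructed stand-in for the redacted SMTP virtual server address
ACLS = [
    Acl("InboundSMTP1", "ALLOW", 101, "10.0.0.131", SMTP_VIP, 25, "TCP"),
    Acl("InboundSMTP2", "ALLOW", 102, "10.0.0.123", SMTP_VIP, 25, "TCP"),
    Acl("InboundSMTP3", "ALLOW", 103, "10.0.0.124", SMTP_VIP, 25, "TCP"),
    Acl("InboundSMTP4", "ALLOW", 104, "10.0.0.162", SMTP_VIP, 25, "TCP"),
    Acl("InboundSMTP5", "ALLOW", 105, "10.0.0.50", SMTP_VIP, 25, "TCP"),
    Acl("InboundSMTPSDeny", "DENY", 300, None, SMTP_VIP, 25, "TCP"),
]


def evaluate(acls, src_ip, dest_ip, dest_port, protocol="TCP"):
    """First ACL in priority order that matches decides (action, name).

    If nothing matches the packet is allowed, which is the NetScaler default
    and the reason the post adds a catch-all DENY for the SMTP VIP.
    """
    for acl in sorted(acls, key=lambda a: a.priority):
        if acl.matches(src_ip, dest_ip, dest_port, protocol):
            return acl.action, acl.name
    return "ALLOW", None


def shadowed_allows(acls):
    """Names of ALLOW ACLs that can never fire because a broader DENY is evaluated first."""
    denies = [a for a in acls if a.action == "DENY"]
    return [a.name for a in acls if a.action == "ALLOW"
            and any(d.priority < a.priority and d.covers(a) for d in denies)]


if __name__ == "__main__":
    for src, port in [("10.0.0.131", 25), ("10.0.0.99", 25), ("10.0.0.99", 443)]:
        print(src, "->", f"{SMTP_VIP}:{port}", evaluate(ACLS, src, SMTP_VIP, port))
    print("shadowed:", shadowed_allows(ACLS))
```

The shadow check matters because NetScaler evaluates the lowest priority number first: giving the DENY priority 100 instead of 300 would leave the configuration syntactically valid while blocking every sender.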

Blog, Citrix, Exchange, Load Balancing, NetScaler

Citrix NetScaler Console Commands to Load Balance Microsoft Exchange 2013 with Content Switching

NetScaler console commands to load balance Microsoft Exchange 2013 CAS servers with Content Switching and advanced monitoring. Prerequisite: the server certificate exported from an Exchange CAS server and installed on the NetScaler.

It might take one full day and a lot of coffee to configure this from the NetScaler GUI; with console commands you'll do it in a couple of minutes.

You can copy and paste this whole script into your NetScaler console. Remember to install the certificate first, and you probably want to change the IP addresses and server names before executing the commands 🙂

More information about Load Balancing Exchange 2013:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf


#ADD CAS SERVERS
add server EXCHANGE01 10.100.100.101
add server EXCHANGE02 10.100.100.102
add server EXCHANGE03 10.100.100.103
#ADD SERVICE GROUPS FOR EXCHANGE SSL
add serviceGroup service_group_cas_owa SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_rpc SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_ews SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_activesync SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_autodiscover SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_ecp SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_mapi SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup service_group_cas_oab SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
#ADD SERVICE GROUP FOR EXCHANGE SMTP
add serviceGroup service_group_cas_smtp TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
#ADD VIRTUAL SERVERS FOR EXCHANGE SSL
add lb vserver exchange_v_cas_owa SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_rpc SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_activesync SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_ews SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_autodiscover SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_ecp SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_mapi SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
add lb vserver exchange_v_cas_oab SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy NONE -cltTimeout 180
#ADD VIRTUAL SERVER FOR EXCHANGE SMTP
add lb vserver exchange_v_cas_smtp TCP 10.106.102.135 25 -persistenceType NONE -Listenpolicy NONE -cltTimeout 9000
#ADD CONTENT SWITCHING VIRTUAL SERVER FOR EXCHANGE SSL
add cs vserver exchange-cs-cas-vserver SSL 10.106.102.136 443 -cltTimeout 180 -Listenpolicy NONE
#ADD CONTENT SWITCHING ACTIONS
add cs action exchange_cs_act_owa -targetLBVserver exchange_v_cas_owa
add cs action exchange_cs_act_activesync -targetLBVserver exchange_v_cas_activesync
add cs action exchange_cs_act_rpc -targetLBVserver exchange_v_cas_rpc
add cs action exchange_cs_act_ews -targetLBVserver exchange_v_cas_ews
add cs action exchange_cs_act_autodiscover -targetLBVserver exchange_v_cas_autodiscover
add cs action exchange_cs_act_ecp -targetLBVserver exchange_v_cas_ecp
add cs action exchange_cs_act_mapi -targetLBVserver exchange_v_cas_mapi
add cs action exchange_cs_act_oab -targetLBVserver exchange_v_cas_oab
#ADD CONTENT SWITCHING POLICIES (quotes inside the rule are backslash-escaped for the CLI)
add cs policy exchange_cs_pol_autodiscover -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/autodiscover\")" -action exchange_cs_act_autodiscover
add cs policy exchange_cs_pol_ecp -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/ecp\")" -action exchange_cs_act_ecp
add cs policy exchange_cs_pol_mapi -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/mapi\")" -action exchange_cs_act_mapi
add cs policy exchange_cs_pol_oab -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oab\")" -action exchange_cs_act_oab
add cs policy exchange_cs_pol_ews -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/ews\")" -action exchange_cs_act_ews
add cs policy exchange_cs_pol_activesync -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/Microsoft-Server-ActiveSync\")" -action exchange_cs_act_activesync
add cs policy exchange_cs_pol_owa -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/owa\")" -action exchange_cs_act_owa
add cs policy exchange_cs_pol_rpc -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/rpc\")" -action exchange_cs_act_rpc
#BIND SERVICE GROUPS TO LOAD BALANCING VIRTUAL SERVERS
bind lb vserver exchange_v_cas_owa service_group_cas_owa
bind lb vserver exchange_v_cas_rpc service_group_cas_rpc
bind lb vserver exchange_v_cas_ews service_group_cas_ews
bind lb vserver exchange_v_cas_activesync service_group_cas_activesync
bind lb vserver exchange_v_cas_autodiscover service_group_cas_autodiscover
bind lb vserver exchange_v_cas_ecp service_group_cas_ecp
bind lb vserver exchange_v_cas_mapi service_group_cas_mapi
bind lb vserver exchange_v_cas_oab service_group_cas_oab
bind lb vserver exchange_v_cas_smtp service_group_cas_smtp
#BIND CONTENT SWITCHING POLICIES TO THE CONTENT SWITCHING VIRTUAL SERVER (lowest priority number is evaluated first)
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_autodiscover -priority 100
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_ecp -priority 110
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_mapi -priority 120
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_oab -priority 130
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_ews -priority 140
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_activesync -priority 150
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_owa -priority 160
bind cs vserver exchange-cs-cas-vserver -policyName exchange_cs_pol_rpc -priority 170
#ADD MONITORS FOR EXCHANGE SSL
add lb monitor monitor-owa HTTP -respCode 200 -httpRequest "GET /owa/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-ews HTTP -respCode 200 -httpRequest "GET /ews/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-activesync HTTP -respCode 200 -httpRequest "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-rpc HTTP -respCode 200 -httpRequest "GET /rpc/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-autodiscover HTTP -respCode 200 -httpRequest "GET /Autodiscover/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-ecp HTTP -respCode 200 -httpRequest "GET /ecp/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-mapi HTTP -respCode 200 -httpRequest "GET /mapi/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
add lb monitor monitor-oab HTTP -respCode 200 -httpRequest "GET /OAB/healthcheck.htm" -LRTM DISABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES
#ADD MONITOR FOR EXCHANGE SMTP
add lb monitor monitor-smtp SMTP -scriptName nssmtp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -deviation 0 -interval 30 -resptimeout 5 -downTime 2 MIN
#BIND SERVERS TO SERVICE GROUPS
bind serviceGroup service_group_cas_owa EXCHANGE01 443
bind serviceGroup service_group_cas_owa EXCHANGE02 443
bind serviceGroup service_group_cas_owa EXCHANGE03 443
bind serviceGroup service_group_cas_owa -monitorName monitor-owa
bind serviceGroup service_group_cas_rpc EXCHANGE01 443
bind serviceGroup service_group_cas_rpc EXCHANGE02 443
bind serviceGroup service_group_cas_rpc EXCHANGE03 443
bind serviceGroup service_group_cas_rpc -monitorName monitor-rpc
bind serviceGroup service_group_cas_ews EXCHANGE01 443
bind serviceGroup service_group_cas_ews EXCHANGE02 443
bind serviceGroup service_group_cas_ews EXCHANGE03 443
bind serviceGroup service_group_cas_ews -monitorName monitor-ews
bind serviceGroup service_group_cas_activesync EXCHANGE01 443
bind serviceGroup service_group_cas_activesync EXCHANGE02 443
bind serviceGroup service_group_cas_activesync EXCHANGE03 443
bind serviceGroup service_group_cas_activesync -monitorName monitor-activesync
bind serviceGroup service_group_cas_autodiscover EXCHANGE01 443
bind serviceGroup service_group_cas_autodiscover EXCHANGE02 443
bind serviceGroup service_group_cas_autodiscover EXCHANGE03 443
bind serviceGroup service_group_cas_autodiscover -monitorName monitor-autodiscover
bind serviceGroup service_group_cas_ecp EXCHANGE01 443
bind serviceGroup service_group_cas_ecp EXCHANGE02 443
bind serviceGroup service_group_cas_ecp EXCHANGE03 443
bind serviceGroup service_group_cas_ecp -monitorName monitor-ecp
bind serviceGroup service_group_cas_mapi EXCHANGE01 443
bind serviceGroup service_group_cas_mapi EXCHANGE02 443
bind serviceGroup service_group_cas_mapi EXCHANGE03 443
bind serviceGroup service_group_cas_mapi -monitorName monitor-mapi
bind serviceGroup service_group_cas_oab EXCHANGE01 443
bind serviceGroup service_group_cas_oab EXCHANGE02 443
bind serviceGroup service_group_cas_oab EXCHANGE03 443
bind serviceGroup service_group_cas_oab -monitorName monitor-oab
bind serviceGroup service_group_cas_smtp EXCHANGE01 25
bind serviceGroup service_group_cas_smtp EXCHANGE02 25
bind serviceGroup service_group_cas_smtp EXCHANGE03 25
bind serviceGroup service_group_cas_smtp -monitorName monitor-smtp
#DISABLE SSL3, TLS1.1 AND TLS1.2 ON THE SERVICE GROUPS (back-end connections to the CAS servers are then TLS1.0 only)
set ssl serviceGroup service_group_cas_oab -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_mapi -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_ecp -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_autodiscover -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_activesync -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_ews -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_rpc -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl serviceGroup service_group_cas_owa -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
#DISABLE SSL3 FROM VIRTUAL SERVERS
set ssl vserver exchange_v_cas_owa -ssl3 DISABLED
set ssl vserver exchange_v_cas_rpc -ssl3 DISABLED
set ssl vserver exchange_v_cas_activesync -ssl3 DISABLED
set ssl vserver exchange_v_cas_ews -ssl3 DISABLED
set ssl vserver exchange_v_cas_autodiscover -ssl3 DISABLED
set ssl vserver exchange_v_cas_ecp -ssl3 DISABLED
set ssl vserver exchange_v_cas_mapi -ssl3 DISABLED
set ssl vserver exchange_v_cas_oab -ssl3 DISABLED
set ssl vserver exchange-cs-cas-vserver -ssl3 DISABLED
#BIND SERVER CERTIFICATE TO VIRTUAL SERVERS
bind ssl vserver exchange_v_cas_owa -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_rpc -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_activesync -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_ews -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_autodiscover -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_ecp -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_mapi -certkeyName mail_janikohonen_com
bind ssl vserver exchange_v_cas_oab -certkeyName mail_janikohonen_com
#BIND SERVER CERTIFICATE TO CONTENT SWITCHING VIRTUAL SERVER
bind ssl vserver exchange-cs-cas-vserver -certkeyName mail_janikohonen_com
#SAVE CONFIG AND ENJOY!
save ns config
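The content-switching decision in the script above, modelled in Python as an added example (not NetScaler code and not from the post): the eight policies are evaluated lowest priority number first, each doing a case-insensitive substring test on the whole request URL, and the first hit selects the target load balancing virtual server. The URLs in SAMPLE_URLS are constructed; the one whose query string mentions /ecp shows that HTTP.REQ.URL includes the query string, and the path_only option shows what matching on HTTP.REQ.URL.PATH instead would give.

```python
from urllib.parse import urlsplit

# (priority, policy, substring from the CONTAINS() rule, target LB vserver) as bound above.
CS_BINDINGS = [
    (100, "exchange_cs_pol_autodiscover", "/autodiscover", "exchange_v_cas_autodiscover"),
    (110, "exchange_cs_pol_ecp", "/ecp", "exchange_v_cas_ecp"),
    (120, "exchange_cs_pol_mapi", "/mapi", "exchange_v_cas_mapi"),
    (130, "exchange_cs_pol_oab", "/oab", "exchange_v_cas_oab"),
    (140, "exchange_cs_pol_ews", "/ews", "exchange_v_cas_ews"),
    (150, "exchange_cs_pol_activesync", "/Microsoft-Server-ActiveSync", "exchange_v_cas_activesync"),
    (160, "exchange_cs_pol_owa", "/owa", "exchange_v_cas_owa"),
    (170, "exchange_cs_pol_rpc", "/rpc", "exchange_v_cas_rpc"),
]

# Constructed request URLs (path plus query string), not captured traffic.
SAMPLE_URLS = [
    "/owa/auth/logon.aspx",
    "/MAPI/emsmdb/?MailboxId=placeholder",
    "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=placeholder",
    "/autodiscover/autodiscover.xml",
    "/EWS/Exchange.asmx",
    "/rpc/rpcproxy.dll?mail.example.com:6001",
    "/owa/auth/logon.aspx?url=https://mail.example.com/ecp/",
    "/",
]


def select_vserver(url, path_only=False):
    """Return the target LB vserver for one request, or None if no policy matches.

    url is what HTTP.REQ.URL sees (path and query string). With path_only=True
    only the path is tested, i.e. what a rule on HTTP.REQ.URL.PATH would see.
    """
    subject = urlsplit(url).path if path_only else url
    subject = subject.lower()                       # SET_TEXT_MODE(IGNORECASE)
    for _priority, _policy, needle, target in sorted(CS_BINDINGS):
        if needle.lower() in subject:               # CONTAINS()
            return target
    # No policy hit: the CS vserver would use its default LB vserver, and the
    # script above binds none, so such a request is not forwarded.
    return None


def route_table(urls, path_only=False):
    """Map each URL to the vserver the policies would pick."""
    return {u: select_vserver(u, path_only) for u in urls}


if __name__ == "__main__":
    for url, target in route_table(SAMPLE_URLS).items():
        print(f"{url:60s} -> {target}")
```

The routing table is a quick way to review the priority order before binding: a substring that appears in another service's URLs (path or query string) wins if its policy has the lower priority number.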
