Citrix on John Billekens | Notes from the fieldhttps://blog.j81.nl/categories/citrix/Recent content in Citrix on John Billekens | Notes from the fieldHugo -- gohugo.ioen© 2026 John BillekensThu, 18 Sep 2025 15:56:46 +0000HowTo - Update the Citrix FAS Authorization Certificatehttps://blog.j81.nl/howto/howto-update-the-citrix-fas-authorization-certificate/Mon, 07 Jul 2025 19:54:57 +0000https://blog.j81.nl/howto/howto-update-the-citrix-fas-authorization-certificate/<p>group: &ldquo;Citrix FAS&rdquo;</p> <p>When you are using Citrix FAS you will also have a Authorization Certificate. Without this certificate Citrix FAS would not be able to function. The same is applicable when the Authorization Certificate is expired, FAS can no longer do it&rsquo;s job. When the Authorization Certificate is expired users are no longer able to login. Because FAS cannot request new smartcard certificates for a user.</p>HowTo - Configure NetScaler ADNS as an Authoritative DNS Server for a Subdomainhttps://blog.j81.nl/howto/howto-configure-netscaler-adns-as-an-authoritative-dns-server-for-a-subdomain/Sun, 23 Feb 2025 19:24:49 +0000https://blog.j81.nl/howto/howto-configure-netscaler-adns-as-an-authoritative-dns-server-for-a-subdomain/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this HowTo article, we’ll walk through the complete process of configuring a Citrix NetScaler HA pair to serve as an authoritative DNS server for a subdomain. This step-by-step guide covers everything from setting up the Authoritative DNS (ADNS) service on the NetScaler to delegating the subdomain in the parent domain’s DNS management panel. Whether you’re looking to improve DNS resolution performance, gain more control over DNS records, or support advanced NetScaler features, this guide will help you get it done efficiently and securely.</p>Citrix WorkspaceApp Update Script: Check and Alert for Security Riskshttps://blog.j81.nl/posts/citrix-workspaceapp-update-script-check-and-alert-for-security-risks/Wed, 28 Aug 2024 19:50:19 +0000https://blog.j81.nl/posts/citrix-workspaceapp-update-script-check-and-alert-for-security-risks/<p>It&rsquo;s crucial to regularly update your Citrix WorkspaceApp to an up-to date version. Many environments still use outdated versions with significant security vulnerabilities (CVEs). Too often, I encounter environments that are still running old versions, including the antiquated &ldquo;Receiver&rdquo; versions. Not updating to a non-vulnerable or recent supported version poses a real security risk!<br> In many environments, users have company-managed devices, for example managed via Microsoft Intune, which can be updated centrally. These devices are typically kept up to date. The greatest risk lies with non-company-managed devices, such as privately owned laptops or bring-your-own-device (BYOD) systems, where users are responsible for maintaining updates themselves.</p>HowTo - NetScaler - Upgrade firmwarehttps://blog.j81.nl/howto/howto-netscaler-upgrade-firmware/Sat, 10 Feb 2024 21:00:55 +0000https://blog.j81.nl/howto/howto-netscaler-upgrade-firmware/<p>group: &ldquo;NetScaler&rdquo;</p> <p>Upgrading firmware on time is crucial for the business continuity. Especially when new firmware become available containing fixes for high CVE&rsquo;s we have seen recently.</p> <p>This how to guide focuses on upgrading the NetScaler manually. If you are using an ADM appliance or ADM service, you can use those as well, to automatically upgrade the node(s). </p>HowTo - (Pre upgrade) Cleanuphttps://blog.j81.nl/howto/howto-pre-upgrade-cleanup/Sat, 10 Feb 2024 20:57:37 +0000https://blog.j81.nl/howto/howto-pre-upgrade-cleanup/<p>group: &ldquo;NetScaler&rdquo;</p> <p>Before you start an upgrade. You must make sure to have enough free space available. Although in the GUI you see sometimes that you must have 5 GB available, in my experience you need at least 6,5 GB free space.</p>HowTo - NetScaler - Create a backuphttps://blog.j81.nl/howto/howto-netscaler-create-a-backup/Mon, 23 Oct 2023 13:07:03 +0000https://blog.j81.nl/howto/howto-netscaler-create-a-backup/<p>group: &ldquo;NetScaler&rdquo;</p> <p>A backup can save you a lot of time in case of emergencies, configuration errors or hacks. You could download and save it in a secure environment. And when needed restore a new appliance with the saved backup.</p>HowTo - NetScaler - Update Certificatehttps://blog.j81.nl/howto/howto-netscaler-update-certificate/Wed, 18 Oct 2023 13:27:47 +0000https://blog.j81.nl/howto/howto-netscaler-update-certificate/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this how-to article I will explain the procedure how to update a certificate on a Citrix NetScaler. If you wait until a certificate is expired wil cause a lot of issues for your users or visitors. By being on time with the renewal will save you a lot of trouble.</p>HowTo - NetScaler - Install Certificatehttps://blog.j81.nl/howto/howto-netscaler-install-certificate/Wed, 18 Oct 2023 12:38:35 +0000https://blog.j81.nl/howto/howto-netscaler-install-certificate/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this how-to article I will explain the procedure how to install a new certificate on a Citrix NetScaler. Certificates are an important piece in a secure connection from a client to a server.</p>HowTo - Windows - Export certificate (pfx)https://blog.j81.nl/howto/howto-windows-export-certificate-pfx/Wed, 18 Oct 2023 09:45:25 +0000https://blog.j81.nl/howto/howto-windows-export-certificate-pfx/<p>group: &ldquo;Windows&rdquo;</p> <p>Certificates are an important part of a modern environment. They make communication safer by encrypting the traffic between the client and server. A safe way to move certificates between servers or store them safely is by exporting the certificate (private and public key) to an encrypted format. A commonly used format is &ldquo;pfx&rdquo; (Personal Information Exchange also known as PKCS#12). A pfx file can contain one or more certificates and is encrypted with a password. Without the correct password the pfx is useless. You commonly see that a pfx contains a (web) server certificate and one or more intermediate certificate(s) and a root certificate.</p>Manipulate the 'NameID' SAML content - part 1https://blog.j81.nl/posts/manipulate-the-nameid-saml-content-part-1/Thu, 28 Oct 2021 15:22:45 +0000https://blog.j81.nl/posts/manipulate-the-nameid-saml-content-part-1/<p>Some companies want to allow other (guest) companies to connect to their environment and for example allow them to open a Citrix Desktop. This can be achieved by Connecting an existing Citrix environment to the guest company via SAML (and yes there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and the other is and Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest companies suffix to your domain. </p>Manage Native OTP tokens via Windows, Part 2https://blog.j81.nl/posts/manage-native-otp-tokens-via-windows-part-2/Tue, 20 Apr 2021 19:31:56 +0000https://blog.j81.nl/posts/manage-native-otp-tokens-via-windows-part-2/<p>A couple weeks ago someone asked me if OTP4ADC could also support encrypted tokens. And at that time I hadn&rsquo;t done anything with encrypted tokens on a Citrix ADC. And if you not have heard of the OTP4ADC tool/script you can read my <a href="https://blog.j81.nl/2020/09/29/manage-native-otp-tokens-via-windows/" target="_blank" rel="nofollow noopener" title="Manage Native OTP tokens via Windows">initial blog article</a> from when I released the first version and the basics of how it works.</p>Manage Native OTP tokens via Windowshttps://blog.j81.nl/posts/manage-native-otp-tokens-via-windows/Tue, 29 Sep 2020 20:36:32 +0000https://blog.j81.nl/posts/manage-native-otp-tokens-via-windows/<p>Today I want to release an early (beta) version of a new tool I created, &ldquo;OTP4ADC&rdquo; With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler. </p>GenLeCertForNS New Updatehttps://blog.j81.nl/posts/genlecertforns-new-update/Wed, 19 Feb 2020 16:42:40 +0000https://blog.j81.nl/posts/genlecertforns-new-update/<p>A lot of new users used my script after writing  my <a href="https://www.citrix.com/blogs/2019/06/24/why-certificates-are-more-important-today-than-ever/" target="_blank" rel="noopener noreferrer">first blog article for Citrix</a>. Since then I made some improvements and continuing to add new features. Today I released the latest version of my &ldquo;GenLeCertForNS&rdquo; script. Within this version I solved some issues and improved the overall speed (especially with larger orders).</p>Office Online apparently only supports TLS 1.0https://blog.j81.nl/posts/office-online-apparently-only-supports-tls-1.0/Thu, 20 Sep 2018 19:57:00 +0000https://blog.j81.nl/posts/office-online-apparently-only-supports-tls-1.0/<p>Recently I had to configure a new <s>NetScaler</s> Citrix ADC for a new <s>ShareFile</s> Citrix Files deployment. Two Storage Zone Controllers load balanced via a Citrix ADC with a Content switch. Nothing out of the ordinary. It was when I activated the Office Online functionality on the Storage Zone Controller configuration page the error messages appeared. Each time as we tried to open an office document we got an error &ldquo;Sorry, there was a problem and we can&rsquo;t open this document. If this happens again, try opening the document in Microsoft Word.&rdquo; for Word documents and &ldquo;We couldn&rsquo;t find the file you wanted. It&rsquo;s possible the file was renamed, moved or deleted.&rdquo; for Excel documents. <img src="https://blog.j81.nl/wp-content/uploads/2018/09/OOExcelOnlineError.png" class="aligncenter size-medium wp-image-831" width="300" height="120" /> <img src="https://blog.j81.nl/wp-content/uploads/2018/09/OOWordOnlineError.png" class="aligncenter size-medium wp-image-832" width="300" height="130" /> I followed all the necessary checks as described in a Citrix Files <a href="https://docs.citrix.com/en-us/storagezones-controller/5-0/install/configure-storagezones-controller-for-web-app-previews-thumbnails.html" target="_blank" rel="noopener">Article</a>. But everything turned out okay, it worked as expected. What could it be? As it turned out to be the NetScaler SSL configuration was configured to high!? I always want that <a href="https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/" target="_blank" rel="noopener">A+</a> on <a href="https://www.ssllabs.com/" target="_blank" rel="noopener">SSL Labs,</a> the same with this setup. It was when I reverted the Content Switch to it&rsquo;s default SSL parameters (TLS1.0 and the default Cipher suite) that Office Online started functioning. It could not retrieve the documents from the Storage Zone Controllers and thus it gave me this error messages. Luckily I had a separate Content Switch for internal and external traffic. I only had to lower the SSL settings on the internal Content Switch, this is the Content Switch the Office Online server was communicating with. So I hope Microsoft will add support for TLS 1.2 in Office Online (and give it some updates)</p>Hide or change "domain user or username@domain.com" text in Storefront, part 2https://blog.j81.nl/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront-part-2/Tue, 26 Jun 2018 21:08:27 +0000https://blog.j81.nl/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront-part-2/<p>A while ago I wrote a blog about how to change the &ldquo;domain\user or <a href="mailto:username@domain.com" >username@domain.com</a>&rdquo; text in Citrix StoreFront. Now I&rsquo;ve create a small PowerShell script that can do that for you.</p>Hide or change "domain user or username@domain.com" text in Storefront.https://blog.j81.nl/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront./Mon, 15 Jan 2018 12:05:16 +0000https://blog.j81.nl/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront./<p>The following was tested om 3.10+ versions, not sure if it works on older or 2.x versions.</p> <h2 class="relative group">Hide the default text <div id="hide-the-default-text" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#hide-the-default-text" aria-label="Anchor">#</a> </span> </h2> <p>You can hide the default text &ldquo;domain\user or <a href="mailto:username@domain.com" >username@domain.com</a>&rdquo; in the storefront username field. <img src="https://blog.j81.nl/wp-content/uploads/2018/01/StoreFrontLogonDefault-e1516023050803.png" class="alignnone size-full wp-image-738" width="628" height="394" /> This can be done by simply editing the &ldquo;custom style.css&rdquo; file. This file is located in &ldquo;C:\inetpub\wwwroot\Citrix\Store&gt;Web\custom&rdquo;. Replace &ldquo;&lt;Store&gt;&rdquo; with your own store name. You need to edit each store separately. Add the following to hide the text (1):</p>Let's Encrypt Certificates on a NetScalerhttps://blog.j81.nl/posts/lets-encrypt-certificates-on-a-netscaler/Thu, 06 Apr 2017 21:25:51 +0000https://blog.j81.nl/posts/lets-encrypt-certificates-on-a-netscaler/<p>For a while now it&rsquo;s possible to use <a href="https://letsencrypt.org/" target="_blank" rel="noreferrer">Let&rsquo;s Encrypt</a> certificates, they are trusted (cross signed), secure and most of all FREE! There are already a lot of tools available to generate these certificates. I haven&rsquo;t come across a tool or script to generate these certificates and upload them to a <a href="https://www.citrix.com/netscaler" target="_blank" rel="noreferrer">Citrix NetScaler</a>. So I thought why not build it myself. I already tried it in a previous <a href="https://blog.j81.nl/2016/07/03/generate-an-lets-encrypt-certificate-what-can-be-used-on-the-netscaler/" target="_blank" rel="noreferrer">attempt</a>, but I wanted more automation and thus I created this version. To learn more about the Let&rsquo;s Encrypt, check <a href="https://letsencrypt.org/how-it-works/" target="_blank" rel="noreferrer">how it works</a>.. What my script does in very basic steps (for example you want a certificate for <a href="https://www.domain.com" target="_blank" rel="noreferrer">www.domain.com</a>): Ask LE (Let&rsquo;s Encrypt) to validate &ldquo;<a href="https://www.domain.com" target="_blank" rel="noreferrer">www.domain.com</a>&rdquo; <strong>(1)</strong> LE returns data <strong>(2)</strong> among them:</p>Create offline backups of the NetScaler confighttps://blog.j81.nl/posts/create-offline-backups-of-the-netscaler-config/Thu, 06 Apr 2017 19:07:59 +0000https://blog.j81.nl/posts/create-offline-backups-of-the-netscaler-config/<p>I&rsquo;ve created a PowerShell script that can be used to generate an (offline) backup of a Citrix NetScaler. If you want you can use the supplied batchfile for example to schedule the backup in Scheduled Tasks to run everyday. Some more information about the parameters used:</p>Disconnect issues on NetScaler MPXhttps://blog.j81.nl/posts/disconnect-issues-on-netscaler-mpx/Fri, 03 Mar 2017 12:08:31 +0000https://blog.j81.nl/posts/disconnect-issues-on-netscaler-mpx/<p>Recently I upgraded a couple of MPX NetScalers to a recent 11.1 build at a customers location. During the following day the customer experienced a lot of disconnecting citrix sessions. I did not experience this issue on a VPX appliance. Turned out to be an issue with the &ldquo;<em><strong>TLS1.2-ECDHE-RSA-AES256-GCM-SHA384</strong></em>&rdquo; cypher. And because I want to strive for an A+ rating at ssllabs (<a href="https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/" target="_blank" rel="noreferrer">Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update</a>) this one is in the list. After removing this cypher from the cypher group the customer didn&rsquo;t experience any disconnects. So I thought to share this one as you may experience it for your self. Please also note this Citrix article: <a href="https://support.citrix.com/article/CTX220994" target="_blank" rel="noreferrer">https://support.citrix.com/article/CTX220994</a></p>RES ONE Workspace on Windows 10 lessons learnedhttps://blog.j81.nl/posts/res-one-workspace-on-windows-10-lessons-learned/Sun, 07 Aug 2016 18:40:54 +0000https://blog.j81.nl/posts/res-one-workspace-on-windows-10-lessons-learned/<p>For a while now Windows 10 is supported with RES ONE Workspace 2015 and up. More and more companies are switching from their old versions (Yes, some of them are still using Windows XP) to Windows 10. I&rsquo;ve done a couple of implementation now and thought to share some of the knowledge I found during these implementations.</p>OptimizeEndpointhttps://blog.j81.nl/posts/optimizeendpoint/Mon, 16 May 2016 13:40:44 +0000https://blog.j81.nl/posts/optimizeendpoint/<p>I&rsquo;ve been using my &ldquo;Windows optimize script&rdquo; for a while now. Most issues are resolved and it&rsquo;s been tested thoroughly. So I thought why not give it back to the community, so here it is: <a href="https://github.com/j81blog/OptimizeEndpoint" target="_blank">OptimizeEndpoint</a>. It can be used to optimize Windows 7, 8, 8.1 and 10. (It can also be used for Windows Server versions, but this is not tested) I used the script made by <a href="http://www.ingmarverheij.com/citrix-pvs-optimize-endpoint-with-powershell/" target="_blank">Ingmar Verheij</a>, and made some changes. It contains most of the Citrix XenDesktop Best Practices. Please don&rsquo;t run the script without reviewing the options, it can damage you master image if you&rsquo;re not careful! At the top of the image there are some parameters that can be set. Read the comments. Run it on your own risk. If you have issues or questions let me know.</p>Provisioning Target Device Unattended Deploymenthttps://blog.j81.nl/posts/provisioning-target-device-unattended-deployment/Sat, 05 Mar 2016 18:57:44 +0000https://blog.j81.nl/posts/provisioning-target-device-unattended-deployment/<p>When deployoing the Citrix PVS Target Device software with for example SCCM or RES ONE Automation, this fails. As it turns out &ldquo;CFsDep2.sys&rdquo; is missing from the System32\Drivers directory. This is because during the (unattended) installation of the Target Device software the installation of &ldquo;CFsDep2&rdquo; fails. When you install the software by hand, everything is works as it should. This can be solved to run the following command after the installation of the Target Device Software.</p>CtxVdDrain Scripthttps://blog.j81.nl/posts/ctxvddrain-script/Thu, 14 Jan 2016 21:52:54 +0000https://blog.j81.nl/posts/ctxvddrain-script/<p>I released also my CtxVdDrain Script, this script will put any selected XenDesktop Machine catalog in maintenance mode and turn it of where possible. It won&rsquo;t kick users out of their desktops, it will wait and try again. You can download it <a href="https://github.com/j81blog/CtxVdDrain" target="_blank">here</a></p>CtxVdContinuousShutdown Scripthttps://blog.j81.nl/posts/ctxvdcontinuousshutdown-script/Thu, 14 Jan 2016 19:28:42 +0000https://blog.j81.nl/posts/ctxvdcontinuousshutdown-script/<p>For a customer we needed a solution to recycle &ldquo;old&rdquo; PVS Virtual Desktops. And because Citrix XenDesktop doesn&rsquo;t use the oldest desktops first (without using power options), we had to come up with a solution. And so my Shutdown Script was born. The script basically checks which Virtual Machines are the oldest, puts them in maintenance mode so no user can use it anymore. After this is done the vm&rsquo;s are given a shutdown command. When their down , maintenance mode will be turned off. You can get it <a href="https://github.com/j81blog/CtxVdContinuousShutdown" target="_blank">here</a>.</p>CtxVdStatus Scripthttps://blog.j81.nl/posts/ctxvdstatus-script/Thu, 22 Oct 2015 20:37:44 +0000https://blog.j81.nl/posts/ctxvdstatus-script/<p>Today I decided to put my CtxVdStatus script on GitHub. With this script you can get an overview of your Citrix XenDesktop environment. It helped me to troubleshoot some issues. You can download/view it <a href="https://github.com/j81blog/CtxVdStatus" target="_blank">here</a></p>Citrix Provisioning Services Versions 7.x (current) Available Updateshttps://blog.j81.nl/posts/citrix-provisioning-services-versions-7.x-current-available-updates/Sat, 03 Oct 2015 11:03:47 +0000https://blog.j81.nl/posts/citrix-provisioning-services-versions-7.x-current-available-updates/<p>Here you will find a list of the latest Citrix Provisioning Services Updates. I will do my best to update the list as soon as there are new updates available. <strong>Citrix Provisioning Services 7.6 (Server)</strong> Provisioning Services 7.6 Cumulative Update 1 for Server and Console x86 <a href="http://support.citrix.com/article/CTX142613" target="_blank"><a href="http://support.citrix.com/article/CTX142613" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142613</a></a> Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Server and Console x64 <a href="http://support.citrix.com/article/CTX142614" target="_blank"><a href="http://support.citrix.com/article/CTX142614" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142614</a></a> Replaces: None (yet) <strong>Citrix Provisioning Services 7.6 (Target)</strong> Provisioning Services 7.6 Cumulative Update 1 for Target Device x86 <a href="http://support.citrix.com/article/CTX142615" target="_blank"><a href="http://support.citrix.com/article/CTX142615" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142615</a></a> Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Target Device x64 <a href="http://support.citrix.com/article/CTX142616" target="_blank"><a href="http://support.citrix.com/article/CTX142616" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142616</a></a> Replaces: None (yet) <strong>Citrix Provisioning Services 7.1 (Server)</strong> Hotfix PVS710ServerConsoleWX86004 for PVS Server and Console 7.1 x86 <a href="http://support.citrix.com/article/CTX142336" target="_blank"><a href="http://support.citrix.com/article/CTX142336" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142336</a></a> Replaces: All Other Versions Hotfix PVS710ServerConsoleWX64004 for PVS Server and Console 7.1 x64 <a href="http://support.citrix.com/article/CTX142406" target="_blank"><a href="http://support.citrix.com/article/CTX142406" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142406</a></a> Replaces: All Other Versions <strong>Citrix Provisioning Services 7.1 (Target)</strong> Hotfix PVS710TargetDeviceWX86004 for PVS Target Device 7.1 x86 <a href="http://support.citrix.com/article/CTX142333" target="_blank"><a href="http://support.citrix.com/article/CTX142333" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142333</a></a> Replaces: All Other Versions Hotfix PVS710TargetDeviceWX64004 for PVS Target Device 7.1 x64 <a href="http://support.citrix.com/article/CTX142397" target="_blank"><a href="http://support.citrix.com/article/CTX142397" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX142397</a></a> Replaces: All Other Versions</p>Windows 8 Maintenance jobshttps://blog.j81.nl/posts/windows-8-maintenance-jobs/Wed, 15 Apr 2015 11:27:08 +0000https://blog.j81.nl/posts/windows-8-maintenance-jobs/<p>Windows 8 has some new maintenance jobs. These are great when you have an physical machine. But not when you&rsquo;re using Citrix PVS to stream the OS. To disable these tasks enter the following commands:</p>Secure Deployment Guide for NetScaler MPX, VPX, and SDX Applianceshttps://blog.j81.nl/posts/secure-deployment-guide-for-netscaler-mpx-vpx-and-sdx-appliances/Fri, 06 Mar 2015 15:29:41 +0000https://blog.j81.nl/posts/secure-deployment-guide-for-netscaler-mpx-vpx-and-sdx-appliances/<p><a href="http://support.citrix.com/article/CTX129514" target="_blank"><a href="http://support.citrix.com/article/CTX129514" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX129514</a></a></p>Citrix StoreFront Domain passthrough not working when base url is different from machine domainhttps://blog.j81.nl/posts/citrix-storefront-domain-passthrough-not-working-when-base-url-is-different-from-machine-domain/Tue, 03 Mar 2015 12:17:44 +0000https://blog.j81.nl/posts/citrix-storefront-domain-passthrough-not-working-when-base-url-is-different-from-machine-domain/<p>When using a different base url for storefront than your storefront is member of you might run into this one. When logging on to a machine configured for Domain Passthrough you need to enter the credentials again in Windows. To resolve this issue enter on your StoreFront server the following command:</p>Optimize StoreFront 2.xhttps://blog.j81.nl/posts/optimize-storefront-2.x/Wed, 25 Feb 2015 13:58:53 +0000https://blog.j81.nl/posts/optimize-storefront-2.x/<h1 class="relative group">Socket Pooling. <div id="socket-pooling" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#socket-pooling" aria-label="Anchor">#</a> </span> </h1> <p>In StoreFront we need to configgure socket polling in the config files, while in Web Interface we could configure this in the console. Storefront maintaines a pool of sockets instead of creating a socket each time a new user connects, when enabled it will give a better performance for SSL traffic. To change this, edit C:inetpubwwwrootCitrix&lt;STORE&gt;web.config (as Administrator) and find:</p>Exchange config for the NetScalerhttps://blog.j81.nl/posts/exchange-config-for-the-netscaler/Sat, 21 Feb 2015 20:54:22 +0000https://blog.j81.nl/posts/exchange-config-for-the-netscaler/<p>Below is the NetScaler configuration for an Exchange environment. You need a Standard licence for this.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Below is the NetScaler configuration for an Exchange environment. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You need a Standard licence for this. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- Replace the text below with the actual data---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Exchange server hostname and IP </span></span><span class="line"><span class="cl">&lt;EXCH01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCHANGEWEBMAILURL&gt; </span></span><span class="line"><span class="cl">#Content Switch IP </span></span><span class="line"><span class="cl">&lt;CSVIPIP&gt; </span></span><span class="line"><span class="cl">#Domain FQDN </span></span><span class="line"><span class="cl">&lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">#Certiicatename as installed in the NetScaler, e.g. a wildcard certificate </span></span><span class="line"><span class="cl">&lt;WILDCARDCERTIFICATE&gt; </span></span><span class="line"><span class="cl">#Test user for the POP monitor </span></span><span class="line"><span class="cl">&lt;POPTESTUSER&gt; </span></span><span class="line"><span class="cl">&lt;POPTESTPASSWD&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- NS Config below this line ---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">enable ns feature LB CS CMP SSL REWRITE RESPONDER </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED </span></span><span class="line"><span class="cl">set ns httpParam -dropInvalReqs ON </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; &lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; &lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment &#34;Exchange Web Services&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_imap4 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Exchange Web Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_imap4 SSL_TCP &lt;CSVIPIP&gt; 993 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_pop3 SSL_TCP &lt;CSVIPIP&gt; 995 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; SSL &lt;CSVIPIP&gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl">add cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; HTTP &lt;CSVIPIP&gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews </span></span><span class="line"><span class="cl">add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa </span></span><span class="line"><span class="cl">add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp </span></span><span class="line"><span class="cl">add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas </span></span><span class="line"><span class="cl">add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab </span></span><span class="line"><span class="cl">add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa </span></span><span class="line"><span class="cl">add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs policy CswPol_ews -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ews&#34;)&#34; -action CswAct_ews </span></span><span class="line"><span class="cl">add cs policy CswPol_owa -rule &#34;HTTP.REQ.HEADER(&#34;User-Agent&#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;Mozilla&#34;)&#34; -action CswAct_owa </span></span><span class="line"><span class="cl">add cs policy CswPol_ecp -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ecp&#34;)&#34; -action CswAct_ecp </span></span><span class="line"><span class="cl">add cs policy CswPol_eas -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/Microsoft-Server-ActiveSync&#34;)&#34; -action CswAct_eas </span></span><span class="line"><span class="cl">add cs policy CswPol_oab -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/oab&#34;)&#34; -action CswAct_oab </span></span><span class="line"><span class="cl">add cs policy CswPol_oa -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/rpc&#34;)&#34; -action CswAct_oa </span></span><span class="line"><span class="cl">add cs policy CswPol_autodiscover -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/AutoDiscover&#34;)&#34; -action CswAct_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_exchange_ToOwa redirect &#34;&#34;/owa&#34;&#34; </span></span><span class="line"><span class="cl">add responder policy ResPol_exchange_ToOwa &#34;HTTP.REQ.URL.STARTSWITH(&#34;/owa&#34;).NOT&#34; ResAct_exchange_ToOwa </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_301 respondwith q{&#34;HTTP/1.1 301 Moved Permanentlyrn&#34; + &#34;Location: https://&#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + &#34;rnrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_404 respondwith q{&#34;HTTP/1.1 404 Not Foundrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_autodiscover -priority 100 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_eas -priority 110 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ews -priority 120 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oab -priority 130 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oa -priority 140 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ecp -priority 150 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_owa -priority 160 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb monitor Mon_imap4 TCP-ECV -send &#34;GET /&#34; -recv &#34;The Microsoft Exchange IMAP4 service is ready.&#34; -LRTM ENABLED -interval 30 -destPort 143 </span></span><span class="line"><span class="cl">add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName &lt;POPTESTUSER&gt; -password &lt;POPTESTPASSWD&gt; -LRTM ENABLED -interval 30 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Not needed for Exchange 2007-2010 </span></span><span class="line"><span class="cl">add lb monitor Mon_owa TCP-ECV -send &#34;GET /owa/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ecp TCP-ECV -send &#34;GET /ecp/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ews TCP-ECV -send &#34;GET /ews/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_eas TCP-ECV -send &#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oab TCP-ECV -send &#34;GET /oab/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oa TCP-ECV -send &#34;GET /rpc/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_Autodiscover TCP-ECV -send &#34;GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_owa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ews -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_eas -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oab -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add ssl cipher HighSecurity </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName HighSecurity</span></span></code></pre></div></div> <p> </p>Exchange config for the NetScaler with AAA Authenticationhttps://blog.j81.nl/posts/exchange-config-for-the-netscaler-with-aaa-authentication/Sat, 21 Feb 2015 20:20:55 +0000https://blog.j81.nl/posts/exchange-config-for-the-netscaler-with-aaa-authentication/<p>Below is the NetScaler configuration for an Exchange environment. You need an Enterprise licence to activate AAA.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">#--- Replace the text below with the actual data---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Domain Controller hostname and IP </span></span><span class="line"><span class="cl">&lt;DC01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;DC01IP&gt; </span></span><span class="line"><span class="cl">&lt;DC02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;DC01IP&gt; </span></span><span class="line"><span class="cl">#Exchange server hostname and IP </span></span><span class="line"><span class="cl">&lt;EXCH01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl">#Active Directory data </span></span><span class="line"><span class="cl">&lt;LDAPPATH&gt; </span></span><span class="line"><span class="cl">&lt;LDAPREAD@DOAMIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;LDAPREADPASSWD&gt; </span></span><span class="line"><span class="cl">#Client subnet marked save for private profile </span></span><span class="line"><span class="cl">&lt;CLIENTSUBNET&gt; </span></span><span class="line"><span class="cl">#AD group for always use of the private profile </span></span><span class="line"><span class="cl">&lt;ADEXCHPRIVATEGRP&gt; </span></span><span class="line"><span class="cl">#AAA Server FQDN and IP </span></span><span class="line"><span class="cl">&lt;AUTHVIPFQDN&gt; </span></span><span class="line"><span class="cl">&lt;AUTHVIPIP&gt; </span></span><span class="line"><span class="cl">#Content Switch IP </span></span><span class="line"><span class="cl">&lt;CSVIPIP&gt; </span></span><span class="line"><span class="cl">#Domain FQDN </span></span><span class="line"><span class="cl">&lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">#Certiicatename as installed in the NetScaler </span></span><span class="line"><span class="cl">&lt;CERTIFICATE&gt; </span></span><span class="line"><span class="cl">#Test user for the POP monitor </span></span><span class="line"><span class="cl">&lt;POPTESTUSER&gt; </span></span><span class="line"><span class="cl">&lt;POPTESTPASSWD&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- NS Config below this line ---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">enable ns feature LB CS CMP SSL AAA REWRITE RESPONDER </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; &lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; &lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment &#34;Exchange Web Services&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_imap4 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication ldapAction AuthLdapSrv_&lt;DC01.DOMAIN.LOCAL&gt; -serverIP &lt;DC01IP&gt; -ldapBase &#34;&lt;LDAPPATH&gt;&#34; -ldapBindDn &lt;LDAPREAD@DOAMIN.LOCAL&gt; -ldapBindDnPassword &lt;LDAPREADPASSWD&gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN </span></span><span class="line"><span class="cl">add authentication ldapAction AuthLdapSrv_&lt;DC02.DOMAIN.LOCAL&gt; -serverIP &lt;DC02IP&gt; -ldapBase &#34;&lt;LDAPPATH&gt;&#34; -ldapBindDn &lt;LDAPREAD@DOAMIN.LOCAL&gt; -ldapBindDnPassword &lt;LDAPREADPASSWD&gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm formSSOAction AaaSsoPro_exchange_public -actionURL &#34;/owa/auth.owa&#34; -userField username -passwdField password -ssoSuccessRule &#34;HTTP.RES.SET_COOKIE.COOKIE(&#34;cadata&#34;).VALUE(&#34;cadata&#34;).LENGTH.GT(70)&#34; -nameValuePair &#34;flags=0&amp;trusted=0&#34; -responsesize 60000 -submitMethod POST </span></span><span class="line"><span class="cl">add tm formSSOAction AaaSsoPro_exchange_private -actionURL &#34;/owa/auth.owa&#34; -userField username -passwdField password -ssoSuccessRule &#34;HTTP.RES.SET_COOKIE.COOKIE(&#34;cadata&#34;).VALUE(&#34;cadata&#34;).LENGTH.GT(70)&#34; -nameValuePair &#34;flags=4&amp;trusted=0&#34; -responsesize 60000 -submitMethod POST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_public -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_public -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_private -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_private -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_logoff_global -appTimeout 1 -SSO ON -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication ldapPolicy AuthLdapPol_&lt;DC01.DOMAIN.LOCAL&gt; ns_true AuthLdapSrv_&lt;DC01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">add authentication ldapPolicy AuthLdapPol_&lt;DC02.DOMAIN.LOCAL&gt; ns_true AuthLdapSrv_&lt;DC02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_public &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; CLIENT.IP.SRC.IN_SUBNET(&lt;CLIENTSUBNET&gt;).NOT&#34; AaaTrafPro_exchange_public </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_private &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; CLIENT.IP.SRC.IN_SUBNET(&lt;CLIENTSUBNET&gt;) || HTTP.REQ.USER.IS_MEMBER_OF(&#34;&lt;ADEXCHPRIVATEGRP&gt;&#34;)&#34; AaaTrafPro_exchange_private </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_logoff_global &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/logoff.owa&#34;)&#34; AaaTrafPro_exchange_logoff_global </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost &lt;AUTHVIPFQDN&gt; -Authentication ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Exchange Web Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost &lt;AUTHVIPFQDN&gt; -Authentication ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_imap4 SSL_TCP &lt;CSVIPIP&gt; 993 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_pop3 SSL_TCP &lt;CSVIPIP&gt; 995 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; SSL &lt;AUTHVIPIP&gt; 443 -AuthenticationDomain &lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">add cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; SSL &lt;CSVIPIP&gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl">add cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; HTTP &lt;CSVIPIP&gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews </span></span><span class="line"><span class="cl">add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa </span></span><span class="line"><span class="cl">add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp </span></span><span class="line"><span class="cl">add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas </span></span><span class="line"><span class="cl">add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab </span></span><span class="line"><span class="cl">add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa </span></span><span class="line"><span class="cl">add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs policy CswPol_ews -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ews&#34;)&#34; -action CswAct_ews </span></span><span class="line"><span class="cl">add cs policy CswPol_owa -rule &#34;HTTP.REQ.HEADER(&#34;User-Agent&#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;Mozilla&#34;)&#34; -action CswAct_owa </span></span><span class="line"><span class="cl">add cs policy CswPol_ecp -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ecp&#34;)&#34; -action CswAct_ecp </span></span><span class="line"><span class="cl">add cs policy CswPol_eas -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/Microsoft-Server-ActiveSync&#34;)&#34; -action CswAct_eas </span></span><span class="line"><span class="cl">add cs policy CswPol_oab -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/oab&#34;)&#34; -action CswAct_oab </span></span><span class="line"><span class="cl">add cs policy CswPol_oa -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/rpc&#34;)&#34; -action CswAct_oa </span></span><span class="line"><span class="cl">add cs policy CswPol_autodiscover -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/AutoDiscover&#34;)&#34; -action CswAct_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add rewrite action RewAct_exchange_insert_pback_cookie_1 insert_http_header COOKIE &#34;&#34;PBack=0;&#34;&#34; </span></span><span class="line"><span class="cl">add rewrite action RewAct_exchange_insert_pback_cookie_2 insert_after &#34;HTTP.REQ.HEADER(&#34;COOKIE&#34;).INSTANCE(0).SUBSTR(&#34;:&#34;)&#34; &#34;&#34; PBack=0;&#34;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add rewrite policy RewPol_exchange_insert_pback_cookie_1 &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; HTTP.REQ.COOKIE.COUNT.GT(2).NOT&#34; RewAct_exchange_insert_pback_cookie_1 </span></span><span class="line"><span class="cl">add rewrite policy RewPol_exchange_insert_pback_cookie_2 &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; HTTP.REQ.COOKIE.COUNT.GT(2)&#34; RewAct_exchange_insert_pback_cookie_2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind rewrite global RewPol_exchange_insert_pback_cookie_2 100 END -type REQ_DEFAULT </span></span><span class="line"><span class="cl">bind rewrite global RewPol_exchange_insert_pback_cookie_1 110 END -type REQ_DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_exchange_ToOwa redirect &#34;&#34;/owa&#34;&#34; </span></span><span class="line"><span class="cl">add responder policy ResPol_exchange_ToOwa &#34;HTTP.REQ.URL.STARTSWITH(&#34;/owa&#34;).NOT&#34; ResAct_exchange_ToOwa </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_301 respondwith q{&#34;HTTP/1.1 301 Moved Permanentlyrn&#34; + &#34;Location: https://&#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + &#34;rnrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_404 respondwith q{&#34;HTTP/1.1 404 Not Foundrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_private -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_public -priority 110 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_public -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_private -priority 110 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_autodiscover -priority 100 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_eas -priority 110 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ews -priority 120 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oab -priority 130 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oa -priority 140 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ecp -priority 150 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_owa -priority 160 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpParam -dropInvalReqs ON </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb monitor Mon_imap4 TCP-ECV -send &#34;GET /&#34; -recv &#34;The Microsoft Exchange IMAP4 service is ready.&#34; -LRTM ENABLED -interval 30 -destPort 143 </span></span><span class="line"><span class="cl">add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName &lt;POPTESTUSER&gt; -password &lt;POPTESTPASSWD&gt; -LRTM ENABLED -interval 30 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Not needed for Exchange 2007-2010 </span></span><span class="line"><span class="cl">add lb monitor Mon_owa TCP-ECV -send &#34;GET /owa/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ecp TCP-ECV -send &#34;GET /ecp/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ews TCP-ECV -send &#34;GET /ews/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_eas TCP-ECV -send &#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oab TCP-ECV -send &#34;GET /oab/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oa TCP-ECV -send &#34;GET /rpc/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_Autodiscover TCP-ECV -send &#34;GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_owa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ews -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_eas -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oab -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm sessionAction AaaSesPro_sso_exchange -sessTimeout 60 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain Domain -httpOnlyCookie NO -persistentCookie ON -persistentCookieValidity 30 </span></span><span class="line"><span class="cl">add tm sessionPolicy AaaSesPol_sso_exchange ns_true AaaSesPro_sso_exchange </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind tm global -policyName AaaTrafPol_exchange_logoff_global -priority 100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AuthLdapPol_&lt;DC01.DOMAIN.LOCAL&gt; -priority 100 </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AuthLdapPol_&lt;DC02.DOMAIN.LOCAL&gt; -priority 110 </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AaaSesPol_sso_exchange -priority 100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add ssl cipher HighSecurity </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName HighSecurity</span></span></code></pre></div></div> <p> </p>Citrix Desktop Director Auto Fill Domain Namehttps://blog.j81.nl/posts/citrix-desktop-director-auto-fill-domain-name/Wed, 02 Apr 2014 12:11:30 +0000https://blog.j81.nl/posts/citrix-desktop-director-auto-fill-domain-name/<p>When logging on to the Citrix Director you have to enter the domain name along with the username and password. If you don&rsquo;t want to enter the domain name each time you logon you can have it filled in by default. Edit C:inetpubwwwrootDesktopDirectorLogOn.aspx (With admin rights)</p>Citrix Access Gateway Enterprise Port Configurationhttps://blog.j81.nl/posts/citrix-access-gateway-enterprise-port-configuration/Sun, 30 Mar 2014 19:08:51 +0000https://blog.j81.nl/posts/citrix-access-gateway-enterprise-port-configuration/<p>I have put together this blog post about Citrix Access Gateway Enterprise Port Configuration to assist people in setting up their firewalls for implementing Access Gateway in one-arm mode. I have found that almost all of Citrix’s documentation covers the Access Gateway / NetScaler straddling the DMZ and the Internal LAN E.G the VIP sits in the DMZ and the SNIP sits in the internal LAN. In Enterprise deployments firewalls are firewalls and NetScalers are NetScalers and security do not like NetScalers trying to be firewalls; although I’m sure they do perfectly fine job of it. So the below article describes what firewall rules you will need to have in place to get a NetScaler working when all its interfaces reside in the DMZ (one-arm single subnet). You should find the diagram useful even if you are not using the model described above. This is a diagram I like to use to explain NetScalers in an HA pair. It shows all the possible routes that traffic could take, not the way traffic flows during normal operation. The VIP and SNIP “float” between the two devices, in reality they exist on both devices but at any given time are only active on whichever node is the primary in the HA pair. <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="//www.shaunritchie.co.uk/wp-content/uploads/2012/03/Final-AGEE2.jpg" ></figure> </p>Citrix NetScaler for XenDesktop Firewall Considerationshttps://blog.j81.nl/posts/citrix-netscaler-for-xendesktop-firewall-considerations/Sun, 30 Mar 2014 19:01:37 +0000https://blog.j81.nl/posts/citrix-netscaler-for-xendesktop-firewall-considerations/<p>The NetScaler Access Gateway uses a number of IP addresses for various purposes. When Access Gateway is deployed in a DMZ, it is important to understand the role of each. The following table summarises the various types of IP addresses and their roles in a deployment: <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall2.gif" width="695" height="509" alt="firewall2" /> The following diagram illustrates the firewall port requirements for normal operation when the NetScaler Access Gateway platform is deployed in a DMZ in a two arm deployment, where no MIP is required. <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall1.gif" width="496" height="411" alt="firewall1" /> <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall3-Rules.gif" width="691" height="433" alt="NetScaler Firewall Rules for XenDesktop" /> <a href="http://myvirtualfunction.net/archives/357" target="_blank" rel="noreferrer">Source</a></p>Citrix NetScaler Access Gateway 10 - Basic Fundamentalshttps://blog.j81.nl/posts/citrix-netscaler-access-gateway-10-basic-fundamentals/Sun, 30 Mar 2014 18:43:54 +0000https://blog.j81.nl/posts/citrix-netscaler-access-gateway-10-basic-fundamentals/<h2 class="relative group">NetScaler Network Connections. <div id="netscaler-network-connections" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#netscaler-network-connections" aria-label="Anchor">#</a> </span> </h2> <p>At a very high level, considering the actual NetScaler connections to the network, and because of the way that NetScaler functions and can be configured, the NetScaler should be considered a switch, and not a router/firewall. With a switch, you can configure the management IP address on an individual port, responding to just devices reachable through that port, or it can be configured to respond on all ports to devices reachable from every port. With the NetScaler, either in single arm or multi arm deployment scenarios, there is no need to tell the NetScaler that network X is on interface 1/1 and network Y is on interface 1/2 (you can if you wish to, or instructed to by the network security team, by tagging IP addresses to a defined NetScaler VLANs which have specific interfaces assigned), but generally, it will happily use the IP addresses it is configured with on the relevant interfaces. When the NetScaler receives a packet destined for one of its IP addresses, it knows that the network which defines that address is available through the interface on which the request was received. Please Note: I don&rsquo;t claim to be a NetScaler Guru, or to have the knowledge to make all the bells and whistles of the NetScaler sound into a polyphony, there are others on the Internet who can better provide you with that information. The information here is from my own observations during a standard two arm deployment of Virtual and Physical NetScaler 10 Access Gateways.</p>Profile Permissionshttps://blog.j81.nl/posts/profile-permissions/Mon, 18 Mar 2013 18:40:37 +0000https://blog.j81.nl/posts/profile-permissions/<p><strong>NTFS Permissions for Roaming Profile Parent Folder</strong> User Account    : Minimum Permissions Required Creator Owner    : Full Control, Subfolders and Files Only Administrator    : Full Control (Microsoft actually recommends none but it simplifies things if you give admins full control) Security group of users needing to put data on share    : List Folder/Read Data, Create Folders/Append Data - This Folder Only Everyone    : No permissions Local System    : Full Control, This Folder, Subfolders and Files <strong>Share level (SMB) Permissions for Roaming Profile Share</strong> User Account    : Minimum Permissions Required Everyone    : No permissions Security group of users needing to put data on share    : Full Control</p>Disable Win+L on clienthttps://blog.j81.nl/posts/disable-win-l-on-client/Sat, 02 Feb 2013 16:26:39 +0000https://blog.j81.nl/posts/disable-win-l-on-client/<p><a href="http://technet.microsoft.com/en-us/library/cc786409%28WS.10%29.aspx" target="_blank" rel="noreferrer">http://technet.microsoft.com/en-us/library/cc786409%28WS.10%29.aspx</a></p>Citrix Receiver 3.3 installatiehttps://blog.j81.nl/posts/citrix-receiver-3.3-installatie/Wed, 28 Nov 2012 13:13:17 +0000https://blog.j81.nl/posts/citrix-receiver-3.3-installatie/<p>ReceiverInstall.exe /addlocal=&ldquo;ICA_Client,ReceiverInside,SSON,Flash,USB,DesktopViewer,HDX,Vd3d&rdquo;</p>