https://blog.j81.nl/categories/netscaler/Recent content in Netscaler on John Billekens | Notes from the fieldHugo -- gohugo.ioen© 2026 John BillekensSun, 23 Feb 2025 19:24:52 +0000https://blog.j81.nl/howto/howto-configure-netscaler-adns-as-an-authoritative-dns-server-for-a-subdomain/Sun, 23 Feb 2025 19:24:49 +0000https://blog.j81.nl/howto/howto-configure-netscaler-adns-as-an-authoritative-dns-server-for-a-subdomain/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this HowTo article, we’ll walk through the complete process of configuring a Citrix NetScaler HA pair to serve as an authoritative DNS server for a subdomain. This step-by-step guide covers everything from setting up the Authoritative DNS (ADNS) service on the NetScaler to delegating the subdomain in the parent domain’s DNS management panel. Whether you’re looking to improve DNS resolution performance, gain more control over DNS records, or support advanced NetScaler features, this guide will help you get it done efficiently and securely.</p>https://blog.j81.nl/howto/howto-netscaler-upgrade-firmware/Sat, 10 Feb 2024 21:00:55 +0000https://blog.j81.nl/howto/howto-netscaler-upgrade-firmware/<p>group: &ldquo;NetScaler&rdquo;</p> <p>Upgrading firmware on time is crucial for the business continuity. Especially when new firmware become available containing fixes for high CVE&rsquo;s we have seen recently.</p> <p>This how to guide focuses on upgrading the NetScaler manually. If you are using an ADM appliance or ADM service, you can use those as well, to automatically upgrade the node(s). </p>https://blog.j81.nl/howto/howto-pre-upgrade-cleanup/Sat, 10 Feb 2024 20:57:37 +0000https://blog.j81.nl/howto/howto-pre-upgrade-cleanup/<p>group: &ldquo;NetScaler&rdquo;</p> <p>Before you start an upgrade. You must make sure to have enough free space available. Although in the GUI you see sometimes that you must have 5 GB available, in my experience you need at least 6,5 GB free space.</p>https://blog.j81.nl/howto/howto-netscaler-create-a-backup/Mon, 23 Oct 2023 13:07:03 +0000https://blog.j81.nl/howto/howto-netscaler-create-a-backup/<p>group: &ldquo;NetScaler&rdquo;</p> <p>A backup can save you a lot of time in case of emergencies, configuration errors or hacks. You could download and save it in a secure environment. And when needed restore a new appliance with the saved backup.</p>https://blog.j81.nl/howto/howto-netscaler-update-certificate/Wed, 18 Oct 2023 13:27:47 +0000https://blog.j81.nl/howto/howto-netscaler-update-certificate/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this how-to article I will explain the procedure how to update a certificate on a Citrix NetScaler. If you wait until a certificate is expired wil cause a lot of issues for your users or visitors. By being on time with the renewal will save you a lot of trouble.</p>https://blog.j81.nl/howto/howto-netscaler-install-certificate/Wed, 18 Oct 2023 12:38:35 +0000https://blog.j81.nl/howto/howto-netscaler-install-certificate/<p>group: &ldquo;NetScaler&rdquo;</p> <p>In this how-to article I will explain the procedure how to install a new certificate on a Citrix NetScaler. Certificates are an important piece in a secure connection from a client to a server.</p>https://blog.j81.nl/howto/howto-windows-export-certificate-pfx/Wed, 18 Oct 2023 09:45:25 +0000https://blog.j81.nl/howto/howto-windows-export-certificate-pfx/<p>group: &ldquo;Windows&rdquo;</p> <p>Certificates are an important part of a modern environment. They make communication safer by encrypting the traffic between the client and server. A safe way to move certificates between servers or store them safely is by exporting the certificate (private and public key) to an encrypted format. A commonly used format is &ldquo;pfx&rdquo; (Personal Information Exchange also known as PKCS#12). A pfx file can contain one or more certificates and is encrypted with a password. Without the correct password the pfx is useless. You commonly see that a pfx contains a (web) server certificate and one or more intermediate certificate(s) and a root certificate.</p>https://blog.j81.nl/posts/manipulate-the-nameid-saml-content-part-1/Thu, 28 Oct 2021 15:22:45 +0000https://blog.j81.nl/posts/manipulate-the-nameid-saml-content-part-1/<p>Some companies want to allow other (guest) companies to connect to their environment and for example allow them to open a Citrix Desktop. This can be achieved by Connecting an existing Citrix environment to the guest company via SAML (and yes there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and the other is and Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest companies suffix to your domain. </p>https://blog.j81.nl/posts/manage-native-otp-tokens-via-windows-part-2/Tue, 20 Apr 2021 19:31:56 +0000https://blog.j81.nl/posts/manage-native-otp-tokens-via-windows-part-2/<p>A couple weeks ago someone asked me if OTP4ADC could also support encrypted tokens. And at that time I hadn&rsquo;t done anything with encrypted tokens on a Citrix ADC. And if you not have heard of the OTP4ADC tool/script you can read my <a href="https://blog.j81.nl/2020/09/29/manage-native-otp-tokens-via-windows/" target="_blank" rel="nofollow noopener" title="Manage Native OTP tokens via Windows">initial blog article</a> from when I released the first version and the basics of how it works.</p>https://blog.j81.nl/posts/genlecertforns-new-update/Wed, 19 Feb 2020 16:42:40 +0000https://blog.j81.nl/posts/genlecertforns-new-update/<p>A lot of new users used my script after writing  my <a href="https://www.citrix.com/blogs/2019/06/24/why-certificates-are-more-important-today-than-ever/" target="_blank" rel="noopener noreferrer">first blog article for Citrix</a>. Since then I made some improvements and continuing to add new features. Today I released the latest version of my &ldquo;GenLeCertForNS&rdquo; script. Within this version I solved some issues and improved the overall speed (especially with larger orders).</p>https://blog.j81.nl/posts/lets-encrypt-certificates-on-a-netscaler/Thu, 06 Apr 2017 21:25:51 +0000https://blog.j81.nl/posts/lets-encrypt-certificates-on-a-netscaler/<p>For a while now it&rsquo;s possible to use <a href="https://letsencrypt.org/" target="_blank" rel="noreferrer">Let&rsquo;s Encrypt</a> certificates, they are trusted (cross signed), secure and most of all FREE! There are already a lot of tools available to generate these certificates. I haven&rsquo;t come across a tool or script to generate these certificates and upload them to a <a href="https://www.citrix.com/netscaler" target="_blank" rel="noreferrer">Citrix NetScaler</a>. So I thought why not build it myself. I already tried it in a previous <a href="https://blog.j81.nl/2016/07/03/generate-an-lets-encrypt-certificate-what-can-be-used-on-the-netscaler/" target="_blank" rel="noreferrer">attempt</a>, but I wanted more automation and thus I created this version. To learn more about the Let&rsquo;s Encrypt, check <a href="https://letsencrypt.org/how-it-works/" target="_blank" rel="noreferrer">how it works</a>.. What my script does in very basic steps (for example you want a certificate for <a href="https://www.domain.com" target="_blank" rel="noreferrer">www.domain.com</a>): Ask LE (Let&rsquo;s Encrypt) to validate &ldquo;<a href="https://www.domain.com" target="_blank" rel="noreferrer">www.domain.com</a>&rdquo; <strong>(1)</strong> LE returns data <strong>(2)</strong> among them:</p>https://blog.j81.nl/posts/create-offline-backups-of-the-netscaler-config/Thu, 06 Apr 2017 19:07:59 +0000https://blog.j81.nl/posts/create-offline-backups-of-the-netscaler-config/<p>I&rsquo;ve created a PowerShell script that can be used to generate an (offline) backup of a Citrix NetScaler. If you want you can use the supplied batchfile for example to schedule the backup in Scheduled Tasks to run everyday. Some more information about the parameters used:</p>https://blog.j81.nl/posts/disconnect-issues-on-netscaler-mpx/Fri, 03 Mar 2017 12:08:31 +0000https://blog.j81.nl/posts/disconnect-issues-on-netscaler-mpx/<p>Recently I upgraded a couple of MPX NetScalers to a recent 11.1 build at a customers location. During the following day the customer experienced a lot of disconnecting citrix sessions. I did not experience this issue on a VPX appliance. Turned out to be an issue with the &ldquo;<em><strong>TLS1.2-ECDHE-RSA-AES256-GCM-SHA384</strong></em>&rdquo; cypher. And because I want to strive for an A+ rating at ssllabs (<a href="https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/" target="_blank" rel="noreferrer">Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update</a>) this one is in the list. After removing this cypher from the cypher group the customer didn&rsquo;t experience any disconnects. So I thought to share this one as you may experience it for your self. Please also note this Citrix article: <a href="https://support.citrix.com/article/CTX220994" target="_blank" rel="noreferrer">https://support.citrix.com/article/CTX220994</a></p>https://blog.j81.nl/posts/generate-an-lets-encrypt-certificate-what-can-be-used-on-the-netscaler/Sun, 03 Jul 2016 18:32:28 +0000https://blog.j81.nl/posts/generate-an-lets-encrypt-certificate-what-can-be-used-on-the-netscaler/<p>Edit 07-04-2017: <a href="https://blog.j81.nl/2017/04/06/lets-encrypt-certificates-on-a-netscaler/" target="_blank" rel="noreferrer">Check out my new and updated version!</a> I&rsquo;m trying to create an (PowerShell) script to automate the Let&rsquo;s Encrypt certificate creation. Specifically for the Citrix NetScaler. Currently still Work In Progress&hellip; It&rsquo;s not yet finished. The prerequisite is that you have a configured NetScaler (http) Content Switch vServer. The script will present you with the required configuration rules (it will also be copied to your clipboard so you only have to copy it in the cli of the NetScaler) For the meantime you can find it on GitHub: <a href="https://github.com/j81blog/GenCertForNS" target="_blank">GenCertForNS on GitHub</a> More soon (I hope)&hellip;</p>https://blog.j81.nl/posts/secure-deployment-guide-for-netscaler-mpx-vpx-and-sdx-appliances/Fri, 06 Mar 2015 15:29:41 +0000https://blog.j81.nl/posts/secure-deployment-guide-for-netscaler-mpx-vpx-and-sdx-appliances/<p><a href="http://support.citrix.com/article/CTX129514" target="_blank"><a href="http://support.citrix.com/article/CTX129514" target="_blank" rel="noreferrer">http://support.citrix.com/article/CTX129514</a></a></p>https://blog.j81.nl/posts/exchange-config-for-the-netscaler/Sat, 21 Feb 2015 20:54:22 +0000https://blog.j81.nl/posts/exchange-config-for-the-netscaler/<p>Below is the NetScaler configuration for an Exchange environment. You need a Standard licence for this.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Below is the NetScaler configuration for an Exchange environment. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You need a Standard licence for this. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- Replace the text below with the actual data---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Exchange server hostname and IP </span></span><span class="line"><span class="cl">&lt;EXCH01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCHANGEWEBMAILURL&gt; </span></span><span class="line"><span class="cl">#Content Switch IP </span></span><span class="line"><span class="cl">&lt;CSVIPIP&gt; </span></span><span class="line"><span class="cl">#Domain FQDN </span></span><span class="line"><span class="cl">&lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">#Certiicatename as installed in the NetScaler, e.g. a wildcard certificate </span></span><span class="line"><span class="cl">&lt;WILDCARDCERTIFICATE&gt; </span></span><span class="line"><span class="cl">#Test user for the POP monitor </span></span><span class="line"><span class="cl">&lt;POPTESTUSER&gt; </span></span><span class="line"><span class="cl">&lt;POPTESTPASSWD&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- NS Config below this line ---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">enable ns feature LB CS CMP SSL REWRITE RESPONDER </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED </span></span><span class="line"><span class="cl">set ns httpParam -dropInvalReqs ON </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; &lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; &lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment &#34;Exchange Web Services&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_imap4 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Exchange Web Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_imap4 SSL_TCP &lt;CSVIPIP&gt; 993 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_pop3 SSL_TCP &lt;CSVIPIP&gt; 995 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; SSL &lt;CSVIPIP&gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl">add cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; HTTP &lt;CSVIPIP&gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews </span></span><span class="line"><span class="cl">add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa </span></span><span class="line"><span class="cl">add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp </span></span><span class="line"><span class="cl">add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas </span></span><span class="line"><span class="cl">add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab </span></span><span class="line"><span class="cl">add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa </span></span><span class="line"><span class="cl">add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs policy CswPol_ews -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ews&#34;)&#34; -action CswAct_ews </span></span><span class="line"><span class="cl">add cs policy CswPol_owa -rule &#34;HTTP.REQ.HEADER(&#34;User-Agent&#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;Mozilla&#34;)&#34; -action CswAct_owa </span></span><span class="line"><span class="cl">add cs policy CswPol_ecp -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ecp&#34;)&#34; -action CswAct_ecp </span></span><span class="line"><span class="cl">add cs policy CswPol_eas -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/Microsoft-Server-ActiveSync&#34;)&#34; -action CswAct_eas </span></span><span class="line"><span class="cl">add cs policy CswPol_oab -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/oab&#34;)&#34; -action CswAct_oab </span></span><span class="line"><span class="cl">add cs policy CswPol_oa -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/rpc&#34;)&#34; -action CswAct_oa </span></span><span class="line"><span class="cl">add cs policy CswPol_autodiscover -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/AutoDiscover&#34;)&#34; -action CswAct_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_exchange_ToOwa redirect &#34;&#34;/owa&#34;&#34; </span></span><span class="line"><span class="cl">add responder policy ResPol_exchange_ToOwa &#34;HTTP.REQ.URL.STARTSWITH(&#34;/owa&#34;).NOT&#34; ResAct_exchange_ToOwa </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_301 respondwith q{&#34;HTTP/1.1 301 Moved Permanentlyrn&#34; + &#34;Location: https://&#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + &#34;rnrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_404 respondwith q{&#34;HTTP/1.1 404 Not Foundrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_autodiscover -priority 100 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_eas -priority 110 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ews -priority 120 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oab -priority 130 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oa -priority 140 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ecp -priority 150 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_owa -priority 160 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb monitor Mon_imap4 TCP-ECV -send &#34;GET /&#34; -recv &#34;The Microsoft Exchange IMAP4 service is ready.&#34; -LRTM ENABLED -interval 30 -destPort 143 </span></span><span class="line"><span class="cl">add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName &lt;POPTESTUSER&gt; -password &lt;POPTESTPASSWD&gt; -LRTM ENABLED -interval 30 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Not needed for Exchange 2007-2010 </span></span><span class="line"><span class="cl">add lb monitor Mon_owa TCP-ECV -send &#34;GET /owa/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ecp TCP-ECV -send &#34;GET /ecp/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ews TCP-ECV -send &#34;GET /ews/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_eas TCP-ECV -send &#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oab TCP-ECV -send &#34;GET /oab/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oa TCP-ECV -send &#34;GET /rpc/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_Autodiscover TCP-ECV -send &#34;GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_owa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ews -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_eas -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oab -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add ssl cipher HighSecurity </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName HighSecurity</span></span></code></pre></div></div> <p> </p>https://blog.j81.nl/posts/exchange-config-for-the-netscaler-with-aaa-authentication/Sat, 21 Feb 2015 20:20:55 +0000https://blog.j81.nl/posts/exchange-config-for-the-netscaler-with-aaa-authentication/<p>Below is the NetScaler configuration for an Exchange environment. You need an Enterprise licence to activate AAA.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">#--- Replace the text below with the actual data---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Domain Controller hostname and IP </span></span><span class="line"><span class="cl">&lt;DC01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;DC01IP&gt; </span></span><span class="line"><span class="cl">&lt;DC02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;DC01IP&gt; </span></span><span class="line"><span class="cl">#Exchange server hostname and IP </span></span><span class="line"><span class="cl">&lt;EXCH01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl">#Active Directory data </span></span><span class="line"><span class="cl">&lt;LDAPPATH&gt; </span></span><span class="line"><span class="cl">&lt;LDAPREAD@DOAMIN.LOCAL&gt; </span></span><span class="line"><span class="cl">&lt;LDAPREADPASSWD&gt; </span></span><span class="line"><span class="cl">#Client subnet marked save for private profile </span></span><span class="line"><span class="cl">&lt;CLIENTSUBNET&gt; </span></span><span class="line"><span class="cl">#AD group for always use of the private profile </span></span><span class="line"><span class="cl">&lt;ADEXCHPRIVATEGRP&gt; </span></span><span class="line"><span class="cl">#AAA Server FQDN and IP </span></span><span class="line"><span class="cl">&lt;AUTHVIPFQDN&gt; </span></span><span class="line"><span class="cl">&lt;AUTHVIPIP&gt; </span></span><span class="line"><span class="cl">#Content Switch IP </span></span><span class="line"><span class="cl">&lt;CSVIPIP&gt; </span></span><span class="line"><span class="cl">#Domain FQDN </span></span><span class="line"><span class="cl">&lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">#Certiicatename as installed in the NetScaler </span></span><span class="line"><span class="cl">&lt;CERTIFICATE&gt; </span></span><span class="line"><span class="cl">#Test user for the POP monitor </span></span><span class="line"><span class="cl">&lt;POPTESTUSER&gt; </span></span><span class="line"><span class="cl">&lt;POPTESTPASSWD&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#--- NS Config below this line ---# </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">enable ns feature LB CS CMP SSL AAA REWRITE RESPONDER </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; &lt;EXCH01IP&gt; </span></span><span class="line"><span class="cl">add server Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; &lt;EXCH02IP&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment &#34;Exchange Web Services&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl">add serviceGroup SvcGrp_exchange_imap4 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication ldapAction AuthLdapSrv_&lt;DC01.DOMAIN.LOCAL&gt; -serverIP &lt;DC01IP&gt; -ldapBase &#34;&lt;LDAPPATH&gt;&#34; -ldapBindDn &lt;LDAPREAD@DOAMIN.LOCAL&gt; -ldapBindDnPassword &lt;LDAPREADPASSWD&gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN </span></span><span class="line"><span class="cl">add authentication ldapAction AuthLdapSrv_&lt;DC02.DOMAIN.LOCAL&gt; -serverIP &lt;DC02IP&gt; -ldapBase &#34;&lt;LDAPPATH&gt;&#34; -ldapBindDn &lt;LDAPREAD@DOAMIN.LOCAL&gt; -ldapBindDnPassword &lt;LDAPREADPASSWD&gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm formSSOAction AaaSsoPro_exchange_public -actionURL &#34;/owa/auth.owa&#34; -userField username -passwdField password -ssoSuccessRule &#34;HTTP.RES.SET_COOKIE.COOKIE(&#34;cadata&#34;).VALUE(&#34;cadata&#34;).LENGTH.GT(70)&#34; -nameValuePair &#34;flags=0&amp;trusted=0&#34; -responsesize 60000 -submitMethod POST </span></span><span class="line"><span class="cl">add tm formSSOAction AaaSsoPro_exchange_private -actionURL &#34;/owa/auth.owa&#34; -userField username -passwdField password -ssoSuccessRule &#34;HTTP.RES.SET_COOKIE.COOKIE(&#34;cadata&#34;).VALUE(&#34;cadata&#34;).LENGTH.GT(70)&#34; -nameValuePair &#34;flags=4&amp;trusted=0&#34; -responsesize 60000 -submitMethod POST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_public -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_public -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_private -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_private -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE </span></span><span class="line"><span class="cl">add tm trafficAction AaaTrafPro_exchange_logoff_global -appTimeout 1 -SSO ON -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication ldapPolicy AuthLdapPol_&lt;DC01.DOMAIN.LOCAL&gt; ns_true AuthLdapSrv_&lt;DC01.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">add authentication ldapPolicy AuthLdapPol_&lt;DC02.DOMAIN.LOCAL&gt; ns_true AuthLdapSrv_&lt;DC02.DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_public &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; CLIENT.IP.SRC.IN_SUBNET(&lt;CLIENTSUBNET&gt;).NOT&#34; AaaTrafPro_exchange_public </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_private &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; CLIENT.IP.SRC.IN_SUBNET(&lt;CLIENTSUBNET&gt;) || HTTP.REQ.USER.IS_MEMBER_OF(&#34;&lt;ADEXCHPRIVATEGRP&gt;&#34;)&#34; AaaTrafPro_exchange_private </span></span><span class="line"><span class="cl">add tm trafficPolicy AaaTrafPol_exchange_logoff_global &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/logoff.owa&#34;)&#34; AaaTrafPro_exchange_logoff_global </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost &lt;AUTHVIPFQDN&gt; -Authentication ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Outlook Web Access&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Exchange Web Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Autodiscover Service&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost &lt;AUTHVIPFQDN&gt; -Authentication ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Exchange Control Panel&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;ActiveSync Service for Mobile Mail clients&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Offline Address Book&#34; </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_&lt;AUTHVIPFQDN&gt; -comment &#34;Outlook Anywhere or RPC over HTTPS&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_imap4 SSL_TCP &lt;CSVIPIP&gt; 993 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl">add lb vserver LbVip_exchange_pop3 SSL_TCP &lt;CSVIPIP&gt; 995 -persistenceType SSLSESSION -cltTimeout 9000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; SSL &lt;AUTHVIPIP&gt; 443 -AuthenticationDomain &lt;DOMAIN.LOCAL&gt; </span></span><span class="line"><span class="cl">add cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; SSL &lt;CSVIPIP&gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl">add cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; HTTP &lt;CSVIPIP&gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews </span></span><span class="line"><span class="cl">add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa </span></span><span class="line"><span class="cl">add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp </span></span><span class="line"><span class="cl">add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas </span></span><span class="line"><span class="cl">add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab </span></span><span class="line"><span class="cl">add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa </span></span><span class="line"><span class="cl">add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add cs policy CswPol_ews -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ews&#34;)&#34; -action CswAct_ews </span></span><span class="line"><span class="cl">add cs policy CswPol_owa -rule &#34;HTTP.REQ.HEADER(&#34;User-Agent&#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;Mozilla&#34;)&#34; -action CswAct_owa </span></span><span class="line"><span class="cl">add cs policy CswPol_ecp -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/ecp&#34;)&#34; -action CswAct_ecp </span></span><span class="line"><span class="cl">add cs policy CswPol_eas -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/Microsoft-Server-ActiveSync&#34;)&#34; -action CswAct_eas </span></span><span class="line"><span class="cl">add cs policy CswPol_oab -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/oab&#34;)&#34; -action CswAct_oab </span></span><span class="line"><span class="cl">add cs policy CswPol_oa -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/rpc&#34;)&#34; -action CswAct_oa </span></span><span class="line"><span class="cl">add cs policy CswPol_autodiscover -rule &#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(&#34;/AutoDiscover&#34;)&#34; -action CswAct_autodiscover </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add rewrite action RewAct_exchange_insert_pback_cookie_1 insert_http_header COOKIE &#34;&#34;PBack=0;&#34;&#34; </span></span><span class="line"><span class="cl">add rewrite action RewAct_exchange_insert_pback_cookie_2 insert_after &#34;HTTP.REQ.HEADER(&#34;COOKIE&#34;).INSTANCE(0).SUBSTR(&#34;:&#34;)&#34; &#34;&#34; PBack=0;&#34;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add rewrite policy RewPol_exchange_insert_pback_cookie_1 &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; HTTP.REQ.COOKIE.COUNT.GT(2).NOT&#34; RewAct_exchange_insert_pback_cookie_1 </span></span><span class="line"><span class="cl">add rewrite policy RewPol_exchange_insert_pback_cookie_2 &#34;HTTP.REQ.URL.CONTAINS(&#34;owa/auth/logon.aspx&#34;) &amp;&amp; HTTP.REQ.COOKIE.COUNT.GT(2)&#34; RewAct_exchange_insert_pback_cookie_2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind rewrite global RewPol_exchange_insert_pback_cookie_2 100 END -type REQ_DEFAULT </span></span><span class="line"><span class="cl">bind rewrite global RewPol_exchange_insert_pback_cookie_1 110 END -type REQ_DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_exchange_ToOwa redirect &#34;&#34;/owa&#34;&#34; </span></span><span class="line"><span class="cl">add responder policy ResPol_exchange_ToOwa &#34;HTTP.REQ.URL.STARTSWITH(&#34;/owa&#34;).NOT&#34; ResAct_exchange_ToOwa </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_301 respondwith q{&#34;HTTP/1.1 301 Moved Permanentlyrn&#34; + &#34;Location: https://&#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + &#34;rnrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add responder action ResAct_ToHTTPS_404 respondwith q{&#34;HTTP/1.1 404 Not Foundrn&#34;} -bypassSafetyCheck YES </span></span><span class="line"><span class="cl">add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_private -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_public -priority 110 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_public -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_private -priority 110 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl">bind cs vserver CswVip_http_&lt;DOMAIN.LOCAL&gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_autodiscover -priority 100 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_eas -priority 110 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ews -priority 120 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oab -priority 130 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_oa -priority 140 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_ecp -priority 150 </span></span><span class="line"><span class="cl">bind cs vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -policyName CswPol_owa -priority 160 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ns httpParam -dropInvalReqs ON </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add lb monitor Mon_imap4 TCP-ECV -send &#34;GET /&#34; -recv &#34;The Microsoft Exchange IMAP4 service is ready.&#34; -LRTM ENABLED -interval 30 -destPort 143 </span></span><span class="line"><span class="cl">add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName &lt;POPTESTUSER&gt; -password &lt;POPTESTPASSWD&gt; -LRTM ENABLED -interval 30 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">#Not needed for Exchange 2007-2010 </span></span><span class="line"><span class="cl">add lb monitor Mon_owa TCP-ECV -send &#34;GET /owa/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ecp TCP-ECV -send &#34;GET /ecp/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_ews TCP-ECV -send &#34;GET /ews/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_eas TCP-ECV -send &#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oab TCP-ECV -send &#34;GET /oab/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_oa TCP-ECV -send &#34;GET /rpc/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl">add lb monitor Mon_Autodiscover TCP-ECV -send &#34;GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:&lt;EXCHANGEWEBMAILURL&gt;rnConnection:Closernrn&#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 443 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">#Exchange 2013 </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover </span></span><span class="line"><span class="cl">#Exchange 2007-2010 </span></span><span class="line"><span class="cl">#bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 110 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH01.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 Srv_&lt;EXCH02.DOMAIN.LOCAL&gt; 143 -CustomServerID &#34;&#34;None&#34;&#34; </span></span><span class="line"><span class="cl">bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_owa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ews -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_eas -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oab -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_oa -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl">set ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -ssl3 DISABLED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add tm sessionAction AaaSesPro_sso_exchange -sessTimeout 60 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain Domain -httpOnlyCookie NO -persistentCookie ON -persistentCookieValidity 30 </span></span><span class="line"><span class="cl">add tm sessionPolicy AaaSesPol_sso_exchange ns_true AaaSesPro_sso_exchange </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind tm global -policyName AaaTrafPol_exchange_logoff_global -priority 100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AuthLdapPol_&lt;DC01.DOMAIN.LOCAL&gt; -priority 100 </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AuthLdapPol_&lt;DC02.DOMAIN.LOCAL&gt; -priority 110 </span></span><span class="line"><span class="cl">bind authentication vserver AaaVip_&lt;AUTHVIPFQDN&gt; -policy AaaSesPol_sso_exchange -priority 100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add ssl cipher HighSecurity </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA </span></span><span class="line"><span class="cl">bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -certkeyName &#34;&lt;CERTIFICATE&gt;&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl">unbind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName DEFAULT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver AaaVip_&lt;AUTHVIPFQDN&gt; -cipherName HighSecurity </span></span><span class="line"><span class="cl">bind ssl vserver CswVip_https_&lt;DOMAIN.LOCAL&gt; -cipherName HighSecurity</span></span></code></pre></div></div> <p> </p>https://blog.j81.nl/posts/citrix-access-gateway-enterprise-port-configuration/Sun, 30 Mar 2014 19:08:51 +0000https://blog.j81.nl/posts/citrix-access-gateway-enterprise-port-configuration/<p>I have put together this blog post about Citrix Access Gateway Enterprise Port Configuration to assist people in setting up their firewalls for implementing Access Gateway in one-arm mode. I have found that almost all of Citrix’s documentation covers the Access Gateway / NetScaler straddling the DMZ and the Internal LAN E.G the VIP sits in the DMZ and the SNIP sits in the internal LAN. In Enterprise deployments firewalls are firewalls and NetScalers are NetScalers and security do not like NetScalers trying to be firewalls; although I’m sure they do perfectly fine job of it. So the below article describes what firewall rules you will need to have in place to get a NetScaler working when all its interfaces reside in the DMZ (one-arm single subnet). You should find the diagram useful even if you are not using the model described above. This is a diagram I like to use to explain NetScalers in an HA pair. It shows all the possible routes that traffic could take, not the way traffic flows during normal operation. The VIP and SNIP “float” between the two devices, in reality they exist on both devices but at any given time are only active on whichever node is the primary in the HA pair. <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="//www.shaunritchie.co.uk/wp-content/uploads/2012/03/Final-AGEE2.jpg" ></figure> </p>https://blog.j81.nl/posts/citrix-netscaler-for-xendesktop-firewall-considerations/Sun, 30 Mar 2014 19:01:37 +0000https://blog.j81.nl/posts/citrix-netscaler-for-xendesktop-firewall-considerations/<p>The NetScaler Access Gateway uses a number of IP addresses for various purposes. When Access Gateway is deployed in a DMZ, it is important to understand the role of each. The following table summarises the various types of IP addresses and their roles in a deployment: <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall2.gif" width="695" height="509" alt="firewall2" /> The following diagram illustrates the firewall port requirements for normal operation when the NetScaler Access Gateway platform is deployed in a DMZ in a two arm deployment, where no MIP is required. <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall1.gif" width="496" height="411" alt="firewall1" /> <img src="//myvirtualfunction.net/wp-content/uploads/2013/01/firewall3-Rules.gif" width="691" height="433" alt="NetScaler Firewall Rules for XenDesktop" /> <a href="http://myvirtualfunction.net/archives/357" target="_blank" rel="noreferrer">Source</a></p>https://blog.j81.nl/posts/citrix-netscaler-access-gateway-10-basic-fundamentals/Sun, 30 Mar 2014 18:43:54 +0000https://blog.j81.nl/posts/citrix-netscaler-access-gateway-10-basic-fundamentals/<h2 class="relative group">NetScaler Network Connections. <div id="netscaler-network-connections" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#netscaler-network-connections" aria-label="Anchor">#</a> </span> </h2> <p>At a very high level, considering the actual NetScaler connections to the network, and because of the way that NetScaler functions and can be configured, the NetScaler should be considered a switch, and not a router/firewall. With a switch, you can configure the management IP address on an individual port, responding to just devices reachable through that port, or it can be configured to respond on all ports to devices reachable from every port. With the NetScaler, either in single arm or multi arm deployment scenarios, there is no need to tell the NetScaler that network X is on interface 1/1 and network Y is on interface 1/2 (you can if you wish to, or instructed to by the network security team, by tagging IP addresses to a defined NetScaler VLANs which have specific interfaces assigned), but generally, it will happily use the IP addresses it is configured with on the relevant interfaces. When the NetScaler receives a packet destined for one of its IP addresses, it knows that the network which defines that address is available through the interface on which the request was received. Please Note: I don&rsquo;t claim to be a NetScaler Guru, or to have the knowledge to make all the bells and whistles of the NetScaler sound into a polyphony, there are others on the Internet who can better provide you with that information. The information here is from my own observations during a standard two arm deployment of Virtual and Physical NetScaler 10 Access Gateways.</p>https://blog.j81.nl/posts/change-text-password-1-password-2-on-netscaler-ag/Fri, 05 Jul 2013 05:50:42 +0000https://blog.j81.nl/posts/change-text-password-1-password-2-on-netscaler-ag/<p><code>add rewrite action AD_delete_rewrite_action delete_all &quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)&quot; -pattern &quot;document.write(' 1');&quot; -bypassSafetyCheck YES add rewrite action AD_replace_rewrite_action replace_all &quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)&quot; &quot;&quot;AD Password'&quot;&quot; -pattern &quot;&quot;Password&quot;&quot; -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(&quot;Password&quot;)[ ]*!)/ add rewrite action RSA_replace_rewrite_action replace_all &quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)&quot; &quot;&quot;Secure token:'&quot;&quot; -pattern &quot;&quot;Password2&quot;&quot; -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(&quot;Password2&quot;)[ ]*!)/ add rewrite policy AD_rewrite_pol &quot;http.req.url.path.endswith(&quot;vpn/login.js&quot;)&quot; AD_replace_rewrite_action add rewrite policy RSA_rewrite_pol &quot;http.req.url.path.endswith(&quot;vpn/login.js&quot;)&quot; RSA_replace_rewrite_action add rewrite policy AD_delete_pol &quot;http.req.url.path.endswith(&quot;vpn/login.js&quot;)&quot; AD_delete_rewrite_action bind rewrite global AD_rewrite_pol 100 NEXT -type RES_OVERRIDE bind rewrite global RSA_rewrite_pol 110 NEXT -type RES_OVERRIDE bind rewrite global AD_delete_pol 120 NEXT -type RES_OVERRIDE</code></p>