22 juillet 2016

Configuring Netscaler for Exchange ActiveSync, RPC, OWA, OAB, EWS, Autodiscover

I've been asked for my Netsclaer configuration for Exchange so I'm sharing it for everyone to (hopefully) be helpfull to many.

Unfortunately I don't have the time luxury currently to comment and explain all of it but at least the important is that the config is there. Keep in mind that the some longer command will be truncated on the blog but they should be typed on one line.


create ssl dhparam ECDH.KEY 2048 -gen 2

add ssl profile No_SSL3_profileb -dhCount 10000 -dh ENABLED -dhFile "/nsconfig/ssl/ECDH.KEY" -eRSA ENABLED -eRSACount 10000 -sessReuse ENABLED -sessTimeout 120 -sslRedirect ENABLED -redirectPortRewrite ENABLED -ssl3 DISABLED


add serviceGroup SG_EXCH_HTTPs SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_EXCH_HTTPs exchange_K1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_K2 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J2 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs -monitorName https-ecv

add lb vserver LB_EXC=AutoDiscover=NoAuth SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=AutoDiscover=NoAuth SG_EXCH_HTTPs
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=AutoDiscover=NoAuth -sslProfile No_SSL3_profile

add lb vserver LB_EXC=OAB_EWS=NoAuth SSL 0.0.0.0 0 -persistenceType SSLSESSION -timeout 720 -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=OAB_EWS=NoAuth SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=OAB_EWS=NoAuth -sslProfile No_SSL3_profile

add lb vserver LB_EXC=OA-RPC=No_AUTH SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 720 -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC=OA-RPC=No_AUTH SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -certkeyName domain-wildcard
set ssl vserver LB_EXC=OA-RPC=No_AUTH -sslProfile No_SSL3_profile

add lb vserver LB_EXC=ActiveSync=401Auth_Corp SSL 0.0.0.0 0 -persistenceType RULE -timeout 720 -rule "HTTP.REQ.HEADER(\"Authorization\")" -Listenpolicy None -cltTimeout 180 -authn401 ON -authnVsName vs_AuthCorp.domain.com
set ssl vserver LB_EXC=ActiveSync=401Auth_Corp -sslProfile No_SSL3_profile
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -cipherName z_metro-cipher-list-with-gcm
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -certkeyName domain-wildcard
bind lb vserver LB_EXC=ActiveSync=401Auth_Corp SG_EXCH_HTTPs

add lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 720 -Listenpolicy None -cltTimeout 360 -Authentication ON -authnProfile Profile_Corp_Auth
bind lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -certkeyName domain-wildcard
set ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -sslProfile No_SSL3_profile



add cs action ACT_SEND_EXC=AUTODISCOVER -targetLBVserver LB_EXC=AutoDiscover=NoAuth
add cs policy CSPol__EXC=AutoDiscover=No_AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"AutoDiscover\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover.domain.com\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover3.domain.com\")" -action ACT_SEND_EXC=AUTODISCOVER

add cs action ACT_SEND_EXC=OAB_EWS -targetLBVserver LB_EXC=OAB_EWS=NoAuth
add cs policy CSPol__EXC=OAB_EWS=No_Auth -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"oab\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.TO_LOWER.STARTSWITH(\"/ews\")" -action ACT_SEND_EXC=OAB_EWS

add cs action ACT_SEND_EXC=OA_RPC -targetLBVserver LB_EXC=OA-RPC=No_AUTH
add cs policy CSPol__EXC=RPC=NO-AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"rpc\")" -action ACT_SEND_EXC=OA_RPC

add cs action ACT_SEND_EXC=ActiveSync -targetLBVserver LB_EXC=ActiveSync=401Auth_Corp
add cs policy CSPol__EXC=ActiveSync=AUTH_401 -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"Microsoft-Server-ActiveSync\")" -action ACT_SEND_EXC=ActiveSync

add cs action ACT_SEND_EXC=OWA_ECP -targetLBVserver LB_EXC=OWA_ECP=FullAuth_Corp
add cs policy CSPol_EXC=OWA_ECP=FullAuth_Corp -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"mail.domain.com\")" -action ACT_SEND_EXC=OWA_ECP



add service Always_UP_service 1.2.3.4 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CustomServerID "\"None\"" -CKA NO -TCPB NO -CMP NO

add lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect HTTP 24.x.x.21 80 -persistenceType NONE -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect Always_UP_service

add responder action http_to_https_actn redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https_actn RESET

bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST


add cs vserver CS_Exchange SSL 24.x.x.21 443 -cltTimeout 180 -caseSensitive OFF -Listenpolicy None
bind ssl vserver CS_Exchange -cipherName claus-cipher-list-with-gcm
bind ssl vserver CS_Exchange -certkeyName domain-wildcard
set ssl vserver CS_Exchange -sslProfile No_SSL3_profile

bind cs vserver CS_Exchange -policyName CSPol__EXC=RPC=NO-AUTH -priority 80
bind cs vserver CS_Exchange -policyName CSPol__EXC=ActiveSync=AUTH_401 -priority 90
bind cs vserver CS_Exchange -policyName CSPol__EXC=OAB_EWS=No_Auth -priority 110
bind cs vserver CS_Exchange -policyName CSPol__EXC=AutoDiscover=No_AUTH -priority 120
bind cs vserver CS_Exchange -policyName CSPol_EXC=OWA_ECP=FullAuth_Corp -priority 130


Aucun commentaire:

Publier un commentaire