
22 juillet 2016

Configuring Netscaler for Exchange ActiveSync, RPC, OWA, OAB, EWS, Autodiscover

I've been asked for my NetScaler configuration for Exchange, so I'm sharing it in the hope that it is helpful to many.

Unfortunately I don't currently have the luxury of time to comment on and explain all of it, but the important thing is that the config is here. Keep in mind that some of the longer commands will be truncated on the blog; they should be typed on one line.


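# 2048-bit Diffie-Hellman parameters for the SSL profile below (-gen 2 selects generator 2).
# Note the file holds classic DH parameters ("create ssl dhparam"), not ECDH ones, despite its name.
create ssl dhparam ECDH.KEY 2048 -gen 2

# SSL profile applied to every vserver on this page via "set ssl vserver ... -sslProfile No_SSL3_profile".
# The profile was originally created as "No_SSL3_profileb" (stray trailing "b"), a name none of the
# "set ssl vserver" lines reference, so the intended profile was never applied; the name is corrected here.
# Only SSLv3 is explicitly disabled; the TLS versions are left at the platform default — review against
# current policy. eRSA (ephemeral RSA key exchange) is enabled; it is only relevant to export-grade
# ciphers, so it can likely be disabled once the bound cipher group excludes those — confirm first.
# Session reuse is on with a 120 s timeout; -sslRedirect/-redirectPortRewrite rewrite http:// redirects
# coming back from the backends so the client stays on https.
add ssl profile No_SSL3_profile -dhCount 10000 -dh ENABLED -dhFile "/nsconfig/ssl/ECDH.KEY" -eRSA ENABLED -eRSACount 10000 -sessReuse ENABLED -sessTimeout 120 -sslRedirect ENABLED -redirectPortRewrite ENABLED -ssl3 DISABLED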


# Backend pool: four Exchange servers (server objects exchange_K1/K2/J1/J2 defined elsewhere) on 443,
# health-checked with the built-in https-ecv monitor. Client-IP insertion (-cip) and USIP are both off,
# so the backends see the NetScaler's own address rather than the client's — relevant for Exchange
# logging and throttling.
add serviceGroup SG_EXCH_HTTPs SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_EXCH_HTTPs exchange_K1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_K2 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J2 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs -monitorName https-ecv

# AutoDiscover: non-addressable (0.0.0.0:0) LB vserver, reached only through the cs action
# ACT_SEND_EXC=AUTODISCOVER further down. No persistence and no NetScaler-side authentication
# (no -Authentication/-authn401 flag) — presumably Exchange authenticates these requests itself.
# Cipher group claus-cipher-list-with-gcm and certkey domain-wildcard are defined elsewhere on the appliance.
add lb vserver LB_EXC=AutoDiscover=NoAuth SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=AutoDiscover=NoAuth SG_EXCH_HTTPs
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=AutoDiscover=NoAuth -sslProfile No_SSL3_profile

# OAB / EWS: non-addressable LB vserver with SSL-session-ID persistence (720-minute timeout) and no
# NetScaler-side authentication. Same cipher group, certkey and SSL profile as the other vservers.
add lb vserver LB_EXC=OAB_EWS=NoAuth SSL 0.0.0.0 0 -persistenceType SSLSESSION -timeout 720 -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=OAB_EWS=NoAuth SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=OAB_EWS=NoAuth -sslProfile No_SSL3_profile

# Outlook Anywhere (RPC over HTTP): source-IP persistence for 720 minutes, no NetScaler-side auth.
# NOTE(review): source-IP persistence pins every client behind one NAT address to a single backend;
# confirm that is acceptable for the expected client population.
add lb vserver LB_EXC=OA-RPC=No_AUTH SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 720 -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC=OA-RPC=No_AUTH SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -certkeyName domain-wildcard
set ssl vserver LB_EXC=OA-RPC=No_AUTH -sslProfile No_SSL3_profile

# ActiveSync: rule-based persistence keyed on the Authorization header (720 minutes), so requests carrying
# the same credential land on the same backend. Authentication is a 401 challenge (-authn401 ON) delegated
# to the authentication vserver vs_AuthCorp.domain.com, which is defined elsewhere.
# NOTE(review): this vserver binds cipher group z_metro-cipher-list-with-gcm while every other vserver on
# this page uses claus-cipher-list-with-gcm — confirm the difference is intentional.
add lb vserver LB_EXC=ActiveSync=401Auth_Corp SSL 0.0.0.0 0 -persistenceType RULE -timeout 720 -rule "HTTP.REQ.HEADER(\"Authorization\")" -Listenpolicy None -cltTimeout 180 -authn401 ON -authnVsName vs_AuthCorp.domain.com
set ssl vserver LB_EXC=ActiveSync=401Auth_Corp -sslProfile No_SSL3_profile
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -cipherName z_metro-cipher-list-with-gcm
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -certkeyName domain-wildcard
bind lb vserver LB_EXC=ActiveSync=401Auth_Corp SG_EXCH_HTTPs

# OWA / ECP: cookie-insert persistence (-timeout 0) with source-IP as the backup method for 720 minutes.
# Authentication is enforced at the NetScaler (-Authentication ON) using authentication profile
# Profile_Corp_Auth, defined elsewhere — unauthenticated browsers never reach the Exchange servers.
add lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 720 -Listenpolicy None -cltTimeout 360 -Authentication ON -authnProfile Profile_Corp_Auth
bind lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -certkeyName domain-wildcard
set ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -sslProfile No_SSL3_profile



# AutoDiscover routing: first path segment "AutoDiscover" (case-insensitive) or a Host header containing
# either autodiscover hostname. CONTAINS is a substring test, so a Host such as
# "autodiscover.domain.com.example" also matches; only routing is affected, but an exact match on the
# host part would be stricter — verify how the Host header arrives (with or without port) before changing.
add cs action ACT_SEND_EXC=AUTODISCOVER -targetLBVserver LB_EXC=AutoDiscover=NoAuth
add cs policy CSPol__EXC=AutoDiscover=No_AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"AutoDiscover\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover.domain.com\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover3.domain.com\")" -action ACT_SEND_EXC=AUTODISCOVER

# OAB / EWS routing: first path segment "oab" (case-insensitive) or a path beginning with "/ews".
# STARTSWITH is a prefix test, so "/ewsanything" would match as well.
add cs action ACT_SEND_EXC=OAB_EWS -targetLBVserver LB_EXC=OAB_EWS=NoAuth
add cs policy CSPol__EXC=OAB_EWS=No_Auth -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"oab\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.TO_LOWER.STARTSWITH(\"/ews\")" -action ACT_SEND_EXC=OAB_EWS

# Outlook Anywhere routing: first path segment "rpc" (case-insensitive) goes to the no-auth RPC vserver.
add cs action ACT_SEND_EXC=OA_RPC -targetLBVserver LB_EXC=OA-RPC=No_AUTH
add cs policy CSPol__EXC=RPC=NO-AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"rpc\")" -action ACT_SEND_EXC=OA_RPC

# ActiveSync routing: first path segment "Microsoft-Server-ActiveSync" (case-insensitive) goes to the
# 401-authenticated ActiveSync vserver.
add cs action ACT_SEND_EXC=ActiveSync -targetLBVserver LB_EXC=ActiveSync=401Auth_Corp
add cs policy CSPol__EXC=ActiveSync=AUTH_401 -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"Microsoft-Server-ActiveSync\")" -action ACT_SEND_EXC=ActiveSync

# OWA / ECP routing: any request whose Host header contains "mail.domain.com". There is no path test, so
# given the binding priorities on CS_Exchange this is the catch-all for everything the more specific
# policies did not claim, and it sends those requests through the fully authenticated vserver.
add cs action ACT_SEND_EXC=OWA_ECP -targetLBVserver LB_EXC=OWA_ECP=FullAuth_Corp
add cs policy CSPol_EXC=OWA_ECP=FullAuth_Corp -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"mail.domain.com\")" -action ACT_SEND_EXC=OWA_ECP



# Plain-HTTP listener on the public address, used only for the redirect to HTTPS. The bound service
# (1.2.3.4:80 as written — confirm that address is intended) exists so the vserver has a backend; its name
# suggests it only keeps the vserver UP, and every valid request is answered by the responder policy
# bound below before it would be forwarded.
add service Always_UP_service 1.2.3.4 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CustomServerID "\"None\"" -CKA NO -TCPB NO -CMP NO

add lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect HTTP 24.x.x.21 80 -persistenceType NONE -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect Always_UP_service

# Redirect every valid HTTP request to https:// on the same host, path and query string. The target is
# built from the client-supplied Host header — HTTP_URL_SAFE encodes it but does not validate it — so
# if only mail.domain.com is served here, a fixed hostname in the action would be stricter.
# RESET is the undefined-action: requests whose expression cannot be evaluated are reset, not forwarded.
add responder action http_to_https_actn redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https_actn RESET

bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST


# Public HTTPS entry point: content-switching vserver on 24.x.x.21:443 with the same cipher group,
# wildcard certkey and SSL profile as the internal LB vservers. -caseSensitive OFF makes URL matching in
# the bound policies case-insensitive (the rules above also force IGNORECASE explicitly).
add cs vserver CS_Exchange SSL 24.x.x.21 443 -cltTimeout 180 -caseSensitive OFF -Listenpolicy None
bind ssl vserver CS_Exchange -cipherName claus-cipher-list-with-gcm
bind ssl vserver CS_Exchange -certkeyName domain-wildcard
set ssl vserver CS_Exchange -sslProfile No_SSL3_profile

# Policies are evaluated from the lowest priority number upward: RPC (80), ActiveSync (90), OAB/EWS (110),
# AutoDiscover (120), and finally the hostname-only OWA/ECP rule (130) as the catch-all.
# No default LB vserver is bound on this page, so a request matching none of the rules (Host header not
# containing mail.domain.com) falls back to the CS vserver's default handling — confirm that is intended.
bind cs vserver CS_Exchange -policyName CSPol__EXC=RPC=NO-AUTH -priority 80
bind cs vserver CS_Exchange -policyName CSPol__EXC=ActiveSync=AUTH_401 -priority 90
bind cs vserver CS_Exchange -policyName CSPol__EXC=OAB_EWS=No_Auth -priority 110
bind cs vserver CS_Exchange -policyName CSPol__EXC=AutoDiscover=No_AUTH -priority 120
bind cs vserver CS_Exchange -policyName CSPol_EXC=OWA_ECP=FullAuth_Corp -priority 130


17 mars 2016

Citrix Netscaler - HTTP to HTTPs sharepoint page rewrite

The context: SharePoint is accessed directly over HTTP internally.
We came across a problem: some of our SharePoint pages have hardcoded links instead of dynamic links, so when we expose the pages externally the links are static HTTP links, and since the pages are accessed over a secure connection the browser complains that insecure data is being accessed in clear text instead of over SSL. The workaround is to rewrite the page body when it is returned to the end user so that the links contained in the page are https instead of http. I tried rewriting the response body without success; a Citrix consultant then suggested using the URL Transformation feature under AppExpert -> Rewrite -> URL Transformation instead, which provided a working solution for us.

First we create the profile and enter a descriptive name: TrProfile_http-httpS

Now edit this profile to add an action by clicking on insert:
Name: http2https-action
Priority: 20
Enable = Check
Response URL From: http://(.*)
Response URL Into: https://$1

Click OK.

After that we create the policy:
Name:  TrPol-http-https
Profile: TrProfile_http-httpS
Expression: HTTP.REQ.IS_VALID

Click OK.

Finally, bind this transform policy to a CS or LB vserver:

Edit your vserver, click the "plus" sign under Policies, choose Transform -> Request, and then bind your newly created transform policy: TrPol-http-https

Click OK, Click Done.

Now when end users access the page, the NetScaler transforms all http links in the page to https, and we didn't need the developer to build a new page for external users.