As we decided to re-enable UAC on all our computers, I found it annoying to edit files in UAC-protected folders. I was searching for a solution and found this old blog post:
Send-to-notepad-as-admin - December 14, 2012
17 août 2017
22 juillet 2016
Configuring Netscaler for Exchange ActiveSync, RPC, OWA, OAB, EWS, Autodiscover
I've been asked for my Netscaler configuration for Exchange, so I'm sharing it in the hope that it is helpful to many.
Unfortunately I don't currently have the time to comment and explain all of it, but at least the important part is that the config is there. Keep in mind that some of the longer commands will be wrapped on the blog but must be typed on one line, and that hostnames, IPs and certificate names have been sanitised — replace them with your own before pasting anything into a production appliance.
Unfortunately I don't currently have the time to comment and explain all of it, but at least the important part is that the config is there. Keep in mind that some of the longer commands will be wrapped on the blog but must be typed on one line, and that hostnames, IPs and certificate names have been sanitised — replace them with your own before pasting anything into a production appliance.
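# Finite-field Diffie-Hellman parameters (2048-bit, generator 2) for the DHE-*
# suites. Despite the file name this is classic DH material, not ECDH; the
# ECDHE curves are configured separately with "-eccCurveName" bindings.
create ssl dhparam ECDH.KEY 2048 -gen 2
# Shared front-end SSL profile. The original listing created it as
# "No_SSL3_profileb" while every "set ssl vserver ... -sslProfile" below uses
# "No_SSL3_profile"; the names must match or those "set" commands fail.
# Review notes:
#  - only SSLv3 is disabled here; TLS 1.0/1.1 stay at the build default. Add
#    "-tls1 DISABLED -tls11 DISABLED" (where the build supports it) once your
#    clients no longer need them.
#  - eRSA (ephemeral RSA) exists to serve export-grade cipher clients with a
#    short temporary RSA key; with a GCM-only cipher group it should not be
#    needed, so prefer "-eRSA DISABLED".
#  - -sslRedirect / -redirectPortRewrite rewrite back-end http:// redirects to
#    https:// on the client side, which is what Exchange behind SSL offload needs.
add ssl profile No_SSL3_profile -dhCount 10000 -dh ENABLED -dhFile "/nsconfig/ssl/ECDH.KEY" -eRSA ENABLED -eRSACount 10000 -sessReuse ENABLED -sessTimeout 120 -sslRedirect ENABLED -redirectPortRewrite ENABLED -ssl3 DISABLED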
# Back-end pool: the Exchange CAS servers, re-encrypted over HTTPS.
# -cip DISABLED: the real client IP is NOT passed to Exchange, so the IIS logs
#   only show the NetScaler SNIP. For incident response you will want either
#   "-cip ENABLED X-Forwarded-For" or NetScaler-side access logging.
# -usip NO: connections to Exchange are sourced from the SNIP (the usual choice;
#   USIP typically requires the return path to go back through the NetScaler).
add serviceGroup SG_EXCH_HTTPs SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_EXCH_HTTPs exchange_K1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_K2 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J1 443 -CustomServerID "\"None\""
bind serviceGroup SG_EXCH_HTTPs exchange_J2 443 -CustomServerID "\"None\""
# HTTPS extended-content-verification monitor (default send/expect strings
# unless the monitor was customised elsewhere).
bind serviceGroup SG_EXCH_HTTPs -monitorName https-ecv
# Autodiscover. Non-addressable (0.0.0.0:0): only reachable through the
# CS_Exchange policies further down. "NoAuth" = no NetScaler pre-authentication;
# Exchange/IIS authenticates the client itself. No persistence is needed.
add lb vserver LB_EXC=AutoDiscover=NoAuth SSL 0.0.0.0 0 -persistenceType NONE -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=AutoDiscover=NoAuth SG_EXCH_HTTPs
# Front-end TLS: custom cipher group, wildcard certificate and the shared SSL
# profile (the profile must exist under exactly this name or the "set" fails).
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=AutoDiscover=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=AutoDiscover=NoAuth -sslProfile No_SSL3_profile
# Offline Address Book + Exchange Web Services, no NetScaler pre-auth (EWS is
# used by rich clients that cannot follow a forms logon, so Exchange
# authenticates them directly).
# Review note: if the AAA profile used for OWA below enforces a second factor,
# EWS remains a password-only path to the same mailboxes; restrict or at least
# monitor it.
# SSLSESSION persistence is keyed on the TLS session, 720-minute timeout.
add lb vserver LB_EXC=OAB_EWS=NoAuth SSL 0.0.0.0 0 -persistenceType SSLSESSION -timeout 720 -Listenpolicy None -cltTimeout 360
bind lb vserver LB_EXC=OAB_EWS=NoAuth SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OAB_EWS=NoAuth -certkeyName domain-wildcard
set ssl vserver LB_EXC=OAB_EWS=NoAuth -sslProfile No_SSL3_profile
# Outlook Anywhere (RPC over HTTP). No pre-auth: the RPC/HTTP client cannot
# follow a forms logon redirect, so Exchange authenticates. SOURCEIP
# persistence (720 min) keeps a client's paired RPC connections on the same CAS.
add lb vserver LB_EXC=OA-RPC=No_AUTH SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 720 -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC=OA-RPC=No_AUTH SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OA-RPC=No_AUTH -certkeyName domain-wildcard
set ssl vserver LB_EXC=OA-RPC=No_AUTH -sslProfile No_SSL3_profile
# Exchange ActiveSync. 401-based pre-authentication: the NetScaler answers with
# HTTP 401 and validates the Basic credentials against the AAA vserver
# vs_AuthCorp.domain.com before anything reaches Exchange. Persistence is
# keyed on the Authorization header, i.e. per user/device credential, so the
# header must be present on every EAS request.
# A different cipher group (z_metro-...) is bound here -- presumably a wider
# list for older mobile devices; confirm it still excludes weak suites.
add lb vserver LB_EXC=ActiveSync=401Auth_Corp SSL 0.0.0.0 0 -persistenceType RULE -timeout 720 -rule "HTTP.REQ.HEADER(\"Authorization\")" -Listenpolicy None -cltTimeout 180 -authn401 ON -authnVsName vs_AuthCorp.domain.com
set ssl vserver LB_EXC=ActiveSync=401Auth_Corp -sslProfile No_SSL3_profile
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -cipherName z_metro-cipher-list-with-gcm
bind ssl vserver LB_EXC=ActiveSync=401Auth_Corp -certkeyName domain-wildcard
bind lb vserver LB_EXC=ActiveSync=401Auth_Corp SG_EXCH_HTTPs
# OWA and ECP behind full forms-based AAA (Profile_Corp_Auth). COOKIEINSERT
# persistence with no timeout, SOURCEIP fallback (720 min) for clients that
# drop the cookie.
# Review note: ECP is also the Exchange administration portal; consider a
# responder or CS rule that limits "/ecp" to internal networks or admin users
# instead of exposing it to the Internet together with OWA.
add lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 720 -Listenpolicy None -cltTimeout 360 -Authentication ON -authnProfile Profile_Corp_Auth
bind lb vserver LB_EXC=OWA_ECP=FullAuth_Corp SG_EXCH_HTTPs
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -cipherName claus-cipher-list-with-gcm
bind ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -certkeyName domain-wildcard
set ssl vserver LB_EXC=OWA_ECP=FullAuth_Corp -sslProfile No_SSL3_profile
# Content-switching actions and policies. Evaluation order comes from the
# priorities given when binding to CS_Exchange below (lower number first).
# Review notes:
#  - HOSTNAME.CONTAINS("autodiscover.domain.com") also matches a Host header
#    such as "autodiscover.domain.com.attacker.example"; prefer .EQ(...) -- the
#    wildcard certificate already lets TLS succeed for any *.domain.com name,
#    so the hostname test is the only thing doing the routing.
#  - The path tests look only at the first segment (PATH.GET(1)) or a prefix
#    (STARTSWITH("/ews")), so "/ewsx" or "/rpc/../ecp/" are classified as the
#    no-auth paths. If the back end normalises dot-segments, such a request
#    reaches Exchange without the NetScaler pre-auth that /owa and /ecp get
#    (Exchange still enforces its own authentication). Consider a responder
#    policy that resets requests whose path contains "/..".
add cs action ACT_SEND_EXC=AUTODISCOVER -targetLBVserver LB_EXC=AutoDiscover=NoAuth
add cs policy CSPol__EXC=AutoDiscover=No_AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"AutoDiscover\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover.domain.com\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"autodiscover3.domain.com\")" -action ACT_SEND_EXC=AUTODISCOVER
add cs action ACT_SEND_EXC=OAB_EWS -targetLBVserver LB_EXC=OAB_EWS=NoAuth
add cs policy CSPol__EXC=OAB_EWS=No_Auth -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"oab\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.TO_LOWER.STARTSWITH(\"/ews\")" -action ACT_SEND_EXC=OAB_EWS
add cs action ACT_SEND_EXC=OA_RPC -targetLBVserver LB_EXC=OA-RPC=No_AUTH
add cs policy CSPol__EXC=RPC=NO-AUTH -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"rpc\")" -action ACT_SEND_EXC=OA_RPC
add cs action ACT_SEND_EXC=ActiveSync -targetLBVserver LB_EXC=ActiveSync=401Auth_Corp
add cs policy CSPol__EXC=ActiveSync=AUTH_401 -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH.GET(1).EQ(\"Microsoft-Server-ActiveSync\")" -action ACT_SEND_EXC=ActiveSync
add cs action ACT_SEND_EXC=OWA_ECP -targetLBVserver LB_EXC=OWA_ECP=FullAuth_Corp
# Catch-all for mail.domain.com (hostname only, no path test): everything not
# claimed by the higher-priority path policies lands on the authenticated
# OWA/ECP vserver.
add cs policy CSPol_EXC=OWA_ECP=FullAuth_Corp -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"mail.domain.com\")" -action ACT_SEND_EXC=OWA_ECP
# Dummy "always up" service: an LB vserver needs at least one UP service to
# accept connections. 1.2.3.4 is a placeholder that is never really contacted
# because the responder policy below answers every request itself.
add service Always_UP_service 1.2.3.4 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CustomServerID "\"None\"" -CKA NO -TCPB NO -CMP NO
add lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect HTTP 24.x.x.21 80 -persistenceType NONE -Listenpolicy None -cltTimeout 180
bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect Always_UP_service
# HTTP -> HTTPS redirect preserving host, path and query. HTTP_URL_SAFE
# percent-encodes unsafe characters so a crafted request line cannot inject
# headers into the Location value; RESET as the undefined-result action drops
# malformed requests instead of answering them.
add responder action http_to_https_actn redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https_actn RESET
bind lb vserver LB_EXC_HTTP=HTTPS_EXT_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST
# Public HTTPS entry point (24.x.x.21:443). The TLS handshake terminates here
# (the LB vservers above are non-addressable), hence the same SSL profile,
# cipher group and wildcard certificate. -caseSensitive OFF makes the policy
# URL matching case-insensitive.
add cs vserver CS_Exchange SSL 24.x.x.21 443 -cltTimeout 180 -caseSensitive OFF -Listenpolicy None
bind ssl vserver CS_Exchange -cipherName claus-cipher-list-with-gcm
bind ssl vserver CS_Exchange -certkeyName domain-wildcard
set ssl vserver CS_Exchange -sslProfile No_SSL3_profile
# Policy order (lowest priority value evaluated first): RPC, ActiveSync,
# OAB/EWS, Autodiscover, then the hostname-only OWA/ECP policy as catch-all
# for mail.domain.com. No default LB vserver is bound, so a request that
# matches none of these is not forwarded anywhere.
bind cs vserver CS_Exchange -policyName CSPol__EXC=RPC=NO-AUTH -priority 80
bind cs vserver CS_Exchange -policyName CSPol__EXC=ActiveSync=AUTH_401 -priority 90
bind cs vserver CS_Exchange -policyName CSPol__EXC=OAB_EWS=No_Auth -priority 110
bind cs vserver CS_Exchange -policyName CSPol__EXC=AutoDiscover=No_AUTH -priority 120
bind cs vserver CS_Exchange -policyName CSPol_EXC=OWA_ECP=FullAuth_Corp -priority 130
02 mai 2016
Semi automate Netscaler CLI command
I wanted to automate the creation of VIPs on the Netscaler, but I currently don't have time to learn PowerShell + NITRO well enough for all of it, and I had an urgent need to standardise the creation of new VIPs. To work around that time limitation I created a batch file that semi-automates the process of creating new VIPs on the Netscaler, so that everything created on the Netscaler follows the same standard. The batch file asks you some basic questions and returns the commands that you then copy/paste into the Netscaler CLI (I connect to the Netscaler using PuTTY). The script is not 100% dummy-proof: it does not double-check everything you enter, so if you type wrong information in a field the generated commands will be wrong — review the output before pasting it into a production appliance.
Save the following into a text file with extension .bat and run it.
-------------------------- Copy below this line --------------------------
That's the batch file I use now to create VIP into the Netscaler.
Save the following into a text file with extension .bat and run it.
-------------------------- Copy below this line --------------------------
-------------------------- Copy above this line --------------------------
@echo off
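setlocal EnableExtensions
REM ------------------------------------------------------------------------
REM Interactive helper that PRINTS the NetScaler CLI commands needed to create
REM a standardised VIP: service group + servers + monitor, LB vserver, the
REM optional SSL and authentication settings, the optional content-switching
REM action/policy for non-addressable VIPs, and the matching dnscmd lines.
REM Nothing is sent to the appliance; the operator copies the printed lines
REM into the NetScaler CLI (e.g. a PuTTY session) by hand.
REM Answers are only lightly validated: a wrong answer gives wrong commands.
REM setlocal keeps every variable private to this run, so a second run in the
REM same console window never sees stale answers from the previous one.
REM ------------------------------------------------------------------------
Echo.
Echo.
Echo **************************************************************************
Echo The recommended command-line window width is 168 characters to be certain of not having command over 2 lines.
Echo **************************************************************************
Echo.
REM CHOICE sets ERRORLEVEL to the 1-based position of the key pressed.
REM Physical and virtual appliances use different certificate and cipher-group
REM names, see the SSL section below.
CHOICE /C PV /M "Netscaler Physical or Virtual ?"
IF %ERRORLEVEL% == 1 SET NS=Phys
IF %ERRORLEVEL% == 2 SET NS=Virt
Echo.
REM We have 3 different levels of authentication and have created the matching
REM AAA authentication profiles and authentication vservers on the appliance.
:VIP_Authentification
ECHO.
ECHO ...............................................
ECHO Do you need authentication?
ECHO ...............................................
ECHO.
ECHO 1 - Authentification 401 Forest
ECHO 2 - Authentification 401 Corp
ECHO 3 - Authentification Form Base Forest
ECHO 4 - Authentification Form Base Corp
ECHO 5 - Authentification Form Base + RSA (Dual Auth)
ECHO 6 - No authentication
ECHO.
SET "Auth="
SET /P Auth=Type 1, 2, 3, 4, 5 or 6 then press ENTER:
REM Re-ask on an empty answer (SET /P leaves the variable unset, which used to
REM turn the numeric IF below into a syntax error) or on a value outside 1-6.
IF "%Auth%"=="" goto VIP_Authentification
IF %Auth% GEQ 7 goto VIP_Authentification
IF %Auth% LEQ 0 goto VIP_Authentification
Echo.
set /P VipIP=Enter the IP address of the VIP:
Echo.
:Vip_type
CHOICE /C HS /M "What kind of VIP: Http or Ssl?"
IF %ERRORLEVEL% == 1 SET VT=HTTP
IF %ERRORLEVEL% == 2 SET VT=ssl
set /P vPort=Enter the VIP port:
Echo.
set /P VipName=Enter the name of the VIP {LB_..._SSL} (If the VIP port is different than the default Change _SSL for _#### ):
Echo.
REM A VIP on 0.0.0.0 is non-addressable: it is only reachable through a
REM content-switching vserver, so we also ask which CS vserver(s) to bind to.
:Content_Switch
set "CSVS="
IF "%VipIP%" NEQ "0.0.0.0" goto IpNotNull
set csact=ACT_SEND_%vipname%
set cspol=CSPol_%VipName%
echo.
CHOICE /C EIB /M "VIP behind which content switch vServer: External, Internal or Both? "
IF %ERRORLEVEL% == 1 SET CSVS=Externe
IF %ERRORLEVEL% == 2 SET CSVS=Interne
IF %ERRORLEVEL% == 3 SET CSVS=Deux
:IpNotNull
:Sg_Type
echo.
CHOICE /C HS /M "Service Group type: Http or Ssl?"
IF %ERRORLEVEL% == 1 SET SGT=http
IF %ERRORLEVEL% == 2 SET SGT=SSL
Echo.
:MonitorType
REM The ECV monitor follows the back-end protocol (plain HTTP vs HTTPS).
IF /I "%SGT%" == "http" SET Mtyp=http-ecv
IF /I "%SGT%" == "SSL" SET Mtyp=https-ecv
:ServiceGroupPort
set /P BPort=Enter the port of the backend servers:
Echo.
:ServiceGroup_Name
set /P SGName=Enter the name of the Service Group {SG_...} Add _### if port is not 80:
Echo.
:Backend
REM The key pressed (1-4) is kept in nbrsvr. nbr is deliberately set to 5-N so
REM that the input loop fills svr<nbr>name..svr4name: svr4 is always filled
REM (it holds the LAST server typed) and the output section can fall through
REM the labels :4server -> :1server. Only the svr4 term (csrule1) has no
REM leading "||", so the concatenated CS rule is always well-formed.
choice /c 1234 /M "Enter the number of backend server without pressing enter?"
IF %ERRORLEVEL% == 1 SET nbr=4
IF %ERRORLEVEL% == 2 SET nbr=3
IF %ERRORLEVEL% == 3 SET nbr=2
IF %ERRORLEVEL% == 4 SET nbr=1
REM IF and SET do not change ERRORLEVEL, so this is still the CHOICE result.
set nbrsvr=%errorlevel%
set svr=1
Echo.
REM Clear the per-server variables so an earlier answer can never leak into a
REM slot that is not filled this time (matters when we jump back to :backend
REM after an empty name below).
set "svr4name="
set "svr3name="
set "svr2name="
set "svr1name="
set "svr4IP="
set "svr3IP="
set "svr2IP="
set "svr1IP="
set "csrule1="
set "csrule2="
set "csrule3="
set "csrule4="
:while
REM %nbr% is expanded each time the IF line is re-parsed after the goto, so
REM the indexed variable name advances on every pass.
if %nbr% lss 5 (
set /P Svr%nbr%Name=Enter Server %svr% name:
set /P Svr%nbr%IP=Enter server %svr% IP:
set /a nbr+=1
set /a svr+=1
goto :while
)
echo.
echo.
echo ************** copy line below this point in putty to create *****************
echo.
Echo add serviceGroup %SGName% %SGT%
If %nbrsvr% == 4 goto 4server
If %nbrsvr% == 3 goto 3server
If %nbrsvr% == 2 goto 2server
If %nbrsvr% == 1 goto 1server
REM Each :Nserver label prints the "add server"/"bind serviceGroup" lines for
REM one slot, builds that slot's hostname term for the CS rule and falls
REM through to the next label. The "Server N name is empty" messages refer to
REM the label number, not to the order in which the names were typed.
REM NOTE: the csrule assignments use the set "name=value" form on purpose: it
REM keeps the leading "||" inside quotes. The unquoted form
REM   set csrule4=||HTTP...
REM is parsed by cmd as 'set csrule4=' followed by an OR operator, which
REM silently clears the variable and drops that host from the CS rule.
:4server
if [%svr1name%] ==[] echo. && echo Server 4 name is empty restarting process... && echo.
if [%svr1name%] ==[] goto :backend
Echo add server %svr1name% %svr1IP%
Echo bind serviceGroup %SGName% %svr1name% %bport%
set "csrule4=||HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"%svr1name%.company.com\")"
:3server
if [%svr2name%] ==[] echo. && echo Server 3 name is empty restarting process... && echo.
if [%svr2name%] ==[] goto :backend
Echo add server %svr2name% %svr2IP%
echo bind serviceGroup %SGName% %svr2name% %bport%
set "csrule3=||HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"%svr2name%.company.com\")"
:2server
if [%svr3name%] ==[] echo. && echo Server 2 name is empty restarting process... && echo.
if [%svr3name%] ==[] goto :backend
Echo add server %svr3name% %svr3IP%
echo bind serviceGroup %SGName% %svr3name% %bport%
set "csrule2=||HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"%svr3name%.company.com\")"
:1server
if [%svr4name%] ==[] echo. && echo Server 1 name is empty restarting process... && echo.
if [%svr4name%] ==[] goto :backend
Echo add server %svr4name% %svr4IP%
echo bind serviceGroup %SGName% %svr4name% %bport%
set "csrule1=HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"%svr4name%.company.com\")"
Echo bind serviceGroup %SGName% -monitorName %Mtyp%
REM Only SSLv3 is disabled on the back-end connection; TLS 1.0/1.1 stay at the
REM appliance default.
IF /I "%SGT%" == "SSL" Echo set ssl serviceGroup %SGName% -ssl3 DISABLED
REM check if auth was selected
if Not %Auth% == 6 Goto Auth
Echo add lb vserver %VipName% %VT% %VipIP% %vport% -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180
Goto EndAuth
:Auth
REM 1-2: 401 challenge validated by an AAA vserver; 3-5: forms logon through an
REM AAA authentication profile (5 adds RADIUS/RSA as second factor).
if %Auth% == 1 set authVs=vs_Auth.company.com
if %Auth% == 2 set authVs=vs_AuthCorp.company.com
if %Auth% == 3 set AuthProf=Profile_Company_Auth
if %Auth% == 4 set AuthProf=Profile_Corp_Auth
if %Auth% == 5 set AuthProf=Profile_Corp-Radius_Auth
if %Auth% LEQ 2 Echo add lb vserver %VipName% %VT% %VipIP% %vport% -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -authn401 ON -authnVsName %authVS%
if %Auth% GEQ 3 Echo add lb vserver %VipName% %VT% %VipIP% %vport% -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -Authentication ON -authnProfile %AuthProf%
:EndAuth
Echo bind lb vserver %VipName% %SGName%
If /I "%VT%"=="HTTP" goto skipssl
REM We use a shared SSL profile for the protocol settings and a wildcard cert.
Echo set ssl vserver %VipName% -sslProfile No_SSL3_profile
REM /I: NS holds "Phys"/"Virt". The original compared case-sensitively against
REM "virt" on the cipher line below, so a VPX never got its cipher group bound
REM and kept the appliance default after the unbind of ALL.
IF /I "%NS%" == "Virt" Echo bind ssl vserver %VipName% -certkeyName Company-Wildcard-SHA2
IF /I "%NS%" == "Phys" Echo bind ssl vserver %VipName% -certkeyName Company-wildcard
Echo unbind ssl vserver %VipName% -cipherName ALL
IF /I "%NS%" == "Phys" Echo bind ssl vserver %VipName% -cipherName claus-cipher-list-with-gcm
IF /I "%NS%" == "Virt" Echo bind ssl vserver %VipName% -cipherName vpx-cipher-list
Echo bind ssl vserver %VipName% -eccCurveName P_256
Echo bind ssl vserver %VipName% -eccCurveName P_384
Echo bind ssl vserver %VipName% -eccCurveName P_224
Echo bind ssl vserver %VipName% -eccCurveName P_521
:skipssl
IF "%VipIP%" NEQ "0.0.0.0" goto IpNotNull2
echo add cs action %csact% -targetLBVserver %VipName%
echo add cs policy %cspol% -rule "%csrule1%%csrule2%%csrule3%%csrule4%" -action %csact%
if "%CSVS%"=="Externe" echo. && echo sh cs vserver CS_Company_External_app && echo. && echo bind cs vserver CS_Company_External_app -policyName %cspol% -priority xxx
if "%CSVS%"=="Interne" echo. && echo sh cs vserver CS_Internal_App && echo bind cs vserver CS_Internal_App -policyName %cspol% -priority xxx
if "%CSVS%"=="Deux" echo. && echo sh cs vserver CS_Internal_App && echo bind cs vserver CS_Internal_App -policyName %cspol% -priority xxx
if "%CSVS%"=="Deux" echo. && echo sh cs vserver CS_Company_External_app && echo. && echo bind cs vserver CS_Company_External_app -policyName %cspol% -priority xxx
echo.
echo.
Echo +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
echo + Since we don't know what priority are available on the +
echo + Content switching, the last two command above show the CS vserver +
echo + so that you manually type the priority on the Bind policy... command +
Echo +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:IpNotNull2
Echo.
echo ************** copy line above this point in putty to create *****************
echo.
echo.
Echo ********************************************************
Echo * Do not forget to create the DNS entry ... *
Echo * Run the following commands to create them internally *
Echo ********************************************************
echo.
echo.
REM DNSLBNAME  = VIP name up to the first "." (e.g. LB_app_SSL)
REM DNSLBNAME2 = the part between the first two "_" (e.g. app), used as the
REM              short host name. The dnscmd lines are printed, not run.
for /f "tokens=1 delims=." %%a IN ('echo %VipName%') DO (
set DNSLBNAME=%%a
)
for /f "tokens=2 delims=_" %%b IN ('echo %DNSLBNAME%') DO (
set DNSLBNAME2=%%b
)
echo.
IF "%VipIP%" == "0.0.0.0" goto IpNull
echo dnscmd %LOGONSERVER% /RecordAdd company.com %DNSLBNAME% /CreatePTR A %vipip%
echo dnscmd %LOGONSERVER% /RecordAdd company.com %DNSLBNAME2% A %VipIP%
echo.
REM An addressable VIP gets A records only. The original fell through and also
REM printed the CNAME below for the same name, which DNS does not allow (a
REM CNAME must be the only record at its name).
goto EndDns
:IpNull
REM Non-addressable VIPs are reached through the internal CS vserver, so the
REM short name is a CNAME to it.
echo.
echo dnscmd %LOGONSERVER% /RecordAdd company.com %DNSLBNAME2% CNAME CS_Internal_app.company.com
echo.
:EndDns
Echo **************** End DNS commands *****************
echo.
echo. Completed, this is the end of the batch file
echo.
pause
endlocal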
That's the batch file I use now to create VIP into the Netscaler.
17 mars 2016
Vmware PowerCLI 6 scheduled task
We just upgraded our VmWare environment to vSphere 6 with the vCenter installed on Windows 2012r2 using SQL server. The only problem we faced when we migrated the Windows scheduled task that run powercli command from the old 5.5 vCenter to the new one. Keep in mind that my powershell knowledge is very limited...
The task runs weekly to return all the running VMs and also the VMs with snapshots older than 7 days. After hours of investigation I finally found out that the scripts ran fine when started directly from within PowerCLI, so the problem had to come from Task Scheduler. I found a blog page that suggested testing the scheduled task's command line, with its parameters, from a command prompt to see where things go wrong. That proved to be the best troubleshooting option, as I quickly realised that the script was running but all the VMware commands were returning "invalid command name". This led me to diagnose further and understand that the vim.psc1 file is just a simple text file (a PowerShell console file) instructing PowerShell to load specific modules and/or snap-ins. I also discovered that you can create a new PowerShell console file with the Export-Console command, so I exported the console loaded by the PowerCLI shortcut on the desktop and, surprise, that console file differs from the vim.psc1 created automatically by VMware. I tested running my script with this PowerShell console file and ta-da! The scripts all work again. The problem is that the default vim.psc1 file is missing this line:
<PSSnapIn Name="VMware.VimAutomation.Core" />
This SnapIn is the one used for the get-vm command and was the one causing the problem.
The task run weekly to return all the running VMs and also VMs with snapshot that are older than 7 days. After hours of investigation I finally found out that the script were running fine when ran directly from whitin powercli so the problem had to come from task scheduler. I found some blog page that suggested to test the scheduled task command with the parameter from the command prompt to see where things goes wrong. That proved to be the best troubleshooting option as I quickly realised that the script was running fine but all the vmware command were returning "invalid command name". This lead me to diagnose further and understand that the vim.psc1file is just a simple text file (powershell console file) instructing powershell to load specific module and/or snapin. I also discovered that you can create new powershell console file by using the export-console command, so I exported the console loaded from the powercli shortcut on the desktop and oh surprise the console file is different than the vim.psc1 created automatically from Vmware. I tested running my script with this powershell console file and tadam! The scripts all works again. The problem is that the default vim.psc1 file miss this line:
<PSSnapIn Name="VMware.VimAutomation.Core" />
This SnapIn is the one used for the get-vm command and was the one causing the problem.
Citrix Netscaler - HTTP to HTTPs sharepoint page rewrite
The context: SharePoint is accessed directly over HTTP internally, so content travels in clear text on the internal network; terminating TLS on the Netscaler protects only the external leg.
We came across a problem: some of our SharePoint pages have hard-coded links instead of dynamic ones, so when we expose the pages externally the links stay on HTTP, and since the pages are accessed over a secure connection the browser complains that insecure content is loaded in clear text instead of over SSL. The workaround is to rewrite the page body when it is returned to the end user so that the links in the page are HTTPS instead of HTTP. I tried a rewrite of the response body without success, and then a Citrix consultant suggested using the URL Transformation feature under AppExpert -> Rewrite -> URL Transformation instead, which gave us a working solution. Note that the transform below rewrites every http:// URL in the response, including links to third-party hosts, so check that those hosts actually serve HTTPS; links to hosts that do not will break.
First we create the profile and enter a descriptive name: TrProfile_http-httpS
Now edit this profile to add an action by clicking on insert:
Name: http2https-action
Priority: 20
Enable = Check
Response URL From: http://(.*)
Response URL Into: https://$1
Click OK.
After that we create the Policies
Name: TrPol-http-https
Profile: TrProfile_http-httpS
Expression: HTTP.REQ.IS_VALID
Click OK.
Finally bind this transform Policy to a CS or LB Vserver:
Edit your Vserver, click the "PLUS" sign under policies, choose: transform -> Request and then bind your newly created transform policy: TrPol-http-https
Click OK, Click Done.
Now when the end users access the page, the Netscaler transform all http link in the page to https and we didn't need the developper to build a new page for external users.
We came across a problem that some of our Sharepoint page have hardcoded link instead of dynamic link so when we expose the page externally the link are static to HTTP and since the page are accessed on a secure connection the browser complain that there is unsecure data accessed in clear text instead of SSL. The work around is to rewrite the page body when they are returned to the end user so that the link contained in the page are httpS instead of http. I tried doing rewrite response body without succes and then Citrix consultant suggested to use URL Transformation feature under AppExpert -> Rewrite -> URL Transformation instead that provided a working solution for us.
First we create the profile and enter a descriptive name: TrProfile_http-httpS
Now edit this profile to add an action by clicking on insert:
Name: http2https-action
Priority: 20
Enable = Check
Response URL From: http://(.*)
Response URL Into: https://$1
Click OK.
After that we create the Policies
Name: TrPol-http-https
Profile: TrProfile_http-httpS
Expression: HTTP.REQ.IS_VALID
Click OK.
Finally bind this transform Policy to a CS or LB Vserver:
Edit your Vserver, click the "PLUS" sign under policies, choose: transform -> Request and then bind your newly created transform policy: TrPol-http-https
Click OK, Click Done.
Now when the end users access the page, the Netscaler transform all http link in the page to https and we didn't need the developper to build a new page for external users.
06 mars 2015
Exchange 2010 - Room mailbox working hours
To define the working hours of a room mailbox you can use PowerShell with the commands Get-MailboxCalendarConfiguration and Set-MailboxCalendarConfiguration, but I found out in a comment on another blog that you can also do it through OWA/ECP with an account that has sufficient rights.
Open the Exchange ECP at mail.yourcompany.com/ECP and log in as a sufficiently privileged user (I used my domain admin account — note that Domain Admin is not required and should not be used for day-to-day Exchange tasks; membership in an Exchange RBAC role group such as Recipient Management is enough to edit another user's mailbox settings, and it keeps your most privileged credentials out of a web session).
Click on top on "manage my organization" and choose "Another users"
In the pop-up box search for the room mailbox you want to manage and then go to settings, Calendar, there you can define the working hours and then click save in the bottom right and you're done.
Open the Exchange ECP at mail.yourcompany.com/ECP and log in as a sufficiently privileged user (I used my domain admin account — note that Domain Admin is not required and should not be used for day-to-day Exchange tasks; membership in an Exchange RBAC role group such as Recipient Management is enough to edit another user's mailbox settings, and it keeps your most privileged credentials out of a web session).
Click on top on "manage my organization" and choose "Another users"
In the pop-up box search for the room mailbox you want to manage and then go to settings, Calendar, there you can define the working hours and then click save in the bottom right and you're done.
03 mars 2015
Using Netscaler as ADFS proxy - Exported configuration
After my last blog article on how to replace the Microsoft ADFS Proxy, I've been asked to provide the configuration of my Netscaler for the ADFS proxy replacement, so I've exported the parts that are needed to achieve this; please leave a little thanks in the comments if it was helpful to you. Note that I'm using Netscaler 10.1 with ADFS 2.0 on Windows 2008 R2. Before pasting, replace the placeholder LDAP bind password and RADIUS shared secret with your own values, and note that the LDAP pool in this export uses plain LDAP on port 389 — use LDAPS (636) or StartTLS in production so that user passwords do not cross the network in clear text.
I found a Citrix article about ADFS 3.0 which says that the Netscaler does not support SNI towards back-end servers; ADFS 3.0 relies on SNI, which is most likely what causes headaches for ADFS 3.0 users.
http://support.citrix.com/article/CTX125798
The Citrix article refers you to this Microsoft article, which describes a way to partially disable the SNI requirement for ADFS 3.0...
http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
Here's the code and some comments :
I found a Citrix article about ADFS 3.0 that refer to the fact that Netscaler doesn't support the sni feature for the backend server that is used in ADFS 3.0 which is most likely causing headache to ADFS 3.0 users.
http://support.citrix.com/article/CTX125798
The citrix article refer you to this microsoft article that talk about a way to partially disable the SNI feature for ADFS 3.0...
http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
Here's the code and some comments :
*********
Begin Starting Notes *******
This config is for Netscaler 10.1 (Currently at Build 129.11 but it's been working with previous 10.1. build)
Your Netscaler must be licensed for "AAA - Traffic management" and it must be enable under settings -> "Configure Basic Features" (Authentication, Authorization and Auditing)
Your ADFS URL must be reachable by DNS externally (you can't authenticate using IP address, it has to be a DNS name, worst case scenario you can edit your host file temporarily for testing)
you need to have an external IP address available to Setup the Reverse Proxy
If you have multiple domains, you can repeat the config for the second domain and bind the second LDAP policy to the authentication vserver with a different priority.
Example: bind authentication Vserver vs_Auth.Company.com -policy Subdomain2.Company.com -priority 110
The domain settings in the Netscaler is not related to the AD domain but to the domain in the FQDN url (i.e.: email domain, If your internal domain is company.local and your website is company.com then the domain you set in the Netscaler is company.com)
********* End Starting Notes *******
********* Begin configuration code *******
# Feature flags this design relies on: AAA (authentication vserver / AAA-TM),
# LB, CS and SSL for the proxies, REWRITE/RESPONDER used elsewhere on the box.
# SSLVPN is switched on as well although nothing in this listing uses it;
# confirm a Gateway is really deployed before enabling it.
enable ns feature AAA LB CS SSL SSLVPN REWRITE RESPONDER
# LDAP pool towards the domain controllers, fronted by an internal LB vserver
# so the ldapAction can point at one stable address.
# SECURITY NOTE: this is plain LDAP on TCP/389 and the ldapAction below sets
# no -secType, so the NetScaler bind account password AND every user password
# submitted to the AAA vserver cross the NetScaler -> DC network in cleartext.
# Prefer LDAPS (port 636, "-secType SSL") or StartTLS on 389 ("-secType TLS"),
# and bind an ldap monitor instead of relying on the default TCP check so a DC
# that answers TCP but not LDAP is marked DOWN.
add serviceGroup SG_LDAP_CORP_389 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp1 389 -CustomServerID "\"None\""
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp2 389 -CustomServerID "\"None\""
add lb vserver LB_LDAP_CORP TCP 192.168.1.79 389 -persistenceType NONE -cltTimeout 9000
bind lb vserver LB_LDAP_CORP SG_LDAP_CORP_389
# LDAP action: binds as netscaler@corp.Company.com, looks the user up under
# DC=corp,DC=Company,DC=com by samAccountName and extracts memberOf group
# names (nested groups, 4 levels). No -secType => PLAINTEXT LDAP.
# "-encrypted" means the value is already in the NetScaler's encrypted form, as
# it appears in an exported ns.conf. When you type the real password at the
# CLI, OMIT -encrypted, otherwise the appliance treats your plaintext as an
# encrypted blob and the bind fails.
add authentication ldapAction LDAP-LB_LDAP_corp -serverIP 192.168.1.79 -authTimeout 5 -ldapBase "DC=corp,DC=Company,DC=com" -ldapBindDn netscaler@corp.Company.com -ldapBindDnPassword TypeThePasswordForTheAccountHere -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 4 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
# ns_true: the policy applies to every logon on this authentication vserver.
add authentication ldapPolicy corp.Company.com ns_true LDAP-LB_LDAP_corp
# AAA vserver users are redirected to for the forms logon. -AuthenticationDomain
# is the domain of the AAA session cookie, so the cookie is sent to every host
# under Company.com; all of those hosts must be trusted.
# Review notes: no "bind ssl vserver vs_Auth.Company.com -certkeyName ..." is
# present in this export -- an SSL vserver without a certificate stays DOWN, so
# it was probably dropped from the export; and 192.167.x.x is not an RFC 1918
# range, double-check this sanitised address.
add authentication vserver vs_Auth.Company.com SSL 192.167.233.32 443 -AuthenticationDomain Company.com
bind authentication vserver vs_Auth.Company.com -policy corp.Company.com -priority 100
# GLOBAL setting: SSO ON makes the NetScaler replay the captured credentials to
# the back ends of every authenticated vserver on the appliance, not only ADFS.
# If other authenticated vservers exist, prefer a tm sessionPolicy bound to the
# ADFS LB vserver only.
set tm sessionParameter -SSO ON
# ADFS farm pool, re-encrypted over HTTPS, with an HTTPS ECV health check.
add serviceGroup SG_ADFS_HTTPS SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_ADFS_HTTPS ADFS_Server1 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS ADFS_Server2 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS -monitorName https-ecv
# Public ADFS entry point (fs.company.com must resolve here). Unauthenticated
# users are first sent to -AuthenticationHost for the LDAP (+RADIUS) logon.
# COOKIEINSERT persistence with no timeout.
# Review note: no -sslProfile or cipher group is bound to this vserver, so the
# build's default SSL settings apply (on 10.1 that may still include SSLv3 and
# weak suites) -- bind a hardened profile/cipher group as in the Exchange config.
add lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SSL 192.167.233.30 443 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -AuthenticationHost auth.Company.com -Authentication ON
bind lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SG_ADFS_HTTPS
bind ssl vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest -certkeyName Company-wildcard
*************** This part is related to RSA and is optional, but we require that users authenticate with their AD password AND an RSA token. Make sure the LDAP part works before adding the secondary authentication. ***************
# RSA Authentication Manager RADIUS pool on UDP/1645 (the legacy RADIUS port;
# 1812 is the IANA port -- match whatever RSA AM is configured for).
# The "ping" monitor only proves the host answers ICMP, not that the RADIUS
# service is up; consider the radius monitor type.
add serviceGroup SG_RSA_1645 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_RSA_1645 RSA-AM-Server1 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 RSA-AM-Server2 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 -monitorName ping
# SOURCEIP persistence keeps a user's RADIUS exchange on the same RSA server.
add lb vserver LB_RSA-AM RADIUS 192.168.1.14 1645 -persistenceType SOURCEIP -timeout 700 -cltTimeout 120
bind lb vserver LB_RSA-AM SG_RSA_1645
# RADIUS action: -radKey is the shared secret. As with the LDAP password,
# "-encrypted" belongs only to the exported form -- omit it when typing the real
# secret at the CLI. RADIUS protects only part of each packet with the shared
# secret, so keep the NetScaler -> RSA path on a trusted network.
add authentication radiusAction LB_RSA-AM_srv -serverIP 192.168.1.14 -serverPort 1645 -radKey YourRadiusSharedSecretHere -encrypted
add authentication radiusPolicy Radius-Company ns_true LB_RSA-AM_srv
# Bound as secondary => second factor: a logon must pass LDAP AND RADIUS.
bind authentication vserver vs_Auth.Company.com -policy Radius-Company -priority 100 -secondary
********* End configuration code *******
*************** Begin Ending Notes ***************
For the LDAP authentication action you have to create a standard user (no special rights required except "password never expires") that the Netscaler uses to bind to the LDAP server and look up the user being authenticated. Treat it as a service account: give it a long random password, deny it interactive logon, and monitor its use — its password is stored in the Netscaler configuration (encrypted, but necessarily recoverable by the appliance), so protect ns.conf backups accordingly. The GUI offers an option to test the LDAP credentials to make sure the connection works.
The Domain you set on your ADFS_Proxy_replacement and on your Auth.company.com MUST MATCH with the domain in the URL your users are sent for the ADFS authentication. My ADFS is setup as fs.company.com, this is the name clients will connect to, and so it must be resolvable via DNS externally.
Fs.company.com must resolve to your LB_ADFS_Proxy_Replacement_FullAuth_Forest
*************** Finish Ending Notes ***************
This config is for Netscaler 10.1 (Currently at Build 129.11 but it's been working with previous 10.1. build)
Your Netscaler must be licensed for "AAA - Traffic management" and it must be enable under settings -> "Configure Basic Features" (Authentication, Authorization and Auditing)
Your ADFS URL must be reachable by DNS externally (you can't authenticate using IP address, it has to be a DNS name, worst case scenario you can edit your host file temporarily for testing)
you need to have an external IP address available to Setup the Reverse Proxy
If you have multiple domains, you can repeat the config for the second domain and bind the second LDAP policy to the authentication vserver with a different priority.
Example: bind authentication Vserver vs_Auth.Company.com -policy Subdomain2.Company.com -priority 110
The domain settings in the Netscaler is not related to the AD domain but to the domain in the FQDN url (i.e.: email domain, If your internal domain is company.local and your website is company.com then the domain you set in the Netscaler is company.com)
********* End Starting Notes *******
********* Begin configuration code *******
# Feature flags this design relies on: AAA (authentication vserver / AAA-TM),
# LB, CS and SSL for the proxies, REWRITE/RESPONDER used elsewhere on the box.
# SSLVPN is switched on as well although nothing in this listing uses it;
# confirm a Gateway is really deployed before enabling it.
enable ns feature AAA LB CS SSL SSLVPN REWRITE RESPONDER
# LDAP pool towards the domain controllers, fronted by an internal LB vserver
# so the ldapAction can point at one stable address.
# SECURITY NOTE: this is plain LDAP on TCP/389 and the ldapAction below sets
# no -secType, so the NetScaler bind account password AND every user password
# submitted to the AAA vserver cross the NetScaler -> DC network in cleartext.
# Prefer LDAPS (port 636, "-secType SSL") or StartTLS on 389 ("-secType TLS"),
# and bind an ldap monitor instead of relying on the default TCP check so a DC
# that answers TCP but not LDAP is marked DOWN.
add serviceGroup SG_LDAP_CORP_389 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp1 389 -CustomServerID "\"None\""
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp2 389 -CustomServerID "\"None\""
add lb vserver LB_LDAP_CORP TCP 192.168.1.79 389 -persistenceType NONE -cltTimeout 9000
bind lb vserver LB_LDAP_CORP SG_LDAP_CORP_389
# LDAP action: binds as netscaler@corp.Company.com, looks the user up under
# DC=corp,DC=Company,DC=com by samAccountName and extracts memberOf group
# names (nested groups, 4 levels). No -secType => PLAINTEXT LDAP.
# "-encrypted" means the value is already in the NetScaler's encrypted form, as
# it appears in an exported ns.conf. When you type the real password at the
# CLI, OMIT -encrypted, otherwise the appliance treats your plaintext as an
# encrypted blob and the bind fails.
add authentication ldapAction LDAP-LB_LDAP_corp -serverIP 192.168.1.79 -authTimeout 5 -ldapBase "DC=corp,DC=Company,DC=com" -ldapBindDn netscaler@corp.Company.com -ldapBindDnPassword TypeThePasswordForTheAccountHere -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 4 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
# ns_true: the policy applies to every logon on this authentication vserver.
add authentication ldapPolicy corp.Company.com ns_true LDAP-LB_LDAP_corp
# AAA vserver users are redirected to for the forms logon. -AuthenticationDomain
# is the domain of the AAA session cookie, so the cookie is sent to every host
# under Company.com; all of those hosts must be trusted.
# Review notes: no "bind ssl vserver vs_Auth.Company.com -certkeyName ..." is
# present in this export -- an SSL vserver without a certificate stays DOWN, so
# it was probably dropped from the export; and 192.167.x.x is not an RFC 1918
# range, double-check this sanitised address.
add authentication vserver vs_Auth.Company.com SSL 192.167.233.32 443 -AuthenticationDomain Company.com
bind authentication vserver vs_Auth.Company.com -policy corp.Company.com -priority 100
# GLOBAL setting: SSO ON makes the NetScaler replay the captured credentials to
# the back ends of every authenticated vserver on the appliance, not only ADFS.
# If other authenticated vservers exist, prefer a tm sessionPolicy bound to the
# ADFS LB vserver only.
set tm sessionParameter -SSO ON
# ADFS farm pool, re-encrypted over HTTPS, with an HTTPS ECV health check.
add serviceGroup SG_ADFS_HTTPS SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_ADFS_HTTPS ADFS_Server1 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS ADFS_Server2 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS -monitorName https-ecv
# Public ADFS entry point (fs.company.com must resolve here). Unauthenticated
# users are first sent to -AuthenticationHost for the LDAP (+RADIUS) logon.
# COOKIEINSERT persistence with no timeout.
# Review note: no -sslProfile or cipher group is bound to this vserver, so the
# build's default SSL settings apply (on 10.1 that may still include SSLv3 and
# weak suites) -- bind a hardened profile/cipher group as in the Exchange config.
add lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SSL 192.167.233.30 443 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -AuthenticationHost auth.Company.com -Authentication ON
bind lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SG_ADFS_HTTPS
bind ssl vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest -certkeyName Company-wildcard
*************** This part is related to RSA and is optional, but we require that users authenticate with their AD password AND an RSA token. Make sure the LDAP part works before adding the secondary authentication. ***************
# RSA Authentication Manager RADIUS pool on UDP/1645 (the legacy RADIUS port;
# 1812 is the IANA port -- match whatever RSA AM is configured for).
# The "ping" monitor only proves the host answers ICMP, not that the RADIUS
# service is up; consider the radius monitor type.
add serviceGroup SG_RSA_1645 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_RSA_1645 RSA-AM-Server1 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 RSA-AM-Server2 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 -monitorName ping
# SOURCEIP persistence keeps a user's RADIUS exchange on the same RSA server.
add lb vserver LB_RSA-AM RADIUS 192.168.1.14 1645 -persistenceType SOURCEIP -timeout 700 -cltTimeout 120
bind lb vserver LB_RSA-AM SG_RSA_1645
# RADIUS action: -radKey is the shared secret. As with the LDAP password,
# "-encrypted" belongs only to the exported form -- omit it when typing the real
# secret at the CLI. RADIUS protects only part of each packet with the shared
# secret, so keep the NetScaler -> RSA path on a trusted network.
add authentication radiusAction LB_RSA-AM_srv -serverIP 192.168.1.14 -serverPort 1645 -radKey YourRadiusSharedSecretHere -encrypted
add authentication radiusPolicy Radius-Company ns_true LB_RSA-AM_srv
# Bound as secondary => second factor: a logon must pass LDAP AND RADIUS.
bind authentication vserver vs_Auth.Company.com -policy Radius-Company -priority 100 -secondary
********* End configuration code *******
*************** Begin Ending Notes ***************
For the LDAP authentication action you have to create a standard user (no special rights required except "password never expires") that the Netscaler uses to bind to the LDAP server and look up the user being authenticated. Treat it as a service account: give it a long random password, deny it interactive logon, and monitor its use — its password is stored in the Netscaler configuration (encrypted, but necessarily recoverable by the appliance), so protect ns.conf backups accordingly. The GUI offers an option to test the LDAP credentials to make sure the connection works.
The Domain you set on your ADFS_Proxy_replacement and on your Auth.company.com MUST MATCH with the domain in the URL your users are sent for the ADFS authentication. My ADFS is setup as fs.company.com, this is the name clients will connect to, and so it must be resolvable via DNS externally.
Fs.company.com must resolve to your LB_ADFS_Proxy_Replacement_FullAuth_Forest
*************** Finish Ending Notes ***************