Most home labs and small businesses normally only have 1 public IP address and since a lot of services run on port 443 it becomes difficult to open these to the internet. That’s the case for me, and last week I spent WAY to much time trying to get NetScaler ADFS Proxy running behind a Content Switch.
I’ve been working a while on an article called Getting Started with Office 365, but before I can release that to the public I need to resolve my main problem, getting NetScaler ADFS Proxy up and running on the same IP address as my Unified Gateway.
Needless to say, after pointing my public IP address to my NetScaler Content Switch, ADFS went down and my business email became unavailable (luckily it worked from iOS devices).
There’s hardly any info online and most are related to ADFS 2.0. Without this blog post I would never been able to figure this out. But there was a problem, the NetScaler monitor in that post didn’t work for me.
85% of my NetScaler Load Balancer Config time is customizing monitors
Dave Brett – CUGC Netscaler SIG Leader
So let me show you how I managed to configure NetScaler as ADFS Proxy without AAA. Let’s get started.
NetScaler ADFS Proxy – Prerequisite
First off make a backup/snapshot your of NetScaler VM and download a copy of /flash/nsconfig/ns.conf.
Make sure to enable the Rewrite Feature.
NetScaler ADFS Proxy – Configuration
Replace the config below with the following:
- 192.168.1.170 with IP or FQDN of your internal ADFS Server
- UG with the name of your content switch
- HOSTNAME with the hostname of your ADFS certificate
- Wildcard-External with the name of your wildcard certificate
Connect to your NetScaler through Putty and paste the following commands:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
enable ns feature LB CS SSL SSLVPN AAA REWRITE
add server adfs 192.168.1.170
add service adfs_https adfs SSL 443 –gslb NONE –maxClient 0 –maxReq 0 –cip ENABLED X–MS–Forwarded–Client–IP –usip NO –useproxyport YES –sp ON –cltTimeout 180 –svrTimeout 360 –CKA NO –TCPB NO –CMP YES
add lb vserver vip_adfs_https SSL 0.0.0.0 0 –persistenceType NONE –cltTimeout 180
add cs policy adfs –rule “HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\”HOSTNAME.xenapptraining.com\”) && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\”/adfs\”)”
add rewrite action rewrite_adfs_ProxyHeader insert_http_header X–MS–Proxy “\”NETSCALER\””
add rewrite action rewrite_adfs_Mex replace HTTP.REQ.URL.PATH_AND_QUERY “\”/adfs/services/trust/proxymex\” + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\”/adfs/services/trust/mex\”).HTTP_URL_SAFE”
add rewrite policy rw_pol_adfs_ProxyHeader “http.REQ.URL.TO_LOWER.STARTSWITH(\”/adfs\”)” rewrite_adfs_ProxyHeader
add rewrite policy rw_pol_adfs_Mex “http.REQ.URL.TO_LOWER.STARTSWITH(\”/adfs/services/trust/mex\”)” rewrite_adfs_Mex
bind lb vserver vip_adfs_https adfs_https
bind lb vserver vip_adfs_https –policyName rw_pol_adfs_ProxyHeader –priority 100 –gotoPriorityExpression NEXT –type REQUEST
bind lb vserver vip_adfs_https –policyName rw_pol_adfs_Mex –priority 110 –gotoPriorityExpression END –type REQUEST
bind cs vserver UG –policyName adfs –targetLBVserver vip_adfs_https –priority 70
add lb monitor mon_adfs_https HTTP–ECV –customHeaders “host: HOSTNAME.xenapptraining.com\r\n” –send “GET /federationmetadata/2007-06/federationmetadata.xml” –recv “HOSTNAME.xenapptraining.com/adfs/services/trust” –LRTM ENABLED –secure YES
bind service adfs_https –monitorName mon_adfs_https
bind ssl vserver vip_adfs_https –certkeyName Wildcard–External
|
I could provide 50 screen shots on the above config, but there’s so many things that could go wrong that I ONLY recommend going the command route.
As with every blog posts and videos inside my xenapptraining.com course, they’re all tested various times!
After you’ve added all the commands head into Traffic Management – Load Balancing and check that the vip_adfs_https vServer is in Up State.
Finally check externally or locally by modifying your local hosts file (IP ADR of your Content Switch).
Open a browser to http://microsoftonline.com
After entering your email address the page should successfully redirect you to your internal ADFS authentication page.
Read the post Customize Your Internal Web Resources to customize the sign in page.
If everything works okay, head over to Putty again and save your config.
|
1
|
save config
|
You might get problems however, depeding on SNI and your certificate. This can easily be resolved by running the following two commands on all of your ADFS Server(s).
|
1
2
|
netsh http show sslcert
netsh http add sslcert ipport=0.0.0.0:443 certhash=CERTIFICATIONHASH appid={APPLICATIONID} certstorename=MY
|
If you use Powershell you need appid='{APPLICATIONID}’ while with Command Prompt it’s just appid={APPLICATIONID}.
You’ll probably see a lot of Warnings on your ADFS Server(s). This is related to NetScaler checking the XML file (Monitor), so no worries.
According to the twitter storm I hope many find this blog post helpful. One less server and OS license in the DMZ.