Update:
54.9 breaks XenMobile Browser Session Policy due to correctly processing of policy expression!
The policy expressions are wrong and I need to find out what will be the best policy for HTTPS and HTTP to go forward. This expression is wrong as it fires for anything with Mozilla and port 443 and even IE11 has a user agent containing Mozilla:
REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser
Most probably it is only required to keep com.citrix.browser?
Original:
Deploying Netscaler globally in a corporate environment.
Use XenMobile WorxWeb application to achieve the following:
- Access to internal http applications (SSO)
- Access to internal https applications
- Access to Internet http web sites via a Proxy
- Access to Internet https web sites via a Proxy
- FullTunnel for WorxWeb is a must, otherwise HTTPS via Proxy does not work
- create a trafficPolicy for each requirement and a policyAction
This is a short summary of the 4 traffic policies:
intranet - http, SSO (filter on networks and port 80)
intranet-https - tcp (filter on networks)
proxy-http - http, proxy, proxy port, SSO (filter on port 80)
proxy-https - tcp, proxy, proxy port (filter on port 443)
Citrix has many different setup possibilities but it's hard to find the correct to achieve what you want.
In this environment there are still some challenges:
- multi-user active directory authentication
- solved using a single LDAP policy using UPN to a Global Catalog Server
- SSO issues with Proxy (407 Proxy)
- UPN looks like \user.name@company.com and if you need only NTLM format this will not work
- Citrix has a filed SSO Name Attribute and it actually works but setting it to sAMAccountName but this ends up with NETSCALER\user.name
- This again can be fixed with some Session policies that match an active directory group that identifies the user as being part of a domain and then set the SSO Domain, but I have not yet implemented it.
- The SSO Name Attribute could also be another attribute but I have not found one that is like the pre Windows 2000 displayed in dsa. And a custom attribute I won't propose.
- Ultimately in this case proxy is used with authentication bypass
- Kerberos SSO for internal web pages not yet configured
Here are the traffic policies necessary:
add vpn trafficPolicy HTTP-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 80" proxy-http
add vpn trafficPolicy HTTPS-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 443" proxy-https
add vpn trafficPolicy intranet-tcp "(REQ.IP.DESTIP == 2.10.0.0 -netmask 255.255.0.0 || REQ.IP.DESTIP == 10.0.0.0 -netmask 255.0.0.0 || REQ.IP.DESTIP == 5.1.12.0 -netmask 255.255.255.0)" intranet-tcp
add vpn trafficPolicy intranet-http "(REQ.IP.DESTIP == 2.10.0.0 -netmask 255.255.0.0 || REQ.IP.DESTIP == 10.0.0.0 -netmask 255.0.0.0 || REQ.IP.DESTIP == 5.1.12.0 -netmask 255.255.255.0) && REQ.TCP.DESTPORT == 80" intranet-http
bind vpn vserver vpngateway -policy intranet-http -priority 40
bind vpn vserver vpngateway -policy intranet-tcp -priority 50
bind vpn vserver vpngateway -policy HTTP-TP -priority 100
bind vpn vserver vpngateway -policy HTTPS-TP -priority 110
add vpn trafficAction proxy-http http -SSO ON -kcdAccount NONE -proxy 1.2.3.4:8080
add vpn trafficAction proxy-https tcp -kcdAccount NONE -proxy 1.2.3.4:8080
add vpn trafficAction intranet-tcp tcp -kcdAccount NONE
add vpn trafficAction intranet-http http -SSO ON -kcdAccount NONE
No comments:
Post a Comment