Exchange Online/Hybrid thru Netscaler


Eric Wuichner

What's the best doc to follow to set up Exchange Online/Hybrid connectivity through our NetScalers? We're having a devil of a time getting free/busy to work correctly. We've heard some conflicting info as to whether SSL offload will actually work with Microsoft modern authentication methods (ADAL, OAuth, DAuth). SSL Bridge seems to work at the NetScaler, but our security policy mandates offload. I'm wondering if anyone has made NetScaler work with Exchange on-prem and O365?

 

Thanks, Eric

Hi Eric

 

Please use the guides below for Exchange 2016 and O365 with SAML (for browser-based clients like OWA) in a hybrid deployment. As of now, we support OAuth, SAML and WS-Fed (in the process of certification with Microsoft), but not ADAL. I have a setup that works with Exchange on-prem and O365 with WS-Fed, and you can contact me for any information.

https://www.citrix.com/content/dam/citrix/en_us/documents/guide/deploying-netscaler-with-microsoft-exchange-2016.pdf

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/single-sign-on-for-office365-with-netscaler.pdf

 

Regards

Avinash

 

On 7/10/2018 at 11:47 PM, Avinash Voona said: (quoted above)

Avinash, 

 

Do you have any documents specific to Hybrid deployments? Everywhere I look it appears that SSL_BRIDGE is required, but I don't see mention of that in either document. The first document appears to be focused around an on-prem deployment. 

 

Thanks

On 8/29/2018 at 10:06 PM, jfuggi said: (quoted above)
Did you ever get this to work? I'm having the same issue and searching for some guides on setting up OAuth for AAA with hybrid Exchange on my ADC.
 

Thanks

Regards

Julian

On 10/2/2020 at 9:29 PM, Julian Jakob said: (quoted above)

Hi Julian

 

Did you ever get this working? Thanks!

On 7/29/2021 at 3:54 PM, Chris Gundry said: (quoted above)

Hello Chris,

 

Yes. As per the post from the MS Exchange Team, "Autodiscover and EWS URLs should be available from the Internet. Pre-Auth is not supported. If you use some sort of publishing system, you will need to configure pass-through." in https://techcommunity.microsoft.com/t5/exchange-team-blog/configuring-teams-calendar-access-for-exchange-on-premises/ba-p/1484009. I already left a comment on the post to verify whether the statement is up to date, but no answer yet.

I created a PatSet on the ADC to filter all public IPv4 ranges of Exchange Online and MS Teams with port 443 from the JSON at https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 and set /autodiscover and /ews to passthrough, as preauth with OAuth isn't supported. I'm sure it WOULD technically work, but it isn't an option for my customers to run unsupported Exchange hybrid architectures.

So if random clients are connecting to my on-prem Exchange for Outlook Anywhere -> AAA is hit.

If Exchange Online or MS Teams servers are connecting to my on-prem Exchange -> only SSL offloading is hit, no preauth.

Hope this helps!

Best Regards

Julian

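The selective pass-through described in the post above (pre-auth for ordinary clients, no pre-auth when the caller is an Exchange Online or Teams address hitting /autodiscover or /ews) has two parts: deriving the IPv4 ranges from the Microsoft 365 endpoints feed, and expressing the "source is Microsoft AND path is a hybrid endpoint" rule on the ADC. The following is an added example, not code from the thread or from Citrix: it parses the endpoints JSON (a small constructed sample in the real feed's shape, not the live data), keeps only Exchange and Teams entries that carry TCP 443, emits a NetScaler advanced-policy rule built from CLIENT.IP.SRC.IN_SUBNET() and HTTP.REQ.URL.PATH, and mirrors that rule in Python so the decision can be checked offline. The vserver and policy names are placeholders, and the exact CLI syntax for binding a NO_AUTHN policy should be verified against your firmware's documentation.

```python
"""Derive the Exchange Online / Teams source-IP allowlist for a NetScaler
pass-through rule from the Microsoft 365 endpoints JSON (added example)."""
import ipaddress
import json

# Constructed sample in the shape of https://endpoints.office.com/endpoints/worldwide
# (the real feed has ~150 entries and changes monthly; refetch it on a schedule).
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "ips": ["13.107.6.152/31", "2603:1006::/40"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 12, "serviceArea": "Skype", "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "tcpPorts": "443", "udpPorts": "3478,3479", "category": "Optimize", "required": True},
    {"id": 46, "serviceArea": "Common", "ips": ["20.190.128.0/18"],
     "tcpPorts": "443", "category": "Allow", "required": True},
    {"id": 8, "serviceArea": "Exchange", "urls": ["*.mail.protection.outlook.com"],
     "tcpPorts": "25", "category": "Allow", "required": True},           # no ips at all
    {"id": 9, "serviceArea": "Exchange", "ips": ["40.92.0.0/15"],
     "tcpPorts": "25", "category": "Allow", "required": True},           # SMTP only, not 443
])

PASSTHROUGH_PATHS = ("/autodiscover", "/ews")
SERVICE_AREAS = {"Exchange", "Skype"}   # Teams is published under "Skype" in the feed


def extract_ipv4_ranges(endpoints_json, service_areas=SERVICE_AREAS, port=443):
    """Return sorted, de-duplicated IPv4 networks for the selected services
    that list `port` among their TCP ports. IPv6 prefixes are dropped on purpose
    (the post above filters IPv4 only); extend here if the ADC is dual-stacked."""
    ranges = set()
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") not in service_areas:
            continue
        tcp_ports = {p.strip() for p in entry.get("tcpPorts", "").split(",") if p.strip()}
        if str(port) not in tcp_ports:
            continue
        for cidr in entry.get("ips", []):           # entries without "ips" are URL-only
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                ranges.add(net)
    return sorted(ranges)


def netscaler_source_expression(ranges):
    """OR-chain of IN_SUBNET tests; one term per prefix from the feed."""
    return " || ".join(f"CLIENT.IP.SRC.IN_SUBNET({net})" for net in ranges)


def netscaler_config(ranges, aaa_vserver="aaa_vs_exchange", policy="pol_noauth_m365"):
    """CLI lines for a NO_AUTHN authentication policy (placeholder names, assumed
    syntax): skip pre-auth only when BOTH the path and the source IP match."""
    path_expr = " || ".join(
        f'HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("{p}")' for p in PASSTHROUGH_PATHS
    )
    rule = f"({path_expr}) && ({netscaler_source_expression(ranges)})"
    return [
        f"add authentication Policy {policy} -rule q{{{rule}}} -action NO_AUTHN",
        f"bind authentication vserver {aaa_vserver} -policy {policy} -priority 10",
    ]


def decide(client_ip, url_path, ranges):
    """Offline mirror of the rule: 'PASSTHROUGH' only for a Microsoft source IP
    on a hybrid path, 'AAA' (pre-auth) for everything else."""
    ip = ipaddress.ip_address(client_ip)
    from_m365 = any(ip in net for net in ranges)      # IPv6 client vs IPv4 net -> False
    to_hybrid_path = url_path.lower().startswith(PASSTHROUGH_PATHS)
    return "PASSTHROUGH" if (from_m365 and to_hybrid_path) else "AAA"


if __name__ == "__main__":
    nets = extract_ipv4_ranges(SAMPLE_ENDPOINTS_JSON)
    print("\n".join(netscaler_config(nets)))
    for ip, path in [("13.107.64.10", "/EWS/Exchange.asmx"), ("13.107.64.10", "/owa/"),
                     ("203.0.113.5", "/ews/exchange.asmx")]:
        print(ip, path, "->", decide(ip, path, nets))
```

Note that the rule is deliberately an AND: a Microsoft address reaching /owa still gets pre-auth, and an arbitrary Internet client reaching /ews still gets pre-auth, which is the narrowest bypass the Exchange Team's statement requires. Because the published ranges change, regenerate the expression from a fresh copy of the feed rather than hand-editing it.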
10 hours ago, Julian Jakob said: (quoted above)
Hi Julian

 

Thanks for the reply.

 

I came to roughly the same conclusion, and set it up in roughly the same way as well using the MS online public IPs for a passthrough workaround.

 

I still had issues though, but found this: http://www.johnliew.net/2016/04/office-365-exchange-online-freebusy.html

 

Effectively, even though WSSecurity is enabled for the vdirs, they don't actually work and you need to re-enable it using:

# Replace <ServerName> with the Exchange server hosting the vdirs
Get-AutodiscoverVirtualDirectory -Server <ServerName> | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true

Get-WebServicesVirtualDirectory -Server <ServerName> | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

 

Next, either do an IISReset or just recycle the following AppPools from IIS Manager:

MSExchangeAutodiscoverAppPool

MSExchangeServicesAppPool

 

Once I did that and the public IP bypass, it worked correctly.

 

Thanks

 

Chris
