Jump to content
Welcome to our new Citrix community!

Differente Reverse Proxy behind Content Switch with different authentication

Recommended Posts

Hello together,


I have a challenge that I don't have an idea about at the moment, maybe somebody can help me.


I have one Content Switch accessible from the Internet, through this CS there are about 10 Reverse Proxy available.


I would like to to configure some kind of authentication to this Reverse Proxy, but nearly every Reverse Proxy needs a different authentication.


- some should be available without any kind of authentication

- some should have just LDAP (member of AD group)

- some should have LDAP (member of AD group) + Token


I could create a AAA vServer for each Authentication and bind it to the LB vServer. Than I would need a IP for each AAA vServer, which is not nice. Is is possible to realize this with just one AAA vServer.


Thanks for your help!



Link to comment
Share on other sites

When you edit a LB vServer, there's an Authentication section where you can point it to a AAA vServer. You can use whatever FQDN you want for AAA. The FQDN should resolve to your Content Switching VIP and then the CS VIP should have a CS Policy that looks for the AAA FQDN and forwards it to a CS Action which is a AAA vServer. If you want the same FQDN for both the AAA and LB, then you need to use is_vpn_url in your CS Policy Expression so AAA URL Paths go to AAA and the rest of the URL Paths go to the LB vServer. 

Link to comment
Share on other sites

Hi Carl,

Thanks again for your time and help.


This one is clear to me, but I still miss the part where I can define which kind of authentication is used for which LB vServer.


- LB vServer 1 should use no authentication

- LB vServer 2 should use just LDAP (member of) authentication

- LB vServer 3 should use LDAP (member of) + Token


I cannot configure this on the AAA vServer, if I would, all LB vServer would have the same authentication type.


Or do I have to create a non routable AAA vServer (and different FQDN) for each LB vServer ( or better for each different authentication type)?

Link to comment
Share on other sites

Hi Carl,


I found some time to test it, so I have created two non-addressable AAA vServer and tried to bind them to a CS vServer.

It was no problem to bind the first  AAA vServer to the CS vServer and it works like it should.

But when I try to bind the second AAA vServer to the same CS vServer an receive the following error message:

"Only one Authentication vserver can be bound to a CS vserver."


Do you haven an idea to solve it ?


Thank you very much for your Help!!

Link to comment
Share on other sites

  • 2 weeks later...

You could use the nFactor schemas with a single AAA server. Bind different Authentication policies to the AAA server with expressions matching your apps 1 ,2, 3 and use the next factor to point to a new schema for the required authentication factor.




100 auth_App1 HTTP.REQ.URL.CONTAINS("app1.domain.net") End AuthPolLab_noFactor

110 auth_App2 HTTP.REQ.URL.CONTAINS("app2.domain.net") End AuthPolLab_LDAP_Grp_extract  > another schema with an expression evaluating the AD grp > True > forward to LB

120 auth_App3 HTTP.REQ.URL.CONTAINS("app3.domain.net") End AuthPolLab_LDAP_Token   > another schema with an expression evaluating the AD grp > True > present authentication page for token > pass >forward to LB




Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...