Jump to content
Welcome to our new Citrix community!

NetScaler Configuration for Exchange Hybrid

Jens Ostkamp

Recommended Posts

Hey everyone,


I wanted to get some new ideas regarding Content Switch configuration for exchange hybrid setups with pre-auth on the NetScaler.

So far I have solved this issue by writing CSW-policies which excludes the specific URLs for Azure request, looking like this:

( http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("owa.domain.com") || http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("autodiscover.domain.com")) && ( http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/exchange.asmx/wssecurity") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/autodiscover/autodiscover.svc/wssecurity") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/autodiscover/autodiscover.svc") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/mrsproxy.svc") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/metadata/json") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/exchange.asmx") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover/autodiscover.json/") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/api") )


The problem with this configuration is, that some of my clients don't have UPN and Mail configured with the same value. This causes problems when users are trying to setup Outlook from external, because OutlookAnywhere will use the /ews/exchange.asmx/ URL, which will then get bypassed by NetScaler to a non-authenticaiton vServer and the user cannot authenticate to Exchange, because exchange will not accept mailaddress as authentication. I know that this issue will go away, when UPN and mail are the same, but until this is the case i need some configuration that will bypass the Azure Connections for Hybrid Exchange in another way and not URL-based. I was thinking about Source-IP but as far as I know the public-addresses are constantly changing on Azure.


So, how do you guys solve nowadays Hybrid Exchange configuration when you have a NetScaler which does pre-authentication for on-prem Exchange users?


Thank you very much in advance and best regards!


Link to comment
Share on other sites

Just an idea for one way to get this to work:


- configure preauth (aaa) for all exchange services including /ews at your NetScaler

- change the ldap policy for your aaa so your users can enter their sAMAccountName into the outlook popup and NetScaler will push the mapped UPN to your exchange in the backend for sso (see https://msandbu.wordpress.com/2014/09/12/using-netscaler-with-upn-and-storefront/ for example)


Let me know if I missed sth in my setup.


Best Regards


Link to comment
Share on other sites

Hey Julian,


thanks for your response.

Unfortunately, your suggestion would cause Exchange Online requests to fail against NetScaler, as they use /ews for certain requests and don't support pre-authentication. That's why I need so separate OutlookAnywhere /ews requests (with pre auth) and Exchange Online /ews requests (both use /ews/exchange.asmx) without pre-auth on the same CSW vServer.

I am currently thinking about extracting Header from OutlookAnywhere for this, but as far as I could look these requests up in Wireshark, OutlookAnywhere doesn't use this Header in every request, which would cause some requests to fail and resulting in authentication popup on the clien side.


Thank you nevertheless :)


Best Regards


Link to comment
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...