
Authentication Content Switch




I'm trying to create a Content Switch where users first have to authenticate before they can continue.

I followed this guide https://support.citrix.com/article/CTX201949 but can't get it to work.


Below is the config:


add cs vserver cs_WEB_prod_ssl SSL 443 -cltTimeout 180 -persistenceType NONE
add cs action cs_act_WEB_Prod -targetLBVserver lb_vsrv_WEB_prod
add cs policy cs_pol_WEB_Prod -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/PROD\")" -action cs_act_WEB_Prod
add responder action resp_act_WEB_prod redirect "\"https://\"+HTTP.REQ.HOSTNAME+\"/PROD\"" -responseStatusCode 302
add responder policy resp_pol_WEB_prod "HTTP.REQ.HOSTNAME.CONTAINS(\"WEB.domain.com\")" resp_act_WEB_prod
add responder policy resp_pol_WEB_prod_ssl "HTTP.REQ.URL.EQ(\"/\") && HTTP.REQ.HOSTNAME.CONTAINS(\"WEB.domain.com\")" resp_act_WEB_prod
bind cs vserver cs_WEB_prod_ssl -policyName resp_pol_WEB_prod_ssl -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver cs_WEB_prod_ssl -policyName cs_pol_WEB_Prod -priority 100
bind cs vserver cs_WEB_prod -policyName resp_pol_WEB_prod -priority 100 -gotoPriorityExpression END -type REQUEST
add lb monitor mon_WEB_prod HTTP -respCode 200 -httpRequest "GET /PROD_125_HTTPS/SignIn?ReturnUrl=%2FPROD_125_HTTPS%2F" -LRTM DISABLED -secure YES
bind ssl vserver cs_WEB_prod_ssl -certkeyName Wildcard


add authentication vserver auth_vsrv SSL
add cs action cs_act_auth_vserver -targetVserver auth_vsrv
add cs policy cs_pol_auth_vserver -rule 'http.req.url.eq(\"/\").not && (is_vpn_url||http.req.url.startswith(\"/nf/auth/\"))' -action cs_act_auth_vserver
bind cs vserver cs_WEB_prod_ssl -policyName cs_pol_auth_vserver -priority 10






What aspect is not working...

Can't get authentication to trigger?

Authentication runs but is failing?


My guess is you are missing this sentence in the article:
Rest of the configuration is similar to normal CS configuration. It is omitted for brevity.
Do not forget to add Authentication on the CS and set up the correct Authentication FQDN if using Form Based Authentication.


You have the authentication vserver behind the CS vserver, but you don't have the authentication vserver configured to do authentication.

Create the authentication profile and bind it to the cs vserver to direct traffic to the aaa vserver.

You'll see this in the cs vserver's "authentication" section in the GUI.
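
The check the reply describes, as an added example that is not part of the thread or of the Citrix article: a small Python audit that reads NetScaler config lines and flags a CS vserver that switches to an authentication vserver without authentication enabled and an authnProfile bound. The profile name `authn_prof_WEB` and host `auth.domain.com` in the `FIXED` sample are hypothetical, and the policy rule is shortened.

```python
# Constructed sample: the auth-related lines of the posted config (rule shortened).
POSTED = """\
add cs vserver cs_WEB_prod_ssl SSL 443 -cltTimeout 180 -persistenceType NONE
add authentication vserver auth_vsrv SSL
add cs action cs_act_auth_vserver -targetVserver auth_vsrv
add cs policy cs_pol_auth_vserver -rule is_vpn_url -action cs_act_auth_vserver
bind cs vserver cs_WEB_prod_ssl -policyName cs_pol_auth_vserver -priority 10
"""
# Assumed fix; the profile name and auth FQDN are hypothetical placeholders.
FIXED = POSTED + """\
add authentication authnProfile authn_prof_WEB -authnVsName auth_vsrv -AuthenticationHost auth.domain.com
set cs vserver cs_WEB_prod_ssl -Authentication ON -authnProfile authn_prof_WEB
"""

def opt(tokens, name):
    """Value following option `name` (given lower-case, matched case-insensitively), or None."""
    low = [t.lower() for t in tokens]
    i = low.index(name) if name in low else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

def audit(conf):
    """Map each CS vserver that switches to an authentication vserver to its findings."""
    aaa, actions, policies, bound, profiles, cs = set(), {}, {}, {}, {}, {}
    rows = [line.split() for line in conf.splitlines()]  # names/values read here contain no spaces
    for t in (r for r in rows if len(r) >= 4):
        head, name = " ".join(t[:3]).lower(), t[3]
        if head == "add authentication vserver":
            aaa.add(name)
        elif head == "add cs action":
            actions[name] = opt(t, "-targetvserver")
        elif head == "add cs policy":
            policies[name] = opt(t, "-action")
        elif head == "bind cs vserver":
            bound.setdefault(name, []).append(opt(t, "-policyname"))
        elif head == "add authentication authnprofile":
            profiles[name] = opt(t, "-authnvsname")
        elif head in ("add cs vserver", "set cs vserver"):
            new = {k: opt(t, k) for k in ("-authentication", "-authnprofile")}
            cs.setdefault(name, {}).update({k: v for k, v in new.items() if v})
    report = {}
    for vs, pols in bound.items():
        targets = {actions.get(policies.get(p)) for p in pols} & aaa
        if targets:
            s, found = cs.get(vs, {}), []
            if s.get("-authentication", "OFF").upper() != "ON":
                found.append("authentication is not enabled on the CS vserver")
            if profiles.get(s.get("-authnprofile")) not in targets:
                found.append("no authnProfile pointing at the fronted authentication vserver")
            report[vs] = found
    return report
```

`audit(POSTED)` reports both findings for `cs_WEB_prod_ssl`; `audit(FIXED)` returns an empty findings list for it.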


