
Configure Native OTP with Content-Switch VS for Exchange Services


Marc Kuhn


Hi guys

 

I have done the configuration on another NetScaler with a Citrix Gateway VS and OTP, which is working just fine. I also have another NetScaler with load balancing for Exchange configured as in this guide:

 

https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

 

I'm now trying to have a load-balancing (content switching) VS configured with OTP instead of a Citrix Gateway VS. I'm not sure if that is a possible setup or not. Somehow, when I enter the URL with /manageotp, I'm not getting redirected to the login schema with Single Auth for OTP.

 

Does anybody know if it should be possible to configure that?

 

Many thanks for your feedback

 

Best regards,

Marc


Hi Marc,

 

Sure, it's possible. I've done it like this:

 

- As /manageotp should only be accessible from internal, I'm using a separate NA AAA which is linked to a separate CS vServer with an expression like "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"token.customer.com\")" on a private DMZ IP, only accessible from internal / LAN, and linked to the SingleAuthManageOTP login schema.

 

- There is another NA AAA which is linked to a separate CS vServer that is accessible from external, where I'm linking all kinds of CS policies / actions (Citrix Gateway, Exchange load balancer, ...). This AAA is acting with the OTP two-factor authentication because I'm linking the DualAuth login schema.

 

Hope this helps

Regards

Julian
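The split described above, written out as NetScaler CLI. This is an added example, not configuration posted in the thread; all vServer names, certificate names, IP addresses and the mail.customer.com hostname are assumed placeholders, and the LDAP/OTP advanced authentication policies that each AAA vServer also needs are left out.

```text
# --- Internal-only side: the /manageotp registration page ------------------
# Non-addressable AAA vServer carrying the SingleAuthManageOTP login schema.
add authentication vserver aaa_otp_manage SSL 0.0.0.0
add authentication loginSchema ls_manageotp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy lsp_manageotp -rule true -action ls_manageotp
bind authentication vserver aaa_otp_manage -policy lsp_manageotp -priority 100 -gotoPriorityExpression END
# (Bind the LDAP and OTP advanced authentication policies to aaa_otp_manage here.)

# CS vServer on a private DMZ address with no inbound NAT, so only LAN clients reach it.
add cs vserver cs_otp_internal SSL 10.0.0.10 443
bind ssl vserver cs_otp_internal -certkeyName token_customer_com
# The hostname test lives in the policy rule; the action only names the target vServer.
add cs action csa_otp_manage -targetVserver aaa_otp_manage
add cs policy csp_otp_manage -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"token.customer.com\")" -action csa_otp_manage
bind cs vserver cs_otp_internal -policyName csp_otp_manage -priority 100

# --- External side: two-factor (password + OTP) for the published services --
add authentication vserver aaa_otp_dual SSL 0.0.0.0
add authentication loginSchema ls_dualauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy lsp_dualauth -rule true -action ls_dualauth
bind authentication vserver aaa_otp_dual -policy lsp_dualauth -priority 100 -gotoPriorityExpression END

# Externally reachable CS vServer in front of the Exchange LB vServer(s);
# form-based authentication is delegated to aaa_otp_dual via an authentication profile.
add authentication authnProfile ap_otp_dual -authnVsName aaa_otp_dual
add cs vserver cs_external SSL 192.0.2.10 443 -Authentication ON -authnProfile ap_otp_dual
bind ssl vserver cs_external -certkeyName mail_customer_com
add cs action csa_exchange -targetLBVserver lb_exchange_owa
add cs policy csp_exchange -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"mail.customer.com\")" -action csa_exchange
bind cs vserver cs_external -policyName csp_exchange -priority 100
```

Because cs_otp_internal has no NAT and aaa_otp_manage is only reachable through it, the OTP registration page is not exposed to the internet while the same LDAP/OTP factors protect the external CS vServer.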


Hi Julian

 

that's great news, many thanks for your feedback. I'm not able to follow you all the way to the end. I've created a new AAA VS with the login schema for "Single Auth Manage OTP". I have also created the CS VS. These are the two configs I have now:

 

CS VS:

- No NAT configured to this IP in the DMZ, so only accessible internally

- linked certificate with otp.domain.intern

- Do you mean configuring a CS policy with "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("otp.domain.intern")"? If yes, does the expression go in the action or in the policy itself?

 

AAA VS:

- linked certificate with otp.domain.intern

- Advanced authentication policy: LDAP policy

- linked via form-based authentication to the new CS VS I created above

- login schema for "Single Auth Manage OTP"

 

With that I receive this website:

 

[screenshot]

 

Many thanks for your help on that.

 

Best regards,

Marc


Hi Julian

 

many thanks for your help. I have now configured a Citrix Gateway VS and linked the AAA server to it. The only thing is that I'm able to browse the VIP by IP. I bound an internal certificate to it and configured a DNS host entry for otp.domain.intern.

 

I receive this message:

 

[screenshot]

 

I've probably tested so much that I can't see the forest for the trees :-)

 

Best regards,

Marc
