
Configuring Unified Gateway with Full VPN and Exchange 2019 OWA


Marc Kuhn


Hi guys,

I see lots of configuration guides for having OWA on a Unified Gateway. We have configured a new, clean appliance with just the certificate on it. When configuring a Unified Gateway, we added the following Web Application to it:


Like that, OWA opens, but the user needs to authenticate again to be able to log in. I tried to accomplish the SSO for OWA with the article below and configured this:

add vpn formSSOAction OWA_SSO_Form_Action -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST

add vpn trafficAction OWA_SSO_Traffic_Profile HTTP -appTimeout 1 -SSO ON -formSSOAction OWA_SSO_Form_Action -kcdAccount NONE

add vpn trafficPolicy OWA_SSO_Traffic_Policy "REQ.HTTP.URL CONTAINS owa/auth/logon.aspx" OWA_SSO_Traffic_Profile

bind vpn vserver "name of your unifiedgateway vserver" -policy OWA_SSO_Traffic_Policy -priority 10

 

https://www.smali.net/netscaler-unifiedgateway-owa-sso-clientless-access-application-type/

 

The UG isn't configured as "ICA Only". I skipped the other steps, as I do not need Clientless Access; we will require the VPN plugin. What else is required to have that SSO working for OWA? We will also need SSO for other internal websites like Confluence and so on.

 

Many thanks for your help.

 

Best regards,
Marc

You did most of the things right. However, some things changed recently (it depends on which firmware version you're using).

Follow these steps for OWA and SSO: https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

 

Greetings

 

Johannes Norz

CTA, CCI, CCE-N

https://blog.norz.at

https://www.wonderkitchen.network


Hi Johannes,

I'm on 13.0 64.35.nc. I know that article and configured another appliance with it, and I have the NAT for webmail configured towards the NetScaler, but without Unified Gateway. I'm not sure if all those steps are really needed or if the traffic policies are sufficient.

 

 

Best regards,

Marc


Hi Johannes,

I'm a little lost in the configuration of this OWA link. With the article you mentioned I'm able to enter OWA over webmail.domain.ch without any issues. What I'm not able to configure is adding the OWA bookmark on the Unified Gateway with SSO and Clientless VPN.

How do I need to configure the bookmark to have it working? Do I need to point the URL to the LB vServer for OWA where I have the traffic policies configured?

 

Best regards

Marc


Hi Johannes,

I'm not able to get this working. In this post the solution was to configure it in Clientless mode with the following:

 

https://discussions.citrix.com/topic/375019-unified-gateway-with-sso-for-owa/page/3/

 

This configuration worked for the poster there:

 

add vpn formSSOAction formProf_OWA_SSO -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST
add vpn trafficAction traffProfile_OWA_SSO HTTP -appTimeout 1 -SSO ON -formSSOAction formProf_OWA_SSO  -kcdAccount NONE
add vpn trafficPolicy traffPolicy_OWA_SSO "REQ.HTTP.URL CONTAINS owa/auth/logon.aspx" traffProfile_OWA_SSO
bind vpn vserver "<name of vserver>" -policy traffPolicy_OWA_SSO -priority 60

When I configure it like that, SSO isn't working.

 

Best regards,
Marc


Hi Daniel,

I have configured it like that, but I have it as a Traffic Policy under Citrix Gateway, configured with these commands:

 

add vpn formSSOAction sso_profile_exchange_2016_owa -actionURL "/owa/auth.owa" -userField "username" -passwdField "password" -responsesize "60000" -ssoSuccessRule 'HTTP.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70)' -nvtype DYNAMIC -submitMethod POST

add vpn trafficAction traffic_prof_exchange_2016_owa HTTP -SSO ON -appTimeout 1 -formSSOAction sso_profile_exchange_2016_owa

In Julian's blog he has it configured under Traffic Management. But as I do not want to have webmail configured and load balanced over the NetScaler, I tried to configure it like that.

 

Could that be the issue?


Best regards,
Marc


Hi Johannes, hi Daniel,

I was able to solve my issue by configuring a bookmark for OWA now. I hadn't configured UserPrincipalName in the LDAP profile; I had sAMAccountName instead. Now it is working with just the traffic policy, as expected. One thing I'm still looking for is the logout. In Julian's article it is configured with this:

add tm trafficAction traffic_prof_exchange_2016_owa_logout -InitiateLogout ON
add tm trafficPolicy traffic_pol_exchange_2016_owa_logout 'HTTP.REQ.URL.CONTAINS("/owa/logoff.owa")' traffic_prof_exchange_2016_owa_logout

As far as I understood, I'm not able to use this for the bookmarks and Unified Gateway. I will need to do this with "add vpn trafficAction", but there I miss the "InitiateLogout" switch. Does anybody know how to configure that vpn trafficAction?

 

Best regards,
Marc


Hi Johannes, hi all,

Many thanks for your help. I'm still trying to get the configuration right on the ADC. I have an LDAP policy with sAMAccountName and OTP. Like that I'm able to log in with 2FA and have RDP bookmarks configured, which we can use. But like that, OWA SSO isn't working anymore. So I need a way to use a different LDAP policy with UPN for OWA. As far as I understand, I need to configure an LB vServer to achieve that.

 

So it's getting a little complicated with the config. I have the following configured:

UG -> Authentication with SAMAccountName & OTP

--> Bookmark for OWA webmail.domain.com/owa (LBL vServer configured)

------> LB vServer where I have authentication configured and point it to an AAA vServer

-----------> AAA vServer where I have configured an LDAP policy with UPN

 

It isn't working as expected. Do I misunderstand something, or is there an easier way to have internal websites configured with SSO and UPN as well as websites with SSO and sAMAccountName?

 

Many thanks for your thoughts on that.

 

Best regards,
Marc


Marc, I didn't get it in full.

In nFactor, you always use the last factor for SSO, so LDAP has to be the last factor. With OWA, you may use either domain\user-name or username@domain as a user name. Both are OK. So you might use either sAMAccountName or UPN. You could also extract the UPN from a sAMAccountName profile and vice versa (it would be an additional attribute to retrieve). Which parameters to use is defined in a "Form SSO Profile". There is good documentation from Carl Stalhood available about this.

 

Greetings

 

Johannes Norz
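The approach Johannes describes above (log in with sAMAccountName and OTP, but feed the UPN to the OWA form from an additionally retrieved LDAP attribute) as an added configuration example. This is not from the thread or from any of the linked blogs; all object names, the server IP, the bind account and the base DN are placeholders, and the formSSOAction and success rule are the ones already posted in this thread.

```text
# Added example, not from the thread. Placeholders: LDAP_SAM_UPN, 10.0.0.10,
# DC=domain,DC=ch, svc_ns@domain.ch, UG_vserver. Replace with your own values.

# 1. One LDAP action: users log in with sAMAccountName (so the OTP factor and the
#    RDP bookmarks keep working), and userPrincipalName is retrieved as attribute 1.
add authentication ldapAction LDAP_SAM_UPN -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=domain,DC=ch" -ldapBindDn "svc_ns@domain.ch" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -Attribute1 userPrincipalName

# 2. Form SSO profile for OWA, as already posted in this thread.
add vpn formSSOAction formProf_OWA_SSO -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST

# 3. Traffic action: SSO ON, but override the user name that is submitted to the
#    OWA form with the UPN stored in attribute 1, while the password stays the
#    one the user typed at the Gateway logon page.
add vpn trafficAction traffProfile_OWA_SSO HTTP -appTimeout 1 -SSO ON -formSSOAction formProf_OWA_SSO -kcdAccount NONE -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.PASSWD"

# 4. Traffic policy in advanced (default) expression syntax instead of the
#    deprecated classic "REQ.HTTP.URL CONTAINS" form, bound to the UG vServer.
add vpn trafficPolicy traffPolicy_OWA_SSO "HTTP.REQ.URL.CONTAINS(\"/owa/auth/logon.aspx\")" traffProfile_OWA_SSO
bind vpn vserver UG_vserver -policy traffPolicy_OWA_SSO -priority 60

# Check: after a Gateway logon, confirm the UPN was actually retrieved for the
# session before testing the OWA bookmark.
show aaa session
```

Two things to verify when this does not work: the AAA.USER.ATTRIBUTE(1) expression is empty if the LDAP action that ran is not the one with -Attribute1 set (for example when a second, UPN-only LDAP action on a separate AAA vServer handles the request instead), and the ssoSuccessRule only fires if Exchange returns the cadata cookie on the first response, so a redirect from a load balancer in front of OWA will make the form SSO look as if it silently failed.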


Hi Johannes,

Many thanks for your feedback. I was looking exactly for that: configuring an LDAP profile which I can use to extract UPN and sAMAccountName and which I can use for SSO for different intranet websites. Under which section did you find that on Carl's website? I couldn't find it on my own. If I can define an LDAP profile which extracts both, that will probably solve my issue.

 

Best regards,
Marc
