
Binding advanced authentication policies?


FUNDY MUTUAL

I must be missing something silly here...  I have four authentication servers defined, 2 for radius (for my 2FA solution) and 2 for LDAP:

add authentication radiusAction RADIUS_AD-SERVER-01 -serverIP 192.168.1.2 -serverPort 1812 -authTimeout 30 -radKey 123456 -encrypted -encryptmethod ENCMTHD_3
add authentication radiusAction RADIUS_AD-SERVER-02 -serverIP 192.168.1.3 -serverPort 1812 -authTimeout 30 -radKey 123456 -encrypted -encryptmethod ENCMTHD_3
add authentication ldapAction AD-SERVER-01_LDAP -serverIP 192.168.1.2 -serverPort 636 -ldapBase "DC=MYDOMAIN,DC=LOCAL" -ldapBindDn "CN=LDAP,CN=Users,DC=MYDOMAIN,DC=LOCAL" -ldapBindDnPassword 123456 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=CITRIX-USERS,CN=Users,DC=MYDOMAIN,DC=LOCAL" -groupAttrName memberOf -subAttributeName CN -secType SSL
add authentication ldapAction AD-SERVER-02_LDAP -serverIP 192.168.1.3 -serverPort 636 -ldapBase "DC=MYDOMAIN,DC=LOCAL" -ldapBindDn "CN=LDAP,CN=Users,DC=MYDOMAIN,DC=LOCAL" -ldapBindDnPassword 123456 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -searchFilter "memberOf=CN=CITRIX-USERS,CN=Users,DC=MYDOMAIN,DC=LOCAL" -groupAttrName memberOf -subAttributeName CN -secType SSL

 

Then I have four classic policies for these four authentication servers:

add authentication radiusPolicy RADIUS_Authentication_AD-SERVER-01 ns_true RADIUS_AD-SERVER-01
add authentication radiusPolicy RADIUS_Authentication_AD-SERVER-02 ns_true RADIUS_AD-SERVER-02
add authentication ldapPolicy AD-SERVER-01_LDAP_policy ns_true AD-SERVER-01_LDAP
add authentication ldapPolicy AD-SERVER-02_LDAP_policy ns_true AD-SERVER-02_LDAP

 

I know that I need to convert these to Advanced policies, which should be this:

add authentication Policy nspepi_adv_RADIUS_Authentication_AD-SERVER-01 -rule TRUE -action RADIUS_AD-SERVER-01
add authentication Policy nspepi_adv_RADIUS_Authentication_AD-SERVER-02 -rule TRUE -action RADIUS_AD-SERVER-02
add authentication Policy nspepi_adv_AD-SERVER-01_LDAP_policy -rule TRUE -action AD-SERVER-01_LDAP
add authentication Policy nspepi_adv_AD-SERVER-02_LDAP_policy -rule TRUE -action AD-SERVER-02_LDAP

 

However if I unbind my classic policies from my vservers, and then delete them, when I go in the UI to bind the new advanced policies, there are no advanced policies showing to bind.

 

What am I missing here?

 

Thanks

 

dcc

 


It can help if you use a slightly different naming convention to tell the difference between your authe_polc_ and authe_poladv_ policies.

Martin is correct:  if you are under the vpn vserver properties you can only bind classic authentication policies to the vpn vserver and you will not see the advanced instances.

 

Regarding editions:

To use advanced authentication policies with the vpn vserver, you will need to integrate the vpn vserver with an authentication vserver (the AAA for App Traffic feature) and bind the advanced policies to the authentication vserver.

 

You can use the AAA feature with even Standard edition gateways now to support the migration to the advanced engine (though I don't think you get all nFactor capabilities). A non-addressable authentication vserver for gateway-only use is permitted (show unlicensed features to access). This was announced in the middle of last year (there may be some dependency on the exact firmware you are on).

 

Here: https://www.carlstalhood.com/nfactor-authentication-citrix-gateway-13/ (see Carl Stalhood's note and search for "standard edition")

Issue if you can't retain AAA (and the version it's fixed in):

https://support.citrix.com/article/CTX285241

 


It's more clearly spelled out there. I can't find the Citrix article where they announced the AAA support for gateway customers with ADC Standard edition (I was going to provide that first). I thought it was license dependent, but apparently non-addressable AAA works. If it doesn't, it might be firmware version or license change dependent, but I don't think so.


So at a minimum (and I'm sure some of this still needs tweaking), it appears that to add an authentication profile that suits my needs (based on my earlier code snippets at the top of this post), I need to add this code to my config:

 

add authentication authnProfile AAA-LDAP-AUTH-PROFILE -authnVsName AAA-LDAP-AUTH
add authentication vserver AAA-LDAP-AUTH SSL 0.0.0.0
add authentication Policy nspepi_adv_AD-SERVER-01_LDAP_policy -rule TRUE -action AD-SERVER-01_LDAP
add authentication Policy nspepi_adv_AD-SERVER-02_LDAP_policy -rule TRUE -action AD-SERVER-02_LDAP
set ssl vserver AAA-LDAP-AUTH -dtls1 DISABLED
bind authentication vserver AAA-LDAP-AUTH -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-LDAP-AUTH -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-LDAP-AUTH -policy nspepi_adv_AD-SERVER-01_LDAP_policy -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver AAA-LDAP-AUTH -policy nspepi_adv_AD-SERVER-02_LDAP_policy -priority 110 -gotoPriorityExpression NEXT
bind ssl vserver AAA-LDAP-AUTH -cipherName DEFAULT
bind ssl vserver AAA-LDAP-AUTH -certkeyName wildcard2022
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_256
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_384
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_224
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_521

 

Then it allows me to remove the basic authentication binding from my vpn vserver and add the newly created "AAA-LDAP-AUTH-PROFILE" Authentication Profile. If nothing else, I can log into my test VA desktop via my test NS. :-) My next step is to test this on a Standard edition NS.

 

dcc


I guess maybe I should explain myself here and why I'm trying to accomplish all this via CLI... I'm a Citrix reseller and MSP. Many of my customers' setups are cookie-cutter and end up configured similarly. First, I'm looking for an easy way to convert their existing configs from classic to advanced, in advance of 13.1 coming out. Second, when I deploy a new NS (all are virtualized on ESXi), immediately after I power the VM on for the first time and configure the IP and gateway in the VM console, I SFTP the customer's wildcard.pfx and the license file onto the VM. Then I PuTTY in and pre-configure many things such as DNS, the certificate linking and binding, my custom SSL cipher (based on SSL Labs), and my LDAP and RADIUS sources. I keep all the necessary initial setup commands in a text file that allows me to search and replace words and IPs as necessary, and then I can just dump all those commands into PuTTY, save the config and reboot, then log into the GUI to start the setup wizards where required. It makes the wizards fly because instead of having to stop and use the GUI to configure my LDAP and RADIUS servers (and there are always 2 or 3 of each), they are already in place in a matter of a few seconds via the CLI.

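The reply earlier in the thread explains the mechanism (advanced authentication policies bind only to an authentication vserver, which the Gateway reaches through an authnProfile), and the post above explains the need: converting many near-identical classic configs before 13.1. The following Python script is an added example of that conversion over an ns.conf fragment; it is not Citrix's nspepi tool and not code from this thread. It assumes the narrow case the thread shows (classic ldapPolicy/radiusPolicy objects with an ns_true rule, bound as primary policies to a vpn vserver, plus ns_true audit policies), emits a fresh-build fragment rather than the unbind/rm commands you would run on a live appliance, and the names it generates (nspepi_adv_ prefix, AAA_<vserver>, AAA_<vserver>_PROFILE) and the SAMPLE input are conventions and constructed data chosen here.

```python
"""Classic -> advanced authentication conversion for a NetScaler ns.conf fragment.

Added example, not Citrix's nspepi tool and not the poster's script. It covers only
what this thread uses: classic ldapPolicy/radiusPolicy objects whose rule is ns_true,
those policies bound as primary policies to a vpn vserver, and classic audit
policies whose rule is ns_true. Everything else is copied through; classic rules
other than ns_true and "-secondary" bindings are marked "### MANUAL", not guessed.
Generated names (nspepi_adv_, AAA_<vserver>, AAA_<vserver>_PROFILE) are assumptions.
"""
import re
import shlex
from typing import Dict, List, Tuple

CLASSIC_AUTH = re.compile(r"^add authentication (ldapPolicy|radiusPolicy) (\S+) (.+) (\S+)$")
CLASSIC_AUDIT = re.compile(r"^add audit (syslogPolicy|nslogPolicy) (\S+) ns_true (\S+)$")
VPN_BIND = re.compile(r"^bind vpn vserver (\S+) -policy (\S+)(.*)$")
CERT_BIND = re.compile(r"^bind ssl vserver (\S+) -certkeyName (\S+)$")


def convert(conf: str) -> str:
    """Return a fresh-build fragment: advanced policies, one non-addressable
    authentication vserver per gateway, and the authnProfile linking them."""
    lines = [ln.strip() for ln in conf.splitlines()]

    # Pass 1: which names are convertible classic auth policies, and which
    # certkey each gateway uses, so bindings are handled regardless of order.
    classic: Dict[str, str] = {}
    certs: Dict[str, str] = {}
    for line in lines:
        m = CLASSIC_AUTH.match(line)
        if m and m.group(3) == "ns_true":
            classic[m.group(2)] = m.group(4)
        m = CERT_BIND.match(line)
        if m:
            certs[m.group(1)] = m.group(2)

    # Pass 2: rewrite definitions in place; collect gateway bindings for later.
    out: List[str] = []
    per_gateway: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        m = CLASSIC_AUTH.match(line)
        if m:
            _, name, rule, action = m.groups()
            if rule != "ns_true":
                out.append(f"### MANUAL: classic rule {rule} on {name} needs an advanced expression")
                out.append(line)
            else:
                out.append(f"add authentication Policy nspepi_adv_{name} -rule TRUE -action {action}")
            continue
        m = CLASSIC_AUDIT.match(line)
        if m:
            kind, name, action = m.groups()
            out.append(f"add audit {kind} {name} true {action}")  # ns_true -> true, as found in the thread
            continue
        m = VPN_BIND.match(line)
        if m and m.group(2) in classic:
            gateway, policy, rest = m.groups()
            opts = shlex.split(rest)
            if "-secondary" in opts:
                out.append(f"### MANUAL: {policy} was a secondary factor on {gateway}; model it as a next factor")
                continue
            prio = opts[opts.index("-priority") + 1] if "-priority" in opts else "100"
            per_gateway.setdefault(gateway, []).append((policy, prio))
            continue
        out.append(line)

    # One authentication vserver and authnProfile per gateway. NEXT lets the
    # engine move on to the next bound policy when an action does not
    # authenticate the user, i.e. the server fallback the classic priorities gave.
    for gateway, bound in per_gateway.items():
        aaa = f"AAA_{gateway}"
        out.append(f"add authentication vserver {aaa} SSL 0.0.0.0")
        if gateway in certs:
            out.append(f"bind ssl vserver {aaa} -certkeyName {certs[gateway]}")
        for policy, prio in sorted(bound, key=lambda b: int(b[1])):
            out.append(f"bind authentication vserver {aaa} -policy nspepi_adv_{policy} "
                       f"-priority {prio} -gotoPriorityExpression NEXT")
        out.append(f"add authentication authnProfile {aaa}_PROFILE -authnVsName {aaa}")
        out.append(f"set vpn vserver {gateway} -authnProfile {aaa}_PROFILE")
    return "\n".join(out)


# Constructed input for the demo, using the object names from this thread.
SAMPLE = """\
add authentication ldapAction AD-SERVER-01_LDAP -serverIP 192.168.1.2 -serverPort 636 -secType SSL
add authentication ldapAction AD-SERVER-02_LDAP -serverIP 192.168.1.3 -serverPort 636 -secType SSL
add authentication ldapPolicy AD-SERVER-01_LDAP_policy ns_true AD-SERVER-01_LDAP
add authentication ldapPolicy AD-SERVER-02_LDAP_policy ns_true AD-SERVER-02_LDAP
add vpn vserver GW_INT SSL 192.168.1.18 443
bind ssl vserver GW_INT -certkeyName wildcard2023
bind vpn vserver GW_INT -policy AD-SERVER-01_LDAP_policy -priority 100
bind vpn vserver GW_INT -policy AD-SERVER-02_LDAP_policy -priority 110
bind vpn vserver GW_INT -policy PL_OS_192.168.1.18 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
add audit syslogPolicy syslog_policy ns_true syslog01
"""

if __name__ == "__main__":
    print(convert(SAMPLE))
```

Running it prints the converted fragment for the constructed SAMPLE: the two classic ldapPolicy lines become advanced Policy objects, the syslog policy gets the ns_true to true change, the session policy binding passes through untouched, and the AAA vserver, its bindings, the authnProfile and the set vpn vserver line are appended in dependency order. The -gotoPriorityExpression NEXT on each binding is what lets evaluation continue to the second LDAP or RADIUS server when the first cannot authenticate the user, which is the same-factor fallback the classic priorities gave. Classic rules other than ns_true and -secondary bindings are flagged rather than converted, because a classic second factor becomes a next factor with its own policy label in nFactor and is not a one-line rewrite.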

So yes - it works fine using my CLI commands above in Standard - it even still managed to score an A+ at Qualys from that perspective, and it works with my 3rd party RADIUS-based MFA solution. The downside however is that the "XenApp and XenDesktop" "Create New Gateway" wizard (at least in 13.0-76.29) doesn't seem to understand or offer advanced authentication policies, and it appears it insists on creating basic authentication policies. To be honest, I haven't used the "Create New Gateway" wizard in quite some time though - I generally just search and replace an existing ns.conf and then cut and paste as required.

 

Also Carl - it did persist through reboots (including a wholesale search and replace of IPs and names in the existing ns.conf so I could run it against Qualys with the external identity of one of my existing appliances).

 

dcc


I need to figure the settings for my syslog logging now to convert from classic to advanced.   :-)

 

EDIT: Hmm... That was too easy. Looks like all I needed to do was change ns_true to true in my audit policy and the CLI no longer complains that it is classic.

 

add audit syslogPolicy syslog_policy true syslog01


 

Edited by Dean Colpitts
Added fix to change from classic to advanced.

  • 4 months later...

I opened a case with Citrix about this as well and they referenced the document below. It would seem that starting with version 13.0 build 67.X, nFactor authentication is now supported with a Standard license. So, the process would be to update to this version and then use nFactor.

 

https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html

 


  • 1 year later...
13 minutes ago, Sagar Phadatare1709163092 said:

Hi Dean,

Were you able to put this config in? I'm also in the same pit as you were. We also use LDAP and RADIUS server auth for our gateway vserver and that needs to be replaced as we are moving to 13.1.

Can you please help me with the config that worked for you?

 

Here's what I have in my current NS template.  This is basically how I start off all my new Netscalers, and then I adjust from there.

 

dcc


 

###Complete ESXi appliance deployment and take a snapshot prior to initially powering on.
###If replacing an existing appliance, ensure the MAC Address of the new machine matches the old machine
###Power on, run through the appliance IP wizard in the console
###SSH the appliance IP and login as nsroot / nsroot - change password when prompted
###SFTP the license file to /nsconfig/license and the wildcard.pfx (plus root chain) to /nsconfig/ssl before using Putty to configure via CLI

###Configure DNS
set ns vpxparam -cpuyield YES
add dns nameServer 192.168.1.2
add dns nameServer 192.168.1.3
add dns nameServer 192.168.1.4
add dns suffix mydomain.fqdn

###Configure NTP
set ns param -timezone "GMT-05:00-EST-America/Toronto"
add ntp server 192.168.1.1
enable ntp sync

###Add GoDaddy certs (sftp these to /nsconfig/ssl before running these commands)
add ssl certKey gdroot-g2 -cert gdroot-g2.crt -expiryMonitor DISABLED
add ssl certKey gdig2 -cert gdig2.crt -expiryMonitor DISABLED
add ssl certKey wildcard2023 -cert wildcard2023.pfx -key wildcard2023.pfx -inform PFX -password pfx_cleartext_password -expiryMonitor DISABLED
link ssl certKey gdig2 gdroot-g2
link ssl certKey wildcard2023 gdig2

###Bind GoDaddy certs to default services
bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName wildcard2023
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName wildcard2023
bind ssl service nshttps-::1l-443 -certkeyName wildcard2023
bind ssl service nsrpcs-::1l-3008 -certkeyName wildcard2023
bind ssl service nshttps-127.0.0.1-443 -certkeyName wildcard2023
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName wildcard2023

###Create custom cipher group
add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA

save ns config

###----- LOGIN AND COMPLETE INITIAL SETUP WIZARD VIA BROWSER BEFORE RETURNING TO SAVE AND REBOOT -----

save ns config
reboot

###Configure appliance features
### These features must be applied after the license file has been applied and the appliance rebooted at least once!!!
enable ns feature WL SSL SSLVPN REWRITE CH
enable ns feature AAA LB
enable ns mode FR L3 Edge USNIP PMTUD
set ssl parameter -denySSLReneg NONSECURE
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns param -cookieversion 1
set ns httpParam -dropInvalReqs ON

###Configure new Advanced Authentication Policies for LDAP
add authentication ldapAction LDAP_AD01 -serverIP 192.168.1.2 -serverPort 636 -ldapBase "DC=MYDOMAIN,DC=FQDN" -ldapBindDn "CN=LDAP,CN=Users,DC=MYDOMAIN,DC=FQDN" -ldapBindDnPassword ldap_Password -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NS_USERS,CN=Users,DC=MYDOMAIN,DC=FQDN" -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapAction LDAP_AD02 -serverIP 192.168.1.3 -serverPort 636 -ldapBase "DC=MYDOMAIN,DC=FQDN" -ldapBindDn "CN=LDAP,CN=Users,DC=MYDOMAIN,DC=FQDN" -ldapBindDnPassword ldap_Password -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NS_USERS,CN=Users,DC=MYDOMAIN,DC=FQDN" -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapAction LDAP_UTIL01 -serverIP 192.168.1.4 -serverPort 636 -ldapBase "DC=MYDOMAIN,DC=FQDN" -ldapBindDn "CN=LDAP,CN=Users,DC=MYDOMAIN,DC=FQDN" -ldapBindDnPassword ldap_Password -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NS_USERS,CN=Users,DC=MYDOMAIN,DC=FQDN" -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication Policy nspepi_adv_LDAP_AD01_policy -rule TRUE -action LDAP_AD01
add authentication Policy nspepi_adv_LDAP_AD02_policy -rule TRUE -action LDAP_AD02
add authentication Policy nspepi_adv_LDAP_UTIL01_policy -rule TRUE -action LDAP_UTIL01

###Configure new Advanced Authentication Policies for RADIUS
add authentication radiusAction RADIUS_AD01 -serverIP 192.168.1.2 -serverPort 1812 -radKey RADIUSRadkey
add authentication radiusAction RADIUS_AD02 -serverIP 192.168.1.3 -serverPort 1812 -radKey RADIUSRadkey
add authentication radiusAction RADIUS_UTIL01 -serverIP 192.168.1.4 -serverPort 1812 -radKey RADIUSRadkey
add authentication Policy nspepi_adv_RADIUS_AD01_policy -rule TRUE -action RADIUS_AD01
add authentication Policy nspepi_adv_RADIUS_AD02_policy -rule TRUE -action RADIUS_AD02
add authentication Policy nspepi_adv_RADIUS_UTIL01_policy -rule TRUE -action RADIUS_UTIL01

###Configure LDAP Authentication Profile
add authentication authnProfile AAA-LDAP-AUTH-PROFILE -authnVsName AAA-LDAP-AUTH
add authentication vserver AAA-LDAP-AUTH SSL 0.0.0.0
set ssl vserver AAA-LDAP-AUTH -dtls1 DISABLED
bind authentication vserver AAA-LDAP-AUTH -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-LDAP-AUTH -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-LDAP-AUTH -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-LDAP-AUTH -policy nspepi_adv_LDAP_AD01_policy -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver AAA-LDAP-AUTH -policy nspepi_adv_LDAP_AD02_policy -priority 110 -gotoPriorityExpression NEXT
bind authentication vserver AAA-LDAP-AUTH -policy nspepi_adv_LDAP_UTIL01_policy -priority 120 -gotoPriorityExpression NEXT

###Bind cipher group and cert to LDAP Authentication Profile
bind ssl vserver AAA-LDAP-AUTH -cipherName ssllabs-smw-q2-2018
bind ssl vserver AAA-LDAP-AUTH -certkeyName wildcard2023
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_256
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_384
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_224
bind ssl vserver AAA-LDAP-AUTH -eccCurveName P_521

###Configure RADIUS Authentication Profile
add authentication authnProfile AAA-RADIUS-AUTH-PROFILE -authnVsName AAA-RADIUS-AUTH
add authentication vserver AAA-RADIUS-AUTH SSL 0.0.0.0
set ssl vserver AAA-RADIUS-AUTH -dtls1 DISABLED
bind authentication vserver AAA-RADIUS-AUTH -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-RADIUS-AUTH -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-RADIUS-AUTH -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-RADIUS-AUTH -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind authentication vserver AAA-RADIUS-AUTH -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-RADIUS-AUTH -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind authentication vserver AAA-RADIUS-AUTH -policy nspepi_adv_RADIUS_AD01_policy -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver AAA-RADIUS-AUTH -policy nspepi_adv_RADIUS_AD02_policy -priority 110 -gotoPriorityExpression NEXT
bind authentication vserver AAA-RADIUS-AUTH -policy nspepi_adv_RADIUS_UTIL01_policy -priority 120 -gotoPriorityExpression NEXT

###Bind cipher group and cert to RADIUS Authentication Profile
bind ssl vserver AAA-RADIUS-AUTH -cipherName ssllabs-smw-q2-2018
bind ssl vserver AAA-RADIUS-AUTH -certkeyName wildcard2023
bind ssl vserver AAA-RADIUS-AUTH -eccCurveName P_256
bind ssl vserver AAA-RADIUS-AUTH -eccCurveName P_384
bind ssl vserver AAA-RADIUS-AUTH -eccCurveName P_224
bind ssl vserver AAA-RADIUS-AUTH -eccCurveName P_521

###Configure STS
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy insert_STS_header true insert_STS_header

###Configure vServers - use LDAP if the client IP is in the 192.168.1.0/24 subnet, otherwise use RADIUS for authentication requests from all other subnets
add vpn vserver _XD_192.168.1.18_443 SSL 192.168.1.18 443 -dtls OFF -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(192.168.1.0/24)" -Listenpriority 1 -deploymentType ICA_STOREFRONT -authnProfile AAA-LDAP-AUTH-PROFILE -vserverFqdn cag01.mydomain.fqdn
add vpn vserver _XD_192.168.1.18_443_EXT SSL 192.168.1.18 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT -authnProfile AAA-RADIUS-AUTH-PROFILE
set ssl vserver _XD_192.168.1.18_443 -ssl3 DISABLED -dtls1 DISABLED
set ssl vserver _XD_192.168.1.18_443_EXT -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -dtls1 DISABLED
add vpn sessionAction AC_OS_192.168.1.18 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd01.mydomain.fqdn/Citrix/StoreWeb" -ClientChoices OFF -ntDomain mydomain.fqdn -clientlessVpnMode OFF -storefronturl "https://xd01.mydomain.fqdn" -sfGatewayAuthType RSA
add vpn sessionAction AC_WB_192.168.1.18 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd01.mydomain.fqdn/Citrix/StoreWeb" -ClientChoices OFF -ntDomain mydomain.fqdn -clientlessVpnMode OFF -sfGatewayAuthType RSA
add vpn sessionPolicy PL_OS_192.168.1.18 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_192.168.1.18
add vpn sessionPolicy PL_WB_192.168.1.18 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.1.18
bind vpn vserver _XD_192.168.1.18_443 -staServer "https://xd01.mydomain.fqdn"
bind vpn vserver _XD_192.168.1.18_443_EXT -staServer "https://xd01.mydomain.fqdn"
bind vpn vserver _XD_192.168.1.18_443 -portaltheme RfWebUI
bind vpn vserver _XD_192.168.1.18_443_EXT -portaltheme RfWebUI
bind vpn vserver _XD_192.168.1.18_443 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443 -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443 -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.1.18_443 -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.1.18_443 -policy PL_OS_192.168.1.18 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.1.18_443 -policy PL_WB_192.168.1.18 -priority 110 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.1.18_443_EXT -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.1.18_443_EXT -policy PL_OS_192.168.1.18 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.1.18_443_EXT -policy PL_WB_192.168.1.18 -priority 110 -gotoPriorityExpression NEXT -type REQUEST

###Bind cipher group and cert to vServers
unbind ssl vserver _XD_192.168.1.18_443 -cipherName DEFAULT
unbind ssl vserver _XD_192.168.1.18_443_EXT -cipherName DEFAULT
bind ssl vserver _XD_192.168.1.18_443 -cipherName ssllabs-smw-q2-2018
bind ssl vserver _XD_192.168.1.18_443_EXT -cipherName ssllabs-smw-q2-2018
bind ssl vserver _XD_192.168.1.18_443 -certkeyName wildcard2023
bind ssl vserver _XD_192.168.1.18_443_EXT -certkeyName wildcard2023
###Bind the STS rewrite policy to the vServers (a rewrite policy on a Gateway is bound to the vpn vserver; bind lb vserver only works for load balancing vservers)
bind vpn vserver _XD_192.168.1.18_443 -policy insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.1.18_443_EXT -policy insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

###Configure syslog
add audit syslogAction syslog01 syslog01.mydomain.fqdn -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -dateFormat YYYYMMDD -logFacility LOCAL1 -appflowExport ENABLED
add audit syslogPolicy syslog_policy true syslog01
bind audit syslogGlobal -policyName SETSYSLOGPARAMS_ADV_POL -priority 2000000000
bind audit nslogGlobal -policyName SETNSLOGPARAMS_ADV_POL -priority 2000000000
bind audit syslogGlobal -policyName syslog_policy -priority 2000000010
bind system global syslog_policy -priority 100

 

 

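Because a template like the one above is pasted into a PuTTY session, each command executes in order and can only name objects that already exist; a name that is mistyped, defined further down, or defined as a different object type (for example a rewrite policy bound with bind lb vserver to a name that was created with add vpn vserver) stops the paste partway and leaves the appliance half configured. The following Python linter is an added example of a pre-paste check, not a Citrix tool and not code from this thread; the command subset, option names, factory-object list and the SAMPLE fragment (with two deliberate mistakes) are assumptions and constructed data chosen here, modelled on the commands the template uses.

```python
"""Reference and ordering lint for a NetScaler CLI fragment (added example, not a Citrix tool).

Pasted commands run one at a time, so a command naming an object that is defined
further down, or defined as a different object type, fails mid-paste. The command
subset, option names and factory-object list are an assumption modelled on the
template in this thread; keywords are matched exactly as written there.
"""
import shlex
from typing import Dict, List, Set, Tuple

# "add" commands that define a named object; the name is always the 4th token.
DEFINERS = {
    ("add", "authentication", "ldapAction"): "authAction",
    ("add", "authentication", "radiusAction"): "authAction",
    ("add", "authentication", "Policy"): "authPolicy",
    ("add", "authentication", "vserver"): "authVserver",
    ("add", "authentication", "authnProfile"): "authnProfile",
    ("add", "vpn", "vserver"): "vpnVserver",
    ("add", "vpn", "sessionAction"): "sessionAction",
    ("add", "vpn", "sessionPolicy"): "sessionPolicy",
    ("add", "lb", "vserver"): "lbVserver",
    ("add", "ssl", "certKey"): "certKey",
    ("add", "rewrite", "action"): "rewriteAction",
    ("add", "rewrite", "policy"): "rewritePolicy",
}
# Positional references: (token index, accepted kinds) for a command prefix.
POSITIONAL_REFS = {
    ("bind", "authentication", "vserver"): [(3, ("authVserver",))],
    ("bind", "vpn", "vserver"): [(3, ("vpnVserver",))],
    ("bind", "lb", "vserver"): [(3, ("lbVserver",))],
    ("bind", "ssl", "vserver"): [(3, ("authVserver", "vpnVserver", "lbVserver"))],
    ("add", "vpn", "sessionPolicy"): [(5, ("sessionAction",))],
    ("add", "rewrite", "policy"): [(5, ("rewriteAction",))],
}
# Option references: "-option value" must name an object of an accepted kind.
OPTION_REFS = {
    (("add", "authentication", "Policy"), "-action"): ("authAction",),
    (("add", "authentication", "authnProfile"), "-authnVsName"): ("authVserver",),
    (("add", "vpn", "vserver"), "-authnProfile"): ("authnProfile",),
    (("bind", "authentication", "vserver"), "-policy"): ("authPolicy",),
    (("bind", "vpn", "vserver"), "-policy"): ("sessionPolicy", "rewritePolicy"),
    (("bind", "lb", "vserver"), "-policyName"): ("rewritePolicy",),
    (("bind", "ssl", "vserver"), "-certkeyName"): ("certKey",),
}
# Objects present on every appliance without an "add" (the ones the template binds).
FACTORY = {"DEFAULT", "RfWebUI", "SETSYSLOGPARAMS_ADV_POL", "SETNSLOGPARAMS_ADV_POL",
           "_cacheTCVPNStaticObjects", "_cacheOCVPNStaticObjects", "_cacheVPNStaticObjects",
           "_mayNoCacheReq", "_cacheWFStaticObjects", "_noCacheRest"}


def lint(config: str) -> List[str]:
    """One finding per reference to a name not yet defined, or defined only as another kind."""
    defined: Dict[str, Set[str]] = {}
    findings: List[str] = []

    def check(lineno: int, name: str, kinds: Tuple[str, ...], where: str) -> None:
        if name in FACTORY:
            return
        have = defined.get(name)
        if have is None:
            findings.append(f"line {lineno}: {where} references undefined '{name}'")
        elif not have.intersection(kinds):
            findings.append(f"line {lineno}: {where} expects {'/'.join(kinds)} "
                            f"but '{name}' is a {'/'.join(sorted(have))}")

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        prefix = (tok[0], tok[1], tok[2])
        cmd = " ".join(prefix)
        for idx, kinds in POSITIONAL_REFS.get(prefix, []):
            if idx < len(tok):
                check(lineno, tok[idx], kinds, cmd)
        for i, t in enumerate(tok[:-1]):
            kinds = OPTION_REFS.get((prefix, t))
            if kinds:
                check(lineno, tok[i + 1], kinds, f"{cmd} {t}")
        if prefix in DEFINERS:  # record after checking, so a forward reference stays a finding
            defined.setdefault(tok[3], set()).add(DEFINERS[prefix])
    return findings


# Constructed fragment with two deliberate mistakes: the authnProfile names an authentication
# vserver created on the next line, and the STS rewrite policy is bound with "bind lb vserver".
SAMPLE = r"""add ssl certKey wildcard2023 -cert wildcard2023.pfx -key wildcard2023.pfx -inform PFX -password x
add authentication authnProfile AAA-LDAP-AUTH-PROFILE -authnVsName AAA-LDAP-AUTH
add authentication vserver AAA-LDAP-AUTH SSL 0.0.0.0
bind ssl vserver AAA-LDAP-AUTH -certkeyName wildcard2023
add vpn vserver _XD_192.168.1.18_443 SSL 192.168.1.18 443 -authnProfile AAA-LDAP-AUTH-PROFILE
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy insert_STS_header true insert_STS_header
bind lb vserver _XD_192.168.1.18_443 -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it and the two findings are printed; swap the authnProfile and authentication vserver lines and bind the rewrite policy with bind vpn vserver -policy instead, and the fragment lints clean. Whether the appliance rejects a particular forward reference (an authnProfile created before its authentication vserver, for instance) depends on the object type, so the linter reports every one and leaves the decision to you; extend DEFINERS, POSITIONAL_REFS and OPTION_REFS for the other command families in your own template before trusting it on a whole ns.conf.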

  • 6 months later...
On 6/29/2023 at 4:09 PM, Sagar Phadatare1709163092 said:

Hi Dean,

Were you able to put this config in? I'm also in the same pit as you were. We also use LDAP and RADIUS server auth for our gateway vserver and that needs to be replaced as we are moving to 13.1.

Can you please help me with the config that worked for you?

Hi,

I have the same situation. I use NS 13.0 92.13.n.c with a standard license and have to migrate to 13.1 soon. I use LDAP and RADIUS server auth for several gateway vservers and don't know how to convert the basic policies to advanced so I can use them. I have several LDAP policies (one for each DC site) and 2 RADIUS server policies (test and prod), and have 4 vserver configurations. I am not much into NS and Citrix; I just inherited all the infra and now I have to deal with it, somehow. Now I am looking for help and some solution.
