Jump to content
Welcome to our new Citrix community!

Transform URL to hide AAA vserver for Exchange OWA

Joost Sannen

Recommended Posts

Hi guys,


We have this setup on the ADC 13.0 for Exchange similar to https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/ . Because of the pre auth for OWA users see the URL change from https://webmail.domain.example to https://aaa.domain.example.


Some users find this confusing. So I want the client to only see https://webmail.domain.example during authentication too. I've played with a transform policy but did not succeed. 


Is it possible to show the client only https://webmail.domain.example ?

Link to comment
Share on other sites

Hello Joost,


I think that's not possible, as the redirect to your aaa inserts the cookie NSC_TASS, which is filling the information about the redirection after successfull authentication. What I did in some deployments is, the user is able to go to aaa.domain.example, login and is redirected (and signed in) to webmail.domain.example, as many users are creating bookmarks for the aaa url and in default, after sign into the aaa page directly, there is an error, as aaa doesn't know to which destination the redirect should take place.


Create a content switch policy with the following expression (so Cookie does not exist)



Link this policy to a dummy lb vServer with a responder policy linked, which is redirecting to webmail.domain.example/owa (so your owa content switch policy hits)


The redirect isn't shown to the user, as its fast and just creating and filling in the NSC_TASS cookie.


Hope this helps

Best Regards



  • Like 1
Link to comment
Share on other sites

9 hours ago, Joost Sannen said:

Hello Julian,


That's a pity.


The other thing you mention is problem too. So thank you for your solution to solve that problem! However I'll not mark your answer as the solution for my original problem. That will only lead to confusion I guess.


Best regards, Joost

Trying my best, but absolutely understanding your pain. 


Another one is to publish a Citrix gateway as the „global landing page“ with your aaa linked (for ica proxy, websites,…) and set a bookmark to owa which includes SSO. 

Link to comment
Share on other sites

I have configured this kind of solution a couple of times like this:


you create non addressable aaa vserver with your desired authentication policies. as authentication fqdn on your lb vserver you enter the same dns record as you would use for your owa external record (e.g. owa.company.com).

this dns record must point towards a content switch vserver. configure content switch action to point towards the non addressable aaa vserver. create policy with associated action like this:


(http.REQ.URL.CONTAINS("/cgi/tm") || http.REQ.HEADER("Cookie").CONTAINS("NSC_TASS"))


This way you get redirected towards the desired AAA vserver without hostname changing. it is basically the same as julian wrote, with some shortcuts (you wont need dummy lb vsrv or responder policy).






  • Like 1
Link to comment
Share on other sites

Another project finished with improvements from the both of you.


- Authentication done on the same URL like webmail.custom.domain

- Going directly to webmail.custom.domain/logon/logon point/index.html redirects to webmail.custom.domain/owa to take care of the cookie for the destination


Thanks guys!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...