Transform URL to hide AAA vserver for Exchange OWA

[Joost Sannen]

Hi guys,

 

We have this setup on the ADC 13.0 for Exchange similar to https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/ . Because of the pre auth for OWA users see the URL change from https://webmail.domain.example to https://aaa.domain.example.

 

Some users find this confusing. So I want the client to only see https://webmail.domain.example during authentication too. I've played with a transform policy but did not succeed. 

 

Is it possible to show the client only https://webmail.domain.example ?

[Julian Jakob]

Hello Joost,

 

I think that's not possible, as the redirect to your aaa inserts the cookie NSC_TASS, which is filling the information about the redirection after successfull authentication. What I did in some deployments is, the user is able to go to aaa.domain.example, login and is redirected (and signed in) to webmail.domain.example, as many users are creating bookmarks for the aaa url and in default, after sign into the aaa page directly, there is an error, as aaa doesn't know to which destination the redirect should take place.

 

Create a content switch policy with the following expression (so Cookie does not exist)

HTTP.REQ.URL.PATH.EQ("/logon/LogonPoint/index.html")&&HTTP.REQ.COOKIE.VALUE("NSC_TASS").LENGTH.LE(0)

 

Link this policy to a dummy lb vServer with a responder policy linked, which is redirecting to webmail.domain.example/owa (so your owa content switch policy hits)

 

The redirect isn't shown to the user, as its fast and just creating and filling in the NSC_TASS cookie.

 

Hope this helps

Best Regards

Julian

 

[Joost Sannen]

Hello Julian,

 

That's a pity.

 

The other thing you mention is problem too. So thank you for your solution to solve that problem! However I'll not mark your answer as the solution for my original problem. That will only lead to confusion I guess.

 

Best regards, Joost

[Julian Jakob]

9 hours ago, Joost Sannen said:

Hello Julian,

 

That's a pity.

 

The other thing you mention is problem too. So thank you for your solution to solve that problem! However I'll not mark your answer as the solution for my original problem. That will only lead to confusion I guess.

 

Best regards, Joost

Trying my best, but absolutely understanding your pain. 
 

 

Another one is to publish a Citrix gateway as the „global landing page“ with your aaa linked (for ica proxy, websites,…) and set a bookmark to owa which includes SSO. 

[Joost Sannen]

I know Julian and thanks for another suggestion!

 

For our solution we only have to publish Exchange with several custom themes for OWA/ECP pre authentication.

[Jens Ostkamp]

I have configured this kind of solution a couple of times like this:

 

you create non addressable aaa vserver with your desired authentication policies. as authentication fqdn on your lb vserver you enter the same dns record as you would use for your owa external record (e.g. owa.company.com).

this dns record must point towards a content switch vserver. configure content switch action to point towards the non addressable aaa vserver. create policy with associated action like this:

 

(http.REQ.URL.CONTAINS("/cgi/tm") || http.REQ.HEADER("Cookie").CONTAINS("NSC_TASS"))

 

This way you get redirected towards the desired AAA vserver without hostname changing. it is basically the same as julian wrote, with some shortcuts (you wont need dummy lb vsrv or responder policy).

 

 

 

 

 

[Joost Sannen]

Hi Jens,

 

That's it! Actually my configuration already has such a policy . I only had to change the FQDN 

 

Only the expression is different. I use HTTP.REQ.URL.EQ("/").NOT && (is_vpn_url || HTTP.REQ.URL.STARTSWITH("/nf/auth/"))

 

Thank you!

[Joost Sannen]

Another project finished with improvements from the both of you.

 

- Authentication done on the same URL like webmail.custom.domain

- Going directly to webmail.custom.domain/logon/logon point/index.html redirects to webmail.custom.domain/owa to take care of the cookie for the destination

 

Thanks guys!