Joost Sannen, posted October 25, 2021

Hi guys,

We have this setup on the ADC 13.0 for Exchange, similar to https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/ . Because of the pre-auth for OWA, users see the URL change from https://webmail.domain.example to https://aaa.domain.example. Some users find this confusing, so I want the client to only see https://webmail.domain.example during authentication too. I've played with a transform policy but did not succeed. Is it possible to show the client only https://webmail.domain.example?
Julian Jakob, posted October 26, 2021

Hello Joost,

I think that's not possible, as the redirect to your aaa inserts the cookie NSC_TASS, which is filled with the information about the redirection after successful authentication.

What I did in some deployments is this: the user is able to go to aaa.domain.example, log in and be redirected (and signed in) to webmail.domain.example, as many users create bookmarks for the aaa URL, and by default, after signing in to the aaa page directly, there is an error, as aaa doesn't know to which destination the redirect should take place.

Create a content switch policy with the following expression (so the cookie does not exist):

HTTP.REQ.URL.PATH.EQ("/logon/LogonPoint/index.html")&&HTTP.REQ.COOKIE.VALUE("NSC_TASS").LENGTH.LE(0)

Link this policy to a dummy lb vServer with a responder policy linked, which redirects to webmail.domain.example/owa (so your owa content switch policy hits). The redirect isn't shown to the user, as it's fast and just creates and fills in the NSC_TASS cookie.

Hope this helps.

Best regards,
Julian
Joost Sannen, posted October 26, 2021 (author)

Hello Julian,

That's a pity. The other thing you mention is a problem too, so thank you for your solution to solve that problem! However, I'll not mark your answer as the solution for my original problem; that would only lead to confusion, I guess.

Best regards,
Joost
Julian Jakob, posted October 26, 2021

9 hours ago, Joost Sannen said:
Hello Julian, That's a pity. The other thing you mention is a problem too, so thank you for your solution to solve that problem! However, I'll not mark your answer as the solution for my original problem; that would only lead to confusion, I guess. Best regards, Joost

Trying my best, but absolutely understanding your pain. Another one is to publish a Citrix Gateway as the "global landing page" with your aaa linked (for ICA proxy, websites, ...) and set a bookmark to OWA which includes SSO.
Joost Sannen, posted October 27, 2021 (author)

I know, Julian, and thanks for another suggestion! For our solution we only have to publish Exchange, with several custom themes for OWA/ECP pre-authentication.
Jens Ostkamp, posted November 3, 2021

I have configured this kind of solution a couple of times, like this:

- You create a non-addressable aaa vserver with your desired authentication policies.
- As authentication FQDN on your lb vserver you enter the same DNS record as you would use for your OWA external record (e.g. owa.company.com). This DNS record must point towards a content switch vserver.
- Configure a content switch action to point towards the non-addressable aaa vserver.
- Create a policy with the associated action, like this:
  (http.REQ.URL.CONTAINS("/cgi/tm") || http.REQ.HEADER("Cookie").CONTAINS("NSC_TASS"))

This way you get redirected towards the desired AAA vserver without the hostname changing. It is basically the same as Julian wrote, with some shortcuts (you won't need a dummy lb vserver or responder policy).
Joost Sannen, posted November 3, 2021 (author)

Hi Jens,

That's it! Actually my configuration already has such a policy; I only had to change the FQDN. Only the expression is different. I use

HTTP.REQ.URL.EQ("/").NOT && (is_vpn_url || HTTP.REQ.URL.STARTSWITH("/nf/auth/"))

Thank you!
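The approach Jens describes above, written out as NetScaler CLI (this is an added example, not configuration posted by anyone in the thread): a non-addressable AAA vserver, the OWA lb vserver pointed at it with the public OWA hostname as authentication FQDN, and content-switching policies on the webmail CS vserver that send the logon traffic to the AAA vserver. All object names, the hostname webmail.domain.example and the certkey name are assumed placeholders.

```nscli
# Added example, not any poster's configuration. Object names, the hostname
# and the certkey name are assumed placeholders.

# 1. Non-addressable AAA vserver (IP 0.0.0.0). It is only reachable through
#    content switching, so the browser never sees a second hostname. Bind the
#    same certificate that the webmail CS vserver uses, then bind your
#    authentication policies to it as usual.
add authentication vserver aaa_vs_owa SSL 0.0.0.0
bind ssl vserver aaa_vs_owa -certkeyName webmail_certkey

# 2. OWA load-balancing vserver: the authentication host is the public OWA
#    name itself, not a separate aaa.* record, and the AAA vserver is the
#    non-addressable one from step 1.
set lb vserver lb_vs_owa -Authentication ON -AuthenticationHost webmail.domain.example -authnVsName aaa_vs_owa

# 3. Content switching on the vserver that webmail.domain.example resolves to.
#    The AAA hand-off (/cgi/tm) and any request already carrying the NSC_TASS
#    cookie go to the AAA vserver; everything else falls through to OWA.
add cs action cs_act_aaa -targetVserver aaa_vs_owa
add cs policy cs_pol_aaa -rule "HTTP.REQ.URL.CONTAINS(\"/cgi/tm\") || HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"NSC_TASS\")" -action cs_act_aaa

add cs action cs_act_owa -targetLBVserver lb_vs_owa
add cs policy cs_pol_owa -rule "HTTP.REQ.HOSTNAME.EQ(\"webmail.domain.example\")" -action cs_act_owa

# Priority matters: the AAA policy must be evaluated before the OWA policy.
# If cs_pol_owa wins first, the logon requests land on lb_vs_owa, which
# sends them back to the AAA vserver again and the user loops.
bind cs vserver cs_vs_webmail -policyName cs_pol_aaa -priority 100
bind cs vserver cs_vs_webmail -policyName cs_pol_owa -priority 110
```

Verify with a browser session that the address bar stays on webmail.domain.example through the logon form and that the NSC_TASS cookie is set for that host only.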
Joost Sannen, posted November 4, 2021 (author)

Another project finished with improvements from the both of you.
- Authentication done on the same URL, like webmail.custom.domain
- Going directly to webmail.custom.domain/logon/LogonPoint/index.html redirects to webmail.custom.domain/owa to take care of the cookie for the destination

Thanks guys!