Single external ip for multiple Netscaler Gateway Virtual Servers

[Björn Schläfli]

We now have one Netscaler gateway vServer with a drop-down to send the users to their site. 

Soon we will have multiple tenants for every customer. Users should be able to authenticate to their EntraID (saml) with mfa. As I understand it, I need one Gateway vServer for each customer because I will have to configure one authentication server and authentication profile for each of them and bind it to the appropriate Gateway vServer. First I thought to use Unified Gateway, set expressions in cs policies to differentiate the customers and send them to the appropriate Gateway vServer but UG only supports 1 Gateway vServer. 

The 

Am I right, that I will have to configure one Gateway vServer for each customer?

Or shall it be possible to configure multiple authentication policies and bind them to the Gateway vServer?

 

[Jeff Riechers]

You can have 1 Citrix Gateway attached to 1 Content Switch in your environment.  You can then use the hostname that they use to access the content switch to apply the appropriate nfactor SAML connection.  On the SAML response URL you would but a hostname that points directly to a Citrix Gateway site and use the UPN that is supplied from SAML to log the users in.

[Björn Schläfli]

Hi Jeff,

thank you for your answer. 

I think I don't understand what you're saying. 1 Content Switching server as a single external access point with 1 Gateway server attached. Then I would need a host name for each tenant, i.e. a DNS entry, but they all point to the same content switching server (plus a SAN certificate)? Or how should I generate different hostnames?
Then I could query the host name in the expression of the authentication profile and call the appropriate action, but that doesn't seem practical to me.

I'll give an example of what is necessary in my opinion, assuming 40 tenants that are to be made available via a single external access point. 20 of these tenants each access 1 Virtual Apps & Desktops site via the gateway:
- 1 external url for all users
- 1 gateway server for all users
- 40 authentication actions for every saml tenant configuration
- 40 authentication policies (Expression differentiates customers. How?)
- 1 authentication virtual server
- 1 authentication profile
- ? session profiles to send the users to one of the two sites
- Content switching server (Unified Gateway) necessary?

Can group extraction be carried out via saml? How? The saml authentication action does not offer an option here like with ldap.

[Jeff Riechers]

Thinking about it, you might be able to just do it via nfactor.  Setup your initial landing page with a drop down where they select which customer they are a part of.  Then the next step in the nfactor would send users to their appropriate location.  And you can do session policies based on the nfactor choice to send them to the proper storefront store. (If you are doing dedicated stores for each customer)

 

I did a design similar to this in my terraform template to create an Authentication drop down for my lab so I can do LDAP, SAML, Okta, etc from my single IP.  It was based on the domain drop down in nfactor.  I included the nfactor Authentication Dropdown.xml you can look at for designing your own dropdown.

 

https://github.com/jeffriechers/NetScaler_Terraform_Template

 

 

[Björn Schläfli]

Hi Jeff

That's very kind of you. Thank you. 

The nFactor drop-down solution is the one I use in the current configuration since a few years. I've thought about to use it for this new configuration but that's not possible, as we have a lot of customers and therefore I would have to create a huge drop-down selection and further I cannot publish our customers names in to the internet. 

 

I think if we want to do it with one single entry point the only solution will be to configure a first factor with ldap noauth for group extraction and further factors in order to then assign the appropriate gateway and authentication policy.

[Johannes Norz]

Bjoern, n-factor flows get bound to a AAA vServer by a policy. So the solution would be changing the expression from a simple true to something like HTTP.REQ.HOSTNAME.EQ("customer1.example.com")

That way, you may use the same gateway for several customers and - at the same time - authenticate each one of them using a different n-factor flow. That makes things very handy to use for users and - at the same time - clearer for the admin.

 

Of course, you could create just a single n-factor flow as well and start with a dropdown list. However, this would expose the list of your customers to users, and for the user, it would mean he would have to select the right customer, an unnecessary overhead.

 

Next, you would have to change expressions of the session policies as well. They would be something like HTTP.REQ.HOSTNAME.EQ("customer1.example.com") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix Receiver").NOT

[Björn Schläfli]

Hi Johannes,

 

thank you very much for that idea. I appreciate. I think that covers more or less what I've mentioned in my post from 08. december 23.

That would mean I have to use an external dns entry per customer which is pointing to the same (single) gateway ip. That would also mean I would have to use a SAN certificate which I have to expand with every new customer. 

 

I think it will be the simpler solution to use group extraction but use that in a similar way as your solution. AAA.USER.IS_MEMBER_OF("xyz") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix Receiver").NOT. 

 

Thank you all. I now know variants of how I can accomplish this.