NetScaler AAA nFactor: get "memberOf" and use it to create a new "rdpServerAttribute" that I can use in the RDP Client Profile


Posted

Hi,

I'm working on removing the F5 portal and creating a new NetScaler Unified Gateway instead.
Things are working fine, but the F5 has a custom "RULE_INIT" that takes the groups beginning with "lr_", takes the rest of the group name (adds the domain name) and creates custom RDP icons for the persons using the portal.

I think I want the nFactor to use the LDAPS "memberOf" result and find all groups matching "lr_COMPUTERNAME", remove the "lr_" part of the name, use the rest of the name and add "domain.local",
and create a new AAA attribute "rdpServerAttribute" that's comma-separated, for each of the groups. Then I can use the rdpServerAttribute in the RDP Client

https://docs.netscaler.com/en-us/netscaler-gateway/current-release/rdp-proxy/populate-rdp-url-based-on-ldap-attribute.html#to-populate-rdp-urls-based-on-the-ldap-attribute-by-using-the-gui

Is this possible? And how would I make it happen in an nFactor step after the LDAPS lookup?
Kind Regards


Posted

Hi Nicklas,

Wouldn't it be enough to just create the needed RDP Bookmarks on NetScaler, create AAA groups which are identical to the AD groups the NetScaler should filter on, and bind the RDP Bookmarks to the AAA groups? Then during logon NetScaler will check the group matches and place the RDP Bookmarks in the user's portal.

Regards

Julian

Posted
2 hours ago, Julian Jakob said:

Hi Nicklas,

Wouldn't it be enough to just create the needed RDP Bookmarks on NetScaler, create AAA groups which are identical to the AD groups the NetScaler should filter on, and bind the RDP Bookmarks to the AAA groups? Then during logon NetScaler will check the group matches and place the RDP Bookmarks in the user's portal.

Regards

Julian

Hi Julian,

Yes, that would also be a solution, but a bit more static.
There are more than 200 groups and over 400 members (and nested groups).
I can script in 200 groups and 200 bookmarks in the NetScaler, but groups are constantly being added to and removed from the Active Directory.
I'm working on a PowerShell script that can run once a day to populate an AD attribute (i.e. info) with the RDP Link Attribute needed by the NetScaler RDP Profile.

https://docs.netscaler.com/en-us/netscaler-gateway/current-release/rdp-proxy/populate-rdp-url-based-on-ldap-attribute.html#to-populate-rdp-urls-based-on-the-ldap-attribute-by-using-the-gui

I can't find whether I'm able to process the "memberOf" in an nFactor result and create a new AAA attribute in the format needed.
Cheers :)

Posted

If you're already doing that Powershell bit, I would take it a bit further and in that same script manage the NetScaler config bits (PSH/Nitro, https://www.citrix.com/blogs/2017/04/20/talking-nitro-with-powershell/). I've considered the same for managing parts of configuration that are closely connected to AD groups (VPN & RDP Proxy).

I don't think what you're describing here is supported on NetScaler. I might be wrong.

Posted
On 11/19/2024 at 3:36 PM, Kari Ruissalo said:

If you're already doing that Powershell bit, I would take it a bit further and in that same script manage the NetScaler config bits (PSH/Nitro, https://www.citrix.com/blogs/2017/04/20/talking-nitro-with-powershell/). I've considered the same for managing parts of configuration that are closely connected to AD groups (VPN & RDP Proxy).

I don't think what you're describing here is supported on NetScaler. I might be wrong.

Hi Kari,

Yes, I've made a PowerShell script that will populate the AD attribute with the correct data.
Script is done.
I've also done another script that uses "invoke-nitro" and a PowerShell module and can make the aaagroup, vpnurl and bind them with aaagroup_vpnurl_binding.
Script is done.
I see, most likely using the AD attribute will be the way to go :)

I've found some traces of programming support in NetScaler called "NetScaler Lua"
https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-extensions/citrix-adc-extensions-language-overview
With this I probably would be able to program something, but I'm not a developer


Kind Regards,

Cheers
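The transformation asked for in the first post (groups named lr_COMPUTERNAME become a comma-separated list of COMPUTERNAME.domain.local) and the daily AD population job described in the last post, as an added example. This is not the poster's script and not NetScaler or Citrix code; it assumes the RSAT ActiveDirectory module is installed, that the target attribute is "info" (the one mentioned in the thread), that the suffix is "domain.local", and the function names are made up here. The NetScaler side stays as in the linked doc: the RDP client profile reads the attribute, so the attribute name used below has to match what the profile is configured to read.

```powershell
# Added example (not the poster's script, not NetScaler/Citrix code). Collects the user's
# groups named lr_<COMPUTERNAME>, strips the "lr_" prefix, appends the DNS suffix and stores
# the comma-separated result in one AD attribute that the NetScaler RDP client profile reads.
# Assumptions: RSAT ActiveDirectory module present, attribute "info", suffix "domain.local";
# the function names are hypothetical.

function ConvertTo-RdpServerList {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $GroupDn, # DNs of the user's groups
        [string] $Prefix    = 'lr_',
        [string] $DnsSuffix = 'domain.local'
    )
    $servers = foreach ($dn in $GroupDn) {
        # The group name is the leading CN= RDN of its distinguished name
        if ($dn -match '^CN=([^,]+)') {
            $cn = $Matches[1]
            if ($cn.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $name = $cn.Substring($Prefix.Length)
                # Allow only a plain host label, so a mistyped or hostile group name cannot
                # smuggle a separator or a foreign domain into the list of RDP targets
                if ($name -match '^[A-Za-z0-9][A-Za-z0-9-]{0,62}$') { "$name.$DnsSuffix" }
            }
        }
    }
    # Sorted and de-duplicated, so the stored value only changes when membership really changes
    return ($servers | Sort-Object -Unique) -join ','
}

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping for a DN embedded in an LDAP filter (backslash first)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Update-RdpServerAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU that holds the portal users
        [string] $Attribute = 'info',                   # must match what the RDP client profile reads
        [string] $DnsSuffix = 'domain.local'
    )
    Import-Module ActiveDirectory

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attribute) {
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the DC, so a user placed in
        # a group that is itself a member of lr_FS01 still receives FS01 (memberOf alone would not)
        $escapedDn = ConvertTo-LdapFilterValue $user.DistinguishedName
        $groups    = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
        $wanted    = ConvertTo-RdpServerList -GroupDn @($groups | ForEach-Object DistinguishedName) -DnsSuffix $DnsSuffix
        $current   = [string]$user.$Attribute

        if ($wanted -eq $current) { continue }          # idempotent: write only on change

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "set $Attribute to '$wanted'")) {
            if ($wanted) {
                Set-ADUser -Identity $user -Replace @{ $Attribute = $wanted }
            } else {
                Set-ADUser -Identity $user -Clear $Attribute   # no lr_ groups left: remove stale targets
            }
        }
    }
}

# Constructed sample input, to exercise the transformation without touching AD:
$sample = @(
    'CN=lr_FS01,OU=RdpGroups,DC=domain,DC=local',
    'CN=lr_app-02,OU=RdpGroups,DC=domain,DC=local',
    'CN=Domain Users,CN=Users,DC=domain,DC=local',
    'CN=lr_FS01,OU=Archive,DC=domain,DC=local'
)
ConvertTo-RdpServerList -GroupDn $sample

# Daily run; preview with -WhatIf before letting the scheduled task write:
# Update-RdpServerAttribute -SearchBase 'OU=PortalUsers,DC=domain,DC=local' -WhatIf
```

Two points matter for a scheduled job that writes into AD from group names: the host label is whitelisted by a regex before it is turned into an RDP target, so renaming a group cannot push an arbitrary string into every member's RDP profile, and the attribute is cleared (not left stale) when a user's last lr_ group is removed, so access revocation in AD shows up in the portal on the next run.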
