[Multiple SAML Authentication Actions Single gateway vserver How do I write expression to chose appropriate action based on user URL entered?]

Hi Simon,

The expression you are using "HTTP.REQ.URL.CONTAINS" is just checking the URL part of your request, i.e. the string after your FQDN. E.g. if your site is "https://access.corp.com/login.html", it is just checking "/login.html".

To check the FQDN (i.e. "access.corp.com"), you can use "HTTP.REQ.HOSTNAME.CONTAINS".

Thanks and regds,

Chris

[Hope all of you have seen the new NetScaler Logo, website(https://www.netscaler.com/) colors messaging etc. Please comment on what you liked about this new change?]

I like the new design of our logo net>scaler. The ">" is the tricky and familiar sign for every one of us, who always logs on the CLI of NetScaler. It is the shell prompt ">". It also relates NetScaler to the current modern app delivery, which always includes certain scripting.

[NetScaler ns.log 101 question.. Why did my NetScaler HA failover?]

Oh. Then I think I will let our techsupport to give you an professional answer as there must be other log files providing more visibility and deep investigation.

Just one thing: normally, I would look into the ns.log files (maybe zipped into different versions already) around the failover timestamp and from that file, looking for any abnormal events happened around/before the failover happened. Surely, it might just give you the abnormal event (e.g. link down). The root cause behind that might need further analysis.

[NetScaler ns.log 101 question.. Why did my NetScaler HA failover?]

Hi Simon,

Have you ever tried uploading the support bundle to CIS (https://cis.citrix.com/) for a quick analysis?

 

This is the supporting tool and everyone can use it via your Citrix account credential. Once you log in, go to "Workspace" and click "Tools". Following the dialog, you can upload the support bundle file and it will automatically analyse all the logs for you.

After a while, an email will be sent to you, with the link for you to read the result.

See whether this online tool could help you troubleshoot first. Surely, any NetScaler with a valid support maintenance could also open a support case in your scenario.

[Hello, Is it possible to create a EPA pre auth scan for an lb vServer. Is this supported?]

Yes. You are correct.

• Enabling the Authentication setting in that LB VServer
• Configuring the required info, like logon FQDN, AAA Vserver, etc...
• Configuring the required info for the corresponding AAA Vserver.

 

All the nFactor flow in AAA Vserver is the same as the one used in Gateway Vserver use case.

[Is it possible to run a nFactor EPA pre-auth scan for a certain range of client IP addresses? We want to be able to run EPA pre-auth scans for connections from an untrusted network and bypass the EPA scans if on a trusted network.]

Yes, something like that:

 

And in the first Trusted-IP factor, the trusted-ip-pol policy is like that:

 

The Other-IP policy is like that:

 

You may try other combinations and alternatives going on and on. Good luck~!

[Is it possible to run a nFactor EPA pre-auth scan for a certain range of client IP addresses? We want to be able to run EPA pre-auth scans for connections from an untrusted network and bypass the EPA scans if on a trusted network.]

Yes. By using nFactor Auth approach, you may setup a Factor, with No-Auth policy, to distinguish the client source IP and see whether it is within a defined internal subnet. If yes, will go to the next Auth Factor directly. If no, will go to an EPA Factor, and then to the Auth Factor.

Using the nFactor Visualizer to configure will be easier for you to track the flow.