Setup NetScaler as ADFS Proxy

Most home labs and small businesses only have one public IP address, and since a lot of services run on port 443 it becomes difficult to expose them to the internet. That’s the case for me, and last week I spent WAY too much time trying to get NetScaler ADFS Proxy running behind a Content Switch.

I’ve been working for a while on an article called Getting Started with Office 365, but before I can release that to the public I need to resolve my main problem: getting NetScaler ADFS Proxy up and running on the same IP address as my Unified Gateway.


NetScaler ADFS Proxy – Prerequisite

First off, make sure the Rewrite feature is licensed and enabled. The first command in the configuration below enables it together with the other features used (LB, CS, SSL, SSLVPN and AAA), but the rewrite policies will silently do nothing if the feature is off.


NetScaler ADFS Proxy – Configuration

In the configuration below, replace the following placeholders:

  • 192.168.1.170 with the IP address or FQDN of your internal ADFS server
  • UG with the name of your Content Switch vServer
  • HOSTNAME with the host part of your federation service name (the name on your ADFS certificate)
  • Wildcard-External with the name of your wildcard certificate

A few notes on what the commands do. The Content Switch policy only forwards requests whose URL contains /adfs, so anything else on that hostname (for example /federationmetadata/2007-06/federationmetadata.xml) is not published through it unless you widen the rule. The -cip setting on the service and the X-MS-Proxy rewrite give ADFS the real client address and tell it the request came in through a proxy, which is what ADFS bases its extranet behaviour on; insert_http_header adds a header but does not remove one the client already sent, so strip client-supplied copies of those two headers first if ADFS must only ever see your values. The mex rewrite sends MEX requests on to the proxymex endpoint, which returns the metadata intended for clients outside the network.

Connect to your NetScaler through PuTTY and paste the following commands:


  • enable ns feature LB CS SSL SSLVPN AAA REWRITE
  • add server adfs 192.168.1.170
  • add service adfs_https adfs SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
  • add lb vserver vip_adfs_https SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
  • add cs policy adfs -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"HOSTNAME.xenapptraining.com\") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/adfs\")"
  • add rewrite action rewrite_adfs_ProxyHeader insert_http_header X-MS-Proxy "\"NETSCALER\""
  • add rewrite action rewrite_adfs_Mex replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.AFTER_STR(\"/adfs/services/trust/mex\").HTTP_URL_SAFE"
  • add rewrite policy rw_pol_adfs_ProxyHeader "http.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs\")" rewrite_adfs_ProxyHeader
  • add rewrite policy rw_pol_adfs_Mex "http.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" rewrite_adfs_Mex
  • bind lb vserver vip_adfs_https adfs_https
  • bind lb vserver vip_adfs_https -policyName rw_pol_adfs_ProxyHeader -priority 100 -gotoPriorityExpression NEXT -type REQUEST
  • bind lb vserver vip_adfs_https -policyName rw_pol_adfs_Mex -priority 110 -gotoPriorityExpression END -type REQUEST
  • bind cs vserver UG -policyName adfs -targetLBVserver vip_adfs_https -priority 70
  • add lb monitor mon_adfs_https HTTP-ECV -customHeaders "host: HOSTNAME.xenapptraining.com\r\n" -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "HOSTNAME.xenapptraining.com/adfs/services/trust" -LRTM ENABLED -secure YES
  • bind service adfs_https -monitorName mon_adfs_https
  • bind ssl vserver vip_adfs_https -certkeyName Wildcard-External

After you’ve added all the commands, go to Traffic Management – Load Balancing – Virtual Servers and check that vip_adfs_https is in the UP state. If it is DOWN, a failing monitor is the likely reason: it fetches the federation metadata over HTTPS with the Host header set to your ADFS hostname and expects the -recv string in the reply, so the ADFS server has to answer a connection that carries no SNI (see the netsh note further down).

Finally, check from outside, or locally by adding an entry to your hosts file that points the ADFS hostname at the IP address of your Content Switch.

Open a browser to http://microsoftonline.com

After entering your email address, you should be redirected to your ADFS sign-in page, served through the NetScaler.
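If you would rather not touch a hosts file, the following added PowerShell probe (my code, not from the original post) connects to the Content Switch VIP by IP address, sends SNI for the ADFS hostname and requests the MEX endpoint through the /adfs path, so the CS policy, the LB vserver, the certificate binding and the proxymex rewrite are all exercised in one go. The VIP address 203.0.113.10 is an assumed placeholder; 192.168.1.170 and HOSTNAME.xenapptraining.com are the post’s own placeholders. The -NoSni switch reproduces a client that omits SNI, which is what older NetScaler monitors do, and is handy against the ADFS server itself when chasing the SNI problem described further down.

```powershell
# Added example, not from the original post: a raw TLS + HTTP probe that talks to the
# Content Switch VIP by IP address, so no hosts-file edit is needed to test.
# Placeholders (assumptions): the VIP 203.0.113.10; 192.168.1.170 and
# HOSTNAME.xenapptraining.com are the post's own placeholders.
function Invoke-AdfsProbe {
    param(
        [Parameter(Mandatory)] [string] $TargetIp,   # Content Switch VIP, or an ADFS server
        [Parameter(Mandatory)] [string] $HostName,   # federation service name (SNI + Host header)
        [string] $Path = '/adfs/services/trust/mex', # goes through the proxymex rewrite
        [switch] $NoSni,                             # behave like a client that omits SNI
        [int]    $Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($TargetIp, $Port)

    # Accept whatever certificate is offered: we want to report it, and a connection
    # made by IP address will never match the name on a wildcard certificate anyway.
    $trustAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAny)

    # SslStream sends SNI for a host name but never for an IP literal, so handing it the
    # IP address as the target host is the simplest way to get a handshake without SNI.
    $sniTarget = if ($NoSni) { $TargetIp } else { $HostName }
    try {
        $ssl.AuthenticateAsClient($sniTarget)
    } catch {
        $tcp.Close()
        return [pscustomobject]@{
            Sni = -not $NoSni; Handshake = 'FAILED'; Error = $_.Exception.Message
            CertSubject = $null; Status = $null; LooksLikeWsdl = $false
        }
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Minimal HTTP/1.1 request; Connection: close lets us simply read to end of stream.
    $request  = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
    $bytes    = [System.Text.Encoding]::ASCII.GetBytes($request)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()
    $reader   = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
    $response = $reader.ReadToEnd()
    $tcp.Close()

    [pscustomobject]@{
        Sni           = -not $NoSni
        Handshake     = 'OK'
        Error         = $null
        CertSubject   = $cert.Subject
        Status        = ($response -split "`r`n")[0]
        # The MEX/proxymex answer is a WSDL document. Anything else (an error page, or
        # whatever the Content Switch serves by default) means the request never
        # reached ADFS through the /adfs rule.
        LooksLikeWsdl = ($response -match 'wsdl:definitions')
    }
}

# Through the Content Switch, exactly as an external client would arrive:
Invoke-AdfsProbe -TargetIp 203.0.113.10 -HostName HOSTNAME.xenapptraining.com

# Straight at the ADFS server, with and without SNI. If the no-SNI handshake fails
# while the SNI one succeeds, the server only has a hostname (SNI) certificate
# binding and needs the netsh fallback binding.
Invoke-AdfsProbe -TargetIp 192.168.1.170 -HostName HOSTNAME.xenapptraining.com -NoSni
Invoke-AdfsProbe -TargetIp 192.168.1.170 -HostName HOSTNAME.xenapptraining.com
```

A healthy result against the Content Switch is Handshake OK, the wildcard certificate in CertSubject, a 200 status line and LooksLikeWsdl True. A 200 with LooksLikeWsdl False usually means the hostname did not match the cs policy and you are looking at whatever the Content Switch serves by default.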

Read the post Customize Your Internal Web Resources to customize the sign in page.

If everything works okay, head over to PuTTY again and save your config:

  • save config

You might still run into problems, depending on SNI and your certificate: ADFS on Windows Server 2012 R2 registers its certificate as an SNI (hostname) binding only, so a client that does not send SNI, such as the NetScaler monitor on older builds, is offered no certificate, the handshake fails and the vserver stays DOWN. This is easily resolved by adding an IP-based fallback binding with the same certificate. Run the following two commands on all of your ADFS server(s): the first lists the existing bindings (copy the Certificate Hash and Application ID from the entry for your federation service hostname), the second adds the fallback binding.

 
  • netsh http show sslcert
  • netsh http add sslcert ipport=0.0.0.0:443 certhash=CERTIFICATIONHASH appid={APPLICATIONID} certstorename=MY

If you use PowerShell you need appid='{APPLICATIONID}' (the braces would otherwise be parsed as a script block), while in Command Prompt it’s just appid={APPLICATIONID}.
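The same fix as an added PowerShell script (my code, not from the original post): it reads the binding ADFS already registered, copies its certificate hash and application ID, adds the 0.0.0.0:443 fallback and verifies it, quoting appid the way PowerShell needs. It assumes English netsh output, a Windows Server 2012 R2-style hostname binding, and the post’s placeholder federation service name.

```powershell
# Added example, not from the original post: adds the non-SNI fallback binding on an
# ADFS server by copying the certificate hash and application ID from the binding
# ADFS already registered, then verifies it. Run in an elevated PowerShell on each
# ADFS server. Assumptions: English netsh output, a Windows Server 2012 R2-style
# hostname binding, and the post's placeholder federation service name.
param(
    [string] $FederationHost = 'HOSTNAME.xenapptraining.com'
)

function Get-HttpSslBindings {
    # Parse "netsh http show sslcert": each binding is a block of "Label : Value"
    # lines that starts with either an IP:port or a Hostname:port line.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; CertHash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

$all = Get-HttpSslBindings

# ADFS on 2012 R2 registers its certificate as a hostname (SNI) binding only; that is
# the binding whose certificate we re-use for clients that send no SNI.
$adfs = $all | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -eq "${FederationHost}:443" } |
        Select-Object -First 1
if (-not $adfs) { throw "No SNI binding found for ${FederationHost}:443; check 'netsh http show sslcert' by hand." }

# Idempotent: do nothing if an IP-based binding on 0.0.0.0:443 already exists.
$existing = $all | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq '0.0.0.0:443' }
if ($existing) {
    Write-Host "Fallback binding 0.0.0.0:443 already present (hash $($existing.CertHash)); nothing to do."
    return
}

# The braces in the appid would be parsed as a script block by PowerShell, hence the
# quotes; cmd.exe needs none. PowerShell strips the quotes before netsh sees them.
$output = netsh http add sslcert ipport=0.0.0.0:443 certhash=$($adfs.CertHash) appid="$($adfs.AppId)" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $output" }

# Verify that the new binding carries the same certificate as the ADFS SNI binding.
$fallback = Get-HttpSslBindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq '0.0.0.0:443' }
if (-not $fallback -or $fallback.CertHash -ne $adfs.CertHash) {
    throw 'Fallback binding is missing or bound to a different certificate.'
}
Write-Host "Added 0.0.0.0:443 -> certificate $($fallback.CertHash), appid $($fallback.AppId)"
```

Afterwards a handshake that omits SNI (for example openssl s_client -connect 192.168.1.170:443 without -servername) should be answered with the ADFS certificate instead of failing, which is what the NetScaler monitor needs. On a non-English Windows the netsh labels differ and the regular expressions need adjusting.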

You’ll probably see a lot of warnings in the event log on your ADFS server(s). These are caused by the NetScaler monitor repeatedly fetching the federation metadata XML, so no worries.

Judging by the Twitter storm, I hope many find this blog post helpful. One less server and OS license in the DMZ.
