Most home labs and small businesses normally have only one public IP address, and since a lot of services run on port 443 it becomes difficult to expose them to the internet. That’s the case for me, and last week I spent WAY too much time trying to get NetScaler ADFS Proxy running behind a Content Switch.
I’ve been working for a while on an article called Getting Started with Office 365, but before I can release it to the public I need to resolve my main problem: getting NetScaler ADFS Proxy up and running on the same IP address as my Unified Gateway.
Needless to say, after pointing my public IP address to my NetScaler Content Switch, ADFS went down and my business email became unavailable (luckily it worked from iOS devices).
There’s hardly any info online, and most of it relates to ADFS 2.0. Without this blog post I would never have been able to figure this out. But there was a problem: the NetScaler monitor in that post didn’t work for me.
85% of my NetScaler Load Balancer Config time is customizing monitors
Dave Brett – CUGC Netscaler SIG Leader
So let me show you how I managed to configure NetScaler as ADFS Proxy without AAA. Let’s get started.
NetScaler ADFS Proxy – Prerequisite
First off, make a backup/snapshot of your NetScaler VM and download a copy of /flash/nsconfig/ns.conf.
Make sure to enable the Rewrite Feature.
NetScaler ADFS Proxy – Configuration
In the config below, replace:
- 192.168.1.170 with IP or FQDN of your internal ADFS Server
- UG with the name of your content switch
- HOSTNAME with the hostname of your ADFS certificate
- Wildcard-External with the name of your wildcard certificate
Connect to your NetScaler through PuTTY and paste the following commands:
enable ns feature LB CS SSL SSLVPN AAA REWRITE
add server adfs 192.168.1.170
add service adfs_https adfs SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add lb vserver vip_adfs_https SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add cs policy adfs -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"HOSTNAME.xenapptraining.com\") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/adfs\")"
add rewrite action rewrite_adfs_ProxyHeader insert_http_header X-MS-Proxy "\"NETSCALER\""
add rewrite action rewrite_adfs_Mex replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS(\"/adfs/services/trust/mex\").HTTP_URL_SAFE"
add rewrite policy rw_pol_adfs_ProxyHeader "http.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs\")" rewrite_adfs_ProxyHeader
add rewrite policy rw_pol_adfs_Mex "http.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" rewrite_adfs_Mex
bind lb vserver vip_adfs_https adfs_https
bind lb vserver vip_adfs_https -policyName rw_pol_adfs_ProxyHeader -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vip_adfs_https -policyName rw_pol_adfs_Mex -priority 110 -gotoPriorityExpression END -type REQUEST
bind cs vserver UG -policyName adfs -targetLBVserver vip_adfs_https -priority 70
add lb monitor mon_adfs_https HTTP-ECV -customHeaders "host: HOSTNAME.xenapptraining.com\r\n" -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "HOSTNAME.xenapptraining.com/adfs/services/trust" -LRTM ENABLED -secure YES
bind service adfs_https -monitorName mon_adfs_https
bind ssl vserver vip_adfs_https -certkeyName Wildcard-External
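As an added example that is not part of the original post, here is a Python model of the three policy expressions above (the cs policy, the X-MS-Proxy header insert and the mex-to-proxymex URL rewrite), so you can check which requests the Content Switch hands to vip_adfs_https and what ADFS actually receives. The hostname is the post's HOSTNAME placeholder, and HTTP_URL_SAFE is approximated with urllib's quote; both are assumptions.

```python
from urllib.parse import quote

ADFS_HOST = "HOSTNAME.xenapptraining.com"   # placeholder hostname from the post
MEX_PATH = "/adfs/services/trust/mex"
PROXYMEX_PATH = "/adfs/services/trust/proxymex"


def cs_policy_adfs(host, url):
    """cs policy 'adfs': HOSTNAME equals ADFS_HOST and URL contains /adfs,
    both evaluated with SET_TEXT_MODE(IGNORECASE)."""
    return host.lower() == ADFS_HOST.lower() and "/adfs" in url.lower()


def strip_start_chars(text, chars):
    """NetScaler STRIP_START_CHARS: drops leading characters that belong to
    the given character *set* (not a literal prefix) until the first character
    outside the set; IGNORECASE makes the comparison case-blind."""
    allowed = set(chars.lower())
    i = 0
    while i < len(text) and text[i].lower() in allowed:
        i += 1
    return text[i:]


def rewrite(headers, url):
    """Apply rw_pol_adfs_ProxyHeader (priority 100, goto NEXT) and then
    rw_pol_adfs_Mex (priority 110, goto END) to one request."""
    headers = dict(headers)
    if url.lower().startswith("/adfs"):
        headers["X-MS-Proxy"] = "NETSCALER"          # insert_http_header
    if url.lower().startswith(MEX_PATH):
        rest = strip_start_chars(url, MEX_PATH)
        # HTTP_URL_SAFE approximated with urllib quote (assumption)
        url = PROXYMEX_PATH + quote(rest, safe="/?=&")
    return headers, url


def handle(host, url, headers=None):
    """Return ("vip_adfs_https", headers, url) when the cs policy sends the
    request to the ADFS vserver, or None when it falls through to the other
    Unified Gateway policies (e.g. the metadata URL the monitor fetches,
    which the monitor requests from the service directly, not via the CS)."""
    if not cs_policy_adfs(host, url):
        return None
    new_headers, new_url = rewrite(headers or {}, url)
    return "vip_adfs_https", new_headers, new_url
```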
I could provide 50 screenshots of the above config, but there are so many things that could go wrong that I ONLY recommend going the command route.
As with every blog post and video in my xenapptraining.com course, this has been tested several times!
After you’ve added all the commands, head into Traffic Management – Load Balancing and check that the vip_adfs_https vServer is in the UP state.
Finally, test externally, or locally by pointing your local hosts file at the IP address of your Content Switch.
Open a browser to http://microsoftonline.com
After entering your email address the page should successfully redirect you to your internal ADFS authentication page.
Read the post Customize Your Internal Web Resources to customize the sign-in page.
If everything works okay, head over to PuTTY again and save your config.
save config
You might run into problems, however, depending on SNI and your certificate. This can easily be resolved by running the following two commands on all of your ADFS Server(s).
netsh http show sslcert
netsh http add sslcert ipport=0.0.0.0:443 certhash=CERTIFICATIONHASH appid={APPLICATIONID} certstorename=MY
If you use PowerShell you need appid='{APPLICATIONID}', while with Command Prompt it’s just appid={APPLICATIONID}.
You’ll probably see a lot of Warnings on your ADFS Server(s). These are caused by the NetScaler monitor fetching the metadata XML file, so no worries.
Judging by the Twitter storm, I hope many find this blog post helpful. One less server and OS license in the DMZ.
I want to thank Dave Brett for giving me a 30-minute deep-dive into how Content Switches and Monitors work together, and Phillip Jones, who was about to log into my system and resolve my headache.
PS: Please note that I used a Service instead of a Service Group simply because I only have one ADFS server internally at the moment.
Nice job and great article! I am doing exactly the same thing, except I use SSL bridging. I let ADFS terminate the SSL session.
Awesome, but the thing is that SSL Bridging won’t work behind a Netscaler Unified Gateway. I only have one external IP in my lab.
Hi guys,
to avoid the mess in the ADFS log use the new monitoring method Microsoft introduced with ADFS 3: HEAD /adfs/probe on port 80.
See monitor notes here: https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/
Thanks Simon, will take a look at it.
What would we need to change in your script if we didn’t want everything under a single IP?
E.g. we want to use ADFS proxy as above without AAA, however we want to assign it to a VIP which we will then NAT to our Public IP (we have a few spare so no need to context switch). Thanks in advance.
You probably have to change the line bind cs vserver and use bind to VIP instead.
A great article thanks! Have you tested access via the different clients? OWA, Outlook 2016, Outlook 2013?
I’ve just tested with Office 365 version 2013 & 2016.
Hi Erik,
thanks for the excellent article. I have my ADFS Proxy set up exactly as per your article and it works just like yours (but with a basic CS, not Unified Gateway). In this config I have tested Salesforce using the ADFS proxy for SAML authentication and it works fine. When I set up Unified Gateway but use your ADFS Proxy / SAML Policy for authentication to UG, SAML apps like Salesforce no longer work – it keeps redirecting back to the UG landing page once Salesforce is authenticated. I’m thinking I should use 2 IP addresses (UG and ADFS Proxy) to simplify things regarding the content switching. What do you think? Is there a better way?
I agree, I would try that.
Can you share your script as I would like to use a dedicated IP for this. This script above did not work for me, I may be doing something wrong or missed a step perhaps.
Thanks for your help.
You need to carefully read through the script and the blog. Just change my IPs to yours.
Trond,
First of all great article !
The benefit of using this compared to the guide from Citrix (https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf) is that you don’t need an Enterprise or Platinum license for your VPX/MPX?
In the configuration you’re enabling the AAA feature; this shouldn’t be necessary since you’re not using the AAA feature on the Netscaler?
Exactly, guess that AAA feature was enabled by default in my Platinum edition, so you just need rewrite.
Nice blog! I prefer enabling SNI on the Netscaler VS service or service group instead of changing the certificate configuration on the ADFS server. SNI is supported on the VS service or service group since Netscaler 12.X.
https://docs.citrix.com/en-us/netscaler/12/ssl/config-ssloffloading/support_for_sni_on_backend_service.html
Was looking for exactly this. Thanks a bunch!
I do have one Q: does ADFS still see the connections coming in as Extranet, or would they now be considered Intranet? Referring to the authentication methods that get applied.
Thanks again!
Hi Erik
Great post, I have followed your article and was able to get ADFS working.
Only issue is when using the Outlook app on iOS: when I set up email it redirects me to the ADFS page and after authenticating gives me a Http/1.1 Service Unavailable error. It happens on S4B and Office apps on iOS also.
Any ideas or have you tested this with your configuration?
Many thanks
Adam
Great Adam, sorry haven’t tried with other services, you should try to ping @dbretty on Twitter.
Hi Trond,
Great article. Doesn’t seem to work for ADFS 3 in Server 2012 R2. Using Wireshark, I can see failed SSL Handshakes on the ADFS server. The ADFS server doesn’t respond with a Server Hello or error, just an ACK/RST.
Yeah using this will severely cut the ADFS feature set. It completely breaks client certificate authentication and pass-through authentication, for example.
Hi Eric,
Great read, thanks very much. I was wondering if you have any experience with the new ADFS smartlockout features.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/
I have enabled them on the ADFS servers but I’m not sure it is working, and everything I am reading points to a possible issue with the Proxy layer.
Any help would be greatly appreciated.
No sorry, haven’t had time to look into that.
Hi Eric
Thank you for the article
I have set up the system and found that Pass-through authentication is not working. I need to type the user name and password every time.
Is there anything that I am missing?
Thank you