Setup NetScaler as ADFS Proxy

43 Shares

Most home labs and small businesses normally only have 1 public IP address and since a lot of services run on port 443 it becomes difficult to open these to the internet. That’s the case for me, and last week I spent WAY to much time trying to get NetScaler ADFS Proxy running behind a Content Switch.

I’ve been working a while on an article called Getting Started with Office 365, but before I can release that to the public I need to resolve my main problem, getting NetScaler ADFS Proxy up and running on the same IP address as my Unified Gateway.

Setup Netscaler as ADFS Proxy 01

Needless to say, after pointing my public IP address to my NetScaler Content Switch, ADFS went down and my business email became unavailable (luckily it worked from iOS devices).

There’s hardly any info online and most are related to ADFS 2.0. Without this blog post I would never been able to figure this out. But there was a problem, the NetScaler monitor in that post didn’t work for me.

85% of my NetScaler Load Balancer Config time is customizing monitors
Dave Brett – CUGC Netscaler SIG Leader

So let me show you how I managed to configure NetScaler as ADFS Proxy without AAA. Let’s get started.

NetScaler ADFS Proxy – Prerequisite

First off make a backup/snapshot your of NetScaler VM and download a copy of /flash/nsconfig/ns.conf.

Make sure to enable the Rewrite Feature.

Netscaler ADFS Proxy 06

NetScaler ADFS Proxy – Configuration

Replace the config below with the following:

  • 192.168.1.170 with IP or FQDN of your internal ADFS Server
  • UG with the name of your content switch
  • HOSTNAME with the hostname of your ADFS certificate
  • Wildcard-External with the name of your wildcard certificate

Connect to your NetScaler through Putty and paste the following commands:

I could provide 50 screen shots on the above config, but there’s so many things that could go wrong that I ONLY recommend going the command route.

As with every blog posts and videos inside my xenapptraining.com course, they’re all tested various times!

After you’ve added all the commands head into Traffic Management – Load Balancing and check that the vip_adfs_https vServer is in Up State.

Netscaler ADFS Proxy 08

Finally check externally or locally by modifying your local hosts file (IP ADR of your Content Switch).

Open a browser to http://microsoftonline.com

Netscaler ADFS Proxy 02

After entering your email address the page should successfully redirect you to your internal ADFS authentication page.

Netscaler ADFS Proxy 04

Read the post Customize Your Internal Web Resources to customize the sign in page.

If everything works okay, head over to Putty again and save your config.

You might get problems however, depeding on SNI and your certificate. This can easily be resolved by running the following two commands on all of your ADFS Server(s).

Netscaler ADFS Proxy 10

If you use Powershell you need appid='{APPLICATIONID}’ while with Command Prompt it’s just appid={APPLICATIONID}.

You’ll probably see a lot of Warnings on your ADFS Server(s). This is related to NetScaler checking the XML file (Monitor), so no worries.

Netscaler ADFS Proxy 09

According to the twitter storm I hope many find this blog post helpful. One less server and OS license in the DMZ.

Netscaler ADFS Proxy 07

I want to thank Dave Brett for giving me a 30 minute deep-dive into how Content Switch and Monitors work together and Phillip Jones that was about to log into my system and resolve my headache.

PS: Please note that I used a Services instead of Service Group simply because I only have one ADFS server internally at the moment.

NetScaler ADFS Proxy – Resources

43 Shares

Automation Framework Community Edition

The fastest way to build your lab environment.

Virtual Expo

Friday 30th of September 2022

23 thoughts on “Setup NetScaler as ADFS Proxy”

  1. Nice job and great article! I am doing exact the same thing, except I use sslbridging. I let ADFS terminate the SSL session.

    Reply
  2. What would we need to change on your script if we didnt want everything under a single IP?

    EG we want to use ADFS proxy as above without AAA however we want to assign it to a VIP which we will then NAT to our Public IP (we have a few spare so no need to context switch) Thanks in advanced

    Reply
  3. A great article thanks! Have you tested access via the different clients? OWA, Outlook 2016, Outlook 2013?

    Reply
  4. Hi Erik,
    thanks for the excellent article. I have my ADFS Proxy set up exactly as per your article and it works just like yours (but with a basic CS, not Unified Gateway). In this config I have tested Salesforce using the ADFS proxy for SAML authentication and it works fine. When I setup Unified Gateway but using your ADFS Proxy / SAML Policy for authentication to UG, SAML apps like Salesforce no longer work – it keeps redirecting back to the UG landing page once Salesforce is authenticated. I’m thinking I should use 2 IP addresses (UG and ADFS Proxy) to simplify things regarding the content switching. What do you think? Is there a better way?

    Reply
  5. Trond,

    First of all great article !
    The benefit of using this compared to the guide from Citrix (https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf) is that you don’t need an Enterprise or Platinum license for your VPX/MPX ?
    In the configuration you’re enabling the AAA feature this shouldn’t be necessary since your not using the AAA feature on the Netscaler ?

    Reply
  6. Was looking for exactly this. Thanks a bunch!

    I do have one Q; Does ADFS still sees the connections coming in as Extranet or would it now be considered intranet? Referring to the authentication methods that get applied.

    Thanks again!

    Reply
  7. Hi Erik

    Great post, i have followed your article and was able to get ADFS working
    Only issue is when using Outlook app on iOS when i setup email it redirects me to ADFS page and after authenticating gives me a Http/1.1 Service Unavailable error it happens on S4B and Office apps also on iOS
    Any ideas or have you tested this with your configuration?

    Many thanks
    Adam

    Reply
  8. HI Trond,

    Great article. Doesn’t seem to work for ADFS 3 in Server 2012 R2. Using Wireshark, I can see failed SSL Handshakes on the ADFS server. The ADFS server doesn’t respond with a Server Hello or error, just an ACK/RST.

    Reply
  9. Yeah using this will severely cut the ADFS feature set. It completely breaks client certificate authentication and pass-through authentication, for example.

    Reply
  10. Hi Eric,
    Great read, thanks very much. I was wondering if you have any experience with the new ADFS smartlockout features.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

    https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/

    I have enabled them on the ADFS servers but not sure it is working and everything I am ready points to a possible issue with the Proxy layer.

    Any help would be greatly appreciated.

    Reply
  11. Hi Eric

    Thank you for the article

    I have set up the system and found that the Pass-through authentication is not working. I need to type the user name and password everytime.

    Is there anything that am missing?

    Thank you

    Reply

Leave a Comment