Building a NetScaler Gateway from Scratch – Part 2 – The CLI !


In my last post I showed you how to create a NetScaler Gateway from Scratch without using the wizard.  Once this was released I got some feedback from Twitter asking for the command line (CLI) method for doing the same.


So here it is. Obviously you will need to replace the <TEXT_LIKE_THIS> placeholders with your own site-specific values.

These commands assume that you have already created the Diffie-Hellman key under the NetScaler SSL settings and have imported your public certificate together with the trusted root and intermediate CA certificates onto the NetScaler.

Enjoy!

b@m #NetScalerRocks

#Enable the features required for the build
enable ns feature SSL SSLVPN REWRITE

#Add LDAP Policy and Profile
add authentication ldapAction <PROFILE_LDAP> -serverIP <IP_ADDRESS> -serverPort <PORT> -ldapBase "<LDAP_BASE>" -ldapBindDn <LDAP_BIND_ACCOUNT> -ldapBindDnPassword <LDAP_PASSWORD> -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute userPrincipalName -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute cn
add authentication ldapPolicy <POLICY_LDAP> ns_true <PROFILE_LDAP>

#Add SSL Cipher Group
add ssl cipher <CIPHER_GROUP_NAME>
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher <CIPHER_GROUP_NAME> -cipherName SSL3-DES-CBC3-SHA

#Add NetScaler Gateway Session Policies and Profiles
add vpn sessionAction <PROFILE_NATIVE> -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "<STOREFRONT_WEB_ADDRESS>" -ClientChoices OFF -ntDomain <DOMAIN_NAME> -clientlessVpnMode OFF -storefronturl "<STOREFRONT_BASE_URL>"
add vpn sessionAction <PROFILE_WEB> -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "<STOREFRONT_WEB_ADDRESS>" -wiPortalMode COMPACT -ClientChoices ON -ntDomain <DOMAIN_NAME> -clientlessVpnMode OFF
add vpn sessionPolicy <POLICY_NATIVE> "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" <PROFILE_NATIVE>
add vpn sessionPolicy <POLICY_WEB> "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" <PROFILE_WEB>

#Create Rewrite Actions and Policies
add rewrite action <REWRITE_ACTION_STS> insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy <REWRITE_POLICY_STS> true <REWRITE_ACTION_STS>

#Add NetScaler Gateway vServer and Assign XA_XD TCP Profile
add vpn vserver <GATEWAY_NAME> SSL <GATEWAY_IP_ADDRESS> <GATEWAY_PORT> -icaOnly ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile

#Bind Certificates to Gateway vServer - Repeat for each CA Certificate you want installed
bind ssl vserver <GATEWAY_NAME> -certkeyName <PUBLIC_CERT_NAME>
bind ssl vserver <GATEWAY_NAME> -certkeyName <INT_CERTIFICATE> -CA -ocspCheck Optional
bind ssl vserver <GATEWAY_NAME> -eccCurveName P_256
bind ssl vserver <GATEWAY_NAME> -eccCurveName P_384
bind ssl vserver <GATEWAY_NAME> -eccCurveName P_224
bind ssl vserver <GATEWAY_NAME> -eccCurveName P_521

#Bind LDAP Policy to Gateway
bind vpn vserver <GATEWAY_NAME> -policy <POLICY_LDAP> -priority 100

#Set the SSL Parameters for the Gateway vServer
set ssl vserver <GATEWAY_NAME> -dh ENABLED -dhFile "/nsconfig/ssl/<DH_KEY_FILENAME>" -dhCount 1000 -ssl3 DISABLED

#Set the Custom Ciphers for the Gateway vServer
bind ssl vserver <GATEWAY_NAME> -cipherName <CIPHER_GROUP_NAME>

#Bind Session Policies to the Gateway vServer (bind the session POLICY objects, not the profiles; each policy needs its own priority, and the lower number is evaluated first)
bind vpn vserver <GATEWAY_NAME> -policy <POLICY_NATIVE> -priority 100
bind vpn vserver <GATEWAY_NAME> -policy <POLICY_WEB> -priority 110

#Bind STS Policy to Gateway vServer
bind vpn vserver <GATEWAY_NAME> -policy <REWRITE_POLICY_STS> -priority 100 -gotoPriorityExpression END -type REQUEST

#Add Secure Ticketing Server
bind vpn vserver <GATEWAY_NAME> -staServer "<STA_SERVER_ADDRESS>"

#Set Advanced SSL Parameters
set ssl parameter -denySSLReneg NONSECURE
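As an added example (not part of the original post), here is a small Python helper that fills the <PLACEHOLDER> tokens in a build script like the one above and lints the result before it is pasted into the NetScaler CLI: it refuses to emit a script with an unfilled token, flags any -policy name that was never created as a policy (a profile name typed in by mistake), and flags two policies of the same type bound at the same priority on one vserver. The template excerpt and the object names such as pol_ldap are constructed assumptions.

```python
import re
from collections import defaultdict
PLACEHOLDER = re.compile(r"<([A-Z_]+)>")
BIND = re.compile(r"^bind vpn vserver (\S+) -policy (\S+) -priority (\d+)")
# "add" commands that create a policy, and the bind point that policy type occupies on a vpn vserver.
POLICY_ADDERS = {"add authentication ldapPolicy": "authentication",
                 "add vpn sessionPolicy": "session", "add rewrite policy": "rewrite"}
# Constructed excerpt in the post's style; the last bind names the session profile, not the policy.
TEMPLATE = """\
add authentication ldapPolicy <POLICY_LDAP> ns_true <PROFILE_LDAP>
add vpn sessionPolicy <POLICY_NATIVE> "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" <PROFILE_NATIVE>
add vpn sessionPolicy <POLICY_WEB> "REQ.HTTP.HEADER Referer EXISTS" <PROFILE_WEB>
bind vpn vserver <GATEWAY_NAME> -policy <POLICY_LDAP> -priority 100
bind vpn vserver <GATEWAY_NAME> -policy <POLICY_NATIVE> -priority 100
bind vpn vserver <GATEWAY_NAME> -policy <PROFILE_WEB> -priority 100
"""
# Assumed object names for the placeholders; any site-specific names would do.
VALUES = {"GATEWAY_NAME": "gw_ext", "POLICY_LDAP": "pol_ldap", "PROFILE_LDAP": "prof_ldap",
          "POLICY_NATIVE": "pol_native", "PROFILE_NATIVE": "prof_native",
          "POLICY_WEB": "pol_web", "PROFILE_WEB": "prof_web"}

def missing_placeholders(template, values):
    """Sorted <TOKEN> names in the template that have no value supplied."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(values))

def render(template, values):
    """Fill every placeholder; refuse to emit a script that still contains one."""
    missing = missing_placeholders(template, values)
    if missing:
        raise KeyError("unfilled placeholders: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

def lint(script):
    """Report binds of names never added as a policy, and a priority used twice by policies of
    the same type on one vserver. Assumes 'add' lines precede their 'bind' lines, as in the post."""
    policies, problems, used = {}, [], defaultdict(list)
    for line in script.splitlines():
        for prefix, kind in POLICY_ADDERS.items():
            if line.startswith(prefix + " "):
                policies[line[len(prefix):].split()[0]] = kind
        m = BIND.match(line)
        if m and m.group(2) not in policies:
            problems.append(f"{m.group(2)} bound to {m.group(1)} but never added as a policy")
        elif m:
            used[(m.group(1), policies[m.group(2)], int(m.group(3)))].append(m.group(2))
    for (vserver, kind, prio), names in used.items():
        if len(names) > 1:
            problems.append(f"{kind} priority {prio} on {vserver} reused by {', '.join(names)}")
    return problems
```

Run lint(render(TEMPLATE, VALUES)) on the full script from this post with your own values filled in; an empty list means every bound name exists as a policy and no bind point has a clashing priority.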
