Project Silverton – Citrix XenDesktop, NetScaler, FAS and Google – Part 5

We can now move onto Part 5 of this series, The NetScaler!

The previous parts in this series can be found by using the below links.

Part 1 – Summary of NetScaler, XenDesktop, FAS and Google

Part 2 – Pre-Reqs

Part 3 – Google oAuth Setup

Part 4 – Citrix Federated Authentication Services

In this part of this series we are going to tie it all together with the NetScaler Config.

This post assumes that you have already configured a NetScaler Unified Gateway on your NetScaler build using the built-in Unified Gateway Wizard.

The Google oAuth Policy on Citrix NetScaler

You will now need to instruct the NetScaler to authenticate you with the Google oAuth Services.  Log into your NetScaler and navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – OAuth

Click Add to insert a new policy

Give the policy a name, fill in the Client ID and Client Secret you saved earlier, and enter the following information in the Authorization Endpoint, Token Endpoint and ID Token Decrypt Endpoint fields:

Authorization Endpoint: https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email

Token Endpoint: https://accounts.google.com/o/oauth2/token

ID Token Decrypt Endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo

Click OK to create the policy.

Next navigate to Security – AAA Application Traffic – Policies – Authentication – Advanced Policies – Policy and click Add to insert your new policy.

Give your policy a name, set the action type to OAUTH and select your new action from the drop down list.  For the expression, type true.

The AAA vServer

Next you will need to bind your new policy to an AAA vServer for authentication.  This is where we will pass the incoming requests for login.chromesummit.com for authentication, then hand them back to the NetScaler Unified Gateway from there.

Navigate to Security – AAA Application Traffic – Virtual Servers and Add a new Virtual Server

Give your Virtual Server a name, a free IP Address and assign the relevant certificate for the domain you are going to give your users (login.chromesummit.com – this was part of the pre-reqs in part 1).  Then add an Advanced Authentication Policy and select your new Google oAuth Policy.

Make sure the server shows as up

We now need to create a Load Balancing vServer to act as a pass through for the Content Switch and AAA vServer.

The Load Balancing vServer

Navigate to Traffic Management – Load Balancing – Virtual Servers and click Add to configure your new Virtual Server.

Give your vServer a name and a free IP Address, assign the same certificate that you gave to your AAA vServer and bind it to an “Always Up” Service.  Essentially this is a service configured on the NetScaler that will not go down.  Just define a new service on the NetScaler that points at itself (127.0.0.1).

You now need to add your Authentication vServer to the Load Balancing vServer.  Add Authentication from the options on the right hand side of the screen and select form based authentication.

Fill out auth.h.1 as the Authentication FQDN, select Authentication Virtual Server from the drop down and select your AAA vServer from the list provided

The final thing you will need to do is add a responder policy to the vServer to redirect the user to the VPN login page.  This is because after authenticating with Google you are passed back to the root of the vServer, and you want to forward the user to the NetScaler Gateway with the AAA credentials for SSO.

Click Policies and click on Add.  Select Responder from the list, give the policy a name and click the + to add an action.

Give the action a name, the type will be Redirect and the expression will be the following (substitute your own Google login URL for login.chromesummit.com):

"https://login.chromesummit.com/vpn/index.html"

Set the Response Status Code to 302 and click on OK.  This will take you back to the policy screen

For the policy Expression enter the following:

HTTP.REQ.URL.EQ("/")

Click OK and that's it for the vServer.

Bind the vServer to the AAA vServer

Navigate to Security – AAA Application Traffic – Virtual Servers and open up your AAA vServer

Scroll down until you see Form Based Virtual Servers and ensure that your vServer is listed there, if it is not then bind it to the AAA Server

Content Switching Policies

At this stage you have your Google Authentication Provider set up, your AAA vServer and Load Balancing vServer set up and linked and your responder policy to forward your users to the NetScaler Gateway once authenticated.  You now need to set up your Content Switching Policies to direct the traffic the way you want.

This is what I am trying to achieve.

  • If a user types in citrix.chromesummit.com then go straight to the NetScaler Gateway
  • If the url hitting the Content Switch contains any of the AAA Traffic, “/cvpn” in the URL or “/citrix” in the URL then direct them to the NetScaler Gateway
  • If a user types in login.chromesummit.com then go to the Load Balanced vServer (AAA Auth vServer is attached to this – and will redirect to Google for authentication)

I am going to achieve this by using a Content Switching policy and a Default vServer on the Content Switch.

Navigate to Traffic Management – Content Switching – Actions and create an action to redirect traffic to your NetScaler Gateway

Navigate to Traffic Management – Content Switching – Policies

Create a policy with the following expression:

HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cvpn") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/citrix") || HTTP.REQ.URL.CONTAINS_ANY("aaa_path") || HTTP.REQ.HOSTNAME.CONTAINS("citrix.chromesummit.com")

Substitute your URLs in place of mine.

Bind this policy to your action you created in the previous step.

Next open up your Content Switch (this should have been created when you created your Unified Gateway during the pre-reqs stage) and locate the Content Switching Policy Binding section.

Bind your policy as a priority of 100

Set your Load Balancing vServer as the Default Load Balancing Virtual Server

Unbind the SSO Domain in the NetScaler Gateway Session Policy

Locate the Web session policy assigned to your NetScaler Gateway and under the published applications tab, remove the SSO Domain name.  The web session policy will have _WB_ in the name.

At this point your NetScaler should be configured to direct the traffic for citrix.chromesummit.com and login.chromesummit.com to different login providers.

Fallback Policy

One thing I did notice is that if you are already signed into Google and try to go to the login.chromesummit.com login page it will SSO you into the gateway, but then when the apps and desktops should be displayed it will try to launch the Java VPN client.  From what I can see this is because it is not hitting any of the HTTP headers defined in the session policies you have assigned to your gateway.

To get around this we can create a fallback policy to handle any sessions that are not covered by the two automatically created session profiles.

Navigate to NetScaler Gateway – Policies – Session and click to add a new Session Policy

Give the policy a name e.g. fallback, set the expression to ns_true and bind the same web profile (_WB_) that you edited in the previous step.

Next you will need to bind this as an available policy on the NetScaler Gateway.  Make sure that its priority is the lowest, so that if no other session policy is matched this one acts as the default policy for the gateway.

NetScaler Gateway Login Once

One thing that you will need to check is that the login once option on the NetScaler Gateway is set.  To do this navigate to NetScaler Gateway – Virtual Servers and open up your vServer.

Click to edit the Basic Settings and click on the More twisty.  Make sure the Login Once box is ticked.

Catering for Native Receiver Access on the Login URL

Another thing we need to be aware of and cater for is that the Google users may want to use receiver to access the apps and desktops.  This will currently fail as Native Receiver will not work with the configured oAuth policy.  Therefore we will need to redirect users that use Receiver and try to hit the login.chromesummit.com URL.

We will do this using another Content Switching Policy.

Navigate to Traffic Management – Content Switching – Policies

Create a policy with the following expression:

HTTP.REQ.HOSTNAME.CONTAINS("login.chromesummit.com") && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

Bind this to the same action you used for the previous policy (re-direction to the NetScaler Gateway).

Next bind this new policy to the Content Switch as a higher priority than the previous policy

Now if a user tries to use Native Receiver and login to the login.chromesummit.com URL they will be redirected back to the regular NetScaler Gateway and asked for LDAP credentials.
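To sanity check the two Content Switching policies, their priority order, the default Load Balancing vServer and the responder redirect before binding anything on the appliance, here is a small stand-alone Python model of that routing decision.  It is an added example, not NetScaler code or anything from the original post: the policy expressions are re-implemented in Python, the vServer names, the priority value 90 for the Receiver policy and the contents of the built-in aaa_path pattern set are assumptions, and the sample requests and User-Agent strings are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed vServer names standing in for the CS action target and the default LB vServer.
GATEWAY = "netscaler_gateway"   # CS action target: the Unified Gateway vServer
LOGIN_LB = "lb_login_google"    # default LB vServer (Google AAA vServer attached)

LOGIN_HOST = "login.chromesummit.com"
GATEWAY_HOST = "citrix.chromesummit.com"
VPN_LOGIN_URL = f"https://{LOGIN_HOST}/vpn/index.html"

# Assumption: stands in for the built-in NetScaler pattern set "aaa_path".
# This is a constructed subset, not the appliance's real list.
AAA_PATHS = ("/cgi/", "/logon/", "/vpn/", "/nf/")


@dataclass(frozen=True)
class Request:
    host: str
    url: str
    user_agent: str = ""

    @property
    def path(self) -> str:
        # HTTP.REQ.URL.PATH: the URL without its query string
        return self.url.split("?", 1)[0]


def gateway_policy(req: Request) -> bool:
    """CS policy bound at priority 100 (the post's first expression)."""
    path = req.path.lower()                          # SET_TEXT_MODE(IGNORECASE)
    return (path.startswith("/cvpn")
            or path.startswith("/citrix")
            or any(p in req.url for p in AAA_PATHS)  # URL.CONTAINS_ANY("aaa_path")
            or GATEWAY_HOST in req.host)             # HOSTNAME.CONTAINS(...) is a substring test


def receiver_policy(req: Request) -> bool:
    """CS policy for native Receiver hitting the login host (the post's second expression)."""
    return LOGIN_HOST in req.host and "CitrixReceiver" in req.user_agent


# On NetScaler the lower priority number is evaluated first, so the Receiver
# policy (90, an assumed value) runs ahead of the gateway policy (100).
CS_POLICIES = [
    (90, receiver_policy, GATEWAY),
    (100, gateway_policy, GATEWAY),
]


def responder(req: Request) -> Optional[str]:
    """Responder policy on the LB vServer: HTTP.REQ.URL.EQ("/") -> 302 to the VPN login page."""
    return VPN_LOGIN_URL if req.url == "/" else None


def route(req: Request) -> Tuple[str, Optional[str]]:
    """Return (vServer the content switch selects, redirect Location or None)."""
    for _prio, matches, target in sorted(CS_POLICIES, key=lambda p: p[0]):
        if matches(req):
            return target, None
    # No CS policy matched: traffic goes to the default LB vServer, where the responder runs.
    return LOGIN_LB, responder(req)


# Constructed sample traffic (not captured from a real deployment).
BROWSER_UA = "Mozilla/5.0 (X11; CrOS x86_64) Chrome/60.0"
RECEIVER_UA = "CitrixReceiver/4.9.0 Windows"

SAMPLE_REQUESTS = [
    Request(GATEWAY_HOST, "/", BROWSER_UA),                  # straight to the gateway
    Request(LOGIN_HOST, "/", BROWSER_UA),                    # Google login, then 302 to /vpn/index.html
    Request(LOGIN_HOST, "/vpn/index.html", BROWSER_UA),      # post-redirect: AAA path -> gateway
    Request(LOGIN_HOST, "/Citrix/StoreWeb/", BROWSER_UA),    # /citrix (case-insensitive) -> gateway
    Request(LOGIN_HOST, "/", RECEIVER_UA),                   # native Receiver -> gateway, LDAP prompt
    Request(LOGIN_HOST, "/some/other?x=1", BROWSER_UA),      # default vServer, no redirect
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.host}{req.url} [{req.user_agent[:14]}] -> {route(req)}")
```

Running it prints the vServer each sample request lands on and, for the bare "/" on the login host, the 302 target.  Two things the model makes visible: the Receiver policy only does its job because it is evaluated before the general gateway policy, and HOSTNAME.CONTAINS is a substring match, so any Host header that merely contains citrix.chromesummit.com satisfies it; if you want that branch to fire only for the exact hostname, HTTP.REQ.HOSTNAME.EQ would be the tighter test.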

That's it on the NetScaler for the moment – we will revisit it later on when we tidy up the config and add some nice to have bits to make the user experience better.

Part 6 – StoreFront Configuration

Thanks,

Dave Brett (@dbretty)