Netscaler as ADFS Proxy

#adfs, #citrix, #en edit this page

I decided to use Netscaler to publish my ADFS server to the internet instead of a dedicated server in the DMZ. I checked several blogs and the official Citrix documentation but this looked overloaded.

Citrix documentation: NetScaler as ADFS Proxy Deployment Guide - Citrix
Blogs: http://blogs.citrix.com/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/, http://cividan.blogspot.it/2015/02/use-citrix-netscaler-as-replacement-for.html

So I searched a way to:

- Publish ADFS to the Internet with URL filter
- Do not pre-authenticate with Netscaler (Customizing multiple pre-authentication Websites can be very time consuming per tenant)
- Modify the Header that ADFS server understands the request comes from external

There was no blog post that explained the whole configuration, so I decided to write down the required steps:

1. The service

First create the service and specify to forward the Client IP (Header: X-MS-Forwarded-Client-IP)

image

 

2. The vServer 

Create the vServer not directly addressable to not trash an IP address and bind the certificate

image

3. Content switch policy

Create a content switch policy to forward only /adfs and the exact hostname to the vServer

image

4. Content Switch vServer

Create the content switch vServer and apply the content switch policy

image

5. Rewrite Actions

You want to let the ADFS know that the request comes from extranet. So you can apply different authentication methods in the different zones. You have to add the header X-MS-Proxy to the request. Therefore you create a rewrite action

image

Create also a rewrite action to rewrite URL /mex

image

6. Rewrite Policy

image

image

7. Bind the Policies

Now bind the policies to the vServer. Both are rewrite policies for requests. Be careful with the GoTo expression to the Header transformation, this must be “NEXT”

image

8. The Monitor

ADFS has a probe check build in. If you check /adfs/probe you get a 200 message if everything is OK. Create the monitor and add it to the service

    <p><a href="/assets/archive/image_684.png"><img width="265" height="339" title="image" style="border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" alt="image" src="/assets/archive/image_thumb_682.png" border="0"></a></p> <p>&nbsp;</p> <p>Netscaler configuration is done. You can test now the authentication if you access the URL <a href="https://portal.office.com">https://portal.office.com</a> through Netscaler. Then you will be redirected to the ADFS website for authentication:</p> <p><a href="/assets/archive/image_685.png"><img width="438" height="156" title="image" style="border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" alt="image" src="/assets/archive/image_thumb_683.png" border="0"></a></p> <p>For internal requests use split DNS to forward the authentication directly to the ADFS server and not to the Netscaler ADFS proxy. So the Proxy Header is missing and your client will use internal authentication.</p> <p>Stay tuned for my post series about configuring Exchange in Hybrid mode with Office 365.</p> <p>Greetings<br>ND</p>