Configuring NetScaler for Integration with ShareFile StorageZones Controller 2.0



Similar documents
Configuring Content Switching Feature

Deploying Microsoft Dynamics CRM 2015 with NetScaler

Table of Contents Citrix NetScaler Deployment Guide for Microsoft Exchange

Chapter 1 Load Balancing 99

Single Sign On for ShareFile with NetScaler. Deployment Guide

NetScaler and XenMobile Solution for Enterprise Mobility

How do I load balance FTP on NetScaler?

App Orchestration 2.5

Replacing Microsoft Forefront TMG with Citrix NetScaler for enterprise authentication

Using Vasco IDENTIKEY Server with NetScaler

Solution Guide for Citrix NetScaler and Cisco APIC EM

This guide identifies two possible enterprise integration scenarios for NetScaler and Azure AD.

Configuring User Identification via Active Directory

Managing User Accounts

App Orchestration 2.0

Link Load Balancing :50:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

CNS-205 Citrix NetScaler 10 Essentials and Networking

Firewall Load Balancing

INTEGRATION GUIDE. DIGIPASS Authentication for Citrix NetScaler (with AGEE)

Deploying RSA ClearTrust with the FirePass controller

How to Logon with Domain Credentials to a Server in a Workgroup

Sample Configuration: Cisco UCS, LDAP and Active Directory

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Improving Microsoft Exchange 2013 performance with NetScaler Hands-on Lab Exercise Guide. Johnathan Campos

Single Sign On for ZenDesk with NetScaler. Deployment Guide

Siteminder Integration Guide

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

How To Manage A Netscaler On A Pc Or Mac Or Mac With A Net Scaler On An Ipad Or Ipad With A Goslade On A Ggoslode On A Laptop Or Ipa On A Network With

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

Single Sign On for Google Apps with NetScaler. Deployment Guide

Managing User Accounts

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led

Deployment Guide. Web Filter. Deployment Guide. A Step-by-Step Technical Guide

Configuring Sponsor Authentication

HP Device Manager 4.7

Single Sign On for GoToMeeting with NetScaler

Client configuration and migration Guide Setting up Thunderbird 3.1

Understanding Slow Start

Citrix NetScaler 10 Essentials and Networking

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Deploying the BIG-IP LTM system and Microsoft Windows Server 2003 Terminal Services

NETASQ ACTIVE DIRECTORY INTEGRATION

CNS-208 Citrix NetScaler 10 Essentials for ACE Migration

CNS-208 Citrix NetScaler 10.5 Essentials for ACE Migration

LDAP Authentication and Authorization

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

609: Front-ending and load balancing XenDesktop and XenApp with NetScaler

Introduction to Directory Services

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Single Sign On for Office 365 with NetScaler. Deployment Guide

Preparing for GO!Enterprise MDM On-Demand Service

NSi Mobile Installation Guide. Version 6.2

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

Integrating WebSphere Portal V8.0 with Business Process Manager V8.0

Configuring Auto Policy-Based Routing

Deploying the BIG-IP System with Oracle E-Business Suite 11i

NAS 206 Using NAS with Windows Active Directory

icrosoft TMG Replacement with NetScaler

Configuring Single Sign-on for WebVPN

HRG Performance Series DVR DDNS Support Application Note (hrgddns)

Microsoft Outlook Web Access 2003 using Microsoft Internet Information Server v6.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Getting Started with Clearlogin A Guide for Administrators V1.01

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Introducing the BIG-IP and SharePoint Portal Server 2003 configuration

To enable an application to use external usernames and passwords, you need to first configure CA EEM to use external directories.

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

Deployment Guide ICA Proxy for XenApp

Citrix NetScaler 10 Essentials and Networking

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

DEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD

Instructions for Microsoft Outlook 2003

Set up Outlook for your new student e mail with IMAP/POP3 settings

Basic Exchange Setup Guide

Configuring Outlook 2013 For IMAP Connections

Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 2 Known Issues... 3 Resolved Issues...

DEPLOYMENT GUIDE. Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services

Citrix StoreFront 2.0

PriveonLabs Research. Cisco Security Agent Protection Series:

How to Pop to Outlook

Configuring the BIG-IP system for FirePass controllers

Microsoft Lync Server 2010

"Charting the Course... Implementing Citrix NetScaler 11 for App and Desktop Solutions CNS-207 Course Summary

Setup Guide. network support pc repairs web design graphic design Internet services spam filtering hosting sales programming

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

Basic Exchange Setup Guide

How to set up Outlook Anywhere on your home system

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

NetIQ Advanced Authentication Framework - MacOS Client

F-Secure Messaging Security Gateway. Deployment Guide

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Scaling Next-Generation Firewalls with Citrix NetScaler

Defender EAP Agent Installation and Configuration Guide

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Transcription:

Configuring NetScaler for Integration with ShareFile StorageZones Controller 2.0 The steps outlined here have been excerpted from edocs available here. Sharefile Server I have compiled these instructions so that they have a natural flow for an Administrator integrating both components. The instructions that follow will depict the method to perform actions using Graphical User Interface (GUI) and subsequently how to perform the same function(s) using the Command Line Interface (CLI). For purposes of this guide, NetScaler v. 10.1 build 118.7nc was used, any NS Firmware 10.x, 9.3 support http callouts (required as part of the configuration), however, only 10.1 allows us to bind callout expressions to SSL Virtual Servers, which is recommended. I have broken them into 7* Steps: Step 1 Create StorageZone Controller 2.0 Service(s) on NetScaler Step 2 Create and Configure Load Balancing VServers Step 3 Create and Configure Content Switching Policies Step 4 Create and Configure Content Switching VServer Step 5 Create HTTP Callouts Step 6 Create and Configure Responder Policy to use HTTP Callout Step 7 Bind Responder Policy to Load Balancing VServer(s) Step 8* (Optional) Configure Authentication VServer

Step 1 Create StorageZone Controller Service(s) on NetScaler Create a Service of Protocol SSL on port 443 for the Sharefile 2.0 Storage Zone Controller server entity. This is performed under the Traffic Management \ Load Balancing \ Services section of GUI. GUI Method: CLI Command: add service <servicename> <IP ADDRESS> SSL 443 - gslb NONE - maxclient 0 - maxreq 0 - cip DISABLED - usip NO - useproxyport YES - sp ON - clttimeout 180 - svrtimeout 360 - CustomServerID "\"None\"" - CKA NO - TCPB NO - CMP YES Note: Multiple services can be created (ex. Data_requests_svc, Connector_Svc), however for this example we will only create one. Step 2 Create and Configure Load Balancing VServers We will create two Load Balancing Virtual Servers in this step. Create a Load Balanced Virtual Server for the StorageZone Controller Data Requests, another for the StorageZone Controller Connector Requests. This allows us differentiate between the two types of traffic received on NetScaler and can scale accordingly.

2a: Create First Load Balancing Virtual Server (for SZC Data Requests) of Protocol Type SSL, de- select Directly Addressable option. Select the service that was created in step one. This will bind the service to the Load Balancing Virtual server. Do not click create as of yet. Step 2b: Navigate to the Method and Persistence Tab, set the LB Method to Token. Set the rule to http.req.url.query.value("uploadid")

Step 2c: Navigate to the SSL Settings tab and bind the appropriate certificate to the LBVServer, click Create. Step 2D: Perform the same actions as above to create the other Load Balancing Virtual Server for the StorageZone Controller Connector Requests. CLI Commands: add lb vserver SZC2.0_LBVData SSL 0.0.0.0 0 - persistencetype SSLSESSION - lbmethod TOKEN - rule "http.req.url.query.value(\"uploadid\")" - clttimeout 180 bind lb vserver SZC2.0_ LBVData szc20_svc bind ssl vserver SZC2.0_ LBVData - certkeyname szc20 add lb vserver SZC2.0_LBVConnector SSL 0.0.0.0 0 - persistencetype SSLSESSION - lbmethod TOKEN - rule "http.req.url.query.value(\"uploadid\")" - clttimeout 180 bind lb vserver SZC2.0_LBVConnector szc20_svc bind ssl vserver SZC2.0_LBVConnector - certkeyname szc20

See below for reference once completed step 1& 2 Step 3 Create and Configure Content Switching Policies Step 3a: Navigate in GUI to Content Switching \ Policies. Here we will create two policies. This is for purposes of differentiating the traffic for Data and Connector Requests. First will be named Data_Requests. In the expression field, type/paste the following qualifier: HTTP.REQ.HOSTNAME.CONTAINS("StorageZoneControllerFQDN") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT. Click Create. CLI Command: add cs policy Data_Requests - rule "HTTP.REQ.HOSTNAME.CONTAINS(\"StorageZoneControllerFQDN\") && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT"

Step 3b: Second will be named Connector_Requests. In the expression field, type/paste the following qualifier: HTTP.REQ.HOSTNAME.CONTAINS("StorageZoneControllerFQDN") && HTTP.REQ.URL.CONTAINS("/cifs/") && HTTP.REQ.URL.CONTAINS("/sp/"). Click Create. CLI command: add cs policy Connector_Requests - rule "HTTP.REQ.HOSTNAME.CONTAINS(\"StorageZoneControllerFQDN\") && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") HTTP.REQ.URL.CONTAINS(\"/sp/\"))" See below for reference once completed with Step 3.

Step 4 Create and Configure Content Switching VServer Step 4a: Navigate in GUI to Content Switching \ Virtual Servers. Here we will bind the policies we created to a Content Switching Virtual Server. Create a Content Switch VServer of Protocol type SSL. Do not select Create yet. Step 4b: Bind the two Content Switch Virtual Server Policies created in previous step. This is performed by inserting CS Policy, the corresponding LBVServer created in step 2.

4c: Now navigate to the SSL Settings tab and bind the certificate (must be a publicly accessible FQDN). Click Create. CLI Commands: add cs vserver szc20_csv SSL 192.168.1.12 443 - clttimeout 180 bind cs vserver szc20_csv - policyname Data_Requests - targetlbvserver SZC2.0_LBVData - priority 100 bind cs vserver szc20_csv - policyname Connector_Requests - targetlbvserver SZC2.0_LBVConnector - priority 110 bind ssl vserver szc20_csv - certkeyname szc20

Step 5 Create HTTP Callouts Step 5a: Here we will create our HTTP callouts. The purpose of which is to validate traffic before allowed to proceed unfettered. Navigate in GUI to AppExpert \ HTTP Callouts section of GUI. Create an HTTP Callout named sf_callout. Define the Virtual Server or IP Address of which we will direct the callout to. a. Under Server Response, choose a Return Type of Bool. b. In Expression to extract data from the response enter: HTTP.RES.STATUS.EQ(200).NOT Step 5b: Under Request to send to the server, click Attribute- based and then click Configure Request Attributes.

a. Select Get Method. b. In Host Expression enter the virtual server IP address or the host IP address for any of the StorageZone Controllers. This is required for correct operation. c. In URL Stem Expression enter: "/validate.ashx?requesturi=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h="+ HTTP.REQ.URL.QUERY.VALUE("h") d. Click OK and then return to the Configure HTTP Callout dialog box. Click CREATE. CLI commands: add policy httpcallout sf_callout set policy httpcallout sf_callout - vserver SZC2.0_LBVData - returntype BOOL - hostexpr 192.168.1.12 - urlstemexpr "\"/validate.ashx?requesturi=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" - scheme http - resultexpr "HTTP.RES.STATUS.EQ(200).NOT" Step 5c: Follow the preceding steps to configure an HTTP callout named sf_callout_y. Use the same settings except modify it to the below expression: In URL Stem Expression enter: "/validate.ashx?requesturi=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h=" CLI Commands: add policy httpcallout sf_callout_y set policy httpcallout sf_callout_y - vserver SZC2.0_LBVData - returntype BOOL - hostexpr 192.168.1.12 - urlstemexpr "\"/validate.ashxrequesturi=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" - scheme http - resultexpr "HTTP.RES.STATUS.EQ(200).NOT"

Step 6 Create and Configure Responder Policy to use HTTP Callout Step 6: Navigate to AppExpert \ Responder \ Policies section of the GUI. Add a new Responder Policy. In the Configure Responder Policy dialog box: For Action, choose Drop expression window, In Expression, enter: http.req.url.contains("&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout) http.req.url.contains("&h=").not && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout_y) click create. CLI command: add responder policy sf_sz_policy "http.req.url.contains(\"&h=\") && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout) http.req.url.contains(\"&h=\").not && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout_y)" DROP

Step 7 Bind Responder Policy to Load Balancing VServer(s) Step 7: Bind responder policy to Load Balancing Virtual Server as defined in Step 2, by navigating to policies \ responder under the defined Load Balanced Virtual Server. CLI Command: bind lb vserver SZC2.0_LBVData - policyname sf_sz_policy - priority 100 - gotopriorityexpression END - type REQUEST With the completion of the above exercises, the NetScaler Configuration has been finalized.

Step 8 - Create and Configure Authentication VServer There is an optional configuration step further securing StorageZone Connector which is used with XenMobile Enterprise, MDM, and App Editions. While authentication to NetScaler is optional, it is a recommended best practice. We will configure this feature following the steps below: a - Create LDAP Server Profile/Policy b - Create/configure associated Session Profile/Policy c - Create Authentication VServer d Bind Authentication Settings to StorageZone Connector VServer Step 8a: Create LDAP Server Profile \ LDAP Policy To create the LDAP Server Profile, navigate to Security \ AAA Application Traffic \ Policies \ Authentication \ LDAP section of the GUI. Click on the Servers tab in the right pane to create a new Authentication Server (Profile) entity. Populate this dialogue with all pertinent details. Ensure to add the SSO Name Attribute of userprincipalname before electing to create. Click the Create button to finish adding Authentication Profile. CLI Method: add authentication ldapaction SZC_Auth - serverip 192.168.1.10 - ldapbase "DC=nsdemo,DC=ctx" - ldapbinddn admin@nsdemo.ctx - ldapbinddnpassword password - encrypted - ldaploginname samaccountname - groupattrname memberof - subattributename cn - ssonameattribute userprincipalname

Step 8a continued: To create the LDAP Policy, in the same section of the GUI ( Security \ AAA Application Traffic \ Policies \ Authentication \ LDAP ), click on the Policies tab to create a new Authentication Policy. Assign a Name to the new policy and bind the Server profile created in step 1. In the expression field, add the True Value expression, click Create. CLI Command: add authentication ldappolicy SZC_AuthPol ns_true SZC_Auth Step 8b: In this step we will create/configure associated Session Profile/Policy associated with the authentication policy we just defined. Navigate in GUI to the Security \ AAA Application Traffic \ Policies \ Session section and click on the Profiles tab in the right pane. Elect to create a new profile and define the relevant settings, again adding the correct SSO domain. Click Create once completed.

Step 8b continued: To create the Session Policy, in the same section of the GUI ( Security \ AAA Application Traffic \ Policies \ Session ), click on the Policies tab to create a new Session Policy. Assign a Name to the new policy and bind the session profile created in step 1. In the expression field, add the True Value expression, click Create. CLI commands: add tm sessionaction SZC_SessionProfile - ssodomain nsdemo.ctx add tm sessionpolicy SZC_SessionPolicy ns_true SZC_SessionProfile Step 8c: In this step we will create an Authentication Virtual Server and bind the Authentication Policy we created in the previous step. Navigate back up to AAA Application Traffic \ Virtual Servers section and elect to create a new Authentication Virtual Server. Provide relevant data and ensure that the base DN is defined in the domain field. Select the appropriate certificate. Do not click create yet.

Step 8c continued: Navigate to the authentication tab and bind the Authentication Policy created in step 8a. Again, do not click Create. Navigate to the Policies tab Under the Policies tab, select Session \ Insert Policy and bind the Session Policy created in step 8b, click Create. CLI commands: add authentication vserver SZC20_AuthVServer SSL 192.168.1.13 443 - AuthenticationDomain nsdemo.ctx bind authentication vserver SZC20_AuthVServer - policy SZC_AuthPol - priority 100 bind authentication vserver SZC20_AuthVServer - policy SZC_SessionPolicy - priority 100 bind ssl vserver SZC20_AuthVServer - certkeyname wildcard

Step 8d: In this step, we will bind the authentication Settings to StorageZone Connector Load Balancing VServer. In the GUI, navigate to the StorageZone Connector Load Balancing VServer ( Traffic Management \ Load Balancing \ Virtual Servers ), click on the Advanced tab, scroll down and expand the Authentication Settings section. Select the 401 Based Authentication check box and select the defined Authentication VServer (created in step 8c). Once complete, navigate to the Method and Persistence and modify the Persistence method to Cookie Insert. Set the appropriate Time- out value (in minutes). CLI Commands: set lb vserver SZC2.0_LBVConnector - persistencetype COOKIEINSERT - timeout 240 - authn401 ON - authnvsname SZC20_AuthVServer This concludes the steps required for the Optional configuration.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information