Author: Peter Benjamin
Date: 01/15/2016
Revised: 01/20/2016
Purpose: Instructions for setting up and configuring Citrix NetScaler as it pertains to Echo-Cloud.
bind policy patset <webservername> <clientid>
add aaa group <clientid>
add authorization policy <policy name> "<policy rule>" <policy action>
bind aaa group <clientid> -policy <policy name> -priority 100
save ns config
Example:
bind policy patset cloudweb53 echo12345
add aaa group echo12345
add authorization policy client_auth_policy_echo12345 "REQ.HTTP.URL == \'/echo12345/*\'" ALLOW
bind aaa group echo12345 -policy client_auth_policy_echo12345 -priority 100
save ns config
Single Sign-on Configuration:
add ssl certKey SAMLIDP_<clientID> -cert "/nsconfig/ssl/pf.<client_name>.com.crt"
add authentication samlAction SAM_Server_<clientID> -samlIdPCertName SAMLIDP_<clientID> -samlRedirectUrl "https://pf.<client_name>.com/idp/startSSO.ping?PartnerSpId=Echoaccess_CTX" -samlRejectUnsignedAssertion OFF -samlIssuerName pf.<client_name>.com -defaultAuthenticationGroup echo<clientID>
Note: with -samlRejectUnsignedAssertion OFF the NetScaler accepts assertions that are not signed, so the IdP certificate bound above is not checked against such assertions; ON rejects unsigned assertions.
add authentication samlPolicy SAMLPolicy_<clientID> "REQ.HTTP.URL CONTAINS echo<clientID> || REQ.HTTP.URLQUERY CONTAINS echo<clientID>" SAM_Server_<clientID>
bind authentication vserver saml_auth -policy SAMLPolicy_<clientID> -priority 110
- For all portals:
bind policy patset <aspportal_auth_ldap|aspportal_open|aspportal_ip_restrict> <clientid/portal_name>
- For closed/private portals, run:
set authorization policy client_auth_policy_<clientid> -rule "<expression || expression && expression>" -action <action>
- For IP-restricted portals, run:
add responder policy <policy_name> "<expression || expression && expression>" <action>
bind lb vserver <vserver_name> -policyName <policy_name> -gotoPriorityExpression END -type REQUEST -priority <number>
Examples:
- For open/public portals:
bind policy patset aspportal_open "/12345portal/verifportal/"
- For closed/private portals:
bind policy patset aspportal_auth_ldap "/12345portal/pharmacy/"
set authorization policy client_auth_policy_echo12345 -rule "REQ.HTTP.URL == \'/echo12345/*\' || REQ.HTTP.URL == \'/12345portal/pharmacy/*\'" -action ALLOW
- For IP-restricted portals:
bind policy patset aspportal_ip_restrict "/12345portal/privportal/"
set authorization policy client_auth_policy_echo12345 -rule "REQ.HTTP.URL == \'/echo12345/*\' || REQ.HTTP.URL == \'/12345echoapps/*\' || REQ.HTTP.URL == \'/12345portal/verifportal/*\' || REQ.HTTP.URL == \'/12345portal/privportal/*\' || REQ.HTTP.URL == \'/echo12345test/*\' || REQ.HTTP.URL == \'/12345testechoapps/*\'" -action ALLOW
add responder policy 12345privportal "(CLIENT.IP.SRC.EQ(67.207.214.82) || CLIENT.IP.SRC.IN_SUBNET(63.247.0.0/19)) && HTTP.REQ.URL.STARTSWITH(\"/12345portal/privportal/\")" NOOP
Keep the two IP checks grouped in parentheses so that the URL test applies to either match; an unbalanced or missing parenthesis either fails to load or lets the single host through for every URL.
bind lb vserver aspportal_auth_ip_lbv -policyName 12345privportal -gotoPriorityExpression END -type REQUEST -priority 1523
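The following Python model is an added example and not part of this runbook or of NetScaler: it builds the -rule string used by the set authorization policy commands above (the same shape as the closed/private and IP-restricted examples) and evaluates the IP-restricted responder expression against constructed requests, so the effect of grouping the IP checks can be checked before a policy is bound. The function names, the sample source IPs and URLs, and the request records are assumptions; the allow-list values are the ones from the example above.

```python
"""Model of the portal access rules in this runbook (added example, not NetScaler code)."""
import ipaddress
import re

# Client IDs are interpolated into quoted policy expressions, so restrict them
# to the shape the runbook uses (e.g. echo12345) before building a command.
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9_]+$")


def build_authorization_rule(paths):
    """Return the classic-syntax -rule string for a list of portal URL prefixes.

    Each prefix becomes REQ.HTTP.URL == \\'/prefix/*\\' and the terms are joined
    with ||, which is the form the set authorization policy examples use.
    """
    terms = []
    for path in paths:
        if not (path.startswith("/") and path.endswith("/")):
            raise ValueError(f"portal path must start and end with '/': {path!r}")
        terms.append(f"REQ.HTTP.URL == \\'{path}*\\'")
    return " || ".join(terms)


def set_authorization_policy_command(client_id, paths):
    """Render the 'set authorization policy' line for a client (assumed helper)."""
    if not CLIENT_ID_RE.match(client_id):
        raise ValueError(f"client id may contain only letters, digits and '_': {client_id!r}")
    rule = build_authorization_rule(paths)
    return f'set authorization policy client_auth_policy_{client_id} -rule "{rule}" -action ALLOW'


# Allow-list for the IP-restricted portal example (values from the runbook).
ALLOWED_HOSTS = [ipaddress.ip_address("67.207.214.82")]
ALLOWED_SUBNETS = [ipaddress.ip_network("63.247.0.0/19")]
PORTAL_PREFIX = "/12345portal/privportal/"


def ip_allowed(src_ip):
    """True if the source address is the listed host or inside a listed subnet."""
    addr = ipaddress.ip_address(src_ip)
    return addr in ALLOWED_HOSTS or any(addr in net for net in ALLOWED_SUBNETS)


def responder_matches(src_ip, url):
    """Grouped form: (host || subnet) && path.

    A matching request gets the NOOP action and, with -gotoPriorityExpression
    END, no later responder policy is evaluated for it.
    """
    return ip_allowed(src_ip) and url.startswith(PORTAL_PREFIX)


def responder_matches_ungrouped(src_ip, url):
    """Expression read as host || (subnet && path), i.e. what the rule means if
    the IP checks are not grouped. Shown only to make the difference visible:
    the single host would match every URL, not just the private portal."""
    addr = ipaddress.ip_address(src_ip)
    in_host = addr in ALLOWED_HOSTS
    in_subnet = any(addr in net for net in ALLOWED_SUBNETS)
    return in_host or (in_subnet and url.startswith(PORTAL_PREFIX))


# Constructed sample requests: (source IP, requested URL).
REQUESTS = [
    ("67.207.214.82", "/12345portal/privportal/index.asp"),  # listed host, private portal
    ("63.247.5.9", "/12345portal/privportal/"),              # inside 63.247.0.0/19
    ("63.248.0.1", "/12345portal/privportal/"),              # outside the /19
    ("67.207.214.82", "/12345portal/pharmacy/"),             # listed host, other portal
]


def evaluate(requests=REQUESTS):
    """Return (ip, url, grouped_match, ungrouped_match) for each request."""
    return [
        (ip, url, responder_matches(ip, url), responder_matches_ungrouped(ip, url))
        for ip, url in requests
    ]


if __name__ == "__main__":
    print(set_authorization_policy_command("echo12345", ["/echo12345/", "/12345portal/pharmacy/"]))
    for ip, url, grouped, ungrouped in evaluate():
        print(f"{ip:15} {url:35} grouped={grouped} ungrouped={ungrouped}")
```

The last sample request is the one that separates the two readings: the listed host asking for the pharmacy portal is not matched by the grouped expression, so it falls through to whatever responder policies follow, while the ungrouped reading would NOOP it and end evaluation.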
- How to do/undo common tasks in Citrix NetScaler: NETSCALER Command Reference Guide
- Detailed information on Citrix NetScaler Policies and their configurations: Policy Configuration