by David Brett, CTP
In this part of this series we are going to tie it all together with the NetScaler Config.
This post assumes that you already have a NetScaler Unified Gateway configured on your NetScaler build using the built-in Unified Gateway Wizard.
The Google OAuth Policy on Citrix NetScaler
You will now need to instruct the NetScaler to authenticate you against Google's OAuth service. Log into your NetScaler and navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – OAuth
Click Add to insert a new OAuth action (this is the action that the advanced authentication policy in the next step will reference)
Give it a name, fill out the Client ID and Client Secret you saved earlier and enter the following in the Authorization Endpoint, Token Endpoint and ID Token Decrypt Endpoint fields (replace YOUR_CLIENT_ID with your own Client ID):
Authorization Endpoint: https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email
Token Endpoint: https://accounts.google.com/o/oauth2/token
ID Token Decrypt Endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
Note that the scope openid%20email only asks Google to release the user's identity and e-mail address; nothing in this action limits which Google accounts can complete the login, so any restriction to your own users has to be enforced elsewhere.
Click OK to create the action

Next navigate to Security – AAA Application Traffic – Policies – Authentication – Advanced Policies – Policy and click Add to insert your new policy
Give your policy a name, set the action type to OAUTH and select the action you just created from the drop-down list. For the expression, type in true


The AAA vServer
Next you will need to bind your new policy to an AAA vServer for authentication. This is where incoming requests for login.chromesummit.com will be sent to be authenticated, before being handed back to the NetScaler Unified Gateway.
Navigate to Security – AAA Application Traffic – Virtual Servers and Add a new Virtual Server
Give your Virtual Server a name and a free IP address, and assign the certificate for the domain you are going to give your users (login.chromesummit.com – this was part of the pre-reqs in part 1). Then add an Advanced Authentication Policy and select your new Google OAuth policy.


Make sure the server shows as up

We now need to create a Load Balancing vServer to act as a pass-through between the Content Switch and the AAA vServer.
The Load Balancing vServer
Navigate to Traffic Management – Load Balancing – Virtual Servers and click Add to configure your new Virtual Server.
Give your vServer a name and a free IP address, assign the same certificate that you gave to your AAA vServer and bind it to an "Always Up" service. Essentially this is a service configured on the NetScaler that will never go down: the simplest option is a service that points at the NetScaler itself (127.0.0.1) with its health monitor disabled, so it is always marked UP and the vServer in front of it stays UP too.


You now need to attach your Authentication vServer to the Load Balancing vServer. Choose Authentication from the options on the right-hand side of the screen and select Form Based Authentication.
Fill out the Authentication FQDN (auth.h.1 in this walkthrough; this is the hostname clients are redirected to for login, so it must resolve to the AAA vServer's IP address), select Authentication Virtual Server from the drop-down and select your AAA vServer from the list provided

The final thing you will need to do is add a Responder policy to the vServer to forward the user to the VPN login page. This is because after authenticating with Google you are passed back to the root of the vServer, and you want to forward the user on to the NetScaler Gateway, where the AAA session is used for SSO.
Click Policies and click Add. Select Responder from the list, give the policy a name and click the + to add an action.
Give the action a name, set the type to Redirect and use the following expression (substitute your own login hostname for login.chromesummit.com):
"https://login.chromesummit.com/vpn/index.html"
Set the Response Status Code to 302 and click OK. This will take you back to the policy screen.
For the policy Expression enter the following (this matches only requests for the root of the vServer, so other paths are left alone):
HTTP.REQ.URL.EQ("/")

Click OK and that's it for the vServer.
Bind the vServer to the AAA vServer
Navigate to Security – AAA Application Traffic – Virtual Servers and open up your AAA vServer
Scroll down until you see Form Based Virtual Servers and check that your Load Balancing vServer is listed there; if it is not, bind it to the AAA vServer

Content Switching Policies
At this stage you have your Google authentication provider set up, your AAA vServer and Load Balancing vServer set up and linked, and your Responder policy forwarding users to the NetScaler Gateway once authenticated. You now need to set up your Content Switching policies to direct the traffic the way you want.
This is what I am trying to achieve.
- If a user types in citrix.chromesummit.com, then go straight to the NetScaler Gateway
- If the request hitting the Content Switch is AAA traffic, or has "/cvpn" or "/citrix" at the start of the URL path, then direct it to the NetScaler Gateway
- If a user types in login.chromesummit.com, then go to the Load Balanced vServer (AAA Auth vServer is attached to this – and will redirect to Google for authentication)
I am going to achieve this by using a Content Switching policy and a Default vServer on the Content Switch.
Navigate to Traffic Management – Content Switching – Actions and create an action whose target is your NetScaler Gateway vServer

Navigate to Traffic Management – Content Switching – Policies
Create a policy with the following expression:
HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cvpn") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/citrix") || HTTP.REQ.URL.CONTAINS_ANY("aaa_path") || HTTP.REQ.HOSTNAME.CONTAINS("citrix.chromesummit.com")
Substitute your own hostnames in place of mine.
Bind this policy to the action you created in the previous step.

Next open up your Content Switching vServer (this should have been created when you ran the Unified Gateway wizard during the pre-reqs stage) and locate the Content Switching Policy Binding section.
Bind your policy with a priority of 100

Set your Load Balancing vServer as the Default Load Balancing Virtual Server

Remove the SSO Domain from the NetScaler Gateway Session Profile
Locate the web session policy assigned to your NetScaler Gateway (its name contains _WB_) and, on the Published Applications tab of its profile, clear the Single Sign-on Domain field.

At this point your NetScaler should be configured to direct the traffic for citrix.chromesummit.com and login.chromesummit.com to different login providers.
Fallback Policy
One thing I did notice is that if you are already signed into Google and go to the login.chromesummit.com login page, it will SSO you into the Gateway, but when the apps and desktops should be displayed it tries to launch the Java VPN client instead. From what I can see, this is because the request does not match any of the HTTP header conditions in the session policies the wizard assigned to your Gateway.
To get around this, we can create a fallback policy to handle any session that is not covered by the two automatically created session policies.
Navigate to NetScaler Gateway – Policies – Session and click to add a new Session Policy
Give the policy a name, e.g. fallback, set the expression to ns_true and bind the same web profile (_WB_) that you edited in the previous step.

Next you will need to bind this policy to the NetScaler Gateway vServer. Make sure it has the lowest precedence, i.e. a higher priority number than the two existing session policies (NetScaler evaluates lower numbers first, and a lower-numbered matching session policy takes precedence), so that it only takes effect when none of the wizard's policies match and acts as the default for the Gateway

NetScaler Gateway Login Once
One thing you will need to check is that the Login Once option is set on the NetScaler Gateway. To do this, navigate to NetScaler Gateway – Virtual Servers and open up your vServer.
Click to edit the Basic Settings, expand the More section and make sure the Login Once box is ticked.

Catering for Native Receiver Access on the Login URL
Another thing we need to be aware of and cater for is that the Google users may want to use Receiver to access their apps and desktops. This will currently fail, as native Receiver cannot complete the configured OAuth flow. We therefore need to redirect users who hit the login.chromesummit.com URL from Receiver.
We will do this using another Content Switching Policy.
Navigate to Traffic Management – Content Switching – Policies
Create a policy with the following expression:
HTTP.REQ.HOSTNAME.CONTAINS("login.chromesummit.com") && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
Bind this to the same action you used for the previous policy (the one targeting the NetScaler Gateway).

Next, bind this new policy to the Content Switch at a higher priority than the previous policy, i.e. with a lower priority number (for example 90, since the previous policy is bound at 100), so it is evaluated first

Now if a user tries to log in to the login.chromesummit.com URL from native Receiver, they will be redirected to the regular NetScaler Gateway and asked for LDAP credentials.
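For reference, here is the whole of the above as NetScaler CLI commands, which is handy for keeping the build repeatable. This is an added example, not part of the original post or the wizard's output: the object names, the two IP addresses, the certkey name cert_login, the Content Switching and Gateway vServer names and the priority numbers are all assumptions, and <CLIENT_ID>, <CLIENT_SECRET> and <WB_profile> are placeholders for your own values. The endpoints and policy expressions are the ones from the steps above (the Authentication FQDN auth.h.1 and the aaa_path pattern set are used exactly as the walkthrough shows them). Clearing the SSO Domain in the _WB_ session profile is left as the GUI step described above.

```nscli
# Added example: CLI equivalent of the GUI steps. Names, IPs and priorities are assumptions.

# 1. Google OAuth action and the advanced authentication policy that calls it
add authentication OAuthAction oauth_google -clientID "<CLIENT_ID>" -clientSecret "<CLIENT_SECRET>" -authorizationEndpoint "https://accounts.google.com/o/oauth2/auth?client_id=<CLIENT_ID>&response_type=code&scope=openid%20email" -tokenEndpoint "https://accounts.google.com/o/oauth2/token" -idtokenDecryptEndpoint "https://www.googleapis.com/oauth2/v1/tokeninfo"
add authentication Policy pol_oauth_google -rule true -action oauth_google

# 2. AAA vServer (IP assumed) with the login.chromesummit.com certificate
add authentication vserver aaa_login SSL 192.0.2.10 443
bind ssl vserver aaa_login -certkeyName cert_login
bind authentication vserver aaa_login -policy pol_oauth_google -priority 100

# 3. "Always up" service: points at the appliance itself with monitoring off,
#    so the LB vServer in front of it never goes DOWN
add service svc_alwaysup 127.0.0.1 HTTP 80 -healthMonitor NO
add lb vserver lb_login SSL 192.0.2.11 443
bind ssl vserver lb_login -certkeyName cert_login
bind lb vserver lb_login svc_alwaysup
# Form-based authentication via the AAA vServer (auth.h.1 must resolve to 192.0.2.10)
set lb vserver lb_login -Authentication ON -AuthenticationHost auth.h.1 -authnVsName aaa_login

# 4. After Google hands the user back to "/", redirect to the Gateway login page
add responder action rs_act_gateway redirect "\"https://login.chromesummit.com/vpn/index.html\"" -responseStatusCode 302
add responder policy rs_pol_root "HTTP.REQ.URL.EQ(\"/\")" rs_act_gateway
bind lb vserver lb_login -policyName rs_pol_root -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Content switching. Gateway vServer (ug_vs_chromesummit) and CS vServer
#    (cs_chromesummit) names are assumed; the wizard created both.
add cs action cs_act_gateway -targetVserver ug_vs_chromesummit
add cs policy cs_pol_gateway -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/cvpn\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/citrix\") || HTTP.REQ.URL.CONTAINS_ANY(\"aaa_path\") || HTTP.REQ.HOSTNAME.CONTAINS(\"citrix.chromesummit.com\")" -action cs_act_gateway
# Native Receiver cannot complete the OAuth flow: send it to the Gateway (LDAP)
add cs policy cs_pol_receiver -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"login.chromesummit.com\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" -action cs_act_gateway
# Lower priority number is evaluated first, so the Receiver policy goes at 90
bind cs vserver cs_chromesummit -policyName cs_pol_receiver -priority 90
bind cs vserver cs_chromesummit -policyName cs_pol_gateway -priority 100
# Everything else (i.e. login.chromesummit.com from a browser) falls through to lb_login
bind cs vserver cs_chromesummit -lbvserver lb_login

# 6. Gateway: Login Once, plus a catch-all session policy bound with a priority
#    number higher than the wizard's policies so they still win when they match
set vpn vserver ug_vs_chromesummit -loginOnce ON
add vpn sessionPolicy pol_session_fallback ns_true <WB_profile>
bind vpn vserver ug_vs_chromesummit -policy pol_session_fallback -priority 1000
```

Run these from the NetScaler shell (nscli) or paste them into a batch file, then save the configuration with save ns config. The order matters only where an object is referenced before it exists (the action before the policy, the vServers before the bindings), which is the order shown.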
That’s it on the NetScaler for the moment – we will revisit it later on when we tidy up the config and add some nice-to-have bits to make the user experience better.
Thanks,
Dave Brett (@dbretty)