CTX200515
NetScaler Gateway
Configuration,Connectivity,Networking,Security
2016-04-15
2015-04-28
This article documents a change to the behavior of NetScaler Gateway 10.5 when configuring Single Sign-on to hosts on public IP addresses.

Information

Background

NetScaler Gateway 10.5 build 54.9 changes the behavior of Single Sign-on (SSO) when authenticating against hosts on public IP addresses. In builds earlier than 54.9 and releases earlier than 10.5, NetScaler Gateway forwarded SSO credentials to hosts on public IP addresses. Because of the security concerns around forwarding credentials to publicly reachable hosts, this behavior has been changed.

To support SSO to hosts on Public IPs a traffic profile and policy must be configured.
Note: If traffic does not match the traffic policy rule, then SSO to public IPs will not succeed even when SSO is ON at VPN parameter or at the Session Policy level.

Use Cases

The following are the two use cases for Traffic Profiles/Policies to support SSO to public IPs.

Use Case 1 - Clientless VPN (CVPN) and Secure Browse

From Command Line Interface

Run the following commands from the command line interface:

 > add vpn trafficAction TraffProf_CVPN_SBrowse http -SSO ON
 > add vpn trafficPolicy TraffPol_CVPN_SBrowse "REQ.HTTP.HEADER Host == host.cloud.com" TraffProf_CVPN_SBrowse
 > bind vpn vserver test-sslvpn -policy TraffPol_CVPN_SBrowse -priority 100
From User Interface
  1. Navigate to Configuration > NetScaler Gateway > Policies > Traffic.

  2. Click the Traffic Profiles tab and click Add.

  3. Give the Traffic Profile a name, select the HTTP radio button and select ON from the Single Sign-on drop-down list.

  4. Click OK.

  5. In Configuration > NetScaler Gateway > Policies > Traffic select the Traffic Policies tab.

  6. Click Add.

  7. Enter a name for the Traffic Policy.

  8. Select the Traffic Profile you created in steps 1-4.

  9. Create an expression. In this example the policy will only trigger on traffic where the HTTP host header has a value of "netscaler.cloud.com".
    Note: This policy only works if the traffic is HTTP, as this is the only time that the NetScaler will see the host header.

  10. Click Create.

  11. Navigate to Configuration > NetScaler Gateway > Virtual Servers. Open the virtual server of your choice by double-clicking the entry in the list.

  12. Scroll down to Policies and click the + (plus) icon.

  13. Select Traffic from the Choose Policy drop-down list; Request is selected automatically in the Choose Type list.

  14. Click Continue.

  15. Click the right-arrow in the Select Policy area.

  16. Select the Traffic Policy created in steps 5-10.

  17. Click OK.

  18. Click Bind in the Policies dialog window.

  19. Click Done at the bottom of the Virtual Server window.

Use Case 2 - Full VPN and Micro VPN

From Command Line Interface

Run the following commands from the command line interface:

 > add vpn trafficAction TraffProf_FVPN_MVPN tcp -SSO ON
 > add vpn trafficPolicy TraffPol_FVPN_MVPN "REQ.IP.DESTIP == 200.100.50.25" TraffProf_FVPN_MVPN
 > bind vpn vserver test-sslvpn -policy TraffPol_FVPN_MVPN -priority 90
From User Interface
  1. Navigate to Configuration > NetScaler Gateway > Policies > Traffic.

  2. Click the Traffic Profiles tab and click Add.

  3. Give the Traffic Profile a name, select the TCP radio button and click Create.

  4. Double-click the TraffProf_FVPN_MVPN traffic profile in the UI and select ON from the Single Sign-on drop-down list. Click OK.

  5. In Configuration > NetScaler Gateway > Policies > Traffic select the Traffic Policies tab.

  6. Click Add.

  7. Enter a name for the Traffic Policy.

  8. Select the Traffic Profile you created in steps 1-4.

  9. Create an expression.
    Note: The NetScaler can never perform SSO for HTTPS traffic in VPN mode, because it cannot see the HTTP exchange inside the SSL session. For this reason you need to use an expression that does not depend on HTTP content. In this example the policy only triggers on traffic whose destination IP address equals a specific address; the address used here is a public IP.

  10. Click Create.

  11. Navigate to Configuration > NetScaler Gateway > Virtual Servers. Open the virtual server of your choice by double-clicking the entry in the list.

  12. Scroll down to Policies and click the + (plus) icon.

  13. Select Traffic from the Choose Policy drop-down list; Request is selected automatically in the Choose Type list.

  14. Click Continue.

  15. Click the right-arrow in the Select Policy area.

  16. Select the Traffic Policy created in steps 5-10.

  17. Click OK.

  18. Click Bind in the Policies dialog window.

  19. Click Done at the bottom of the Virtual Server window.
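Because SSO to a public host is only as safe as the rule that scopes the traffic policy, it is worth auditing the resulting configuration. The following Python is an added example, not part of the Citrix article or product: it parses NetScaler CLI lines of the form used in both use cases above and flags SSO-enabled traffic policies that reference a missing traffic profile (the kind of name mismatch that silently breaks SSO) or that use a catch-all rule. The configuration text is constructed here, and treating ns_true and true as catch-all rules is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample config (not real device output), modelled on the two use
# cases above plus one deliberately over-broad policy and one mismatched name.
SAMPLE_CONFIG = """\
add vpn trafficAction TraffProf_CVPN_SBrowse http -SSO ON
add vpn trafficPolicy TraffPol_CVPN_SBrowse "REQ.HTTP.HEADER Host == host.cloud.com" TraffProf_CVPN_SBrowse
bind vpn vserver test-sslvpn -policy TraffPol_CVPN_SBrowse -priority 100
add vpn trafficAction TraffProd_FVPN_MVPN tcp -SSO ON
add vpn trafficPolicy TraffPol_FVPN_MVPN "REQ.IP.DESTIP == 200.100.50.25" TraffProf_FVPN_MVPN
bind vpn vserver test-sslvpn -policy TraffPol_FVPN_MVPN -priority 90
add vpn trafficAction TraffProf_Any http -SSO ON
add vpn trafficPolicy TraffPol_Any ns_true TraffProf_Any
bind vpn vserver test-sslvpn -policy TraffPol_Any -priority 80
"""

ACTION_RE = re.compile(r'^add vpn trafficAction (\S+) (\S+)(.*)$')
POLICY_RE = re.compile(r'^add vpn trafficPolicy (\S+) (?:"([^"]*)"|(\S+)) (\S+)$')
BIND_RE = re.compile(r'^bind vpn vserver (\S+) -policy (\S+)')
CATCH_ALL = {"ns_true", "true"}  # assumed names of match-everything rules


def audit_sso_policies(config_text):
    """Return a list of findings for traffic policies whose profile has SSO ON."""
    actions, policies, bound = {}, {}, defaultdict(list)
    for line in config_text.splitlines():
        if m := ACTION_RE.match(line):
            actions[m.group(1)] = "-SSO ON" in m.group(3)  # name -> SSO enabled?
        elif m := POLICY_RE.match(line):
            rule = m.group(2) if m.group(2) is not None else m.group(3)
            policies[m.group(1)] = (rule, m.group(4))  # name -> (rule, profile)
        elif m := BIND_RE.match(line):
            bound[m.group(2)].append(m.group(1))  # policy -> vservers it is bound on
    findings = []
    for name, (rule, action) in policies.items():
        if action not in actions:
            findings.append(f"{name}: references undefined trafficAction {action}")
            continue
        if not actions[action]:
            continue  # SSO OFF: this policy never forwards credentials
        if rule.strip() in CATCH_ALL:
            where = ", ".join(bound.get(name, [])) or "nothing"
            findings.append(f"{name}: SSO ON with catch-all rule '{rule}' (bound on {where})")
    return findings


if __name__ == "__main__":
    for finding in audit_sso_policies(SAMPLE_CONFIG):
        print(finding)
```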

Additional Resources

For more information, refer to the NetScaler Gateway 10.5 release notes:

NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.
[From Build 54.9] [#518414]
