Hands-on Lab Exercise Guide


606: Improving Microsoft Exchange 2013 Performance with NetScaler
Hands-on Lab Exercise Guide
Johnathan Campos and Daniel Kuenzli
May 2015

Table of Contents

Overview
Scenario
Exercise 1: Initial Configuration
Exercise 2: Configuring Custom Monitors for Exchange 2013
Exercise 3: Configuring Service Groups for Exchange 2013
Exercise 4: Configuring Virtual Servers for Exchange 2013
Exercise 5: Configuring the Content Switching Virtual Server for Exchange 2013
Exercise 6: Configuring Custom Responder Policies for Exchange 2013
Exercise 7: Configuring Single Sign-On for Exchange 2013

Overview

Hands-on Training Module Objective

Companies today conduct much of their business online. Whether email for corporate communications, websites for product and service information or sales, or server-hosted apps that run across a variety of end-user devices, companies rely on secure, reliable network connectivity in order to function and prosper. As the volume of a company's network traffic increases, so does the need for robust, resilient, and reliable network infrastructure that can not only sustain the network traffic, but optimize it. Gaining optimum efficiency in network connections, whether between private company assets across semi-private telecommunications channels, or between companies and their customers across the public internet, is a key asset to any company's operations. Citrix NetScaler, leveraging Load Balancing, optimizes and enhances the reliability of network infrastructures to allow better, more secure network communications, regardless of device or protocol.

In this hands-on lab, we will configure Citrix NetScaler's Load Balancing, Custom Monitors, and Responder features in tandem with Microsoft Exchange 2013. The exercises shown in this hands-on lab guide will allow administrators to work with the features focused on the replacement of Microsoft Threat Management Gateway with Citrix NetScaler.

Challenges:

- Providing increased reliability of email services, even in the face of individual server downtime
- Ensuring that email communications facilitate business operations while not introducing potential security threats
- Optimizing the user experience when accessing email services
- Providing a replacement for the existing web proxy (Microsoft Threat Management Gateway)

Prerequisites

- Basic understanding of deployment scenarios of the Citrix NetScaler.
- Basic understanding of deployment scenarios of Microsoft Exchange 2013.
- Basic understanding of the Microsoft Exchange 2013 management console.

Audience

- Citrix Partners
- Customers
- Sales Engineers
- Consultants
- Technical Support

Lab Environment Details

The system diagram of the lab is shown below:

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.

Lab Guide Conventions

- This symbol indicates particular attention must be paid to this step
- Special note to offer advice or background information
- reboot: Text the student enters or an item they select is printed like this
- VMDemo: Filename mentioned in text or lines added to files during editing
- Start: Bold text indicates reference to a button or object
- Focuses attention on a particular part of the screen (R:255 G:20 B:147)
- Shows where to click or select an item on a screen shot (R:255 G:102 B:0)

List of Virtual Machines Used

VM Name          IP Address      Description / OS
Site1-NS1        192.168.10.15   Citrix NetScaler Build 10.5 53.9
Site1-AD1        192.168.10.11   Windows Server 2012R2 LDAP Server
Site1-Client1    192.168.10.45   Windows 8.1 Client
Site1-Exchange   192.168.10.20   Windows Server 2012R2 Exchange 2013 - CAS/MB
Site2-Exchange2  192.168.20.20   Windows Server 2012R2 Exchange 2013 - CAS/MB
Site2-AD2        192.168.20.11   Windows Server 2012R2 LDAP Server

Required Lab Credentials

The credentials required to connect to the environment and complete the lab exercises.

VM Name          IP Address      Username                Password
Site1-NS1        192.168.10.15   nsroot                  nsroot
Site1-AD1        192.168.10.11   Training\Administrator  Citrix123
Site1-Client1    192.168.10.45   Training\Administrator  Citrix123
Site1-Exchange   192.168.10.20   Training\Administrator  Citrix123
Site2-Exchange2  192.168.20.20   Training\Administrator  Citrix123
Site2-AD2        192.168.20.11   Training\Administrator  Citrix123

Important Lab Environment Note

When connecting to the lab environment, you may be prompted to restart Windows on the Student Desktop. If prompted, please select Restart Later. Selecting Restart Now will disconnect you from the Student Desktop.

Additionally, you may receive intermittent User Access Control prompts on the Student Desktop regarding jucheck.exe. When prompted, please select No and continue with your lab.

Scenario

AnyCo, Inc. has requested that a Sales Engineer demonstrate to their executive IT staff a solution that can improve the reliability and operational continuity of their infrastructure while also enhancing their network security as they increase the amount of traffic that must flow between their internal network and the public internet. Likewise, they also want to ensure that these additional security and functionality enhancements do not impede their available throughput or negatively impact their employees' day-to-day productivity. Citrix NetScaler, through its Load Balancing feature, can provide all of these abilities and more.

In order to improve email availability system-wide and provide service redundancy, your goal is to assist AnyCo, Inc. with their challenges outlined below, and ensure that these solutions fit their business needs.

Challenges:

- The customer wants to make sure that their email services continue despite server maintenance or unexpected downtime in any one site
- Emails sent outside the company should reveal as little network information as possible about the sender's environment
- Fluctuating volumes of email and other network traffic should not affect users' experience working within the company's network
- Users' experience should be considered when accessing web services
- Replacement of the current web services proxy, which reaches end of support in December 2015

Exercise 1: Initial Configuration

Overview

This exercise will guide you through the initial configuration of the NetScaler appliance in this lab environment, which is identified as:

- Site1-NS1

The following settings will be configured for each NetScaler:

- NSIP (NetScaler Management IP)
- SNIP (Subnet IP)
- Verify Licenses
- Enable Global Features

Step by step guidance

Estimated time to complete this lab: 20 minutes.

Step Action

1. Begin by logging on to the assigned Citrix XenServer by double-clicking on the Citrix XenCenter icon.
   XenCenter may open automatically. If XenCenter does not open, proceed with Step 1.

2. Connect to the assigned XenServer by right-clicking on your attached XenServer and clicking Connect.

3. Enter the XenServer credentials shown on the login screen of the lab execution page and click Connect.
   Below is an example of assigned XenServer credentials.

4. Select the following VM and click on the console tab to begin the configuration of the Citrix NetScaler.
   VM: Site1-NS1

5. Enter the following IP Address, Subnet Mask and Default Gateway for the Site1-NS1, pressing Enter after each line entry.
   IP Address: 192.168.10.15
   Subnet Mask: 255.255.255.0
   Default Gateway: 192.168.10.1

6. Select the following option and press Enter to Save and Quit, committing the settings previously entered.
   Option: 4

7. Once the reboot is completed, log in to the Site1-NS1 NetScaler ADC with the following credentials.
   Login: nsroot
   Password: nsroot
   When entering the password, text will not display for security reasons.

8. Enter the following command once logged onto the Site1-NS1 and confirm that 192.168.10.15 is set as the NetScaler IP.
   Command: show ns ip
   Once verified, type exit on the Site1-NS1 console, press Enter, and minimize the XenCenter application.

9. Using Internet Explorer, enter the URL and credentials below to log on to the Site1-NS1 NetScaler.
   http://192.168.10.15
   Username: nsroot
   Password: nsroot

10. Select the Subnet IP Address box on the initial NetScaler configuration wizard to enter the SNIP (Subnet IP Address) for the Site1-NS1 NetScaler ADC.

11. Enter the following Subnet IP Address and click Done.
    Subnet IP Address: 192.168.10.50
    A subnet IP address is used by the NetScaler to communicate with the backend servers. NetScaler uses this subnet IP address as a source IP address to proxy the client connections as well as to send monitor probes to check the health of the backend servers.

12. Proceed to click the Host Name, DNS IP Address, and Time Zone boxes on the initial NetScaler configuration wizard to enter the Host Name, DNS IP Address, and Time Zone for the Site1-NS1 NetScaler ADC.

13. Enter the following Host Name, DNS IP Address, and Time Zone and click Done.
    Host Name: NS1
    DNS IP Address: 192.168.10.11
    Time Zone: GMT-4:00-EDT-America/New_York

14. Proceed to click the Licenses box on the initial NetScaler configuration wizard to confirm the license for the Site1-NS1 NetScaler ADC.

15. Confirm that the four pre-configured licenses have been uploaded to the Site1-NS1 NetScaler ADC and click Back.

16. Click Continue on the initial NetScaler configuration wizard to proceed to the Site1-NS1 NetScaler dashboard.

17. From the NetScaler dashboard proceed to System > Settings and click Configure Basic Features.

18. Select the following basic features and click OK to return to the NetScaler dashboard.
    Features:
    - SSL Offloading
    - Load Balancing
    - Rewrite
    - Authentication, Authorization, and Auditing
    - HTTP Compression
    - Content Switching

19. Click Configure Advanced Features to now enable several advanced features.

20. Select the following advanced features and click OK to return to the NetScaler dashboard.
    Features:
    - Responder
    Surge Protection and Web Logging are selected by default. DO NOT un-select.

    Surge Protection: This feature ensures that connections to the server occur at a rate which the server can handle. The response rate depends on how surge protection is configured. The NetScaler appliance also tracks the number of connections to the server, and uses that information to adjust the rate at which it opens new server connections.

    Web Logging: This feature sends logs of HTTP and HTTPS requests to a client system for storage and retrieval. This feature has two components:
    - The Web log server, which runs on the NetScaler.
    - The NetScaler Web Logging (NSWL) client, which runs on the client system.

    When you run the NetScaler Web Logging (NSWL) client:
    1. It connects to the NetScaler.
    2. The NetScaler buffers the HTTP and HTTPS request log entries before sending them to the client.
    3. The client can filter the entries before storing them.

21. From the NetScaler dashboard proceed to Traffic Management > SSL > Certificates and click Install to begin the installation of the SSL certificates utilized in this lab and exercise.

22. Add the following Certificate-Key Pair Name and browse for the Certificate File on the local C:\Certificates folder of the student desktop for the MCTIntermediate.cer certificate file. Click Install to complete the installation.
    Certificate-Key Pair Name: MCT Intermediate
    Intermediate certificates sit between an end entity certificate and a root certificate. They help complete a Chain of Trust from your certificate back to your certification authority's root certificate.

23. Confirm that the MCT Intermediate certificate has been installed and click Install to continue installation of the second certificate utilized in this lab and exercise.

24. Add the following Certificate-Key Pair Name and browse for the Certificate File on the local C:\Certificates folder of the student desktop for the MCTWildcard.cer certificate file and MyCitrixTraining.key key file. Click Install to complete the installation.
    Certificate-Key Pair Name: MCT Key Pair

25. Confirm that the MCT Key Pair certificate has been installed.

26. Link the MCT Key Pair SSL Certificate and MCT Intermediate SSL Certificate by right-clicking on the MCT Key Pair and selecting Link.

27. Select the following CA Certificate Name and click OK to complete the link between both SSL certificates.
    CA Certificate Name: MCT Intermediate

28. Click the small blue disk to save the NetScaler configuration. Click Yes to confirm.

Exercise Summary

In this exercise, you configured the basic features of Citrix NetScaler, including its IP addresses, licensing, and advanced feature enablement.

Exercise 2: Configuring Custom Monitors for Exchange 2013

Overview

This exercise explains how to create custom Microsoft Exchange monitors to thoroughly inspect all existing Microsoft Exchange virtual directories. These monitors probe the Exchange virtual directories listed below, checking the HTTP header of each virtual directory for a 200 OK response code.

1. /owa (Outlook Web Access)
2. /ecp (Exchange Control Panel)
3. /ews (Exchange Web Service)
4. /Microsoft-Server-ActiveSync (ActiveSync Service for Mobile Mail clients)
5. /oab (Offline Address Book)
6. /rpc (Outlook Anywhere or RPC over HTTPS)
7. /Autodiscover (Autodiscover Service)

Step by step guidance

Estimated time to complete this lab: 45 minutes.

Step Action

1. Using Internet Explorer, type the following URL and credentials to log on to the Site1-NS1 NetScaler. Skip this step if already logged into the Site1-NS1 NetScaler.
   http://192.168.10.15
   Username: nsroot
   Password: nsroot

2. From the NetScaler dashboard navigate to Configuration > Traffic Management > Load Balancing > Monitors and click Add to create the first Monitor utilized in this exercise.

3. Enter the following Name and Type. Scroll down to click the Secure check box to convert the HTTP monitor to HTTPS.
   Name: OWA-Mon
   Type: HTTP
   Do not click Create. Proceed to the next step.

4. Click on the Special Parameters tab, add the following HTTP Request (HTTP Header Request), click the Treat Backslash as Escape Character check box and click Create.
   HTTP Request: GET /owa/healthcheck.htm
   The monitor created is a dedicated monitor for the Outlook Web Access virtual directory.

5. Select the OWA-Mon and click Add to create a new pre-populated monitor.

6. Change the OWA-Mon name to ECP-Mon and ensure that the Secure check box is checked.

7. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
   HTTP Request: GET /ecp/healthcheck.htm
   The monitor created is a dedicated monitor for the Exchange Control Panel virtual directory.

8. Select the OWA-Mon and click Add to create a new pre-populated monitor.

9. Change the OWA-Mon name to EWS-Mon and ensure that the Secure check box is checked.

10. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
    HTTP Request: GET /ews/healthcheck.htm
    The monitor created is a dedicated monitor for the Exchange Web Services virtual directory.

11. Select the OWA-Mon and click Add to create a new pre-populated monitor.

12. Change the OWA-Mon name to Activesync-Mon and ensure that the Secure check box is checked.

13. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
    HTTP Request: GET /Microsoft-Server-ActiveSync/healthcheck.htm
    The monitor created is a dedicated monitor for the Exchange ActiveSync virtual directory used with mobile devices.

14. Select the OWA-Mon and click Add to create a new pre-populated monitor.

15. Change the OWA-Mon name to OAB-Mon and ensure that the Secure check box is checked.

16. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
    HTTP Request: GET /oab/healthcheck.htm
    The monitor created is a dedicated monitor for the Exchange Offline Address Book virtual directory.

17. Select the OWA-Mon and click Add to create a new pre-populated monitor.

18. Change the OWA-Mon name to RPC-Mon and ensure that the Secure check box is checked.

19. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
    HTTP Request: GET /rpc/healthcheck.htm
    The monitor created is a dedicated monitor for the RPC virtual directory used for Basic Authentication.

20. Select the OWA-Mon and click Add to create a new pre-populated monitor.

21. Change the OWA-Mon name to AutoDiscover-Mon and ensure that the Secure check box is checked.

22. Click on the Special Parameters tab, modify the following HTTP Request (HTTP Header Request), check the Treat Backslash as Escape Character check box and click Create.
    HTTP Request: GET /Autodiscover/healthcheck.htm
    The monitor created is a dedicated monitor for the AutoDiscover virtual directory used with the Autodiscover service.

23. Click the small blue disk to save the NetScaler configuration. Click Yes to confirm.

Exercise Summary

In this exercise, you configured Service Monitors, which allow the Citrix NetScaler to continually communicate with and verify the availability of the associated email servers. By monitoring the status and availability of the email servers, Citrix NetScaler can ensure that it is always passing network traffic to backend servers and resources that are online and available to serve the content that incoming client connections are requesting. Likewise, monitoring the backend servers allows the Citrix NetScaler to redirect traffic when necessary in order to ensure continuity of service availability.

Exercise 3: Configuring Service Groups for Exchange 2013

Overview

In this exercise, service groups are used to bind together both the previously created custom monitors and the two existing Microsoft Exchange backend servers (Site1-Exchange and Site2-Exchange). Each service group will contain the same backend servers, but use unique monitors for each virtual directory used with Microsoft Exchange. Administrators are typically accustomed to using traditional services with Citrix NetScaler for this type of implementation; however, with traditional services the same backend server cannot be used repeatedly.

This exercise covers 4 of the 7 Service Groups that can be created when load balancing Microsoft Exchange with Citrix NetScaler. Each of the service groups will use the same backend servers but is unique in its respective monitor. The monitors used in this exercise will be the following:

- OWA-Mon (Outlook Web Access)
- ECP-Mon (Exchange Control Panel)
- Autodiscover-Mon (Autodiscover Monitor)
- ActiveSync-Mon (ActiveSync Monitor)

Step by step guidance

Estimated time to complete this lab: 30 minutes.

Step Action

1. Using Internet Explorer, type the following URL and credentials to log on to the Site1-NS1 NetScaler. Skip this step if already logged into the Site1-NS1 NetScaler.
   http://192.168.10.15
   Username: nsroot
   Password: nsroot

2. From the NetScaler dashboard navigate to Configuration > Traffic Management > Load Balancing > Service Groups and click Add to create the first Service Group associated to the Outlook Web Access virtual directory.

3. Enter the following Name and Protocol, and click OK.
   Name: OWA-SG
   Protocol: SSL

4. Add the following Advanced features.
   - Members
   - Monitors

5. Select No Service Group Member to begin adding the first Microsoft Exchange backend server.

6. Select Server Based followed by the + symbol.

7. Add the following Server Name and IP Address, and click Create to add the first server associated to this Service Group.
   Server Name: Site1-Exchange
   IP Address: 192.168.10.20

8. Add the following Port and select Create to complete the association of the Site1-Exchange backend server.
   Port: 443

9. Click 1 Service Group Member to begin adding the second Microsoft Exchange backend server to this service group.

10. Click Add to continue adding the server to this Service Group.

11. Select Server Based followed by the + symbol.

12. Add the following Server Name and IP Address, and click Create to add the second server associated to this Service Group.
    Server Name: Site2-Exchange
    IP Address: 192.168.20.20

13. Add the following Port and select Create to complete the association of the Site2-Exchange backend server.
    Port: 443

14. Select Close to complete the Member Binding portion of the Service Group.

15. Click No Service Group to Monitor Binding to bind the previously created monitor for the Outlook Web Access virtual directory.

16. Click the > symbol to select the necessary monitor used for the Outlook Web Access virtual directory.

17. Scroll down and select the previously created monitor named OWA-Mon and click OK.
    This monitor will consistently monitor the Outlook Web Access virtual directory.

18. Click Bind to bind the monitor to the OWA-SG (Outlook Web Access) Service Group.

19. Click Done to complete the OWA-SG (Outlook Web Access) Service Group.

20. Click Add to create the second Service Group used for the Exchange Control Panel virtual directory.
    You may need to refresh the NetScaler dashboard to view the current State and Effective State of the recently created Service Group.

21. Enter the following Name and Protocol, and click OK.
    Name: ECP-SG
    Protocol: SSL

22. Add the following Advanced features.
    - Members
    - Monitors

23. Select No Service Group Member to add both Microsoft Exchange backend servers to the Service Group.

24. Select Server Based followed by the > symbol.

25. Select the following servers previously added when creating the OWA-SG Service Group and click OK.
    - Site1-Exchange
    - Site2-Exchange

26. Add the following Port and select Create to complete the association of both the Site1 and Site2 Microsoft Exchange backend servers to the Service Group.
    Port: 443

27. Click No Service Group to Monitor Binding to bind the previously created monitor for the Exchange Control Panel virtual directory.

28. Click the > symbol to select the necessary monitor used for the Exchange Control Panel virtual directory.

29. Scroll down and select the previously created monitor named ECP-Mon and click OK.
    This monitor will consistently monitor the Exchange Control Panel virtual directory.

30. Click Bind to bind the monitor to the Exchange Control Panel Service Group.

31. Click Done to complete the ECP-SG (Exchange Control Panel) Service Group.

32. Click Add to create the third Service Group used for the Autodiscover virtual directory.
    You may need to refresh the NetScaler dashboard to view the current State and Effective State of the recently created Service Group.

33. Enter the following Name and Protocol, and click OK.
    Name: Autodiscover-SG
    Protocol: SSL

34. Add the following Advanced features.
    - Members
    - Monitors

35. Select No Service Group Member to add both Microsoft Exchange backend servers to the Service Group.

36. Select Server Based followed by the > symbol.

37. Select the following servers previously added when creating the OWA-SG Service Group and click OK.
    - Site1-Exchange
    - Site2-Exchange

38. Add the following Port and select Create to complete the association of both the Site1 and Site2 Microsoft Exchange backend servers.
    Port: 443

39. Click No Service Group to Monitor Binding to bind the previously created monitor for the Autodiscover virtual directory.

40. Click the > symbol to select the necessary monitor used for the Autodiscover virtual directory.

41. Scroll down the list of available monitors and change the view to 50 Per Page.

42. Scroll down and select the previously created monitor named Autodiscover-Mon and click OK.
    This monitor will consistently monitor the Autodiscover virtual directory.

43. Click Bind to bind the monitor to the Autodiscover Service Group.

44. Click Done to complete the Autodiscover-SG Service Group.

45. Click Add to create the fourth Service Group used for the ActiveSync virtual directory.
    You may need to refresh the NetScaler dashboard to view the current State and Effective State of the recently created Service Group.

46. Enter the following Name and Protocol, and click OK.
    Name: ActiveSync-SG
    Protocol: SSL

47. Add the following Advanced features.
    - Members
    - Monitors

48. Select No Service Group Member to add both Microsoft Exchange backend servers to the Service Group.

49. Select Server Based followed by the > symbol.

50. Select the following servers previously added when creating the OWA-SG Service Group and click OK.
    - Site1-Exchange
    - Site2-Exchange

51. Add the following Port and select Create to complete the association of both the Site1 and Site2 Microsoft Exchange backend servers.
    Port: 443

52. Click No Service Group to Monitor Binding to bind the previously created monitor for the ActiveSync virtual directory.

53. Click the > symbol to select the necessary monitor used for the ActiveSync virtual directory. 54. Scroll down and select the previously created monitor named Activesync-Mon and click OK. This monitor will consistently monitor the ActiveSync virtual directory. 63

55. Click Bind to bind the monitor to the ActiveSync Service Group. 56. Click Done to complete the ActiveSync-SG Service Group. 64

57. Click the small blue disk to save the NetScaler configuration. Click Yes to confirm. It may be required to refresh the NetScaler dashboard to view the currently State and Effective state of the recently created Service Group. Exercise Summary This exercise covered the configuration of the service groups used to bind together previously created monitors for each Exchange 2013 virtual directory and backend servers found in this lab environment. Each service group reflects the same two backend servers, but uniquely works with a different custom Exchange monitor. 65

Exercise 4 Configuring Virtual Servers for Exchange 2013

Overview
In this exercise non-addressable virtual servers are created for each one of the Exchange virtual directories for which a service group was created in the previous exercise. Creating these virtual servers will allow administrators to apply the policies needed for a better user experience and a more secure environment. Each one of the virtual servers will bind all of the service groups created in exercise 3 along with the certificate bound to each Exchange Server in the lab environment.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Using Internet Explorer, type the following URL and credentials to log on to the Site1-NS1 NetScaler. Skip this step if already logged into the Site1-NS1 NetScaler.
    http://192.168.10.15
    Username: nsroot
    Password: nsroot
2. From the NetScaler dashboard navigate to Configuration > Traffic Management > Load Balancing > Virtual Servers and click Add to create the first Virtual Server associated to the Outlook Web Access virtual directory.
3. Add the following basic settings and click OK.
    Name: Exchange-OWA
    Protocol: SSL
    IP Address Type: Non-Addressable
4. Click the No Load Balancing Virtual Server ServiceGroup Binding.
5. Click the > symbol to select the corresponding Service Group.
6. Select the OWA-SG Service Group and click OK. This will attach all servers hosting the Outlook Web Access virtual directory and monitors to the Exchange-OWA Virtual Server.
7. Select Bind to complete the attachment of the OWA-SG Service Group.
8. Click OK to proceed with the Virtual Server configuration.
9. Click the NO Server Certificate to bind a certificate to the Exchange-OWA Virtual Server.
10. Click the > symbol to select the certificate.
11. Select the MCT Key Pair certificate and select OK.
12. Select Bind to complete the attachment of the MCT Key Pair certificate to the Exchange-OWA Virtual Server.
13. Click OK to complete the Virtual Server configuration.
14. Click Done to navigate back to the NetScaler dashboard.
15. Click refresh to confirm that the Exchange-OWA Virtual Server's State and Effective State are UP.
16. Click Add to create the second Virtual Server for Exchange 2013 associated to the ActiveSync virtual directory.
17. Add the following basic settings and click OK.
    Name: Exchange-ActSync
    Protocol: SSL
    IP Address Type: Non-Addressable
18. Click the No Load Balancing Virtual Server ServiceGroup Binding.
19. Click the > symbol to select the corresponding Service Group.
20. Select the ActiveSync-SG Service Group and click OK. This will attach all servers hosting the ActiveSync virtual directory and monitors to the Exchange-ActSync Virtual Server.
21. Select Bind to complete the attachment of the ActiveSync-SG Service Group.
22. Click OK to proceed with the Virtual Server configuration.
23. Click the NO Server Certificate to bind a certificate to the Exchange-ActSync Virtual Server.
24. Click the > symbol to select the certificate.
25. Select the MCT Key Pair certificate and select OK.
26. Select Bind to complete the attachment of the MCT Key Pair certificate to the Exchange-ActSync Virtual Server.
27. Click OK to complete the Virtual Server configuration.
28. Click Done to navigate back to the NetScaler dashboard.
29. Click refresh to confirm that the Exchange-ActSync Virtual Server's State and Effective State are UP.
30. Click Add to create the third Virtual Server for Exchange 2013 associated to the Auto Discover virtual directory.

31. Add the following basic settings and click OK.
    Name: Exchange-AutoDis
    Protocol: SSL
    IP Address Type: Non-Addressable
32. Click the No Load Balancing Virtual Server ServiceGroup Binding.
33. Click the > symbol to select the corresponding Service Group.
34. Select the AutoDiscover-SG Service Group and click OK. This will attach all servers hosting the Auto Discover virtual directory and monitors to the Exchange-AutoDis Virtual Server.
35. Select Bind to complete the attachment of the Autodiscover-SG Service Group.
36. Click OK to proceed with the Virtual Server configuration.
37. Click the NO Server Certificate to bind a certificate to the Exchange-ActSync Virtual Server.
38. Click the > symbol to select the certificate.
39. Select the MCT Key Pair certificate and select OK.
40. Select Bind to complete the attachment of the MCT Key Pair certificate to the Exchange-AutoDis Virtual Server.
41. Click OK to complete the Virtual Server configuration.
42. Click Done to navigate back to the NetScaler dashboard.
43. Click refresh to confirm that the Exchange-AutoDis Virtual Server's State and Effective State are UP.
44. Click Add to create the fourth Virtual Server for Exchange 2013 associated to the Exchange Control Panel virtual directory.
45. Add the following basic settings and click OK.
    Name: Exchange-ECP
    Protocol: SSL
    IP Address Type: Non-Addressable
46. Click the No Load Balancing Virtual Server ServiceGroup Binding.
47. Click the > symbol to select the corresponding Service Group.
48. Select the ECP-SG Service Group and click OK. This will attach all servers hosting the Exchange Control Panel virtual directory and monitors to the Exchange-ECP Virtual Server.
49. Select Bind to complete the attachment of the ECP-SG Service Group.
50. Click OK to proceed with the Virtual Server configuration.
51. Click the NO Server Certificate to bind a certificate to the Exchange-ECP Virtual Server.
52. Click the > symbol to select the certificate.
53. Select the MCT Key Pair certificate and select OK.
54. Select Bind to complete the attachment of the MCT Key Pair certificate to the Exchange-ECP Virtual Server.
55. Click OK to complete the Virtual Server configuration.
56. Click Done to navigate back to the NetScaler dashboard.
57. Click refresh to confirm that the Exchange-ECP Virtual Server's State and Effective State are UP.
58. Click the small blue disk to save the NetScaler configuration. Click Yes to confirm.

Exercise Summary
This exercise explained how to create non-addressable virtual servers for each one of the Exchange virtual directories for which a service group was created in the previous exercise. These virtual servers bound all of the service groups created in Exercise 3 along with the certificate bound to each Exchange Server in the lab environment.

Exercise 5 Configuring the Content Switching Virtual Server for Exchange 2013

Overview
In this exercise one addressable content switching virtual server is created to reflect each virtual server created. The content switching virtual server will allow administrators to create policies for each type of device or URL by inspecting the HTTP header sent to the IP address applied to the content switching virtual server. The content switching policy then identifies the type of device or URL and directs it to the corresponding virtual server.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Using Internet Explorer, type the following URL and credentials to log on to the Site1-NS1 NetScaler. Skip this step if already logged into the Site1-NS1 NetScaler.
    http://192.168.10.15
    Username: nsroot
    Password: nsroot
2. From the NetScaler dashboard navigate to Configuration > Traffic Management > Content Switching > Virtual Servers and click Add to begin creating the content switching virtual server.
3. Add the following basic settings for the Content Switching Virtual Server and click OK.
    Name: Exchange-CSvServer
    Protocol: SSL
    IP Address Type: IP Address
    IP Address: 192.168.10.100
    Port: 443
4. Click the No Content Switching Policy Bound to begin adding a CS Policy. The CS policy expression will help identify the type of data and the action to take once identified.
5. Click the + symbol to add the first policy for the Content Switching vserver. This first Content Switching Policy will forward requests to the ActiveSync virtual server (Exchange-ActSync).
6. Add the following settings to the Content Switch Policy and click Create.
    Name: CS-POL-ACTSYNC
    Expression: HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/Microsoft-Server-ActiveSync")
    Do not copy and paste the expression.
7. Click the > symbol to attach a target virtual server.
8. Select the following Virtual Server and click OK.
    Virtual Server: Exchange-ActSync
9. Click Bind to complete the first Content Switching Policy.
10. Click the 1 Content Switching Policy link to add a second CS Policy.
11. Click Add Binding.
12. Click the + symbol to add the second policy for the Content Switching vserver. This second Content Switching Policy will forward requests to the Auto Discover virtual server (Exchange-AutoDis).
13. Add the following settings to the Content Switch Policy and click Create.
    Name: CS-POL-AUTODIS
    Expression: HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/Autodiscover")
    Do not copy and paste the expression.
14. Click the > symbol to attach a target virtual server.
15. Select the following Virtual Server and click OK.
    Virtual Server: Exchange-AutoDis
16. Click Bind to complete the second Content Switching Policy.
17. Click Add Binding.
18. Click the + symbol to add the third policy for the Content Switching vserver. This third Content Switching Policy will forward requests to the Exchange Control Panel virtual server (Exchange-ECP).
19. Add the following settings to the Content Switch Policy and click Create.
    Name: CS-POL-ECP
    Expression: HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ecp")
    Do not copy and paste the expression.
20. Click the > symbol to attach a target virtual server.
21. Select the following Virtual Server and click OK.
    Virtual Server: Exchange-ECP
22. Click Bind to complete the third Content Switching Policy.
23. Click Add Binding.
24. Click the + symbol to add the fourth policy for the Content Switching vserver. This fourth Content Switching Policy will forward requests to the OWA virtual server (Exchange-OWA).
25. Add the following settings to the Content Switch Policy and click Create.
    Name: CS-POL-OWA
    Expression: HTTP.REQ.HEADER("User-Agent").SET_TEXT_MODE(IGNORECASE).CONTAINS("Mozilla")
    Do not copy and paste the expression. Also, note that expressions do not contain any spaces.
26. Click the > symbol to attach a target virtual server.
27. Select the following Virtual Server and click OK.
    Virtual Server: Exchange-OWA
28. Click Bind to complete the fourth Content Switching Policy.
29. Click Close to continue with the Content Switching Virtual Server.
30. Click OK.

31. Add the following advanced setting to add a certificate to the Content Switching virtual server.
    Advanced Settings: Certificates
32. Click the No Server Certificate link.
33. Click the > symbol.
34. Select the following SSL certificate and click OK.
    SSL certificate: MCT Key Pair
35. Click Bind to attach the certificate to the Content Switching Virtual Server.
36. Click Close to close the certificate box.
37. Click Done to complete the Content Switching Virtual Directory.
38. Click refresh to confirm that the State of the Exchange-CSvServer is Up.
39. Navigate back to Traffic Management > Load Balancing > Virtual Servers, select the Exchange-OWA virtual server, and click Edit.
40. Add the following Advanced setting to the virtual server.
    Advanced Settings: Policies
41. Click the + symbol to add a responder policy to the Exchange-OWA virtual server. Adding the responder policy to this virtual server will add /owa to all requests sent to the Exchange-CSvServer without a virtual directory. Example: https://exchange.mycitrixtraining.net forwards to https://exchange.mycitrixtraining.net/owa.
42. Choose the following Policy and Type.
43. Click the + symbol to set the responder properties.
44. Add the following Name and Expression. Continue by clicking the + symbol to add an Action for the matching expression.
    Name: OWA-Redirect
    Expression: HTTP.REQ.URL.STARTSWITH("/owa").NOT
45. Add the following Name, Type, Expression, and click Create to add the action to the policy just created.
    Name: OWA-RedirectAction
    Type: Redirect
    Expression: /owa
46. Click Create to create the Responder Policy associated with the OWA-RedirectAction.
47. Click Bind to bind the Responder Policy to the Exchange-OWA Virtual Server.
48. Click Done to proceed back to the NetScaler dashboard.
49. Click the blue disk and select Yes to save the NetScaler configuration.
50. Using Internet Explorer, open a new browser window and type the below URL to test the Exchange-CSvServer with the Exchange-OWA Virtual Server.
    https://mail.mycitrixtraining.net
51. Confirm that the Exchange-CSvServer has sent the connection to the correct virtual server (Exchange-OWA).
52. Using Internet Explorer, open a new tab and type the below URL to test the Exchange-CSvServer with the Exchange-ECP Virtual Server.
    https://mail.mycitrixtraining.net/ecp
53. Confirm that the Exchange-CSvServer has sent the connection to the correct virtual server (Exchange-ECP).

Exercise Summary
This exercise explained how to create a content switching virtual server to reflect each virtual server created in the previous exercise. Creating the content switching virtual server custom policies allowed the inspection of the HTTP header to correctly forward traffic to its respective virtual server. The policies were tested to reflect two virtual servers: Exchange-OWA and Exchange-ECP.
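
The routing decisions made by the four content switching policies and the OWA-Redirect responder policy, modelled in Python as an added example (not part of the lab guide and not Citrix code). The sample requests are constructed, first-match evaluation in binding order is an assumption, and the path-anchored rule set is a hypothetical variant included for comparison.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    url: str              # request-line URL: path plus query string
    user_agent: str = ""  # value of the User-Agent header


def contains_nocase(text: str, needle: str) -> bool:
    """SET_TEXT_MODE(IGNORECASE).CONTAINS(needle): substring match at any position."""
    return needle.lower() in text.lower()


def path_startswith_nocase(url: str, prefix: str) -> bool:
    """Hypothetical stricter rule: look at the path only, anchored at its start."""
    path = url.split("?", 1)[0]
    return path.lower().startswith(prefix.lower())


Policy = Tuple[str, Callable[[Request], bool], str]

# The four policies from steps 6-25, in the order they were bound.
# Assumption: they are evaluated in this order and the first match wins.
LAB_POLICIES: List[Policy] = [
    ("CS-POL-ACTSYNC",
     lambda r: contains_nocase(r.url, "/Microsoft-Server-ActiveSync"),
     "Exchange-ActSync"),
    ("CS-POL-AUTODIS",
     lambda r: contains_nocase(r.url, "/Autodiscover"),
     "Exchange-AutoDis"),
    ("CS-POL-ECP",
     lambda r: contains_nocase(r.url, "/ecp"),
     "Exchange-ECP"),
    ("CS-POL-OWA",
     lambda r: contains_nocase(r.user_agent, "Mozilla"),
     "Exchange-OWA"),
]

# Same names and targets, URL rules anchored to the start of the path.
# Hypothetical variant for comparison, not a step in the lab.
ANCHORED_POLICIES: List[Policy] = [
    ("CS-POL-ACTSYNC",
     lambda r: path_startswith_nocase(r.url, "/Microsoft-Server-ActiveSync"),
     "Exchange-ActSync"),
    ("CS-POL-AUTODIS",
     lambda r: path_startswith_nocase(r.url, "/Autodiscover"),
     "Exchange-AutoDis"),
    ("CS-POL-ECP",
     lambda r: path_startswith_nocase(r.url, "/ecp"),
     "Exchange-ECP"),
    ("CS-POL-OWA",
     lambda r: contains_nocase(r.user_agent, "Mozilla"),
     "Exchange-OWA"),
]


def content_switch(req: Request,
                   policies: List[Policy] = LAB_POLICIES) -> Optional[str]:
    """Return the target virtual server, or None when no policy matches
    (the steps above bind no default target)."""
    for _name, rule, target in policies:
        if rule(req):
            return target
    return None


def owa_redirect(req: Request) -> Optional[str]:
    """OWA-Redirect on Exchange-OWA: HTTP.REQ.URL.STARTSWITH("/owa").NOT
    triggers a redirect to /owa. The expression sets no IGNORECASE, so the
    comparison is modelled as case-sensitive."""
    return None if req.url.startswith("/owa") else "/owa"


def route(req: Request,
          policies: List[Policy] = LAB_POLICIES) -> Tuple[Optional[str], Optional[str]]:
    """Return (target virtual server, redirect location or None)."""
    target = content_switch(req, policies)
    redirect = owa_redirect(req) if target == "Exchange-OWA" else None
    return target, redirect


# Constructed sample requests (not captured traffic).
BROWSER = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
SAMPLES = [
    Request("/Microsoft-Server-ActiveSync?Cmd=Sync", "Apple-iPhone5C1/1104.257"),
    Request("/autodiscover/autodiscover.xml", "Microsoft Office/15.0"),
    Request("/ecp/", BROWSER),
    Request("/", BROWSER),
    Request("/OWA/", BROWSER),
    Request("/owa/?folder=/ecp-notes", BROWSER),
    Request("/owa/", "curl/8.0"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.url, "| lab:", route(sample),
              "| anchored:", route(sample, ANCHORED_POLICIES))
```

The constructed `/owa/?folder=/ecp-notes` request shows the difference between the rule sets: the lab's CONTAINS rules send it to Exchange-ECP because the substring appears in the query string, while the anchored rules send it to Exchange-OWA.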

Exercise 6 Configuring Custom Responder Policies for Exchange 2013

Overview
The goal of this exercise is to assist with the user experience. By default, virtual directories such as Outlook Web Access and the Exchange Control Panel require users and administrators to type long and sometimes confusing URLs, such as HTTPS://mail.company.com/owa. In this exercise, custom responder policies are created allowing users and administrators to type simple URLs. These simple URLs such as mail.company.com, when entered in a browser, will forward users and administrators to the more complex correct URL such as HTTPS://mail.company.com/owa.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Using Internet Explorer, type the below URL and credentials to log on to the Site1-NS1 NetScaler.
    http://192.168.10.15
    Username: nsroot
    Password: nsroot
2. Navigate to AppExpert > Responder > Actions and click Add to create the responder action used for our responder policy.
3. Enter the following Name, Type, Expression, check the Bypass Safety Check checkbox and click Create to complete the responder action.
    Name: OWA-RESP-ACTION
    Type: Redirect
    Expression: "https://"+http.req.hostname+"/owa/"
    The responder action created will be used for HTTP to HTTPS redirection for Outlook Web Access.
4. Click Add to add a second responder action.
5. Enter the following Name, Type, Expression, check the Bypass Safety Check checkbox, and click Create to complete the responder action.
    Name: EAC-RESP-ACTION
    Type: Redirect
    Expression: "https://"+http.req.hostname+"/ecp/"
    It is recommended to COPY and PASTE the expression to ensure no mistakes occur. The responder action created will be used for HTTP to HTTPS redirection for Outlook Web Access.
6. Navigate to AppExpert > Responder > Policies and click Add to create the responder policy that will bind to the newly created actions.
7. Enter the following Name, Action, Expression, and click Create to complete the responder policy.
    Name: OWA-RESP-POLICY
    Action: OWA-RESP-ACTION
    Expression: CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("mail.mycitrixtraining.net")
    The responder policy created here will be used for HTTP to HTTPS redirection for Outlook Web Access.
8. Click Add to add a second responder policy.
9. Enter the following Name, Action, Expression, and click Create to complete the responder policy.
    Name: EAC-RESP-POLICY
    Action: EAC-RESP-ACTION
    Expression: CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("eac.mycitrixtraining.net")
    The responder policy created here will be used for HTTP to HTTPS redirection for Outlook Web Access.
10. Navigate to Configuration > Traffic Management > Load Balancing > Servers and click Add to add a fictitious server utilized by the responder policies.
11. Enter the following Server Name, IP Address, and click Create to complete the addition of the fictitious server.
    Server Name: HTTP-RESP-Server
    IP Address: 1.1.1.1
    The IP Address 1.1.1.1 is used as a fictitious address, as this virtual server's sole purpose is to serve the responder policies.
12. Confirm that the HTTP-RESP-Server State is Enabled.
13. Navigate to Configuration > Traffic Management > Load Balancing > Monitors to bind a fictitious PING monitor to utilize for the future responder Virtual Server.
14. Click ping followed by Add to complete the ping monitor.
15. Enter the following Name and Destination IP and click Create to complete the custom ping monitor.
    Name: Self-NS-PING
    Destination IP: 127.0.0.1
16. Modify the monitors page to display 50 or more items.
17. Confirm that the Self-NS-PING is now Enabled.
18. Navigate to Configuration > Traffic Management > Load Balancing > Services, click Add to bind the recently added HTTP-RESP-Server and Self-NS-PING monitor.
19. Enter the following Service Name, Existing Server, Protocol, Port, and click Continue.
    Service Name: HTTP-RESP-Service
    Existing Server: HTTP-RESP-Server
    Protocol: HTTP
    Port: 80
20. Click on 1 Service to LB Monitor Binding to bind the Self-NS-PING monitor to the HTTP-RESP-Service.
21. Select Add Binding.
22. Click the > symbol to select the Self-NS-PING monitor.
23. Scroll to the bottom of the page and change the Per Page item amount to 50.
24. Select the following Monitor and click Insert.
    Monitor: Self-NS-PING
25. Click Bind to bind the monitor.
26. Click Close to save the selected monitor to the service.
27. Click Done to complete the Load Balancing Service.
28. Confirm that the HTTP-RESP-Service State is Up. It is recommended to click refresh to ensure the most accurate State of all Services.
29. Navigate to Configuration > Traffic Management > Load Balancing > Virtual Servers, click Add to bind the recently added HTTP-RESP-Service to a virtual server.

30. Enter the following Name, Protocol, IP Address, Port, and click Continue.
    Name: HTTP-RESP-vServer
    IP Address: 192.168.10.100
    Protocol: HTTP
    Port: 80
31. Click on the No Load Balancing Virtual Server Service Binding to bind the HTTP-RESP-Service to the newly created Virtual Server.
32. Click the > symbol to select the service.
33. Select the HTTP-RESP-Service and click OK.
34. Click Bind to bind the selected service.
35. Click OK to proceed with the addition of policies to the Load Balancing Virtual Server.
36. Select the following Advanced Setting to apply the responder policy to the load balancing virtual server.
    Policies
37. Click on the + symbol to add the policy.
38. Choose the following Policy, Type, and click Continue.
    Policy: Responder
    Type: Request
39. Click the > to select the policies recently created.
40. Choose the following Responder Policies and click OK.
    Responder Policies: OWA-RESP-POLICY
41. Click Bind to bind the OWA-RESP-POLICY.
42. Click on the + symbol to add the policy.
43. Choose the following Policy, Type, and click Continue.
    Policy: Responder
    Type: Request
44. Click Add Binding to add the EAC-RESP-POLICY.
45. Click the > symbol to select the policy.
46. Select the EAC-RESP-POLICY and click OK.
47. Click Bind to bind the policy to the Virtual Server.
48. Click Close.
49. Click Done to complete the HTTP-RESP-vServer.
50. Confirm the State of the HTTP-RESP-vServer State and Effective State is Up. It is recommended to click refresh to ensure the most accurate State of all Services.
51. Select the small blue disk to save the NetScaler configuration.
52. Using Internet Explorer, navigate to the following sites to begin testing.
    URL to test OWA-RESP-POLICY: http://mail.mycitrixtraining.net
    URL to test EAC-RESP-POLICY: http://eac.mycitrixtraining.net
    DNS A records for both mail.mycitrixtraining.net and eac.mycitrixtraining.net have been pre-set for this lab to point to 192.168.10.100.
    OWA-RESP-Policy will forward any requests to http://mail.mycitrixtraining.net to a secure SSL connection URL https://mail.mycitrixtraining.net/owa (Outlook Web Access).
    EAC-RESP-Policy will forward any requests to http://eac.mycitrixtraining.net to a secure SSL connection URL https://eac.mycitrixtraining.net/ecp (Exchange Admin Center).

Exercise Summary
This exercise explained how to create a better user experience by the use of NetScaler responder policies. Policies for both Outlook Web Access and the Exchange Control Panel were created to allow users and administrators to type simple URLs to seamlessly forward them to the correct, more complex URL.
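
What the two responder policies return for a given Host header, modelled in Python as an added example (not part of the lab guide and not Citrix code). The raw requests are constructed, and the `strict` mode (exact host comparison, fixed host name in the Location) is a hypothetical variant for comparison, not a lab step.

```python
from typing import Dict, Optional, Tuple

# (policy name, host string in the policy expression, path in the action)
# taken from steps 3-9 of this exercise.
LAB_POLICIES = [
    ("OWA-RESP-POLICY", "mail.mycitrixtraining.net", "/owa/"),
    ("EAC-RESP-POLICY", "eac.mycitrixtraining.net", "/ecp/"),
]


def build_request(host: str, url: str = "/") -> bytes:
    """Build a constructed HTTP/1.1 request with the given Host header."""
    return (
        f"GET {url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) from a raw request; header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return url, headers


def redirect_location(dst_port: int, raw: bytes,
                      strict: bool = False) -> Optional[str]:
    """Return the Location a responder policy would send, or None.

    Lab mode (strict=False) follows the page's expressions:
      policy: CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("<host>")
      action: "https://" + http.req.hostname + "<path>"
    so any Host value containing the configured name matches, and that
    client-supplied value is what ends up in the Location header.

    Strict mode (hypothetical): the Host value must equal the configured
    name, and the Location is built from the configured name.
    """
    if dst_port != 80:
        return None
    _url, headers = parse_request(raw)
    host = headers.get("host", "")
    for _name, expected, path in LAB_POLICIES:
        if strict:
            if host == expected:
                return "https://" + expected + path
        elif expected in host:
            return "https://" + host + path
    # No policy matched: the request is passed on to HTTP-RESP-Service,
    # whose only member is the fictitious server 1.1.1.1.
    return None


# Constructed Host values used to exercise both modes.
SAMPLE_HOSTS = [
    "mail.mycitrixtraining.net",
    "eac.mycitrixtraining.net",
    "mail.mycitrixtraining.net.example.org",  # contains the name, is not the name
    "192.168.10.100",                         # vserver IP, no policy matches
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        raw = build_request(h)
        print(h, "| lab:", redirect_location(80, raw),
              "| strict:", redirect_location(80, raw, strict=True))
```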

Exercise 7 Configuring Single Sign On for Exchange 2013

Overview
The goal of this exercise is to solve two major challenges. The first challenge is to improve user experience by leveraging the NetScaler's ability to provide single sign on services. The second is to provide added security. Upon completing these exercises the administrator will have created a custom form allowing users to directly authenticate on the Citrix NetScaler. The NetScaler will then forward these credentials to any available Exchange Server and securely authenticate the user allowing for one simple sign on. This will then enable administrators to place the Citrix NetScaler in the DMZ resulting in no publicly accessible Exchange Servers.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Using Internet Explorer, type the below URL and credentials to log on to the Site1-NS1 NetScaler.
    http://192.168.10.15
    Username: nsroot
    Password: nsroot
2. Navigate to Security > AAA Application Traffic > Virtual Servers and click Add to begin creating the AAA Virtual Server that will be used for single sign on.
3. Add the following Name, IP Address, and Authentication Domain. Then click OK.
    Name: AAA-ExchangevServer
    IP Address: 192.168.10.101
    Authentication Domain: mycitrixtraining.net
4. Click the No Server Certificate link to attach a certificate to the AAA Virtual Server.
5. Click the > symbol to select the server certificate.
6. Select the MCT Key Pair certificate and click OK.
7. Click Bind to bind the certificate.
8. Confirm that the certificate has been bound to the Virtual Server and Continue.
9. Click Continue. Advanced Authentication Policies will not be used.
10. Click the + symbol to add a basic authentication policy. The policy will be used to incorporate the existing LDAP server pre-installed in this lab environment.
11. Choose the following Policy and Type.
    Policy: LDAP
    Type: Primary
12. Click the + to add the policy.
13. Add the following Name and Expression. Click the + symbol to add the LDAP server information.
    Name: LDAP-POL-TRAINING
    Expression: ns_true
14. Enter the following settings to create the LDAP server. Scroll down and click Create when completed.
    Name: LDAP-SRV-TRAINING
    Server Name / Server IP: Server IP
    IP Address: 192.168.10.11
    Connection Settings
    Base DN: CN=Users,DC=training,DC=lab
    Administrator Bind DN: CN=Administrator,CN=Users,DC=training,DC=lab
    Bind DN Password: Select
    Administrator Password: Citrix123
    Confirm Administrator Password: Citrix123
    Other Settings
    Server Logon Name Attribute: samaccountname
15. Click Create to create the policy which is bound to the newly added LDAP server.
16. Click Bind to bind the policy to the AAA Virtual Server.
17. Click Continue.
18. Click the following advanced setting.
    Advanced Settings: Policies
19. Click the + symbol to add the session policy.
20. Select the type of Policy. Then click Continue.
    Policy: Session
21. Click the + symbol to add the Session Policy.
22. Enter the following Name and Expression.
    Name: SES-POL-AUTH
    Expression: ns_true
23. Click the + symbol to add the request profile for this Session Policy.
24. Select the following properties for the request profile. Once completed click Create.
    Name: SES-REQ-PRO
    Default Authorization Action: ALLOW
    Single Sign-on to Web Applications: ON
    Credential Index: PRIMARY
    Single Sign-on Domain: training.lab
    HTTPOnly Cookie: NO
    Enable Persistent Cookie: ON
    Persistent Cookie Validity: 30
25. Click Create to create the session policy.
26. Click Bind to bind the policy to the AAA Virtual Server.
27. Click Done to complete the AAA - Virtual Server.
28. Click Refresh and confirm that the AAA-ExchangevServer state is Up.
29. Click the Blue Disk from the NetScaler dashboard to save the NetScaler configuration and click Yes to confirm.
30. From the NetScaler dashboard navigate back to Traffic Management > Load Balancing > Virtual Servers. Click the Exchange-OWA virtual server and click Edit.

31. Add the following advanced setting.
    Advanced Setting: Authentication
32. Choose Form Based Authentication and add the following settings. Once completed click OK.
    Authentication FQDN: auth.mycitrixtraining.net
    Authentication Virtual Server: AAA-ExchangevServer
    Authentication Profile: BLANK
    A DNS A record for auth.mycitrixtraining.net has been pre-set in this lab environment.
33. Proceed to the policies section of the Exchange-OWA virtual server and click the + symbol to add the first traffic policy that will identify to the NetScaler the logon and logoff parameters of Outlook Web Access.
34. Choose the following Policy and Type. Click Continue to create the policy.
    Policy: Traffic
    Choose Type: Request
35. Click the + to create the traffic policy.
36. Enter the following Name and Expression.
    Name: EXCH-LOGON-OWA
    Expression: HTTP.REQ.URL.CONTAINS("owa/auth/logon.aspx")
37. Click the + symbol to add Traffic Profile.
38. Enter the following settings.
    Name: EXCH-LOGON-PRO
    AppTimeout: 1
    All other settings should be left blank.
    Single Sign-On: On
39. Click the + symbol to add a Form SSO Profile.
40. Add the following settings for the Form SSO Profile. Once completed click Create.
    Name: EXCH-LOGON-FORMS
    Action URL: /owa/auth.owa
    User Name Field: username
    Password Field: password
    Expression: HTTP.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70)
    Name Value Pair: flags=0&trusted=0
    Response Size: 10240
    Extraction: DYNAMIC
    Submit Method: POST
41. Click Create to create the Traffic Profile.
42. Click Create to create the Traffic Policy.
43. Click Bind to bind the policy to the Exchange-OWA Virtual Server.
44. Proceed back to the policies section of the Exchange-OWA virtual server and click the + symbol to add the second traffic policy that will identify to the NetScaler the logon and logoff parameters of Outlook Web Access.
45. Choose the following Policy and Type. Click Continue to create the policy.
    Policy: Traffic
    Choose Type: Request
46. Click Add Binding.
47. Change the Priority to the following number and click the + to begin adding the second policy.
    Priority: 90
48. Enter the following Name and Expression.
    Name: EXCH-LOGOFF-OWA
    Expression: HTTP.REQ.URL.CONTAINS("/owa/logoff.owa")
49. Click the + symbol to add Traffic Profile.
50. Enter the following settings. Scroll down and click Create when completed.
    Name: EXCH-LOGOFF-PRO
    AppTimeout: 1
    All other settings should be left blank.
    Single Sign-On: On
    Initiate Logout: Click check box.
51. Click Create to create the Traffic Policy.
52. Click Bind to bind the policy to the Exchange-OWA Virtual Server.
53. Click Close to close the traffic policies section.
54. Click Done to proceed back to the NetScaler dashboard.
55. Click the Blue Disk to save NetScaler configuration. Click Yes to confirm.
56. Using Internet Explorer, open a new window and type the below URL, credentials, and click Log On to test Single Sign-On with NetScaler and Outlook Web Access.
    http://mail.mycitrixtraining.net
    Username: Administrator
    Password: Citrix123
57. After the credentials are entered the user account should be automatically signed into Outlook Web Access.

Exercise Summary
This exercise explains how administrators can create a AAA authentication virtual server associated to the Outlook Web Access virtual directory (Exchange-OWA virtual server). The AAA virtual server will allow for a more secure deployment and better user experience of Exchange 2013 within the datacenter allowing users to have a simple and secure sign on experience.