Commands Generated by XenMobile Wizard on NetScaler - SSL Offload

Commands Generated by XenMobile Wizard on NetScaler - SSL Offload


Article ID: CTX205773


Description

This article will help you when you need to run the wizard more than once for multiple XenMobile environments.

This article assumes that you have the following items already installed and configured on the NetScaler:

1. NetScaler IP address (NSIP)
2. Subnet IP address (SNIP)
3. DNS Settings
4. Server, Intermediate, and Root certificates installed and linked
5. Valid NetScaler license

This is only applicable for XenMobile 10.x.


Instructions

Before running the commands, copy the sample script into your preferred text editor (for example, Notepad++) and replace the values and names to match your environment, in this order:

  1. Replace 192_168_1_142 with the IP address of the Gateway, in the format XXX_XXX_XXX_XXX.
  2. Replace xm-10.scubica.com with the hostname of your XMS.
  3. Replace 192.168.1.110 with the IP address of your XMS.
  4. Replace the CustomServerID value 3232235886 with your own CustomServerID. The CustomServerID is the Node ID of the XMS. See http://support.citrix.com/article/CTX200430 for more information.
  5. Replace 192.168.1.102 with the IP address of your Domain Controller.
  6. Replace dc=scubica,dc=com with the Base DN of your domain.
  7. Replace administrator@scubica.com with the Bind DN for your environment.
  8. Replace PasswordPlainText with the LDAP Bind DN password.
  9. Replace 192.168.1.144 with the IP address of the MAM Load Balancer VIP.
  10. Replace 192.168.1.143 with the IP address of the MDM Load Balancer VIP.
  11. Replace 192.168.1.142 with the IP address of the NetScaler Gateway VIP.
  12. Replace Wildcard with the name of your Server Certificate.
  13. Replace Root with the name of your root certificate.

Once all values have been replaced, open a PuTTY session to the NetScaler and paste the commands.

Disclaimer

The following information was gathered by comparing a base ns.conf file that already contained the objects listed in the introduction against the ns.conf files saved after the Wizard was run, for both the SSL Bridge and the SSL Offload scenario. The commands have only been tested in a lab environment. Try the commands at your own risk in your own environment.

SSL Offload

# SSL Offload variant of the XenMobile 10.x wizard output.
# Order matters: every object is created before the bind/set command that
# references it (patset, server/service, vservers, actions and policies).
# The filled-in copy of this script contains the LDAP bind password in clear
# text (-ldapBindDnPassword), so store and transfer it as a secret.
enable ns feature WL SP LB SSL IC SSLVPN AAA RESPONDER
# Cookie names the clientless-VPN rewrite passes through to the client;
# the patset is attached to the ST_WB_RW_ profile below. -index only fixes ordering.
add policy patset ST_WB_CKIES192_168_1_142
# Registers the XMS host:port in the built-in internal-domains patset used by clientless VPN.
bind policy patset ns_cvpn_default_inet_domains xm-10.scubica.com:8443 -index 2
bind policy patset ST_WB_CKIES192_168_1_142 CsrfToken -index 1
bind policy patset ST_WB_CKIES192_168_1_142 ASP.NET_SessionId -index 2
bind policy patset ST_WB_CKIES192_168_1_142 CtxsPluginAssistantState -index 3
bind policy patset ST_WB_CKIES192_168_1_142 CtxsAuthId -index 4
# HTTP profile for the MDM vservers: no connection multiplexing toward the XMS.
add ns httpProfile _XM_SSL_OFFLOAD_HTTP_PROFILE -conMultiplex DISABLED
# Back-end XMS server and its plain-HTTP service on port 80. With SSL offload the
# NetScaler-to-XMS leg is unencrypted, so it should run on a network segment you trust.
# -CustomServerID is the XMS Node ID that the CUSTOMSERVERID persistence on the MAM
# vserver matches against.
add server 192.168.1.110 192.168.1.110
add service 192.168.1.110_80 192.168.1.110 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CustomServerID 3232235886 -CKA NO -TCPB NO -CMP NO
# LDAP authentication against the domain controller; users log in with sAMAccountName.
# No -secType is given, so the bind presumably uses the default plaintext LDAP transport
# -- confirm; -secType TLS or SSL protects the bind and user credentials in transit.
add authentication ldapAction 192.168.1.102_LDAP -serverIP 192.168.1.102 -ldapBase "dc=scubica,dc=com" -ldapBindDn administrator@scubica.com -ldapBindDnPassword PasswordPlainText -ldapLoginName sAMAccountName
# NS_TRUE: the LDAP action applies to every authentication request.
add authentication ldapPolicy 192.168.1.102_LDAP_pol NS_TRUE 192.168.1.102_LDAP
# MAM load balancer on 8443; persistence is keyed on the ACNODEID cookie value,
# which is matched against the service's -CustomServerID.
add lb vserver _XM_MAM_LB_192.168.1.144_8443 SSL 192.168.1.144 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180
# MDM load balancers on 443 and 8443 with SSL-session persistence; both use the
# no-multiplex HTTP profile. -timeout 1440 is the persistence timeout (minutes, presumably).
add lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 SSL 192.168.1.143 443 -persistenceType SSLSESSION -timeout 1440 -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
add lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 SSL 192.168.1.143 8443 -persistenceType SSLSESSION -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
# NetScaler Gateway virtual server (the user-facing VIP).
add vpn vserver _XM_XenMobileGateway10 SSL 192.168.1.142 443 -Listenpolicy NONE
# Two clientless-access profiles: ST_WB_RW_ rewrites URLs (default label) and passes the
# cookies listed in the patset above; NO_RW_ applies no rewrite (used for Receiver traffic).
add vpn clientlessAccessProfile ST_WB_RW_192.168.1.142
add vpn clientlessAccessProfile NO_RW_192.168.1.142
set vpn clientlessAccessProfile ST_WB_RW_192.168.1.142 -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies ST_WB_CKIES192_168_1_142
# CLT_LESS_RF_ matches everything (TRUE); CLT_LESS_ matches Receiver requests that carry the
# X-Citrix-Gateway header. CLT_LESS_ is bound at a lower priority number (80 < 100) with
# gotoPriorityExpression END, so Receiver traffic gets NO_RW_ and nothing else is evaluated.
add vpn clientlessAccessPolicy CLT_LESS_RF_192.168.1.142 TRUE ST_WB_RW_192.168.1.142
add vpn clientlessAccessPolicy CLT_LESS_192.168.1.142 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" NO_RW_192.168.1.142
# All three front ends send traffic to the same plain-HTTP XMS service.
bind lb vserver _XM_MAM_LB_192.168.1.144_8443 192.168.1.110_80
bind lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 192.168.1.110_80
bind lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 192.168.1.110_80
# NetScaler-local DNS record: the XMS hostname (used in the STA/AppController/StoreFront
# URLs below) resolves to the MAM VIP, not directly to the XMS server.
add dns addRec xm-10.scubica.com 192.168.1.144
# MDM 443: client-certificate authentication is enabled but Optional, so clients without a
# certificate still complete the handshake; enforcement relies on the SSL policy below.
set ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -sessReuse ENABLED -sessTimeout 15 -clientAuth ENABLED -clientCert Optional -sslRedirect ENABLED
# When a client certificate is present, forward it to the XMS in the NSClientCert header.
# The XMS must treat that header as trustworthy only when it arrives from the NetScaler;
# confirm a client-supplied header of the same name cannot reach the back end.
add ssl action _XM_MDM_XenMobileMDM10_ACTION -clientCert ENABLED -certHeader NSClientCert
add ssl policy _XM_MDM_XenMobileMDM10_POLICY -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action _XM_MDM_XenMobileMDM10_ACTION
# Session actions (one per client type). All three use -defaultAuthorizationAction ALLOW
# (anything not explicitly denied by an authorization policy is permitted) and SSO with the
# primary credentials. OS: Receiver/native, clientless VPN on. WB: browser, homepage is
# StoreWeb. AG_PLG: Gateway plug-in, clientless VPN off, split tunnel off. Timeouts are
# 1440 (minutes, presumably -- 24 h).
add vpn sessionAction AC_OS_192.168.1.142_A_ -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xm-10.scubica.com:8443"
add vpn sessionAction AC_WB_192.168.1.142_A_ -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction AC_AG_PLG_192.168.1.142_A_ -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xm-10.scubica.com:8443"
# Session policies (classic expression syntax, unlike the clientless policies above).
# The three expressions are mutually exclusive -- Receiver / non-Receiver with Referer /
# non-Receiver without Referer -- so binding all of them at priority 100 is unambiguous.
add vpn sessionPolicy PL_OS_192.168.1.142 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AC_OS_192.168.1.142_A_
add vpn sessionPolicy PL_WB_192.168.1.142 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AC_WB_192.168.1.142_A_
add vpn sessionPolicy PL_AG_PLG_192.168.1.142 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" AC_AG_PLG_192.168.1.142_A_
# Gateway bindings: STA and AppController point at the XMS hostname (resolving to the MAM VIP),
# then the LDAP authentication policy, the session policies and the clientless policies.
bind vpn vserver _XM_XenMobileGateway10 -staServer "https://xm-10.scubica.com:8443"
bind vpn vserver _XM_XenMobileGateway10 -appController "https://xm-10.scubica.com:8443"
bind vpn vserver _XM_XenMobileGateway10 -policy 192.168.1.102_LDAP_pol
bind vpn vserver _XM_XenMobileGateway10 -policy PL_OS_192.168.1.142 -priority 100
bind vpn vserver _XM_XenMobileGateway10 -policy PL_WB_192.168.1.142 -priority 100
bind vpn vserver _XM_XenMobileGateway10 -policy PL_AG_PLG_192.168.1.142 -priority 100
bind vpn vserver _XM_XenMobileGateway10 -policy CLT_LESS_192.168.1.142 -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy CLT_LESS_RF_192.168.1.142 -priority 100 -gotoPriorityExpression END -type REQUEST
# Built-in caching policies for static Gateway objects (priorities 10-40, evaluated first).
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST
# Server certificate on all four SSL vservers. On MDM 443 the Root certificate is also bound
# as a CA for client-certificate validation; -ocspCheck Optional presumably means a revocation
# check that cannot be completed does not fail the handshake -- confirm against your policy.
bind ssl vserver _XM_XenMobileGateway10 -certkeyName Wildcard
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -certkeyName Wildcard
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -certkeyName Wildcard
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -certkeyName Root -CA -ocspCheck Optional
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 -certkeyName Wildcard
# ECDHE curves offered by each vserver. P_224 is the weakest of the four; drop it if your
# policy requires a higher minimum security level.
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_256
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_384
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_224
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_521
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_256
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_384
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_224
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -eccCurveName P_256
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -eccCurveName P_384
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -eccCurveName P_224
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 -eccCurveName P_256
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 -eccCurveName P_384
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 -eccCurveName P_224
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 -eccCurveName P_521
# Activates the client-certificate header insertion on the MDM 443 vserver.
bind ssl vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 -policyName _XM_MDM_XenMobileMDM10_POLICY -priority 100
# Internal vpndbssvc service: the numeric suffix is wizard-generated and is not in the
# replacement list, so it will presumably differ on your appliance -- confirm the name with
# "show ssl service" before pasting. This disables TLS 1.1 and 1.2 on that service, leaving
# only the protocol versions not disabled here; review whether that is acceptable.
set ssl service vpndbssvc_-245333078 -sessReuse ENABLED -sessTimeout 120 -tls11 DISABLED -tls12 DISABLED

Issue/Introduction

This article will help you when you need to run the wizard more than once for multiple XenMobile environments.