Commands Generated by XenMobile Wizard on Netscaler - SSL Bridge

Commands Generated by XenMobile Wizard on Netscaler - SSL Bridge


Article ID: CTX205771


Description

This was created for customers that need to run the wizard more than once for multiple XenMobile environments.


Instructions

Instructions

Before running the commands, copy the sample script into a text editor (for example, Notepad++) and replace the sample values and names with the ones for your environment, in this order:
  1. Replace 192_168_1_142 with the IP address of the Gateway, in the format XXX_XXX_XXX_XXX
  2. Replace xm-10.scubica.com with the hostname of your XMS
  3. Replace 192.168.1.110 with the IP address of your XMS
  4. Replace the CustomServerID 3232235886 with your own CustomServerID (############). The CustomServerID is the Node ID of the XMS. See http://support.citrix.com/article/CTX200430 for more information.
  5. Replace 192.168.1.102 with the IP address of your Domain Controller
  6. Replace dc=scubica,dc=com with the Base DN of your domain
  7. Replace administrator@scubica.com with the Bind DN for your environment
  8. Replace PasswordPlainText with the LDAP Bind DN password. The edited script then contains this password in clear text, so treat that copy as a secret and delete it once the commands have been pasted.
  9. Replace 192.168.1.144 with the IP address of the MAM Load Balancer VIP
  10. Replace 192.168.1.143 with the IP address of the MDM Load Balancer VIP
  11. Replace 192.168.1.142 with the IP address of the NetScaler Gateway VIP
  12. Replace Wildcard with the name of your Server Certificate
  13. Replace Root with the name of your root certificate.
Once all values have been replaced, open a PuTTY session to the NetScaler and paste the commands.

Disclaimer

The following information was gathered by comparing a base ns.conf file that already contained the objects listed in the introduction against the ns.conf files produced after the Wizard was run for both the SSL Bridge and SSL Offload scenarios.
The commands have only been tested in my lab environment. Please try the commands at your own risk in your own environment.

SSL Bridge

# XenMobile wizard output for the SSL Bridge scenario, replayed as NetScaler CLI commands.
# Every IP address, hostname, certificate name and object name below is the article's
# sample value; substitute your own as described in the Instructions before running.
# Order matters: objects are created (add) before they are configured (set) or bound (bind).

# --- Global features and parameters -------------------------------------------------
# Enables the appliance features the objects below rely on (load balancing, SSL,
# SSL VPN/Gateway, AAA, responder, integrated caching, among others).
enable ns feature WL SP LB SSL IC SSLVPN AAA RESPONDER
# NOTE(review): the purpose of -doppler is not explained on this page; it is a
# system-wide parameter, so confirm the change is wanted on a shared appliance.
set system parameter -doppler DISABLED

# --- Pattern sets ------------------------------------------------------------------
# Pattern set of cookie names; it is referenced further down as -ClientConsumedCookies
# on the clientless access profile ST_WB_RW_192.168.1.142.
add policy patset ST_WB_CKIES192_168_1_142
# Adds the XMS host:port to ns_cvpn_default_inet_domains, which is not created in this
# listing (presumably a built-in pattern set).
# NOTE(review): -index 2 is fixed; on an appliance where the wizard already ran, that
# index may be taken - verify before re-running.
bind policy patset ns_cvpn_default_inet_domains xm-10.scubica.com:8443 -index 2
bind policy patset ST_WB_CKIES192_168_1_142 CsrfToken -index 1
bind policy patset ST_WB_CKIES192_168_1_142 ASP.NET_SessionId -index 2
bind policy patset ST_WB_CKIES192_168_1_142 CtxsPluginAssistantState -index 3
bind policy patset ST_WB_CKIES192_168_1_142 CtxsAuthId -index 4

# --- Back-end server and service groups ---------------------------------------------
# The XMS back end, named after its own IP address.
add server 192.168.1.110 192.168.1.110
# MAM traffic uses a service group of type SSL; both MDM groups are SSL_BRIDGE, so
# for MDM the appliance forwards the encrypted session instead of terminating it.
# -cip DISABLED / -usip NO: the client IP is neither inserted nor used as source IP,
# so the XMS sees connections from the appliance.
add serviceGroup _XM_SVC_GRP_MAM_ SSL -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup _XM_SVC_GRP_MDM_443 SSL_BRIDGE -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup _XM_SVC_GRP_MDM_8443 SSL_BRIDGE -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

# --- LDAP authentication ------------------------------------------------------------
# NOTE(review): the bind password is passed in clear text on the command line, so it
# ends up in the edited script and in terminal scrollback/logging if enabled.
# NOTE(review): neither -secType nor -serverPort is set, so the LDAP connection uses
# the firmware defaults; confirm whether that means unencrypted LDAP on your build and
# prefer an encrypted connection to the domain controller.
# NOTE(review): the sample binds as administrator@...; a dedicated read-only bind
# account would limit the impact if this credential leaks.
add authentication ldapAction 192.168.1.102_LDAP -serverIP 192.168.1.102 -ldapBase "dc=scubica,dc=com" -ldapBindDn administrator@scubica.com -ldapBindDnPassword PasswordPlainText -ldapLoginName sAMAccountName
# NS_TRUE: the LDAP action is evaluated for every request reaching the vserver it is bound to.
add authentication ldapPolicy 192.168.1.102_LDAP_pol NS_TRUE 192.168.1.102_LDAP

# --- Load-balancing and Gateway virtual servers -------------------------------------
# MAM LB vserver: persistence keyed on the ACNODEID cookie value, which is matched
# against the -CustomServerID set on the service group bindings below.
add lb vserver _XM_MAM_LB_192.168.1.144_8443 SSL 192.168.1.144 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180
# MDM LB vservers (443 and 8443): SSL_BRIDGE with SSL-session persistence.
# Only the 443 vserver sets an explicit persistence -timeout (1440).
add lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 SSL_BRIDGE 192.168.1.143 443 -persistenceType SSLSESSION -timeout 1440 -cltTimeout 180
add lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 SSL_BRIDGE 192.168.1.143 8443 -persistenceType SSLSESSION -cltTimeout 180
# The NetScaler Gateway virtual server on the Gateway VIP, port 443.
add vpn vserver _XM_XenMobileGateway10 SSL 192.168.1.142 443 -Listenpolicy NONE

# --- Clientless access profiles and policies ----------------------------------------
# Two profiles: ST_WB_RW_* gets a URL rewrite label and the cookie pattern set;
# NO_RW_* is created with no settings in this listing.
add vpn clientlessAccessProfile ST_WB_RW_192.168.1.142
add vpn clientlessAccessProfile NO_RW_192.168.1.142
set vpn clientlessAccessProfile ST_WB_RW_192.168.1.142 -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies ST_WB_CKIES192_168_1_142
# CLT_LESS_RF_* matches everything (TRUE); CLT_LESS_* matches requests whose
# User-Agent contains CitrixReceiver and that carry an X-Citrix-Gateway header.
# Both headers are supplied by the client, so these rules select a profile and
# should not be read as an access control.
add vpn clientlessAccessPolicy CLT_LESS_RF_192.168.1.142 TRUE ST_WB_RW_192.168.1.142
add vpn clientlessAccessPolicy CLT_LESS_192.168.1.142 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" NO_RW_192.168.1.142

# --- Bind service groups to LB vservers ---------------------------------------------
bind lb vserver _XM_MAM_LB_192.168.1.144_8443 _XM_SVC_GRP_MAM_
bind lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_443 _XM_SVC_GRP_MDM_443
bind lb vserver _XM_LB_MDM_XenMobileMDM10_192.168.1.143_8443 _XM_SVC_GRP_MDM_8443
# Appliance-wide TCP buffer memory limit - a global setting, not scoped to XenMobile.
set ns tcpbufParam -memLimit 200
# Local DNS A record: the XMS FQDN resolves on the appliance to 192.168.1.144, the
# MAM LB VIP - presumably so Gateway traffic to the XMS goes through that vserver.
add dns addRec xm-10.scubica.com 192.168.1.144
# Add the XMS as a member of each service group; -CustomServerID must be the Node ID
# of the XMS (see the Instructions) for the ACNODEID persistence rule to match.
bind serviceGroup _XM_SVC_GRP_MAM_ 192.168.1.110 8443 -CustomServerID 3232235886
bind serviceGroup _XM_SVC_GRP_MDM_443 192.168.1.110 443 -CustomServerID 3232235886
bind serviceGroup _XM_SVC_GRP_MDM_8443 192.168.1.110 8443 -CustomServerID 3232235886
# NOTE(review): this turns off TLS 1.1 and TLS 1.2 towards the XMS back end for the
# MAM service group, leaving only whatever older protocol versions are enabled by
# default. Confirm this is still required by your firmware/XMS version before
# replaying it; it weakens the appliance-to-XMS leg.
set ssl serviceGroup _XM_SVC_GRP_MAM_ -tls11 DISABLED -tls12 DISABLED

# --- Session actions (profiles) -----------------------------------------------------
# Three profiles: AC_OS_* , AC_WB_* and AC_AG_PLG_*, each pointing at the XMS on 8443.
# All three set -defaultAuthorizationAction ALLOW, i.e. resources are reachable unless
# an authorization policy denies them, and -SSO ON with the PRIMARY credential, i.e.
# the user's primary logon credential is forwarded for single sign-on.
# AC_OS_* sets both -sessTimeout and -forcedTimeout to 1440.
add vpn sessionAction AC_OS_192.168.1.142_A_ -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xm-10.scubica.com:8443"
add vpn sessionAction AC_WB_192.168.1.142_A_ -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction AC_AG_PLG_192.168.1.142_A_ -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://xm-10.scubica.com:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xm-10.scubica.com:8443"

# --- Session policies ---------------------------------------------------------------
# Select a session action from request headers:
#   PL_OS_*     : User-Agent contains CitrixReceiver and X-Citrix-Gateway exists
#   PL_WB_*     : User-Agent lacks CitrixReceiver and Referer exists
#   PL_AG_PLG_* : User-Agent lacks CitrixReceiver and Referer is absent
# These headers are client-controlled; the policies classify the client type only.
add vpn sessionPolicy PL_OS_192.168.1.142 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AC_OS_192.168.1.142_A_
add vpn sessionPolicy PL_WB_192.168.1.142 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AC_WB_192.168.1.142_A_
add vpn sessionPolicy PL_AG_PLG_192.168.1.142 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" AC_AG_PLG_192.168.1.142_A_

# --- Gateway vserver bindings -------------------------------------------------------
# STA server and App Controller both point at the XMS URL.
bind vpn vserver _XM_XenMobileGateway10 -staServer "https://xm-10.scubica.com:8443"
bind vpn vserver _XM_XenMobileGateway10 -appController "https://xm-10.scubica.com:8443"
# LDAP authentication policy (bound without an explicit priority).
bind vpn vserver _XM_XenMobileGateway10 -policy 192.168.1.102_LDAP_pol
# The three session policies share priority 100; their expressions are mutually
# exclusive on the User-Agent/Referer checks shown above.
bind vpn vserver _XM_XenMobileGateway10 -policy PL_OS_192.168.1.142 -priority 100
bind vpn vserver _XM_XenMobileGateway10 -policy PL_WB_192.168.1.142 -priority 100
bind vpn vserver _XM_XenMobileGateway10 -policy PL_AG_PLG_192.168.1.142 -priority 100
# Clientless access: the CitrixReceiver rule (priority 80) is evaluated before the
# catch-all TRUE rule (priority 100).
bind vpn vserver _XM_XenMobileGateway10 -policy CLT_LESS_192.168.1.142 -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy CLT_LESS_RF_192.168.1.142 -priority 100 -gotoPriorityExpression END -type REQUEST
# The _cache*/_noCacheRest policies are not created in this listing; presumably they
# are built-in policies - verify they exist on the target appliance.
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway10 -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST

# --- Certificates and ECC curves ----------------------------------------------------
# The same server certificate (Wildcard) is bound to the Gateway and MAM LB vservers.
# NOTE(review): the Instructions mention a root certificate named Root, but no command
# in this listing references it.
bind ssl vserver _XM_XenMobileGateway10 -certkeyName Wildcard
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -certkeyName Wildcard
# NOTE(review): P_224 is bound next to P_256/P_384/P_521 on both vservers; drop it if
# your TLS baseline does not allow curves below 256 bits.
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_256
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_384
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_224
bind ssl vserver _XM_XenMobileGateway10 -eccCurveName P_521
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_256
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_384
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_224
bind ssl vserver _XM_MAM_LB_192.168.1.144_8443 -eccCurveName P_521
# NOTE(review): vpndbssvc_-245333078 is not created anywhere in this listing and is
# not in the Instructions' replacement list; the name looks appliance-generated, so
# check the actual service name on the target appliance before running this line.
# It also disables TLS 1.1 and TLS 1.2 on that service - confirm this is still needed.
set ssl service vpndbssvc_-245333078 -sessReuse ENABLED -sessTimeout 120 -tls11 DISABLED -tls12 DISABLED

Issue/Introduction

This was created with customers in mind who need to run the wizard more than once for multiple XenMobile environments.