How to connect to ADFS 3.0 from NetScaler ADC load balancer?

Article ID: CTX218018

Description

Use Case

Use case 1: Microsoft Active Directory Federation Services (ADFS) 3.0, which provides single sign-on access to enterprise applications, requires the server name in the ClientHello extension to identify the application to connect to.

Use case 2: Connect to a server hosting multiple applications on the same port and indicate, with Server Name Indication (SNI), which application NetScaler wants to connect to.

Introduction

SNI has become a common feature, with most web browsers now supporting it. Using SNI, a client tells the server which application it wants to connect to. The server then selects the SSL certificate corresponding to that application and sends it to the client. This lets a server host multiple applications on the same IP address and port, which eases manageability.

NetScaler supports SNI on both the frontend and the backend connection, i.e. the connection from the client to NetScaler and the connection from NetScaler to the server. The use cases mentioned above relate to SNI support on the NetScaler backend. When SNI is configured on an SSL service, NetScaler sends the server name in the ClientHello. The server can then decide which application to connect to and sends the appropriate SSL certificate to NetScaler.

Applications like Microsoft ADFS 3.0 mandate that the server name be sent in the ClientHello. With SNI support on the backend (from 11.1 GA), NetScaler can connect to ADFS 3.0 as the specification requires. This feature also allows NetScaler to connect securely to any generic server hosting multiple applications on the same port.

SNI on the backend is also supported on secure monitors in NetScaler. This enables NetScaler to correctly monitor applications like ADFS 3.0.

A trace taken on NetScaler shows the SNIP sending the server name in the ClientHello to the backend server. The server name is a static parameter of the SSL service.


Instructions

Configuration Steps in NetScaler ADC

CLI:
> add service <service name> <service IP> SSL 443
> set ssl service <service name> -SNIEnable ENABLED -commonName adfs3server.net
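To confirm what the configuration above changes on the wire, here is an added Python check that is not part of this article or of NetScaler: it generates a TLS ClientHello offline with the ssl module's memory BIOs, with and without a server name (the latter standing in for a service with SNI disabled), and parses out the server_name extension, the field the trace described above shows the SNIP sending. The same parser can be run over ClientHello bytes exported from a trace; the host name adfs3server.net is the one from the CLI example.

```python
"""Added check: does a TLS ClientHello carry the server_name (SNI) extension?"""
import ssl
import struct


def client_hello_sni(record: bytes):
    """Return the host name in the ClientHello's server_name extension, or None."""
    # TLS record header is 5 bytes (type, version, length); handshake header
    # is 4 bytes (type, length). Type 0x16 = handshake, 0x01 = ClientHello.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                     # skip client_version, random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    if pos >= len(record):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        pos += 4
        if ext_type == 0:                                # server_name (RFC 6066)
            # ServerNameList: list length(2), name_type(1), name length(2), name
            if record[pos + 2] == 0:                     # name_type 0 = host_name
                name_len = struct.unpack_from(">H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def make_client_hello(server_name):
    """Generate a real ClientHello offline via memory BIOs. server_name=None
    mimics a backend service with SNI disabled: no server_name extension."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False        # must be cleared before wrap_bio without a name
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # expected: no ServerHello is ever fed back
    return outgoing.read()                # the bytes the SNIP would put on the wire
```

With the constructed name, `client_hello_sni(make_client_hello("adfs3server.net"))` returns `adfs3server.net`; with no name it returns `None`, which is what a trace of a service without `-SNIEnable ENABLED` looks like.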

For more information, see the official documentation:
http://docs.citrix.com/en-us/netscaler/11-1/ssl/configssloffloading/support_for_sni_on_backend_service.html
