NetScaler VPX as Reverse Proxy for Exchange 2016

The steps below configure a Citrix NetScaler VPX (NS12.0: Build 57.19.nc) located in the DMZ as a reverse proxy for a Microsoft Exchange 2016 Server located in the LAN.

Information of IP Addresses
1. NetScaler VPX – 172.16.1.2 (NS IP)
2. NetScaler VPX – 172.16.1.3 (Subnet IP)
3. NetScaler VPX – 172.16.1.10 (Virtual IP for Content Switching)

  1. Exchange 2016 Server – 192.168.1.231

Enable NS Features

# Turn on the features the rest of this guide relies on:
# Content Switching (CS), Responder, Load Balancing (LB) and SSL.
enable ns feature CS,RESPONDER,LB,SSL

Add Exchange 2016 Server

# Register the back-end Exchange 2016 server (its LAN address) under the name MDT-EX16.
add server MDT-EX16 192.168.1.231

Add Monitoring Services

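# One HTTP-ECV monitor per Exchange virtual directory. Each probe requests that
# directory's healthcheck.htm over SSL (-secure YES) and expects status 200.
# The expected response is given with the -recv parameter; the leading dash was
# missing in the original listing.
add lb monitor mon_owa HTTP-ECV -send "GET /owa/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_activesync HTTP-ECV -send "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_rpc HTTP-ECV -send "GET /rpc/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ews HTTP-ECV -send "GET /ews/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_autodiscover HTTP-ECV -send "GET /Autodiscover/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_oab HTTP-ECV -send "GET /oab/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_mapi HTTP-ECV -send "GET /mapi/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ecp HTTP-ECV -send "GET /ecp/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES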

Add Service Groups

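# One SSL service group per Exchange protocol, so DMZ-to-LAN traffic is re-encrypted.
# NOTE(review): encryption alone does not authenticate the back end. As far as I know
# the appliance does not validate the Exchange certificate unless server authentication
# is enabled on the service group and a CA certificate is bound to it; confirm for your build.
add serviceGroup svcgrp_owa SSL
add serviceGroup svcgrp_activesync SSL
add serviceGroup svcgrp_rpc SSL
add serviceGroup svcgrp_ews SSL
# Spelled svcgrp_autodiscover here and in the lb vserver binding further down, so that
# the member and monitor bindings below attach to the group that is actually used.
add serviceGroup svcgrp_autodiscover SSL
add serviceGroup svcgrp_oab SSL
add serviceGroup svcgrp_mapi SSL
add serviceGroup svcgrp_ecp SSL

Bind Service Group with Monitoring Service

# Each group gets the Exchange server on port 443 as its member, plus the matching monitor.
bind servicegroup svcgrp_owa MDT-EX16 443
bind servicegroup svcgrp_owa -monitorName mon_owa
bind servicegroup svcgrp_activesync MDT-EX16 443
bind servicegroup svcgrp_activesync -monitorName mon_activesync
bind servicegroup svcgrp_rpc MDT-EX16 443
bind servicegroup svcgrp_rpc -monitorName mon_rpc
bind servicegroup svcgrp_ews MDT-EX16 443
bind servicegroup svcgrp_ews -monitorName mon_ews
bind servicegroup svcgrp_autodiscover MDT-EX16 443
bind servicegroup svcgrp_autodiscover -monitorName mon_autodiscover
bind servicegroup svcgrp_oab MDT-EX16 443
bind servicegroup svcgrp_oab -monitorName mon_oab
bind servicegroup svcgrp_mapi MDT-EX16 443
bind servicegroup svcgrp_mapi -monitorName mon_mapi
bind servicegroup svcgrp_ecp MDT-EX16 443
bind servicegroup svcgrp_ecp -monitorName mon_ecp

Create Load Balancer

# The load-balancing vservers are created with address 0.0.0.0 and port 0, i.e. they
# have no listener of their own and are reached only through content switching.
add lb vserver lb_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_ecp SSL 0.0.0.0 0 -persistenceType NONE

Bind Service Group to Load Balancer

bind lb vserver lb_owa svcgrp_owa
bind lb vserver lb_activesync svcgrp_activesync
bind lb vserver lb_rpc svcgrp_rpc
bind lb vserver lb_ews svcgrp_ews
bind lb vserver lb_autodiscover svcgrp_autodiscover
bind lb vserver lb_oab svcgrp_oab
bind lb vserver lb_mapi svcgrp_mapi
bind lb vserver lb_ecp svcgrp_ecp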

Please refer to Import PFX Certificate to NetScaler VPX before continuing with the steps below.
Bind SSL Certificate

# Bind the imported certificate-key pair named 'aventistech.info' to every SSL
# load-balancing vserver created above.
bind ssl vserver lb_owa -certkeyName 'aventistech.info'
bind ssl vserver lb_activesync -certkeyName 'aventistech.info'
bind ssl vserver lb_rpc -certkeyName 'aventistech.info'
bind ssl vserver lb_ews -certkeyName 'aventistech.info'
bind ssl vserver lb_autodiscover -certkeyName 'aventistech.info'
bind ssl vserver lb_oab -certkeyName 'aventistech.info'
bind ssl vserver lb_mapi -certkeyName 'aventistech.info'
bind ssl vserver lb_ecp -certkeyName 'aventistech.info'

Add Content Switching Server

# The only client-facing HTTPS listener: an SSL content-switching vserver on the
# Virtual IP 172.16.1.10, port 443, presenting the same certificate-key pair.
add cs vserver cs_ex16 SSL 172.16.1.10 443
bind ssl vserver cs_ex16 -certkeyName "aventistech.info"

Create Content Switching Policies

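# One action/policy pair per Exchange virtual directory.
# The rules test how the URL starts instead of using CONTAINS: a substring match
# also fires on text in the query string or deeper in the path, which makes routing
# (and any per-path restriction added later) depend on attacker-controllable input.
add cs action cs_act_owa -targetLBVserver lb_owa
add cs policy cs_pol_owa -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/owa")' -action cs_act_owa
add cs action cs_act_ews -targetLBVserver lb_ews
add cs policy cs_pol_ews -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ews")' -action cs_act_ews
add cs action cs_act_autodiscover -targetLBVserver lb_autodiscover
add cs policy cs_pol_autodiscover -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/autodiscover")' -action cs_act_autodiscover
# ActiveSync: match the full virtual-directory name, not just the word "Microsoft".
add cs action cs_act_activesync -targetLBVserver lb_activesync
add cs policy cs_pol_activesync -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Microsoft-Server-ActiveSync")' -action cs_act_activesync
add cs action cs_act_oab -targetLBVserver lb_oab
add cs policy cs_pol_oab -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/oab")' -action cs_act_oab
add cs action cs_act_mapi -targetLBVserver lb_mapi
add cs policy cs_pol_mapi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/mapi")' -action cs_act_mapi
add cs action cs_act_rpc -targetLBVserver lb_rpc
add cs policy cs_pol_rpc -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/rpc")' -action cs_act_rpc
# /ecp is the Exchange admin center. Publishing it on the Internet-facing VIP exposes
# the administrative interface; leave this policy unbound, or restrict it by source
# address, unless external administration is a requirement.
add cs action cs_act_ecp -targetLBVserver lb_ecp
add cs policy cs_pol_ecp -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ecp")' -action cs_act_ecp
# OWA fix, see https://support.citrix.com/article/CTX209060
# Left as the substring match given on this page; check it against the linked article.
add cs policy cs_pol_cgi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/cgi")' -action cs_act_owa
# Requests for https://mail.aventistech.info that match none of the path rules above
# are handed to the OWA load balancer. This is routing, not an HTTP redirect.
add cs policy cs_pol_owa_redirect -rule 'HTTP.REQ.HOSTNAME.EQ("mail.aventistech.info")' -action cs_act_owa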

Bind Content Switching Policies to CS Server

# Attach the policies to the HTTPS content-switching vserver. Lower priority numbers
# are evaluated first, so the host-only rule cs_pol_owa_redirect (190) is checked last.
# No default target vserver is bound in these steps.
# NOTE(review): binding cs_pol_ecp publishes the Exchange admin center (/ecp) on the
# client-facing VIP; confirm that is intended before applying.
bind cs vserver cs_ex16 -policyName cs_pol_owa -priority 100
bind cs vserver cs_ex16 -policyName cs_pol_ews -priority 110
bind cs vserver cs_ex16 -policyName cs_pol_autodiscover -priority 120
bind cs vserver cs_ex16 -policyName cs_pol_activesync -priority 130
bind cs vserver cs_ex16 -policyName cs_pol_oab -priority 140
bind cs vserver cs_ex16 -policyName cs_pol_mapi -priority 150
bind cs vserver cs_ex16 -policyName cs_pol_rpc -priority 160
bind cs vserver cs_ex16 -policyName cs_pol_ecp -priority 170
bind cs vserver cs_ex16 -policyName cs_pol_cgi -priority 180
bind cs vserver cs_ex16 -policyName cs_pol_owa_redirect -priority 190

HTTP Redirect with Responder

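# Port-80 listener on the same Virtual IP; it exists only to send clients to HTTPS.
add cs vserver cs_ex16_http HTTP 172.16.1.10 80
# The redirect target is built from the request's Host header, so the policy below
# must pin the host name exactly.
add responder action resp_act_owa redirect '"https://"+HTTP.REQ.HOSTNAME+"/owa/"'
# Uses the host name published in this guide. The original listing matched a different
# domain, so the redirect never fired for mail.aventistech.info. EQ replaces CONTAINS
# so that a longer Host value merely containing the name cannot select the redirect.
add responder policy resp_pol_owa 'HTTP.REQ.HOSTNAME.EQ("mail.aventistech.info")' resp_act_owa
bind cs vserver cs_ex16_http -policyName resp_pol_owa -priority 100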

You should now be able to log in at https://mail.aventistech.info through the NetScaler VPX.

Remarks
1. All tests at https://testconnectivity.microsoft.com fail against this configuration, although OWA, ActiveSync and Outlook Anywhere worked fine in my own testing.
2. The SSL test at https://www.ssllabs.com grades the virtual server C with the settings above. Please refer to How to Make A+ Result in NetScaler VPX and harden the SSL settings before exposing the virtual server to the Internet.

Reference link
1. https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/
