Monthly archives: February, 2017

Redirect users with mailboxes in Office 365 from Exchange using NetScaler

I wrote a blog post about smart links to Office 365, but there’s also a way to make sure users with their mailboxes in Office 365 are automatically redirected to their Outlook Web Access there (with SSO). The key lies in using a 307 redirect instead of 301 or 302, where the post is sent to ADFS – and the username and password fields (luckily) are the same in Exchange (tried it with 2013). I haven’t tried this with Windows Integrated Authentication internally, but it should work just fine – though it may need some tweaking.

First off, as always, create the pattern sets and expressions (if not already created for your Exchange load balancing):

Next step, create the rewrite to actually redirect the user from Exchange to ADFS:

Remember to replace example.com (it’s in a few different places) as well as the ADFS FQDN.

Now, create the rewrite policies and policy labels, and don’t forget to replace OFFICE365TENANT with your tenant name:

And as a last step, bind them to the vservers – in my case the load balancing vservers:

Leave a comment if you have any questions or if it doesn’t work – or if you have any better ways of doing this! I’ve tried it with Exchange 2013 and ADFS on 2012 R2.
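Why the 307 matters, as an added example (not code from the original post or from NetScaler): a model of how a browser follows a redirect sent in answer to the OWA logon POST, plus the host check that keeps the replayed credentials going only to ADFS. The logon URL, the field values and `adfs.example.com` are constructed placeholders.

```javascript
// Added example. ADFS_HOST is the page's placeholder FQDN; replace with your own.
const ADFS_HOST = 'adfs.example.com';

// Constructed sample of the logon form POST (URL and values are assumptions).
const logonPost = {
  method: 'POST',
  url: 'https://mail.example.com/owa/auth.owa',
  body: 'username=simon%40example.com&password=constructed-secret',
};

// Request a browser sends after a redirect (Fetch standard behaviour):
// 301/302 turn POST into a body-less GET, 303 always does, 307/308 replay method and body.
function followRedirect(request, status, location) {
  if (![301, 302, 303, 307, 308].includes(status)) {
    throw new RangeError(`not a redirect status: ${status}`);
  }
  const url = new URL(location, request.url).href;
  const toGet =
    (status === 303 && request.method !== 'GET' && request.method !== 'HEAD') ||
    ((status === 301 || status === 302) && request.method === 'POST');
  return toGet
    ? { method: 'GET', url, body: null }
    : { method: request.method, url, body: request.body };
}

// Names of the form fields that reach the redirect target.
function replayedFields(next) {
  return next.body ? [...new URLSearchParams(next.body).keys()] : [];
}

// Because a 307 re-sends the password, the Location must be a fixed HTTPS ADFS URL,
// never a value derived from the request.
function isPinnedAdfsTarget(location) {
  let u;
  try { u = new URL(location); } catch { return false; } // relative or malformed
  return u.protocol === 'https:' && u.hostname === ADFS_HOST &&
         u.port === '' && u.username === '' && u.password === '';
}

for (const status of [302, 307]) {
  const next = followRedirect(logonPost, status, `https://${ADFS_HOST}/adfs/ls/`);
  console.log(status, next.method, replayedFields(next));
}
```

With a 302 the credentials are dropped and ADFS shows its own logon form; with a 307 the same form fields arrive at ADFS, which is why the redirect target has to be hard-coded.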



Office 365 smart links with NetScaler and ADFS

A common issue in organizations moving to Office 365 is the different URLs the users have to remember. This can be made easier with, for example, smart links, where the users only have to remember something like “office.example.com” or “onedrive.example.com”.

This is something we can easily do with NetScaler and ADFS. See below for a few examples.

First, create a few pattern sets and expressions to reflect the different host headers:

In this case, they will do the following:

  • adminportal.example.com will point to portal.office.com but not use SSO in ADFS (internally), but rather allow the user to enter username and password.
  • portal.example.com will point to portal.office.com and use SSO in ADFS (internally)
  • onedrive.example.com will point to OFFICE365TENANT-my.sharepoint.com
  • sharepoint.example.com will point to OFFICE365TENANT.sharepoint.com

Next step, create the responder actions. These differ for internal and external usage:

In my case, I’ve added the ability to add a query string to onedrive, which forwards it to ADFS. For example, you’ll be able to go to https://onedrive.example.com/?username=simon and it will be entered in ADFS for you. Great to use in combination with other tools that already know your username. Don’t forget to change adfs.example.com and OFFICE365TENANT to your own.

Now we’ll create the responder policies and policy labels:

 

And as a last step, bind these policy labels to the vservers, in my example to content switching vservers:

Please leave a comment if something doesn’t work as expected or you have some enhancements that can make this work even better! I’ve tried it with ADFS on Windows Server 2012 R2.



AAA form fill not working with Secure Web and CSRF token

One of the best things about XenMobile and Secure Web is the SSO integration with NetScaler. It usually “just works”, but I actually ran into an issue this time that was kind of interesting.

AAA form fill SSO using a web browser and AAA traffic policies worked without a problem, but when using the VPN traffic policies for Secure Web – the form fill only worked after manually refreshing the page.

After doing some initial troubleshooting and realizing it may be something deeper than just a misconfigured SSO, I decided to do a workaround – which actually works quite well until the problem is solved.

For those interested, it does seem like the NetScaler finds the CSRF token and inserts it – just that it doesn’t work the first time:

My solution was inserting a JavaScript into the page and forcing Secure Web to refresh once – which magically gets the form fill to work:
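One way to write such a refresh-once script, as an added example (not the script from the original post): it reloads only pages that contain a password field and uses a `sessionStorage` marker so a failed form fill cannot turn into a reload loop. The marker name and the password-field check are assumptions.

```javascript
// Added example. RELOAD_MARKER is a hypothetical key name; any per-tab key works.
const RELOAD_MARKER = 'aaa_formfill_reloaded';

// Assumption: the page that needs form fill is the one carrying a password input.
function hasLogonForm(doc) {
  return doc.querySelector('input[type="password"]') !== null;
}

// Reload at most once per browsing session; returns what was decided.
function reloadOnce(win, marker = RELOAD_MARKER) {
  if (!hasLogonForm(win.document)) return 'no-form';
  try {
    const store = win.sessionStorage;
    if (store.getItem(marker) === '1') return 'already-reloaded';
    store.setItem(marker, '1');
    // If the marker did not stick, a reload could repeat forever: do nothing.
    if (store.getItem(marker) !== '1') return 'no-storage';
  } catch (err) {
    return 'no-storage'; // storage disabled or blocked in this web view
  }
  win.location.reload();
  return 'reloaded';
}

// Runs only in a browser; in other environments the function is just defined.
if (typeof window !== 'undefined') reloadOnce(window);
```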

 



(tech preview) Using multiple IPs on one NIC with NetScaler in Azure

Microsoft has released a tech preview to support multiple IPs on the same NIC in Azure. I’ve tried it with NetScaler and it seems to be working as expected!

More info about it can be found here: Assign multiple IP addresses to virtual machines using PowerShell

As always, log on and select your subscription using PowerShell:

FYI: This may take a few minutes. Even after registering the features (and seeing them being registered), I received the following error message when trying to assign multiple IP configurations to one NIC: Subscription <ID> is not registered for feature Microsoft.Network/AllowMultipleIpConfigurationsPerNic required to carry out the requested operation.

It started working for me after running Register-AzureRmResourceProvider, but maybe I just didn’t wait long enough.

Verify that they have the state “Registered”:

You can now go to the portal and assign new IP configurations, or do it from PowerShell. See below for how I added new IPs to an already existing NetScaler:

Now, just add a SNIP and then start working with your VIP or VIPs in NetScaler. Remember, this is still a Tech preview and shouldn’t be used in production – you may not get support from Microsoft or Citrix if something stops working.



Update to Skype for Business on Mac, version 16.3.0.240

This week Microsoft released an update to Skype for Business on Mac, version 16.3.0.240.

The latest version contains a number of fixes for known issues and bugs. Among those that should be fixed are:

  • Multiple prompts to leave meeting when pressing the hang-up button on a UC USB device.
    This is a known issue due to signaling with some USB devices.
  • Hold or resume the current call
    The hardware hold button works for the following devices for Lync for Mac while it doesn’t work on Skype for Business on Mac.

    • Polycom CX300 Desk phone
    • Jabra Bis 2400 II CC, headphone
    • Jabra Evolve 65 (Bluetooth dongle)
    • Jabra Evolve 65 (USB cable)
  • Skype for Business hangs after clicking on a meeting in the calendar
  • If the meeting invitation contains a specific text pattern like <someone@somewhere.com<mailto:someone@somewhere.com>>, it might cause Skype for Business on Mac to hang.
  • Menu to add/rename/delete contact group are disabled right after adding a new group
  • Expand/Collapse Group Chevron icon is out of sync with the list of contacts after minimize/maximize Skype for Business
  • When user tries to restart a video from the chat list, the user cannot see the remote user’s video

Microsoft has documented a complete list of known issues and bugs here:
Known issues – Skype for Business on Mac

To download the latest version, go to the link below:
https://www.microsoft.com/en-us/download/details.aspx?id=54108

For Outlook integration with Skype for Business on Mac to work optimally, make sure you have the latest version of Outlook 2016 for Mac. The minimum requirement for 16.3.0.240 is Outlook Mac build 15.27 (161010).