NetScaler Unified Gateway and Exchange OWA 2016 Problem


Frank Löppert


Good Morning,

 

I have successfully configured the Unified Gateway with OWA 2016 and SSO.

 

But when the user opens OWA, the content of the site is missing (see attachment).

With ECP there are no problems.

When I open the OWA directly on the Exchange, everything is fine.

 

 

My config is: Unified gateway -> Loadbalancer vServer -> 2x Exchange 2016 Server

 

 

Can anyone please help me troubleshoot this issue?

 

Kind regards

 

Frank Loeppert

post-12620923-0-15653700-1456476363_thumb.jpg

post-12620923-0-77031400-1456476374_thumb.jpg


 

Same problem with v11.0.64.34. The Content-Part doesn't load.

Hi,

I've taken a closer look at that. The NetScaler is manipulating the URLs:

 

The NetScaler places a string like "*/cpvn/XXXXXXXXXXXX" after "/owa/#path=" in the URL.

When you manually delete this string -> "*/owa/#path=/mail", the Content-part is loading.

 

So, why does the NetScaler do this, and how can we stop it?

 


With normal Content Switching everything is fine.

By the way, I've removed

 

<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />

 

in owa/web.config to bring the Logoff page back.  :)

Yes, with normal CS it's fine. But with UG it's not.

 

Thanks for the Logoff Know-How :)

 

Can anybody help us with the UG Issue ?


I got it ! :-)

 

Here is the Solution:

 

1. Configure your App in UG as Intranet Application:

 

post-12620923-0-37517200-1456992370_thumb.jpg

 

2. Create your Traffic and Form SSO Profiles and Policies at Security->AAA->Policies like this:

 

add tm formSSOAction AAA_profile_OWA_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -r

 

add tm trafficAction AAA_pol_OWA_sso_trafic -appTimeout 1 -SSO ON -formSSOAction AAA_profile_OWA_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE

 

 

add tm trafficPolicy aaa_pol_OWA_sso_traffic "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.asp\")" AAA_pol_OWA_sso_trafic

 

 

3. Bind the Traffic Policy to your LB vServer, not to the UG vServer!

 

bind lb vserver srv_cas_owa -policyName aaa_pol_OWA_sso_traffic -priority 100 -gotoPriorityExpression END -type REQUEST

 

4. At the LB vServer for OWA set the Authentication Options to:

 

post-12620923-0-48382800-1456993026_thumb.jpg

 

 

5. It Works  :)

 

post-12620923-0-57671900-1456992922_thumb.jpg

 

Best regards

 

Frank

 

 

  • 4 months later...

Hi floeppert,

I think you missed one important parameter in your "add tm formSSOAction AAA_profile_OWA_sso_form"

It's the -submitMethod POST

 

In any case, following this document https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-with-netscaler-authentication-and-optimization.pdf

 

you should be able to achieve the SSO with Exchange from Unified Gateway.

This worked for me:

 

add tm formSSOAction Exchange_owa_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST
 
add tm trafficAction Exchange_2013_owa_sso_profile -appTimeout 1 -SSO ON -formSSOAction Exchange_owa_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
 
add tm trafficAction Exchange_2013_owa_logout_profile -appTimeout 10 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
 
Regards
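
A consistency check over the commands in this thread, as an added example (not code from the thread or from Citrix): it parses NetScaler CLI text and reports a formSSOAction with no -submitMethod (the parameter this reply calls out), options left without a value, dangling action references, and a traffic policy bound to a vpn vserver instead of an LB vserver as step 3 of the solution requires. The names `audit` and `options` and the `-policy` keyword on vpn vserver binds are assumptions; the sample input is constructed from the commands posted above.

```python
import shlex

# Constructed sample: the solution post's commands as they appear on the page
# (the first one is cut off at "-r" there and is kept that way).
SAMPLE = r'''
add tm formSSOAction AAA_profile_OWA_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -r
add tm trafficAction AAA_pol_OWA_sso_trafic -appTimeout 1 -SSO ON -formSSOAction AAA_profile_OWA_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy aaa_pol_OWA_sso_traffic "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.asp\")" AAA_pol_OWA_sso_trafic
bind lb vserver srv_cas_owa -policyName aaa_pol_OWA_sso_traffic -priority 100 -gotoPriorityExpression END -type REQUEST
'''

def options(tokens):
    """Map each -option to its value; None when the value is missing."""
    out = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            out[tok[1:].lower()] = None if nxt is None or nxt.startswith("-") else nxt
    return out

def audit(config):
    """Return findings for tm form-SSO objects found in NetScaler CLI text."""
    forms, actions, policies, bound = {}, {}, {}, {"lb": set(), "vpn": set()}
    for line in config.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "tm", "formSSOAction"] and len(t) > 3:
            forms[t[3]] = options(t[4:])
        elif t[:3] == ["add", "tm", "trafficAction"] and len(t) > 3:
            actions[t[3]] = options(t[4:])
        elif t[:3] == ["add", "tm", "trafficPolicy"] and len(t) >= 6:
            policies[t[3]] = t[5]  # t[4] is the rule, t[5] the action name
        elif len(t) > 3 and t[0] == "bind" and t[1] in bound and t[2] == "vserver":
            o = options(t[4:])
            bound[t[1]].add(o.get("policyname") or o.get("policy"))
    findings = []
    for name, o in forms.items():
        if "submitmethod" not in o:
            findings.append(f"formSSOAction {name}: no -submitMethod set")
        findings += [f"formSSOAction {name}: -{k} has no value" for k, v in o.items() if v is None]
    for name, o in actions.items():
        ref = o.get("formssoaction")
        if ref and ref not in forms:
            findings.append(f"trafficAction {name}: unknown formSSOAction {ref}")
    for name, act in policies.items():
        if act not in actions:
            findings.append(f"trafficPolicy {name}: unknown trafficAction {act}")
        if name in bound["vpn"]:
            findings.append(f"trafficPolicy {name}: bound to a vpn vserver")
        elif name not in bound["lb"]:
            findings.append(f"trafficPolicy {name}: not bound to any lb vserver")
    return findings
```

Names are compared exactly as typed, so the action `AAA_pol_OWA_sso_trafic` and the policy `aaa_pol_OWA_sso_traffic` are treated as two distinct objects, as in the posted commands.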

  • 1 year later...

Has anyone been able to get this to work in the clientless VPN iframe?  I am defining email access (OWA URL) in my session policy.  I have a traffic policy in place to log me into OWA.  I log in and click on the Email tab in the CVPN portal and I am logged into OWA; however, I only see the OWA tool bar.  If I click on the settings icon and click display, then my inbox and the rest of OWA renders.  If I click on Applications then back into Email, same thing.  I need to click on the settings icon and then display to render my mailbox.  I opened a case with Citrix and the response I got was that for CVPN only 2013 is supported and OWA 2016 is not.

 

Anyone come across this?


  • 9 months later...

Hi Jared,

 

I had the exact same issue. The fix was easier than I thought. You only have to change the URL for Web-based Email within the session profile.

 

After changing the URL from: https://exchange.domain.local/owa to: https://exchange.domain.local/owa/#path=/mail the owa page was showing up correctly.

 

Regards

 

Dennis


  • 1 month later...
  • 2 weeks later...
On 3/9/2018 at 2:06 PM, Jared Hamilton1709156035 said:

Has anyone been able to get this to work in the clientless VPN iframe?  I am defining email access (OWA URL) in my session policy.  I have a traffic policy in place to log me into OWA.  I log in and click on the Email tab in the CVPN portal and I am logged into OWA; however, I only see the OWA tool bar.  If I click on the settings icon and click display, then my inbox and the rest of OWA renders.  If I click on Applications then back into Email, same thing.  I need to click on the settings icon and then display to render my mailbox.  I opened a case with Citrix and the response I got was that for CVPN only 2013 is supported and OWA 2016 is not.

 

Anyone come across this?

 

Hey, I have a setup almost like yours. Gateway vserver configured with session policy and clientless policy for OWA 2016 and SharePoint 2016. OWA 2016 and SharePoint 2016 are bound as bookmarks. SharePoint 2016 works fine, OWA 2016 lands on the tool bar page. Did you manage to fix this?

 

Cheers,

Rahul U S


  • 1 year later...

Hey everyone, I have a client seeing this as well.  Is there a permanent fix?  I see some people are saying that 2019 doesn't have the issue.  It looks like it is doubling the cvpn/token url both in the initial request, and then again after the #path prompt.

 

Just putting the #path/mail is not an option as you can't get to calendar or other entities from the toolbar.
