Marcel A Campo1709151990 Posted August 23, 2016

We want to configure our Netscaler Gateway Virtual Server in such a way that it uses 1 Factor Authentication or 2 Factor Authentication based on the subnet of the client. For example, users from subnet 10.10.10.x should get only LDAP authentication and users from 10.20.20.20 should get both LDAP and RADIUS. However, we only want to communicate 1 URL.

We have struggled with configuring this in the past and never succeeded. A rewrite policy was getting close, but had the disadvantage that the new URL would be visible in the browser. If the user then saves that URL as a favorite and moves to another subnet, then clicking the URL would generate an error and confusion for our users. Eventually we used F5s we have in front of our Netscalers and configured iRules on them. Based on the client subnet, the F5 forwards users to 1 of the 2 NG Virtual Servers.

But now Citrix released Netscaler 11 and that ships with more configuration options (e.g. nFactor authentication). I was wondering if anyone succeeded in configuring the above scenario using Netscaler 11. If so, please let me know how to configure this. Thanks!

CarlStalhood Posted August 23, 2016

Create two Gateway vServers on the same VIP/Port. Each has a Listen Policy with a CLIENT.IP.SRC expression. Then each Gateway can have different authentication configuration.

Marcel A Campo1709151990 (Author) Posted August 23, 2016

Hey, the famous Carl! I probably do not understand correctly. Do you mean I should create 2 Netscaler Gateway Virtual Servers with the same IP and port? I just tried but then it says "resource already in use".

Regards, Marcel

CarlStalhood Posted August 23, 2016

Yes. But in the Other Settings section there's a Listen Policy that needs to be configured.
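
A sketch of the two-vServer layout described in the reply above, written as NetScaler CLI. This is an added example, not configuration posted by anyone in the thread. The VIP 192.0.2.10, the vServer names, the certificate name and the policy names pol_ldap and pol_radius are hypothetical placeholders for objects assumed to exist already, and sending every client outside 10.10.10.0/24 to the two-factor vServer is an assumption made so that unmatched sources get the stronger login.

```netscaler
# Constructed example: placeholder names and addresses throughout.
# Both Gateway vServers share one VIP and port; the Listen Policy decides
# which one accepts a connection. A lower -Listenpriority number wins
# when more than one listen policy matches.

# vServer 1: clients in 10.10.10.0/24 get LDAP only.
add vpn vserver gw_ldap_only SSL 192.0.2.10 443 -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(10.10.10.0/24)" -Listenpriority 10
bind ssl vserver gw_ldap_only -certkeyName gw_cert
bind vpn vserver gw_ldap_only -policy pol_ldap -priority 100

# vServer 2: every other source address gets LDAP plus RADIUS.
# Negating the same subnet test leaves no source address unmatched.
add vpn vserver gw_ldap_radius SSL 192.0.2.10 443 -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(10.10.10.0/24).NOT" -Listenpriority 20
bind ssl vserver gw_ldap_radius -certkeyName gw_cert
bind vpn vserver gw_ldap_radius -policy pol_ldap -priority 100
bind vpn vserver gw_ldap_radius -policy pol_radius -priority 100 -secondary

# CLIENT.IP.SRC is the source address the appliance sees. If a proxy or
# load balancer in front of the NetScaler translates source addresses,
# every client appears to come from that device and the subnet test no
# longer separates them.
```

Because the authentication strength now depends on the source address alone, check which addresses can actually reach the VIP from the single-factor subnet before relying on it.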

Marcel A Campo1709151990 (Author) Posted August 23, 2016

Amazing. Once I configure listen policies it lets me use the same IP and port. I will give it a thorough test but I believe this will probably work. Thanks a million, Carl!

Julian Jakob Posted March 28, 2019

Hey Carl, do you know if the listen policy also works with the Workspace / Workspace app? Or is it limited to browser-based access only?

Thanks and Regards, Julian

Julian Jakob Posted April 1, 2019

On 28.3.2019 at 9:39 PM, Julian Jakob said:
> Hey Carl, do you know if the listen policy also works with the Workspace / Workspace app? Or is it limited to browser-based access only? Thanks and Regards, Julian

Tested it in my lab - it works via browser and Receiver / Workspace client. The auth popup changes on the fly. Very cool feature, and no Advanced license needed.

Regards, Julian