A common scenario and requirement is to use a HTTP Web Proxy gateway (BlueCoat, IronPort etc.) for outbound traffic to the Internet from the XenMobile Secure Web, securing and inspecting URL traffic etc.
Once again we use our lovely NetScaler to meet the objectives.
This post describes the implementation steps required.
Objectives
- Direct XenMobile Secure Web traffic through a HTTP Web Proxy for outbound inspection etc.
- Provide SSO Authentication from Secure Web to HTTP Web Proxy Gateway
Pre-Requirements
- HTTP Web Proxy sends a 401 Challenge/Response upon authentication accepting our user credentials
- XenMobile Secure Web MDX policy is set to “Tunnel to Internal network” and “Secure Browse” mode is enabled
- NetScaler Gateway for mVPN traffic is doing LDAP authentication as one of the authentication factors and userPrincipalName is set as Attribute 1.
Traffic flow and NetScaler Configuration Steps
When Secure Web initiates a mVPN session towards the NetScaler Gateway, our NetScaler is authenticating the user against LDAP directory, and in the same time we extract the required AD Attribute, in this case the userPrincipalName which we are going to reference in our Traffic Policy controlling the SSO part of the flow.
When we from the Secure Web / NetScaler Gateway communicates with our HTTP Web Proxy gateway this sends a 401 Challenge, NetScaler catches the 401 message and respond with logged on credentials/authentication headers in next request to the Web Proxy providing SSO (Controlled by the Traffic Policy).
NS CLI – Configuration steps:
|
1 2 3 |
add vpn trafficAction traf-prof-web-proxy-secureweb tcp -SSO ON -proxy 1.1.2.3:8888 -userExpression "HTTP.REQ.USER.ATTRIBUTE(1)" -passwdExpression HTTP.REQ.USER.PASSWD add vpn trafficPolicy traf-pol-web-proxy-secureweb "REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb && !REQ.HTTP.HEADER Hostname CONTAINS demo.local || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser && !REQ.HTTP.HEADER Hostname CONTAINS demo.local" traf-prof-web-proxy-secureweb |
Bind above Traffic Policy to NetScaler Gateway for mVPN (MAM) traffic. Both iOS and Android will use the defined Web Proxy when using Secure Web, it will bypass proxy server for internal domains ending on .local in above example.
GUI:
Traffic Profile:
Consider adjusting AppTimeout in order to limit the amount of time a user can stay authenticated to the web application.
Traffic Policy:
Another Reference
The guys at netscalerrocks also wrote an excellent blog post around this subject a few years ago: