Offloading

Securing the Exchange Control Panel

Securing the Exchange Control Panel using Netscaler Application Firewall

For this blog post I assume that you are already load balancing your Exchange servers with the NetScaler. If not, you can find here a great Deployment Guide by Citrix. In my lab environment I also use Content Switching, so you may have to adjust which virtual server you bind your Application Firewall policy to. Let's start!

Navigate to Security -> Application Firewall -> Profiles


Here we will create a new Application Firewall profile. Enter a profile name of your choice and click “Create”.


Double-click the newly created profile and switch to the Security Checks tab. Double-click Deny URL, add a new Deny URL, enter the following expression: “^[^?]*/ecp” without quotes, and tick the “Enabled” check box. The expression matches any URL that contains /ecp before the query string begins. In the General tab enable at least the Block check box. Press OK.


Within the “Configure Web Application Firewall Profile” window switch to the Settings tab. Here you can specify what happens when /ecp is accessed. In my setup I decided to redirect the visitor to my blog. Of course, you can also create an HTML page and upload it to the NetScaler.


After we have successfully created a profile, we have to create a policy and bind the profile to the policy. To do this we switch to the menu Security -> Application Firewall -> Policies -> Firewall. Here we click “Add”. Choose an appropriate name for the policy. After that select the created profile from the dropdown menu and, as the expression, simply enter “true”. Press OK.


To finish the setup we have to bind the policy to a vServer, a Content Switch vServer, or globally. In my lab I decided to apply this policy to the Content Switch vServer. We do this by starting the Application Firewall Policy Manager. You will find this tool under Security -> Application Firewall -> Application Firewall Policy Manager. Switch to the tab “CS Virtual Server”. Double-click your Content Switch vServer and insert your policy. Click Apply Change and you are done. You can now test your newly created Application Firewall by trying to access the Exchange Control Panel.


About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

SSL Offloading / Content Switching with Citrix NetScaler and PRTG Network Monitor


A quick one. I tried to publish the PRTG web interface through a NetScaler using SSL Offload and Content Switching. While testing my setup with a web browser it all seemed to work fine. But when I tried the iOS application from Paessler I ran into the following problem.


PRTG iOS APP

Since there are two Knowledge Base articles from Paessler available on how to use an IIS or Apache as a reverse proxy (Link 1 Link 2), and I could access the web interface with my browser, I was pretty sure I had made a mistake somewhere.

So I connected my iPad to Xcode and checked the console log file while setting up my account.


XCode Error Log


Content Switching Policy

The App is trying to access prtg.trendelkamp.net:443. This got me thinking. I checked my NetScaler Content Switching policy.
The policy says that the hostname needs to be the same as I configured, prtg.trendelkamp.net. And since the PRTG App adds the port at the end of the hostname there is no matching policy anymore. As soon as I changed the expression to HTTP.REQ.HOSTNAME.CONTAINS("prtg.trendelkamp.net") the App worked fine 🙂
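As an added illustration (not code from the original post), this Python model compares three ways of matching the Host header: the original equality check, the substring check, and a comparison after splitting off the port. The function names, the allowed-port list and the sample headers other than the two from the post are assumptions, and plain string comparison stands in for the NetScaler expression.

```python
# Added example: models Host-header matching for a content-switching rule.
# Names and sample values are constructed for illustration.
from typing import Optional, Tuple

EXPECTED = "prtg.trendelkamp.net"  # hostname configured in the post


def split_host(host_header: str) -> Tuple[str, Optional[str]]:
    """Split a Host header value into (lower-cased name, port or None)."""
    host = host_header.strip()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name.lower().rstrip("."), port
    return host.lower().rstrip("."), None


def match_exact(host_header: str) -> bool:
    """Original policy: the header must equal the configured hostname."""
    return host_header == EXPECTED


def match_contains(host_header: str) -> bool:
    """Changed policy: the header only has to contain the hostname."""
    return EXPECTED in host_header


def match_normalised(host_header: str, allowed_ports=("443",)) -> bool:
    """Compare the name part exactly; accept no port or an allowed port."""
    name, port = split_host(host_header)
    return name == EXPECTED and (port is None or port in allowed_ports)


# Constructed Host header values; the first two are the cases from the post.
SAMPLES = [
    "prtg.trendelkamp.net",              # browser request
    "prtg.trendelkamp.net:443",          # iOS app appends the port
    "prtg.trendelkamp.net:8080",         # same name, unexpected port
    "prtg.trendelkamp.net.example.org",  # different host that contains the name
    "notprtg.trendelkamp.net",           # different host that ends with the name
]


def evaluate(samples=SAMPLES):
    """Return {header: (exact, contains, normalised)} for each sample."""
    return {h: (match_exact(h), match_contains(h), match_normalised(h))
            for h in samples}


if __name__ == "__main__":
    for header, result in evaluate().items():
        print(f"{header:36} exact={result[0]} contains={result[1]} normalised={result[2]}")
```

The substring check fixes the port problem but also accepts hostnames that merely contain the configured name, while the normalised comparison accepts only the configured name with or without the expected port.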
