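#
# AAATM Batch Configuration to Secure OWA 2010 Attachments via the AAA for Traffic Management feature on the NetScaler
#
# This example batch configuration allows admins to utilize the AAA and Rewrite features of NS to control attachment security in OWA.
# The commands create the necessary entities such as AAA Vserver, AAA Groups, SSL Offload Vserver, Service Groups, Forms SSO traffic actions
# and policies, and rewrite policies for a complete solution.
# Please refer to the blog post at http://communities.citrix.com/ for more details regarding this script and method.
#
# NOTE(review): the IP addresses, subnets, host names and the LDAP bind credential below are the example site's values; replace every
# one of them before applying this batch. The script also binds no certificate (certkey) to the SSL vservers it creates, so that step
# must be done separately.
#

#
# AAATM POLICIES AND SSO
#

# add your private and public forms SSO actions
# Both actions post the same credentials to /owa/auth.owa; they differ only in the extra form fields (flags/trusted) sent with the
# login, which is what selects the OWA public vs. private profile. Success is detected by the "cadata" session cookie being set.
add tm formSSOAction owa_formssoaction_public -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -nameValuePair "flags=0&trusted=0" -responsesize 10240 -submitMethod POST
add tm formSSOAction owa_formssoaction_private -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -nameValuePair "flags=4&trusted=4" -responsesize 10240 -submitMethod POST

# add the corresponding traffic actions (one per forms SSO action)
add tm trafficAction owa_trafficaction_public -appTimeout 1 -SSO ON -formSSOAction owa_formssoaction_public
add tm trafficAction owa_trafficaction_private -appTimeout 1 -SSO ON -formSSOAction owa_formssoaction_private

# add the policy conditions that dictate whether a user is granted a private profile with access to attachments
# or a public one which forces using the attachment viewer.
# Private profile: request comes from the trusted subnet OR the user was placed in the local AAA group "VIP" by LDAP group extraction.
# Public profile: everything else hitting the logon page. The two rules are mutually exclusive by construction.
# NOTE(review): these traffic policies are only defined here; nothing in this batch binds them (to the LB vserver or globally),
# so the forms SSO will not fire until they are bound.
add tm trafficPolicy owa_policy_public "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") && CLIENT.IP.SRC.IN_SUBNET(10.217.242.0/24).NOT" owa_trafficaction_public
add tm trafficPolicy owa_policy_private "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") && (CLIENT.IP.SRC.IN_SUBNET(10.217.242.0/24)||HTTP.REQ.USER.IS_MEMBER_OF(\"VIP\"))" owa_trafficaction_private

#
# REWRITE POLICIES AND ACTIONS
#

# create the required rewrite actions to manipulate cookies associated with the OWA session
# the PBack cookie is required for the OWA form postback and must be inserted with the original inbound request
# act_1 adds a Cookie header when the request carries none; act_2 appends to the existing first Cookie header instead.
add rewrite action owa2010_insert_pback_cookie_act_1 insert_http_header COOKIE "\"PBack=0;\""
add rewrite action owa2010_insert_pback_cookie_act_2 insert_after "HTTP.REQ.HEADER(\"COOKIE\").INSTANCE(0).SUBSTR(\":\")" "\" PBack=0;\""

# this action redirects the browser via the Location header when the user clicks logout in OWA so they are redirected to the TM AAA login page
add rewrite action replace_location replace "HTTP.RES.HEADER(\"Location\").VALUE(0)" "\"https://owa.citrixreadiness.com/owa\""

# these actions expire the NS TM AAA cookies for secure and non-secure connections once a user logs out of OWA
# (the cookie value is replaced with a dummy and an expiry date in the past, so the browser drops the AAA session cookie on logout)
add rewrite action owa2010_invalidate_tmas_cookie_act insert_HTTP_header Set-COOKIE "\"NSC_TMAS=xyz;Domain=.citrixreadiness.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
add rewrite action owa2010_invalidate_tmaa_cookie_act insert_HTTP_header Set-COOKIE "\"NSC_TMAA=xyz;Domain=.citrixreadiness.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""

# PBack policies: pick act_1 or act_2 depending on whether the logon request already carries more than two cookies
# FIX: pol_1 previously referenced "owa2010_insert_pback_cookie_1", an action that is never created; it must point at
# owa2010_insert_pback_cookie_act_1 or the add fails and the cookie is never inserted for cookie-less requests.
add rewrite policy owa2010_set_pback_cookie_pol_1 "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") && HTTP.REQ.COOKIE.COUNT.GT(2).NOT" owa2010_insert_pback_cookie_act_1
add rewrite policy owa2010_set_pback_cookie_pol_2 "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") && HTTP.REQ.COOKIE.COUNT.GT(2)" owa2010_insert_pback_cookie_act_2

# all policies that deal with logout are bound to the URL requested when a user clicks the logout link in OWA
add rewrite policy owa2010_replace_location "HTTP.REQ.URL.CONTAINS(\"owa/auth/logoff.aspx?Cmd=logoff&src=exch\")" replace_location
add rewrite policy owa2010_invalidate_tmas_cookie_pol "HTTP.REQ.URL.CONTAINS(\"owa/auth/logoff.aspx?Cmd=logoff&src=exch\")" owa2010_invalidate_tmas_cookie_act
add rewrite policy owa2010_invalidate_tmaa_cookie_pol "HTTP.REQ.URL.CONTAINS(\"owa/auth/logoff.aspx?Cmd=logoff&src=exch\")" owa2010_invalidate_tmaa_cookie_act

# bind the PBack policies globally so that they fire with the backend forms SSO policies/actions
# lower priority number evaluates first: pol_2 (135) is checked before pol_1 (140); both stop evaluation with END on a match
bind rewrite global owa2010_set_pback_cookie_pol_2 135 END -type REQ_DEFAULT
bind rewrite global owa2010_set_pback_cookie_pol_1 140 END -type REQ_DEFAULT

#
# AAA CONFIGURATION
#

# add your LDAP authentication server and group extraction settings as well as the local matching group name
# memberOf/CN extraction is what populates HTTP.REQ.USER.IS_MEMBER_OF("VIP") used by the private traffic policy above.
# NOTE(review): the bind DN is a domain Administrator account; group extraction only needs read access to the directory,
# so a dedicated read-only service account is the least-privilege choice.
# NOTE(review): the -encrypted password value is ciphertext produced on the originating appliance and is not a usable
# credential elsewhere; supply your own bind password when adapting this batch.
# NOTE(review): -secType SSL encrypts the bind on port 636, but this command does not turn on validation of the LDAP server's
# certificate; if your firmware supports it, enable server certificate validation so the bind credential is only ever sent to the
# intended directory server.
add authentication ldapAction LDAP -serverIP 10.217.242.241 -serverPort 636 -authTimeout 5 -ldapBase "dc=cartel,dc=net" -ldapBindDn administrator@cartel.net -ldapBindDnPassword ee2e035360973027 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication ldapPolicy LDAP ns_true LDAP
add authentication vserver 10.217.242.249_443_auth_vs SSL 10.217.242.249 443 -AuthenticationDomain citrixreadiness.com -appflowLog DISABLED
bind authentication vserver 10.217.242.249_443_auth_vs -policy LDAP -priority 100
# local group that extracted LDAP groups are matched against by name
add aaa group VIP

#
# CONTENT SWITCHING AND LOAD BALANCING CONFIGURATION
#

# add your target CAS servers
add server pasto.cartel.net 10.217.242.226
add server bogota.cartel.net 10.217.242.227

# add an HTTP-ECV health check for OWA (fetches the logon page over SSL and expects the OWA title in the response)
add lb monitor OWA_10.217.242.250_443_mn HTTP-ECV -customHeaders "User-Agent:Mozilla/5.0+\r\nHost:owa.citrixreadiness.com\r\n" -send "GET /owa/auth/logon.aspx" -recv "Outlook Web App" -LRTM ENABLED -interval 30 -resptimeout 5 -downTime 2 MIN -secure YES

# add a service group and bind CAS servers
add serviceGroup OWA_10.217.242.250_443_svg SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
bind serviceGroup OWA_10.217.242.250_443_svg bogota.cartel.net 443
bind serviceGroup OWA_10.217.242.250_443_svg pasto.cartel.net 443
bind lb monitor OWA_10.217.242.250_443_mn OWA_10.217.242.250_443_svg

# add your LB Vserver for OWA with AAATM Vserver binding and bind the OWA service group
# (non-addressable 0.0.0.0:0 vserver; traffic reaches it only through the CS vserver below)
add lb vserver OWA_10.217.242.250_443_lbvip SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -AuthenticationHost auth.citrixreadiness.com -Authentication ON -authnVsName 10.217.242.249_443_auth_vs
bind lb vserver OWA_10.217.242.250_443_lbvip OWA_10.217.242.250_443_svg

# add a Content Switching Vserver that sends /owa requests to the LB vserver
add cs vserver OWA_10.217.242.250_443_csv SSL 10.217.242.250 443 -cltTimeout 180 -AuthenticationHost auth.citrixreadiness.com
add cs policy OWA_10.217.242.250_csvpol -rule "HTTP.REQ.URL.CONTAINS(\"/owa\")"
bind cs vserver OWA_10.217.242.250_443_csv OWA_10.217.242.250_443_lbvip -policyName OWA_10.217.242.250_csvpol -priority 100

# the invalidation policies are bound to the HTTP response and bound to the OWA Vserver to which you have bound your AAA TM Vserver
# order: fix the Location header first, then expire both AAA cookies; the last binding ends evaluation
bind lb vserver OWA_10.217.242.250_443_lbvip -policyName owa2010_replace_location -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver OWA_10.217.242.250_443_lbvip -policyName owa2010_invalidate_tmaa_cookie_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver OWA_10.217.242.250_443_lbvip -policyName owa2010_invalidate_tmas_cookie_pol -priority 120 -gotoPriorityExpression END -type RESPONSE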