compdigit44

SharePoint 2010 and Citrix Netscaler

I started at my new company 4 months ago and they have a SharePoint site which is externally accessible. We also use a Citrix Netscaler to load balance all services. I was told the previous admin was not able to get SharePoint to work with the Netscaler because they kept on getting two login prompts. They ended up setting up a 2007 ISA server to get around this. I have been tasked to decommission the ISA server and SharePoint is the last remaining app hosted.

Has anyone run into this issue before with SharePoint and the Netscaler? I wanted to post this question ahead of time so I can start preparing.
aroddick

Hi,

We've just finished a setup of SharePoint 2010 Reverse Proxy. The only feature that doesn't work that we've identified is the 'SharePoint Sites Connect to Office' which uses WebDav.

We also use OWA Reverse Proxy (for externals and non-domain computers), Citrix StoreFront and the 'full tunnel' VPN (for staff with domain computers).

We're running 10.1 on the Netscaler, planning to in-place upgrade to 10.5.

How far into it are you? I'm by no means an expert, learning on the fly but I'm happy to help if I can.

Cheers,

Adam
compdigit44

ASKER

We have Netscaler 10.1 as well. I am in the planning phase and we have a large Netscaler HA environment. The external landing page points to an IP on the ISA server.

1) Would the login page when not going through Citrix?
2) What are your vServer settings for SharePoint to avoid the double prompt issue?
Just had an idea. I can easily test this without impacting production by setting up a vserver on our Netscaler and accessing the VIP by IP only from the outside while users still use the DNS name associated with the ISA server!
Hang tight, writing something up for you with screenshots to show you how we've got it configured.
I don't know how much of the attached will be useful to you but it might be a start. There is more to our configuration because we have SMS/Token 2-factor and Client Certificate checks but I've tried to grab the core part.

Assuming your Netscaler config is OK there were a couple of tweaks we had to do to the SharePoint farm, I'll check with our SP person to see if they have anything documented.
Wow.. thanks...
I found this article online from Microsoft on setting reverse proxy for SharePoint with the Netscaler... Is this basically what you did?

http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deployment-guide-netscaler-office-365-en.pdf?accessmode=direct
Did my Word Doc attachment upload correctly?

Our SharePoint person just confirmed we actually didn't end up needing to do anything with the SP Farm except that we were using http://sharepoint internally and had to make the switch to https://sharepoint (silly design choice when SP was first implemented).

I haven't seen the guide you linked before. It looks similar though guides are always a little more generic than how our own solution ends up. A little annoying that the pictures in that guide are so blurry.
I never saw the Word doc... Did you upload it?
Our ISA 2006 server presents users with a Forms Based authentication page... when moving to the Netscaler this would be lost. How did you handle this in your organization?
ASKER CERTIFIED SOLUTION
aroddick
This solution is only available to members.
I can't help you on the Forms Auth sorry, we have it disabled in IIS.
I guess what I am trying to say is with ISA it gives you the default login page... We are not using FBA at all.... When users log in externally are they getting a plain Windows login prompt?
I am starting to look through your Word Doc.. So in short you created an LDAP policy which authenticates users upfront... correct?

Never used an LDAP policy before.

Is this what you are referencing on page 2 of your Word doc?


Thanks again for everything .....
In response to your ISA question:

So, users will get the black Netscaler Gateway login page, once they log in successfully there they will have:
1. On a domain computer, pass-through authentication so they don't get any further credential prompts from Windows or IE.
2. Non domain computers get repeated prompts as they connect to team sites or open up documents.

Is that what you meant?

Also, my pleasure - I hope it is some small help. Netscaler is such a seriously steep learning curve -_-
I am working through your Word document now. So the AAA vServer really holds the LDAP policy, that's it.. We already have a vserver in our DMZ that does LDAP. Could I somehow piggyback off this? I am also waiting on our Security team to open ports in the firewall for me.
Here is my concern. We already have a load balanced vserver that hosts LDAP and applications reference it by IP. With the AAA vServer it needs the FQDN of the LDAP connection. Do I need to now have an external DNS record for my LDAP vserver or can this just be a local host entry on the Netscaler?

Thank you so much for all of your help......
Sorry for the late reply, LDAP not needed externally, it all happens from the SNIP to the internal network - did you work it all out? :)
How did you set it up without LDAP? Some type of authentication source needs to be listed?
aroddick, we are having a similar issue, would love to see the doc that you originally posted, it may help us out on our problem which is almost exact to this issue. I tried the link but since it is a year old it only comes up to a blank page.

Thanks again

Brian