Publish RSA Self-Service Console through NetScaler

This week I was at a customer who wanted to publish the RSA Self-Service Console so that users can self-service their RSA tokens, passwords and accounts, and who also wanted some redundancy by using multiple RSA Authentication Servers. RSA has limited documentation on publishing the RSA Self-Service Console through a reverse proxy, especially Citrix NetScaler.

First of all, be aware that RSA Authentication Servers work in a Primary/Replica model in which only the Primary can be written to by users; all other RSA Servers are read-only replicas. So you cannot use the replica servers for changing tokens, resetting passwords or enabling accounts. Replicas can only be used for authentication purposes.


Publishing the RSA Self-Service Console through Citrix NetScaler involves:

– HTTPS RSA Self-Service servers (in my example I use two: rsa01.domain.local and rsa02.domain.local);
– NetScaler Load Balancing (Active-Passive);
– Redirect using Rewrite rules;
– Rewrite Header content;
– Rewrite Body content;
– Monitoring (this is optional).

Prerequisites

We are going to assume that the HTTPS RSA Self-Service servers are already configured in the backend and that they are reachable from the Citrix NetScaler. The RSA Self-Service Console listens on port 7004 and must also be reached on that port from the outside. As far as I can see this cannot be changed, because the RSA software hard-redirects to that port.

We are going to assume an SSL certificate is installed for binding to the external DNS name that is being used for publishing the RSA Self-Service Console to the public network. We’ll be using the fake name rsa.domain.public in this post.

The Basics (building RSA redundancy)

Create the Servers for the RSA Self Service Console Servers under Load Balancing => Servers:

add server rsa01.domain.local 192.168.0.1
add server rsa02.domain.local 192.168.0.2

Now, remember that RSA cannot be load balanced active-active because of the read-only replicas, so we have to create a separate Service for each RSA Server; do not create a ServiceGroup.

add service svc_selfservice_rsa_001 rsa01.domain.local SSL 7004 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add service svc_selfservice_rsa_002 rsa02.domain.local SSL 7004 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

Create a load balanced Virtual Server and bind the first Service created above, svc_selfservice_rsa_001, to it (remember to change the IP addresses accordingly).

add lb vserver lb_vs_rsa_ss SSL 192.168.0.3 7004 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180

Create a second load balanced Virtual Server and bind the second Service created above, svc_selfservice_rsa_002, to it (do not assign an IP address to this vServer: de-select “Directly Addressable”).
Note the -persistenceType COOKIEINSERT -timeout 0; this is very important, or you could get immediate Authentication error messages. Bind an SSL certificate to this vServer.

add lb vserver lb_vs_rsa_ss_failover SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180


Open the properties of the lb_vs_rsa_ss vServer, go to the Advanced tab and select lb_vs_rsa_ss_failover under Backup Virtual Server.

set lb vserver lb_vs_rsa_ss -backupVServer lb_vs_rsa_ss_failover

Rewrite (Redirect)

We would like users to be able to just type rsa.domain.public without an explicit port number or sub path, so we redirect an incoming connection to http://rsa.domain.public to https://rsa.domain.public:7004/console-selfservice/.

What we basically want is a two step procedure:
1. Redirect from http to https and the correct port number which is 7004;
2. Redirect to the sub path /console-selfservice.

The first step is to create a load balanced Virtual Server for the RSA publication on HTTP with no Services or ServiceGroups bound to it. Go to the Advanced page and enter https://rsa.domain.public:7004 under “Redirect URL”.
(This virtual server will be marked DOWN because nothing is bound to it, but that’s OK: the Redirect URL is served precisely when the vServer is DOWN.)

The second step is creating a Rewrite action and policy that attaches the sub path to the URL. This looks like this in the GUI.



On the CLI the same configuration looks like this.

add rewrite action rw_ac_rsa_ss replace HTTP.REQ.URL "\"/console-selfservice\""
add rewrite policy rw_pol_rsa_ss "HTTP.REQ.URL.EQ(\"/\")" rw_ac_rsa_ss

Bind the Rewrite Policy to the newly created vServer (the one with the URL Redirect under Advanced, which is marked DOWN).

bind lb vserver lb_vs_rsa_ss_failover -policyName rw_pol_rsa_ss -priority 100 -gotoPriorityExpression NEXT -type REQUEST

Rewrite (REQ Host Header)

add rewrite action act_replace-host-header-rsa01 replace_all "HTTP.REQ.HEADER(\"Host\")" "\"rsa.domain.public\"" -pattern rsa01.domain.local
add rewrite policy pol_replace-host-header-rsa01 true act_replace-host-header-rsa01

add rewrite action act_replace-host-header-rsa02 replace_all "HTTP.REQ.HEADER(\"Host\")" "\"rsa.domain.local\"" -pattern rsa02.domain.local
add rewrite policy pol_replace-host-header-rsa02 true act_replace-host-header-rsa02

Rewrite (REQ BODY)

add rewrite action rw_act_req_rsa01 replace_all "HTTP.REQ.BODY(200000)" "\"rsa.domain.local\"" -pattern rsa01.domain.local

add rewrite policy rw_pol_req_rsa01 "http.req.body(200000).contains(\"rsa01.domain.local\")" rw_act_req_rsa01

Rewrite (RES Host Header)

add rewrite action act_replace-location-header-rsa01 replace_all "HTTP.RES.HEADER(\"Location\")" "\"rsa.domain.public\"" -pattern rsa01.domain.local
add rewrite policy pol_replace-location-header-rsa01 true act_replace-location-header-rsa01

add rewrite action act_replace-location-header-rsa02 replace_all "HTTP.RES.HEADER(\"Location\")" "\"rsa.domain.local\"" -pattern rsa02.domain.local
add rewrite policy pol_replace-location-header-rsa02 true act_replace-location-header-rsa02

Rewrite (RES BODY)

add rewrite action rw_act_res_rsa01 replace_all "HTTP.RES.BODY(200000)" "\"rsa.domain.public\"" -pattern rsa01.domain.local
add rewrite policy rw_pol_res_rsa01 "http.res.body(200000).contains(\"rsa01.domain.local\")" rw_act_res_rsa01

add rewrite action rw_act_res_rsa02 replace_all "HTTP.RES.BODY(200000)" "\"rsa.domain.public\"" -pattern rsa02.domain.local
add rewrite policy rw_pol_res_rsa02 "http.res.body(200000).contains(\"rsa02.domain.local\")" rw_act_res_rsa02
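As an added example (my own code, not from the original post, Citrix or RSA), here is a small Python model of the response-side rewrites above: it applies the Location-header and body replace_all rules and then lists every internal hostname that would still reach the client. It assumes the hostnames used in this post; the 200000-byte window mirrors HTTP.RES.BODY(200000), which only exposes the first 200000 bytes of the body, so a hostname further down the page is not rewritten and leaks.

```python
import re

# Hostnames from the post; the sample response below is constructed, not real RSA output.
PUBLIC_HOST = "rsa.domain.public"
INTERNAL_HOSTS = ("rsa01.domain.local", "rsa02.domain.local")
BODY_WINDOW = 200000  # HTTP.RES.BODY(200000) only exposes the first 200000 bytes


def rewrite_response(headers, body):
    """Model the RES rewrites: replace_all on the Location header and on the
    first BODY_WINDOW bytes of the body. Bytes past the window are untouched."""
    out = dict(headers)
    if "Location" in out:
        for host in INTERNAL_HOSTS:
            out["Location"] = out["Location"].replace(host, PUBLIC_HOST)
    head, tail = body[:BODY_WINDOW], body[BODY_WINDOW:]
    for host in INTERNAL_HOSTS:
        head = head.replace(host.encode(), PUBLIC_HOST.encode())
    return out, head + tail


def find_leaks(headers, body):
    """List every header value and body offset where an internal hostname
    would still be sent to the client."""
    leaks = []
    for name, value in headers.items():
        for host in INTERNAL_HOSTS:
            if host in value:
                leaks.append("header %s: %s" % (name, host))
    for host in INTERNAL_HOSTS:
        for m in re.finditer(re.escape(host).encode(), body):
            leaks.append("body offset %d: %s" % (m.start(), host))
    return leaks


# Constructed sample: a redirect to the internal name, plus a page whose second
# internal link sits beyond the 200000-byte window, so the body rewrite misses it.
SAMPLE_HEADERS = {
    "Location": "https://rsa01.domain.local:7004/console-selfservice/",
    "Set-Cookie": "JSESSIONID=0123abcd; Path=/console-selfservice; Secure",
}
SAMPLE_BODY = (b'<a href="https://rsa01.domain.local:7004/console-selfservice/">a</a>'
               + b" " * BODY_WINDOW
               + b'<a href="https://rsa02.domain.local:7004/console-selfservice/">b</a>')

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for leak in find_leaks(hdrs, body):
        print("still leaks:", leak)
```

Running it prints the one reference the 200000-byte window misses; in practice, check the real page size against the window and keep the Location rewrite, since a redirect to rsa01.domain.local sends the browser to a name it cannot resolve.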

Monitoring (Optional)

This step is optional. Under Load Balancing => Monitors, click Add and fill in the fields as follows: Type: HTTP, Destination Port: 7004, Secure: checked.
I have increased the Response Time-out and Interval on purpose, because with the Primary/Replica model I want to be sure the primary RSA Server really is down before failing over.


Under the Special Parameters tab, make sure you have entered “HEAD /console-selfservice/” as the HTTP request and 302 as the response code, because the RSA software performs a hard redirect there.


add lb monitor https-self-service-rsa HTTP -respCode 302 -httpRequest "HEAD /console-selfservice/" -LRTM ENABLED -interval 20 -resptimeout 10 -destPort 7004 -secure YES

Bind the newly created monitor to both of the created RSA Services.

bind lb monitor https-self-service-rsa svc_selfservice_rsa_002
bind lb monitor https-self-service-rsa svc_selfservice_rsa_001

About Henny Louwers
I work as a Consultant specialized in Application Delivery, Virtualization of Servers, Desktops and Apps.

6 Responses to Publish RSA Self-Service Console through NetScaler

  1. Chris says:

    Henny – Great article as always I’ve gotten great, great information from you over the past year and 1/2. Thanks very much for taking the time!!!

    I have a couple of questions regarding a similar Netscaler configuration. We are using two factor authentication with LDAP and RADIUS and I have my Primary RSA server added to the Netscaler and everything is and has been working great for over a year. I recently completed the build of my replica RSA server and have added it to the Netscaler in a load balance configuration. My questions are…

    If I don’t know the correct request/response to enter into the special parameters for my udp-ecv monitor, how else can I make the monitor probe correctly and get a correct response? I ended up following the second option in CTX131537 and thus added to my initial firewall rule for UDP and 1812, ICMP type 0 and type 3 and added the TCP/IP monitor to the service.

    This is working great but I’d rather not have the ICMP traffic opened up like this. How did you come up with the information “HEAD /console-selfservice/” to enter in for your udp-ecv monitor? Can you help with what information I could use to enter in for my configuration?


    • Hi Chris,

      Thanks for the positive feedback. Really appreciate it.

      I’m not using the “HEAD /console-selfservice/” in a UDP-ECV monitor but in a (Secure) HTTP monitor; the /console-selfservice/ is a default subpath of the RSA Self Service portal. When this one is reachable the NetScaler knows it’s ready to service requests. Remember that this post regards the RSA Self Service Portal Page.

      I think you are talking about monitoring the RSA Radius service from the Citrix NetScaler, maybe this post will be of more use to you:
      https://hlouwers.wordpress.com/2011/12/16/configure-rsa-radius-monitoring-on-netscaler/

      Let me know if this helps!


  2. Colin says:

    Just one problem. When I click on the log on link on the self service, I can get all the way to the password, but then it fails with an error when I try to logon: System Internal Error. The address bar shows it trying to deliver an SSO request of some sort “…:7004/console-selfservice/sso/artifact?….”


  3. Hi Henny, thanks for your post which gave me the hint in the right direction. I had to implement a FULL offload for the RSA Self service console including translating Port 7004 to 443.
    Using Netscaler URL transformation solves the problem in just a few easy steps:

    Explanation for GUI:

    1. Goto “Rewrite – URL Transformation – Profiles” and click “add”, name the profile e.g.”trans_profile_RSA_SS”
    2. click Add to create a URL Transformation Action
    3. enter a Name, e.g. “trans_action_RSA_SS”
    enter a priority, e.g. 1000
    Request URL From = https://rsa.domain.public
    Request URL into = https://rsa.domain.local:7004
    Response URL From = https://rsa.domain.local:7004
    Response URL into = https://rsa.domain.public
    4. click ok twice and click Close
    5. Goto “Rewrite – URL Transformation – Policies” and click “add”, name the policy e.g. “trans_pol_RSA_SS”
    select the Profile from step 1.
    Enter true for Expression
    Click ok and close
    6. click on “URL Transformation” and click “Transform policy manager” in the right pane
    7. click “LB virtual server” and double(!) click the SSL offload vserver for RSA
    8. click insert policy and select the policy from step 5.
    9. click “Apply” and “close”
    10. finish.

    Explanation for CLI:

    1. add transform profile trans_profile_RSA_SS
    2. add transform action trans_action_RSA_SS trans_profile_RSA_SS 1000
    3. set transform action trans_action_RSA_SS -priority 1000 -reqUrlFrom "https://rsa.domain.public" -reqUrlInto "https://rsa.domain.local:7004" -resUrlFrom "https://rsa.domain.local:7004" -resUrlInto "https://rsa.domain.public"
    4. add transform policy trans_pol_RSA_SS true trans_profile_RSA_SS
    5. bind lb vserver ssl_vserver_RSASelfService -policyName trans_pol_RSA_SS -priority 100 -gotoPriorityExpression END -type REQUEST

    Hope that helps,

    Regards,
    Christoph Link
    net on AG


    • Thanks for the feedback Christoph!


  4. Matthew says:

    Thanks for this! I can get to the page successfully, but when I select OK after typing in my user ID I get page cannot be displayed. This is what is in the URL path:

    https://WEBSITE:7004/console-selfservice/ExistingUser/Links.do?com.rsa.ui.jsp.taglibs.html.TOKEN=aae000de226232974e4bca2248f2daf0&ptoken=IZQY19SUY11YXK4T&action=loginToMyAccount&textFieldUserID=USERNAME

    I replaced the following items for security purposes:

    WEBSITE
    USERNAME

