Configuring a traffic management virtual server

After you have created and configured your authentication virtual server, you next create or configure a traffic management virtual server and associate your authentication virtual server with it. You can use either a load balancing or content switching virtual server for a traffic management virtual server. For more information about creating and configuring either type of virtual server, see the Citrix Traffic Management Guide at Traffic Management.

Note

The FQDN of the traffic management virtual server must be in the same domain as the FQDN of the authentication virtual server for the domain session cookie to function correctly.

You configure a traffic management virtual server for authentication, authorization, and auditing by enabling authentication and then assigning the FQDN of the authentication server to the traffic management virtual server. You can also configure the authentication domain on the traffic management virtual server at this time. If you do not configure this option, the Citrix ADC appliance assigns the traffic management virtual server an FQDN that consists of the FQDN of the authentication virtual server without the hostname portion. For example, if the domain name of the authentication virtual server is tm.xyz.bar.com, the appliance assigns xyz.bar.com as the authentication domain.
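The domain rule in the note and the paragraph above can be checked before a virtual server is changed. The following Python sketch is an added example, not Citrix code: the function names are hypothetical, every hostname except tm.xyz.bar.com is constructed, and the label-boundary comparison is an assumption modeled on how browsers match cookie domains.

```python
import ipaddress


def normalize(fqdn):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return fqdn.strip().rstrip(".").lower()


def default_auth_domain(auth_host):
    """Authentication vserver FQDN without its hostname portion."""
    host = normalize(auth_host)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, so treat it as a name
    else:
        raise ValueError(f"{auth_host!r} is an IP address, not an FQDN")
    _, _, domain = host.partition(".")
    if not domain:
        raise ValueError(f"{auth_host!r} has no domain portion")
    return domain


def in_domain(fqdn, domain):
    """True if fqdn equals domain or is a subdomain on a label boundary."""
    host, dom = normalize(fqdn), normalize(domain)
    return host == dom or host.endswith("." + dom)


def check_tm_vserver(tm_fqdn, auth_host, auth_domain=None):
    """Return (effective authentication domain, list of problems)."""
    domain = normalize(auth_domain) if auth_domain else default_auth_domain(auth_host)
    problems = []
    for role, fqdn in (("authentication", auth_host), ("traffic management", tm_fqdn)):
        if not in_domain(fqdn, domain):
            problems.append(f"{role} vserver {fqdn} is outside {domain}")
    return domain, problems


if __name__ == "__main__":
    # Constructed inputs; only tm.xyz.bar.com comes from the page.
    for tm in ("wiki.xyz.bar.com", "wiki.bar.com", "notxyz.bar.com"):
        print(tm, check_tm_vserver(tm, "tm.xyz.bar.com."))
```

A non-empty problem list means the two FQDNs do not share the effective authentication domain, which is the condition under which the domain session cookie does not function correctly.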

To configure a TM virtual server for authentication, authorization, and auditing by using the command line interface

At the command prompt, type one of the following sets of commands to configure a TM virtual server and verify the configuration:

  • set lb vserver <name> -authentication ON -authenticationhost <FQDN> [-authenticationdomain <authdomain>]
  • show lb vserver <name>
  • set cs vserver <name> -authentication ON -authenticationhost <FQDN> [-authenticationdomain <authdomain>]
  • show cs vserver <name>

    Example

  • set lb vserver vs-cont-sw -Authentication ON -AuthenticationHost mywiki.index.com

        Done

  • show lb vserver vs-cont-sw

        vs-cont-sw (0.0.0.0:0) - TCP Type: ADDRESS
        State: DOWN
        Last state change was at Wed Aug 19 10:03:15 2009 (+410 ms)
        Time since last state change: 5 days, 20:00:40.290
        Effective State: DOWN
        Client Idle Timeout: 9000 sec
        Down state flush: ENABLED
        Disable Primary Vserver On Down : DISABLED
        No. of Bound Services : 0 (Total) 0 (Active)
        Configured Method: LEASTCONNECTION
        Mode: IP
        Persistence: NONE
        Connection Failover: DISABLED
        Authentication: ON Host: mywiki.index.com
        Done

To configure a TM virtual server for authentication, authorization, and auditing by using the configuration utility

  1. In the navigation pane, do one of the following:
    • Navigate to Traffic Management > Load Balancing > Virtual Servers.
    • Navigate to Traffic Management > Content Switching > Virtual Servers.
  2. In the details pane, select the virtual server on which you want to enable authentication, and then click Edit.
  3. In the Domain text box, type the authentication domain.
  4. In the Advanced menu on the right, select Authentication.
  5. Choose either Form Based Authentication or 401 Based Authentication, and fill in the Authentication information.
    • For Form Based Authentication, enter the Authentication FQDN (the fully-qualified domain name of the authentication server), the Authentication VServer (the IP address of the authentication virtual server), and the Authentication Profile (the profile to use for authentication).
    • For 401 Based Authentication, enter the Authentication VServer and the Authentication Profile only.
  6. Click OK. A message appears in the status bar, stating that the vserver has been configured successfully.

Simplified login protocol support for authentication, authorization, and auditing

The login protocol between authentication, authorization, and auditing traffic management virtual servers and authentication, authorization, and auditing virtual servers is simplified to use internal mechanisms instead of sending the encrypted data through query parameters. This feature prevents the replay of requests.