Recommended Configuration Example for NetScaler Load Balancing of Microsoft Exchange

Proper configuration of load balancing for Microsoft Exchange 2007, 2010, 2013, and 2016.

Citrix ADM StyleBooks simplifies Citrix ADC load balancing configurations for Exchange. Refer to Citrix Docs to learn more – Microsoft Exchange StyleBook.

Note: Load balancing of Microsoft Exchange is not possible using a single LB VServer. Instead, please follow the recommended configuration provided in this article.


NetScaler Unified Gateway for Applications with Different Login Site Requirements Including Step Up Authentication


Requirements for this example:

  • NetScaler Enterprise License
  • NetScaler Version 11.1.x and above.
  • LDAP Server
  • RADIUS Server
  • Public IP Address

Basic Setup

  1. Add none addressable Loadbalancing VServers and Services for both web applications.

    1. Load-balancing VServers:

      User-added image

    2. Services:

      User-added image

  2. Add basic none addressable AAA VServer for logon. No need of more configuration at this moment.

    User-added image

    1. Add Content Switching VServer of type SSL with public IP. On this IP address we need DNS records for each application we want to access and for AAA VServer as well. In this example we will use the following DNS names:

      • green.lab.local -> Application Green
      • red.lab.local -> Application Red
      • aaa.lab.local -> AAA VServer

        User-added image

    2. ​Afterwards bind a SSL certificate with matching CN or SAN for all DNS records.

  3. .

    1. After this we need to add Content Switch Policies to the VServer. One for each application which should match the individual hostname. This is how the NetScaler determines which application the user wants to access.In addition add another policy for AAA with expression “true”.

      User-added image

    2. Make sure that AAA policy has the highest priority. Otherwise it would not be possible to access the apps.

    3. Add Content Switch Actions for each policy pointing on the matching VServer. In this example on each Loadbalancing VServer and one one the Authentication VServer.

      User-added image

Authentication Level Config

After completing the basic VServers and content switching setup, we will now enable the authentication and doing the strong / weak definition for our applications.

  1. .

    1. Drill down to Loadbalancing VServer for application Red and enable “Form Based Authentication” and add a Authentication Profile.

      User-added image

    2. Enter the defined AAA VServer hostname for doing redirection when a user wants to access the application and has no existing session.

    3. Chose Authentication Virtual Server as type and bind AAA VServer

    4. At least define Authentication Level. This is how we can configure whether an application is stronger or weaker than another. A session at the given level of 100 can access VServers with a lower level without re-authenticating. On the other hand, this session is forced to authenticate once again if the user tries to access a VServer with a higher level.

      User-added image

    5. Repeat step a-d with application Green.

    6. After adding both Authentication Profile it should look like this: Security > AAAApplication Traffic > Authentication Profiles.

      User-added image

      One profile for each application, both pointing on the AAA VServer hostname. As defined in the flow chart, in our example application Red is stronger (Level 100) than application Green (Level 90). This means a user with an existing session for Red, can access Green without reauth. The other way around a user who accessed Green at first must reauth for application Red.

nFactor Config for MFA

  1. To achieve the needed NetScaler logon page behavior, we need to add three Login Schemas. Go to: Security > AAAApplication Traffic > Login Schema > Profiles

    1. Schema for normal LDAP authentication

      1. Select SingleAuth XML to present the use two fields. One for username and the second for LDAP password.

      2. Make sure to save username at index 1 and password at index 2. This is important for doing LDAP reauth, when a user is accessing application Red after application Green.

        User-added image

    2. Schema for LDAP re-authentication

      1. Select “noschema” because the user will not see the process of LDAP re-authentication.

      2. Fill User and Password Expression with the attribute fields we defined in the first schema.

        User-added image

    3. Schema for RADIUS Authentication

      1. Select OnlyPassword XML to present only one field for RADIUS pin. Username is not necessarily due to first LDAP login.

        User-added image

  2. The next step is to add all needed Authentication Policies to control the behavior of our login mechanism.Go to: Security > AAA – Application Traffic > Policies > Authentication > Policy

    1. Add default LDAP policy with required LDAP server.

      User-added image

    2. Add default RADIUS policy with required RADIUS server.

      User-added image

    3. Add a third authentication policy with action type “NO_AUTH” and expression “true”. This policy will have no more effect than bridging to the next factor.

      User-added image

    4. Fourth policy evaluate whether a user wants to access the stronger application Red or not. This is important to do multifactor authentication for Red.

      1. Select “LDAP” as action type and choose your LDAP server.

      2. The expression will evaluate whether it is application Red by checking the cookie NSC_TMAP. The user gets issued this cookie by accessing the NetScaler logon site and contains the name of the Authentication Profile bound to the accessed Load-balancing VServer.

        User-added image

        User-added image

    5. Last policy will check whether the user has saved credentials from a first weaker login. This is important for automatic LDAP relogin when a user at first accessed the weaker application and now wants to start the stronger one.

      User-added image

  3. For binding all this Authentication Policies and Login Schemas we now have to add some Policy Labels.

    Go to: Security > AAA – Application Traffic > Policies > Authentication > PolicyLabel

    1. ​At first we will start with the label for RADIUS authentication.

      1. Give the label a prober name, select the earlier schema for RADIUS and click on “Continue”.

        User-added image

      2. Last step for this label is to bind the default RADIUS authentication policy.

        User-added image

    2. Second label will do the LDAP relogin.

      1. Add the label and bind the “Relogin” schema.

        User-added image

      2. Bind the LDAP authentication policy and make sure to set the RADIUS Policy Label as Next Factor.

        User-added image

    3. Add the last label for first LDAP authentication

      1. Select proper schema and click on “Continue”.

        User-added image

      2. Bind the first policy for strong authentication and make sure to set Goto Expression to “End” and select RADIUS Policy Label as Next Factor.

      3. Second policy is for weaker Green authentication without RADIUS.

      4. Ensure the priority of the binding.

        User-added image

  4. At least we need setup the AAA VServer as well Go to: Security > AAA – Application Traffic > Virtual Servers

    1. Open earlier added VServer and set favored Portal Theme.

      User-added image

    2. At next we have to bind the last two remaining Authentication Policies directly at the VServer.

      User-added image

      1. Bind relogin Policy with “NO_AUTH” and LDAP relogin Policy Label as Next Factor. This is for doing the automatic LDAP reauth with an existing session.

      2. Set second policy to bridge directly to Next Factor LDAP when no session before existed.

      3. As always make sure to set the right priorities.

        User-added image

MFA Configuration through Visualizer

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. Type in the Factor Name for the first factor

4. No Schema is needed for the first factor. Click on Add Policy to add NO_Authentication Policy as shown in Step 2. e of the MFA Configuration above

5. Click on blue + sign to add second Authentication.

6. Choose Authentication Policy created as shown in Step 2. c and click on Add

7. Click on green + sign to add a next factor

8. Select Create Factor and type in Factor Name and click on Create to add next authentication factor

9. Click on Add Schema to Add a schema

10. Choose Schema created as show in step 1. b in MFA Configuration above and Click on OK

11. Click on Add Policy and Choose the authentication policy created in Step 2. a

12. Click on green + sign to add another factor for radius authentication

13. Following step 8 Create another Factor

14. Click on Add Schema and Choose schema for password only field. You can follow step 1. c given above to create the schema

15. By clicking on Add Policy Choose Radius Authentication and click on Add

16. Click on green + sign in First factor next to step_up-pol

17. Create another factor following step 8

18. Click on Add Schema and choose schema created as shown in Step 1.a

19. Click on Add Policy to choose Authentication Policy created as shown in Step 2. d

20. Click on blue + sign to add another authentication policy for LDAP Authentication

21. Choose LDAP Authentication Policy and click on Add

22. Click on green + sign next to LDAP_Step_up to add the RADIUS Authentication

23. As the factor for RADIUS Authentication is already present, select Connect to existing Factor and select step_up_radius

24. Click on Done this will automatically save the configuration.

25. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and then Create

NOTE: Bind and Unbind the nFactor Flow through the option given in nFactor Flow under Show Bindings only.

To unbind the nFactor Flow:

1. Select the nFactor Flow and Click on Show Bindings

2. Select the Authentication VServer and Click Unbind


Access application Red as first:

  1. Redirection to AAA VServer logon page with first factor LDAP after accessing red.lab.local.

    User-added image

  2. nFactor evaluates that user wants to access application Red and presents second factor RADIUS.

    User-added image

  3. NetScaler grants access to application Red.

    User-added image

  4. Access application Green as next. NetScaler grants immediate access because of session of stronger application Red.

    User-added image

Access application Green as first

  1. Redirection to AAA VServer logon page after accessing green.lab.local.

    User-added image

  2. nFactor evaluates application Green and grants access without any second factor.

    User-added image

  3. User access application Red as next. Higher Authentication Level requires relogin and nFactor does LDAP relogin automatic with saved credentials from first login at application Green. User has now only to enter RADIUS.

    User-added image

  4. NetScaler grants access to application Red.

    User-added image


Office 365 is Randomly Asking Users to Reactivate

Solution 1

Review this Microsoft documentation:

Confirm the following:

  1. Check that your Office 365 plan supports shared computer activation.
  2. Verify that shared computer activation is enabled for Office 365 ProPlus.
  3. Verify that activation for Office 365 ProPlus succeeded.
  4. Does %localappdata%MicrosoftOffice16.0Licensing have some text files in the folder? When were those files created. Are they also in the profile store? If so, delete the user profile from the profile store and have the user log back in.
  5. Confirm that the exclusion policy is applied successfully and that the !ctx_localappdata!MicrosoftOffice16.0Licensing directory is being excluded. Refer to Ultimately, you may need to contact Microsoft support for additional assistance on Office 365 activation process.

Solution 2

Registry Key Modified:



SCLCacheOverride with value 1 (string).SharedComputerLicense with value 1 (dword).SCLCacheOverrideDirectory in the file path: %userprofile%AppdataToken365 (it can be modified)

Also, enable the following policies

  1. Via GPO “Automatically activate Office with federated organization credentials”
    • Under “Subscription activation settings”
  2. Add ADFS.[domain] to the Local Intranet trusted Zone (Via Group Policy):
  3. Add automatic logon in Security Configuration (via Group Policy):
  4. If using Citrix UPM, make sure the UPM profile is synchronizing these two folders:
    • %localappdata%MicrosoftOffice16.0Licensing
    • %localappdata%MicrosoftCredential

After applying the changes above there were no additional Office 365 activation requests.

Solution 3

If virtual machines and newest version of Office 365 Pro Plus that you have to run “reg add “HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonIdentity” /v “DisableADALatopWAMOverride” /d “1” /f /t REG_DWORD” on the virtual machine for Outlook sign in to work properly.


  • No Related Posts