NetScaler fulfils not only all the functionality in Forefront Threat Management Gateway, but adds many additional features to optimise, protect and scale web-based applications. One of the principal uses of NetScaler is to front-end applications such as Microsoft Lync, SharePoint and Exchange in enterprise data center of all sizes. But the most customers have used TMG to provide secure access to Exchange for e-mail syncing.

Here is a document which describes what’s possible with NetScaler including a nice feature matrix. But there is no step-by-step or best practice guide to configure the NetScaler to load balance Exchange and to have authentication configured correctly for all services. So I will share my personal experience. With this guide you should be able to configure a NetScaler for external E-Mail access with authentication and SSO to the CAS.


  • Setup your NetScaler using the best practices guide and secure it with the secure deployment guide as you place the box in the DMZ.
  • Be sure you have at least a NetScaler Enterprise license installed
  • Enable at least following features: LB, SSL, CS, REWRITE, AAA, and RESPONDER
  • Set the timezone and a NTP server and check the date and time on the NetScaler
  • Configure your DNS settings properly
  • Request and install the needed certificates. At least for 2 host, one for the CS-Vserver and one for the AAA-Vserver or use a wildcard certificate
Setup the LB-Vservers
  • Create for each Exchange server a “Server-Object” under Load Balancing
  • Create for each Exchange service a custom Monitor
  1. /owa (Outlook Web Access)
  2. /ecp (Exchange Control Panel)
  3. /ews (Exchange Web Service)
  4. /Microsoft-Server-ActiveSync (ActiveSync Service for Mobile Mail clients)
  5. /oab (Offline Address Book)
  6. /rpc (Outlook Anywhere or RPC over HTTPS)
  7. /Autodiscover (Autodiscover Service)

  • Create for each Exchange service a “Service Group-Object” and bind the Server-Objects and the appropriate monitor to it

  • Create for each Exchange service an LB-Vserver and bind the appropriate Service Group to it and a certificate. (can be a self-signed) You can uncheck Directly Addressable as we will bind it later to a CS-Vserver. Set an appropriate lb-method like Least Connection and a useful persistence like SSLSESSION.

Setup Authentication and AAA-TM Policies

  • Create an AAA-Vserver with an IP address with external access over https and bind the appropriate certificate to it.
  • Create an Authentication Profile and Policy (with ns_true) for LDAP and bind it to the AAA-Vserver
  • Create a Session Profile and Policy (with ns_true) with this settings: Bind it to the AAA-Vserver

Some settings refer to a post in the Citrix forum that with HTTPOnly Cookie “Yes” some Android native e-mail clients have problems to sync mails.

  • Configure Form based SSO Profiles for OWA.  Additionally you can differentiate between private and public computers on behalf of Source IP, Group membership or other triggers. For private computers just change the Name Value Pair to “flags=4&trusted=4”. This is valid for Exchange 2010. For Exchange 2013 I still have to validate them.

  • Configure Traffic profiles for each Form based SSO Profile created another one for the logout.


  • Set the needed Traffic policies. In my case user member of AD group “VIP” or coming from an internal network will use the private OWA setting and all others are using the public ones. Also set the policy for the logout action with the appropriate URL

  •  Bind the SSO traffic policies to the OWA LB-Vserver and the logout policy to global
  •  Configure Authorisation Policies if needed to lock down the Ports and IP accessing or limit the up- and download of attachment types. Bind them properly.

Configure authentication on the LB-Vservers

  • Open OWA and ECP LB-Vservers and go to the advanced tab and enable Authentication under “authentication settings” and set the Authentication FQDN and the Authentication Vserver.

  •  Now open all other LB-Vservers and go to the advanced tab and enable 401 Based Authentication under “authentication settings” and set the Authentication Vserver.

Configure Redirection to /owa policy

  • Configure a responder action and a policy to redirect the users to the /owa directory on the CAS server.

  • Bind this policy to the OWA LB-Vserver

Create the CS-Vserver

  • Create a CS-Vserver with the correct IP address, bind the right certificate to it.
  • Create CSW policies for each LB-Vserver target. Use ignore case to avoid incorrect client implementations. As OWA is normally only accessed by browsers, I search for the User-Agent header “Mozilla”.

With this information you should be able to set up a NetScaler for TMG Replacement and Exchange 2013. This configuration is also applicable for Exchange 2010. Unfortunately there are no specific monitoring service like in the 2013 Server.

Here are the ns.config snips for this configuration:


Thanks to Rafyel Brooks, who has done a great job, we have now a guide to use Certificate based authentication and  SSO with Kerberos Constrained Delegation

How to configure Citrix NetScaler for Client Certificate Based Authentication with KCD SSO for ActiveSync v1.1