Today, we are going to provide technical guidance on how to migrate your Citrix Netscaler Exchange Virtual Server using NetScaler AAA Session Policy Virtual Server, to a Kemp Exchange Virtual Service using Kemp’s Edge Security Pack (ESP). This is a valuable technical guide if you currently use Citrix Netscaler products and are interested in learning about migrating an advanced service that includes AAA Session Policies. In this walk-through, we are using our Exchange OWA service with Forms Based Client Side and Forms Based Server Side.
Citrix Netscaler uses different terms for some functions and technologies. Below is a chart that maps the Netscaler terms with what is used within Kemp documentation.
| Citrix Netscaler | kemp LoadMaster |
| Virtual Servers | Virtual Services |
| SSL Profile | SSL Acceleration |
| Content Switch Policies | Content Rules |
| Monitors | Health Checks |
| AAA Virtual Server Policies | ESP |
| Service Group | Sub Virtual Service |
| Group Member | Real Servers |
Kemp provides an Exchange configuration Template which comes preconfigured with all the required configuration parameters. This makes the Kemp configuration easy since only customer unique information needs to be provided (IP addresses, server names, etc.). To download our popular application Templates, please navigate here. Select the corresponding Template depending on your Exchange version. In this case, we have chosen Exchange 2016.
On the Kemp load balancer, to import the template, navigate to Virtual Services > Templates > Browse > Import on the left-hand menu.
On your Citrix Netscaler navigate to: Traffic Management > SSL, click on Manage Certificates / Keys / CSRs.
Select your SSL Certificate and Download. In most cases this will be a PFX.P12 certificate, but it could also be in other formats such as “.crt” with .pem or .key.
On your LoadMaster Navigate to Certificates & Security > Import Certificate.
Select your PFX certificate and enter your Pass Phrase
If you have your Private Key and CA Cert as separate files, select your .crt/.pem file,and for your Private Key file select your .key/.pem file.
Both Netcaler & LoadMaster can direct traffic to a specific Exchange Pool by looking at the HTTP URL. Netscaler achieves this using Content Switching Policies and a Content Switching Virtual Server, whereas Kemp achieves by using Content Rules which are assigned to a Sub VS.
HTTP.REQ.URL.CONTAINS(“/owa”)
This function is much more easily achieved on kemp by creating a simple Content Switching rule.
All Exchange Content Rules come as part of the template and are already associated to each Exchange Pool such as OWA & ECP. More information on Content Rules can be found here.
Navigate to Virtual Services > Add New > Add IP > User Template > Select Exchange 2016 HTTPs Reencrypted with ESP.
Navigate to Virtual Services > Modify Sub VS > Real Servers > Add Real Server
Check “Add to all SubVS”. This will add your server to all Exchange Sub VS such as OWA & ECP.
Within the Netscaler environment, you will define a Session Policy which will bind to an AAA Authentication VServer which will eventually Bind to your Exchange Virtual Server. Kemp LoadMaster uses similar more easily configurable logic where you will create a Single Sign On (SSO) Profile and associate it with your Virtual Service or Sub VS.
Certificates & Security > LDAP Configuration > Add new LDAP Endpoint
Navigate to Virtual Services > Manage SSO > Add new Client Side Configuration
Navigate to Virtual Services > Modify > LM_auth Sub VSand OWA Sub VS and assign your previously created SSO Profile “kemptest.com”.
You will also be required to configure your Virtual Host to your FQDN. e.g, “mail.kemptest.com”.
Once complete, you should be able to connect to the newly created Virtual Service using your Exchange client and access the service on the Kemp load balancer in the same way you did with your Citrix Netscaler load balancer. All of the Netscaler functionality has been migrated to the Kemp solution delivering an optimal application experience (AX).
If you would like to implement an multi-factor authentication (MFA) solution please see this blog. For additional information on specific ESP Exchange Options, please see this Knowledge Base article.
If you are also using Netscalers Gateway feature to proxy your external Virtual Apps & Desktop connections, please see our configuration guide in how to achieve this.